OvmfPkg: Add custom SecureBootConfigDxe that doesn't reset

We don't force a platform reset for OVMF when PK is changed in
custom mode setup.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Lee Rosenbaum <lee.g.rosenbaum@intel.com>
Reviewed-by: Erik Bjorge <erik.c.bjorge@intel.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13635 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
jljusten 2012-08-15 00:03:59 +00:00
parent ff8dd312dd
commit 8c71ec8f11
16 changed files with 7379 additions and 12 deletions

View File

@ -527,5 +527,5 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
}
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif

View File

@ -170,7 +170,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
INF OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf
!else
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
!endif
@ -356,7 +356,7 @@ FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
UI STRING="$(MODULE_NAME)" Optional
VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
}
[Rule.Common.UEFI_APPLICATION]
FILE APPLICATION = $(NAMED_GUID) {
PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi
@ -370,7 +370,7 @@ FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
UI STRING="$(MODULE_NAME)" Optional
VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
}
[Rule.Common.USER_DEFINED.ACPITABLE]
FILE FREEFORM = $(NAMED_GUID) {
RAW ACPI |.acpi

View File

@ -529,5 +529,5 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
}
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif

View File

@ -170,7 +170,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
INF OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf
!else
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
!endif
@ -356,7 +356,7 @@ FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
UI STRING="$(MODULE_NAME)" Optional
VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
}
[Rule.Common.UEFI_APPLICATION]
FILE APPLICATION = $(NAMED_GUID) {
PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi
@ -370,7 +370,7 @@ FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
UI STRING="$(MODULE_NAME)" Optional
VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
}
[Rule.Common.USER_DEFINED.ACPITABLE]
FILE FREEFORM = $(NAMED_GUID) {
RAW ACPI |.acpi

View File

@ -527,5 +527,5 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
}
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif

View File

@ -170,7 +170,7 @@ INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
INF SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
INF OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf
!else
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
!endif
@ -356,7 +356,7 @@ FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
UI STRING="$(MODULE_NAME)" Optional
VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
}
[Rule.Common.UEFI_APPLICATION]
FILE APPLICATION = $(NAMED_GUID) {
PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi
@ -370,7 +370,7 @@ FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
UI STRING="$(MODULE_NAME)" Optional
VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
}
[Rule.Common.USER_DEFINED.ACPITABLE]
FILE FREEFORM = $(NAMED_GUID) {
RAW ACPI |.acpi

View File

@ -0,0 +1,495 @@
/** @file
VFR file used by the SecureBoot configuration component.
Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "SecureBootConfigNvData.h"
formset
guid = SECUREBOOT_CONFIG_FORM_SET_GUID,
title = STRING_TOKEN(STR_SECUREBOOT_TITLE),
help = STRING_TOKEN(STR_SECUREBOOT_HELP),
classguid = EFI_HII_PLATFORM_SETUP_FORMSET_GUID,
varstore SECUREBOOT_CONFIGURATION,
varid = SECUREBOOT_CONFIGURATION_VARSTORE_ID,
name = SECUREBOOT_CONFIGURATION,
guid = SECUREBOOT_CONFIG_FORM_SET_GUID;
//
// ##1 Form "Secure Boot Configuration"
//
form formid = SECUREBOOT_CONFIGURATION_FORM_ID,
title = STRING_TOKEN(STR_SECUREBOOT_TITLE);
subtitle text = STRING_TOKEN(STR_NULL);
//
// Define of Check Box: Attempt Secure Boot
//
suppressif TRUE;
checkbox varid = SECUREBOOT_CONFIGURATION.HideSecureBoot,
prompt = STRING_TOKEN(STR_NULL),
help = STRING_TOKEN(STR_NULL),
endcheckbox;
endif;
//
// Display of Check Box: Attempt Secure Boot
//
grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1;
checkbox varid = SECUREBOOT_CONFIGURATION.SecureBootState,
questionid = KEY_SECURE_BOOT_ENABLE,
prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT),
help = STRING_TOKEN(STR_SECURE_BOOT_HELP),
flags = INTERACTIVE,
endcheckbox;
endif;
//
// Display of Oneof: 'Secure Boot Mode'
//
oneof varid = SECUREBOOT_CONFIGURATION.SecureBootMode,
questionid = KEY_SECURE_BOOT_MODE,
prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT),
help = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP),
flags = INTERACTIVE,
option text = STRING_TOKEN(STR_STANDARD_MODE), value = SECURE_BOOT_MODE_STANDARD, flags = DEFAULT;
option text = STRING_TOKEN(STR_CUSTOM_MODE), value = SECURE_BOOT_MODE_CUSTOM, flags = 0;
endoneof;
//
//
// Display of 'Current Secure Boot Mode'
//
suppressif ideqval SECUREBOOT_CONFIGURATION.SecureBootMode == SECURE_BOOT_MODE_STANDARD;
grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1;
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_OPTION_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_OPTION;
endif;
endif;
endform;
//
// ##2 Form: 'Custom Secure Boot Options'
//
form formid = FORMID_SECURE_BOOT_OPTION_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_OPTION_TITLE);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_PK_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_PK_OPTION;
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_KEK_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_KEK_OPTION;
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_DB_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_DB_OPTION;
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_DBX_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_DBX_OPTION;
endform;
//
// ##3 Form: 'PK Options'
//
form formid = FORMID_SECURE_BOOT_PK_OPTION_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION);
subtitle text = STRING_TOKEN(STR_NULL);
//
// Define of Check Box: 'Delete PK'
//
suppressif TRUE;
checkbox varid = SECUREBOOT_CONFIGURATION.DeletePk,
prompt = STRING_TOKEN(STR_NULL),
help = STRING_TOKEN(STR_NULL),
endcheckbox;
endif;
grayoutif ideqval SECUREBOOT_CONFIGURATION.HasPk == 1;
goto FORMID_ENROLL_PK_FORM,
prompt = STRING_TOKEN(STR_ENROLL_PK),
help = STRING_TOKEN(STR_ENROLL_PK_HELP),
flags = INTERACTIVE,
key = KEY_ENROLL_PK;
endif;
subtitle text = STRING_TOKEN(STR_NULL);
//
// Display of Check Box: 'Delete Pk'
//
grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1;
checkbox varid = SECUREBOOT_CONFIGURATION.DeletePk,
questionid = KEY_SECURE_BOOT_DELETE_PK,
prompt = STRING_TOKEN(STR_DELETE_PK),
help = STRING_TOKEN(STR_DELETE_PK_HELP),
flags = INTERACTIVE,
endcheckbox;
endif;
endform;
//
// ##4 Form: 'Enroll PK'
//
form formid = FORMID_ENROLL_PK_FORM,
title = STRING_TOKEN(STR_ENROLL_PK);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORM_FILE_EXPLORER_ID_PK,
prompt = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_PK_FILE),
help = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_PK_FILE),
flags = INTERACTIVE,
key = SECUREBOOT_ADD_PK_FILE_FORM_ID;
endform;
//
// ##5 Form: 'KEK Options'
//
form formid = FORMID_SECURE_BOOT_KEK_OPTION_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION);
//
// Display of 'Enroll KEK'
//
goto FORMID_ENROLL_KEK_FORM,
prompt = STRING_TOKEN(STR_ENROLL_KEK),
help = STRING_TOKEN(STR_ENROLL_KEK_HELP),
flags = INTERACTIVE;
subtitle text = STRING_TOKEN(STR_NULL);
//
// Display of 'Delete KEK'
//
goto FORMID_DELETE_KEK_FORM,
prompt = STRING_TOKEN(STR_DELETE_KEK),
help = STRING_TOKEN(STR_DELETE_KEK_HELP),
flags = INTERACTIVE,
key = KEY_DELETE_KEK;
subtitle text = STRING_TOKEN(STR_NULL);
endform;
//
// ##6 Form: 'Enroll KEK'
//
form formid = FORMID_ENROLL_KEK_FORM,
title = STRING_TOKEN(STR_ENROLL_KEK_TITLE);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORM_FILE_EXPLORER_ID_KEK,
prompt = STRING_TOKEN(STR_FORM_ENROLL_KEK_FROM_FILE_TITLE),
help = STRING_TOKEN(STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP),
flags = INTERACTIVE,
key = FORMID_ENROLL_KEK_FORM;
subtitle text = STRING_TOKEN(STR_NULL);
label FORMID_ENROLL_KEK_FORM;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_KEK_GUID,
minsize = SECURE_BOOT_GUID_SIZE,
maxsize = SECURE_BOOT_GUID_SIZE,
endstring;
subtitle text = STRING_TOKEN(STR_NULL);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_SAVE_AND_EXIT_KEK;
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_NO_SAVE_AND_EXIT_KEK;
endform;
//
// ##7 Form: 'Delete KEK'
//
form formid = FORMID_DELETE_KEK_FORM,
title = STRING_TOKEN(STR_DELETE_KEK_TITLE);
label LABEL_KEK_DELETE;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
endform;
//
// ##8 Form: 'DB Options'
//
form formid = FORMID_SECURE_BOOT_DB_OPTION_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION);
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_ENROLL_SIGNATURE_TO_DB,
prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
flags = 0;
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
flags = INTERACTIVE,
key = SECUREBOOT_DELETE_SIGNATURE_FROM_DB;
endform;
//
// ##9 Form: 'DBX Options'
//
form formid = FORMID_SECURE_BOOT_DBX_OPTION_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION);
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBX,
prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
flags = 0;
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
flags = INTERACTIVE,
key = SECUREBOOT_DELETE_SIGNATURE_FROM_DBX;
endform;
//
// Form: 'Delete Signature' for DB Options.
//
form formid = SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE);
label LABEL_DB_DELETE;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
endform;
//
// Form: 'Delete Signature' for DBX Options.
//
form formid = SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE);
label LABEL_DBX_DELETE;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
endform;
//
// Form: 'Enroll Signature' for DB options.
//
form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DB,
title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORM_FILE_EXPLORER_ID_DB,
prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
flags = INTERACTIVE,
key = SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
subtitle text = STRING_TOKEN(STR_NULL);
label SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_SIGNATURE_GUID_DB,
minsize = SECURE_BOOT_GUID_SIZE,
maxsize = SECURE_BOOT_GUID_SIZE,
endstring;
subtitle text = STRING_TOKEN(STR_NULL);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_SAVE_AND_EXIT_DB;
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_NO_SAVE_AND_EXIT_DB;
endform;
//
// Form: 'Enroll Signature' for DBX options.
//
form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX,
title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORM_FILE_EXPLORER_ID_DBX,
prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
flags = INTERACTIVE,
key = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
subtitle text = STRING_TOKEN(STR_NULL);
label SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_SIGNATURE_GUID_DBX,
minsize = SECURE_BOOT_GUID_SIZE,
maxsize = SECURE_BOOT_GUID_SIZE,
endstring;
subtitle text = STRING_TOKEN(STR_NULL);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_SAVE_AND_EXIT_DBX;
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_NO_SAVE_AND_EXIT_DBX;
endform;
//
// File Explorer for PK
//
form formid = FORM_FILE_EXPLORER_ID_PK,
title = STRING_TOKEN(STR_FILE_EXPLORER_TITLE);
label FORM_FILE_EXPLORER_ID;
label LABEL_END;
endform;
//
// File Explorer for KEK
//
form formid = FORM_FILE_EXPLORER_ID_KEK,
title = STRING_TOKEN(STR_FILE_EXPLORER_TITLE);
label FORM_FILE_EXPLORER_ID;
label LABEL_END;
endform;
//
// File Explorer for DB
//
form formid = FORM_FILE_EXPLORER_ID_DB,
title = STRING_TOKEN(STR_FILE_EXPLORER_TITLE);
label FORM_FILE_EXPLORER_ID;
label LABEL_END;
endform;
//
// File Explorer for DBX
//
form formid = FORM_FILE_EXPLORER_ID_DBX,
title = STRING_TOKEN(STR_FILE_EXPLORER_TITLE);
label FORM_FILE_EXPLORER_ID;
label LABEL_END;
endform;
//
// Enroll Pk from File Commit Form
//
form formid = SECUREBOOT_ADD_PK_FILE_FORM_ID,
title = STRING_TOKEN(STR_SAVE_PK_FILE);
label SECUREBOOT_ADD_PK_FILE_FORM_ID;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
text
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
text = STRING_TOKEN(STR_SAVE_AND_EXIT),
text = STRING_TOKEN(STR_NULL),
flags = INTERACTIVE,
key = KEY_VALUE_SAVE_AND_EXIT_PK;
text
help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
text = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
text = STRING_TOKEN(STR_NULL),
flags = INTERACTIVE,
key = KEY_VALUE_NO_SAVE_AND_EXIT_PK;
endform;
endformset;

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,133 @@
/** @file
The module entry point for SecureBoot configuration module.
Copyright (c) 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "SecureBootConfigImpl.h"
/**
The entry point for SecureBoot configuration driver.
@param[in] ImageHandle The image handle of the driver.
@param[in] SystemTable The system table.
@retval EFI_ALREADY_STARTED The driver already exists in system.
@retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack of resources.
@retval EFI_SUCCES All the related protocols are installed on the driver.
@retval Others Fail to get the SecureBootEnable variable.
**/
EFI_STATUS
EFIAPI
SecureBootConfigDriverEntryPoint (
IN EFI_HANDLE ImageHandle,
IN EFI_SYSTEM_TABLE *SystemTable
)
{
EFI_STATUS Status;
SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
//
// If already started, return.
//
Status = gBS->OpenProtocol (
ImageHandle,
&gEfiCallerIdGuid,
NULL,
ImageHandle,
ImageHandle,
EFI_OPEN_PROTOCOL_TEST_PROTOCOL
);
if (!EFI_ERROR (Status)) {
return EFI_ALREADY_STARTED;
}
//
// Create a private data structure.
//
PrivateData = AllocateCopyPool (sizeof (SECUREBOOT_CONFIG_PRIVATE_DATA), &mSecureBootConfigPrivateDateTemplate);
if (PrivateData == NULL) {
return EFI_OUT_OF_RESOURCES;
}
//
// Install SecureBoot configuration form
//
Status = InstallSecureBootConfigForm (PrivateData);
if (EFI_ERROR (Status)) {
goto ErrorExit;
}
//
// Install private GUID.
//
Status = gBS->InstallMultipleProtocolInterfaces (
&ImageHandle,
&gEfiCallerIdGuid,
PrivateData,
NULL
);
if (EFI_ERROR (Status)) {
goto ErrorExit;
}
return EFI_SUCCESS;
ErrorExit:
if (PrivateData != NULL) {
UninstallSecureBootConfigForm (PrivateData);
}
return Status;
}
/**
Unload the SecureBoot configuration form.
@param[in] ImageHandle The driver's image handle.
@retval EFI_SUCCESS The SecureBoot configuration form is unloaded.
@retval Others Failed to unload the form.
**/
EFI_STATUS
EFIAPI
SecureBootConfigDriverUnload (
IN EFI_HANDLE ImageHandle
)
{
EFI_STATUS Status;
SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
Status = gBS->HandleProtocol (
ImageHandle,
&gEfiCallerIdGuid,
(VOID **) &PrivateData
);
if (EFI_ERROR (Status)) {
return Status;
}
ASSERT (PrivateData->Signature == SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE);
gBS->UninstallMultipleProtocolInterfaces (
&ImageHandle,
&gEfiCallerIdGuid,
PrivateData,
NULL
);
UninstallSecureBootConfigForm (PrivateData);
return EFI_SUCCESS;
}

View File

@ -0,0 +1,105 @@
## @file
# Component name for SecureBoot configuration module for OVMF.
#
# Need custom SecureBootConfigDxe for OVMF that does not force
# resets after PK changes since OVMF doesn't have persistent variables
#
# Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = SecureBootConfigDxe
FILE_GUID = F0E6A44F-7195-41c3-AC64-54F202CD0A21
MODULE_TYPE = DXE_DRIVER
VERSION_STRING = 1.0
ENTRY_POINT = SecureBootConfigDriverEntryPoint
UNLOAD_IMAGE = SecureBootConfigDriverUnload
#
# VALID_ARCHITECTURES = IA32 X64 IPF EBC
#
[Sources]
SecureBootConfigDriver.c
SecureBootConfigImpl.c
SecureBootConfigFileExplorer.c
SecureBootConfigDevicePath.c
SecureBootConfigMisc.c
SecureBootConfigImpl.h
SecureBootConfig.vfr
SecureBootConfigStrings.uni
SecureBootConfigNvData.h
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec
CryptoPkg/CryptoPkg.dec
[LibraryClasses]
BaseLib
BaseMemoryLib
BaseCryptLib
MemoryAllocationLib
UefiLib
UefiBootServicesTableLib
UefiRuntimeServicesTableLib
UefiDriverEntryPoint
UefiHiiServicesLib
DebugLib
HiiLib
PlatformSecureLib
[Guids]
gEfiIfrTianoGuid
gEfiCustomModeEnableGuid
gEfiSecureBootEnableDisableGuid
gSecureBootConfigFormSetGuid
gEfiCertPkcs7Guid
gEfiCertRsa2048Guid ## CONSUMES
gEfiCertX509Guid ## CONSUMES
gEfiCertSha1Guid ## CONSUMES
gEfiCertSha256Guid ## CONSUMES
gEfiCertTypeRsa2048Sha256Guid ## CONSUMES
gEfiImageSecurityDatabaseGuid ## CONSUMES
gEfiFileSystemVolumeLabelInfoIdGuid ## CONSUMES
gEfiGlobalVariableGuid ## PRODUCES ## Variable Guid
gEfiVT100PlusGuid ## CONSUMES ## GUID (The type of terminal)
gEfiVT100Guid ## CONSUMES ## GUID (The type of terminal)
## CONSUMES ## GUID HOB (The hob holding memory type information)
gEfiVTUTF8Guid ## CONSUMES ## GUID (The type of terminal)
## SOMETIMES_CONSUMES ## Variable:L"BootXX" (Boot option variable)
## CONSUMES ## Variable:L"Timeout" (The time out value in second of showing progress bar)
## SOMETIMES_CONSUMES ## Variable:L"BootOrder" (The boot option array)
## SOMETIMES_CONSUMES ## Variable:L"DriverOrder" (The driver order list)
## SOMETIMES_CONSUMES ## Variable:L"ConIn" (The device path of console in device)
## SOMETIMES_CONSUMES ## Variable:L"ConOut" (The device path of console out device)
## SOMETIMES_CONSUMES ## Variable:L"ErrOut" (The device path of error out device)
gEfiFileInfoGuid ## CONSUMES ## GUID
gEfiPcAnsiGuid ## CONSUMES ## GUID (The type of terminal)
gEfiUartDevicePathGuid ## CONSUMES ## GUID (Identify the device path for UARD device)
gEfiSasDevicePathGuid ## CONSUMES ## GUID (Identify the device path for SAS device)
[Protocols]
gEfiHiiConfigAccessProtocolGuid ## PRODUCES
gEfiHiiConfigRoutingProtocolGuid ## CONSUMES
gEfiSimpleFileSystemProtocolGuid ## PROTOCOL CONSUMES
gEfiLoadFileProtocolGuid ## PROTOCOL CONSUMES
gEfiBlockIoProtocolGuid ## PROTOCOL CONSUMES
gEfiDevicePathProtocolGuid ## PROTOCOL CONSUMES
gEfiDevicePathToTextProtocolGuid
gEfiDebugPortProtocolGuid
[Depex]
gEfiHiiConfigRoutingProtocolGuid AND
gEfiHiiDatabaseProtocolGuid AND
gEfiVariableArchProtocolGuid AND
gEfiVariableWriteArchProtocolGuid

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,614 @@
/** @file
The header file of HII Config Access protocol implementation of SecureBoot
configuration module.
Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef __SECUREBOOT_CONFIG_IMPL_H__
#define __SECUREBOOT_CONFIG_IMPL_H__
#include <Uefi.h>
#include <Protocol/HiiConfigAccess.h>
#include <Protocol/HiiConfigRouting.h>
#include <Protocol/SimpleFileSystem.h>
#include <Protocol/BlockIo.h>
#include <Protocol/DevicePath.h>
#include <Protocol/DevicePathToText.h>
#include <Protocol/DebugPort.h>
#include <Protocol/LoadFile.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiHiiServicesLib.h>
#include <Library/UefiLib.h>
#include <Library/HiiLib.h>
#include <Library/DevicePathLib.h>
#include <Library/PrintLib.h>
#include <Library/PlatformSecureLib.h>
#include <Library/BaseCryptLib.h>
#include <Guid/MdeModuleHii.h>
#include <Guid/AuthenticatedVariableFormat.h>
#include <Guid/FileSystemVolumeLabelInfo.h>
#include <Guid/ImageAuthentication.h>
#include <Guid/FileInfo.h>
#include "SecureBootConfigNvData.h"
//
// Tool generated IFR binary data and String package data
//
extern UINT8 SecureBootConfigBin[];
extern UINT8 SecureBootConfigDxeStrings[];
//
// Shared IFR form update data
//
extern VOID *mStartOpCodeHandle;
extern VOID *mEndOpCodeHandle;
extern EFI_IFR_GUID_LABEL *mStartLabel;
extern EFI_IFR_GUID_LABEL *mEndLabel;
#define MAX_CHAR 480
#define TWO_BYTE_ENCODE 0x82
//
// SHA-1 digest size in bytes.
//
#define SHA1_DIGEST_SIZE 20
//
// SHA-256 digest size in bytes
//
#define SHA256_DIGEST_SIZE 32
//
// Set max digest size as SHA256 Output (32 bytes) by far
//
#define MAX_DIGEST_SIZE SHA256_DIGEST_SIZE
#define WIN_CERT_UEFI_RSA2048_SIZE 256
//
// Support hash types
//
#define HASHALG_SHA1 0x00000000
#define HASHALG_SHA224 0x00000001
#define HASHALG_SHA256 0x00000002
#define HASHALG_SHA384 0x00000003
#define HASHALG_SHA512 0x00000004
#define HASHALG_MAX 0x00000005
#define SECUREBOOT_MENU_OPTION_SIGNATURE SIGNATURE_32 ('S', 'b', 'M', 'u')
#define SECUREBOOT_MENU_ENTRY_SIGNATURE SIGNATURE_32 ('S', 'b', 'M', 'r')
typedef struct {
EFI_DEVICE_PATH_PROTOCOL Header;
EFI_GUID Guid;
UINT8 VendorDefinedData[1];
} VENDOR_DEVICE_PATH_WITH_DATA;
typedef struct {
EFI_DEVICE_PATH_PROTOCOL Header;
UINT16 NetworkProtocol;
UINT16 LoginOption;
UINT64 Lun;
UINT16 TargetPortalGroupTag;
CHAR16 TargetName[1];
} ISCSI_DEVICE_PATH_WITH_NAME;
typedef enum _FILE_EXPLORER_DISPLAY_CONTEXT {
FileExplorerDisplayFileSystem,
FileExplorerDisplayDirectory,
FileExplorerDisplayUnknown
} FILE_EXPLORER_DISPLAY_CONTEXT;
typedef enum _FILE_EXPLORER_STATE {
FileExplorerStateInActive = 0,
FileExplorerStateEnrollPkFile,
FileExplorerStateEnrollKekFile,
FileExplorerStateEnrollSignatureFileToDb,
FileExplorerStateEnrollSignatureFileToDbx,
FileExplorerStateUnknown
} FILE_EXPLORER_STATE;
typedef struct {
CHAR16 *Str;
UINTN Len;
UINTN Maxlen;
} POOL_PRINT;
typedef
VOID
(*DEV_PATH_FUNCTION) (
IN OUT POOL_PRINT *Str,
IN VOID *DevPath
);
typedef struct {
UINT8 Type;
UINT8 SubType;
DEV_PATH_FUNCTION Function;
} DEVICE_PATH_STRING_TABLE;
typedef struct {
UINTN Signature;
LIST_ENTRY Head;
UINTN MenuNumber;
} SECUREBOOT_MENU_OPTION;
extern SECUREBOOT_MENU_OPTION FsOptionMenu;
extern SECUREBOOT_MENU_OPTION DirectoryMenu;
typedef struct {
UINTN Signature;
LIST_ENTRY Link;
UINTN OptionNumber;
UINT16 *DisplayString;
UINT16 *HelpString;
EFI_STRING_ID DisplayStringToken;
EFI_STRING_ID HelpStringToken;
VOID *FileContext;
} SECUREBOOT_MENU_ENTRY;
typedef struct {
EFI_HANDLE Handle;
EFI_DEVICE_PATH_PROTOCOL *DevicePath;
EFI_FILE_HANDLE FHandle;
UINT16 *FileName;
EFI_FILE_SYSTEM_VOLUME_LABEL *Info;
BOOLEAN IsRoot;
BOOLEAN IsDir;
BOOLEAN IsRemovableMedia;
BOOLEAN IsLoadFile;
BOOLEAN IsBootLegacy;
} SECUREBOOT_FILE_CONTEXT;
//
// We define another format of 5th directory entry: security directory
//
typedef struct {
UINT32 Offset; // Offset of certificate
UINT32 SizeOfCert; // size of certificate appended
} EFI_IMAGE_SECURITY_DATA_DIRECTORY;
typedef enum{
ImageType_IA32,
ImageType_X64
} IMAGE_TYPE;
///
/// HII specific Vendor Device Path definition.
///
typedef struct {
VENDOR_DEVICE_PATH VendorDevicePath;
EFI_DEVICE_PATH_PROTOCOL End;
} HII_VENDOR_DEVICE_PATH;
typedef struct {
UINTN Signature;
EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess;
EFI_HII_HANDLE HiiHandle;
EFI_HANDLE DriverHandle;
FILE_EXPLORER_STATE FeCurrentState;
FILE_EXPLORER_DISPLAY_CONTEXT FeDisplayContext;
SECUREBOOT_MENU_ENTRY *MenuEntry;
SECUREBOOT_FILE_CONTEXT *FileContext;
EFI_GUID *SignatureGUID;
} SECUREBOOT_CONFIG_PRIVATE_DATA;
extern SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate;
#define SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('S', 'E', 'C', 'B')
#define SECUREBOOT_CONFIG_PRIVATE_FROM_THIS(a) CR (a, SECUREBOOT_CONFIG_PRIVATE_DATA, ConfigAccess, SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE)
//
// Cryptograhpic Key Information
//
#pragma pack(1)
typedef struct _CPL_KEY_INFO {
UINT32 KeyLengthInBits; // Key Length In Bits
UINT32 BlockSize; // Operation Block Size in Bytes
UINT32 CipherBlockSize; // Output Cipher Block Size in Bytes
UINT32 KeyType; // Key Type
UINT32 CipherMode; // Cipher Mode for Symmetric Algorithm
UINT32 Flags; // Additional Key Property Flags
} CPL_KEY_INFO;
#pragma pack()
/**
Retrieves the size, in bytes, of the context buffer required for hash operations.
@return The size, in bytes, of the context buffer required for hash operations.
**/
typedef
EFI_STATUS
(EFIAPI *HASH_GET_CONTEXT_SIZE)(
VOID
);
/**
Initializes user-supplied memory pointed by HashContext as hash context for
subsequent use.
If HashContext is NULL, then ASSERT().
@param[in, out] HashContext Pointer to Context being initialized.
@retval TRUE HASH context initialization succeeded.
@retval FALSE HASH context initialization failed.
**/
typedef
BOOLEAN
(EFIAPI *HASH_INIT)(
IN OUT VOID *HashContext
);
/**
Performs digest on a data buffer of the specified length. This function can
be called multiple times to compute the digest of long or discontinuous data streams.
If HashContext is NULL, then ASSERT().
@param[in, out] HashContext Pointer to the MD5 context.
@param[in] Data Pointer to the buffer containing the data to be hashed.
@param[in] DataLength Length of Data buffer in bytes.
@retval TRUE HASH data digest succeeded.
@retval FALSE Invalid HASH context. After HashFinal function has been called, the
HASH context cannot be reused.
**/
typedef
BOOLEAN
(EFIAPI *HASH_UPDATE)(
IN OUT VOID *HashContext,
IN CONST VOID *Data,
IN UINTN DataLength
);
/**
Completes hash computation and retrieves the digest value into the specified
memory. After this function has been called, the context cannot be used again.
If HashContext is NULL, then ASSERT().
If HashValue is NULL, then ASSERT().
@param[in, out] HashContext Pointer to the MD5 context
@param[out] HashValue Pointer to a buffer that receives the HASH digest
value (16 bytes).
@retval TRUE HASH digest computation succeeded.
@retval FALSE HASH digest computation failed.
**/
typedef
BOOLEAN
(EFIAPI *HASH_FINAL)(
IN OUT VOID *HashContext,
OUT UINT8 *HashValue
);
//
// Hash Algorithm Table
//
typedef struct {
CHAR16 *Name; ///< Name for Hash Algorithm
UINTN DigestLength; ///< Digest Length
UINT8 *OidValue; ///< Hash Algorithm OID ASN.1 Value
UINTN OidLength; ///< Length of Hash OID Value
HASH_GET_CONTEXT_SIZE GetContextSize; ///< Pointer to Hash GetContentSize function
HASH_INIT HashInit; ///< Pointer to Hash Init function
HASH_UPDATE HashUpdate; ///< Pointer to Hash Update function
HASH_FINAL HashFinal; ///< Pointer to Hash Final function
} HASH_TABLE;
typedef struct {
WIN_CERTIFICATE Hdr;
UINT8 CertData[1];
} WIN_CERTIFICATE_EFI_PKCS;
/**
This function publish the SecureBoot configuration Form.
@param[in, out] PrivateData Points to SecureBoot configuration private data.
@retval EFI_SUCCESS HII Form is installed successfully.
@retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
@retval Others Other errors as indicated.
**/
EFI_STATUS
InstallSecureBootConfigForm (
IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
);
/**
This function removes SecureBoot configuration Form.
@param[in, out] PrivateData Points to SecureBoot configuration private data.
**/
VOID
UninstallSecureBootConfigForm (
IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
);
/**
This function allows a caller to extract the current configuration for one
or more named elements from the target driver.
@param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
@param[in] Request A null-terminated Unicode string in
<ConfigRequest> format.
@param[out] Progress On return, points to a character in the Request
string. Points to the string's null terminator if
request was successful. Points to the most recent
'&' before the first failing name/value pair (or
the beginning of the string if the failure is in
the first name/value pair) if the request was not
successful.
@param[out] Results A null-terminated Unicode string in
<ConfigAltResp> format which has all values filled
in for the names in the Request string. String to
be allocated by the called function.
@retval EFI_SUCCESS The Results is filled with the requested values.
@retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
@retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
@retval EFI_NOT_FOUND Routing data doesn't match any storage in this
driver.
**/
EFI_STATUS
EFIAPI
SecureBootExtractConfig (
IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
IN CONST EFI_STRING Request,
OUT EFI_STRING *Progress,
OUT EFI_STRING *Results
);
/**
This function processes the results of changes in configuration.
@param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
@param[in] Configuration A null-terminated Unicode string in <ConfigResp>
format.
@param[out] Progress A pointer to a string filled in with the offset of
the most recent '&' before the first failing
name/value pair (or the beginning of the string if
the failure is in the first name/value pair) or
the terminating NULL if all was successful.
@retval EFI_SUCCESS The Results is processed successfully.
@retval EFI_INVALID_PARAMETER Configuration is NULL.
@retval EFI_NOT_FOUND Routing data doesn't match any storage in this
driver.
**/
EFI_STATUS
EFIAPI
SecureBootRouteConfig (
IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
IN CONST EFI_STRING Configuration,
OUT EFI_STRING *Progress
);
/**
This function processes the results of changes in configuration.
@param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
@param[in] Action Specifies the type of action taken by the browser.
@param[in] QuestionId A unique value which is sent to the original
exporting driver so that it can identify the type
of data to expect.
@param[in] Type The type of value for the question.
@param[in] Value A pointer to the data being sent to the original
exporting driver.
@param[out] ActionRequest On return, points to the action requested by the
callback function.
@retval EFI_SUCCESS The callback successfully handled the action.
@retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
variable and its data.
@retval EFI_DEVICE_ERROR The variable could not be saved.
@retval EFI_UNSUPPORTED The specified Action is not supported by the
callback.
**/
EFI_STATUS
EFIAPI
SecureBootCallback (
IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
IN EFI_BROWSER_ACTION Action,
IN EFI_QUESTION_ID QuestionId,
IN UINT8 Type,
IN EFI_IFR_TYPE_VALUE *Value,
OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
);
/**
This function converts an input device structure to a Unicode string.
@param[in] DevPath A pointer to the device path structure.
@return A new allocated Unicode string that represents the device path.
**/
CHAR16 *
EFIAPI
DevicePathToStr (
IN EFI_DEVICE_PATH_PROTOCOL *DevPath
);
/**
Clean up the dynamic opcode at label and form specified by both LabelId.
@param[in] LabelId It is both the Form ID and Label ID for opcode deletion.
@param[in] PrivateData Module private data.
**/
VOID
CleanUpPage (
IN UINT16 LabelId,
IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
);
/**
Update the file explorer page with the refreshed file system.
@param[in] PrivateData Module private data.
@param[in] KeyValue Key value to identify the type of data to expect.
@retval TRUE Inform the caller to create a callback packet to exit file explorer.
@retval FALSE Indicate that there is no need to exit file explorer.
**/
BOOLEAN
UpdateFileExplorer (
IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
IN UINT16 KeyValue
);
/**
Free resources allocated in Allocate Rountine.
@param[in, out] MenuOption Menu to be freed
**/
VOID
FreeMenu (
IN OUT SECUREBOOT_MENU_OPTION *MenuOption
);
/**
Read file content into BufferPtr, the size of the allocate buffer
is *FileSize plus AddtionAllocateSize.
@param[in] FileHandle The file to be read.
@param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
@param[out] FileSize Size of input file
@param[in] AddtionAllocateSize Addtion size the buffer need to be allocated.
In case the buffer need to contain others besides the file content.
@retval EFI_SUCCESS The file was read into the buffer.
@retval EFI_INVALID_PARAMETER A parameter was invalid.
@retval EFI_OUT_OF_RESOURCES A memory allocation failed.
@retval others Unexpected error.
**/
EFI_STATUS
ReadFileContent (
IN EFI_FILE_HANDLE FileHandle,
IN OUT VOID **BufferPtr,
OUT UINTN *FileSize,
IN UINTN AddtionAllocateSize
);
/**
Close an open file handle.
@param[in] FileHandle The file handle to close.
**/
VOID
CloseFile (
IN EFI_FILE_HANDLE FileHandle
);
/**
Converts a nonnegative integer to an octet string of a specified length.
@param[in] Integer Pointer to the nonnegative integer to be converted
@param[in] IntSizeInWords Length of integer buffer in words
@param[out] OctetString Converted octet string of the specified length
@param[in] OSSizeInBytes Intended length of resulting octet string in bytes
Returns:
@retval EFI_SUCCESS Data conversion successfully
@retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
**/
EFI_STATUS
EFIAPI
Int2OctStr (
IN CONST UINTN *Integer,
IN UINTN IntSizeInWords,
OUT UINT8 *OctetString,
IN UINTN OSSizeInBytes
);
/**
Convert a String to Guid Value.
@param[in] Str Specifies the String to be converted.
@param[in] StrLen Number of Unicode Characters of String (exclusive \0)
@param[out] Guid Return the result Guid value.
@retval EFI_SUCCESS The operation is finished successfully.
@retval EFI_NOT_FOUND Invalid string.
**/
EFI_STATUS
StringToGuid (
IN CHAR16 *Str,
IN UINTN StrLen,
OUT EFI_GUID *Guid
);
/**
Worker function that prints an EFI_GUID into specified Buffer.
@param[in] Guid Pointer to GUID to print.
@param[in] Buffer Buffer to print Guid into.
@param[in] BufferSize Size of Buffer.
@retval Number of characters printed.
**/
UINTN
GuidToString (
IN EFI_GUID *Guid,
IN CHAR16 *Buffer,
IN UINTN BufferSize
);
#endif

View File

@ -0,0 +1,334 @@
/** @file
Helper functions for SecureBoot configuration module.
Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "SecureBootConfigImpl.h"
/**
Read file content into BufferPtr, the size of the allocate buffer
is *FileSize plus AddtionAllocateSize.
@param[in] FileHandle The file to be read.
@param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
@param[out] FileSize Size of input file
@param[in] AddtionAllocateSize Addtion size the buffer need to be allocated.
In case the buffer need to contain others besides the file content.
@retval EFI_SUCCESS The file was read into the buffer.
@retval EFI_INVALID_PARAMETER A parameter was invalid.
@retval EFI_OUT_OF_RESOURCES A memory allocation failed.
@retval others Unexpected error.
**/
EFI_STATUS
ReadFileContent (
IN EFI_FILE_HANDLE FileHandle,
IN OUT VOID **BufferPtr,
OUT UINTN *FileSize,
IN UINTN AddtionAllocateSize
)
{
UINTN BufferSize;
UINT64 SourceFileSize;
VOID *Buffer;
EFI_STATUS Status;
if ((FileHandle == NULL) || (FileSize == NULL)) {
return EFI_INVALID_PARAMETER;
}
Buffer = NULL;
//
// Get the file size
//
Status = FileHandle->SetPosition (FileHandle, (UINT64) -1);
if (EFI_ERROR (Status)) {
goto ON_EXIT;
}
Status = FileHandle->GetPosition (FileHandle, &SourceFileSize);
if (EFI_ERROR (Status)) {
goto ON_EXIT;
}
Status = FileHandle->SetPosition (FileHandle, 0);
if (EFI_ERROR (Status)) {
goto ON_EXIT;
}
BufferSize = (UINTN) SourceFileSize + AddtionAllocateSize;
Buffer = AllocateZeroPool(BufferSize);
if (Buffer == NULL) {
return EFI_OUT_OF_RESOURCES;
}
BufferSize = (UINTN) SourceFileSize;
*FileSize = BufferSize;
Status = FileHandle->Read (FileHandle, &BufferSize, Buffer);
if (EFI_ERROR (Status) || BufferSize != *FileSize) {
FreePool (Buffer);
Buffer = NULL;
Status = EFI_BAD_BUFFER_SIZE;
goto ON_EXIT;
}
ON_EXIT:
*BufferPtr = Buffer;
return Status;
}
/**
Close an open file handle.
@param[in] FileHandle The file handle to close.
**/
VOID
CloseFile (
IN EFI_FILE_HANDLE FileHandle
)
{
if (FileHandle != NULL) {
FileHandle->Close (FileHandle);
}
}
/**
Convert a nonnegative integer to an octet string of a specified length.
@param[in] Integer Pointer to the nonnegative integer to be converted
@param[in] IntSizeInWords Length of integer buffer in words
@param[out] OctetString Converted octet string of the specified length
@param[in] OSSizeInBytes Intended length of resulting octet string in bytes
Returns:
@retval EFI_SUCCESS Data conversion successfully
@retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
**/
EFI_STATUS
EFIAPI
Int2OctStr (
IN CONST UINTN *Integer,
IN UINTN IntSizeInWords,
OUT UINT8 *OctetString,
IN UINTN OSSizeInBytes
)
{
CONST UINT8 *Ptr1;
UINT8 *Ptr2;
for (Ptr1 = (CONST UINT8 *)Integer, Ptr2 = OctetString + OSSizeInBytes - 1;
Ptr1 < (UINT8 *)(Integer + IntSizeInWords) && Ptr2 >= OctetString;
Ptr1++, Ptr2--) {
*Ptr2 = *Ptr1;
}
for (; Ptr1 < (CONST UINT8 *)(Integer + IntSizeInWords) && *Ptr1 == 0; Ptr1++);
if (Ptr1 < (CONST UINT8 *)(Integer + IntSizeInWords)) {
return EFI_BUFFER_TOO_SMALL;
}
if (Ptr2 >= OctetString) {
ZeroMem (OctetString, Ptr2 - OctetString + 1);
}
return EFI_SUCCESS;
}
/**
Convert a String to Guid Value.
@param[in] Str Specifies the String to be converted.
@param[in] StrLen Number of Unicode Characters of String (exclusive \0)
@param[out] Guid Return the result Guid value.
@retval EFI_SUCCESS The operation is finished successfully.
@retval EFI_NOT_FOUND Invalid string.
**/
EFI_STATUS
StringToGuid (
IN CHAR16 *Str,
IN UINTN StrLen,
OUT EFI_GUID *Guid
)
{
CHAR16 *PtrBuffer;
CHAR16 *PtrPosition;
UINT16 *Buffer;
UINTN Data;
UINTN Index;
UINT16 Digits[3];
Buffer = (CHAR16 *) AllocateZeroPool (sizeof (CHAR16) * (StrLen + 1));
if (Buffer == NULL) {
return EFI_OUT_OF_RESOURCES;
}
StrCpy (Buffer, Str);
//
// Data1
//
PtrBuffer = Buffer;
PtrPosition = PtrBuffer;
while (*PtrBuffer != L'\0') {
if (*PtrBuffer == L'-') {
break;
}
PtrBuffer++;
}
if (*PtrBuffer == L'\0') {
FreePool (Buffer);
return EFI_NOT_FOUND;
}
*PtrBuffer = L'\0';
Data = StrHexToUintn (PtrPosition);
Guid->Data1 = (UINT32)Data;
//
// Data2
//
PtrBuffer++;
PtrPosition = PtrBuffer;
while (*PtrBuffer != L'\0') {
if (*PtrBuffer == L'-') {
break;
}
PtrBuffer++;
}
if (*PtrBuffer == L'\0') {
FreePool (Buffer);
return EFI_NOT_FOUND;
}
*PtrBuffer = L'\0';
Data = StrHexToUintn (PtrPosition);
Guid->Data2 = (UINT16)Data;
//
// Data3
//
PtrBuffer++;
PtrPosition = PtrBuffer;
while (*PtrBuffer != L'\0') {
if (*PtrBuffer == L'-') {
break;
}
PtrBuffer++;
}
if (*PtrBuffer == L'\0') {
FreePool (Buffer);
return EFI_NOT_FOUND;
}
*PtrBuffer = L'\0';
Data = StrHexToUintn (PtrPosition);
Guid->Data3 = (UINT16)Data;
//
// Data4[0..1]
//
for ( Index = 0 ; Index < 2 ; Index++) {
PtrBuffer++;
if ((*PtrBuffer == L'\0') || ( *(PtrBuffer + 1) == L'\0')) {
FreePool (Buffer);
return EFI_NOT_FOUND;
}
Digits[0] = *PtrBuffer;
PtrBuffer++;
Digits[1] = *PtrBuffer;
Digits[2] = L'\0';
Data = StrHexToUintn (Digits);
Guid->Data4[Index] = (UINT8)Data;
}
//
// skip the '-'
//
PtrBuffer++;
if ((*PtrBuffer != L'-' ) || ( *PtrBuffer == L'\0')) {
return EFI_NOT_FOUND;
}
//
// Data4[2..7]
//
for ( ; Index < 8; Index++) {
PtrBuffer++;
if ((*PtrBuffer == L'\0') || ( *(PtrBuffer + 1) == L'\0')) {
FreePool (Buffer);
return EFI_NOT_FOUND;
}
Digits[0] = *PtrBuffer;
PtrBuffer++;
Digits[1] = *PtrBuffer;
Digits[2] = L'\0';
Data = StrHexToUintn (Digits);
Guid->Data4[Index] = (UINT8)Data;
}
FreePool (Buffer);
return EFI_SUCCESS;
}
/**
Worker function that prints an EFI_GUID into specified Buffer.
@param[in] Guid Pointer to GUID to print.
@param[in] Buffer Buffer to print Guid into.
@param[in] BufferSize Size of Buffer.
@retval Number of characters printed.
**/
UINTN
GuidToString (
IN EFI_GUID *Guid,
IN CHAR16 *Buffer,
IN UINTN BufferSize
)
{
UINTN Size;
Size = UnicodeSPrint (
Buffer,
BufferSize,
L"%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
(UINTN)Guid->Data1,
(UINTN)Guid->Data2,
(UINTN)Guid->Data3,
(UINTN)Guid->Data4[0],
(UINTN)Guid->Data4[1],
(UINTN)Guid->Data4[2],
(UINTN)Guid->Data4[3],
(UINTN)Guid->Data4[4],
(UINTN)Guid->Data4[5],
(UINTN)Guid->Data4[6],
(UINTN)Guid->Data4[7]
);
//
// SPrint will null terminate the string. The -1 skips the null
//
return Size - 1;
}

View File

@ -0,0 +1,118 @@
/** @file
Header file for NV data structure definition.
Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef __SECUREBOOT_CONFIG_NV_DATA_H__
#define __SECUREBOOT_CONFIG_NV_DATA_H__
#include <Guid/HiiPlatformSetupFormset.h>
#include <Guid/SecureBootConfigHii.h>
//
// Used by VFR for form or button identification
//
#define SECUREBOOT_CONFIGURATION_VARSTORE_ID 0x0001
#define SECUREBOOT_CONFIGURATION_FORM_ID 0x01
#define FORMID_SECURE_BOOT_OPTION_FORM 0x02
#define FORMID_SECURE_BOOT_PK_OPTION_FORM 0x03
#define FORMID_SECURE_BOOT_KEK_OPTION_FORM 0x04
#define FORMID_SECURE_BOOT_DB_OPTION_FORM 0x05
#define FORMID_SECURE_BOOT_DBX_OPTION_FORM 0x06
#define FORMID_ENROLL_PK_FORM 0x07
#define SECUREBOOT_ADD_PK_FILE_FORM_ID 0x08
#define FORMID_ENROLL_KEK_FORM 0x09
#define FORMID_DELETE_KEK_FORM 0x0a
#define SECUREBOOT_ENROLL_SIGNATURE_TO_DB 0x0b
#define SECUREBOOT_DELETE_SIGNATURE_FROM_DB 0x0c
#define SECUREBOOT_ENROLL_SIGNATURE_TO_DBX 0x0d
#define SECUREBOOT_DELETE_SIGNATURE_FROM_DBX 0x0e
#define FORM_FILE_EXPLORER_ID 0x0f
#define FORM_FILE_EXPLORER_ID_PK 0x10
#define FORM_FILE_EXPLORER_ID_KEK 0x11
#define FORM_FILE_EXPLORER_ID_DB 0x12
#define FORM_FILE_EXPLORER_ID_DBX 0x13
#define SECURE_BOOT_MODE_CUSTOM 0x01
#define SECURE_BOOT_MODE_STANDARD 0x00
#define KEY_SECURE_BOOT_ENABLE 0x1000
#define KEY_SECURE_BOOT_MODE 0x1001
#define KEY_VALUE_SAVE_AND_EXIT_DB 0x1002
#define KEY_VALUE_NO_SAVE_AND_EXIT_DB 0x1003
#define KEY_VALUE_SAVE_AND_EXIT_PK 0x1004
#define KEY_VALUE_NO_SAVE_AND_EXIT_PK 0x1005
#define KEY_VALUE_SAVE_AND_EXIT_KEK 0x1008
#define KEY_VALUE_NO_SAVE_AND_EXIT_KEK 0x1009
#define KEY_VALUE_SAVE_AND_EXIT_DBX 0x100a
#define KEY_VALUE_NO_SAVE_AND_EXIT_DBX 0x100b
#define KEY_SECURE_BOOT_OPTION 0x1100
#define KEY_SECURE_BOOT_PK_OPTION 0x1101
#define KEY_SECURE_BOOT_KEK_OPTION 0x1102
#define KEY_SECURE_BOOT_DB_OPTION 0x1103
#define KEY_SECURE_BOOT_DBX_OPTION 0x1104
#define KEY_SECURE_BOOT_DELETE_PK 0x1105
#define KEY_ENROLL_PK 0x1106
#define KEY_ENROLL_KEK 0x1107
#define KEY_DELETE_KEK 0x1108
#define KEY_SECURE_BOOT_KEK_GUID 0x110a
#define KEY_SECURE_BOOT_SIGNATURE_GUID_DB 0x110b
#define KEY_SECURE_BOOT_SIGNATURE_GUID_DBX 0x110c
#define LABEL_KEK_DELETE 0x1200
#define LABEL_DB_DELETE 0x1201
#define LABEL_DBX_DELETE 0x1202
#define LABEL_END 0xffff
#define SECURE_BOOT_MAX_ATTEMPTS_NUM 255
#define CONFIG_OPTION_OFFSET 0x2000
#define OPTION_CONFIG_QUESTION_ID 0x2000
#define OPTION_CONFIG_RANGE 0x1000
//
// Question ID 0x2000 ~ 0x2FFF is for KEK
//
#define OPTION_DEL_KEK_QUESTION_ID 0x2000
//
// Question ID 0x3000 ~ 0x3FFF is for DB
//
#define OPTION_DEL_DB_QUESTION_ID 0x3000
//
// Question ID 0x4000 ~ 0x4FFF is for DBX
//
#define OPTION_DEL_DBX_QUESTION_ID 0x4000
#define FILE_OPTION_OFFSET 0x8000
#define FILE_OPTION_MASK 0x7FFF
#define SECURE_BOOT_GUID_SIZE 36
#define SECURE_BOOT_GUID_STORAGE_SIZE 37
//
// Nv Data structure referenced by IFR
//
typedef struct {
BOOLEAN SecureBootState; //Secure Boot Disable/Enable;
BOOLEAN HideSecureBoot; //Hiden Attempt Secure Boot
CHAR16 SignatureGuid[SECURE_BOOT_GUID_STORAGE_SIZE];
BOOLEAN PhysicalPresent; //If a Physical Present User;
UINT8 SecureBootMode; //Secure Boot Mode: Standard Or Custom
BOOLEAN DeletePk;
BOOLEAN HasPk; //If Pk is existed it is true;
} SECUREBOOT_CONFIGURATION;
#endif