tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Enable/Disable Secured Boot by 'Secure Boot Configuration' Page which is under Setup browser. 

Signed-off-by: qianouyang
Reviewed-by: gdong1

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12586 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
qianouyang 2011-10-28 03:46:20 +00:00
parent 23491d5cc2
commit beda2356f5
17 changed files with 1025 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
View File

@ -21,7 +21,19 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#define EFI_AUTHENTICATED_VARIABLE_GUID \ #define EFI_AUTHENTICATED_VARIABLE_GUID \
{ 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } } { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } }
#define EFI_SECURE_BOOT_ENABLE_DISABLE \
{ 0xf0a30bc7, 0xaf08, 0x4556, { 0x99, 0xc4, 0x0, 0x10, 0x9, 0xc9, 0x3a, 0x44 } }
extern EFI_GUID gEfiAuthenticatedVariableGuid; extern EFI_GUID gEfiAuthenticatedVariableGuid;
extern EFI_GUID gEfiSecureBootEnableDisableGuid;
///
/// "SecureBootEnable" variable for the Secure boot feature enable/disable.
///
#define EFI_SECURE_BOOT_ENABLE_NAME L"SecureBootEnable"
#define SECURE_BOOT_ENABLE 1
#define SECURE_BOOT_DISABLE 0
/// ///
/// Alignment of variable name and data, according to the architecture: /// Alignment of variable name and data, according to the architecture:

26
SecurityPkg/Include/Guid/SecureBootConfigHii.h Normal file
View File

@ -0,0 +1,26 @@
/** @file
GUIDs used as HII FormSet and HII Package list GUID in SecureBootConfigDxe driver.
Copyright (c) 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials are licensed and made available under
the terms and conditions of the BSD License that accompanies this distribution.
The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php.
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef __SECUREBOOT_CONFIG_HII_GUID_H__
#define __SECUREBOOT_CONFIG_HII_GUID_H__
#define SECUREBOOT_CONFIG_FORM_SET_GUID \
{ \
0x5daf50a5, 0xea81, 0x4de2, {0x8f, 0x9b, 0xca, 0xbd, 0xa9, 0xcf, 0x5c, 0x14} \
}
extern EFI_GUID gSecureBootConfigFormSetGuid;
#endif

19
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
View File

@ -1117,7 +1117,6 @@ DxeImageVerificationHandler (
IN VOID *FileBuffer, IN VOID *FileBuffer,
IN UINTN FileSize IN UINTN FileSize
) )
{ {
EFI_STATUS Status; EFI_STATUS Status;
UINT16 Magic; UINT16 Magic;
@ -1130,6 +1129,7 @@ DxeImageVerificationHandler (
EFI_IMAGE_EXECUTION_ACTION Action; EFI_IMAGE_EXECUTION_ACTION Action;
WIN_CERTIFICATE *WinCertificate; WIN_CERTIFICATE *WinCertificate;
UINT32 Policy; UINT32 Policy;
UINT8 *SecureBootEnable;
if (File == NULL) { if (File == NULL) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
@ -1173,6 +1173,23 @@ DxeImageVerificationHandler (
} else if (Policy == NEVER_EXECUTE) { } else if (Policy == NEVER_EXECUTE) {
return EFI_ACCESS_DENIED; return EFI_ACCESS_DENIED;
} }
SecureBootEnable = GetVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid);
//
// Skip verification if SecureBootEnable variable doesn't exist.
//
if (SecureBootEnable == NULL) {
return EFI_SUCCESS;
}
//
// Skip verification if SecureBootEnable is disabled.
//
if (*SecureBootEnable == SECURE_BOOT_DISABLE) {
FreePool (SecureBootEnable);
return EFI_SUCCESS;
}
SetupMode = GetEfiGlobalVariable (EFI_SETUP_MODE_NAME); SetupMode = GetEfiGlobalVariable (EFI_SETUP_MODE_NAME);
// //

1
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.h
View File

@ -34,6 +34,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Protocol/SimpleFileSystem.h> #include <Protocol/SimpleFileSystem.h>
#include <Protocol/VariableWrite.h> #include <Protocol/VariableWrite.h>
#include <Guid/ImageAuthentication.h> #include <Guid/ImageAuthentication.h>
#include <Guid/AuthenticatedVariableFormat.h>
#include <IndustryStandard/PeImage.h> #include <IndustryStandard/PeImage.h>
#define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256 #define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256

1
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
View File

@ -62,6 +62,7 @@
gEfiCertSha256Guid gEfiCertSha256Guid
gEfiCertX509Guid gEfiCertX509Guid
gEfiCertRsa2048Guid gEfiCertRsa2048Guid
gEfiSecureBootEnableDisableGuid
[Pcd] [Pcd]
gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy

8
SecurityPkg/SecurityPkg.dec
View File

@ -35,6 +35,9 @@
# Include/Guid/AuthenticatedVariableFormat.h # Include/Guid/AuthenticatedVariableFormat.h
gEfiAuthenticatedVariableGuid = { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } } gEfiAuthenticatedVariableGuid = { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } }
# Include/Guid/AuthenticatedVariableFormat.h
gEfiSecureBootEnableDisableGuid = { 0xf0a30bc7, 0xaf08, 0x4556, { 0x99, 0xc4, 0x0, 0x10, 0x9, 0xc9, 0x3a, 0x44 } }
## Include/Guid/TcgEventHob.h ## Include/Guid/TcgEventHob.h
gTcgEventEntryHobGuid = { 0x2e3044ac, 0x879f, 0x490f, {0x97, 0x60, 0xbb, 0xdf, 0xaf, 0x69, 0x5f, 0x50 }} gTcgEventEntryHobGuid = { 0x2e3044ac, 0x879f, 0x490f, {0x97, 0x60, 0xbb, 0xdf, 0xaf, 0x69, 0x5f, 0x50 }}
@ -55,7 +58,10 @@
## Include/Guid/TcgConfigHii.h ## Include/Guid/TcgConfigHii.h
gTcgConfigFormSetGuid = { 0xb0f901e4, 0xc424, 0x45de, { 0x90, 0x81, 0x95, 0xe2, 0xb, 0xde, 0x6f, 0xb5 }} gTcgConfigFormSetGuid = { 0xb0f901e4, 0xc424, 0x45de, { 0x90, 0x81, 0x95, 0xe2, 0xb, 0xde, 0x6f, 0xb5 }}
## Include/Guid/SecureBootConfigHii.h
gSecureBootConfigFormSetGuid = { 0x5daf50a5, 0xea81, 0x4de2, {0x8f, 0x9b, 0xca, 0xbd, 0xa9, 0xcf, 0x5c, 0x14}}
[Ppis] [Ppis]
## Include/Ppi/LockPhysicalPresence.h ## Include/Ppi/LockPhysicalPresence.h
gPeiLockPhysicalPresencePpiGuid = { 0xef9aefe5, 0x2bd3, 0x4031, { 0xaf, 0x7d, 0x5e, 0xfe, 0x5a, 0xbb, 0x9a, 0xd } } gPeiLockPhysicalPresencePpiGuid = { 0xef9aefe5, 0x2bd3, 0x4031, { 0xaf, 0x7d, 0x5e, 0xfe, 0x5a, 0xbb, 0x9a, 0xd } }

3
SecurityPkg/SecurityPkg.dsc
View File

@ -104,7 +104,8 @@
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
} }
SecurityPkg/Tcg/TcgSmm/TcgSmm.inf SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
SecurityPkg\VariableAuthenticated\SecureBootConfigDxe\SecureBootConfigDxe.inf
[Components.IA32, Components.X64] [Components.IA32, Components.X64]
SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf { SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf {
<LibraryClasses> <LibraryClasses>

96
SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
View File

@ -69,11 +69,15 @@ AutenticatedVariableServiceInitialize (
{ {
EFI_STATUS Status; EFI_STATUS Status;
VARIABLE_POINTER_TRACK Variable; VARIABLE_POINTER_TRACK Variable;
VARIABLE_POINTER_TRACK Variable2;
UINT8 VarValue; UINT8 VarValue;
UINT32 VarAttr; UINT32 VarAttr;
UINT8 *Data; UINT8 *Data;
UINTN DataSize; UINTN DataSize;
UINTN CtxSize; UINTN CtxSize;
UINT8 SecureBootMode;
UINT8 SecureBootEnable;
// //
// Initialize hash context. // Initialize hash context.
// //
@ -146,10 +150,10 @@ AutenticatedVariableServiceInitialize (
Status = FindVariable ( Status = FindVariable (
EFI_PLATFORM_KEY_NAME, EFI_PLATFORM_KEY_NAME,
&gEfiGlobalVariableGuid, &gEfiGlobalVariableGuid,
&Variable, &Variable2,
&mVariableModuleGlobal->VariableGlobal &mVariableModuleGlobal->VariableGlobal
); );
if (Variable.CurrPtr == NULL) { if (Variable2.CurrPtr == NULL) {
mPlatformMode = SETUP_MODE; mPlatformMode = SETUP_MODE;
} else { } else {
mPlatformMode = USER_MODE; mPlatformMode = USER_MODE;
@ -184,6 +188,7 @@ AutenticatedVariableServiceInitialize (
&mVariableModuleGlobal->VariableGlobal &mVariableModuleGlobal->VariableGlobal
); );
if (Variable.CurrPtr == NULL) { if (Variable.CurrPtr == NULL) {
VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS; VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
Status = UpdateVariable ( Status = UpdateVariable (
@ -198,7 +203,37 @@ AutenticatedVariableServiceInitialize (
NULL NULL
); );
} }
//
// If "SecureBootEnable" variable exists, then update "SecureBoot" variable.
// If "SecureBootEnable" variable is SECURE_BOOT_ENABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
// If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
//
FindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal);
if (Variable.CurrPtr != NULL) {
SecureBootEnable = *(GetVariableDataPtr (Variable.CurrPtr));
if (SecureBootEnable == SECURE_BOOT_ENABLE) {
SecureBootMode = SECURE_BOOT_MODE_ENABLE;
} else {
SecureBootMode = SECURE_BOOT_MODE_DISABLE;
}
FindVariable (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal);
Status = UpdateVariable (
EFI_SECURE_BOOT_MODE_NAME,
&gEfiGlobalVariableGuid,
&SecureBootMode,
sizeof(UINT8),
EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS,
0,
0,
&Variable,
NULL
);
if (EFI_ERROR (Status)) {
return Status;
}
}
// //
// Detect whether a secure platform-specific method to clear PK(Platform Key) // Detect whether a secure platform-specific method to clear PK(Platform Key)
// is configured by platform owner. This method is provided for users force to clear PK // is configured by platform owner. This method is provided for users force to clear PK
@ -445,7 +480,9 @@ UpdatePlatformMode (
VARIABLE_POINTER_TRACK Variable; VARIABLE_POINTER_TRACK Variable;
UINT32 VarAttr; UINT32 VarAttr;
UINT8 SecureBootMode; UINT8 SecureBootMode;
UINT8 SecureBootEnable;
UINTN VariableDataSize;
Status = FindVariable ( Status = FindVariable (
EFI_SETUP_MODE_NAME, EFI_SETUP_MODE_NAME,
&gEfiGlobalVariableGuid, &gEfiGlobalVariableGuid,
@ -457,7 +494,7 @@ UpdatePlatformMode (
} }
mPlatformMode = Mode; mPlatformMode = Mode;
VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS; VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
Status = UpdateVariable ( Status = UpdateVariable (
EFI_SETUP_MODE_NAME, EFI_SETUP_MODE_NAME,
&gEfiGlobalVariableGuid, &gEfiGlobalVariableGuid,
@ -501,8 +538,8 @@ UpdatePlatformMode (
} }
} }
VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS; VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
return UpdateVariable ( Status = UpdateVariable (
EFI_SECURE_BOOT_MODE_NAME, EFI_SECURE_BOOT_MODE_NAME,
&gEfiGlobalVariableGuid, &gEfiGlobalVariableGuid,
&SecureBootMode, &SecureBootMode,
@ -513,6 +550,51 @@ UpdatePlatformMode (
&Variable, &Variable,
NULL NULL
); );
if (EFI_ERROR (Status)) {
return Status;
}
//
// Check "SecureBootEnable" variable's existence. It can enable/disable secure boot feature.
//
Status = FindVariable (
EFI_SECURE_BOOT_ENABLE_NAME,
&gEfiSecureBootEnableDisableGuid,
&Variable,
&mVariableModuleGlobal->VariableGlobal
);
if (SecureBootMode == SECURE_BOOT_MODE_ENABLE) {
//
// Create the "SecureBootEnable" variable as secure boot is enabled.
//
SecureBootEnable = SECURE_BOOT_ENABLE;
VariableDataSize = sizeof (SecureBootEnable);
} else {
//
// Delete the "SecureBootEnable" variable if this variable exist as "SecureBoot"
// variable is not in secure boot state.
//
if (Variable.CurrPtr == NULL || EFI_ERROR (Status)) {
return EFI_SUCCESS;
}
SecureBootEnable = SECURE_BOOT_DISABLE;
VariableDataSize = 0;
}
Status = UpdateVariable (
EFI_SECURE_BOOT_ENABLE_NAME,
&gEfiSecureBootEnableDisableGuid,
&SecureBootEnable,
VariableDataSize,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
0,
0,
&Variable,
NULL
);
return Status;
} }
/** /**

3
SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
View File

@ -71,7 +71,8 @@
gEfiImageSecurityDatabaseGuid gEfiImageSecurityDatabaseGuid
gEfiCertX509Guid gEfiCertX509Guid
gEfiCertPkcs7Guid gEfiCertPkcs7Guid
gEfiCertRsa2048Guid gEfiCertRsa2048Guid
gEfiSecureBootEnableDisableGuid
[Pcd] [Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize

3
SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
View File

@ -76,7 +76,8 @@
gEfiImageSecurityDatabaseGuid gEfiImageSecurityDatabaseGuid
gEfiCertX509Guid gEfiCertX509Guid
gEfiCertPkcs7Guid gEfiCertPkcs7Guid
gEfiCertRsa2048Guid gEfiCertRsa2048Guid
gEfiSecureBootEnableDisableGuid
[Pcd] [Pcd]
gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize

50
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr Normal file
View File

@ -0,0 +1,50 @@
/** @file
VFR file used by the SecureBoot configuration component.
Copyright (c) 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "SecureBootConfigNvData.h"
formset
guid = SECUREBOOT_CONFIG_FORM_SET_GUID,
title = STRING_TOKEN(STR_SECUREBOOT_TITLE),
help = STRING_TOKEN(STR_SECUREBOOT_HELP),
classguid = EFI_HII_PLATFORM_SETUP_FORMSET_GUID,
varstore SECUREBOOT_CONFIGURATION,
varid = SECUREBOOT_CONFIGURATION_VARSTORE_ID,
name = SECUREBOOT_CONFIGURATION,
guid = SECUREBOOT_CONFIG_FORM_SET_GUID;
form formid = SECUREBOOT_CONFIGURATION_FORM_ID,
title = STRING_TOKEN(STR_SECUREBOOT_TITLE);
subtitle text = STRING_TOKEN(STR_NULL);
suppressif TRUE;
checkbox varid = SECUREBOOT_CONFIGURATION.HideSecureBoot,
prompt = STRING_TOKEN(STR_NULL),
help = STRING_TOKEN(STR_NULL),
endcheckbox;
endif;
grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1;
checkbox varid = SECUREBOOT_CONFIGURATION.SecureBootState,
questionid = KEY_SECURE_BOOT_ENABLE,
prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT),
help = STRING_TOKEN(STR_SECURE_BOOT_HELP),
endcheckbox;
endif;
endform;
endformset;

133
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c Normal file
View File

@ -0,0 +1,133 @@
/** @file
The module entry point for SecureBoot configuration module.
Copyright (c) 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "SecureBootConfigImpl.h"
/**
The entry point for SecureBoot configuration driver.
@param[in] ImageHandle The image handle of the driver.
@param[in] SystemTable The system table.
@retval EFI_ALREADY_STARTED The driver already exists in system.
@retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack of resources.
@retval EFI_SUCCES All the related protocols are installed on the driver.
@retval Others Fail to get the SecureBootEnable variable.
**/
EFI_STATUS
EFIAPI
SecureBootConfigDriverEntryPoint (
IN EFI_HANDLE ImageHandle,
IN EFI_SYSTEM_TABLE *SystemTable
)
{
EFI_STATUS Status;
SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
//
// If already started, return.
//
Status = gBS->OpenProtocol (
ImageHandle,
&gEfiCallerIdGuid,
NULL,
ImageHandle,
ImageHandle,
EFI_OPEN_PROTOCOL_TEST_PROTOCOL
);
if (!EFI_ERROR (Status)) {
return EFI_ALREADY_STARTED;
}
//
// Create a private data structure.
//
PrivateData = AllocateCopyPool (sizeof (SECUREBOOT_CONFIG_PRIVATE_DATA), &mSecureBootConfigPrivateDateTemplate);
if (PrivateData == NULL) {
return EFI_OUT_OF_RESOURCES;
}
//
// Install SecureBoot configuration form
//
Status = InstallSecureBootConfigForm (PrivateData);
if (EFI_ERROR (Status)) {
goto ErrorExit;
}
//
// Install private GUID.
//
Status = gBS->InstallMultipleProtocolInterfaces (
&ImageHandle,
&gEfiCallerIdGuid,
PrivateData,
NULL
);
if (EFI_ERROR (Status)) {
goto ErrorExit;
}
return EFI_SUCCESS;
ErrorExit:
if (PrivateData != NULL) {
UninstallSecureBootConfigForm (PrivateData);
}
return Status;
}
/**
Unload the SecureBoot configuration form.
@param[in] ImageHandle The driver's image handle.
@retval EFI_SUCCESS The SecureBoot configuration form is unloaded.
@retval Others Failed to unload the form.
**/
EFI_STATUS
EFIAPI
SecureBootConfigDriverUnload (
IN EFI_HANDLE ImageHandle
)
{
EFI_STATUS Status;
SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
Status = gBS->HandleProtocol (
ImageHandle,
&gEfiCallerIdGuid,
(VOID **) &PrivateData
);
if (EFI_ERROR (Status)) {
return Status;
}
ASSERT (PrivateData->Signature == SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE);
gBS->UninstallMultipleProtocolInterfaces (
&ImageHandle,
&gEfiCallerIdGuid,
PrivateData,
NULL
);
UninstallSecureBootConfigForm (PrivateData);
return EFI_SUCCESS;
}

65
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf Normal file
View File

@ -0,0 +1,65 @@
## @file
# Component name for SecureBoot configuration module.
#
# Copyright (c) 2011, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = SecureBootConfigDxe
FILE_GUID = F0E6A44F-7195-41c3-AC64-54F202CD0A21
MODULE_TYPE = DXE_DRIVER
VERSION_STRING = 1.0
ENTRY_POINT = SecureBootConfigDriverEntryPoint
UNLOAD_IMAGE = SecureBootConfigDriverUnload
#
# VALID_ARCHITECTURES = IA32 X64 IPF EBC
#
[Sources]
SecureBootConfigDriver.c
SecureBootConfigImpl.c
SecureBootConfigImpl.h
SecureBootConfig.vfr
SecureBootConfigStrings.uni
SecureBootConfigNvData.h
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec
[LibraryClasses]
BaseLib
BaseMemoryLib
MemoryAllocationLib
UefiLib
UefiBootServicesTableLib
UefiRuntimeServicesTableLib
UefiDriverEntryPoint
UefiHiiServicesLib
DebugLib
HiiLib
[Guids]
gEfiIfrTianoGuid
gEfiSecureBootEnableDisableGuid
gSecureBootConfigFormSetGuid
[Protocols]
gEfiHiiConfigAccessProtocolGuid ## PRODUCES
gEfiHiiConfigRoutingProtocolGuid ## CONSUMES
[Depex]
gEfiHiiConfigRoutingProtocolGuid AND
gEfiHiiDatabaseProtocolGuid AND
gEfiVariableArchProtocolGuid AND
gEfiVariableWriteArchProtocolGuid

393
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c Normal file
View File

@ -0,0 +1,393 @@
/** @file
HII Config Access protocol implementation of SecureBoot configuration module.
Copyright (c) 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "SecureBootConfigImpl.h"
CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION";
SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate = {
SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE,
{
SecureBootExtractConfig,
SecureBootRouteConfig,
SecureBootCallback
}
};
HII_VENDOR_DEVICE_PATH mSecureBootHiiVendorDevicePath = {
{
{
HARDWARE_DEVICE_PATH,
HW_VENDOR_DP,
{
(UINT8) (sizeof (VENDOR_DEVICE_PATH)),
(UINT8) ((sizeof (VENDOR_DEVICE_PATH)) >> 8)
}
},
SECUREBOOT_CONFIG_FORM_SET_GUID
},
{
END_DEVICE_PATH_TYPE,
END_ENTIRE_DEVICE_PATH_SUBTYPE,
{
(UINT8) (END_DEVICE_PATH_LENGTH),
(UINT8) ((END_DEVICE_PATH_LENGTH) >> 8)
}
}
};
/**
Save Secure Boot option to variable space.
@param[in] VarValue The option of Secure Boot.
@retval EFI_SUCCESS The operation is finished successfully.
@retval Others Other errors as indicated.
**/
EFI_STATUS
SaveSecureBootVariable (
IN UINT8 VarValue
)
{
EFI_STATUS Status;
Status = gRT->SetVariable (
EFI_SECURE_BOOT_ENABLE_NAME,
&gEfiSecureBootEnableDisableGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
sizeof (UINT8),
&VarValue
);
if (EFI_ERROR (Status)) {
return Status;
}
gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL);
return EFI_SUCCESS;
}
/**
This function allows a caller to extract the current configuration for one
or more named elements from the target driver.
@param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
@param[in] Request A null-terminated Unicode string in
<ConfigRequest> format.
@param[out] Progress On return, points to a character in the Request
string. Points to the string's null terminator if
request was successful. Points to the most recent
'&' before the first failing name/value pair (or
the beginning of the string if the failure is in
the first name/value pair) if the request was not
successful.
@param[out] Results A null-terminated Unicode string in
<ConfigAltResp> format which has all values filled
in for the names in the Request string. String to
be allocated by the called function.
@retval EFI_SUCCESS The Results is filled with the requested values.
@retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
@retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
@retval EFI_NOT_FOUND Routing data doesn't match any storage in this
driver.
**/
EFI_STATUS
EFIAPI
SecureBootExtractConfig (
IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
IN CONST EFI_STRING Request,
OUT EFI_STRING *Progress,
OUT EFI_STRING *Results
)
{
EFI_STATUS Status;
UINTN BufferSize;
SECUREBOOT_CONFIGURATION Configuration;
EFI_STRING ConfigRequest;
UINT8 *SecureBootEnable;
if (Progress == NULL || Results == NULL) {
return EFI_INVALID_PARAMETER;
}
*Progress = Request;
if ((Request != NULL) && !HiiIsConfigHdrMatch (Request, &gSecureBootConfigFormSetGuid, mSecureBootStorageName)) {
return EFI_NOT_FOUND;
}
//
// Get the SecureBoot Variable
//
SecureBootEnable = GetVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid);
//
// If the SecureBoot Variable doesn't exist, hide the SecureBoot Enable/Disable
// Checkbox.
//
if (SecureBootEnable == NULL) {
Configuration.HideSecureBoot = TRUE;
} else {
Configuration.HideSecureBoot = FALSE;
Configuration.SecureBootState = *SecureBootEnable;
}
BufferSize = sizeof (Configuration);
ConfigRequest = Request;
Status = gHiiConfigRouting->BlockToConfig (
gHiiConfigRouting,
ConfigRequest,
(UINT8 *) &Configuration,
BufferSize,
Results,
Progress
);
//
// Set Progress string to the original request string.
//
if (Request == NULL) {
*Progress = NULL;
} else if (StrStr (Request, L"OFFSET") == NULL) {
*Progress = Request + StrLen (Request);
}
return Status;
}
/**
This function processes the results of changes in configuration.
@param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
@param[in] Configuration A null-terminated Unicode string in <ConfigResp>
format.
@param[out] Progress A pointer to a string filled in with the offset of
the most recent '&' before the first failing
name/value pair (or the beginning of the string if
the failure is in the first name/value pair) or
the terminating NULL if all was successful.
@retval EFI_SUCCESS The Results is processed successfully.
@retval EFI_INVALID_PARAMETER Configuration is NULL.
@retval EFI_NOT_FOUND Routing data doesn't match any storage in this
driver.
**/
EFI_STATUS
EFIAPI
SecureBootRouteConfig (
IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
IN CONST EFI_STRING Configuration,
OUT EFI_STRING *Progress
)
{
EFI_STATUS Status;
UINTN BufferSize;
SECUREBOOT_CONFIGURATION SecureBootConfiguration;
UINT8 *SecureBootEnable;
if (Configuration == NULL || Progress == NULL) {
return EFI_INVALID_PARAMETER;
}
*Progress = Configuration;
if (!HiiIsConfigHdrMatch (Configuration, &gSecureBootConfigFormSetGuid, mSecureBootStorageName)) {
return EFI_NOT_FOUND;
}
//
// Convert <ConfigResp> to buffer data by helper function ConfigToBlock()
//
BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
Status = gHiiConfigRouting->ConfigToBlock (
gHiiConfigRouting,
Configuration,
(UINT8 *) &SecureBootConfiguration,
&BufferSize,
Progress
);
if (EFI_ERROR (Status)) {
return Status;
}
SecureBootEnable = GetVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid);
if (SecureBootEnable == NULL) {
return EFI_SUCCESS;
}
if ((*SecureBootEnable) != SecureBootConfiguration.SecureBootState) {
//
// If the configure is changed, update the SecureBoot Variable.
//
SaveSecureBootVariable (SecureBootConfiguration.SecureBootState);
}
return EFI_SUCCESS;
}
/**
This function processes the results of changes in configuration.
@param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
@param[in] Action Specifies the type of action taken by the browser.
@param[in] QuestionId A unique value which is sent to the original
exporting driver so that it can identify the type
of data to expect.
@param[in] Type The type of value for the question.
@param[in] Value A pointer to the data being sent to the original
exporting driver.
@param[out] ActionRequest On return, points to the action requested by the
callback function.
@retval EFI_SUCCESS The callback successfully handled the action.
@retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
variable and its data.
@retval EFI_DEVICE_ERROR The variable could not be saved.
@retval EFI_UNSUPPORTED The specified Action is not supported by the
callback.
**/
EFI_STATUS
EFIAPI
SecureBootCallback (
IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
IN EFI_BROWSER_ACTION Action,
IN EFI_QUESTION_ID QuestionId,
IN UINT8 Type,
IN EFI_IFR_TYPE_VALUE *Value,
OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
)
{
BOOLEAN SecureBootEnable;
if ((This == NULL) || (Value == NULL) || (ActionRequest == NULL)) {
return EFI_INVALID_PARAMETER;
}
if ((Action != EFI_BROWSER_ACTION_CHANGING) || (QuestionId != KEY_SECURE_BOOT_ENABLE)) {
return EFI_UNSUPPORTED;
}
if (NULL == GetVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid)) {
return EFI_SUCCESS;
}
SecureBootEnable = Value->u8;
SaveSecureBootVariable (Value->u8);
return EFI_SUCCESS;
}
/**
This function publish the SecureBoot configuration Form.
@param[in, out] PrivateData Points to SecureBoot configuration private data.
@retval EFI_SUCCESS HII Form is installed for this network device.
@retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
@retval Others Other errors as indicated.
**/
EFI_STATUS
InstallSecureBootConfigForm (
IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
)
{
EFI_STATUS Status;
EFI_HII_HANDLE HiiHandle;
EFI_HANDLE DriverHandle;
EFI_HII_CONFIG_ACCESS_PROTOCOL *ConfigAccess;
DriverHandle = NULL;
ConfigAccess = &PrivateData->ConfigAccess;
Status = gBS->InstallMultipleProtocolInterfaces (
&DriverHandle,
&gEfiDevicePathProtocolGuid,
&mSecureBootHiiVendorDevicePath,
&gEfiHiiConfigAccessProtocolGuid,
ConfigAccess,
NULL
);
if (EFI_ERROR (Status)) {
return Status;
}
PrivateData->DriverHandle = DriverHandle;
//
// Publish the HII package list
//
HiiHandle = HiiAddPackages (
&gSecureBootConfigFormSetGuid,
DriverHandle,
SecureBootConfigDxeStrings,
SecureBootConfigBin,
NULL
);
if (HiiHandle == NULL) {
gBS->UninstallMultipleProtocolInterfaces (
DriverHandle,
&gEfiDevicePathProtocolGuid,
&mSecureBootHiiVendorDevicePath,
&gEfiHiiConfigAccessProtocolGuid,
ConfigAccess,
NULL
);
return EFI_OUT_OF_RESOURCES;
}
PrivateData->HiiHandle = HiiHandle;
return EFI_SUCCESS;
}
/**
This function removes SecureBoot configuration Form.
@param[in, out] PrivateData Points to SecureBoot configuration private data.
**/
VOID
UninstallSecureBootConfigForm (
IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
)
{
//
// Uninstall HII package list
//
if (PrivateData->HiiHandle != NULL) {
HiiRemovePackages (PrivateData->HiiHandle);
PrivateData->HiiHandle = NULL;
}
//
// Uninstall HII Config Access Protocol
//
if (PrivateData->DriverHandle != NULL) {
gBS->UninstallMultipleProtocolInterfaces (
PrivateData->DriverHandle,
&gEfiDevicePathProtocolGuid,
&mSecureBootHiiVendorDevicePath,
&gEfiHiiConfigAccessProtocolGuid,
&PrivateData->ConfigAccess,
NULL
);
PrivateData->DriverHandle = NULL;
}
FreePool (PrivateData);
}

190
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h Normal file
View File

@ -0,0 +1,190 @@
/** @file
The header file of HII Config Access protocol implementation of SecureBoot
configuration module.
Copyright (c) 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef __SECUREBOOT_CONFIG_IMPL_H__
#define __SECUREBOOT_CONFIG_IMPL_H__
#include <Uefi.h>
#include <Protocol/HiiConfigAccess.h>
#include <Protocol/HiiConfigRouting.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiHiiServicesLib.h>
#include <Library/UefiLib.h>
#include <Library/HiiLib.h>
#include <Library/DevicePathLib.h>
#include <Guid/MdeModuleHii.h>
#include <Guid/AuthenticatedVariableFormat.h>
#include "SecureBootConfigNvData.h"
//
// Tool generated IFR binary data and String package data
//
extern UINT8 SecureBootConfigBin[];
extern UINT8 SecureBootConfigDxeStrings[];
///
/// HII specific Vendor Device Path definition.
///
typedef struct {
VENDOR_DEVICE_PATH VendorDevicePath;
EFI_DEVICE_PATH_PROTOCOL End;
} HII_VENDOR_DEVICE_PATH;
typedef struct {
UINTN Signature;
EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess;
EFI_HII_HANDLE HiiHandle;
EFI_HANDLE DriverHandle;
} SECUREBOOT_CONFIG_PRIVATE_DATA;
extern SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate;
#define SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('S', 'E', 'C', 'B')
#define SECUREBOOT_CONFIG_PRIVATE_DATA_FROM_THIS(a) CR (a, SECUREBOOT_CONFIG_PRIVATE_DATA, ConfigAccess, SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE)
/**
This function publish the SecureBoot configuration Form.
@param[in, out] PrivateData Points to SecureBoot configuration private data.
@retval EFI_SUCCESS HII Form is installed for this network device.
@retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
@retval Others Other errors as indicated.
**/
EFI_STATUS
InstallSecureBootConfigForm (
IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
);
/**
This function removes SecureBoot configuration Form.
@param[in, out] PrivateData Points to SecureBoot configuration private data.
**/
VOID
UninstallSecureBootConfigForm (
IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
);
/**
This function allows a caller to extract the current configuration for one
or more named elements from the target driver.
@param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
@param[in] Request A null-terminated Unicode string in
<ConfigRequest> format.
@param[out] Progress On return, points to a character in the Request
string. Points to the string's null terminator if
request was successful. Points to the most recent
'&' before the first failing name/value pair (or
the beginning of the string if the failure is in
the first name/value pair) if the request was not
successful.
@param[out] Results A null-terminated Unicode string in
<ConfigAltResp> format which has all values filled
in for the names in the Request string. String to
be allocated by the called function.
@retval EFI_SUCCESS The Results is filled with the requested values.
@retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
@retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
@retval EFI_NOT_FOUND Routing data doesn't match any storage in this
driver.
**/
EFI_STATUS
EFIAPI
SecureBootExtractConfig (
IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
IN CONST EFI_STRING Request,
OUT EFI_STRING *Progress,
OUT EFI_STRING *Results
);
/**
This function processes the results of changes in configuration.
@param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
@param[in] Configuration A null-terminated Unicode string in <ConfigResp>
format.
@param[out] Progress A pointer to a string filled in with the offset of
the most recent '&' before the first failing
name/value pair (or the beginning of the string if
the failure is in the first name/value pair) or
the terminating NULL if all was successful.
@retval EFI_SUCCESS The Results is processed successfully.
@retval EFI_INVALID_PARAMETER Configuration is NULL.
@retval EFI_NOT_FOUND Routing data doesn't match any storage in this
driver.
**/
EFI_STATUS
EFIAPI
SecureBootRouteConfig (
IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
IN CONST EFI_STRING Configuration,
OUT EFI_STRING *Progress
);
/**
This function processes the results of changes in configuration.
@param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
@param[in] Action Specifies the type of action taken by the browser.
@param[in] QuestionId A unique value which is sent to the original
exporting driver so that it can identify the type
of data to expect.
@param[in] Type The type of value for the question.
@param[in] Value A pointer to the data being sent to the original
exporting driver.
@param[out] ActionRequest On return, points to the action requested by the
callback function.
@retval EFI_SUCCESS The callback successfully handled the action.
@retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
variable and its data.
@retval EFI_DEVICE_ERROR The variable could not be saved.
@retval EFI_UNSUPPORTED The specified Action is not supported by the
callback.
**/
EFI_STATUS
EFIAPI
SecureBootCallback (
IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
IN EFI_BROWSER_ACTION Action,
IN EFI_QUESTION_ID QuestionId,
IN UINT8 Type,
IN EFI_IFR_TYPE_VALUE *Value,
OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
);
#endif

34
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h Normal file
View File

@ -0,0 +1,34 @@
/** @file
Header file for NV data structure definition.
Copyright (c) 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef __SECUREBOOT_CONFIG_NV_DATA_H__
#define __SECUREBOOT_CONFIG_NV_DATA_H__
#include <Guid/HiiPlatformSetupFormset.h>
#include <Guid/SecureBootConfigHii.h>
#define SECUREBOOT_CONFIGURATION_VARSTORE_ID 0x0001
#define SECUREBOOT_CONFIGURATION_FORM_ID 0x0001
#define KEY_SECURE_BOOT_ENABLE 0x5000
//
// Nv Data structure referenced by IFR
//
typedef struct {
BOOLEAN SecureBootState;
BOOLEAN HideSecureBoot;
} SECUREBOOT_CONFIGURATION;
#endif

BIN
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni Normal file
View File

Binary file not shown.