/** @file Provides services to initialize and process authenticated variables. Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License that accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php. THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. **/ #ifndef _AUTH_VARIABLE_LIB_H_ #define _AUTH_VARIABLE_LIB_H_ #include /// /// Size of AuthInfo prior to the data payload. /// #define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \ (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \ sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256)) #define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \ (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength) #define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \ (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData))) typedef struct { CHAR16 *VariableName; EFI_GUID *VendorGuid; UINT32 Attributes; UINTN DataSize; VOID *Data; UINT32 PubKeyIndex; UINT64 MonotonicCount; EFI_TIME *TimeStamp; } AUTH_VARIABLE_INFO; /** Finds variable in storage blocks of volatile and non-volatile storage areas. This code finds variable in storage blocks of volatile and non-volatile storage areas. If VariableName is an empty string, then we just return the first qualified variable without comparing VariableName and VendorGuid. @param[in] VariableName Name of the variable to be found. @param[in] VendorGuid Variable vendor GUID to be found. @param[out] AuthVariableInfo Pointer to AUTH_VARIABLE_INFO structure for output of the variable found. @retval EFI_INVALID_PARAMETER If VariableName is not an empty string, while VendorGuid is NULL. @retval EFI_SUCCESS Variable successfully found. @retval EFI_NOT_FOUND Variable not found **/ typedef EFI_STATUS (EFIAPI *AUTH_VAR_LIB_FIND_VARIABLE) ( IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, OUT AUTH_VARIABLE_INFO *AuthVariableInfo ); /** Finds next variable in storage blocks of volatile and non-volatile storage areas. This code finds next variable in storage blocks of volatile and non-volatile storage areas. If VariableName is an empty string, then we just return the first qualified variable without comparing VariableName and VendorGuid. @param[in] VariableName Name of the variable to be found. @param[in] VendorGuid Variable vendor GUID to be found. @param[out] AuthVariableInfo Pointer to AUTH_VARIABLE_INFO structure for output of the next variable. @retval EFI_INVALID_PARAMETER If VariableName is not an empty string, while VendorGuid is NULL. @retval EFI_SUCCESS Variable successfully found. @retval EFI_NOT_FOUND Variable not found **/ typedef EFI_STATUS (EFIAPI *AUTH_VAR_LIB_FIND_NEXT_VARIABLE) ( IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, OUT AUTH_VARIABLE_INFO *AuthVariableInfo ); /** Update the variable region with Variable information. @param[in] AuthVariableInfo Pointer AUTH_VARIABLE_INFO structure for input of the variable. @retval EFI_SUCCESS The update operation is success. @retval EFI_INVALID_PARAMETER Invalid parameter. @retval EFI_WRITE_PROTECTED Variable is write-protected. @retval EFI_OUT_OF_RESOURCES There is not enough resource. **/ typedef EFI_STATUS (EFIAPI *AUTH_VAR_LIB_UPDATE_VARIABLE) ( IN AUTH_VARIABLE_INFO *AuthVariableInfo ); /** Get scratch buffer. @param[in, out] ScratchBufferSize Scratch buffer size. If input size is greater than the maximum supported buffer size, this value contains the maximum supported buffer size as output. @param[out] ScratchBuffer Pointer to scratch buffer address. @retval EFI_SUCCESS Get scratch buffer successfully. @retval EFI_UNSUPPORTED If input size is greater than the maximum supported buffer size. **/ typedef EFI_STATUS (EFIAPI *AUTH_VAR_LIB_GET_SCRATCH_BUFFER) ( IN OUT UINTN *ScratchBufferSize, OUT VOID **ScratchBuffer ); /** This function is to check if the remaining variable space is enough to set all Variables from argument list successfully. The purpose of the check is to keep the consistency of the Variables to be in variable storage. Note: Variables are assumed to be in same storage. The set sequence of Variables will be same with the sequence of VariableEntry from argument list, so follow the argument sequence to check the Variables. @param[in] Attributes Variable attributes for Variable entries. @param ... The variable argument list with type VARIABLE_ENTRY_CONSISTENCY *. A NULL terminates the list. The VariableSize of VARIABLE_ENTRY_CONSISTENCY is the variable data size as input. It will be changed to variable total size as output. @retval TRUE Have enough variable space to set the Variables successfully. @retval FALSE No enough variable space to set the Variables successfully. **/ typedef BOOLEAN (EFIAPI *AUTH_VAR_LIB_CHECK_REMAINING_SPACE) ( IN UINT32 Attributes, ... ); /** Return TRUE if at OS runtime. @retval TRUE If at OS runtime. @retval FALSE If at boot time. **/ typedef BOOLEAN (EFIAPI *AUTH_VAR_LIB_AT_RUNTIME) ( VOID ); #define AUTH_VAR_LIB_CONTEXT_IN_STRUCT_VERSION 0x01 typedef struct { UINTN StructVersion; UINTN StructSize; // // Reflect the overhead associated with the saving // of a single EFI authenticated variable with the exception // of the overhead associated with the length // of the string name of the EFI variable. // UINTN MaxAuthVariableSize; AUTH_VAR_LIB_FIND_VARIABLE FindVariable; AUTH_VAR_LIB_FIND_NEXT_VARIABLE FindNextVariable; AUTH_VAR_LIB_UPDATE_VARIABLE UpdateVariable; AUTH_VAR_LIB_GET_SCRATCH_BUFFER GetScratchBuffer; AUTH_VAR_LIB_CHECK_REMAINING_SPACE CheckRemainingSpaceForConsistency; AUTH_VAR_LIB_AT_RUNTIME AtRuntime; } AUTH_VAR_LIB_CONTEXT_IN; #define AUTH_VAR_LIB_CONTEXT_OUT_STRUCT_VERSION 0x01 typedef struct { UINTN StructVersion; UINTN StructSize; // // Caller needs to set variable property for the variables. // VARIABLE_ENTRY_PROPERTY *AuthVarEntry; UINTN AuthVarEntryCount; // // Caller needs to ConvertPointer() for the pointers. // VOID ***AddressPointer; UINTN AddressPointerCount; } AUTH_VAR_LIB_CONTEXT_OUT; /** Initialization for authenticated varibale services. If this initialization returns error status, other APIs will not work and expect to be not called then. @param[in] AuthVarLibContextIn Pointer to input auth variable lib context. @param[out] AuthVarLibContextOut Pointer to output auth variable lib context. @retval EFI_SUCCESS Function successfully executed. @retval EFI_INVALID_PARAMETER If AuthVarLibContextIn == NULL or AuthVarLibContextOut == NULL. @retval EFI_OUT_OF_RESOURCES Fail to allocate enough resource. @retval EFI_UNSUPPORTED Unsupported to process authenticated variable. **/ EFI_STATUS EFIAPI AuthVariableLibInitialize ( IN AUTH_VAR_LIB_CONTEXT_IN *AuthVarLibContextIn, OUT AUTH_VAR_LIB_CONTEXT_OUT *AuthVarLibContextOut ); /** Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set. @param[in] VariableName Name of the variable. @param[in] VendorGuid Variable vendor GUID. @param[in] Data Data pointer. @param[in] DataSize Size of Data. @param[in] Attributes Attribute value of the variable. @retval EFI_SUCCESS The firmware has successfully stored the variable and its data as defined by the Attributes. @retval EFI_INVALID_PARAMETER Invalid parameter. @retval EFI_WRITE_PROTECTED Variable is write-protected. @retval EFI_OUT_OF_RESOURCES There is not enough resource. @retval EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACESS set, but the AuthInfo does NOT pass the validation check carried out by the firmware. @retval EFI_UNSUPPORTED Unsupported to process authenticated variable. **/ EFI_STATUS EFIAPI AuthVariableLibProcessVariable ( IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes ); #endif