diff options
| author | kuqin <kuqin@microsoft.com> | 2022-04-15 13:03:22 -0700 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2022-07-07 01:07:00 +0000 |
| commit | 6eb407947592e084110a124be089bef167af1383 (patch) | |
| tree | df045510340ca0e36918157a5f0bd2b74efcccc0 /SecurityPkg/Include | |
| parent | 6de7c084dbb6d02f3b8cdb68dc4716df96c6758f (diff) | |
| download | edk2-6eb407947592e084110a124be089bef167af1383.tar.gz edk2-6eb407947592e084110a124be089bef167af1383.tar.bz2 edk2-6eb407947592e084110a124be089bef167af1383.zip | |
SecurityPkg: SecureBootVariableLib: Added newly supported interfaces
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911
This change updated the interfaces provided by SecureBootVariableLib.
The new additions provided interfaces to enroll single authenticated
variable from input, a helper function to query secure boot status,
enroll all secure boot variables from UefiSecureBoot.h defined data
structures, a as well as a routine that deletes all secure boot related
variables.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Michael Kubacki <michael.kubacki@microsoft.com>
Diffstat (limited to 'SecurityPkg/Include')
| -rw-r--r-- | SecurityPkg/Include/Library/SecureBootVariableLib.h | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h index 24ff0df067..c486801c31 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h @@ -44,6 +44,19 @@ GetSetupMode ( );
/**
+ Helper function to quickly determine whether SecureBoot is enabled.
+
+ @retval TRUE SecureBoot is verifiably enabled.
+ @retval FALSE SecureBoot is either disabled or an error prevented checking.
+
+**/
+BOOLEAN
+EFIAPI
+IsSecureBootEnabled (
+ VOID
+ );
+
+/**
Create a EFI Signature List with data supplied from input argument.
The input certificates from KeyInfo parameter should be DER-encoded
format.
@@ -161,4 +174,60 @@ DeletePlatformKey ( VOID
);
+/**
+ This function will delete the secure boot keys, thus
+ disabling secure boot.
+
+ @return EFI_SUCCESS or underlying failure code.
+**/
+EFI_STATUS
+EFIAPI
+DeleteSecureBootVariables (
+ VOID
+ );
+
+/**
+ A helper function to take in a variable payload, wrap it in the
+ proper authenticated variable structure, and install it in the
+ EFI variable space.
+
+ @param[in] VariableName The name of the key/database.
+ @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable
+ @param[in] DataSize Size parameter for target secure boot variable.
+ @param[in] Data Pointer to signature list formatted secure boot variable content.
+
+ @retval EFI_SUCCESS The enrollment for authenticated variable was successful.
+ @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval Others Unexpected error happens.
+**/
+EFI_STATUS
+EFIAPI
+EnrollFromInput (
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN UINTN DataSize,
+ IN VOID *Data
+ );
+
+/**
+ Similar to DeleteSecureBootVariables, this function is used to unilaterally
+ force the state of related SB variables (db, dbx, dbt, KEK, PK, etc.) to be
+ the built-in, hardcoded default vars.
+
+ @param[in] SecureBootPayload Payload information for secure boot related keys.
+
+ @retval EFI_SUCCESS SecureBoot keys are now set to defaults.
+ @retval EFI_ABORTED SecureBoot keys are not empty. Please delete keys first
+ or follow standard methods of altering keys (ie. use the signing system).
+ @retval EFI_SECURITY_VIOLATION Failed to create the PK.
+ @retval Others Something failed in one of the subfunctions.
+
+**/
+EFI_STATUS
+EFIAPI
+SetSecureBootVariablesToDefault (
+ IN CONST SECURE_BOOT_PAYLOAD_INFO *SecureBootPayload
+ );
+
#endif
|