Diffstat (limited to 'SecurityPkg/Library/AuthVariableLib/AuthService.c')
-rw-r--r--SecurityPkg/Library/AuthVariableLib/AuthService.c1009
1 files changed, 518 insertions, 491 deletions
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 3059e5d256..054ee4d1d9 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -32,28 +32,28 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
//
// Public Exponent of RSA Key.
//
-CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
+CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
-CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
+CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
//
// Requirement for different signature type which have been defined in UEFI spec.
// These data are used to perform SignatureList format check while setting PK/KEK variable.
//
-EFI_SIGNATURE_ITEM mSupportSigItem[] = {
-//{SigType, SigHeaderSize, SigDataSize }
- {EFI_CERT_SHA256_GUID, 0, 32 },
- {EFI_CERT_RSA2048_GUID, 0, 256 },
- {EFI_CERT_RSA2048_SHA256_GUID, 0, 256 },
- {EFI_CERT_SHA1_GUID, 0, 20 },
- {EFI_CERT_RSA2048_SHA1_GUID, 0, 256 },
- {EFI_CERT_X509_GUID, 0, ((UINT32) ~0)},
- {EFI_CERT_SHA224_GUID, 0, 28 },
- {EFI_CERT_SHA384_GUID, 0, 48 },
- {EFI_CERT_SHA512_GUID, 0, 64 },
- {EFI_CERT_X509_SHA256_GUID, 0, 48 },
- {EFI_CERT_X509_SHA384_GUID, 0, 64 },
- {EFI_CERT_X509_SHA512_GUID, 0, 80 }
+EFI_SIGNATURE_ITEM mSupportSigItem[] = {
+ // {SigType, SigHeaderSize, SigDataSize }
+ { EFI_CERT_SHA256_GUID, 0, 32 },
+ { EFI_CERT_RSA2048_GUID, 0, 256 },
+ { EFI_CERT_RSA2048_SHA256_GUID, 0, 256 },
+ { EFI_CERT_SHA1_GUID, 0, 20 },
+ { EFI_CERT_RSA2048_SHA1_GUID, 0, 256 },
+ { EFI_CERT_X509_GUID, 0, ((UINT32) ~0) },
+ { EFI_CERT_SHA224_GUID, 0, 28 },
+ { EFI_CERT_SHA384_GUID, 0, 48 },
+ { EFI_CERT_SHA512_GUID, 0, 64 },
+ { EFI_CERT_X509_SHA256_GUID, 0, 48 },
+ { EFI_CERT_X509_SHA384_GUID, 0, 64 },
+ { EFI_CERT_X509_SHA512_GUID, 0, 80 }
};
/**
@@ -76,22 +76,22 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] = {
**/
EFI_STATUS
AuthServiceInternalFindVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- OUT VOID **Data,
- OUT UINTN *DataSize
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ OUT VOID **Data,
+ OUT UINTN *DataSize
)
{
- EFI_STATUS Status;
- AUTH_VARIABLE_INFO AuthVariableInfo;
+ EFI_STATUS Status;
+ AUTH_VARIABLE_INFO AuthVariableInfo;
ZeroMem (&AuthVariableInfo, sizeof (AuthVariableInfo));
Status = mAuthVarLibContextIn->FindVariable (
- VariableName,
- VendorGuid,
- &AuthVariableInfo
- );
- *Data = AuthVariableInfo.Data;
+ VariableName,
+ VendorGuid,
+ &AuthVariableInfo
+ );
+ *Data = AuthVariableInfo.Data;
*DataSize = AuthVariableInfo.DataSize;
return Status;
}
@@ -113,25 +113,25 @@ AuthServiceInternalFindVariable (
**/
EFI_STATUS
AuthServiceInternalUpdateVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN UINT32 Attributes
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN VOID *Data,
+ IN UINTN DataSize,
+ IN UINT32 Attributes
)
{
- AUTH_VARIABLE_INFO AuthVariableInfo;
+ AUTH_VARIABLE_INFO AuthVariableInfo;
ZeroMem (&AuthVariableInfo, sizeof (AuthVariableInfo));
AuthVariableInfo.VariableName = VariableName;
- AuthVariableInfo.VendorGuid = VendorGuid;
- AuthVariableInfo.Data = Data;
- AuthVariableInfo.DataSize = DataSize;
- AuthVariableInfo.Attributes = Attributes;
+ AuthVariableInfo.VendorGuid = VendorGuid;
+ AuthVariableInfo.Data = Data;
+ AuthVariableInfo.DataSize = DataSize;
+ AuthVariableInfo.Attributes = Attributes;
return mAuthVarLibContextIn->UpdateVariable (
- &AuthVariableInfo
- );
+ &AuthVariableInfo
+ );
}
/**
@@ -152,18 +152,18 @@ AuthServiceInternalUpdateVariable (
**/
EFI_STATUS
AuthServiceInternalUpdateVariableWithTimeStamp (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN UINT32 Attributes,
- IN EFI_TIME *TimeStamp
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN VOID *Data,
+ IN UINTN DataSize,
+ IN UINT32 Attributes,
+ IN EFI_TIME *TimeStamp
)
{
- EFI_STATUS FindStatus;
- VOID *OrgData;
- UINTN OrgDataSize;
- AUTH_VARIABLE_INFO AuthVariableInfo;
+ EFI_STATUS FindStatus;
+ VOID *OrgData;
+ UINTN OrgDataSize;
+ AUTH_VARIABLE_INFO AuthVariableInfo;
FindStatus = AuthServiceInternalFindVariable (
VariableName,
@@ -177,9 +177,10 @@ AuthServiceInternalUpdateVariableWithTimeStamp (
//
if (!EFI_ERROR (FindStatus) && ((Attributes & EFI_VARIABLE_APPEND_WRITE) != 0)) {
if ((CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
- ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||
- (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0))) ||
- (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0))) {
+ ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||
+ (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0))) ||
+ (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)))
+ {
//
// For variables with formatted as EFI_SIGNATURE_LIST, the driver shall not perform an append of
// EFI_SIGNATURE_DATA values that are already part of the existing variable value.
@@ -195,14 +196,14 @@ AuthServiceInternalUpdateVariableWithTimeStamp (
ZeroMem (&AuthVariableInfo, sizeof (AuthVariableInfo));
AuthVariableInfo.VariableName = VariableName;
- AuthVariableInfo.VendorGuid = VendorGuid;
- AuthVariableInfo.Data = Data;
- AuthVariableInfo.DataSize = DataSize;
- AuthVariableInfo.Attributes = Attributes;
- AuthVariableInfo.TimeStamp = TimeStamp;
+ AuthVariableInfo.VendorGuid = VendorGuid;
+ AuthVariableInfo.Data = Data;
+ AuthVariableInfo.DataSize = DataSize;
+ AuthVariableInfo.Attributes = Attributes;
+ AuthVariableInfo.TimeStamp = TimeStamp;
return mAuthVarLibContextIn->UpdateVariable (
- &AuthVariableInfo
- );
+ &AuthVariableInfo
+ );
}
/**
@@ -216,15 +217,16 @@ AuthServiceInternalUpdateVariableWithTimeStamp (
**/
BOOLEAN
-NeedPhysicallyPresent(
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
+NeedPhysicallyPresent (
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid
)
{
// If the VariablePolicy engine is disabled, allow deletion of any authenticated variables.
- if (IsVariablePolicyEnabled()) {
- if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) == 0))
- || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (VariableName, EFI_CUSTOM_MODE_NAME) == 0))) {
+ if (IsVariablePolicyEnabled ()) {
+ if ( (CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) == 0))
+ || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (VariableName, EFI_CUSTOM_MODE_NAME) == 0)))
+ {
return TRUE;
}
}
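Review bot: The comment above `if (IsVariablePolicyEnabled ()) {` describes this gate as allowing "deletion of any authenticated variables", but ProcessVariable uses the result to decide whether any write to the variable needs a physically present user. When the policy engine is disabled, SecureBootEnable and CustomMode therefore appear to lose the physical-presence requirement for modification as well as deletion. I would reword it to `// If the VariablePolicy engine is disabled, SecureBootEnable and CustomMode no longer require physical presence for any write.` so the security consequence is stated where the gate is. The fall-through return of NeedPhysicallyPresent is outside this hunk.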
@@ -244,12 +246,12 @@ InCustomMode (
VOID
)
{
- EFI_STATUS Status;
- VOID *Data;
- UINTN DataSize;
+ EFI_STATUS Status;
+ VOID *Data;
+ UINTN DataSize;
Status = AuthServiceInternalFindVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, &Data, &DataSize);
- if (!EFI_ERROR (Status) && (*(UINT8 *) Data == CUSTOM_SECURE_BOOT_MODE)) {
+ if (!EFI_ERROR (Status) && (*(UINT8 *)Data == CUSTOM_SECURE_BOOT_MODE)) {
return TRUE;
}
@@ -267,15 +269,15 @@ InCustomMode (
**/
EFI_STATUS
UpdatePlatformMode (
- IN UINT32 Mode
+ IN UINT32 Mode
)
{
- EFI_STATUS Status;
- VOID *Data;
- UINTN DataSize;
- UINT8 SecureBootMode;
- UINT8 SecureBootEnable;
- UINTN VariableDataSize;
+ EFI_STATUS Status;
+ VOID *Data;
+ UINTN DataSize;
+ UINT8 SecureBootMode;
+ UINT8 SecureBootEnable;
+ UINTN VariableDataSize;
Status = AuthServiceInternalFindVariable (
EFI_SETUP_MODE_NAME,
@@ -291,8 +293,8 @@ UpdatePlatformMode (
// Update the value of SetupMode variable by a simple mem copy, this could avoid possible
// variable storage reclaim at runtime.
//
- mPlatformMode = (UINT8) Mode;
- CopyMem (Data, &mPlatformMode, sizeof(UINT8));
+ mPlatformMode = (UINT8)Mode;
+ CopyMem (Data, &mPlatformMode, sizeof (UINT8));
if (mAuthVarLibContextIn->AtRuntime ()) {
//
@@ -331,13 +333,13 @@ UpdatePlatformMode (
}
}
- Status = AuthServiceInternalUpdateVariable (
- EFI_SECURE_BOOT_MODE_NAME,
- &gEfiGlobalVariableGuid,
- &SecureBootMode,
- sizeof(UINT8),
- EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
- );
+ Status = AuthServiceInternalUpdateVariable (
+ EFI_SECURE_BOOT_MODE_NAME,
+ &gEfiGlobalVariableGuid,
+ &SecureBootMode,
+ sizeof (UINT8),
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ );
if (EFI_ERROR (Status)) {
return Status;
}
@@ -366,6 +368,7 @@ UpdatePlatformMode (
if (EFI_ERROR (Status)) {
return EFI_SUCCESS;
}
+
SecureBootEnable = SECURE_BOOT_DISABLE;
VariableDataSize = 0;
}
@@ -393,21 +396,21 @@ UpdatePlatformMode (
**/
EFI_STATUS
-CheckSignatureListFormat(
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize
+CheckSignatureListFormat (
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN VOID *Data,
+ IN UINTN DataSize
)
{
- EFI_SIGNATURE_LIST *SigList;
- UINTN SigDataSize;
- UINT32 Index;
- UINT32 SigCount;
- BOOLEAN IsPk;
- VOID *RsaContext;
- EFI_SIGNATURE_DATA *CertData;
- UINTN CertLen;
+ EFI_SIGNATURE_LIST *SigList;
+ UINTN SigDataSize;
+ UINT32 Index;
+ UINT32 SigCount;
+ BOOLEAN IsPk;
+ VOID *RsaContext;
+ EFI_SIGNATURE_DATA *CertData;
+ UINTN CertLen;
if (DataSize == 0) {
return EFI_SUCCESS;
@@ -415,21 +418,22 @@ CheckSignatureListFormat(
ASSERT (VariableName != NULL && VendorGuid != NULL && Data != NULL);
- if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){
+ if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)) {
IsPk = TRUE;
} else if ((CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) ||
(CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
- ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||
- (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0)))) {
+ ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||
+ (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0))))
+ {
IsPk = FALSE;
} else {
return EFI_SUCCESS;
}
- SigCount = 0;
- SigList = (EFI_SIGNATURE_LIST *) Data;
- SigDataSize = DataSize;
- RsaContext = NULL;
+ SigCount = 0;
+ SigList = (EFI_SIGNATURE_LIST *)Data;
+ SigDataSize = DataSize;
+ RsaContext = NULL;
//
// Walk through the input signature list and check the data format.
@@ -442,14 +446,18 @@ CheckSignatureListFormat(
// The value of SignatureSize should always be 16 (size of SignatureOwner
// component) add the data length according to signature type.
//
- if (mSupportSigItem[Index].SigDataSize != ((UINT32) ~0) &&
- (SigList->SignatureSize - sizeof (EFI_GUID)) != mSupportSigItem[Index].SigDataSize) {
+ if ((mSupportSigItem[Index].SigDataSize != ((UINT32) ~0)) &&
+ ((SigList->SignatureSize - sizeof (EFI_GUID)) != mSupportSigItem[Index].SigDataSize))
+ {
return EFI_INVALID_PARAMETER;
}
- if (mSupportSigItem[Index].SigHeaderSize != ((UINT32) ~0) &&
- SigList->SignatureHeaderSize != mSupportSigItem[Index].SigHeaderSize) {
+
+ if ((mSupportSigItem[Index].SigHeaderSize != ((UINT32) ~0)) &&
+ (SigList->SignatureHeaderSize != mSupportSigItem[Index].SigHeaderSize))
+ {
return EFI_INVALID_PARAMETER;
}
+
break;
}
}
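Review bot: The SignatureSize comparison in this hunk is skipped when the table entry's SigDataSize is the `(UINT32) ~0` wildcard (EFI_CERT_X509_GUID in mSupportSigItem), so for that type nothing visible rejects a SignatureSize of zero or one smaller than `sizeof (EFI_GUID)`. The following hunk then computes `CertLen = SigList->SignatureSize - sizeof (EFI_GUID)` and uses SignatureSize as modulus and divisor, and it subtracts the header sizes from SignatureListSize, all in unsigned arithmetic. I would add, ahead of the type loop, `if ((SigList->SignatureSize <= sizeof (EFI_GUID)) || (SigList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST) + SigList->SignatureHeaderSize)) { return EFI_INVALID_PARAMETER; }`. FilterSignatureList (hunk `@@ -923,56 +938,57 @@`) divides by SignatureSize in the same way and would benefit from a stated precondition. The while-loop header of CheckSignatureListFormat is outside this hunk, so confirm these lower bounds are not already enforced there.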
@@ -470,29 +478,32 @@ CheckSignatureListFormat(
if (RsaContext == NULL) {
return EFI_INVALID_PARAMETER;
}
- CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) SigList + sizeof (EFI_SIGNATURE_LIST) + SigList->SignatureHeaderSize);
- CertLen = SigList->SignatureSize - sizeof (EFI_GUID);
+
+ CertData = (EFI_SIGNATURE_DATA *)((UINT8 *)SigList + sizeof (EFI_SIGNATURE_LIST) + SigList->SignatureHeaderSize);
+ CertLen = SigList->SignatureSize - sizeof (EFI_GUID);
if (!RsaGetPublicKeyFromX509 (CertData->SignatureData, CertLen, &RsaContext)) {
RsaFree (RsaContext);
return EFI_INVALID_PARAMETER;
}
+
RsaFree (RsaContext);
}
if ((SigList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - SigList->SignatureHeaderSize) % SigList->SignatureSize != 0) {
return EFI_INVALID_PARAMETER;
}
+
SigCount += (SigList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - SigList->SignatureHeaderSize) / SigList->SignatureSize;
SigDataSize -= SigList->SignatureListSize;
- SigList = (EFI_SIGNATURE_LIST *) ((UINT8 *) SigList + SigList->SignatureListSize);
+ SigList = (EFI_SIGNATURE_LIST *)((UINT8 *)SigList + SigList->SignatureListSize);
}
- if (((UINTN) SigList - (UINTN) Data) != DataSize) {
+ if (((UINTN)SigList - (UINTN)Data) != DataSize) {
return EFI_INVALID_PARAMETER;
}
- if (IsPk && SigCount > 1) {
+ if (IsPk && (SigCount > 1)) {
return EFI_INVALID_PARAMETER;
}
@@ -511,11 +522,12 @@ VendorKeyIsModified (
VOID
)
{
- EFI_STATUS Status;
+ EFI_STATUS Status;
if (mVendorKeyState == VENDOR_KEYS_MODIFIED) {
return EFI_SUCCESS;
}
+
mVendorKeyState = VENDOR_KEYS_MODIFIED;
Status = AuthServiceInternalUpdateVariable (
@@ -564,21 +576,22 @@ VendorKeyIsModified (
**/
EFI_STATUS
ProcessVarWithPk (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN UINT32 Attributes OPTIONAL,
- IN BOOLEAN IsPk
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN VOID *Data,
+ IN UINTN DataSize,
+ IN UINT32 Attributes OPTIONAL,
+ IN BOOLEAN IsPk
)
{
- EFI_STATUS Status;
- BOOLEAN Del;
- UINT8 *Payload;
- UINTN PayloadSize;
+ EFI_STATUS Status;
+ BOOLEAN Del;
+ UINT8 *Payload;
+ UINTN PayloadSize;
- if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0 ||
- (Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
+ if (((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0) ||
+ ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0))
+ {
//
// PK, KEK and db/dbx/dbt should set EFI_VARIABLE_NON_VOLATILE attribute and should be a time-based
// authenticated variable.
@@ -590,14 +603,14 @@ ProcessVarWithPk (
// Init state of Del. State may change due to secure check
//
Del = FALSE;
- if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE && !IsPk)) {
- Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
+ if ((InCustomMode () && UserPhysicalPresent ()) || ((mPlatformMode == SETUP_MODE) && !IsPk)) {
+ Payload = (UINT8 *)Data + AUTHINFO2_SIZE (Data);
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
if (PayloadSize == 0) {
Del = TRUE;
}
- Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload, PayloadSize);
+ Status = CheckSignatureListFormat (VariableName, VendorGuid, Payload, PayloadSize);
if (EFI_ERROR (Status)) {
return Status;
}
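Review bot: `PayloadSize = DataSize - AUTHINFO2_SIZE (Data)` is an unsigned subtraction with no visible check that DataSize is at least AUTHINFO2_SIZE (Data), and this branch looks like the one taken without signature verification (ProcessVarWithKek's comment on its equivalent branch reads "no authentication needed"). If the caller has not already bounded the descriptor length, PayloadSize wraps and the oversized value is passed to CheckSignatureListFormat. Either guard it here with `if (DataSize < AUTHINFO2_SIZE (Data)) { return EFI_SECURITY_VIOLATION; }` or state the caller's obligation in the function header comment. The same expression appears in ProcessVarWithKek and IsDeleteAuthVariable. ProcessVarWithPk starts and ends outside this hunk.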
@@ -608,9 +621,9 @@ ProcessVarWithPk (
Payload,
PayloadSize,
Attributes,
- &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
+ &((EFI_VARIABLE_AUTHENTICATION_2 *)Data)->TimeStamp
);
- if (EFI_ERROR(Status)) {
+ if (EFI_ERROR (Status)) {
return Status;
}
@@ -645,13 +658,13 @@ ProcessVarWithPk (
);
}
- if (!EFI_ERROR(Status) && IsPk) {
- if (mPlatformMode == SETUP_MODE && !Del) {
+ if (!EFI_ERROR (Status) && IsPk) {
+ if ((mPlatformMode == SETUP_MODE) && !Del) {
//
// If enroll PK in setup mode, need change to user mode.
//
Status = UpdatePlatformMode (USER_MODE);
- } else if (mPlatformMode == USER_MODE && Del){
+ } else if ((mPlatformMode == USER_MODE) && Del) {
//
// If delete PK in user mode, need change to setup mode.
//
@@ -687,19 +700,20 @@ ProcessVarWithPk (
**/
EFI_STATUS
ProcessVarWithKek (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN UINT32 Attributes OPTIONAL
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN VOID *Data,
+ IN UINTN DataSize,
+ IN UINT32 Attributes OPTIONAL
)
{
- EFI_STATUS Status;
- UINT8 *Payload;
- UINTN PayloadSize;
+ EFI_STATUS Status;
+ UINT8 *Payload;
+ UINTN PayloadSize;
- if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0 ||
- (Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
+ if (((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0) ||
+ ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0))
+ {
//
// DB, DBX and DBT should set EFI_VARIABLE_NON_VOLATILE attribute and should be a time-based
// authenticated variable.
@@ -708,7 +722,7 @@ ProcessVarWithKek (
}
Status = EFI_SUCCESS;
- if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {
+ if ((mPlatformMode == USER_MODE) && !(InCustomMode () && UserPhysicalPresent ())) {
//
// Time-based, verify against X509 Cert KEK.
//
@@ -725,10 +739,10 @@ ProcessVarWithKek (
//
// If in setup mode or custom secure boot mode, no authentication needed.
//
- Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
+ Payload = (UINT8 *)Data + AUTHINFO2_SIZE (Data);
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
- Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload, PayloadSize);
+ Status = CheckSignatureListFormat (VariableName, VendorGuid, Payload, PayloadSize);
if (EFI_ERROR (Status)) {
return Status;
}
@@ -739,7 +753,7 @@ ProcessVarWithKek (
Payload,
PayloadSize,
Attributes,
- &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
+ &((EFI_VARIABLE_AUTHENTICATION_2 *)Data)->TimeStamp
);
if (EFI_ERROR (Status)) {
return Status;
@@ -767,14 +781,14 @@ ProcessVarWithKek (
**/
BOOLEAN
IsDeleteAuthVariable (
- IN UINT32 OrgAttributes,
- IN VOID *Data,
- IN UINTN DataSize,
- IN UINT32 Attributes
+ IN UINT32 OrgAttributes,
+ IN VOID *Data,
+ IN UINTN DataSize,
+ IN UINT32 Attributes
)
{
- BOOLEAN Del;
- UINTN PayloadSize;
+ BOOLEAN Del;
+ UINTN PayloadSize;
Del = FALSE;
@@ -785,7 +799,8 @@ IsDeleteAuthVariable (
// and the DataSize set to the size of the AuthInfo descriptor.
//
if ((Attributes == OrgAttributes) &&
- ((Attributes & (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) != 0)) {
+ ((Attributes & (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) != 0))
+ {
if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
if (PayloadSize == 0) {
@@ -830,37 +845,37 @@ IsDeleteAuthVariable (
**/
EFI_STATUS
ProcessVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN UINT32 Attributes
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN VOID *Data,
+ IN UINTN DataSize,
+ IN UINT32 Attributes
)
{
- EFI_STATUS Status;
- AUTH_VARIABLE_INFO OrgVariableInfo;
+ EFI_STATUS Status;
+ AUTH_VARIABLE_INFO OrgVariableInfo;
- Status = EFI_SUCCESS;
+ Status = EFI_SUCCESS;
ZeroMem (&OrgVariableInfo, sizeof (OrgVariableInfo));
Status = mAuthVarLibContextIn->FindVariable (
- VariableName,
- VendorGuid,
- &OrgVariableInfo
- );
+ VariableName,
+ VendorGuid,
+ &OrgVariableInfo
+ );
// If the VariablePolicy engine is disabled, allow deletion of any authenticated variables.
- if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && (UserPhysicalPresent() || !IsVariablePolicyEnabled())) {
+ if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && (UserPhysicalPresent () || !IsVariablePolicyEnabled ())) {
//
// Allow the delete operation of common authenticated variable(AT or AW) at user physical presence.
//
Status = AuthServiceInternalUpdateVariable (
- VariableName,
- VendorGuid,
- NULL,
- 0,
- 0
- );
+ VariableName,
+ VendorGuid,
+ NULL,
+ 0,
+ 0
+ );
if (!EFI_ERROR (Status) && ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0)) {
Status = DeleteCertsFromDb (VariableName, VendorGuid, Attributes);
}
@@ -868,7 +883,7 @@ ProcessVariable (
return Status;
}
- if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent()) {
+ if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent ()) {
//
// This variable is protected, only physical present user could modify its value.
//
@@ -897,7 +912,8 @@ ProcessVariable (
}
if ((OrgVariableInfo.Data != NULL) &&
- ((OrgVariableInfo.Attributes & (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) != 0)) {
+ ((OrgVariableInfo.Attributes & (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) != 0))
+ {
//
// If the variable is already write-protected, it always needs authentication before update.
//
@@ -909,7 +925,6 @@ ProcessVariable (
//
Status = AuthServiceInternalUpdateVariable (VariableName, VendorGuid, Data, DataSize, Attributes);
return Status;
-
}
/**
@@ -923,56 +938,57 @@ ProcessVariable (
**/
EFI_STATUS
FilterSignatureList (
- IN VOID *Data,
- IN UINTN DataSize,
- IN OUT VOID *NewData,
- IN OUT UINTN *NewDataSize
+ IN VOID *Data,
+ IN UINTN DataSize,
+ IN OUT VOID *NewData,
+ IN OUT UINTN *NewDataSize
)
{
- EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_DATA *Cert;
- UINTN CertCount;
- EFI_SIGNATURE_LIST *NewCertList;
- EFI_SIGNATURE_DATA *NewCert;
- UINTN NewCertCount;
- UINTN Index;
- UINTN Index2;
- UINTN Size;
- UINT8 *Tail;
- UINTN CopiedCount;
- UINTN SignatureListSize;
- BOOLEAN IsNewCert;
- UINT8 *TempData;
- UINTN TempDataSize;
- EFI_STATUS Status;
+ EFI_SIGNATURE_LIST *CertList;
+ EFI_SIGNATURE_DATA *Cert;
+ UINTN CertCount;
+ EFI_SIGNATURE_LIST *NewCertList;
+ EFI_SIGNATURE_DATA *NewCert;
+ UINTN NewCertCount;
+ UINTN Index;
+ UINTN Index2;
+ UINTN Size;
+ UINT8 *Tail;
+ UINTN CopiedCount;
+ UINTN SignatureListSize;
+ BOOLEAN IsNewCert;
+ UINT8 *TempData;
+ UINTN TempDataSize;
+ EFI_STATUS Status;
if (*NewDataSize == 0) {
return EFI_SUCCESS;
}
TempDataSize = *NewDataSize;
- Status = mAuthVarLibContextIn->GetScratchBuffer (&TempDataSize, (VOID **) &TempData);
+ Status = mAuthVarLibContextIn->GetScratchBuffer (&TempDataSize, (VOID **)&TempData);
if (EFI_ERROR (Status)) {
return EFI_OUT_OF_RESOURCES;
}
Tail = TempData;
- NewCertList = (EFI_SIGNATURE_LIST *) NewData;
+ NewCertList = (EFI_SIGNATURE_LIST *)NewData;
while ((*NewDataSize > 0) && (*NewDataSize >= NewCertList->SignatureListSize)) {
- NewCert = (EFI_SIGNATURE_DATA *) ((UINT8 *) NewCertList + sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize);
+ NewCert = (EFI_SIGNATURE_DATA *)((UINT8 *)NewCertList + sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize);
NewCertCount = (NewCertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - NewCertList->SignatureHeaderSize) / NewCertList->SignatureSize;
CopiedCount = 0;
for (Index = 0; Index < NewCertCount; Index++) {
IsNewCert = TRUE;
- Size = DataSize;
- CertList = (EFI_SIGNATURE_LIST *) Data;
+ Size = DataSize;
+ CertList = (EFI_SIGNATURE_LIST *)Data;
while ((Size > 0) && (Size >= CertList->SignatureListSize)) {
if (CompareGuid (&CertList->SignatureType, &NewCertList->SignatureType) &&
- (CertList->SignatureSize == NewCertList->SignatureSize)) {
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
+ (CertList->SignatureSize == NewCertList->SignatureSize))
+ {
+ Cert = (EFI_SIGNATURE_DATA *)((UINT8 *)CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
for (Index2 = 0; Index2 < CertCount; Index2++) {
//
@@ -982,15 +998,17 @@ FilterSignatureList (
IsNewCert = FALSE;
break;
}
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
+
+ Cert = (EFI_SIGNATURE_DATA *)((UINT8 *)Cert + CertList->SignatureSize);
}
}
if (!IsNewCert) {
break;
}
- Size -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
+
+ Size -= CertList->SignatureListSize;
+ CertList = (EFI_SIGNATURE_LIST *)((UINT8 *)CertList + CertList->SignatureListSize);
}
if (IsNewCert) {
@@ -1010,23 +1028,23 @@ FilterSignatureList (
CopiedCount++;
}
- NewCert = (EFI_SIGNATURE_DATA *) ((UINT8 *) NewCert + NewCertList->SignatureSize);
+ NewCert = (EFI_SIGNATURE_DATA *)((UINT8 *)NewCert + NewCertList->SignatureSize);
}
//
// Update SignatureListSize in the kept EFI_SIGNATURE_LIST.
//
if (CopiedCount != 0) {
- SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize + (CopiedCount * NewCertList->SignatureSize);
- CertList = (EFI_SIGNATURE_LIST *) (Tail - SignatureListSize);
- CertList->SignatureListSize = (UINT32) SignatureListSize;
+ SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize + (CopiedCount * NewCertList->SignatureSize);
+ CertList = (EFI_SIGNATURE_LIST *)(Tail - SignatureListSize);
+ CertList->SignatureListSize = (UINT32)SignatureListSize;
}
*NewDataSize -= NewCertList->SignatureListSize;
- NewCertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) NewCertList + NewCertList->SignatureListSize);
+ NewCertList = (EFI_SIGNATURE_LIST *)((UINT8 *)NewCertList + NewCertList->SignatureListSize);
}
- TempDataSize = (Tail - (UINT8 *) TempData);
+ TempDataSize = (Tail - (UINT8 *)TempData);
CopyMem (NewData, TempData, TempDataSize);
*NewDataSize = TempDataSize;
@@ -1047,23 +1065,23 @@ FilterSignatureList (
**/
BOOLEAN
AuthServiceInternalCompareTimeStamp (
- IN EFI_TIME *FirstTime,
- IN EFI_TIME *SecondTime
+ IN EFI_TIME *FirstTime,
+ IN EFI_TIME *SecondTime
)
{
if (FirstTime->Year != SecondTime->Year) {
- return (BOOLEAN) (FirstTime->Year < SecondTime->Year);
+ return (BOOLEAN)(FirstTime->Year < SecondTime->Year);
} else if (FirstTime->Month != SecondTime->Month) {
- return (BOOLEAN) (FirstTime->Month < SecondTime->Month);
+ return (BOOLEAN)(FirstTime->Month < SecondTime->Month);
} else if (FirstTime->Day != SecondTime->Day) {
- return (BOOLEAN) (FirstTime->Day < SecondTime->Day);
+ return (BOOLEAN)(FirstTime->Day < SecondTime->Day);
} else if (FirstTime->Hour != SecondTime->Hour) {
- return (BOOLEAN) (FirstTime->Hour < SecondTime->Hour);
+ return (BOOLEAN)(FirstTime->Hour < SecondTime->Hour);
} else if (FirstTime->Minute != SecondTime->Minute) {
- return (BOOLEAN) (FirstTime->Minute < SecondTime->Minute);
+ return (BOOLEAN)(FirstTime->Minute < SecondTime->Minute);
}
- return (BOOLEAN) (FirstTime->Second <= SecondTime->Second);
+ return (BOOLEAN)(FirstTime->Second <= SecondTime->Second);
}
/**
@@ -1081,37 +1099,37 @@ AuthServiceInternalCompareTimeStamp (
**/
EFI_STATUS
-CalculatePrivAuthVarSignChainSHA256Digest(
- IN UINT8 *SignerCert,
- IN UINTN SignerCertSize,
- IN UINT8 *TopLevelCert,
- IN UINTN TopLevelCertSize,
- OUT UINT8 *Sha256Digest
+CalculatePrivAuthVarSignChainSHA256Digest (
+ IN UINT8 *SignerCert,
+ IN UINTN SignerCertSize,
+ IN UINT8 *TopLevelCert,
+ IN UINTN TopLevelCertSize,
+ OUT UINT8 *Sha256Digest
)
{
- UINT8 *TbsCert;
- UINTN TbsCertSize;
- CHAR8 CertCommonName[128];
- UINTN CertCommonNameSize;
- BOOLEAN CryptoStatus;
- EFI_STATUS Status;
+ UINT8 *TbsCert;
+ UINTN TbsCertSize;
+ CHAR8 CertCommonName[128];
+ UINTN CertCommonNameSize;
+ BOOLEAN CryptoStatus;
+ EFI_STATUS Status;
- CertCommonNameSize = sizeof(CertCommonName);
+ CertCommonNameSize = sizeof (CertCommonName);
//
// Get SignerCert CommonName
//
- Status = X509GetCommonName(SignerCert, SignerCertSize, CertCommonName, &CertCommonNameSize);
- if (EFI_ERROR(Status)) {
- DEBUG((DEBUG_INFO, "%a Get SignerCert CommonName failed with status %x\n", __FUNCTION__, Status));
+ Status = X509GetCommonName (SignerCert, SignerCertSize, CertCommonName, &CertCommonNameSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "%a Get SignerCert CommonName failed with status %x\n", __FUNCTION__, Status));
return EFI_ABORTED;
}
//
// Get TopLevelCert tbsCertificate
//
- if (!X509GetTBSCert(TopLevelCert, TopLevelCertSize, &TbsCert, &TbsCertSize)) {
- DEBUG((DEBUG_INFO, "%a Get Top-level Cert tbsCertificate failed!\n", __FUNCTION__));
+ if (!X509GetTBSCert (TopLevelCert, TopLevelCertSize, &TbsCert, &TbsCertSize)) {
+ DEBUG ((DEBUG_INFO, "%a Get Top-level Cert tbsCertificate failed!\n", __FUNCTION__));
return EFI_ABORTED;
}
@@ -1141,7 +1159,7 @@ CalculatePrivAuthVarSignChainSHA256Digest(
return EFI_ABORTED;
}
- CryptoStatus = Sha256Final (mHashCtx, Sha256Digest);
+ CryptoStatus = Sha256Final (mHashCtx, Sha256Digest);
if (!CryptoStatus) {
return EFI_ABORTED;
}
@@ -1179,22 +1197,22 @@ CalculatePrivAuthVarSignChainSHA256Digest(
**/
EFI_STATUS
FindCertsFromDb (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT8 *Data,
- IN UINTN DataSize,
- OUT UINT32 *CertOffset OPTIONAL,
- OUT UINT32 *CertDataSize OPTIONAL,
- OUT UINT32 *CertNodeOffset OPTIONAL,
- OUT UINT32 *CertNodeSize OPTIONAL
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN UINT8 *Data,
+ IN UINTN DataSize,
+ OUT UINT32 *CertOffset OPTIONAL,
+ OUT UINT32 *CertDataSize OPTIONAL,
+ OUT UINT32 *CertNodeOffset OPTIONAL,
+ OUT UINT32 *CertNodeSize OPTIONAL
)
{
- UINT32 Offset;
- AUTH_CERT_DB_DATA *Ptr;
- UINT32 CertSize;
- UINT32 NameSize;
- UINT32 NodeSize;
- UINT32 CertDbListSize;
+ UINT32 Offset;
+ AUTH_CERT_DB_DATA *Ptr;
+ UINT32 CertSize;
+ UINT32 NameSize;
+ UINT32 NodeSize;
+ UINT32 CertDbListSize;
if ((VariableName == NULL) || (VendorGuid == NULL) || (Data == NULL)) {
return EFI_INVALID_PARAMETER;
@@ -1207,9 +1225,9 @@ FindCertsFromDb (
return EFI_INVALID_PARAMETER;
}
- CertDbListSize = ReadUnaligned32 ((UINT32 *) Data);
+ CertDbListSize = ReadUnaligned32 ((UINT32 *)Data);
- if (CertDbListSize != (UINT32) DataSize) {
+ if (CertDbListSize != (UINT32)DataSize) {
return EFI_INVALID_PARAMETER;
}
@@ -1218,8 +1236,8 @@ FindCertsFromDb (
//
// Get corresponding certificates by VendorGuid and VariableName.
//
- while (Offset < (UINT32) DataSize) {
- Ptr = (AUTH_CERT_DB_DATA *) (Data + Offset);
+ while (Offset < (UINT32)DataSize) {
+ Ptr = (AUTH_CERT_DB_DATA *)(Data + Offset);
//
// Check whether VendorGuid matches.
//
@@ -1229,7 +1247,8 @@ FindCertsFromDb (
CertSize = ReadUnaligned32 (&Ptr->CertDataSize);
if (NodeSize != sizeof (EFI_GUID) + sizeof (UINT32) * 3 + CertSize +
- sizeof (CHAR16) * NameSize) {
+ sizeof (CHAR16) * NameSize)
+ {
return EFI_INVALID_PARAMETER;
}
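Review bot: The consistency check on NodeSize only compares it with the sum of its parts; nothing in this hunk or in the loop header `while (Offset < (UINT32)DataSize)` bounds the node against the bytes remaining in Data. The later `CompareMem (Data + Offset, VariableName, NameSize * sizeof (CHAR16))` therefore depends on the certdb content being well-formed. I would add `if (NodeSize > (UINT32)DataSize - Offset) { return EFI_INVALID_PARAMETER; }` beside this check, assuming Offset still points at the start of the node at this point. The assignments of NodeSize and NameSize sit outside this hunk, so verify that assumption against the full function.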
@@ -1238,7 +1257,8 @@ FindCertsFromDb (
// Check whether VariableName matches.
//
if ((NameSize == StrLen (VariableName)) &&
- (CompareMem (Data + Offset, VariableName, NameSize * sizeof (CHAR16)) == 0)) {
+ (CompareMem (Data + Offset, VariableName, NameSize * sizeof (CHAR16)) == 0))
+ {
Offset = Offset + NameSize * sizeof (CHAR16);
if (CertOffset != NULL) {
@@ -1250,7 +1270,7 @@ FindCertsFromDb (
}
if (CertNodeOffset != NULL) {
- *CertNodeOffset = (UINT32) ((UINT8 *) Ptr - Data);
+ *CertNodeOffset = (UINT32)((UINT8 *)Ptr - Data);
}
if (CertNodeSize != NULL) {
@@ -1288,24 +1308,23 @@ FindCertsFromDb (
**/
EFI_STATUS
GetCertsFromDb (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT32 Attributes,
- OUT UINT8 **CertData,
- OUT UINT32 *CertDataSize
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN UINT32 Attributes,
+ OUT UINT8 **CertData,
+ OUT UINT32 *CertDataSize
)
{
- EFI_STATUS Status;
- UINT8 *Data;
- UINTN DataSize;
- UINT32 CertOffset;
- CHAR16 *DbName;
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+ UINT32 CertOffset;
+ CHAR16 *DbName;
if ((VariableName == NULL) || (VendorGuid == NULL) || (CertData == NULL) || (CertDataSize == NULL)) {
return EFI_INVALID_PARAMETER;
}
-
if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
//
// Get variable "certdb".
@@ -1324,7 +1343,7 @@ GetCertsFromDb (
Status = AuthServiceInternalFindVariable (
DbName,
&gEfiCertDbGuid,
- (VOID **) &Data,
+ (VOID **)&Data,
&DataSize
);
if (EFI_ERROR (Status)) {
@@ -1372,20 +1391,20 @@ GetCertsFromDb (
**/
EFI_STATUS
DeleteCertsFromDb (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT32 Attributes
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN UINT32 Attributes
)
{
- EFI_STATUS Status;
- UINT8 *Data;
- UINTN DataSize;
- UINT32 VarAttr;
- UINT32 CertNodeOffset;
- UINT32 CertNodeSize;
- UINT8 *NewCertDb;
- UINT32 NewCertDbSize;
- CHAR16 *DbName;
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+ UINT32 VarAttr;
+ UINT32 CertNodeOffset;
+ UINT32 CertNodeSize;
+ UINT8 *NewCertDb;
+ UINT32 NewCertDbSize;
+ CHAR16 *DbName;
if ((VariableName == NULL) || (VendorGuid == NULL)) {
return EFI_INVALID_PARAMETER;
@@ -1395,20 +1414,20 @@ DeleteCertsFromDb (
//
// Get variable "certdb".
//
- DbName = EFI_CERT_DB_NAME;
- VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
+ DbName = EFI_CERT_DB_NAME;
+ VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
} else {
//
// Get variable "certdbv".
//
- DbName = EFI_CERT_DB_VOLATILE_NAME;
+ DbName = EFI_CERT_DB_VOLATILE_NAME;
VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
}
Status = AuthServiceInternalFindVariable (
DbName,
&gEfiCertDbGuid,
- (VOID **) &Data,
+ (VOID **)&Data,
&DataSize
);
@@ -1453,8 +1472,8 @@ DeleteCertsFromDb (
//
// Construct new data content of variable "certdb" or "certdbv".
//
- NewCertDbSize = (UINT32) DataSize - CertNodeSize;
- NewCertDb = (UINT8*) mCertDbStore;
+ NewCertDbSize = (UINT32)DataSize - CertNodeSize;
+ NewCertDb = (UINT8 *)mCertDbStore;
//
// Copy the DB entries before deleting node.
@@ -1478,13 +1497,13 @@ DeleteCertsFromDb (
//
// Set "certdb" or "certdbv".
//
- Status = AuthServiceInternalUpdateVariable (
- DbName,
- &gEfiCertDbGuid,
- NewCertDb,
- NewCertDbSize,
- VarAttr
- );
+ Status = AuthServiceInternalUpdateVariable (
+ DbName,
+ &gEfiCertDbGuid,
+ NewCertDb,
+ NewCertDbSize,
+ VarAttr
+ );
return Status;
}
@@ -1512,29 +1531,29 @@ DeleteCertsFromDb (
**/
EFI_STATUS
InsertCertsToDb (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT32 Attributes,
- IN UINT8 *SignerCert,
- IN UINTN SignerCertSize,
- IN UINT8 *TopLevelCert,
- IN UINTN TopLevelCertSize
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN UINT32 Attributes,
+ IN UINT8 *SignerCert,
+ IN UINTN SignerCertSize,
+ IN UINT8 *TopLevelCert,
+ IN UINTN TopLevelCertSize
)
{
- EFI_STATUS Status;
- UINT8 *Data;
- UINTN DataSize;
- UINT32 VarAttr;
- UINT8 *NewCertDb;
- UINT32 NewCertDbSize;
- UINT32 CertNodeSize;
- UINT32 NameSize;
- UINT32 CertDataSize;
- AUTH_CERT_DB_DATA *Ptr;
- CHAR16 *DbName;
- UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
-
- if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert == NULL) ||(TopLevelCert == NULL)) {
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+ UINT32 VarAttr;
+ UINT8 *NewCertDb;
+ UINT32 NewCertDbSize;
+ UINT32 CertNodeSize;
+ UINT32 NameSize;
+ UINT32 CertDataSize;
+ AUTH_CERT_DB_DATA *Ptr;
+ CHAR16 *DbName;
+ UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
+
+ if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert == NULL) || (TopLevelCert == NULL)) {
return EFI_INVALID_PARAMETER;
}
@@ -1542,13 +1561,13 @@ InsertCertsToDb (
//
// Get variable "certdb".
//
- DbName = EFI_CERT_DB_NAME;
- VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
+ DbName = EFI_CERT_DB_NAME;
+ VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
} else {
//
// Get variable "certdbv".
//
- DbName = EFI_CERT_DB_VOLATILE_NAME;
+ DbName = EFI_CERT_DB_VOLATILE_NAME;
VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
}
@@ -1558,7 +1577,7 @@ InsertCertsToDb (
Status = AuthServiceInternalFindVariable (
DbName,
&gEfiCertDbGuid,
- (VOID **) &Data,
+ (VOID **)&Data,
&DataSize
);
if (EFI_ERROR (Status)) {
@@ -1593,15 +1612,15 @@ InsertCertsToDb (
//
// Construct new data content of variable "certdb" or "certdbv".
//
- NameSize = (UINT32) StrLen (VariableName);
- CertDataSize = sizeof(Sha256Digest);
- CertNodeSize = sizeof (AUTH_CERT_DB_DATA) + (UINT32) CertDataSize + NameSize * sizeof (CHAR16);
- NewCertDbSize = (UINT32) DataSize + CertNodeSize;
+ NameSize = (UINT32)StrLen (VariableName);
+ CertDataSize = sizeof (Sha256Digest);
+ CertNodeSize = sizeof (AUTH_CERT_DB_DATA) + (UINT32)CertDataSize + NameSize * sizeof (CHAR16);
+ NewCertDbSize = (UINT32)DataSize + CertNodeSize;
if (NewCertDbSize > mMaxCertDbSize) {
return EFI_OUT_OF_RESOURCES;
}
- Status = CalculatePrivAuthVarSignChainSHA256Digest(
+ Status = CalculatePrivAuthVarSignChainSHA256Digest (
SignerCert,
SignerCertSize,
TopLevelCert,
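Review bot: The `NewCertDbSize > mMaxCertDbSize` check operates on values that may already have wrapped, because `CertNodeSize` and `NewCertDbSize` are UINT32 and are built from `(UINT32)StrLen (VariableName)` and `(UINT32)DataSize`. A wrapped sum would pass the check while the later CopyMem calls into `mCertDbStore` still use the unwrapped `NameSize * sizeof (CHAR16)`. The variable driver presumably limits the name length before this point, so this is hardening rather than a known fault. Computing the node size in UINTN and comparing without the addition avoids the wrap: `if ((DataSize > mMaxCertDbSize) || (NodeSizeN > mMaxCertDbSize - DataSize)) { return EFI_OUT_OF_RESOURCES; }`, where `NodeSizeN` is a new UINTN local. InsertCertsToDb starts and ends outside this hunk.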
@@ -1612,7 +1631,7 @@ InsertCertsToDb (
return Status;
}
- NewCertDb = (UINT8*) mCertDbStore;
+ NewCertDb = (UINT8 *)mCertDbStore;
//
// Copy the DB entries before inserting node.
@@ -1625,20 +1644,20 @@ InsertCertsToDb (
//
// Construct new cert node.
//
- Ptr = (AUTH_CERT_DB_DATA *) (NewCertDb + DataSize);
+ Ptr = (AUTH_CERT_DB_DATA *)(NewCertDb + DataSize);
CopyGuid (&Ptr->VendorGuid, VendorGuid);
CopyMem (&Ptr->CertNodeSize, &CertNodeSize, sizeof (UINT32));
CopyMem (&Ptr->NameSize, &NameSize, sizeof (UINT32));
CopyMem (&Ptr->CertDataSize, &CertDataSize, sizeof (UINT32));
CopyMem (
- (UINT8 *) Ptr + sizeof (AUTH_CERT_DB_DATA),
+ (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA),
VariableName,
NameSize * sizeof (CHAR16)
);
CopyMem (
- (UINT8 *) Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16),
+ (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16),
Sha256Digest,
CertDataSize
);
@@ -1646,13 +1665,13 @@ InsertCertsToDb (
//
// Set "certdb" or "certdbv".
//
- Status = AuthServiceInternalUpdateVariable (
- DbName,
- &gEfiCertDbGuid,
- NewCertDb,
- NewCertDbSize,
- VarAttr
- );
+ Status = AuthServiceInternalUpdateVariable (
+ DbName,
+ &gEfiCertDbGuid,
+ NewCertDb,
+ NewCertDbSize,
+ VarAttr
+ );
return Status;
}
@@ -1674,17 +1693,17 @@ CleanCertsFromDb (
VOID
)
{
- UINT32 Offset;
- AUTH_CERT_DB_DATA *Ptr;
- UINT32 NameSize;
- UINT32 NodeSize;
- CHAR16 *VariableName;
- EFI_STATUS Status;
- BOOLEAN CertCleaned;
- UINT8 *Data;
- UINTN DataSize;
- EFI_GUID AuthVarGuid;
- AUTH_VARIABLE_INFO AuthVariableInfo;
+ UINT32 Offset;
+ AUTH_CERT_DB_DATA *Ptr;
+ UINT32 NameSize;
+ UINT32 NodeSize;
+ CHAR16 *VariableName;
+ EFI_STATUS Status;
+ BOOLEAN CertCleaned;
+ UINT8 *Data;
+ UINTN DataSize;
+ EFI_GUID AuthVarGuid;
+ AUTH_VARIABLE_INFO AuthVariableInfo;
Status = EFI_SUCCESS;
@@ -1700,7 +1719,7 @@ CleanCertsFromDb (
Status = AuthServiceInternalFindVariable (
EFI_CERT_DB_NAME,
&gEfiCertDbGuid,
- (VOID **) &Data,
+ (VOID **)&Data,
&DataSize
);
if (EFI_ERROR (Status)) {
@@ -1714,23 +1733,24 @@ CleanCertsFromDb (
Offset = sizeof (UINT32);
- while (Offset < (UINT32) DataSize) {
- Ptr = (AUTH_CERT_DB_DATA *) (Data + Offset);
+ while (Offset < (UINT32)DataSize) {
+ Ptr = (AUTH_CERT_DB_DATA *)(Data + Offset);
NodeSize = ReadUnaligned32 (&Ptr->CertNodeSize);
NameSize = ReadUnaligned32 (&Ptr->NameSize);
//
// Get VarName tailed with '\0'
//
- VariableName = AllocateZeroPool((NameSize + 1) * sizeof(CHAR16));
+ VariableName = AllocateZeroPool ((NameSize + 1) * sizeof (CHAR16));
if (VariableName == NULL) {
return EFI_OUT_OF_RESOURCES;
}
- CopyMem (VariableName, (UINT8 *) Ptr + sizeof (AUTH_CERT_DB_DATA), NameSize * sizeof(CHAR16));
+
+ CopyMem (VariableName, (UINT8 *)Ptr + sizeof (AUTH_CERT_DB_DATA), NameSize * sizeof (CHAR16));
//
// Keep VarGuid aligned
//
- CopyMem (&AuthVarGuid, &Ptr->VendorGuid, sizeof(EFI_GUID));
+ CopyMem (&AuthVarGuid, &Ptr->VendorGuid, sizeof (EFI_GUID));
//
// Find corresponding time auth variable
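Review bot: NodeSize and NameSize are read from the stored certdb and used without any bound in this hunk: `(NameSize + 1) * sizeof (CHAR16)` sizes the allocation, `NameSize * sizeof (CHAR16)` sizes the CopyMem from `Ptr`, and `Offset + NodeSize` in the next hunk advances the loop. A corrupted record could therefore make the copy read past `Data + DataSize`, wrap `NameSize + 1` to a zero-byte allocation, or stall the loop with a NodeSize of 0. FindCertsFromDb already rejects inconsistent nodes with EFI_INVALID_PARAMETER; a matching guard before AllocateZeroPool would be `if ((NodeSize < sizeof (AUTH_CERT_DB_DATA)) || (NodeSize > (UINT32)DataSize - Offset) || (NameSize > (NodeSize - sizeof (AUTH_CERT_DB_DATA)) / sizeof (CHAR16))) { return EFI_INVALID_PARAMETER; }`. The function body starts before and continues after this hunk, so a check outside the visible lines is possible.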
@@ -1742,22 +1762,22 @@ CleanCertsFromDb (
&AuthVariableInfo
);
- if (EFI_ERROR(Status) || (AuthVariableInfo.Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
+ if (EFI_ERROR (Status) || ((AuthVariableInfo.Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0)) {
//
// While cleaning certdb, always delete the variable in certdb regardless of it attributes.
//
- Status = DeleteCertsFromDb(
- VariableName,
- &AuthVarGuid,
- AuthVariableInfo.Attributes | EFI_VARIABLE_NON_VOLATILE
- );
+ Status = DeleteCertsFromDb (
+ VariableName,
+ &AuthVarGuid,
+ AuthVariableInfo.Attributes | EFI_VARIABLE_NON_VOLATILE
+ );
CertCleaned = TRUE;
- DEBUG((DEBUG_INFO, "Recovery!! Cert for Auth Variable %s Guid %g is removed for consistency\n", VariableName, &AuthVarGuid));
- FreePool(VariableName);
+ DEBUG ((DEBUG_INFO, "Recovery!! Cert for Auth Variable %s Guid %g is removed for consistency\n", VariableName, &AuthVarGuid));
+ FreePool (VariableName);
break;
}
- FreePool(VariableName);
+ FreePool (VariableName);
Offset = Offset + NodeSize;
}
} while (CertCleaned);
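Review bot: The status returned by DeleteCertsFromDb is stored but not examined before `CertCleaned = TRUE` and `break`. If the delete fails, the stale node is still in certdb, and the enclosing `do … while (CertCleaned)` loop, whose start is outside this hunk, will presumably find the same node on the next pass and never terminate. Returning on failure right after the call keeps the recovery bounded: `if (EFI_ERROR (Status)) { FreePool (VariableName); return Status; }`.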
@@ -1796,58 +1816,58 @@ CleanCertsFromDb (
**/
EFI_STATUS
VerifyTimeBasedPayload (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN UINT32 Attributes,
- IN AUTHVAR_TYPE AuthVarType,
- IN EFI_TIME *OrgTimeStamp,
- OUT UINT8 **VarPayloadPtr,
- OUT UINTN *VarPayloadSize
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN VOID *Data,
+ IN UINTN DataSize,
+ IN UINT32 Attributes,
+ IN AUTHVAR_TYPE AuthVarType,
+ IN EFI_TIME *OrgTimeStamp,
+ OUT UINT8 **VarPayloadPtr,
+ OUT UINTN *VarPayloadSize
)
{
- EFI_VARIABLE_AUTHENTICATION_2 *CertData;
- UINT8 *SigData;
- UINT32 SigDataSize;
- UINT8 *PayloadPtr;
- UINTN PayloadSize;
- UINT32 Attr;
- BOOLEAN VerifyStatus;
- EFI_STATUS Status;
- EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_DATA *Cert;
- UINTN Index;
- UINTN CertCount;
- UINT32 KekDataSize;
- UINT8 *NewData;
- UINTN NewDataSize;
- UINT8 *Buffer;
- UINTN Length;
- UINT8 *TopLevelCert;
- UINTN TopLevelCertSize;
- UINT8 *TrustedCert;
- UINTN TrustedCertSize;
- UINT8 *SignerCerts;
- UINTN CertStackSize;
- UINT8 *CertsInCertDb;
- UINT32 CertsSizeinDb;
- UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
- EFI_CERT_DATA *CertDataPtr;
+ EFI_VARIABLE_AUTHENTICATION_2 *CertData;
+ UINT8 *SigData;
+ UINT32 SigDataSize;
+ UINT8 *PayloadPtr;
+ UINTN PayloadSize;
+ UINT32 Attr;
+ BOOLEAN VerifyStatus;
+ EFI_STATUS Status;
+ EFI_SIGNATURE_LIST *CertList;
+ EFI_SIGNATURE_DATA *Cert;
+ UINTN Index;
+ UINTN CertCount;
+ UINT32 KekDataSize;
+ UINT8 *NewData;
+ UINTN NewDataSize;
+ UINT8 *Buffer;
+ UINTN Length;
+ UINT8 *TopLevelCert;
+ UINTN TopLevelCertSize;
+ UINT8 *TrustedCert;
+ UINTN TrustedCertSize;
+ UINT8 *SignerCerts;
+ UINTN CertStackSize;
+ UINT8 *CertsInCertDb;
+ UINT32 CertsSizeinDb;
+ UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
+ EFI_CERT_DATA *CertDataPtr;
//
// 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert Chain
// 2. TrustedCert is the certificate which firmware trusts. It could be saved in protected
// storage or PK payload on PK init
//
- VerifyStatus = FALSE;
- CertData = NULL;
- NewData = NULL;
- Attr = Attributes;
- SignerCerts = NULL;
- TopLevelCert = NULL;
- CertsInCertDb = NULL;
- CertDataPtr = NULL;
+ VerifyStatus = FALSE;
+ CertData = NULL;
+ NewData = NULL;
+ Attr = Attributes;
+ SignerCerts = NULL;
+ TopLevelCert = NULL;
+ CertsInCertDb = NULL;
+ CertDataPtr = NULL;
//
// When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is
@@ -1857,7 +1877,7 @@ VerifyTimeBasedPayload (
// variable value. The authentication descriptor is not part of the variable data and is not
// returned by subsequent calls to GetVariable().
//
- CertData = (EFI_VARIABLE_AUTHENTICATION_2 *) Data;
+ CertData = (EFI_VARIABLE_AUTHENTICATION_2 *)Data;
//
// Verify that Pad1, Nanosecond, TimeZone, Daylight and Pad2 components of the
@@ -1867,7 +1887,8 @@ VerifyTimeBasedPayload (
(CertData->TimeStamp.Nanosecond != 0) ||
(CertData->TimeStamp.TimeZone != 0) ||
(CertData->TimeStamp.Daylight != 0) ||
- (CertData->TimeStamp.Pad2 != 0)) {
+ (CertData->TimeStamp.Pad2 != 0))
+ {
return EFI_SECURITY_VIOLATION;
}
@@ -1885,7 +1906,8 @@ VerifyTimeBasedPayload (
// Cert type should be EFI_CERT_TYPE_PKCS7_GUID.
//
if ((CertData->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) ||
- !CompareGuid (&CertData->AuthInfo.CertType, &gEfiCertPkcs7Guid)) {
+ !CompareGuid (&CertData->AuthInfo.CertType, &gEfiCertPkcs7Guid))
+ {
//
// Invalid AuthInfo type, return EFI_SECURITY_VIOLATION.
//
@@ -1896,8 +1918,8 @@ VerifyTimeBasedPayload (
// Find out Pkcs7 SignedData which follows the EFI_VARIABLE_AUTHENTICATION_2 descriptor.
// AuthInfo.Hdr.dwLength is the length of the entire certificate, including the length of the header.
//
- SigData = CertData->AuthInfo.CertData;
- SigDataSize = CertData->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
+ SigData = CertData->AuthInfo.CertData;
+ SigDataSize = CertData->AuthInfo.Hdr.dwLength - (UINT32)(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
//
// SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the
@@ -1916,20 +1938,21 @@ VerifyTimeBasedPayload (
if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
if (SigDataSize >= (13 + sizeof (mSha256OidValue))) {
if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) ||
- (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) {
- return EFI_SECURITY_VIOLATION;
- }
+ (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))
+ {
+ return EFI_SECURITY_VIOLATION;
+ }
}
}
//
// Find out the new data payload which follows Pkcs7 SignedData directly.
//
- PayloadPtr = SigData + SigDataSize;
- PayloadSize = DataSize - OFFSET_OF_AUTHINFO2_CERT_DATA - (UINTN) SigDataSize;
+ PayloadPtr = SigData + SigDataSize;
+ PayloadSize = DataSize - OFFSET_OF_AUTHINFO2_CERT_DATA - (UINTN)SigDataSize;
// If the VariablePolicy engine is disabled, allow deletion of any authenticated variables.
- if (PayloadSize == 0 && (Attributes & EFI_VARIABLE_APPEND_WRITE) == 0 && !IsVariablePolicyEnabled()) {
+ if ((PayloadSize == 0) && ((Attributes & EFI_VARIABLE_APPEND_WRITE) == 0) && !IsVariablePolicyEnabled ()) {
VerifyStatus = TRUE;
goto Exit;
}
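Review bot: `PayloadSize = DataSize - OFFSET_OF_AUTHINFO2_CERT_DATA - (UINTN)SigDataSize` is unsigned arithmetic with no guard in the visible lines, and SigDataSize comes from the caller-supplied `AuthInfo.Hdr.dwLength` in the previous hunk. If dwLength is larger than the buffer, PayloadSize wraps and `PayloadPtr` points past `Data`; the callers may already validate this, but it is not visible here. An explicit guard before the assignment makes the function safe on its own: `if ((DataSize < OFFSET_OF_AUTHINFO2_CERT_DATA) || ((UINTN)SigDataSize > DataSize - OFFSET_OF_AUTHINFO2_CERT_DATA)) { return EFI_SECURITY_VIOLATION; }`. The comment on the policy-disabled branch could also state that this path sets `VerifyStatus = TRUE` without running any Pkcs7 verification.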
@@ -1950,7 +1973,7 @@ VerifyTimeBasedPayload (
// because it is only used at here to do verification temporarily first
// and then used in UpdateVariable() for a time based auth variable set.
//
- Status = mAuthVarLibContextIn->GetScratchBuffer (&NewDataSize, (VOID **) &NewData);
+ Status = mAuthVarLibContextIn->GetScratchBuffer (&NewDataSize, (VOID **)&NewData);
if (EFI_ERROR (Status)) {
return EFI_OUT_OF_RESOURCES;
}
@@ -2005,10 +2028,12 @@ VerifyTimeBasedPayload (
VerifyStatus = FALSE;
goto Exit;
}
- CertList = (EFI_SIGNATURE_LIST *) Data;
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
+
+ CertList = (EFI_SIGNATURE_LIST *)Data;
+ Cert = (EFI_SIGNATURE_DATA *)((UINT8 *)CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
if ((TopLevelCertSize != (CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1))) ||
- (CompareMem (Cert->SignatureData, TopLevelCert, TopLevelCertSize) != 0)) {
+ (CompareMem (Cert->SignatureData, TopLevelCert, TopLevelCertSize) != 0))
+ {
VerifyStatus = FALSE;
goto Exit;
}
@@ -2024,9 +2049,7 @@ VerifyTimeBasedPayload (
NewData,
NewDataSize
);
-
} else if (AuthVarType == AuthVarTypeKek) {
-
//
// Get KEK database from variable.
//
@@ -2043,18 +2066,18 @@ VerifyTimeBasedPayload (
//
// Ready to verify Pkcs7 SignedData. Go through KEK Signature Database to find out X.509 CertList.
//
- KekDataSize = (UINT32) DataSize;
- CertList = (EFI_SIGNATURE_LIST *) Data;
+ KekDataSize = (UINT32)DataSize;
+ CertList = (EFI_SIGNATURE_LIST *)Data;
while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
+ Cert = (EFI_SIGNATURE_DATA *)((UINT8 *)CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
+ CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
for (Index = 0; Index < CertCount; Index++) {
//
// Iterate each Signature Data Node within this CertList for a verify
//
- TrustedCert = Cert->SignatureData;
- TrustedCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);
+ TrustedCert = Cert->SignatureData;
+ TrustedCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);
//
// Verify Pkcs7 SignedData via Pkcs7Verify library.
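Review bot: The KEK walk trusts the list headers: `CertCount` divides by `CertList->SignatureSize` with no zero check, the subtraction `SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - SignatureHeaderSize` can wrap, and `CertList->SignatureListSize` is read in the loop condition before KekDataSize is known to cover a full header. A SignatureListSize of 0 would also keep the loop from advancing. KEK content is presumably format-checked when it is written, so this is defence in depth. A guard at the top of the loop body would cover it: `if ((CertList->SignatureSize == 0) || (CertList->SignatureListSize < sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize)) { break; }`. The loop ends in the next hunk.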
@@ -2070,14 +2093,15 @@ VerifyTimeBasedPayload (
if (VerifyStatus) {
goto Exit;
}
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
+
+ Cert = (EFI_SIGNATURE_DATA *)((UINT8 *)Cert + CertList->SignatureSize);
}
}
+
KekDataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
+ CertList = (EFI_SIGNATURE_LIST *)((UINT8 *)CertList + CertList->SignatureListSize);
}
} else if (AuthVarType == AuthVarTypePriv) {
-
//
// Process common authenticated variable except PK/KEK/DB/DBX/DBT.
// Get signer's certificates from SignedData.
@@ -2112,24 +2136,25 @@ VerifyTimeBasedPayload (
// Check hash of signer cert CommonName + Top-level issuer tbsCertificate against data in CertDb
//
CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
- Status = CalculatePrivAuthVarSignChainSHA256Digest(
- CertDataPtr->CertDataBuffer,
- ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
- TopLevelCert,
- TopLevelCertSize,
- Sha256Digest
- );
- if (EFI_ERROR(Status) || CompareMem (Sha256Digest, CertsInCertDb, CertsSizeinDb) != 0){
+ Status = CalculatePrivAuthVarSignChainSHA256Digest (
+ CertDataPtr->CertDataBuffer,
+ ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
+ TopLevelCert,
+ TopLevelCertSize,
+ Sha256Digest
+ );
+ if (EFI_ERROR (Status) || (CompareMem (Sha256Digest, CertsInCertDb, CertsSizeinDb) != 0)) {
goto Exit;
}
} else {
- //
- // Keep backward compatible with previous solution which saves whole signer certs stack in CertDb
- //
- if ((CertStackSize != CertsSizeinDb) ||
- (CompareMem (SignerCerts, CertsInCertDb, CertsSizeinDb) != 0)) {
- goto Exit;
- }
+ //
+ // Keep backward compatible with previous solution which saves whole signer certs stack in CertDb
+ //
+ if ((CertStackSize != CertsSizeinDb) ||
+ (CompareMem (SignerCerts, CertsInCertDb, CertsSizeinDb) != 0))
+ {
+ goto Exit;
+ }
}
}
@@ -2150,23 +2175,23 @@ VerifyTimeBasedPayload (
// When adding a new common authenticated variable, always save Hash of cn of signer cert + tbsCertificate of Top-level issuer
//
CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
- Status = InsertCertsToDb (
- VariableName,
- VendorGuid,
- Attributes,
- CertDataPtr->CertDataBuffer,
- ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
- TopLevelCert,
- TopLevelCertSize
- );
+ Status = InsertCertsToDb (
+ VariableName,
+ VendorGuid,
+ Attributes,
+ CertDataPtr->CertDataBuffer,
+ ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
+ TopLevelCert,
+ TopLevelCertSize
+ );
if (EFI_ERROR (Status)) {
VerifyStatus = FALSE;
goto Exit;
}
}
} else if (AuthVarType == AuthVarTypePayload) {
- CertList = (EFI_SIGNATURE_LIST *) PayloadPtr;
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
+ CertList = (EFI_SIGNATURE_LIST *)PayloadPtr;
+ Cert = (EFI_SIGNATURE_DATA *)((UINT8 *)CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
TrustedCert = Cert->SignatureData;
TrustedCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);
//
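Review bot: In the AuthVarTypePayload branch the new payload is dereferenced as an EFI_SIGNATURE_LIST before anything visible checks its size: `CertList->SignatureHeaderSize` and `CertList->SignatureSize` are read straight from `PayloadPtr`, and `TrustedCertSize` wraps if SignatureSize is smaller than `sizeof (EFI_SIGNATURE_DATA) - 1`. CheckSignatureListFormat is called only after the Exit label, so it does not protect these reads. I would check `PayloadSize >= sizeof (EFI_SIGNATURE_LIST)` before the cast and `CertList->SignatureSize >= sizeof (EFI_SIGNATURE_DATA)` before computing TrustedCertSize, taking `VerifyStatus = FALSE; goto Exit;` on failure. The branch continues past the end of this hunk, so the use of TrustedCert is not visible here.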
@@ -2186,12 +2211,13 @@ VerifyTimeBasedPayload (
Exit:
- if (AuthVarType == AuthVarTypePk || AuthVarType == AuthVarTypePriv) {
+ if ((AuthVarType == AuthVarTypePk) || (AuthVarType == AuthVarTypePriv)) {
if (TopLevelCert != NULL) {
- Pkcs7FreeSigners (TopLevelCert);
+ Pkcs7FreeSigners (TopLevelCert);
}
+
if (SignerCerts != NULL) {
- Pkcs7FreeSigners (SignerCerts);
+ Pkcs7FreeSigners (SignerCerts);
}
}
@@ -2199,12 +2225,12 @@ Exit:
return EFI_SECURITY_VIOLATION;
}
- Status = CheckSignatureListFormat(VariableName, VendorGuid, PayloadPtr, PayloadSize);
+ Status = CheckSignatureListFormat (VariableName, VendorGuid, PayloadPtr, PayloadSize);
if (EFI_ERROR (Status)) {
return Status;
}
- *VarPayloadPtr = PayloadPtr;
+ *VarPayloadPtr = PayloadPtr;
*VarPayloadSize = PayloadSize;
return EFI_SUCCESS;
@@ -2238,29 +2264,29 @@ Exit:
**/
EFI_STATUS
VerifyTimeBasedPayloadAndUpdate (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN UINT32 Attributes,
- IN AUTHVAR_TYPE AuthVarType,
- OUT BOOLEAN *VarDel
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN VOID *Data,
+ IN UINTN DataSize,
+ IN UINT32 Attributes,
+ IN AUTHVAR_TYPE AuthVarType,
+ OUT BOOLEAN *VarDel
)
{
- EFI_STATUS Status;
- EFI_STATUS FindStatus;
- UINT8 *PayloadPtr;
- UINTN PayloadSize;
- EFI_VARIABLE_AUTHENTICATION_2 *CertData;
- AUTH_VARIABLE_INFO OrgVariableInfo;
- BOOLEAN IsDel;
+ EFI_STATUS Status;
+ EFI_STATUS FindStatus;
+ UINT8 *PayloadPtr;
+ UINTN PayloadSize;
+ EFI_VARIABLE_AUTHENTICATION_2 *CertData;
+ AUTH_VARIABLE_INFO OrgVariableInfo;
+ BOOLEAN IsDel;
ZeroMem (&OrgVariableInfo, sizeof (OrgVariableInfo));
FindStatus = mAuthVarLibContextIn->FindVariable (
- VariableName,
- VendorGuid,
- &OrgVariableInfo
- );
+ VariableName,
+ VendorGuid,
+ &OrgVariableInfo
+ );
Status = VerifyTimeBasedPayload (
VariableName,
@@ -2277,15 +2303,16 @@ VerifyTimeBasedPayloadAndUpdate (
return Status;
}
- if (!EFI_ERROR(FindStatus)
- && (PayloadSize == 0)
- && ((Attributes & EFI_VARIABLE_APPEND_WRITE) == 0)) {
+ if ( !EFI_ERROR (FindStatus)
+ && (PayloadSize == 0)
+ && ((Attributes & EFI_VARIABLE_APPEND_WRITE) == 0))
+ {
IsDel = TRUE;
} else {
IsDel = FALSE;
}
- CertData = (EFI_VARIABLE_AUTHENTICATION_2 *) Data;
+ CertData = (EFI_VARIABLE_AUTHENTICATION_2 *)Data;
//
// Final step: Update/Append Variable if it pass Pkcs7Verify
@@ -2302,12 +2329,12 @@ VerifyTimeBasedPayloadAndUpdate (
//
// Delete signer's certificates when delete the common authenticated variable.
//
- if (IsDel && AuthVarType == AuthVarTypePriv && !EFI_ERROR(Status) ) {
+ if (IsDel && (AuthVarType == AuthVarTypePriv) && !EFI_ERROR (Status)) {
Status = DeleteCertsFromDb (VariableName, VendorGuid, Attributes);
}
if (VarDel != NULL) {
- if (IsDel && !EFI_ERROR(Status)) {
+ if (IsDel && !EFI_ERROR (Status)) {
*VarDel = TRUE;
} else {
*VarDel = FALSE;