From 1c9418fcafe3d2eea336be092d9cdd29762537fe Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Thu, 25 Apr 2019 15:27:57 +0200 Subject: OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file "EnrollDefaultKeys.c" defines three structure types: SINGLE_HEADER, REPEATING_HEADER, and SETTINGS. The definitions are scattered over the C file, and lack high-level summary comments. Extract the structures to "EnrollDefaultKeys.h", and add the missing comments. Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747 Signed-off-by: Laszlo Ersek Reviewed-by: Philippe Mathieu-Daude Acked-by: Ard Biesheuvel Reviewed-by: Gary Lin --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 101 +------------------- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h | 121 ++++++++++++++++++++++++ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 1 + 3 files changed, 124 insertions(+), 99 deletions(-) create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h (limited to 'OvmfPkg/EnrollDefaultKeys') diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c index 671efef8d6..fefea66388 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -15,6 +15,8 @@ #include // AsciiPrint() #include // gRT +#include "EnrollDefaultKeys.h" + // // We'll use the certificate below as both Platform Key and as first Key // Exchange Key. @@ -543,97 +545,6 @@ STATIC CONST EFI_GUID mMicrosoftOwnerGuid = { { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, }; -// -// The most important thing about the variable payload is that it is a list of -// lists, where the element size of any given *inner* list is constant. -// -// Since X509 certificates vary in size, each of our *inner* lists will contain -// one element only (one X.509 certificate). This is explicitly mentioned in -// the UEFI specification, in "28.4.1 Signature Database", in a Note. -// -// The list structure looks as follows: -// -// struct EFI_VARIABLE_AUTHENTICATION_2 { | -// struct EFI_TIME { | -// UINT16 Year; | -// UINT8 Month; | -// UINT8 Day; | -// UINT8 Hour; | -// UINT8 Minute; | -// UINT8 Second; | -// UINT8 Pad1; | -// UINT32 Nanosecond; | -// INT16 TimeZone; | -// UINT8 Daylight; | -// UINT8 Pad2; | -// } TimeStamp; | -// | -// struct WIN_CERTIFICATE_UEFI_GUID { | | -// struct WIN_CERTIFICATE { | | -// UINT32 dwLength; ----------------------------------------+ | -// UINT16 wRevision; | | -// UINT16 wCertificateType; | | -// } Hdr; | +- DataSize -// | | -// EFI_GUID CertType; | | -// UINT8 CertData[1] = { <--- "struct hack" | | -// struct EFI_SIGNATURE_LIST { | | | -// EFI_GUID SignatureType; | | | -// UINT32 SignatureListSize; -------------------------+ | | -// UINT32 SignatureHeaderSize; | | | -// UINT32 SignatureSize; ---------------------------+ | | | -// UINT8 SignatureHeader[SignatureHeaderSize]; | | | | -// v | | | -// struct EFI_SIGNATURE_DATA { | | | | -// EFI_GUID SignatureOwner; | | | | -// UINT8 SignatureData[1] = { <--- "struct hack" | | | | -// X.509 payload | | | | -// } | | | | -// } Signatures[]; | | | -// } SigLists[]; | | -// }; | | -// } AuthInfo; | | -// }; | -// -// Given that the "struct hack" invokes undefined behavior (which is why C99 -// introduced the flexible array member), and because subtracting those pesky -// sizes of 1 is annoying, and because the format is fully specified in the -// UEFI specification, we'll introduce two matching convenience structures that -// are customized for our X.509 purposes. -// -#pragma pack (1) -typedef struct { - EFI_TIME TimeStamp; - - // - // dwLength covers data below - // - UINT32 dwLength; - UINT16 wRevision; - UINT16 wCertificateType; - EFI_GUID CertType; -} SINGLE_HEADER; - -typedef struct { - // - // SignatureListSize covers data below - // - EFI_GUID SignatureType; - UINT32 SignatureListSize; - UINT32 SignatureHeaderSize; // constant 0 - UINT32 SignatureSize; - - // - // SignatureSize covers data below - // - EFI_GUID SignatureOwner; - - // - // X.509 certificate follows - // -} REPEATING_HEADER; -#pragma pack () - /** Enroll a set of certificates in a global variable, overwriting it. @@ -844,14 +755,6 @@ GetExact ( return EFI_SUCCESS; } -typedef struct { - UINT8 SetupMode; - UINT8 SecureBoot; - UINT8 SecureBootEnable; - UINT8 CustomMode; - UINT8 VendorKeys; -} SETTINGS; - STATIC EFI_STATUS GetSettings ( diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h new file mode 100644 index 0000000000..9bcd87ff4f --- /dev/null +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h @@ -0,0 +1,121 @@ +/** @file + Type definitions for the EnrollDefaultKeys application. + + Copyright (C) 2014-2019, Red Hat, Inc. + + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#ifndef ENROLL_DEFAULT_KEYS_H_ +#define ENROLL_DEFAULT_KEYS_H_ + +#include + +// +// Convenience structure types for constructing "signature lists" for +// authenticated UEFI variables. +// +// The most important thing about the variable payload is that it is a list of +// lists, where the element size of any given *inner* list is constant. +// +// Since X509 certificates vary in size, each of our *inner* lists will contain +// one element only (one X.509 certificate). This is explicitly mentioned in +// the UEFI specification, in "28.4.1 Signature Database", in a Note. +// +// The list structure looks as follows: +// +// struct EFI_VARIABLE_AUTHENTICATION_2 { | +// struct EFI_TIME { | +// UINT16 Year; | +// UINT8 Month; | +// UINT8 Day; | +// UINT8 Hour; | +// UINT8 Minute; | +// UINT8 Second; | +// UINT8 Pad1; | +// UINT32 Nanosecond; | +// INT16 TimeZone; | +// UINT8 Daylight; | +// UINT8 Pad2; | +// } TimeStamp; | +// | +// struct WIN_CERTIFICATE_UEFI_GUID { | | +// struct WIN_CERTIFICATE { | | +// UINT32 dwLength; ----------------------------------------+ | +// UINT16 wRevision; | | +// UINT16 wCertificateType; | | +// } Hdr; | +- DataSize +// | | +// EFI_GUID CertType; | | +// UINT8 CertData[1] = { <--- "struct hack" | | +// struct EFI_SIGNATURE_LIST { | | | +// EFI_GUID SignatureType; | | | +// UINT32 SignatureListSize; -------------------------+ | | +// UINT32 SignatureHeaderSize; | | | +// UINT32 SignatureSize; ---------------------------+ | | | +// UINT8 SignatureHeader[SignatureHeaderSize]; | | | | +// v | | | +// struct EFI_SIGNATURE_DATA { | | | | +// EFI_GUID SignatureOwner; | | | | +// UINT8 SignatureData[1] = { <--- "struct hack" | | | | +// X.509 payload | | | | +// } | | | | +// } Signatures[]; | | | +// } SigLists[]; | | +// }; | | +// } AuthInfo; | | +// }; | +// +// Given that the "struct hack" invokes undefined behavior (which is why C99 +// introduced the flexible array member), and because subtracting those pesky +// sizes of 1 is annoying, and because the format is fully specified in the +// UEFI specification, we'll introduce two matching convenience structures that +// are customized for our X.509 purposes. +// +#pragma pack (1) +typedef struct { + EFI_TIME TimeStamp; + + // + // dwLength covers data below + // + UINT32 dwLength; + UINT16 wRevision; + UINT16 wCertificateType; + EFI_GUID CertType; +} SINGLE_HEADER; + +typedef struct { + // + // SignatureListSize covers data below + // + EFI_GUID SignatureType; + UINT32 SignatureListSize; + UINT32 SignatureHeaderSize; // constant 0 + UINT32 SignatureSize; + + // + // SignatureSize covers data below + // + EFI_GUID SignatureOwner; + + // + // X.509 certificate follows + // +} REPEATING_HEADER; +#pragma pack () + + +// +// A structure that collects the values of UEFI variables related to Secure +// Boot. +// +typedef struct { + UINT8 SetupMode; + UINT8 SecureBoot; + UINT8 SecureBootEnable; + UINT8 CustomMode; + UINT8 VendorKeys; +} SETTINGS; + +#endif /* ENROLL_DEFAULT_KEYS_H_ */ diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf index 3a215df508..9f315a8e6d 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf @@ -16,6 +16,7 @@ [Sources] EnrollDefaultKeys.c + EnrollDefaultKeys.h [Packages] MdeModulePkg/MdeModulePkg.dec -- cgit v1.2.3