blob: 8e61f0a77b90c8701480f3db129a86fb8e05755a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
/** @file
Type definitions and object declarations for the EnrollDefaultKeys
application.
Copyright (C) 2014-2019, Red Hat, Inc.
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef ENROLL_DEFAULT_KEYS_H_
#define ENROLL_DEFAULT_KEYS_H_
#include <Uefi/UefiBaseType.h>
//
// Convenience structure types for constructing "signature lists" for
// authenticated UEFI variables.
//
// The most important thing about the variable payload is that it is a list of
// lists, where the element size of any given *inner* list is constant.
//
// Since X509 certificates vary in size, each of our *inner* lists will contain
// one element only (one X.509 certificate). This is explicitly mentioned in
// the UEFI specification, in "28.4.1 Signature Database", in a Note.
//
// The list structure looks as follows:
//
// struct EFI_VARIABLE_AUTHENTICATION_2 { |
// struct EFI_TIME { |
// UINT16 Year; |
// UINT8 Month; |
// UINT8 Day; |
// UINT8 Hour; |
// UINT8 Minute; |
// UINT8 Second; |
// UINT8 Pad1; |
// UINT32 Nanosecond; |
// INT16 TimeZone; |
// UINT8 Daylight; |
// UINT8 Pad2; |
// } TimeStamp; |
// |
// struct WIN_CERTIFICATE_UEFI_GUID { | |
// struct WIN_CERTIFICATE { | |
// UINT32 dwLength; ----------------------------------------+ |
// UINT16 wRevision; | |
// UINT16 wCertificateType; | |
// } Hdr; | +- DataSize
// | |
// EFI_GUID CertType; | |
// UINT8 CertData[1] = { <--- "struct hack" | |
// struct EFI_SIGNATURE_LIST { | | |
// EFI_GUID SignatureType; | | |
// UINT32 SignatureListSize; -------------------------+ | |
// UINT32 SignatureHeaderSize; | | |
// UINT32 SignatureSize; ---------------------------+ | | |
// UINT8 SignatureHeader[SignatureHeaderSize]; | | | |
// v | | |
// struct EFI_SIGNATURE_DATA { | | | |
// EFI_GUID SignatureOwner; | | | |
// UINT8 SignatureData[1] = { <--- "struct hack" | | | |
// X.509 payload | | | |
// } | | | |
// } Signatures[]; | | |
// } SigLists[]; | |
// }; | |
// } AuthInfo; | |
// }; |
//
// Given that the "struct hack" invokes undefined behavior (which is why C99
// introduced the flexible array member), and because subtracting those pesky
// sizes of 1 is annoying, and because the format is fully specified in the
// UEFI specification, we'll introduce two matching convenience structures that
// are customized for our X.509 purposes.
//
#pragma pack (1)
typedef struct {
EFI_TIME TimeStamp;
//
// dwLength covers data below
//
UINT32 dwLength;
UINT16 wRevision;
UINT16 wCertificateType;
EFI_GUID CertType;
} SINGLE_HEADER;
typedef struct {
//
// SignatureListSize covers data below
//
EFI_GUID SignatureType;
UINT32 SignatureListSize;
UINT32 SignatureHeaderSize; // constant 0
UINT32 SignatureSize;
//
// SignatureSize covers data below
//
EFI_GUID SignatureOwner;
//
// X.509 certificate follows
//
} REPEATING_HEADER;
#pragma pack ()
//
// A structure that collects the values of UEFI variables related to Secure
// Boot.
//
typedef struct {
UINT8 SetupMode;
UINT8 SecureBoot;
UINT8 SecureBootEnable;
UINT8 CustomMode;
UINT8 VendorKeys;
} SETTINGS;
//
// Refer to "AuthData.c" for details on the following objects.
//
extern CONST UINT8 mMicrosoftKek[];
extern CONST UINTN mSizeOfMicrosoftKek;
extern CONST UINT8 mMicrosoftPca[];
extern CONST UINTN mSizeOfMicrosoftPca;
extern CONST UINT8 mMicrosoftUefiCa[];
extern CONST UINTN mSizeOfMicrosoftUefiCa;
extern CONST UINT8 mSha256OfDevNull[];
extern CONST UINTN mSizeOfSha256OfDevNull;
#endif /* ENROLL_DEFAULT_KEYS_H_ */
|