0b4a304504
- Rename filenames to match the package name OBS-URL: https://build.opensuse.org/request/show/244532 OBS-URL: https://build.opensuse.org/package/show/Virtualization/ovmf?expand=0&rev=2
240 lines
7.7 KiB
Diff
240 lines
7.7 KiB
Diff
From 3b463b18d6427498063895f07aa53271e5d4b43b Mon Sep 17 00:00:00 2001
|
|
From: Gary Ching-Pang Lin <chingpang@gmail.com>
|
|
Date: Fri, 10 May 2013 10:27:51 +0800
|
|
Subject: [PATCH] Add a stub to allow keys to be embedded at build time
|
|
|
|
---
|
|
SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c | 173 ++++++++++
|
|
SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h | 2
|
|
SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h | 2
|
|
SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h | 2
|
|
SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf | 3
|
|
5 files changed, 182 insertions(+)
|
|
create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h
|
|
create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h
|
|
create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h
|
|
|
|
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
|
|
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
|
|
@@ -28,6 +28,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF
|
|
|
|
#include "Variable.h"
|
|
#include "AuthService.h"
|
|
+#include "Default_PK.h"
|
|
+#include "Default_KEK.h"
|
|
+#include "Default_DB.h"
|
|
|
|
///
|
|
/// Global database array for scratch
|
|
@@ -173,6 +176,11 @@ AutenticatedVariableServiceInitialize (
|
|
UINT8 SecureBootEnable;
|
|
UINT8 CustomMode;
|
|
UINT32 ListSize;
|
|
+ EFI_SIGNATURE_LIST *SigCert;
|
|
+ EFI_SIGNATURE_DATA *SigCertData;
|
|
+ UINTN SigSize;
|
|
+ EFI_GUID *SignatureGUID;
|
|
+ UINT32 Attr;
|
|
|
|
//
|
|
// Initialize hash context.
|
|
@@ -183,6 +191,171 @@ AutenticatedVariableServiceInitialize (
|
|
return EFI_OUT_OF_RESOURCES;
|
|
}
|
|
|
|
+ //****
|
|
+ // Create signature list for PK KEK DB
|
|
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS |
|
|
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
|
|
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
|
|
+
|
|
+ // PK
|
|
+ if (Default_PK == NULL)
|
|
+ goto SKIP_KEYS;
|
|
+
|
|
+ SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
|
|
+ if (SignatureGUID == NULL) {
|
|
+ return EFI_OUT_OF_RESOURCES;
|
|
+ }
|
|
+
|
|
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len;
|
|
+ Data = AllocateZeroPool (SigSize);
|
|
+ if (Data == NULL) {
|
|
+ return EFI_OUT_OF_RESOURCES;
|
|
+ }
|
|
+
|
|
+ SigCert = (EFI_SIGNATURE_LIST*) Data;
|
|
+ SigCert->SignatureListSize = (UINT32) SigSize;
|
|
+ SigCert->SignatureHeaderSize = 0;
|
|
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len);
|
|
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
|
|
+
|
|
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
|
|
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
|
|
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len);
|
|
+
|
|
+ Status = FindVariable (
|
|
+ EFI_PLATFORM_KEY_NAME,
|
|
+ &gEfiGlobalVariableGuid,
|
|
+ &Variable,
|
|
+ &mVariableModuleGlobal->VariableGlobal,
|
|
+ FALSE
|
|
+ );
|
|
+ if (Variable.CurrPtr == NULL) {
|
|
+ Status = UpdateVariable (
|
|
+ EFI_PLATFORM_KEY_NAME,
|
|
+ &gEfiGlobalVariableGuid,
|
|
+ Data,
|
|
+ SigSize,
|
|
+ Attr,
|
|
+ 0,
|
|
+ 0,
|
|
+ &Variable,
|
|
+ NULL
|
|
+ );
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ return Status;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ FreePool(SignatureGUID);
|
|
+ FreePool(Data);
|
|
+
|
|
+ // KEK
|
|
+ if (Default_KEK == NULL)
|
|
+ goto SKIP_KEYS;
|
|
+
|
|
+ SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
|
|
+ if (SignatureGUID == NULL) {
|
|
+ return EFI_OUT_OF_RESOURCES;
|
|
+ }
|
|
+
|
|
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len;
|
|
+ Data = AllocateZeroPool (SigSize);
|
|
+ if (Data == NULL) {
|
|
+ return EFI_OUT_OF_RESOURCES;
|
|
+ }
|
|
+
|
|
+ SigCert = (EFI_SIGNATURE_LIST*) Data;
|
|
+ SigCert->SignatureListSize = (UINT32) SigSize;
|
|
+ SigCert->SignatureHeaderSize = 0;
|
|
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len);
|
|
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
|
|
+
|
|
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
|
|
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
|
|
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len);
|
|
+
|
|
+ Status = FindVariable (
|
|
+ EFI_KEY_EXCHANGE_KEY_NAME,
|
|
+ &gEfiGlobalVariableGuid,
|
|
+ &Variable,
|
|
+ &mVariableModuleGlobal->VariableGlobal,
|
|
+ FALSE
|
|
+ );
|
|
+ if (Variable.CurrPtr == NULL) {
|
|
+ Status = UpdateVariable (
|
|
+ EFI_KEY_EXCHANGE_KEY_NAME,
|
|
+ &gEfiGlobalVariableGuid,
|
|
+ Data,
|
|
+ SigSize,
|
|
+ Attr,
|
|
+ 0,
|
|
+ 0,
|
|
+ &Variable,
|
|
+ NULL
|
|
+ );
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ return Status;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ FreePool(SignatureGUID);
|
|
+ FreePool(Data);
|
|
+
|
|
+ // DB
|
|
+ if (Default_DB == NULL)
|
|
+ goto SKIP_KEYS;
|
|
+
|
|
+ SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
|
|
+ if (SignatureGUID == NULL) {
|
|
+ return EFI_OUT_OF_RESOURCES;
|
|
+ }
|
|
+
|
|
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
|
|
+ Data = AllocateZeroPool (SigSize);
|
|
+ if (Data == NULL) {
|
|
+ return EFI_OUT_OF_RESOURCES;
|
|
+ }
|
|
+
|
|
+ SigCert = (EFI_SIGNATURE_LIST*) Data;
|
|
+ SigCert->SignatureListSize = (UINT32) SigSize;
|
|
+ SigCert->SignatureHeaderSize = 0;
|
|
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len);
|
|
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
|
|
+
|
|
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
|
|
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
|
|
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len);
|
|
+
|
|
+ Status = FindVariable (
|
|
+ EFI_IMAGE_SECURITY_DATABASE,
|
|
+ &gEfiImageSecurityDatabaseGuid,
|
|
+ &Variable,
|
|
+ &mVariableModuleGlobal->VariableGlobal,
|
|
+ FALSE
|
|
+ );
|
|
+ if (Variable.CurrPtr == NULL) {
|
|
+ Status = UpdateVariable (
|
|
+ EFI_IMAGE_SECURITY_DATABASE,
|
|
+ &gEfiImageSecurityDatabaseGuid,
|
|
+ Data,
|
|
+ SigSize,
|
|
+ Attr,
|
|
+ 0,
|
|
+ 0,
|
|
+ &Variable,
|
|
+ NULL
|
|
+ );
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ return Status;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ FreePool(SignatureGUID);
|
|
+ FreePool(Data);
|
|
+
|
|
+SKIP_KEYS:
|
|
+ //****
|
|
+
|
|
//
|
|
// Prepare runtime buffer for serialized data of time-based authenticated
|
|
// Variable, i.e. (VariableName, VendorGuid, Attributes, TimeStamp, Data).
|
|
--- /dev/null
|
|
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h
|
|
@@ -0,0 +1,2 @@
|
|
+unsigned char *Default_DB = NULL;
|
|
+unsigned int Default_DB_len = 0;
|
|
--- /dev/null
|
|
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h
|
|
@@ -0,0 +1,2 @@
|
|
+unsigned char *Default_KEK = NULL;
|
|
+unsigned int Default_KEK_len = 0;
|
|
--- /dev/null
|
|
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h
|
|
@@ -0,0 +1,2 @@
|
|
+unsigned char *Default_PK = NULL;
|
|
+unsigned int Default_PK_len = 0;
|
|
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
|
|
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
|
|
@@ -40,6 +40,9 @@
|
|
AuthService.c
|
|
AuthService.h
|
|
Measurement.c
|
|
+ Default_PK.h
|
|
+ Default_KEK.h
|
|
+ Default_DB.h
|
|
|
|
[Packages]
|
|
MdePkg/MdePkg.dec
|