
File OVMF-embed-default-keys.patch of Package OVMF

From 361205d9ca85b82498d1af597cd98249858b8b44 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <chingpang@gmail.com>
Date: Fri, 10 May 2013 10:27:51 +0800
Subject: [PATCH] Add a stub to allow keys to be embedded at build time

---
 .../VariableAuthenticated/RuntimeDxe/AuthService.c | 173 +++++++++++++++++++++
 .../VariableAuthenticated/RuntimeDxe/Default_DB.h  |   2 +
 .../VariableAuthenticated/RuntimeDxe/Default_KEK.h |   2 +
 .../VariableAuthenticated/RuntimeDxe/Default_PK.h  |   2 +
 .../RuntimeDxe/VariableRuntimeDxe.inf              |   3 +
 5 files changed, 182 insertions(+)
 create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h
 create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h
 create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 440ede9..1ea0dc4 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -28,6 +28,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 
 #include "Variable.h"
 #include "AuthService.h"
+#include "Default_PK.h"
+#include "Default_KEK.h"
+#include "Default_DB.h"
 
 ///
 /// Global database array for scratch
@@ -179,6 +182,11 @@ AutenticatedVariableServiceInitialize (
   UINT8                   SecureBootEnable;
   UINT8                   CustomMode;
   UINT32                  ListSize;
+  EFI_SIGNATURE_LIST      *SigCert;
+  EFI_SIGNATURE_DATA      *SigCertData;
+  UINTN                   SigSize;
+  EFI_GUID                *SignatureGUID;
+  UINT32                  Attr;
 
   //
   // Initialize hash context.
@@ -189,6 +197,171 @@ AutenticatedVariableServiceInitialize (
     return EFI_OUT_OF_RESOURCES;
   }
 
+  //****
+  // Create signature list for PK KEK DB
+  Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS |
+         EFI_VARIABLE_BOOTSERVICE_ACCESS |
+         EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
+
+  // PK
+  if (Default_PK == NULL)
+	goto SKIP_KEYS;
+
+  SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+  if (SignatureGUID == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len;
+  Data = AllocateZeroPool (SigSize);
+  if (Data == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  SigCert = (EFI_SIGNATURE_LIST*) Data;
+  SigCert->SignatureListSize   = (UINT32) SigSize;
+  SigCert->SignatureHeaderSize = 0;
+  SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len);
+  CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+  SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+  CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+  CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len);
+
+  Status = FindVariable (
+             EFI_PLATFORM_KEY_NAME,
+             &gEfiGlobalVariableGuid,
+             &Variable,
+             &mVariableModuleGlobal->VariableGlobal,
+             FALSE
+             );
+  if (Variable.CurrPtr == NULL) {
+    Status = UpdateVariable (
+               EFI_PLATFORM_KEY_NAME,
+               &gEfiGlobalVariableGuid,
+               Data,
+               SigSize,
+               Attr,
+               0,
+               0,
+               &Variable,
+               NULL
+               );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+  }
+
+  FreePool(SignatureGUID);
+  FreePool(Data);
+
+  // KEK
+  if (Default_KEK == NULL)
+	goto SKIP_KEYS;
+
+  SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+  if (SignatureGUID == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len;
+  Data = AllocateZeroPool (SigSize);
+  if (Data == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  SigCert = (EFI_SIGNATURE_LIST*) Data;
+  SigCert->SignatureListSize   = (UINT32) SigSize;
+  SigCert->SignatureHeaderSize = 0;
+  SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len);
+  CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+  SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+  CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+  CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len);
+
+  Status = FindVariable (
+             EFI_KEY_EXCHANGE_KEY_NAME,
+             &gEfiGlobalVariableGuid,
+             &Variable,
+             &mVariableModuleGlobal->VariableGlobal,
+             FALSE
+             );
+  if (Variable.CurrPtr == NULL) {
+    Status = UpdateVariable (
+               EFI_KEY_EXCHANGE_KEY_NAME,
+               &gEfiGlobalVariableGuid,
+               Data,
+               SigSize,
+               Attr,
+               0,
+               0,
+               &Variable,
+               NULL
+               );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+  }
+
+  FreePool(SignatureGUID);
+  FreePool(Data);
+
+  // DB
+  if (Default_DB == NULL)
+	goto SKIP_KEYS;
+
+  SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+  if (SignatureGUID == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
+  Data = AllocateZeroPool (SigSize);
+  if (Data == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  SigCert = (EFI_SIGNATURE_LIST*) Data;
+  SigCert->SignatureListSize   = (UINT32) SigSize;
+  SigCert->SignatureHeaderSize = 0;
+  SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len);
+  CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+  SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+  CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+  CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len);
+
+  Status = FindVariable (
+             EFI_IMAGE_SECURITY_DATABASE,
+             &gEfiImageSecurityDatabaseGuid,
+             &Variable,
+             &mVariableModuleGlobal->VariableGlobal,
+             FALSE
+             );
+  if (Variable.CurrPtr == NULL) {
+    Status = UpdateVariable (
+               EFI_IMAGE_SECURITY_DATABASE,
+               &gEfiImageSecurityDatabaseGuid,
+               Data,
+               SigSize,
+               Attr,
+               0,
+               0,
+               &Variable,
+               NULL
+               );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+  }
+
+  FreePool(SignatureGUID);
+  FreePool(Data);
+
+SKIP_KEYS:
+  //****
+
   //
   // Reserved runtime buffer for "Append" operation in virtual mode.
   //
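Review bot: Every early `return` after the first allocation in the PK, KEK and db blocks leaks pool memory: a failed `Data` allocation returns without freeing `SignatureGUID`, and a failed `UpdateVariable` returns without freeing either buffer. `SignatureGUID` is only ever a zero-filled GUID copied into `SignatureOwner`, and `Data` already comes from `AllocateZeroPool`, so that allocation and its `CopyGuid` can be dropped and the error path reduced to `FreePool (Data); return Status;`. Two behaviours also deserve a comment above the PK block. First, `goto SKIP_KEYS` on a NULL `Default_PK` skips KEK and db as well. Second, each default is written whenever its variable is absent, so a PK deleted to enter setup mode would presumably be re-created at the next initialisation when a default is embedded. The function body starts and ends outside this hunk.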
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h
new file mode 100644
index 0000000..4d13894
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h
@@ -0,0 +1,2 @@
+unsigned char *Default_DB = NULL;
+unsigned int Default_DB_len = 0;
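Review bot: `Default_DB` and `Default_DB_len` are defined in a header with external linkage and no `const`, so a second includer would produce duplicate symbols and the values remain writable at runtime; Default_KEK.h and Default_PK.h have the same shape. Only AuthService.c includes them in this patch, so `static const unsigned char *Default_DB = NULL;` and `static const unsigned int Default_DB_len = 0;` would keep them file-local. Each stub should also carry a comment saying what it is for, e.g. `// Stub: replaced at build time with the X.509 certificate to enrol as db; NULL/0 means no default is embedded.` (wording inferred from the commit subject and the `gEfiCertX509Guid` use in AuthService.c). Because these files decide the Secure Boot trust anchors of the built firmware, the comment should say that whatever replaces them at build time must come from a reviewed, reproducible source.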
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h
new file mode 100644
index 0000000..80883de
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h
@@ -0,0 +1,2 @@
+unsigned char *Default_KEK = NULL;
+unsigned int Default_KEK_len = 0;
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h
new file mode 100644
index 0000000..23b90e4
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h
@@ -0,0 +1,2 @@
+unsigned char *Default_PK = NULL;
+unsigned int Default_PK_len = 0;
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
index ab676f4..59e6a60 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
@@ -39,6 +39,9 @@
   Variable.h
   AuthService.c
   AuthService.h
+  Default_PK.h
+  Default_KEK.h
+  Default_DB.h
 
 [Packages]
   MdePkg/MdePkg.dec
-- 
1.8.1.4