Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:Update
ovmf.6568
ovmf-embed-default-keys.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ovmf-embed-default-keys.patch of Package ovmf.6568
From 6bf96df236dbe46c1e4591b6a59553928bfd603c Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Fri, 10 May 2013 10:27:51 +0800 Subject: [PATCH 1/2] Add a stub to allow keys to be embedded at build time Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- .../Library/AuthVariableLib/AuthVariableLib.c | 180 +++++++++++++++++++++ .../Library/AuthVariableLib/AuthVariableLib.inf | 4 + SecurityPkg/Library/AuthVariableLib/Default_DB.h | 2 + SecurityPkg/Library/AuthVariableLib/Default_DBX.h | 2 + SecurityPkg/Library/AuthVariableLib/Default_KEK.h | 2 + SecurityPkg/Library/AuthVariableLib/Default_PK.h | 2 + 6 files changed, 192 insertions(+) create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB.h create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DBX.h create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_KEK.h create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_PK.h diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c index c4fbb64..9e12588 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -23,6 +23,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. **/ #include "AuthServiceInternal.h" +#include "Default_PK.h" +#include "Default_KEK.h" +#include "Default_DB.h" +#include "Default_DBX.h" /// /// Global database array for scratch @@ -147,6 +151,11 @@ AuthVariableLibInitialize ( UINT8 SecureBootEnable; UINT8 CustomMode; UINT32 ListSize; + EFI_SIGNATURE_LIST *SigCert; + EFI_SIGNATURE_DATA *SigCertData; + UINTN SigSize; + EFI_GUID *SignatureGUID; + UINT32 Attr; if ((AuthVarLibContextIn == NULL) || (AuthVarLibContextOut == NULL)) { return EFI_INVALID_PARAMETER; @@ -163,6 +172,177 @@ AuthVariableLibInitialize ( return EFI_OUT_OF_RESOURCES; } + //**** + // Create signature list for PK KEK DB + Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; + + // PK + if (Default_PK == NULL) + goto SKIP_KEYS; + + Status = AuthServiceInternalFindVariable ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid, + (VOID **) &Data, + &DataSize + ); + if (Status == EFI_NOT_FOUND) { + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); + if (SignatureGUID == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigCert = (EFI_SIGNATURE_LIST*) Data; + SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len); + + Status = AuthServiceInternalUpdateVariable ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid, + Data, + SigSize, + Attr + ); + FreePool(SignatureGUID); + FreePool(Data); + + if (EFI_ERROR (Status)) { + return Status; + } + } + + // KEK + if (Default_KEK == NULL) + goto SKIP_KEYS; + + Status = AuthServiceInternalFindVariable ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid, + (VOID **) &Data, + &DataSize + ); + if (Status == EFI_NOT_FOUND) { + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); + if (SignatureGUID == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigCert = (EFI_SIGNATURE_LIST*) Data; + SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len); + + Status = AuthServiceInternalUpdateVariable ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid, + Data, + SigSize, + Attr + ); + FreePool(SignatureGUID); + FreePool(Data); + + if (EFI_ERROR (Status)) { + return Status; + } + } + + // DB + if (Default_DB == NULL) + goto SKIP_KEYS; + + Status = AuthServiceInternalFindVariable ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid, + (VOID **) &Data, + &DataSize + ); + if (Status == EFI_NOT_FOUND) { + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); + if (SignatureGUID == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigCert = (EFI_SIGNATURE_LIST*) Data; + SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len); + + Status = AuthServiceInternalUpdateVariable ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid, + Data, + SigSize, + Attr + ); + FreePool(SignatureGUID); + FreePool(Data); + + if (EFI_ERROR (Status)) { + return Status; + } + } + + // DBX + if (Default_DBX == NULL) + goto SKIP_KEYS; + + Status = AuthServiceInternalFindVariable ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid, + (VOID **) &Data, + &DataSize + ); + if (Status == EFI_NOT_FOUND) { + Status = AuthServiceInternalUpdateVariable ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid, + Default_DBX, + Default_DBX_len, + Attr + ); + if (EFI_ERROR (Status)) { + return Status; + } + } + +SKIP_KEYS: // // Reserve runtime buffer for public key database. The size excludes variable header and name size. // diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf index 572ba4e..1a46019 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf @@ -33,6 +33,10 @@ [Sources] AuthVariableLib.c AuthService.c AuthServiceInternal.h + Default_PK.h + Default_KEK.h + Default_DB.h + Default_DBX.h [Packages] MdePkg/MdePkg.dec diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB.h b/SecurityPkg/Library/AuthVariableLib/Default_DB.h new file mode 100644 index 0000000..4d13894 --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_DB.h @@ -0,0 +1,2 @@ +unsigned char *Default_DB = NULL; +unsigned int Default_DB_len = 0; diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DBX.h b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h new file mode 100644 index 0000000..5fd3cdc --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h @@ -0,0 +1,2 @@ +unsigned char *Default_DBX = NULL; +unsigned int Default_DBX_len = 0; diff --git a/SecurityPkg/Library/AuthVariableLib/Default_KEK.h b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h new file mode 100644 index 0000000..80883de --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h @@ -0,0 +1,2 @@ +unsigned char *Default_KEK = NULL; +unsigned int Default_KEK_len = 0; diff --git a/SecurityPkg/Library/AuthVariableLib/Default_PK.h b/SecurityPkg/Library/AuthVariableLib/Default_PK.h new file mode 100644 index 0000000..23b90e4 --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_PK.h @@ -0,0 +1,2 @@ +unsigned char *Default_PK = NULL; +unsigned int Default_PK_len = 0; -- 2.8.1 From a627dbe16f6ebe1a1f294c82c30f7ad9745baf04 Mon Sep 17 00:00:00 2001 From: Gary Lin <glin@suse.com> Date: Tue, 15 Dec 2015 16:54:54 +0800 Subject: [PATCH 2/2] Add DB_EX to include one more DB cert Signed-off-by: Gary Lin <glin@suse.com> --- .../Library/AuthVariableLib/AuthVariableLib.c | 27 ++++++++++++++++++---- .../Library/AuthVariableLib/Default_DB_EX.h | 2 ++ 2 files changed, 25 insertions(+), 4 deletions(-) create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c index 9e12588..523b0e4 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -26,6 +26,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include "Default_PK.h" #include "Default_KEK.h" #include "Default_DB.h" +#include "Default_DB_EX.h" #include "Default_DBX.h" /// @@ -283,19 +284,25 @@ AuthVariableLibInitialize ( &DataSize ); if (Status == EFI_NOT_FOUND) { + UINTN SigSize_1 = 0; + UINTN SigSize_2 = 0; + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); if (SignatureGUID == NULL) { return EFI_OUT_OF_RESOURCES; } - SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len; - Data = AllocateZeroPool (SigSize); + SigSize_1 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len; + if (Default_DB_EX != NULL) { + SigSize_2 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len; + } + Data = AllocateZeroPool (SigSize_1 + SigSize_2); if (Data == NULL) { return EFI_OUT_OF_RESOURCES; } SigCert = (EFI_SIGNATURE_LIST*) Data; - SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureListSize = (UINT32) SigSize_1; SigCert->SignatureHeaderSize = 0; SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len); CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); @@ -304,11 +311,23 @@ AuthVariableLibInitialize ( CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len); + if (Default_DB_EX != NULL) { + SigCert = (EFI_SIGNATURE_LIST*) (Data + SigSize_1); + SigCert->SignatureListSize = (UINT32) SigSize_2; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB_EX, Default_DB_EX_len); + } + Status = AuthServiceInternalUpdateVariable ( EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, Data, - SigSize, + SigSize_1 + SigSize_2, Attr ); FreePool(SignatureGUID); diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h b/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h new file mode 100644 index 0000000..001f125 --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h @@ -0,0 +1,2 @@ +unsigned char *Default_DB_EX = NULL; +unsigned int Default_DB_EX_len = 0; -- 2.8.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor