| /** @file | |
| Provides a helper functions for creating variable authenticated | |
| payloads, signature lists related to secure boot keys. | |
| Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR> | |
| (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR> | |
| Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> | |
| Copyright (c) 2021, Semihalf All rights reserved.<BR> | |
| Copyright (c) Microsoft Corporation. | |
| SPDX-License-Identifier: BSD-2-Clause-Patent | |
| **/ | |
| #ifndef SECURE_BOOT_VARIABLE_LIB_H_ | |
| #define SECURE_BOOT_VARIABLE_LIB_H_ | |
| /** | |
| Set the platform secure boot mode into "Custom" or "Standard" mode. | |
| @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or | |
| CUSTOM_SECURE_BOOT_MODE. | |
| @return EFI_SUCCESS The platform has switched to the special mode successfully. | |
| @return other Fail to operate the secure boot mode. | |
| --*/ | |
| EFI_STATUS | |
| EFIAPI | |
| SetSecureBootMode ( | |
| IN UINT8 SecureBootMode | |
| ); | |
| /** | |
| Fetches the value of SetupMode variable. | |
| @param[out] SetupMode Pointer to UINT8 for SetupMode output | |
| @retval other Error codes from GetVariable. | |
| --*/ | |
| EFI_STATUS | |
| EFIAPI | |
| GetSetupMode ( | |
| OUT UINT8 *SetupMode | |
| ); | |
| /** | |
| Helper function to quickly determine whether SecureBoot is enabled. | |
| @retval TRUE SecureBoot is verifiably enabled. | |
| @retval FALSE SecureBoot is either disabled or an error prevented checking. | |
| **/ | |
| BOOLEAN | |
| EFIAPI | |
| IsSecureBootEnabled ( | |
| VOID | |
| ); | |
| /** | |
| Create a EFI Signature List with data supplied from input argument. | |
| The input certificates from KeyInfo parameter should be DER-encoded | |
| format. | |
| @param[out] SigListsSize A pointer to size of signature list | |
| @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists | |
| @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo. | |
| @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded, | |
| to be concatenated into signature lists. | |
| @retval EFI_SUCCESS Created signature list from payload successfully. | |
| @retval EFI_NOT_FOUND Section with key has not been found. | |
| @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL. | |
| @retval Others Unexpected error happens. | |
| --*/ | |
| EFI_STATUS | |
| EFIAPI | |
| SecureBootCreateDataFromInput ( | |
| OUT UINTN *SigListsSize, | |
| OUT EFI_SIGNATURE_LIST **SigListOut, | |
| IN UINTN KeyInfoCount, | |
| IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo | |
| ); | |
| /** | |
| Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2 | |
| descriptor with the input data. NO authentication is required in this function. | |
| @param[in, out] DataSize On input, the size of Data buffer in bytes. | |
| On output, the size of data returned in Data | |
| buffer in bytes. | |
| @param[in, out] Data On input, Pointer to data buffer to be wrapped or | |
| pointer to NULL to wrap an empty payload. | |
| On output, Pointer to the new payload date buffer allocated from pool, | |
| it's caller's responsibility to free the memory when finish using it. | |
| @param[in] Time Pointer to time information to created time based payload. | |
| @retval EFI_SUCCESS Create time based payload successfully. | |
| @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload. | |
| @retval EFI_INVALID_PARAMETER The parameter is invalid. | |
| @retval Others Unexpected error happens. | |
| --*/ | |
| EFI_STATUS | |
| EFIAPI | |
| CreateTimeBasedPayload ( | |
| IN OUT UINTN *DataSize, | |
| IN OUT UINT8 **Data, | |
| IN EFI_TIME *Time | |
| ); | |
| /** | |
| Clears the content of the 'db' variable. | |
| @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails | |
| while VendorGuid is NULL. | |
| @retval other Errors from GetVariable2(), GetTime() and SetVariable() | |
| --*/ | |
| EFI_STATUS | |
| EFIAPI | |
| DeleteDb ( | |
| VOID | |
| ); | |
| /** | |
| Clears the content of the 'dbx' variable. | |
| @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails | |
| while VendorGuid is NULL. | |
| @retval other Errors from GetVariable2(), GetTime() and SetVariable() | |
| --*/ | |
| EFI_STATUS | |
| EFIAPI | |
| DeleteDbx ( | |
| VOID | |
| ); | |
| /** | |
| Clears the content of the 'dbt' variable. | |
| @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails | |
| while VendorGuid is NULL. | |
| @retval other Errors from GetVariable2(), GetTime() and SetVariable() | |
| --*/ | |
| EFI_STATUS | |
| EFIAPI | |
| DeleteDbt ( | |
| VOID | |
| ); | |
| /** | |
| Clears the content of the 'KEK' variable. | |
| @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails | |
| while VendorGuid is NULL. | |
| @retval other Errors from GetVariable2(), GetTime() and SetVariable() | |
| --*/ | |
| EFI_STATUS | |
| EFIAPI | |
| DeleteKEK ( | |
| VOID | |
| ); | |
| /** | |
| Clears the content of the 'PK' variable. | |
| @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails | |
| while VendorGuid is NULL. | |
| @retval other Errors from GetVariable2(), GetTime() and SetVariable() | |
| --*/ | |
| EFI_STATUS | |
| EFIAPI | |
| DeletePlatformKey ( | |
| VOID | |
| ); | |
| /** | |
| This function will delete the secure boot keys, thus | |
| disabling secure boot. | |
| @return EFI_SUCCESS or underlying failure code. | |
| **/ | |
| EFI_STATUS | |
| EFIAPI | |
| DeleteSecureBootVariables ( | |
| VOID | |
| ); | |
| /** | |
| A helper function to take in a variable payload, wrap it in the | |
| proper authenticated variable structure, and install it in the | |
| EFI variable space. | |
| @param[in] VariableName The name of the key/database. | |
| @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable | |
| @param[in] DataSize Size parameter for target secure boot variable. | |
| @param[in] Data Pointer to signature list formatted secure boot variable content. | |
| @retval EFI_SUCCESS The enrollment for authenticated variable was successful. | |
| @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload. | |
| @retval EFI_INVALID_PARAMETER The parameter is invalid. | |
| @retval Others Unexpected error happens. | |
| **/ | |
| EFI_STATUS | |
| EFIAPI | |
| EnrollFromInput ( | |
| IN CHAR16 *VariableName, | |
| IN EFI_GUID *VendorGuid, | |
| IN UINTN DataSize, | |
| IN VOID *Data | |
| ); | |
| /** | |
| Similar to DeleteSecureBootVariables, this function is used to unilaterally | |
| force the state of related SB variables (db, dbx, dbt, KEK, PK, etc.) to be | |
| the built-in, hardcoded default vars. | |
| @param[in] SecureBootPayload Payload information for secure boot related keys. | |
| @retval EFI_SUCCESS SecureBoot keys are now set to defaults. | |
| @retval EFI_ABORTED SecureBoot keys are not empty. Please delete keys first | |
| or follow standard methods of altering keys (ie. use the signing system). | |
| @retval EFI_SECURITY_VIOLATION Failed to create the PK. | |
| @retval Others Something failed in one of the subfunctions. | |
| **/ | |
| EFI_STATUS | |
| EFIAPI | |
| SetSecureBootVariablesToDefault ( | |
| IN CONST SECURE_BOOT_PAYLOAD_INFO *SecureBootPayload | |
| ); | |
| #endif |