File ovmf-embed-default-keys.patch of Package ovmf
From 933284f94b8bffb7d3d81152e0b5f49c46a9f787 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Fri, 10 May 2013 10:27:51 +0800 Subject: [PATCH 1/3] Add a stub to allow keys to be embedded at build time Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- .../Library/AuthVariableLib/AuthVariableLib.c | 180 +++++++++++++++++++++ .../Library/AuthVariableLib/AuthVariableLib.inf | 4 + SecurityPkg/Library/AuthVariableLib/Default_DB.h | 2 + SecurityPkg/Library/AuthVariableLib/Default_DBX.h | 2 + SecurityPkg/Library/AuthVariableLib/Default_KEK.h | 2 + SecurityPkg/Library/AuthVariableLib/Default_PK.h | 2 + 6 files changed, 192 insertions(+) create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB.h create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DBX.h create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_KEK.h create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_PK.h diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c index 00917eb374..a7a46fc648 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -23,6 +23,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. **/ #include "AuthServiceInternal.h" +#include "Default_PK.h" +#include "Default_KEK.h" +#include "Default_DB.h" +#include "Default_DBX.h" /// /// Global database array for scratch @@ -131,6 +135,11 @@ AuthVariableLibInitialize ( UINT8 SecureBootEnable; UINT8 CustomMode; UINT32 ListSize; + EFI_SIGNATURE_LIST *SigCert; + EFI_SIGNATURE_DATA *SigCertData; + UINTN SigSize; + EFI_GUID *SignatureGUID; + UINT32 Attr; if ((AuthVarLibContextIn == NULL) || (AuthVarLibContextOut == NULL)) { return EFI_INVALID_PARAMETER; 
@@ -147,6 +156,177 @@ AuthVariableLibInitialize ( return EFI_OUT_OF_RESOURCES; } + //**** + // Create signature list for PK KEK DB + Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; + + // PK + if (Default_PK == NULL) + goto SKIP_KEYS; + + Status = AuthServiceInternalFindVariable ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid, + (VOID **) &Data, + &DataSize + ); + if (Status == EFI_NOT_FOUND) { + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); + if (SignatureGUID == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigCert = (EFI_SIGNATURE_LIST*) Data; + SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len); + + Status = AuthServiceInternalUpdateVariable ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid, + Data, + SigSize, + Attr + ); + FreePool(SignatureGUID); + FreePool(Data); + + if (EFI_ERROR (Status)) { + return Status; + } + } + + // KEK + if (Default_KEK == NULL) + goto SKIP_KEYS; + + Status = AuthServiceInternalFindVariable ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid, + (VOID **) &Data, + &DataSize + ); + if (Status == EFI_NOT_FOUND) { + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); + if (SignatureGUID == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 
+ Default_KEK_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigCert = (EFI_SIGNATURE_LIST*) Data; + SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len); + + Status = AuthServiceInternalUpdateVariable ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid, + Data, + SigSize, + Attr + ); + FreePool(SignatureGUID); + FreePool(Data); + + if (EFI_ERROR (Status)) { + return Status; + } + } + + // DB + if (Default_DB == NULL) + goto SKIP_KEYS; + + Status = AuthServiceInternalFindVariable ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid, + (VOID **) &Data, + &DataSize + ); + if (Status == EFI_NOT_FOUND) { + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); + if (SignatureGUID == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigCert = (EFI_SIGNATURE_LIST*) Data; + SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len); + + Status = AuthServiceInternalUpdateVariable ( + EFI_IMAGE_SECURITY_DATABASE, + 
&gEfiImageSecurityDatabaseGuid, + Data, + SigSize, + Attr + ); + FreePool(SignatureGUID); + FreePool(Data); + + if (EFI_ERROR (Status)) { + return Status; + } + } + + // DBX + if (Default_DBX == NULL) + goto SKIP_KEYS; + + Status = AuthServiceInternalFindVariable ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid, + (VOID **) &Data, + &DataSize + ); + if (Status == EFI_NOT_FOUND) { + Status = AuthServiceInternalUpdateVariable ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid, + Default_DBX, + Default_DBX_len, + Attr + ); + if (EFI_ERROR (Status)) { + return Status; + } + } + +SKIP_KEYS: // // Reserve runtime buffer for certificate database. The size excludes variable header and name size. // Use EFI_CERT_DB_VOLATILE_NAME size since it is longer. diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf index 572ba4e120..1a46019a5f 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf @@ -33,6 +33,10 @@ [Sources] AuthVariableLib.c AuthService.c AuthServiceInternal.h + Default_PK.h + Default_KEK.h + Default_DB.h + Default_DBX.h [Packages] MdePkg/MdePkg.dec diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB.h b/SecurityPkg/Library/AuthVariableLib/Default_DB.h new file mode 100644 index 0000000000..4d13894216 --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_DB.h @@ -0,0 +1,2 @@ +unsigned char *Default_DB = NULL; +unsigned int Default_DB_len = 0; diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DBX.h b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h new file mode 100644 index 0000000000..5fd3cdc0f4 --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h @@ -0,0 +1,2 @@ +unsigned char *Default_DBX = NULL; +unsigned int Default_DBX_len = 0; 
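Review bot: In the PK, KEK and DB stages the `SignatureGUID` pool buffer is leaked when the following `AllocateZeroPool (SigSize)` fails, because that branch returns `EFI_OUT_OF_RESOURCES` without a `FreePool`. The buffer exists only to supply an all-zero `SignatureOwner`, which the zeroed list allocation already provides, so the allocation can be dropped. The three stages are also the same block repeated with a different certificate; a small helper removes the duplication and gives the owner-GUID choice one documented place. `Data` is declared outside this hunk, so the sketch below assumes it is a byte pointer.

```c
// Wraps one DER certificate in a single-entry X.509 EFI_SIGNATURE_LIST.
// Returns a pool buffer the caller releases with FreePool(), or NULL.
STATIC
VOID *
BuildDefaultSigList (
  IN  CONST UINT8  *Cert,
  IN  UINTN        CertLen,
  OUT UINTN        *ListSize
  )
{
  EFI_SIGNATURE_LIST  *SigCert;
  EFI_SIGNATURE_DATA  *SigCertData;

  *ListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + CertLen;
  SigCert   = AllocateZeroPool (*ListSize);
  if (SigCert == NULL) {
    return NULL;
  }

  SigCert->SignatureListSize   = (UINT32) *ListSize;
  SigCert->SignatureHeaderSize = 0;
  SigCert->SignatureSize       = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + CertLen);
  CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);

  // SignatureOwner is left all-zero by AllocateZeroPool, the same value the
  // patch copies in from its zeroed SignatureGUID buffer.
  SigCertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) SigCert + sizeof (EFI_SIGNATURE_LIST));
  CopyMem (SigCertData->SignatureData, Cert, CertLen);
  return SigCert;
}

// … in AuthVariableLibInitialize, PK stage (KEK and DB take the same shape) …
  if (Status == EFI_NOT_FOUND) {
    Data = BuildDefaultSigList (Default_PK, Default_PK_len, &SigSize);
    if (Data == NULL) {
      return EFI_OUT_OF_RESOURCES;
    }
    // … unchanged: AuthServiceInternalUpdateVariable call for EFI_PLATFORM_KEY_NAME …
    FreePool (Data);
    // … unchanged: EFI_ERROR (Status) check …
  }
```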
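Review bot: These stub headers carry no comment saying what a packager is expected to drop in, and the blobs are not interchangeable. As used in `AuthVariableLibInitialize`, `Default_PK`, `Default_KEK` and `Default_DB` are each wrapped as one `gEfiCertX509Guid` entry, so each has to be a single X.509 certificate (presumably DER-encoded), while `Default_DBX` is written to the variable as-is and therefore has to be a complete signature-list blob already. A header comment such as `/* Placeholder, replaced at build time; must hold exactly one X.509 certificate */` (with signature-list wording in `Default_DBX.h`) would help prevent a mis-provisioned trust store; the same applies to `Default_KEK.h`, `Default_PK.h` and the later `Default_DB_EX.h`. The objects are also defined as mutable, externally visible globals in a header, which is worth checking against how the generated replacement declares them.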
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_KEK.h b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h new file mode 100644 index 0000000000..80883de1ae --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h @@ -0,0 +1,2 @@ +unsigned char *Default_KEK = NULL; +unsigned int Default_KEK_len = 0; diff --git a/SecurityPkg/Library/AuthVariableLib/Default_PK.h b/SecurityPkg/Library/AuthVariableLib/Default_PK.h new file mode 100644 index 0000000000..23b90e45f0 --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_PK.h @@ -0,0 +1,2 @@ +unsigned char *Default_PK = NULL; +unsigned int Default_PK_len = 0; -- 2.15.0 From 72d09098734d00696e0db13d9b84bb01a0c89c76 Mon Sep 17 00:00:00 2001 From: Gary Lin <glin@suse.com> Date: Tue, 15 Dec 2015 16:54:54 +0800 Subject: [PATCH 2/3] Add DB_EX to include one more DB cert Signed-off-by: Gary Lin <glin@suse.com> --- .../Library/AuthVariableLib/AuthVariableLib.c | 27 ++++++++++++++++++---- .../Library/AuthVariableLib/Default_DB_EX.h | 2 ++ 2 files changed, 25 insertions(+), 4 deletions(-) create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c index a7a46fc648..114f3d84c6 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -26,6 +26,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include "Default_PK.h" #include "Default_KEK.h" #include "Default_DB.h" +#include "Default_DB_EX.h" #include "Default_DBX.h" /// 
@@ -267,19 +268,25 @@ AuthVariableLibInitialize ( &DataSize ); if (Status == EFI_NOT_FOUND) { + UINTN SigSize_1 = 0; + UINTN SigSize_2 = 0; + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); if (SignatureGUID == NULL) { return EFI_OUT_OF_RESOURCES; } - SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len; - Data = AllocateZeroPool (SigSize); + SigSize_1 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len; + if (Default_DB_EX != NULL) { + SigSize_2 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len; + } + Data = AllocateZeroPool (SigSize_1 + SigSize_2); if (Data == NULL) { return EFI_OUT_OF_RESOURCES; } SigCert = (EFI_SIGNATURE_LIST*) Data; - SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureListSize = (UINT32) SigSize_1; SigCert->SignatureHeaderSize = 0; SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len); CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); @@ -288,11 +295,23 @@ AuthVariableLibInitialize ( CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len); + if (Default_DB_EX != NULL) { + SigCert = (EFI_SIGNATURE_LIST*) (Data + SigSize_1); + SigCert->SignatureListSize = (UINT32) SigSize_2; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB_EX, Default_DB_EX_len); + } + Status = AuthServiceInternalUpdateVariable ( EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, Data, - SigSize, + SigSize_1 + SigSize_2, Attr ); FreePool(SignatureGUID); 
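Review bot: The extra certificate is only ever written inside the `Status == EFI_NOT_FOUND` branch for `db`, so it reaches a variable store only when `db` does not exist yet. A guest whose store was seeded by an earlier build keeps its old `db` after a firmware update and never receives `Default_DB_EX`, and nothing in the code says so. If that is the intended rollout model, state it above the block, e.g. `// Defaults are seeded once, when db is absent; existing stores are never amended.`; the same gating applies to the PK, KEK and DBX stages. The enclosing function starts and ends outside these hunks.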
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h b/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h new file mode 100644 index 0000000000..001f125065 --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h @@ -0,0 +1,2 @@ +unsigned char *Default_DB_EX = NULL; +unsigned int Default_DB_EX_len = 0; -- 2.15.0 From 5db901016015df0955085003387f52655ed9b964 Mon Sep 17 00:00:00 2001 From: Gary Lin <glin@suse.com> Date: Mon, 28 Aug 2017 16:18:00 +0800 Subject: [PATCH 3/3] Check the length of the certificate instead of the pointer Since "xxd -i" may produce a valid pointer for an empty file, it's safer to check the length of the certificate instead of the pointer. Signed-off-by: Gary Lin <glin@suse.com> --- SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c index 114f3d84c6..641823216a 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -164,7 +164,7 @@ AuthVariableLibInitialize ( EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; // PK - if (Default_PK == NULL) + if (Default_PK_len == 0) goto SKIP_KEYS; Status = AuthServiceInternalFindVariable ( @@ -211,7 +211,7 @@ AuthVariableLibInitialize ( } // KEK - if (Default_KEK == NULL) + if (Default_KEK_len == 0) goto SKIP_KEYS; Status = AuthServiceInternalFindVariable ( @@ -258,7 +258,7 @@ AuthVariableLibInitialize ( } // DB - if (Default_DB == NULL) + if (Default_DB_len == 0) goto SKIP_KEYS; Status = AuthServiceInternalFindVariable ( 
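Review bot: Switching the test to `Default_PK_len == 0` keeps the `goto SKIP_KEYS` chain, so an empty blob at one stage still skips every later stage; the same holds for the KEK, DB and DBX checks in this commit's other hunks. In particular a build with an empty KEK or DB never seeds the `dbx` revocation list even when `Default_DBX_len` is non-zero, and `Default_DB_EX` is ignored whenever `Default_DB_len` is zero. If only the PK is meant to gate everything, guard the later stages individually, e.g. `if (Default_DBX_len != 0) { ... }` around the DBX block instead of a jump, and brace the remaining `goto` bodies. If the coupling is deliberate, a one-line comment at the first check would make that explicit.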
@@ -277,7 +277,7 @@ AuthVariableLibInitialize ( } SigSize_1 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len; - if (Default_DB_EX != NULL) { + if (Default_DB_EX_len != 0) { SigSize_2 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len; } Data = AllocateZeroPool (SigSize_1 + SigSize_2); @@ -295,7 +295,7 @@ AuthVariableLibInitialize ( CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len); - if (Default_DB_EX != NULL) { + if (Default_DB_EX_len != 0) { SigCert = (EFI_SIGNATURE_LIST*) (Data + SigSize_1); SigCert->SignatureListSize = (UINT32) SigSize_2; SigCert->SignatureHeaderSize = 0; @@ -323,7 +323,7 @@ AuthVariableLibInitialize ( } // DBX - if (Default_DBX == NULL) + if (Default_DBX_len == 0) goto SKIP_KEYS; Status = AuthServiceInternalFindVariable ( -- 2.15.0