Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:42.1:NonFree
ovmf
ovmf-embed-default-keys.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ovmf-embed-default-keys.patch of Package ovmf
From a8b25f3a9326c9dd943fd4d790bd582e22aead80 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Fri, 10 May 2013 10:27:51 +0800 Subject: [PATCH] Add a stub to allow keys to be embedded at build time Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- .../Library/AuthVariableLib/AuthVariableLib.c | 180 +++++++++++++++++++++ .../Library/AuthVariableLib/AuthVariableLib.inf | 4 + SecurityPkg/Library/AuthVariableLib/Default_DB.h | 2 + SecurityPkg/Library/AuthVariableLib/Default_DBX.h | 2 + SecurityPkg/Library/AuthVariableLib/Default_KEK.h | 2 + SecurityPkg/Library/AuthVariableLib/Default_PK.h | 2 + 6 files changed, 192 insertions(+) create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB.h create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DBX.h create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_KEK.h create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_PK.h diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c index a54eaaa..3544c64 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -23,6 +23,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. **/ #include "AuthServiceInternal.h" +#include "Default_PK.h" +#include "Default_KEK.h" +#include "Default_DB.h" +#include "Default_DBX.h" /// /// Global database array for scratch @@ -136,6 +140,11 @@ AuthVariableLibInitialize ( UINT8 SecureBootEnable; UINT8 CustomMode; UINT32 ListSize; + EFI_SIGNATURE_LIST *SigCert; + EFI_SIGNATURE_DATA *SigCertData; + UINTN SigSize; + EFI_GUID *SignatureGUID; + UINT32 Attr; if ((AuthVarLibContextIn == NULL) || (AuthVarLibContextOut == NULL)) { return EFI_INVALID_PARAMETER; @@ -152,6 +161,177 @@ AuthVariableLibInitialize ( return EFI_OUT_OF_RESOURCES; } + //**** + // Create signature list for PK KEK DB + Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; + + // PK + if (Default_PK == NULL) + goto SKIP_KEYS; + + Status = AuthServiceInternalFindVariable ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid, + (VOID **) &Data, + &DataSize + ); + if (Status == EFI_NOT_FOUND) { + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); + if (SignatureGUID == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigCert = (EFI_SIGNATURE_LIST*) Data; + SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len); + + Status = AuthServiceInternalUpdateVariable ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid, + Data, + SigSize, + Attr + ); + FreePool(SignatureGUID); + FreePool(Data); + + if (EFI_ERROR (Status)) { + return Status; + } + } + + // KEK + if (Default_KEK == NULL) + goto SKIP_KEYS; + + Status = AuthServiceInternalFindVariable ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid, + (VOID **) &Data, + &DataSize + ); + if (Status == EFI_NOT_FOUND) { + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); + if (SignatureGUID == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigCert = (EFI_SIGNATURE_LIST*) Data; + SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len); + + Status = AuthServiceInternalUpdateVariable ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid, + Data, + SigSize, + Attr + ); + FreePool(SignatureGUID); + FreePool(Data); + + if (EFI_ERROR (Status)) { + return Status; + } + } + + // DB + if (Default_DB == NULL) + goto SKIP_KEYS; + + Status = AuthServiceInternalFindVariable ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid, + (VOID **) &Data, + &DataSize + ); + if (Status == EFI_NOT_FOUND) { + SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); + if (SignatureGUID == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SigCert = (EFI_SIGNATURE_LIST*) Data; + SigCert->SignatureListSize = (UINT32) SigSize; + SigCert->SignatureHeaderSize = 0; + SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len); + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); + CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len); + + Status = AuthServiceInternalUpdateVariable ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid, + Data, + SigSize, + Attr + ); + FreePool(SignatureGUID); + FreePool(Data); + + if (EFI_ERROR (Status)) { + return Status; + } + } + + // DBX + if (Default_DBX == NULL) + goto SKIP_KEYS; + + Status = AuthServiceInternalFindVariable ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid, + (VOID **) &Data, + &DataSize + ); + if (Status == EFI_NOT_FOUND) { + Status = AuthServiceInternalUpdateVariable ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid, + Default_DBX, + Default_DBX_len, + Attr + ); + if (EFI_ERROR (Status)) { + return Status; + } + } + +SKIP_KEYS: // // Reserve runtime buffer for public key database. The size excludes variable header and name size. // diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf index d0c0cc2..552dbb9 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf @@ -33,6 +33,10 @@ [Sources] AuthVariableLib.c AuthService.c AuthServiceInternal.h + Default_PK.h + Default_KEK.h + Default_DB.h + Default_DBX.h [Packages] MdePkg/MdePkg.dec diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB.h b/SecurityPkg/Library/AuthVariableLib/Default_DB.h new file mode 100644 index 0000000..4d13894 --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_DB.h @@ -0,0 +1,2 @@ +unsigned char *Default_DB = NULL; +unsigned int Default_DB_len = 0; diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DBX.h b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h new file mode 100644 index 0000000..5fd3cdc --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h @@ -0,0 +1,2 @@ +unsigned char *Default_DBX = NULL; +unsigned int Default_DBX_len = 0; diff --git a/SecurityPkg/Library/AuthVariableLib/Default_KEK.h b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h new file mode 100644 index 0000000..80883de --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h @@ -0,0 +1,2 @@ +unsigned char *Default_KEK = NULL; +unsigned int Default_KEK_len = 0; diff --git a/SecurityPkg/Library/AuthVariableLib/Default_PK.h b/SecurityPkg/Library/AuthVariableLib/Default_PK.h new file mode 100644 index 0000000..23b90e4 --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_PK.h @@ -0,0 +1,2 @@ +unsigned char *Default_PK = NULL; +unsigned int Default_PK_len = 0; -- 2.1.4
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor