[PATCH v3 03/11] SecurityPkg: SecureBootVariableLib: Updated time based payload creator
Kun Qin
From: Kun Qin <kuqin@...>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3909 This change updated the interface of 'CreateTimeBasedPayload' by requiring the caller to provide a timestamp, instead of relying on time protocol to be ready during runtime. It intends to extend the library availability during boot environment. Cc: Jiewen Yao <jiewen.yao@...> Cc: Jian J Wang <jian.j.wang@...> Cc: Min Xu <min.m.xu@...> Signed-off-by: Kun Qin <kun.qin@...> Reviewed-by: Jiewen Yao <Jiewen.yao@...> Acked-by: Michael Kubacki <michael.kubacki@...> --- Notes: v3: - Added reviewed-by tag [Jiewen] - Added acked-by tag [Michael Kubacki] SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 53 += +++++++++++-------- SecurityPkg/Include/Library/SecureBootVariableLib.h | 9 += ++- SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 8 += -- 3 files changed, 40 insertions(+), 30 deletions(-) diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index e0d137666e0e..3b33a356aba3 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -6,8 +6,10 @@ (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>=0D Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>=0D Copyright (c) 2021, Semihalf All rights reserved.<BR>=0D + Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D **/=0D +#include <Uefi.h>=0D #include <Guid/GlobalVariable.h>=0D #include <Guid/AuthenticatedVariableFormat.h>=0D #include <Guid/ImageAuthentication.h>=0D 
@@ -21,6 +23,21 @@ #include <Library/SecureBootVariableLib.h>=0D #include "Library/DxeServicesLib.h"=0D =0D +// This time can be used when deleting variables, as it should be greater = than any variable time.=0D +EFI_TIME mMaxTimestamp =3D {=0D + 0xFFFF, // Year=0D + 0xFF, // Month=0D + 0xFF, // Day=0D + 0xFF, // Hour=0D + 0xFF, // Minute=0D + 0xFF, // Second=0D + 0x00,=0D + 0x00000000, // Nanosecond=0D + 0,=0D + 0,=0D + 0x00=0D +};=0D +=0D /** Creates EFI Signature List structure.=0D =0D @param[in] Data A pointer to signature data.=0D @@ -118,7 +135,7 @@ ConcatenateSigList ( =0D @param[in] KeyFileGuid A pointer to to the FFS filename GUID=0D @param[out] SigListsSize A pointer to size of signature list=0D - @param[out] SigListOut a pointer to a callee-allocated buffer w= ith signature lists=0D + @param[out] SigListsOut a pointer to a callee-allocated buffer = with signature lists=0D =0D @retval EFI_SUCCESS Create time based payload successfully.= =0D @retval EFI_NOT_FOUND Section with key has not been found.=0D 
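Review bot: `mMaxTimestamp` is defined as a writable global with external linkage, although the only use visible in this patch is the read in `DeleteVariable`. Declaring it `STATIC CONST EFI_TIME mMaxTimestamp = {` would keep it in read-only data and out of the image's global namespace; this also needs the `Time` parameter of `CreateTimeBasedPayload` to be `IN CONST EFI_TIME *`. The field values (Month 0xFF, Hour 0xFF, and so on) are outside the ranges EFI_TIME defines, so the comment should state that this is a deliberate sentinel intended only for deletion with an empty payload. If it were ever stored with a non-empty payload, later time-based updates would presumably fail the newer-than-stored timestamp check.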
@@ -210,28 +227,30 @@ SecureBootFetchData ( pointer to NULL to wrap an empty payloa= d.=0D On output, Pointer to the new payload d= ate buffer allocated from pool,=0D it's caller's responsibility to free th= e memory when finish using it.=0D + @param[in] Time Pointer to time information to created = time based payload.=0D =0D @retval EFI_SUCCESS Create time based payload successfully.= =0D @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload.=0D @retval EFI_INVALID_PARAMETER The parameter is invalid.=0D @retval Others Unexpected error happens.=0D =0D -**/=0D +--*/=0D EFI_STATUS=0D +EFIAPI=0D CreateTimeBasedPayload (=0D - IN OUT UINTN *DataSize,=0D - IN OUT UINT8 **Data=0D + IN OUT UINTN *DataSize,=0D + IN OUT UINT8 **Data,=0D + IN EFI_TIME *Time=0D )=0D {=0D - EFI_STATUS Status;=0D UINT8 *NewData;=0D UINT8 *Payload;=0D UINTN PayloadSize;=0D EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;=0D UINTN DescriptorSize;=0D - EFI_TIME Time;=0D =0D - if ((Data =3D=3D NULL) || (DataSize =3D=3D NULL)) {=0D + if ((Data =3D=3D NULL) || (DataSize =3D=3D NULL) || (Time =3D=3D NULL)) = {=0D + DEBUG ((DEBUG_ERROR, "%a(), invalid arg\n", __FUNCTION__));=0D return EFI_INVALID_PARAMETER;=0D }=0D =0D @@ -247,6 +266,7 @@ CreateTimeBasedPayload ( DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) += OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);=0D NewData =3D (UINT8 *)AllocateZeroPool (DescriptorSize + PayloadSi= ze);=0D if (NewData =3D=3D NULL) {=0D + DEBUG ((DEBUG_ERROR, "%a() Out of resources.\n", __FUNCTION__));=0D return EFI_OUT_OF_RESOURCES;=0D }=0D =0D 
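Review bot: The new `Time` argument is only read in the visible body, so the prototype here and in the SecureBootVariableLib.h hunk should take `IN CONST EFI_TIME *Time`, which lets callers pass constant timestamps without a cast. The added `@param[in] Time` text is ungrammatical in both places; suggested wording is `Pointer to the time information used to create the time-based payload.` The comment terminator was also changed from `**/` to `--*/`, which differs from the `**/` closing the other function headers in this file's hunks. The function body continues past this hunk.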
@@ -256,19 +276,7 @@ CreateTimeBasedPayload ( =0D DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *)(NewData);=0D =0D - ZeroMem (&Time, sizeof (EFI_TIME));=0D - Status =3D gRT->GetTime (&Time, NULL);=0D - if (EFI_ERROR (Status)) {=0D - FreePool (NewData);=0D - return Status;=0D - }=0D -=0D - Time.Pad1 =3D 0;=0D - Time.Nanosecond =3D 0;=0D - Time.TimeZone =3D 0;=0D - Time.Daylight =3D 0;=0D - Time.Pad2 =3D 0;=0D - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));=0D + CopyMem (&DescriptorData->TimeStamp, Time, sizeof (EFI_TIME));=0D =0D DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERTIFI= CATE_UEFI_GUID, CertData);=0D DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200;=0D @@ -277,6 +285,7 @@ CreateTimeBasedPayload ( =0D if (Payload !=3D NULL) {=0D FreePool (Payload);=0D + Payload =3D NULL;=0D }=0D =0D *DataSize =3D DescriptorSize + PayloadSize;=0D @@ -296,6 +305,7 @@ CreateTimeBasedPayload ( =0D **/=0D EFI_STATUS=0D +EFIAPI=0D DeleteVariable (=0D IN CHAR16 *VariableName,=0D IN EFI_GUID *VendorGuid=0D @@ -319,7 +329,7 @@ DeleteVariable ( Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | E= FI_VARIABLE_BOOTSERVICE_ACCESS=0D | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;=0D =0D - Status =3D CreateTimeBasedPayload (&DataSize, &Data);=0D + Status =3D CreateTimeBasedPayload (&DataSize, &Data, &mMaxTimestamp);=0D if (EFI_ERROR (Status)) {=0D DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus));=0D return Status;=0D @@ -351,6 +361,7 @@ DeleteVariable ( =0D **/=0D EFI_STATUS=0D +EFIAPI=0D SetSecureBootMode (=0D IN UINT8 SecureBootMode=0D )=0D diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/Security= Pkg/Include/Library/SecureBootVariableLib.h index 7b7afd9cde7c..9f2d41220b70 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h 
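Review bot: The `CopyMem` from the caller's `Time` drops the normalisation that the removed lines performed, which set `Pad1`, `Nanosecond`, `TimeZone`, `Daylight` and `Pad2` to 0. UEFI requires these fields to be zero in an `EFI_VARIABLE_AUTHENTICATION_2` timestamp. A caller that passes a raw `GetTime()` result would therefore build a descriptor that the variable service is expected to reject, and the failure would only surface later at `SetVariable`. Zeroing the fields in the descriptor after the copy keeps the old guarantee without writing through the caller's pointer. The function body starts and ends outside this hunk.

```c
  CopyMem (&DescriptorData->TimeStamp, Time, sizeof (EFI_TIME));
  // Authenticated-variable timestamps must carry zero in these fields.
  DescriptorData->TimeStamp.Pad1       = 0;
  DescriptorData->TimeStamp.Nanosecond = 0;
  DescriptorData->TimeStamp.TimeZone   = 0;
  DescriptorData->TimeStamp.Daylight   = 0;
  DescriptorData->TimeStamp.Pad2       = 0;
  // … unchanged: AuthInfo.Hdr fields and CertType setup …
```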
@@ -6,6 +6,7 @@ Copyright (c) 2011 - 2018, Intel Corporation. All rights re= served.<BR> (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>=0D Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>=0D Copyright (c) 2021, Semihalf All rights reserved.<BR>=0D +Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D @@ -24,6 +25,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =0D --*/=0D EFI_STATUS=0D +EFIAPI=0D SetSecureBootMode (=0D IN UINT8 SecureBootMode=0D );=0D @@ -73,6 +75,7 @@ SecureBootFetchData ( pointer to NULL to wrap an empty payloa= d.=0D On output, Pointer to the new payload d= ate buffer allocated from pool,=0D it's caller's responsibility to free th= e memory when finish using it.=0D + @param[in] Time Pointer to time information to created = time based payload.=0D =0D @retval EFI_SUCCESS Create time based payload successfully.= =0D @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload.=0D @@ -81,9 +84,11 @@ SecureBootFetchData ( =0D --*/=0D EFI_STATUS=0D +EFIAPI=0D CreateTimeBasedPayload (=0D - IN OUT UINTN *DataSize,=0D - IN OUT UINT8 **Data=0D + IN OUT UINTN *DataSize,=0D + IN OUT UINT8 **Data,=0D + IN EFI_TIME *Time=0D );=0D =0D /**=0D diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf index ed7af3dd9cd5..87db5a258021 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf @@ -4,6 +4,7 @@ #=0D # Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>=0D # Copyright (c) 2021, Semihalf All rights reserved.<BR>=0D +# Copyright (c) Microsoft Corporation.=0D #=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D 
@@ -68,12 +69,5 @@ [Guids] ## PRODUCES ## Variable:L"CustomMode"=0D gEfiCustomModeEnableGuid=0D =0D - gEfiCertTypeRsa2048Sha256Guid ## CONSUMES=0D gEfiCertX509Guid ## CONSUMES=0D gEfiCertPkcs7Guid ## CONSUMES=0D -=0D - gDefaultPKFileGuid=0D - gDefaultKEKFileGuid=0D - gDefaultdbFileGuid=0D - gDefaultdbxFileGuid=0D - gDefaultdbtFileGuid=0D --=20 2.36.0.windows.1 |