[PATCH v3 08/11] SecurityPkg: SecureBootConfigDxe: Updated invocation pattern


Kun Qin
 

From: Kun Qin <kuqin@...>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909

This change pairs with the previous SecureBootVariableLib change,
which updated the interface of `CreateTimeBasedPayload`.

This change adds a helper function that queries the current time through
the Real Time Clock protocol. The helper is used whenever an
authenticated variable payload needs to be formatted.

Cc: Jiewen Yao <jiewen.yao@...>
Cc: Jian J Wang <jian.j.wang@...>
Cc: Min Xu <min.m.xu@...>

Signed-off-by: Kun Qin <kun.qin@...>
Reviewed-by: Jiewen Yao <Jiewen.yao@...>
Acked-by: Michael Kubacki <michael.kubacki@...>
---

Notes:
v3:
- Added reviewed-by tag [Jiewen]
- Added acked-by tag [Michael Kubacki]

SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl=
.c | 127 ++++++++++++++++++--
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.=
inf | 1 +
2 files changed, 119 insertions(+), 9 deletions(-)

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo=
otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu=
reBootConfigImpl.c
index a13c349a0f89..4299a6b5e56d 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gImpl.c
@@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include "SecureBootConfigImpl.h"=0D
#include <UefiSecureBoot.h>=0D
#include <Protocol/HiiPopup.h>=0D
+#include <Protocol/RealTimeClock.h>=0D
#include <Library/BaseCryptLib.h>=0D
#include <Library/SecureBootVariableLib.h>=0D
#include <Library/SecureBootVariableProvisionLib.h>=0D
@@ -136,6 +137,51 @@ CloseEnrolledFile (
FileContext->FileType =3D UNKNOWN_FILE_TYPE;=0D
}=0D
=0D
+/**=0D
+ Helper function to populate an EFI_TIME instance.=0D
+=0D
+ @param[in] Time FileContext cached in SecureBootConfig driver=0D
+=0D
+**/=0D
+STATIC=0D
+EFI_STATUS=0D
+GetCurrentTime (=0D
+ IN EFI_TIME *Time=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ VOID *TestPointer;=0D
+=0D
+ if (Time =3D=3D NULL) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ Status =3D gBS->LocateProtocol (&gEfiRealTimeClockArchProtocolGuid, NULL=
, &TestPointer);=0D
+ if (EFI_ERROR (Status)) {=0D
+ return Status;=0D
+ }=0D
+=0D
+ ZeroMem (Time, sizeof (EFI_TIME));=0D
+ Status =3D gRT->GetTime (Time, NULL);=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((=0D
+ DEBUG_ERROR,=0D
+ "%a(), GetTime() failed, status =3D '%r'\n",=0D
+ __FUNCTION__,=0D
+ Status=0D
+ ));=0D
+ return Status;=0D
+ }=0D
+=0D
+ Time->Pad1 =3D 0;=0D
+ Time->Nanosecond =3D 0;=0D
+ Time->TimeZone =3D 0;=0D
+ Time->Daylight =3D 0;=0D
+ Time->Pad2 =3D 0;=0D
+=0D
+ return EFI_SUCCESS;=0D
+}=0D
+=0D
/**=0D
This code checks if the FileSuffix is one of the possible DER-encoded ce=
rtificate suffix.=0D
=0D
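Review bot: The header comment on `GetCurrentTime` does not match the function: it documents the argument as `@param[in] Time FileContext cached in SecureBootConfig driver`, while the body treats `Time` as an output buffer that is zeroed and then filled by `gRT->GetTime`. I would declare it `OUT EFI_TIME *Time`, document it as `@param[out] Time  Current time, with Pad1, Nanosecond, TimeZone, Daylight and Pad2 cleared`, and add `@retval` lines for `EFI_INVALID_PARAMETER`, a failed `LocateProtocol` and a failed `GetTime`. The comment should also say why those fields are cleared (the timestamp of a time-based authenticated variable is expected to carry zeros there). It should also note that `TimeZone` is cleared without any conversion, so the value is whatever wall-clock time the RTC reports. A clock that was reset or set backwards would then presumably produce a timestamp older than the one already stored, which is worth a sentence for whoever has to debug a rejected variable write.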
@@ -436,6 +482,7 @@ EnrollPlatformKey (
UINT32 Attr;=0D
UINTN DataSize;=0D
EFI_SIGNATURE_LIST *PkCert;=0D
+ EFI_TIME Time;=0D
=0D
PkCert =3D NULL;=0D
=0D
@@ -463,7 +510,13 @@ EnrollPlatformKey (
Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS=0D
| EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE=
NTICATED_WRITE_ACCESS;=0D
DataSize =3D PkCert->SignatureListSize;=0D
- Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert);=0D
+ Status =3D GetCurrentTime (&Time);=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=0D
+ goto ON_EXIT;=0D
+ }=0D
+=0D
+ Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert, &Time);=
=0D
if (EFI_ERROR (Status)) {=0D
DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta=
tus));=0D
goto ON_EXIT;=0D
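Review bot: The `DEBUG` message added after `GetCurrentTime (&Time)` has no trailing newline and no function name, so in a serial log it runs into the next message. It also cannot be told apart from the eight other call sites that print the same text (EnrollRsa2048ToKek, EnrollX509ToKek, EnrollX509toSigDB, EnrollX509HashtoSigDB, EnrollImageSignatureToSigDB, DeleteKeyExchangeKey, DeleteSignature, DeleteSignatureEx). I would write `DEBUG ((DEBUG_ERROR, "%a: Fail to fetch valid time data: %r\n", __FUNCTION__, Status));`, which matches the form `GetCurrentTime` itself uses for its `GetTime()` failure. A one-line comment above the call, such as `// Timestamp for the EFI_VARIABLE_AUTHENTICATION_2 header comes from the platform RTC`, would tell the reader why an enrollment now fails when no clock is available. EnrollPlatformKey starts and ends outside this hunk, so what `ON_EXIT` releases on this new early exit is not visible here.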
@@ -522,6 +575,7 @@ EnrollRsa2048ToKek (
UINTN KekSigListSize;=0D
UINT8 *KeyBuffer;=0D
UINTN KeyLenInBytes;=0D
+ EFI_TIME Time;=0D
=0D
Attr =3D 0;=0D
DataSize =3D 0;=0D
@@ -608,7 +662,13 @@ EnrollRsa2048ToKek (
//=0D
Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS=0D
| EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE=
NTICATED_WRITE_ACCESS;=0D
- Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis=
t);=0D
+ Status =3D GetCurrentTime (&Time);=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=0D
+ goto ON_EXIT;=0D
+ }=0D
+=0D
+ Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis=
t, &Time);=0D
if (EFI_ERROR (Status)) {=0D
DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta=
tus));=0D
goto ON_EXIT;=0D
@@ -689,6 +749,7 @@ EnrollX509ToKek (
UINTN DataSize;=0D
UINTN KekSigListSize;=0D
UINT32 Attr;=0D
+ EFI_TIME Time;=0D
=0D
X509Data =3D NULL;=0D
X509DataSize =3D 0;=0D
@@ -735,7 +796,13 @@ EnrollX509ToKek (
//=0D
Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS=0D
| EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE=
NTICATED_WRITE_ACCESS;=0D
- Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis=
t);=0D
+ Status =3D GetCurrentTime (&Time);=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=0D
+ goto ON_EXIT;=0D
+ }=0D
+=0D
+ Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis=
t, &Time);=0D
if (EFI_ERROR (Status)) {=0D
DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta=
tus));=0D
goto ON_EXIT;=0D
@@ -861,6 +928,7 @@ EnrollX509toSigDB (
UINTN DataSize;=0D
UINTN SigDBSize;=0D
UINT32 Attr;=0D
+ EFI_TIME Time;=0D
=0D
X509DataSize =3D 0;=0D
SigDBSize =3D 0;=0D
@@ -910,7 +978,13 @@ EnrollX509toSigDB (
//=0D
Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS=0D
| EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE=
NTICATED_WRITE_ACCESS;=0D
- Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data);=0D
+ Status =3D GetCurrentTime (&Time);=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=0D
+ goto ON_EXIT;=0D
+ }=0D
+=0D
+ Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time);=
=0D
if (EFI_ERROR (Status)) {=0D
DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta=
tus));=0D
goto ON_EXIT;=0D
@@ -1321,6 +1395,7 @@ EnrollX509HashtoSigDB (
UINT16 *FilePostFix;=0D
UINTN NameLength;=0D
EFI_TIME *Time;=0D
+ EFI_TIME NewTime;=0D
=0D
X509DataSize =3D 0;=0D
DbSize =3D 0;=0D
@@ -1490,7 +1565,13 @@ EnrollX509HashtoSigDB (
DataSize =3D DbSize;=0D
}=0D
=0D
- Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);=0D
+ Status =3D GetCurrentTime (&NewTime);=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=0D
+ goto ON_EXIT;=0D
+ }=0D
+=0D
+ Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data, &NewTime)=
;=0D
if (EFI_ERROR (Status)) {=0D
goto ON_EXIT;=0D
}=0D
@@ -2169,6 +2250,7 @@ EnrollImageSignatureToSigDB (
UINTN SigDBSize;=0D
UINT32 Attr;=0D
WIN_CERTIFICATE_UEFI_GUID *GuidCertData;=0D
+ EFI_TIME Time;=0D
=0D
Data =3D NULL;=0D
GuidCertData =3D NULL;=0D
@@ -2267,7 +2349,13 @@ EnrollImageSignatureToSigDB (
=0D
Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS=0D
| EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE=
NTICATED_WRITE_ACCESS;=0D
- Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data);=0D
+ Status =3D GetCurrentTime (&Time);=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=0D
+ goto ON_EXIT;=0D
+ }=0D
+=0D
+ Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time);=
=0D
if (EFI_ERROR (Status)) {=0D
DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta=
tus));=0D
goto ON_EXIT;=0D
@@ -2609,6 +2697,7 @@ DeleteKeyExchangeKey (
UINT32 KekDataSize;=0D
UINTN DeleteKekIndex;=0D
UINTN GuidIndex;=0D
+ EFI_TIME Time;=0D
=0D
Data =3D NULL;=0D
OldData =3D NULL;=0D
@@ -2727,7 +2816,13 @@ DeleteKeyExchangeKey (
=0D
DataSize =3D Offset;=0D
if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) !=3D 0) =
{=0D
- Status =3D CreateTimeBasedPayload (&DataSize, &OldData);=0D
+ Status =3D GetCurrentTime (&Time);=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=
=0D
+ goto ON_EXIT;=0D
+ }=0D
+=0D
+ Status =3D CreateTimeBasedPayload (&DataSize, &OldData, &Time);=0D
if (EFI_ERROR (Status)) {=0D
DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S=
tatus));=0D
goto ON_EXIT;=0D
@@ -2805,6 +2900,7 @@ DeleteSignature (
BOOLEAN IsItemFound;=0D
UINT32 ItemDataSize;=0D
UINTN GuidIndex;=0D
+ EFI_TIME Time;=0D
=0D
Data =3D NULL;=0D
OldData =3D NULL;=0D
@@ -2931,7 +3027,13 @@ DeleteSignature (
=0D
DataSize =3D Offset;=0D
if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) !=3D 0) =
{=0D
- Status =3D CreateTimeBasedPayload (&DataSize, &OldData);=0D
+ Status =3D GetCurrentTime (&Time);=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=
=0D
+ goto ON_EXIT;=0D
+ }=0D
+=0D
+ Status =3D CreateTimeBasedPayload (&DataSize, &OldData, &Time);=0D
if (EFI_ERROR (Status)) {=0D
DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S=
tatus));=0D
goto ON_EXIT;=0D
@@ -3000,6 +3102,7 @@ DeleteSignatureEx (
UINTN Offset;=0D
UINT8 *VariableData;=0D
UINT8 *NewVariableData;=0D
+ EFI_TIME Time;=0D
=0D
Status =3D EFI_SUCCESS;=0D
VariableAttr =3D 0;=0D
@@ -3120,7 +3223,13 @@ DeleteSignatureEx (
}=0D
=0D
if ((VariableAttr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) =
!=3D 0) {=0D
- Status =3D CreateTimeBasedPayload (&VariableDataSize, &NewVariableData=
);=0D
+ Status =3D GetCurrentTime (&Time);=0D
+ if (EFI_ERROR (Status)) {=0D
+ DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=
=0D
+ goto ON_EXIT;=0D
+ }=0D
+=0D
+ Status =3D CreateTimeBasedPayload (&VariableDataSize, &NewVariableData=
, &Time);=0D
if (EFI_ERROR (Status)) {=0D
DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S=
tatus));=0D
goto ON_EXIT;=0D
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo=
otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec=
ureBootConfigDxe.inf
index 420687a21141..1671d5be7ccd 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gDxe.inf
@@ -111,6 +111,7 @@ [Protocols]
gEfiHiiConfigAccessProtocolGuid ## PRODUCES=0D
gEfiDevicePathProtocolGuid ## PRODUCES=0D
gEfiHiiPopupProtocolGuid=0D
+ gEfiRealTimeClockArchProtocolGuid ## CONSUMES=0D
=0D
[Depex]=0D
gEfiHiiConfigRoutingProtocolGuid AND=0D
--=20
2.36.0.windows.1
