blob: 3d92afe2ebde95d871b505550e1a2b4675f3b28f [file] [log] [blame]
// SPDX-License-Identifier: GPL-2.0+
/*
* UEFI runtime variable services
*
* Copyright (c) 2020, Heinrich Schuchardt <xypron.glpk@gmx.de>
* Copyright (c) 2020 Linaro Limited, Author: AKASHI Takahiro
*/
#include <common.h>
#include <efi_loader.h>
#include <efi_variable.h>
#include <stdlib.h>
enum efi_secure_mode {
EFI_MODE_SETUP,
EFI_MODE_USER,
EFI_MODE_AUDIT,
EFI_MODE_DEPLOYED,
};
struct efi_auth_var_name_type {
const u16 *name;
const efi_guid_t *guid;
const enum efi_auth_var_type type;
};
const efi_guid_t efi_guid_image_security_database =
EFI_IMAGE_SECURITY_DATABASE_GUID;
static const struct efi_auth_var_name_type name_type[] = {
{u"PK", &efi_global_variable_guid, EFI_AUTH_VAR_PK},
{u"KEK", &efi_global_variable_guid, EFI_AUTH_VAR_KEK},
{u"db", &efi_guid_image_security_database, EFI_AUTH_VAR_DB},
{u"dbx", &efi_guid_image_security_database, EFI_AUTH_VAR_DBX},
/* not used yet
{u"dbt", &efi_guid_image_security_database, EFI_AUTH_VAR_DBT},
{u"dbr", &efi_guid_image_security_database, EFI_AUTH_VAR_DBR},
*/
};
static bool efi_secure_boot;
static enum efi_secure_mode efi_secure_mode;
/**
* efi_efi_get_variable() - retrieve value of a UEFI variable
*
* This function implements the GetVariable runtime service.
*
* See the Unified Extensible Firmware Interface (UEFI) specification for
* details.
*
* @variable_name: name of the variable
* @vendor: vendor GUID
* @attributes: attributes of the variable
* @data_size: size of the buffer to which the variable value is copied
* @data: buffer to which the variable value is copied
* Return: status code
*/
efi_status_t EFIAPI efi_get_variable(u16 *variable_name,
const efi_guid_t *vendor, u32 *attributes,
efi_uintn_t *data_size, void *data)
{
efi_status_t ret;
EFI_ENTRY("\"%ls\" %pUl %p %p %p", variable_name, vendor, attributes,
data_size, data);
ret = efi_get_variable_int(variable_name, vendor, attributes,
data_size, data, NULL);
/* Remove EFI_VARIABLE_READ_ONLY flag */
if (attributes)
*attributes &= EFI_VARIABLE_MASK;
return EFI_EXIT(ret);
}
/**
* efi_set_variable() - set value of a UEFI variable
*
* This function implements the SetVariable runtime service.
*
* See the Unified Extensible Firmware Interface (UEFI) specification for
* details.
*
* @variable_name: name of the variable
* @vendor: vendor GUID
* @attributes: attributes of the variable
* @data_size: size of the buffer with the variable value
* @data: buffer with the variable value
* Return: status code
*/
efi_status_t EFIAPI efi_set_variable(u16 *variable_name,
const efi_guid_t *vendor, u32 attributes,
efi_uintn_t data_size, const void *data)
{
efi_status_t ret;
EFI_ENTRY("\"%ls\" %pUl %x %zu %p", variable_name, vendor, attributes,
data_size, data);
/* Make sure that the EFI_VARIABLE_READ_ONLY flag is not set */
if (attributes & ~(u32)EFI_VARIABLE_MASK)
ret = EFI_INVALID_PARAMETER;
else
ret = efi_set_variable_int(variable_name, vendor, attributes,
data_size, data, true);
return EFI_EXIT(ret);
}
/**
* efi_get_next_variable_name() - enumerate the current variable names
*
* @variable_name_size: size of variable_name buffer in byte
* @variable_name: name of uefi variable's name in u16
* @vendor: vendor's guid
*
* See the Unified Extensible Firmware Interface (UEFI) specification for
* details.
*
* Return: status code
*/
efi_status_t EFIAPI efi_get_next_variable_name(efi_uintn_t *variable_name_size,
u16 *variable_name,
efi_guid_t *vendor)
{
efi_status_t ret;
EFI_ENTRY("%p \"%ls\" %pUl", variable_name_size, variable_name, vendor);
ret = efi_get_next_variable_name_int(variable_name_size, variable_name,
vendor);
return EFI_EXIT(ret);
}
/**
* efi_query_variable_info() - get information about EFI variables
*
* This function implements the QueryVariableInfo() runtime service.
*
* See the Unified Extensible Firmware Interface (UEFI) specification for
* details.
*
* @attributes: bitmask to select variables to be
* queried
* @maximum_variable_storage_size: maximum size of storage area for the
* selected variable types
* @remaining_variable_storage_size: remaining size of storage are for the
* selected variable types
* @maximum_variable_size: maximum size of a variable of the
* selected type
* Returns: status code
*/
efi_status_t EFIAPI efi_query_variable_info(
u32 attributes, u64 *maximum_variable_storage_size,
u64 *remaining_variable_storage_size,
u64 *maximum_variable_size)
{
efi_status_t ret;
EFI_ENTRY("%x %p %p %p", attributes, maximum_variable_storage_size,
remaining_variable_storage_size, maximum_variable_size);
if (!maximum_variable_storage_size ||
!remaining_variable_storage_size ||
!maximum_variable_size ||
!(attributes & EFI_VARIABLE_BOOTSERVICE_ACCESS))
return EFI_EXIT(EFI_INVALID_PARAMETER);
if ((attributes & ~(u32)EFI_VARIABLE_MASK) ||
(attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) ||
(attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) ||
(!IS_ENABLED(CONFIG_EFI_SECURE_BOOT) &&
(attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)))
return EFI_EXIT(EFI_UNSUPPORTED);
ret = efi_query_variable_info_int(attributes,
maximum_variable_storage_size,
remaining_variable_storage_size,
maximum_variable_size);
return EFI_EXIT(ret);
}
efi_status_t __efi_runtime EFIAPI
efi_get_variable_runtime(u16 *variable_name, const efi_guid_t *guid,
u32 *attributes, efi_uintn_t *data_size, void *data)
{
efi_status_t ret;
ret = efi_get_variable_mem(variable_name, guid, attributes, data_size, data, NULL);
/* Remove EFI_VARIABLE_READ_ONLY flag */
if (attributes)
*attributes &= EFI_VARIABLE_MASK;
return ret;
}
efi_status_t __efi_runtime EFIAPI
efi_get_next_variable_name_runtime(efi_uintn_t *variable_name_size,
u16 *variable_name, efi_guid_t *guid)
{
return efi_get_next_variable_name_mem(variable_name_size, variable_name, guid);
}
/**
* efi_set_secure_state - modify secure boot state variables
* @secure_boot: value of SecureBoot
* @setup_mode: value of SetupMode
* @audit_mode: value of AuditMode
* @deployed_mode: value of DeployedMode
*
* Modify secure boot status related variables as indicated.
*
* Return: status code
*/
static efi_status_t efi_set_secure_state(u8 secure_boot, u8 setup_mode,
u8 audit_mode, u8 deployed_mode)
{
efi_status_t ret;
const u32 attributes_ro = EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_RUNTIME_ACCESS |
EFI_VARIABLE_READ_ONLY;
const u32 attributes_rw = EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_RUNTIME_ACCESS;
efi_secure_boot = secure_boot;
ret = efi_set_variable_int(L"SecureBoot", &efi_global_variable_guid,
attributes_ro, sizeof(secure_boot),
&secure_boot, false);
if (ret != EFI_SUCCESS)
goto err;
ret = efi_set_variable_int(L"SetupMode", &efi_global_variable_guid,
attributes_ro, sizeof(setup_mode),
&setup_mode, false);
if (ret != EFI_SUCCESS)
goto err;
ret = efi_set_variable_int(L"AuditMode", &efi_global_variable_guid,
audit_mode || setup_mode ?
attributes_ro : attributes_rw,
sizeof(audit_mode), &audit_mode, false);
if (ret != EFI_SUCCESS)
goto err;
ret = efi_set_variable_int(L"DeployedMode",
&efi_global_variable_guid,
audit_mode || deployed_mode || setup_mode ?
attributes_ro : attributes_rw,
sizeof(deployed_mode), &deployed_mode,
false);
err:
return ret;
}
/**
* efi_transfer_secure_state - handle a secure boot state transition
* @mode: new state
*
* Depending on @mode, secure boot related variables are updated.
* Those variables are *read-only* for users, efi_set_variable_int()
* is called here.
*
* Return: status code
*/
static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode)
{
efi_status_t ret;
EFI_PRINT("Switching secure state from %d to %d\n", efi_secure_mode,
mode);
if (mode == EFI_MODE_DEPLOYED) {
ret = efi_set_secure_state(1, 0, 0, 1);
if (ret != EFI_SUCCESS)
goto err;
} else if (mode == EFI_MODE_AUDIT) {
ret = efi_set_variable_int(L"PK", &efi_global_variable_guid,
EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_RUNTIME_ACCESS,
0, NULL, false);
if (ret != EFI_SUCCESS)
goto err;
ret = efi_set_secure_state(0, 1, 1, 0);
if (ret != EFI_SUCCESS)
goto err;
} else if (mode == EFI_MODE_USER) {
ret = efi_set_secure_state(1, 0, 0, 0);
if (ret != EFI_SUCCESS)
goto err;
} else if (mode == EFI_MODE_SETUP) {
ret = efi_set_secure_state(0, 1, 0, 0);
if (ret != EFI_SUCCESS)
goto err;
} else {
return EFI_INVALID_PARAMETER;
}
efi_secure_mode = mode;
return EFI_SUCCESS;
err:
/* TODO: What action should be taken here? */
printf("ERROR: Secure state transition failed\n");
return ret;
}
efi_status_t efi_init_secure_state(void)
{
enum efi_secure_mode mode = EFI_MODE_SETUP;
u8 efi_vendor_keys = 0;
efi_uintn_t size = 0;
efi_status_t ret;
ret = efi_get_variable_int(L"PK", &efi_global_variable_guid,
NULL, &size, NULL, NULL);
if (ret == EFI_BUFFER_TOO_SMALL) {
if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT))
mode = EFI_MODE_USER;
}
ret = efi_transfer_secure_state(mode);
if (ret != EFI_SUCCESS)
return ret;
/* As we do not provide vendor keys this variable is always 0. */
ret = efi_set_variable_int(L"VendorKeys",
&efi_global_variable_guid,
EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_RUNTIME_ACCESS |
EFI_VARIABLE_READ_ONLY,
sizeof(efi_vendor_keys),
&efi_vendor_keys, false);
return ret;
}
/**
* efi_secure_boot_enabled - return if secure boot is enabled or not
*
* Return: true if enabled, false if disabled
*/
bool efi_secure_boot_enabled(void)
{
return efi_secure_boot;
}
enum efi_auth_var_type efi_auth_var_get_type(u16 *name, const efi_guid_t *guid)
{
for (size_t i = 0; i < ARRAY_SIZE(name_type); ++i) {
if (!u16_strcmp(name, name_type[i].name) &&
!guidcmp(guid, name_type[i].guid))
return name_type[i].type;
}
return EFI_AUTH_VAR_NONE;
}
/**
* efi_get_var() - read value of an EFI variable
*
* @name: variable name
* @start: vendor GUID
* @size: size of allocated buffer
*
* Return: buffer with variable data or NULL
*/
void *efi_get_var(u16 *name, const efi_guid_t *vendor, efi_uintn_t *size)
{
efi_status_t ret;
void *buf = NULL;
*size = 0;
ret = efi_get_variable_int(name, vendor, NULL, size, buf, NULL);
if (ret == EFI_BUFFER_TOO_SMALL) {
buf = malloc(*size);
if (!buf)
return NULL;
ret = efi_get_variable_int(name, vendor, NULL, size, buf, NULL);
}
if (ret != EFI_SUCCESS) {
free(buf);
*size = 0;
return NULL;
}
return buf;
}