1 // SPDX-License-Identifier: GPL-2.0+
3 * UEFI runtime variable services
5 * Copyright (c) 2020, Heinrich Schuchardt <xypron.glpk@gmx.de>
6 * Copyright (c) 2020 Linaro Limited, Author: AKASHI Takahiro
10 #include <efi_loader.h>
11 #include <efi_variable.h>
14 enum efi_secure_mode {
21 struct efi_auth_var_name_type {
23 const efi_guid_t *guid;
24 const enum efi_auth_var_type type;
27 const efi_guid_t efi_guid_image_security_database =
28 EFI_IMAGE_SECURITY_DATABASE_GUID;
30 static const struct efi_auth_var_name_type name_type[] = {
31 {u"PK", &efi_global_variable_guid, EFI_AUTH_VAR_PK},
32 {u"KEK", &efi_global_variable_guid, EFI_AUTH_VAR_KEK},
33 {u"db", &efi_guid_image_security_database, EFI_AUTH_VAR_DB},
34 {u"dbx", &efi_guid_image_security_database, EFI_AUTH_VAR_DBX},
35 {u"dbt", &efi_guid_image_security_database, EFI_AUTH_VAR_DBT},
36 {u"dbr", &efi_guid_image_security_database, EFI_AUTH_VAR_DBR},
37 {u"AuditMode", &efi_global_variable_guid, EFI_AUTH_MODE},
38 {u"DeployedMode", &efi_global_variable_guid, EFI_AUTH_MODE},
41 static bool efi_secure_boot;
42 static enum efi_secure_mode efi_secure_mode;
45 * efi_efi_get_variable() - retrieve value of a UEFI variable
47 * This function implements the GetVariable runtime service.
49 * See the Unified Extensible Firmware Interface (UEFI) specification for
52 * @variable_name: name of the variable
53 * @vendor: vendor GUID
54 * @attributes: attributes of the variable
55 * @data_size: size of the buffer to which the variable value is copied
56 * @data: buffer to which the variable value is copied
59 efi_status_t EFIAPI efi_get_variable(u16 *variable_name,
60 const efi_guid_t *vendor, u32 *attributes,
61 efi_uintn_t *data_size, void *data)
65 EFI_ENTRY("\"%ls\" %pUs %p %p %p", variable_name, vendor, attributes,
68 ret = efi_get_variable_int(variable_name, vendor, attributes,
69 data_size, data, NULL);
71 /* Remove EFI_VARIABLE_READ_ONLY flag */
73 *attributes &= EFI_VARIABLE_MASK;
79 * efi_set_variable() - set value of a UEFI variable
81 * This function implements the SetVariable runtime service.
83 * See the Unified Extensible Firmware Interface (UEFI) specification for
86 * @variable_name: name of the variable
87 * @vendor: vendor GUID
88 * @attributes: attributes of the variable
89 * @data_size: size of the buffer with the variable value
90 * @data: buffer with the variable value
93 efi_status_t EFIAPI efi_set_variable(u16 *variable_name,
94 const efi_guid_t *vendor, u32 attributes,
95 efi_uintn_t data_size, const void *data)
99 EFI_ENTRY("\"%ls\" %pUs %x %zu %p", variable_name, vendor, attributes,
102 /* Make sure that the EFI_VARIABLE_READ_ONLY flag is not set */
103 if (attributes & ~(u32)EFI_VARIABLE_MASK)
104 ret = EFI_INVALID_PARAMETER;
106 ret = efi_set_variable_int(variable_name, vendor, attributes,
107 data_size, data, true);
109 return EFI_EXIT(ret);
113 * efi_get_next_variable_name() - enumerate the current variable names
115 * @variable_name_size: size of variable_name buffer in byte
116 * @variable_name: name of uefi variable's name in u16
117 * @vendor: vendor's guid
119 * See the Unified Extensible Firmware Interface (UEFI) specification for
122 * Return: status code
124 efi_status_t EFIAPI efi_get_next_variable_name(efi_uintn_t *variable_name_size,
130 EFI_ENTRY("%p \"%ls\" %pUs", variable_name_size, variable_name, vendor);
132 ret = efi_get_next_variable_name_int(variable_name_size, variable_name,
135 return EFI_EXIT(ret);
139 * efi_query_variable_info() - get information about EFI variables
141 * This function implements the QueryVariableInfo() runtime service.
143 * See the Unified Extensible Firmware Interface (UEFI) specification for
146 * @attributes: bitmask to select variables to be
148 * @maximum_variable_storage_size: maximum size of storage area for the
149 * selected variable types
150 * @remaining_variable_storage_size: remaining size of storage are for the
151 * selected variable types
152 * @maximum_variable_size: maximum size of a variable of the
154 * Returns: status code
156 efi_status_t EFIAPI efi_query_variable_info(
157 u32 attributes, u64 *maximum_variable_storage_size,
158 u64 *remaining_variable_storage_size,
159 u64 *maximum_variable_size)
163 EFI_ENTRY("%x %p %p %p", attributes, maximum_variable_storage_size,
164 remaining_variable_storage_size, maximum_variable_size);
166 if (!maximum_variable_storage_size ||
167 !remaining_variable_storage_size ||
168 !maximum_variable_size ||
169 !(attributes & EFI_VARIABLE_BOOTSERVICE_ACCESS))
170 return EFI_EXIT(EFI_INVALID_PARAMETER);
172 if ((attributes & ~(u32)EFI_VARIABLE_MASK) ||
173 (attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) ||
174 (attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) ||
175 (!IS_ENABLED(CONFIG_EFI_SECURE_BOOT) &&
176 (attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)))
177 return EFI_EXIT(EFI_UNSUPPORTED);
179 ret = efi_query_variable_info_int(attributes,
180 maximum_variable_storage_size,
181 remaining_variable_storage_size,
182 maximum_variable_size);
184 return EFI_EXIT(ret);
187 efi_status_t __efi_runtime EFIAPI
188 efi_get_variable_runtime(u16 *variable_name, const efi_guid_t *guid,
189 u32 *attributes, efi_uintn_t *data_size, void *data)
193 ret = efi_get_variable_mem(variable_name, guid, attributes, data_size, data, NULL);
195 /* Remove EFI_VARIABLE_READ_ONLY flag */
197 *attributes &= EFI_VARIABLE_MASK;
202 efi_status_t __efi_runtime EFIAPI
203 efi_get_next_variable_name_runtime(efi_uintn_t *variable_name_size,
204 u16 *variable_name, efi_guid_t *guid)
206 return efi_get_next_variable_name_mem(variable_name_size, variable_name, guid);
210 * efi_set_secure_state - modify secure boot state variables
211 * @secure_boot: value of SecureBoot
212 * @setup_mode: value of SetupMode
213 * @audit_mode: value of AuditMode
214 * @deployed_mode: value of DeployedMode
216 * Modify secure boot status related variables as indicated.
218 * Return: status code
220 static efi_status_t efi_set_secure_state(u8 secure_boot, u8 setup_mode,
221 u8 audit_mode, u8 deployed_mode)
224 const u32 attributes_ro = EFI_VARIABLE_BOOTSERVICE_ACCESS |
225 EFI_VARIABLE_RUNTIME_ACCESS |
226 EFI_VARIABLE_READ_ONLY;
227 const u32 attributes_rw = EFI_VARIABLE_BOOTSERVICE_ACCESS |
228 EFI_VARIABLE_RUNTIME_ACCESS;
230 efi_secure_boot = secure_boot;
232 ret = efi_set_variable_int(L"SecureBoot", &efi_global_variable_guid,
233 attributes_ro, sizeof(secure_boot),
234 &secure_boot, false);
235 if (ret != EFI_SUCCESS)
238 ret = efi_set_variable_int(L"SetupMode", &efi_global_variable_guid,
239 attributes_ro, sizeof(setup_mode),
241 if (ret != EFI_SUCCESS)
244 ret = efi_set_variable_int(L"AuditMode", &efi_global_variable_guid,
245 audit_mode || setup_mode ?
246 attributes_ro : attributes_rw,
247 sizeof(audit_mode), &audit_mode, false);
248 if (ret != EFI_SUCCESS)
251 ret = efi_set_variable_int(L"DeployedMode",
252 &efi_global_variable_guid,
253 audit_mode || deployed_mode || setup_mode ?
254 attributes_ro : attributes_rw,
255 sizeof(deployed_mode), &deployed_mode,
262 * efi_transfer_secure_state - handle a secure boot state transition
265 * Depending on @mode, secure boot related variables are updated.
266 * Those variables are *read-only* for users, efi_set_variable_int()
269 * Return: status code
271 static efi_status_t efi_transfer_secure_state(enum efi_secure_mode mode)
275 EFI_PRINT("Switching secure state from %d to %d\n", efi_secure_mode,
278 if (mode == EFI_MODE_DEPLOYED) {
279 ret = efi_set_secure_state(1, 0, 0, 1);
280 if (ret != EFI_SUCCESS)
282 } else if (mode == EFI_MODE_AUDIT) {
283 ret = efi_set_variable_int(L"PK", &efi_global_variable_guid,
284 EFI_VARIABLE_BOOTSERVICE_ACCESS |
285 EFI_VARIABLE_RUNTIME_ACCESS,
287 if (ret != EFI_SUCCESS)
290 ret = efi_set_secure_state(0, 1, 1, 0);
291 if (ret != EFI_SUCCESS)
293 } else if (mode == EFI_MODE_USER) {
294 ret = efi_set_secure_state(1, 0, 0, 0);
295 if (ret != EFI_SUCCESS)
297 } else if (mode == EFI_MODE_SETUP) {
298 ret = efi_set_secure_state(0, 1, 0, 0);
299 if (ret != EFI_SUCCESS)
302 return EFI_INVALID_PARAMETER;
305 efi_secure_mode = mode;
310 /* TODO: What action should be taken here? */
311 printf("ERROR: Secure state transition failed\n");
315 efi_status_t efi_init_secure_state(void)
317 enum efi_secure_mode mode;
318 u8 efi_vendor_keys = 0;
321 u8 deployed_mode = 0;
325 if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) {
326 size = sizeof(deployed_mode);
327 ret = efi_get_variable_int(u"DeployedMode", &efi_global_variable_guid,
328 NULL, &size, &deployed_mode, NULL);
329 size = sizeof(audit_mode);
330 ret = efi_get_variable_int(u"AuditMode", &efi_global_variable_guid,
331 NULL, &size, &audit_mode, NULL);
333 ret = efi_get_variable_int(u"PK", &efi_global_variable_guid,
334 NULL, &size, NULL, NULL);
335 if (ret == EFI_BUFFER_TOO_SMALL) {
344 mode = EFI_MODE_DEPLOYED;
346 mode = EFI_MODE_AUDIT;
348 mode = EFI_MODE_SETUP;
350 mode = EFI_MODE_USER;
352 ret = efi_transfer_secure_state(mode);
353 if (ret != EFI_SUCCESS)
356 /* As we do not provide vendor keys this variable is always 0. */
357 ret = efi_set_variable_int(L"VendorKeys",
358 &efi_global_variable_guid,
359 EFI_VARIABLE_BOOTSERVICE_ACCESS |
360 EFI_VARIABLE_RUNTIME_ACCESS |
361 EFI_VARIABLE_READ_ONLY,
362 sizeof(efi_vendor_keys),
363 &efi_vendor_keys, false);
368 * efi_secure_boot_enabled - return if secure boot is enabled or not
370 * Return: true if enabled, false if disabled
372 bool efi_secure_boot_enabled(void)
374 return efi_secure_boot;
377 enum efi_auth_var_type efi_auth_var_get_type(const u16 *name,
378 const efi_guid_t *guid)
380 for (size_t i = 0; i < ARRAY_SIZE(name_type); ++i) {
381 if (!u16_strcmp(name, name_type[i].name) &&
382 !guidcmp(guid, name_type[i].guid))
383 return name_type[i].type;
385 return EFI_AUTH_VAR_NONE;
388 const efi_guid_t *efi_auth_var_get_guid(const u16 *name)
390 for (size_t i = 0; i < ARRAY_SIZE(name_type); ++i) {
391 if (!u16_strcmp(name, name_type[i].name))
392 return name_type[i].guid;
394 return &efi_global_variable_guid;
398 * efi_get_var() - read value of an EFI variable
400 * @name: variable name
401 * @start: vendor GUID
402 * @size: size of allocated buffer
404 * Return: buffer with variable data or NULL
406 void *efi_get_var(const u16 *name, const efi_guid_t *vendor, efi_uintn_t *size)
412 ret = efi_get_variable_int(name, vendor, NULL, size, buf, NULL);
413 if (ret == EFI_BUFFER_TOO_SMALL) {
417 ret = efi_get_variable_int(name, vendor, NULL, size, buf, NULL);
420 if (ret != EFI_SUCCESS) {