1 // SPDX-License-Identifier: GPL-2.0+
3 * UEFI runtime variable services
5 * Copyright (c) 2017 Rob Clark
8 #define LOG_CATEGORY LOGC_EFI
11 #include <efi_loader.h>
12 #include <efi_variable.h>
14 #include <env_internal.h>
21 #include <crypto/pkcs7_parser.h>
22 #include <linux/compat.h>
23 #include <u-boot/crc.h>
24 #include <asm/sections.h>
26 #ifdef CONFIG_EFI_SECURE_BOOT
27 static u8 pkcs7_hdr[] = {
29 0x30, 0x82, 0x05, 0xc7,
30 /* OID: pkcs7-signedData */
31 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02,
32 /* Context Structured? */
33 0xa0, 0x82, 0x05, 0xb8,
37 * efi_variable_parse_signature - parse a signature in variable
38 * @buf: Pointer to variable's value
39 * @buflen: Length of @buf
40 * @tmpbuf: Pointer to temporary buffer
42 * Parse a signature embedded in variable's value and instantiate
43 * a pkcs7_message structure. Since pkcs7_parse_message() accepts only
44 * pkcs7's signedData, some header needed be prepended for correctly
45 * parsing authentication data, particularly for variable's.
46 * A temporary buffer will be allocated if needed, and it should be
47 * kept valid during the authentication because some data in the buffer
48 * will be referenced by efi_signature_verify().
50 * Return: Pointer to pkcs7_message structure on success, NULL on error
52 static struct pkcs7_message *efi_variable_parse_signature(const void *buf,
58 struct pkcs7_message *msg;
61 * This is the best assumption to check if the binary is
62 * already in a form of pkcs7's signedData.
64 if (buflen > sizeof(pkcs7_hdr) &&
65 !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) {
66 msg = pkcs7_parse_message(buf, buflen);
73 * Otherwise, we should add a dummy prefix sequence for pkcs7
74 * message parser to be able to process.
75 * NOTE: EDK2 also uses similar hack in WrapPkcs7Data()
76 * in CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c
78 * The header should be composed in a more refined manner.
80 EFI_PRINT("Makeshift prefix added to authentication data\n");
81 ebuflen = sizeof(pkcs7_hdr) + buflen;
82 if (ebuflen <= 0x7f) {
83 EFI_PRINT("Data is too short\n");
87 ebuf = malloc(ebuflen);
89 EFI_PRINT("Out of memory\n");
93 memcpy(ebuf, pkcs7_hdr, sizeof(pkcs7_hdr));
94 memcpy(ebuf + sizeof(pkcs7_hdr), buf, buflen);
96 ebuf[2] = (len >> 8) & 0xff;
99 ebuf[0x11] = (len >> 8) & 0xff;
100 ebuf[0x12] = len & 0xff;
102 msg = pkcs7_parse_message(ebuf, ebuflen);
114 * efi_variable_authenticate - authenticate a variable
115 * @variable: Variable name in u16
116 * @vendor: Guid of variable
117 * @data_size: Size of @data
118 * @data: Pointer to variable's value
119 * @given_attr: Attributes to be given at SetVariable()
120 * @env_attr: Attributes that an existing variable holds
121 * @time: signed time that an existing variable holds
123 * Called by efi_set_variable() to verify that the input is correct.
124 * Will replace the given data pointer with another that points to
125 * the actual data to store in the internal memory.
126 * On success, @data and @data_size will be replaced with variable's
127 * actual data, excluding authentication data, and its size, and variable's
128 * attributes and signed time will also be returned in @env_attr and @time,
131 * Return: status code
133 static efi_status_t efi_variable_authenticate(u16 *variable,
134 const efi_guid_t *vendor,
135 efi_uintn_t *data_size,
136 const void **data, u32 given_attr,
137 u32 *env_attr, u64 *time)
139 const struct efi_variable_authentication_2 *auth;
140 struct efi_signature_store *truststore, *truststore2;
141 struct pkcs7_message *var_sig;
142 struct efi_image_regions *regs;
143 struct efi_time timestamp;
147 enum efi_auth_var_type var_type;
155 ret = EFI_SECURITY_VIOLATION;
157 if (*data_size < sizeof(struct efi_variable_authentication_2))
160 /* authentication data */
162 if (*data_size < (sizeof(auth->time_stamp)
163 + auth->auth_info.hdr.dwLength))
166 if (guidcmp(&auth->auth_info.cert_type, &efi_guid_cert_type_pkcs7))
169 memcpy(×tamp, &auth->time_stamp, sizeof(timestamp));
170 if (timestamp.pad1 || timestamp.nanosecond || timestamp.timezone ||
171 timestamp.daylight || timestamp.pad2)
174 *data += sizeof(auth->time_stamp) + auth->auth_info.hdr.dwLength;
175 *data_size -= (sizeof(auth->time_stamp)
176 + auth->auth_info.hdr.dwLength);
178 memset(&tm, 0, sizeof(tm));
179 tm.tm_year = timestamp.year;
180 tm.tm_mon = timestamp.month;
181 tm.tm_mday = timestamp.day;
182 tm.tm_hour = timestamp.hour;
183 tm.tm_min = timestamp.minute;
184 tm.tm_sec = timestamp.second;
185 new_time = rtc_mktime(&tm);
187 if (!efi_secure_boot_enabled()) {
188 /* finished checking */
193 if (new_time <= *time)
196 /* data to be digested */
197 regs = calloc(sizeof(*regs) + sizeof(struct image_region) * 5, 1);
201 efi_image_region_add(regs, (uint8_t *)variable,
203 + u16_strlen(variable) * sizeof(u16), 1);
204 efi_image_region_add(regs, (uint8_t *)vendor,
205 (uint8_t *)vendor + sizeof(*vendor), 1);
206 efi_image_region_add(regs, (uint8_t *)&given_attr,
207 (uint8_t *)&given_attr + sizeof(given_attr), 1);
208 efi_image_region_add(regs, (uint8_t *)×tamp,
209 (uint8_t *)×tamp + sizeof(timestamp), 1);
210 efi_image_region_add(regs, (uint8_t *)*data,
211 (uint8_t *)*data + *data_size, 1);
213 /* variable's signature list */
214 if (auth->auth_info.hdr.dwLength < sizeof(auth->auth_info))
217 /* ebuf should be kept valid during the authentication */
218 var_sig = efi_variable_parse_signature(auth->auth_info.cert_data,
219 auth->auth_info.hdr.dwLength
220 - sizeof(auth->auth_info),
223 EFI_PRINT("Parsing variable's signature failed\n");
227 /* signature database used for authentication */
228 var_type = efi_auth_var_get_type(variable, vendor);
230 case EFI_AUTH_VAR_PK:
231 case EFI_AUTH_VAR_KEK:
233 truststore = efi_sigstore_parse_sigdb(L"PK");
237 case EFI_AUTH_VAR_DB:
238 case EFI_AUTH_VAR_DBX:
239 /* with PK and KEK */
240 truststore = efi_sigstore_parse_sigdb(L"KEK");
241 truststore2 = efi_sigstore_parse_sigdb(L"PK");
246 truststore = truststore2;
251 /* TODO: support private authenticated variables */
255 /* verify signature */
256 if (efi_signature_verify(regs, var_sig, truststore, NULL)) {
257 EFI_PRINT("Verified\n");
260 efi_signature_verify(regs, var_sig, truststore2, NULL)) {
261 EFI_PRINT("Verified\n");
263 EFI_PRINT("Verifying variable's signature failed\n");
268 /* finished checking */
273 efi_sigstore_free(truststore);
274 efi_sigstore_free(truststore2);
275 pkcs7_free_message(var_sig);
282 static efi_status_t efi_variable_authenticate(u16 *variable,
283 const efi_guid_t *vendor,
284 efi_uintn_t *data_size,
285 const void **data, u32 given_attr,
286 u32 *env_attr, u64 *time)
290 #endif /* CONFIG_EFI_SECURE_BOOT */
292 efi_status_t __efi_runtime
293 efi_get_variable_int(u16 *variable_name, const efi_guid_t *vendor,
294 u32 *attributes, efi_uintn_t *data_size, void *data,
297 return efi_get_variable_mem(variable_name, vendor, attributes, data_size, data, timep);
300 efi_status_t __efi_runtime
301 efi_get_next_variable_name_int(efi_uintn_t *variable_name_size,
302 u16 *variable_name, efi_guid_t *vendor)
304 return efi_get_next_variable_name_mem(variable_name_size, variable_name, vendor);
307 efi_status_t efi_set_variable_int(u16 *variable_name, const efi_guid_t *vendor,
308 u32 attributes, efi_uintn_t data_size,
309 const void *data, bool ro_check)
311 struct efi_var_entry *var;
315 enum efi_auth_var_type var_type;
317 if (!variable_name || !*variable_name || !vendor ||
318 ((attributes & EFI_VARIABLE_RUNTIME_ACCESS) &&
319 !(attributes & EFI_VARIABLE_BOOTSERVICE_ACCESS)))
320 return EFI_INVALID_PARAMETER;
322 /* check if a variable exists */
323 var = efi_var_mem_find(vendor, variable_name, NULL);
324 append = !!(attributes & EFI_VARIABLE_APPEND_WRITE);
325 attributes &= ~(u32)EFI_VARIABLE_APPEND_WRITE;
326 delete = !append && (!data_size || !attributes);
328 /* check attributes */
329 var_type = efi_auth_var_get_type(variable_name, vendor);
331 if (ro_check && (var->attr & EFI_VARIABLE_READ_ONLY))
332 return EFI_WRITE_PROTECTED;
334 if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) {
335 if (var_type != EFI_AUTH_VAR_NONE)
336 return EFI_WRITE_PROTECTED;
339 /* attributes won't be changed */
341 ((ro_check && var->attr != attributes) ||
342 (!ro_check && ((var->attr & ~(u32)EFI_VARIABLE_READ_ONLY)
343 != (attributes & ~(u32)EFI_VARIABLE_READ_ONLY))))) {
344 return EFI_INVALID_PARAMETER;
348 if (delete || append)
350 * Trying to delete or to update a non-existent
353 return EFI_NOT_FOUND;
356 if (var_type != EFI_AUTH_VAR_NONE) {
357 /* authentication is mandatory */
359 EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) {
360 EFI_PRINT("%ls: TIME_BASED_AUTHENTICATED_WRITE_ACCESS required\n",
362 return EFI_INVALID_PARAMETER;
366 /* authenticate a variable */
367 if (IS_ENABLED(CONFIG_EFI_SECURE_BOOT)) {
368 if (attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS)
369 return EFI_INVALID_PARAMETER;
371 EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) {
374 ret = efi_variable_authenticate(variable_name, vendor,
376 attributes, &env_attr,
378 if (ret != EFI_SUCCESS)
381 /* last chance to check for delete */
387 (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS |
388 EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) {
389 EFI_PRINT("Secure boot is not configured\n");
390 return EFI_INVALID_PARAMETER;
395 /* EFI_NOT_FOUND has been handled before */
398 u16 *old_data = var->name;
400 for (; *old_data; ++old_data)
403 ret = efi_var_mem_ins(variable_name, vendor, attributes,
404 var->length, old_data, data_size, data,
407 ret = efi_var_mem_ins(variable_name, vendor, attributes,
408 data_size, data, 0, NULL, time);
410 efi_var_mem_del(var);
412 if (ret != EFI_SUCCESS)
415 if (var_type == EFI_AUTH_VAR_PK)
416 ret = efi_init_secure_state();
420 /* Write non-volatile EFI variables to file */
421 if (attributes & EFI_VARIABLE_NON_VOLATILE &&
422 ret == EFI_SUCCESS && efi_obj_list_initialized == EFI_SUCCESS)
428 efi_status_t efi_query_variable_info_int(u32 attributes,
429 u64 *maximum_variable_storage_size,
430 u64 *remaining_variable_storage_size,
431 u64 *maximum_variable_size)
433 *maximum_variable_storage_size = EFI_VAR_BUF_SIZE -
434 sizeof(struct efi_var_file);
435 *remaining_variable_storage_size = efi_var_mem_free();
436 *maximum_variable_size = EFI_VAR_BUF_SIZE -
437 sizeof(struct efi_var_file) -
438 sizeof(struct efi_var_entry);
443 * efi_query_variable_info_runtime() - runtime implementation of
444 * QueryVariableInfo()
446 * @attributes: bitmask to select variables to be
448 * @maximum_variable_storage_size: maximum size of storage area for the
449 * selected variable types
450 * @remaining_variable_storage_size: remaining size of storage are for the
451 * selected variable types
452 * @maximum_variable_size: maximum size of a variable of the
454 * Returns: status code
456 efi_status_t __efi_runtime EFIAPI efi_query_variable_info_runtime(
458 u64 *maximum_variable_storage_size,
459 u64 *remaining_variable_storage_size,
460 u64 *maximum_variable_size)
462 return EFI_UNSUPPORTED;
466 * efi_set_variable_runtime() - runtime implementation of SetVariable()
468 * @variable_name: name of the variable
469 * @vendor: vendor GUID
470 * @attributes: attributes of the variable
471 * @data_size: size of the buffer with the variable value
472 * @data: buffer with the variable value
473 * Return: status code
475 static efi_status_t __efi_runtime EFIAPI
476 efi_set_variable_runtime(u16 *variable_name, const efi_guid_t *vendor,
477 u32 attributes, efi_uintn_t data_size,
480 return EFI_UNSUPPORTED;
484 * efi_variables_boot_exit_notify() - notify ExitBootServices() is called
486 void efi_variables_boot_exit_notify(void)
488 /* Switch variable services functions to runtime version */
489 efi_runtime_services.get_variable = efi_get_variable_runtime;
490 efi_runtime_services.get_next_variable_name =
491 efi_get_next_variable_name_runtime;
492 efi_runtime_services.set_variable = efi_set_variable_runtime;
493 efi_runtime_services.query_variable_info =
494 efi_query_variable_info_runtime;
495 efi_update_table_header_crc32(&efi_runtime_services.hdr);
499 * efi_init_variables() - initialize variable services
501 * Return: status code
503 efi_status_t efi_init_variables(void)
507 ret = efi_var_mem_init();
508 if (ret != EFI_SUCCESS)
511 ret = efi_init_secure_state();
512 if (ret != EFI_SUCCESS)
515 if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) {
516 ret = efi_var_restore((struct efi_var_file *)
517 __efi_var_file_begin);
518 if (ret != EFI_SUCCESS)
519 log_err("Invalid EFI variable seed\n");
522 return efi_var_from_file();