Djam/u-boot
1
0
Fork 0
mirror of https://github.com/u-boot/u-boot.git synced 2025-05-09 03:21:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

efi_loader: variable: support variable authentication

Browse source 
With this commit, EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
is supported for authenticated variables and the system secure state
will transfer between setup mode and user mode as UEFI specification
section 32.3 describes.

Internally, authentication data is stored as part of authenticated
variable's value. It is nothing but a pkcs7 message (but we need some
wrapper, see efi_variable_parse_signature()) and will be validated by
efi_variable_authenticate(), hence efi_signature_verify_with_db().

Associated time value will be encoded in "{...,time=...}" along with
other UEFI variable's attributes.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
This commit is contained in:
AKASHI Takahiro 2020-04-14 11:51:41 +09:00 committed by Heinrich Schuchardt
parent be6296d05b
commit 767f6eeb01
2 changed files with 649 additions and 188 deletions
Download patch file Download diff file Expand all files Collapse all files

3
include/efi_loader.h
View file

@ -184,6 +184,7 @@ extern const efi_guid_t efi_guid_image_security_database;
extern const efi_guid_t efi_guid_sha256;
extern const efi_guid_t efi_guid_cert_x509;
extern const efi_guid_t efi_guid_cert_x509_sha256;
extern const efi_guid_t efi_guid_cert_type_pkcs7;
/* GUID of RNG protocol */
extern const efi_guid_t efi_guid_rng_protocol;
@ -753,6 +754,8 @@ efi_status_t efi_image_region_add(struct efi_image_regions *regs,
void efi_sigstore_free(struct efi_signature_store *sigstore);
struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name);
bool efi_secure_boot_enabled(void);
#endif /* CONFIG_EFI_SECURE_BOOT */
#else /* CONFIG_IS_ENABLED(EFI_LOADER) */