/** @file
Provides services to initialize and process authenticated variables.
Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#ifndef _AUTH_VARIABLE_LIB_H_
#define _AUTH_VARIABLE_LIB_H_
#include
///
/// Size of AuthInfo prior to the data payload.
///
#define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) +\
(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
#define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) +\
(UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)
#define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) +\
(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)))
typedef struct {
CHAR16 *VariableName;
EFI_GUID *VendorGuid;
UINT32 Attributes;
UINTN DataSize;
VOID *Data;
UINT32 PubKeyIndex;
UINT64 MonotonicCount;
EFI_TIME *TimeStamp;
} AUTH_VARIABLE_INFO;
/**
Finds variable in storage blocks of volatile and non-volatile storage areas.
This code finds variable in storage blocks of volatile and non-volatile storage areas.
If VariableName is an empty string, then we just return the first
qualified variable without comparing VariableName and VendorGuid.
@param[in] VariableName Name of the variable to be found.
@param[in] VendorGuid Variable vendor GUID to be found.
@param[out] AuthVariableInfo Pointer to AUTH_VARIABLE_INFO structure for
output of the variable found.
@retval EFI_INVALID_PARAMETER If VariableName is not an empty string,
while VendorGuid is NULL.
@retval EFI_SUCCESS Variable successfully found.
@retval EFI_NOT_FOUND Variable not found
**/
typedef
EFI_STATUS
(EFIAPI *AUTH_VAR_LIB_FIND_VARIABLE)(
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
OUT AUTH_VARIABLE_INFO *AuthVariableInfo
);
/**
Finds next variable in storage blocks of volatile and non-volatile storage areas.
This code finds next variable in storage blocks of volatile and non-volatile storage areas.
If VariableName is an empty string, then we just return the first
qualified variable without comparing VariableName and VendorGuid.
@param[in] VariableName Name of the variable to be found.
@param[in] VendorGuid Variable vendor GUID to be found.
@param[out] AuthVariableInfo Pointer to AUTH_VARIABLE_INFO structure for
output of the next variable.
@retval EFI_INVALID_PARAMETER If VariableName is not an empty string,
while VendorGuid is NULL.
@retval EFI_SUCCESS Variable successfully found.
@retval EFI_NOT_FOUND Variable not found
**/
typedef
EFI_STATUS
(EFIAPI *AUTH_VAR_LIB_FIND_NEXT_VARIABLE)(
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
OUT AUTH_VARIABLE_INFO *AuthVariableInfo
);
/**
Update the variable region with Variable information.
@param[in] AuthVariableInfo Pointer AUTH_VARIABLE_INFO structure for
input of the variable.
@retval EFI_SUCCESS The update operation is success.
@retval EFI_INVALID_PARAMETER Invalid parameter.
@retval EFI_WRITE_PROTECTED Variable is write-protected.
@retval EFI_OUT_OF_RESOURCES There is not enough resource.
**/
typedef
EFI_STATUS
(EFIAPI *AUTH_VAR_LIB_UPDATE_VARIABLE)(
IN AUTH_VARIABLE_INFO *AuthVariableInfo
);
/**
Get scratch buffer.
@param[in, out] ScratchBufferSize Scratch buffer size. If input size is greater than
the maximum supported buffer size, this value contains
the maximum supported buffer size as output.
@param[out] ScratchBuffer Pointer to scratch buffer address.
@retval EFI_SUCCESS Get scratch buffer successfully.
@retval EFI_UNSUPPORTED If input size is greater than the maximum supported buffer size.
**/
typedef
EFI_STATUS
(EFIAPI *AUTH_VAR_LIB_GET_SCRATCH_BUFFER)(
IN OUT UINTN *ScratchBufferSize,
OUT VOID **ScratchBuffer
);
/**
This function is to check if the remaining variable space is enough to set
all Variables from argument list successfully. The purpose of the check
is to keep the consistency of the Variables to be in variable storage.
Note: Variables are assumed to be in same storage.
The set sequence of Variables will be same with the sequence of VariableEntry from argument list,
so follow the argument sequence to check the Variables.
@param[in] Attributes Variable attributes for Variable entries.
@param ... The variable argument list with type VARIABLE_ENTRY_CONSISTENCY *.
A NULL terminates the list. The VariableSize of
VARIABLE_ENTRY_CONSISTENCY is the variable data size as input.
It will be changed to variable total size as output.
@retval TRUE Have enough variable space to set the Variables successfully.
@retval FALSE No enough variable space to set the Variables successfully.
**/
typedef
BOOLEAN
(EFIAPI *AUTH_VAR_LIB_CHECK_REMAINING_SPACE)(
IN UINT32 Attributes,
...
);
/**
Return TRUE if at OS runtime.
@retval TRUE If at OS runtime.
@retval FALSE If at boot time.
**/
typedef
BOOLEAN
(EFIAPI *AUTH_VAR_LIB_AT_RUNTIME)(
VOID
);
#define AUTH_VAR_LIB_CONTEXT_IN_STRUCT_VERSION 0x01
typedef struct {
UINTN StructVersion;
UINTN StructSize;
//
// Reflect the overhead associated with the saving
// of a single EFI authenticated variable with the exception
// of the overhead associated with the length
// of the string name of the EFI variable.
//
UINTN MaxAuthVariableSize;
AUTH_VAR_LIB_FIND_VARIABLE FindVariable;
AUTH_VAR_LIB_FIND_NEXT_VARIABLE FindNextVariable;
AUTH_VAR_LIB_UPDATE_VARIABLE UpdateVariable;
AUTH_VAR_LIB_GET_SCRATCH_BUFFER GetScratchBuffer;
AUTH_VAR_LIB_CHECK_REMAINING_SPACE CheckRemainingSpaceForConsistency;
AUTH_VAR_LIB_AT_RUNTIME AtRuntime;
} AUTH_VAR_LIB_CONTEXT_IN;
#define AUTH_VAR_LIB_CONTEXT_OUT_STRUCT_VERSION 0x01
typedef struct {
UINTN StructVersion;
UINTN StructSize;
//
// Caller needs to set variable property for the variables.
//
VARIABLE_ENTRY_PROPERTY *AuthVarEntry;
UINTN AuthVarEntryCount;
//
// Caller needs to ConvertPointer() for the pointers.
//
VOID ***AddressPointer;
UINTN AddressPointerCount;
} AUTH_VAR_LIB_CONTEXT_OUT;
/**
Initialization for authenticated varibale services.
If this initialization returns error status, other APIs will not work
and expect to be not called then.
@param[in] AuthVarLibContextIn Pointer to input auth variable lib context.
@param[out] AuthVarLibContextOut Pointer to output auth variable lib context.
@retval EFI_SUCCESS Function successfully executed.
@retval EFI_INVALID_PARAMETER If AuthVarLibContextIn == NULL or AuthVarLibContextOut == NULL.
@retval EFI_OUT_OF_RESOURCES Fail to allocate enough resource.
@retval EFI_UNSUPPORTED Unsupported to process authenticated variable.
**/
EFI_STATUS
EFIAPI
AuthVariableLibInitialize (
IN AUTH_VAR_LIB_CONTEXT_IN *AuthVarLibContextIn,
OUT AUTH_VAR_LIB_CONTEXT_OUT *AuthVarLibContextOut
);
/**
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
@param[in] VariableName Name of the variable.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Data Data pointer.
@param[in] DataSize Size of Data.
@param[in] Attributes Attribute value of the variable.
@retval EFI_SUCCESS The firmware has successfully stored the variable and its data as
defined by the Attributes.
@retval EFI_INVALID_PARAMETER Invalid parameter.
@retval EFI_WRITE_PROTECTED Variable is write-protected.
@retval EFI_OUT_OF_RESOURCES There is not enough resource.
@retval EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACESS
set, but the AuthInfo does NOT pass the validation
check carried out by the firmware.
@retval EFI_UNSUPPORTED Unsupported to process authenticated variable.
**/
EFI_STATUS
EFIAPI
AuthVariableLibProcessVariable (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
IN VOID *Data,
IN UINTN DataSize,
IN UINT32 Attributes
);
#endif