mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-07-26 23:22:07 +00:00
Clean up efiauthenticated.h a lot.
Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones
Peter Jones
parent
1f1ec4cea8
commit
324db6bbab
@ -2,214 +2,208 @@
|
|||||||
#define SHIM_EFIAUTHENTICATED_H
|
#define SHIM_EFIAUTHENTICATED_H
|
||||||
|
|
||||||
#include <wincert.h>
|
#include <wincert.h>
|
||||||
//***********************************************************************
|
|
||||||
// Signature Database
|
/***********************************************************************
|
||||||
//***********************************************************************
|
* Signature Database
|
||||||
///
|
***********************************************************************/
|
||||||
/// The format of a signature database.
|
/*
|
||||||
///
|
* The format of a signature database.
|
||||||
|
*/
|
||||||
#pragma pack(1)
|
#pragma pack(1)
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
///
|
/*
|
||||||
/// An identifier which identifies the agent which added the signature to the list.
|
* An identifier which identifies the agent which added the signature to
|
||||||
///
|
* the list.
|
||||||
EFI_GUID SignatureOwner;
|
*/
|
||||||
///
|
EFI_GUID SignatureOwner;
|
||||||
/// The format of the signature is defined by the SignatureType.
|
/*
|
||||||
///
|
* The format of the signature is defined by the SignatureType.
|
||||||
UINT8 SignatureData[1];
|
*/
|
||||||
|
UINT8 SignatureData[1];
|
||||||
} EFI_SIGNATURE_DATA;
|
} EFI_SIGNATURE_DATA;
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
///
|
/*
|
||||||
/// Type of the signature. GUID signature types are defined in below.
|
* Type of the signature. GUID signature types are defined below.
|
||||||
///
|
*/
|
||||||
EFI_GUID SignatureType;
|
EFI_GUID SignatureType;
|
||||||
///
|
/*
|
||||||
/// Total size of the signature list, including this header.
|
* Total size of the signature list, including this header.
|
||||||
///
|
*/
|
||||||
UINT32 SignatureListSize;
|
UINT32 SignatureListSize;
|
||||||
///
|
/*
|
||||||
/// Size of the signature header which precedes the array of signatures.
|
* Size of the signature header which precedes the array of signatures.
|
||||||
///
|
*/
|
||||||
UINT32 SignatureHeaderSize;
|
UINT32 SignatureHeaderSize;
|
||||||
///
|
/*
|
||||||
/// Size of each signature.
|
* Size of each signature.
|
||||||
///
|
*/
|
||||||
UINT32 SignatureSize;
|
UINT32 SignatureSize;
|
||||||
///
|
/*
|
||||||
/// Header before the array of signatures. The format of this header is specified
|
* Header before the array of signatures. The format of this header is
|
||||||
/// by the SignatureType.
|
* specified by the SignatureType.
|
||||||
/// UINT8 SignatureHeader[SignatureHeaderSize];
|
*/
|
||||||
///
|
//UINT8 SignatureHeader[SignatureHeaderSize];
|
||||||
/// An array of signatures. Each signature is SignatureSize bytes in length.
|
/*
|
||||||
/// EFI_SIGNATURE_DATA Signatures[][SignatureSize];
|
* An array of signatures. Each signature is SignatureSize bytes in length.
|
||||||
///
|
*/
|
||||||
|
//EFI_SIGNATURE_DATA Signatures[][SignatureSize];
|
||||||
} EFI_SIGNATURE_LIST;
|
} EFI_SIGNATURE_LIST;
|
||||||
|
|
||||||
#pragma pack()
|
#pragma pack()
|
||||||
|
|
||||||
//
|
/*
|
||||||
// _WIN_CERTIFICATE.wCertificateType
|
* WIN_CERTIFICATE.wCertificateType
|
||||||
//
|
*/
|
||||||
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
|
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
|
||||||
#define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0
|
#define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0
|
||||||
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
|
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
|
||||||
|
|
||||||
#define EFI_CERT_X509_GUID \
|
#define EFI_CERT_X509_GUID \
|
||||||
(EFI_GUID){ \
|
(EFI_GUID) { \
|
||||||
0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \
|
0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \
|
||||||
}
|
}
|
||||||
|
|
||||||
#define EFI_CERT_RSA2048_GUID \
|
#define EFI_CERT_RSA2048_GUID \
|
||||||
(EFI_GUID){ \
|
(EFI_GUID) { \
|
||||||
0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
|
0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#define EFI_CERT_TYPE_PKCS7_GUID \
|
#define EFI_CERT_TYPE_PKCS7_GUID \
|
||||||
(EFI_GUID){ \
|
(EFI_GUID) { \
|
||||||
0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \
|
0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \
|
||||||
}
|
}
|
||||||
|
|
||||||
///
|
/*
|
||||||
/// WIN_CERTIFICATE_UEFI_GUID.CertType
|
* WIN_CERTIFICATE_UEFI_GUID.CertType
|
||||||
///
|
*/
|
||||||
#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \
|
#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \
|
||||||
{0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } }
|
{0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } }
|
||||||
|
|
||||||
///
|
/*
|
||||||
/// WIN_CERTIFICATE_UEFI_GUID.CertData
|
* WIN_CERTIFICATE_UEFI_GUID.CertData
|
||||||
///
|
*/
|
||||||
typedef struct {
|
typedef struct {
|
||||||
EFI_GUID HashType;
|
EFI_GUID HashType;
|
||||||
UINT8 PublicKey[256];
|
UINT8 PublicKey[256];
|
||||||
UINT8 Signature[256];
|
UINT8 Signature[256];
|
||||||
} EFI_CERT_BLOCK_RSA_2048_SHA256;
|
} EFI_CERT_BLOCK_RSA_2048_SHA256;
|
||||||
|
|
||||||
|
/*
|
||||||
///
|
* Certificate which encapsulates a GUID-specific digital signature
|
||||||
/// Certificate which encapsulates a GUID-specific digital signature
|
*/
|
||||||
///
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
///
|
/*
|
||||||
/// This is the standard WIN_CERTIFICATE header, where
|
* This is the standard WIN_CERTIFICATE header, where wCertificateType is
|
||||||
/// wCertificateType is set to WIN_CERT_TYPE_UEFI_GUID.
|
* set to WIN_CERT_TYPE_UEFI_GUID.
|
||||||
///
|
*/
|
||||||
WIN_CERTIFICATE Hdr;
|
WIN_CERTIFICATE Hdr;
|
||||||
///
|
/*
|
||||||
/// This is the unique id which determines the
|
* This is the unique id which determines the format of the CertData.
|
||||||
/// format of the CertData. .
|
*/
|
||||||
///
|
EFI_GUID CertType;
|
||||||
EFI_GUID CertType;
|
/*
|
||||||
///
|
* The following is the certificate data. The format of the data is
|
||||||
/// The following is the certificate data. The format of
|
* determined by the CertType. If CertType is
|
||||||
/// the data is determined by the CertType.
|
* EFI_CERT_TYPE_RSA2048_SHA256_GUID, the CertData will be
|
||||||
/// If CertType is EFI_CERT_TYPE_RSA2048_SHA256_GUID,
|
* EFI_CERT_BLOCK_RSA_2048_SHA256 structure.
|
||||||
/// the CertData will be EFI_CERT_BLOCK_RSA_2048_SHA256 structure.
|
*/
|
||||||
///
|
UINT8 CertData[1];
|
||||||
UINT8 CertData[1];
|
|
||||||
} WIN_CERTIFICATE_UEFI_GUID;
|
} WIN_CERTIFICATE_UEFI_GUID;
|
||||||
|
|
||||||
|
/*
|
||||||
///
|
* Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature.
|
||||||
/// Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature.
|
*
|
||||||
///
|
* The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from
|
||||||
/// The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from
|
* WIN_CERTIFICATE and encapsulate the information needed to implement the
|
||||||
/// WIN_CERTIFICATE and encapsulate the information needed to
|
* RSASSA-PKCS1-v1_5 digital signature algorithm as specified in RFC2437.
|
||||||
/// implement the RSASSA-PKCS1-v1_5 digital signature algorithm as
|
*/
|
||||||
/// specified in RFC2437.
|
typedef struct {
|
||||||
///
|
/*
|
||||||
typedef struct {
|
* This is the standard WIN_CERTIFICATE header, where
|
||||||
///
|
* wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15.
|
||||||
/// This is the standard WIN_CERTIFICATE header, where
|
*/
|
||||||
/// wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15.
|
WIN_CERTIFICATE Hdr;
|
||||||
///
|
/*
|
||||||
WIN_CERTIFICATE Hdr;
|
* This is the hashing algorithm which was performed on the UEFI
|
||||||
///
|
* executable when creating the digital signature.
|
||||||
/// This is the hashing algorithm which was performed on the
|
*/
|
||||||
/// UEFI executable when creating the digital signature.
|
EFI_GUID HashAlgorithm;
|
||||||
///
|
/*
|
||||||
EFI_GUID HashAlgorithm;
|
* The following is the actual digital signature. The size of the
|
||||||
///
|
* signature is the same size as the key (1024-bit key is 128 bytes)
|
||||||
/// The following is the actual digital signature. The
|
* and can be determined by subtracting the length of the other parts
|
||||||
/// size of the signature is the same size as the key
|
* of this header from the total length of the certificate as found
|
||||||
/// (1024-bit key is 128 bytes) and can be determined by
|
* in Hdr.dwLength.
|
||||||
/// subtracting the length of the other parts of this header
|
*/
|
||||||
/// from the total length of the certificate as found in
|
//UINT8 Signature[];
|
||||||
/// Hdr.dwLength.
|
|
||||||
///
|
|
||||||
/// UINT8 Signature[];
|
|
||||||
///
|
|
||||||
} WIN_CERTIFICATE_EFI_PKCS1_15;
|
} WIN_CERTIFICATE_EFI_PKCS1_15;
|
||||||
|
|
||||||
#define OFFSET_OF(TYPE, Field) ((UINTN) &(((TYPE *)0)->Field))
|
#define OFFSET_OF(TYPE, Field) ((UINTN) &(((TYPE *)0)->Field))
|
||||||
|
|
||||||
///
|
/*
|
||||||
/// Attributes of Authenticated Variable
|
* Attributes of Authenticated Variable
|
||||||
///
|
*/
|
||||||
#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010
|
#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010
|
||||||
#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020
|
#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020
|
||||||
#define EFI_VARIABLE_APPEND_WRITE 0x00000040
|
#define EFI_VARIABLE_APPEND_WRITE 0x00000040
|
||||||
|
|
||||||
///
|
/*
|
||||||
/// AuthInfo is a WIN_CERTIFICATE using the wCertificateType
|
* AuthInfo is a WIN_CERTIFICATE using the wCertificateType
|
||||||
/// WIN_CERTIFICATE_UEFI_GUID and the CertType
|
* WIN_CERTIFICATE_UEFI_GUID and the CertType
|
||||||
/// EFI_CERT_TYPE_RSA2048_SHA256_GUID. If the attribute specifies
|
* EFI_CERT_TYPE_RSA2048_SHA256_GUID. If the attribute specifies
|
||||||
/// authenticated access, then the Data buffer should begin with an
|
* authenticated access, then the Data buffer should begin with an
|
||||||
/// authentication descriptor prior to the data payload and DataSize
|
* authentication descriptor prior to the data payload and DataSize should
|
||||||
/// should reflect the the data.and descriptor size. The caller
|
* reflect the the data.and descriptor size. The caller shall digest the
|
||||||
/// shall digest the Monotonic Count value and the associated data
|
* Monotonic Count value and the associated data for the variable update
|
||||||
/// for the variable update using the SHA-256 1-way hash algorithm.
|
* using the SHA-256 1-way hash algorithm. The ensuing the 32-byte digest
|
||||||
/// The ensuing the 32-byte digest will be signed using the private
|
* will be signed using the private key associated w/ the public/private
|
||||||
/// key associated w/ the public/private 2048-bit RSA key-pair. The
|
* 2048-bit RSA key-pair. The WIN_CERTIFICATE shall be used to describe the
|
||||||
/// WIN_CERTIFICATE shall be used to describe the signature of the
|
* signature of the Variable data *Data. In addition, the signature will also
|
||||||
/// Variable data *Data. In addition, the signature will also
|
* include the MonotonicCount value to guard against replay attacks.
|
||||||
/// include the MonotonicCount value to guard against replay attacks.
|
*/
|
||||||
///
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
///
|
/*
|
||||||
/// Included in the signature of
|
* Included in the signature of AuthInfo.Used to ensure freshness/no
|
||||||
/// AuthInfo.Used to ensure freshness/no
|
* replay. Incremented during each "Write" access.
|
||||||
/// replay. Incremented during each
|
*/
|
||||||
/// "Write" access.
|
UINT64 MonotonicCount;
|
||||||
///
|
/*
|
||||||
UINT64 MonotonicCount;
|
* Provides the authorization for the variable access. It is a
|
||||||
///
|
* signature across the variable data and the Monotonic Count value.
|
||||||
/// Provides the authorization for the variable
|
* Caller uses Private key that is associated with a public key that
|
||||||
/// access. It is a signature across the
|
* has been provisioned via the key exchange.
|
||||||
/// variable data and the Monotonic Count
|
*/
|
||||||
/// value. Caller uses Private key that is
|
WIN_CERTIFICATE_UEFI_GUID AuthInfo;
|
||||||
/// associated with a public key that has been
|
|
||||||
/// provisioned via the key exchange.
|
|
||||||
///
|
|
||||||
WIN_CERTIFICATE_UEFI_GUID AuthInfo;
|
|
||||||
} EFI_VARIABLE_AUTHENTICATION;
|
} EFI_VARIABLE_AUTHENTICATION;
|
||||||
|
|
||||||
///
|
/*
|
||||||
/// When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is
|
* When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is
|
||||||
/// set, then the Data buffer shall begin with an instance of a complete (and serialized)
|
* set, then the Data buffer shall begin with an instance of a complete (and
|
||||||
/// EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall be followed by the new
|
* serialized) EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall
|
||||||
/// variable value and DataSize shall reflect the combined size of the descriptor and the new
|
* be followed by the new variable value and DataSize shall reflect the
|
||||||
/// variable value. The authentication descriptor is not part of the variable data and is not
|
* combined size of the descriptor and the new variable value. The
|
||||||
/// returned by subsequent calls to GetVariable().
|
* authentication descriptor is not part of the variable data and is not
|
||||||
///
|
* returned by subsequent calls to GetVariable().
|
||||||
|
*/
|
||||||
typedef struct {
|
typedef struct {
|
||||||
///
|
/*
|
||||||
/// For the TimeStamp value, components Pad1, Nanosecond, TimeZone, Daylight and
|
* For the TimeStamp value, components Pad1, Nanosecond, TimeZone,
|
||||||
/// Pad2 shall be set to 0. This means that the time shall always be expressed in GMT.
|
* Daylight and Pad2 shall be set to 0. This means that the time
|
||||||
///
|
* shall always be expressed in GMT.
|
||||||
EFI_TIME TimeStamp;
|
*/
|
||||||
///
|
EFI_TIME TimeStamp;
|
||||||
/// Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted.
|
/*
|
||||||
///
|
* Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted.
|
||||||
WIN_CERTIFICATE_UEFI_GUID AuthInfo;
|
*/
|
||||||
} EFI_VARIABLE_AUTHENTICATION_2;
|
WIN_CERTIFICATE_UEFI_GUID AuthInfo;
|
||||||
|
} EFI_VARIABLE_AUTHENTICATION_2;
|
||||||
|
|
||||||
///
|
/*
|
||||||
/// Size of AuthInfo prior to the data payload.
|
* Size of AuthInfo prior to the data payload.
|
||||||
///
|
*/
|
||||||
#define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
|
#define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
|
||||||
(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
|
(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
|
||||||
sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
|
sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user