efi-boot-shim/include/efiauthenticated.h
2022-04-27 22:41:59 +01:00

202 lines
6.5 KiB
C

// SPDX-License-Identifier: BSD-2-Clause-Patent
#ifndef SHIM_EFIAUTHENTICATED_H
#define SHIM_EFIAUTHENTICATED_H
#include "wincert.h"
/***********************************************************************
* Signature Database
***********************************************************************/
/*
* The format of a signature database.
*/
#pragma pack(1)
typedef struct {
/*
* An identifier which identifies the agent which added the signature to
* the list.
*/
EFI_GUID SignatureOwner;
/*
* The format of the signature is defined by the SignatureType.
*/
UINT8 SignatureData[1];
} EFI_SIGNATURE_DATA;
typedef struct {
/*
* Type of the signature. GUID signature types are defined below.
*/
EFI_GUID SignatureType;
/*
* Total size of the signature list, including this header.
*/
UINT32 SignatureListSize;
/*
* Size of the signature header which precedes the array of signatures.
*/
UINT32 SignatureHeaderSize;
/*
* Size of each signature.
*/
UINT32 SignatureSize;
/*
* Header before the array of signatures. The format of this header is
* specified by the SignatureType.
*/
//UINT8 SignatureHeader[SignatureHeaderSize];
/*
* An array of signatures. Each signature is SignatureSize bytes in length.
*/
//EFI_SIGNATURE_DATA Signatures[][SignatureSize];
} EFI_SIGNATURE_LIST;
#pragma pack()
/*
* WIN_CERTIFICATE.wCertificateType
*/
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
#define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
/*
* WIN_CERTIFICATE_UEFI_GUID.CertData
*/
typedef struct {
EFI_GUID HashType;
UINT8 PublicKey[256];
UINT8 Signature[256];
} EFI_CERT_BLOCK_RSA_2048_SHA256;
/*
* Certificate which encapsulates a GUID-specific digital signature
*/
typedef struct {
/*
* This is the standard WIN_CERTIFICATE header, where wCertificateType is
* set to WIN_CERT_TYPE_UEFI_GUID.
*/
WIN_CERTIFICATE Hdr;
/*
* This is the unique id which determines the format of the CertData.
*/
EFI_GUID CertType;
/*
* The following is the certificate data. The format of the data is
* determined by the CertType. If CertType is
* EFI_CERT_TYPE_RSA2048_SHA256_GUID, the CertData will be
* EFI_CERT_BLOCK_RSA_2048_SHA256 structure.
*/
UINT8 CertData[1];
} WIN_CERTIFICATE_UEFI_GUID;
/*
* Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature.
*
* The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from
* WIN_CERTIFICATE and encapsulate the information needed to implement the
* RSASSA-PKCS1-v1_5 digital signature algorithm as specified in RFC2437.
*/
typedef struct {
/*
* This is the standard WIN_CERTIFICATE header, where
* wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15.
*/
WIN_CERTIFICATE Hdr;
/*
* This is the hashing algorithm which was performed on the UEFI
* executable when creating the digital signature.
*/
EFI_GUID HashAlgorithm;
/*
* The following is the actual digital signature. The size of the
* signature is the same size as the key (1024-bit key is 128 bytes)
* and can be determined by subtracting the length of the other parts
* of this header from the total length of the certificate as found
* in Hdr.dwLength.
*/
//UINT8 Signature[];
} WIN_CERTIFICATE_EFI_PKCS1_15;
/*
* Attributes of Authenticated Variable
*/
#ifndef EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010
#endif
#ifndef EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020
#endif
#ifndef EFI_VARIABLE_APPEND_WRITE
#define EFI_VARIABLE_APPEND_WRITE 0x00000040
#endif
/*
* AuthInfo is a WIN_CERTIFICATE using the wCertificateType
* WIN_CERTIFICATE_UEFI_GUID and the CertType
* EFI_CERT_TYPE_RSA2048_SHA256_GUID. If the attribute specifies
* authenticated access, then the Data buffer should begin with an
* authentication descriptor prior to the data payload and DataSize should
* reflect the the data.and descriptor size. The caller shall digest the
* Monotonic Count value and the associated data for the variable update
* using the SHA-256 1-way hash algorithm. The ensuing the 32-byte digest
* will be signed using the private key associated w/ the public/private
* 2048-bit RSA key-pair. The WIN_CERTIFICATE shall be used to describe the
* signature of the Variable data *Data. In addition, the signature will also
* include the MonotonicCount value to guard against replay attacks.
*/
typedef struct {
/*
* Included in the signature of AuthInfo.Used to ensure freshness/no
* replay. Incremented during each "Write" access.
*/
UINT64 MonotonicCount;
/*
* Provides the authorization for the variable access. It is a
* signature across the variable data and the Monotonic Count value.
* Caller uses Private key that is associated with a public key that
* has been provisioned via the key exchange.
*/
WIN_CERTIFICATE_UEFI_GUID AuthInfo;
} EFI_VARIABLE_AUTHENTICATION;
/*
* When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is
* set, then the Data buffer shall begin with an instance of a complete (and
* serialized) EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall
* be followed by the new variable value and DataSize shall reflect the
* combined size of the descriptor and the new variable value. The
* authentication descriptor is not part of the variable data and is not
* returned by subsequent calls to GetVariable().
*/
typedef struct {
/*
* For the TimeStamp value, components Pad1, Nanosecond, TimeZone,
* Daylight and Pad2 shall be set to 0. This means that the time
* shall always be expressed in GMT.
*/
EFI_TIME TimeStamp;
/*
* Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted.
*/
WIN_CERTIFICATE_UEFI_GUID AuthInfo;
} EFI_VARIABLE_AUTHENTICATION_2;
/*
* Size of AuthInfo prior to the data payload.
*/
#define AUTHINFO_SIZE ((offsetof(EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
(offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
#define AUTHINFO2_SIZE(VarAuth2) ((offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
(UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)
#define OFFSET_OF_AUTHINFO2_CERT_DATA ((offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
(offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData)))
#endif /* SHIM_EFIAUTHENTICATED_H */