efi_loader: add signature verification functions
In this commit, implemented are a couple of helper functions which will be
used to materialize variable authentication as well as image authentication
in later patches.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
diff --git a/include/efi_api.h b/include/efi_api.h
index 1c40ffc..77d6bf2 100644
--- a/include/efi_api.h
+++ b/include/efi_api.h
@@ -18,6 +18,7 @@
#include <efi.h>
#include <charset.h>
+#include <pe.h>
#ifdef CONFIG_EFI_LOADER
#include <asm/setjmp.h>
@@ -329,6 +330,10 @@
EFI_GUID(0x8be4df61, 0x93ca, 0x11d2, 0xaa, 0x0d, \
0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c)
+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
+ EFI_GUID(0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, \
+ 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f)
+
#define EFI_FDT_GUID \
EFI_GUID(0xb1b621d5, 0xf19c, 0x41a5, \
0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0)
@@ -1682,4 +1687,86 @@
#define LAST_ATTEMPT_STATUS_ERROR_UNSUCCESSFUL_VENDOR_RANGE_MIN 0x00001000
#define LAST_ATTEMPT_STATUS_ERROR_UNSUCCESSFUL_VENDOR_RANGE_MAX 0x00004000
+/* Certificate types in signature database */
+#define EFI_CERT_SHA256_GUID \
+ EFI_GUID(0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, \
+ 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28)
+#define EFI_CERT_RSA2048_GUID \
+ EFI_GUID(0x3c5766e8, 0x269c, 0x4e34, 0xaa, 0x14, \
+ 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6)
+#define EFI_CERT_X509_GUID \
+ EFI_GUID(0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, \
+ 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72)
+#define EFI_CERT_X509_SHA256_GUID \
+ EFI_GUID(0x3bd2a492, 0x96c0, 0x4079, 0xb4, 0x20, \
+ 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed)
+#define EFI_CERT_TYPE_PKCS7_GUID \
+ EFI_GUID(0x4aafd29d, 0x68df, 0x49ee, 0x8a, 0xa9, \
+ 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7)
+
+/**
+ * win_certificate_uefi_guid - A certificate that encapsulates
+ * a GUID-specific signature
+ *
+ * @hdr: Windows certificate header
+ * @cert_type: Certificate type
+ * @cert_data: Certificate data
+ */
+struct win_certificate_uefi_guid {
+ WIN_CERTIFICATE hdr;
+ efi_guid_t cert_type;
+ u8 cert_data[];
+} __attribute__((__packed__));
+
+/**
+ * efi_variable_authentication_2 - A time-based authentication method
+ * descriptor
+ *
+ * This structure describes an authentication information for
+ * a variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
+ * and should be included as part of a variable's value.
+ * Only EFI_CERT_TYPE_PKCS7_GUID is accepted.
+ *
+ * @time_stamp: Descriptor's time stamp
+ * @auth_info: Authentication info
+ */
+struct efi_variable_authentication_2 {
+ struct efi_time time_stamp;
+ struct win_certificate_uefi_guid auth_info;
+} __attribute__((__packed__));
+
+/**
+ * efi_signature_data - A format of signature
+ *
+ * This structure describes a single signature in signature database.
+ *
+ * @signature_owner: Signature owner
+ * @signature_data: Signature data
+ */
+struct efi_signature_data {
+ efi_guid_t signature_owner;
+ u8 signature_data[];
+} __attribute__((__packed__));
+
+/**
+ * efi_signature_list - A format of signature database
+ *
+ * This structure describes a list of signatures with the same type.
+ * An authenticated variable's value is a concatenation of one or more
+ * efi_signature_list's.
+ *
+ * @signature_type: Signature type
+ * @signature_list_size: Size of signature list
+ * @signature_header_size: Size of signature header
+ * @signature_size: Size of signature
+ */
+struct efi_signature_list {
+ efi_guid_t signature_type;
+ u32 signature_list_size;
+ u32 signature_header_size;
+ u32 signature_size;
+/* u8 signature_header[signature_header_size]; */
+/* struct efi_signature_data signatures[...][signature_size]; */
+} __attribute__((__packed__));
+
#endif