2019-09-03 11:58:42 +02:00
/*
* refit / scan / securemenu . c
*
* Copyright ( c ) 2006 - 2010 Christoph Pfisterer
* All rights reserved .
*
* Redistribution and use in source and binary forms , with or without
* modification , are permitted provided that the following conditions are
* met :
*
* * Redistributions of source code must retain the above copyright
* notice , this list of conditions and the following disclaimer .
*
* * Redistributions in binary form must reproduce the above copyright
* notice , this list of conditions and the following disclaimer in the
* documentation and / or other materials provided with the
* distribution .
*
* * Neither the name of Christoph Pfisterer nor the names of the
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission .
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* " AS IS " AND ANY EXPRESS OR IMPLIED WARRANTIES , INCLUDING , BUT NOT
* LIMITED TO , THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED . IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT , INDIRECT , INCIDENTAL ,
* SPECIAL , EXEMPLARY , OR CONSEQUENTIAL DAMAGES ( INCLUDING , BUT NOT
* LIMITED TO , PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES ; LOSS OF USE ,
* DATA , OR PROFITS ; OR BUSINESS INTERRUPTION ) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY , WHETHER IN CONTRACT , STRICT LIABILITY , OR TORT
* ( INCLUDING NEGLIGENCE OR OTHERWISE ) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE , EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE .
*/
2020-02-17 21:41:09 +01:00
//CONST INTN SecureMenuDef = 0; // jief : not used ??
2019-09-03 11:58:42 +02:00
# ifdef ENABLE_SECURE_BOOT
2021-02-11 12:41:59 +01:00
# include <Platform.h>
# include "../Platform/Settings.h"
# include "../Platform/Nvram.h"
2019-09-03 11:58:42 +02:00
# include "entry_scan.h"
2021-02-11 12:41:59 +01:00
# include "../gui/REFIT_MENU_SCREEN.h"
# include "../gui/menu_items/menu_items.h"
# include "secureboot.h"
# include "../Platform/Self.h"
# include "../refit/screen.h"
# include "../libeg/XTheme.h"
2019-09-03 11:58:42 +02:00
# include <Guid/ImageAuthentication.h>
# ifndef DEBUG_ALL
# define DEBUG_SECURE_MENU 1
# else
# define DEBUG_SECURE_MENU DEBUG_ALL
# endif
# if DEBUG_SECURE_MENU == 0
# define DBG(...)
# else
# define DBG(...) DebugLog(DEBUG_SECURE_MENU, __VA_ARGS__)
# endif
extern BOOLEAN gGuiIsReady ;
extern BOOLEAN gThemeNeedInit ;
// Add secure boot tool entry
2020-10-03 19:02:31 +02:00
void AddSecureBootTool ( void )
2019-09-03 11:58:42 +02:00
{
LOADER_ENTRY * Entry ;
// If in forced mode or no secure boot then don't add tool
2021-02-11 12:41:59 +01:00
if ( ! gSettings . Boot . SecureBoot & & ! gSettings . Boot . SecureBootSetupMode ) {
2019-09-03 11:58:42 +02:00
return ;
}
2021-02-21 14:49:09 +01:00
//panic("not done yet");
2021-02-11 12:41:59 +01:00
// if (gSettings.Boot.SecureBoot) {
// Entry = new REFIT_MENU_ENTRY_SECURE_BOOT();
// Entry->Title.SWPrintf("Clover Secure Boot Configuration");
//// Entry->Tag = TAG_SECURE_BOOT_CONFIG;
// Entry->Image = ThemeX.GetIcon(BUILTIN_ICON_FUNC_SECURE_BOOT_CONFIG);
//
// } else {
// Entry = new REFIT_MENU_ENTRY_SECURE_BOOT_CONFIG();
// Entry->Title.SWPrintf("Enable Clover Secure Boot");
//// Entry->Tag = TAG_SECURE_BOOT;
// Entry->Image = ThemeX.GetIcon(BUILTIN_ICON_FUNC_SECURE_BOOT);
// }
2021-02-21 14:49:09 +01:00
//----- not done yet ----------
// Entry->Row = 1;
2019-09-03 11:58:42 +02:00
//actions
2021-02-21 14:49:09 +01:00
// Entry->AtClick = ActionSelect;
// Entry->AtDoubleClick = ActionEnter;
// Entry->AtRightClick = ActionHelp;
// MainMenu.AddMenuEntry(Entry);
2019-09-03 11:58:42 +02:00
}
2021-02-11 12:41:59 +01:00
STATIC REFIT_ABSTRACT_MENU_ENTRY QueryEntry [ ] = {
2020-04-10 12:04:21 +02:00
{ L " Deny authentication " _XSW , SECURE_BOOT_POLICY_DENY , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ,
{ L " Allow authentication " _XSW , SECURE_BOOT_POLICY_ALLOW , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ,
{ L " Insert authentication into database " _XSW , SECURE_BOOT_POLICY_INSERT , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ,
2019-09-03 11:58:42 +02:00
} ;
STATIC REFIT_MENU_ENTRY * QueryEntries [ ] = { QueryEntry , QueryEntry + 1 , QueryEntry + 2 } ;
2020-04-10 12:04:21 +02:00
STATIC REFIT_MENU_SCREEN QueryUserMenu = { 0 , L " Secure Boot Authentication " _XSW , L " " _XSW , 3 , NULL , 2 , QueryEntries ,
2020-03-21 08:34:28 +01:00
0 , NULL , NULL , FALSE , FALSE , 0 , 0 , 0 , 0 ,
/* FILM_CENTRE, FILM_CENTRE,*/ { 0 , 0 , 0 , 0 } , NULL } ;
2019-09-03 11:58:42 +02:00
// Query the secure boot user what to do with image
UINTN QuerySecureBootUser ( IN CONST EFI_DEVICE_PATH_PROTOCOL * DevicePath )
{
UINTN Response = SECURE_BOOT_POLICY_DENY ;
// Check parameters
if ( DevicePath ! = NULL ) {
// Get the device path string
2021-02-11 12:41:59 +01:00
QueryUserMenu . InfoLines . setEmpty ( )
QueryUserMenu . InfoLines . Add ( L " Please select the authentication action for " _XSW ) ;
QueryUserMenu . InfoLines . AddNoNull ( FileDevicePathToXStringW ( ( EFI_DEVICE_PATH_PROTOCOL * ) DevicePath ) ;
if ( QueryUserMenu . InfoLines . size ( ) > = 1 ) {
2019-09-03 11:58:42 +02:00
// Get the device path file path
2021-02-11 12:41:59 +01:00
QueryUserMenu . InfoLines . AddNoNull ( FileDevicePathToXStringW ( ( EFI_DEVICE_PATH_PROTOCOL * ) DevicePath ) ;
if ( QueryUserMenu . InfoLines . size ( ) > = 2 ) {
2019-09-03 11:58:42 +02:00
// Create the entries
2021-02-11 12:41:59 +01:00
REFIT_SIMPLE_MENU_ENTRY_TAG * ChosenEntry = NULL ;
2019-09-03 11:58:42 +02:00
UINTN MenuExit ;
// Update the menu
2021-02-02 10:02:21 +01:00
QueryUserMenu . Entries . size ( ) = gSettings . Boot . SecureBootSetupMode ? 2 : 3 ;
2019-09-03 11:58:42 +02:00
// Debug message
2021-02-11 12:41:59 +01:00
DBG ( " VerifySecureBootImage: Query user for authentication action for %ls \n " , QueryUserMenu . InfoLines [ 1 ] ) ;
2019-09-03 11:58:42 +02:00
// Because we may
if ( ! gGuiIsReady ) {
InitScreen ( FALSE ) ;
if ( gThemeNeedInit ) {
2021-02-11 12:41:59 +01:00
UINTN Size = 0 ;
InitTheme ( ( CHAR8 * ) GetNvramVariable ( L " Clover.Theme " , & gEfiAppleBootGuid , NULL , & Size ) ) ;
2020-04-16 18:21:13 +02:00
ThemeX . ClearScreen ( ) ;
2019-09-03 11:58:42 +02:00
gThemeNeedInit = FALSE ;
}
gGuiIsReady = TRUE ;
}
// Run the query menu
do
{
2020-03-03 21:44:07 +01:00
MenuExit = QueryUserMenu . RunMenu ( & ChosenEntry ) ;
2019-09-03 11:58:42 +02:00
if ( ( ChosenEntry ! = NULL ) & &
( ( MenuExit = = MENU_EXIT_ENTER ) | | ( MenuExit = = MENU_EXIT_DETAILS ) ) ) {
Response = ( UINTN ) ChosenEntry - > Tag ;
MenuExit = MENU_EXIT_ESCAPE ;
}
} while ( MenuExit ! = MENU_EXIT_ESCAPE ) ;
}
}
}
return Response ;
}
// Find a device path's signature list
2020-10-03 19:02:31 +02:00
STATIC void * FindImageSignatureDatabase ( IN CONST EFI_DEVICE_PATH_PROTOCOL * DevicePath ,
2019-09-03 11:58:42 +02:00
OUT UINTN * DatabaseSize )
{
EFI_IMAGE_EXECUTION_INFO_TABLE * ImageExeInfoTable = NULL ;
EFI_IMAGE_EXECUTION_INFO * ImageExeInfo ;
CHAR16 * FDP ;
UINT8 * Ptr ;
UINTN Index ;
// Check parameters
if ( DatabaseSize = = NULL ) {
return NULL ;
}
* DatabaseSize = 0 ;
if ( DevicePath = = NULL ) {
return NULL ;
}
// Get the execution information table
2020-10-03 19:02:31 +02:00
if ( EFI_ERROR ( EfiGetSystemConfigurationTable ( & gEfiImageSecurityDatabaseGuid , ( void * * ) & ImageExeInfoTable ) ) | |
2019-09-03 11:58:42 +02:00
( ImageExeInfoTable = = NULL ) ) {
return NULL ;
}
// Get device path string
FDP = FileDevicePathToStr ( ( EFI_DEVICE_PATH_PROTOCOL * ) DevicePath ) ;
if ( FDP = = NULL ) {
return NULL ;
}
// Get the execution information
Ptr = ( UINT8 * ) ImageExeInfoTable ;
Ptr + = sizeof ( EFI_IMAGE_EXECUTION_INFO_TABLE ) ;
// Traverse the execution information table
ImageExeInfo = ( EFI_IMAGE_EXECUTION_INFO * ) Ptr ;
for ( Index = 0 ; Index < ImageExeInfoTable - > NumberOfImages ; + + Index , Ptr + = ImageExeInfo - > InfoSize ) {
UINT8 * Offset = Ptr + OFFSET_OF ( EFI_IMAGE_EXECUTION_INFO , InfoSize ) + sizeof ( ImageExeInfo - > InfoSize ) ;
CHAR16 * Name = ( CHAR16 * ) Offset ;
// Check to make sure this is valid
if ( ( ImageExeInfo - > Action = = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED ) | |
( ImageExeInfo - > Action = = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND ) ) {
continue ;
}
// Skip the name
do
{
Offset + = sizeof ( CHAR16 ) ;
} while ( * Name + + ) ;
// Compare the device paths
Name = FileDevicePathToStr ( ( EFI_DEVICE_PATH_PROTOCOL * ) Offset ) ;
if ( Name ) {
if ( StrCmp ( FDP , Name ) = = 0 ) {
// Get the signature list and size
Offset + = GetDevicePathSize ( ( EFI_DEVICE_PATH_PROTOCOL * ) Offset ) ;
* DatabaseSize = ( ImageExeInfo - > InfoSize - ( Offset - Ptr ) ) ;
FreePool ( Name ) ;
FreePool ( FDP ) ;
return Offset ;
}
FreePool ( Name ) ;
}
}
FreePool ( FDP ) ;
// Not found
return NULL ;
}
// Insert secure boot image signature
EFI_STATUS AppendImageToAuthorizedDatabase ( IN CONST EFI_DEVICE_PATH_PROTOCOL * DevicePath ,
2020-10-03 19:02:31 +02:00
IN void * FileBuffer ,
2019-09-03 11:58:42 +02:00
IN UINTN FileSize )
{
EFI_STATUS Status = EFI_INVALID_PARAMETER ;
2021-02-11 12:41:59 +01:00
XStringW ErrorString ;
2020-10-03 19:02:31 +02:00
void * Database = NULL ;
2019-09-03 11:58:42 +02:00
UINTN DatabaseSize = 0 ;
// Check that either the device path or the file buffer is valid
if ( ( DevicePath = = NULL ) & & ( ( FileBuffer = = NULL ) | | ( FileSize = = 0 ) ) ) {
return EFI_INVALID_PARAMETER ;
}
// Get the image signature
Database = FindImageSignatureDatabase ( DevicePath , & DatabaseSize ) ;
if ( Database ) {
// Add the image signature to database
Status = AppendImageDatabaseToAuthorizedDatabase ( Database , DatabaseSize ) ;
} else if ( ( FileBuffer = = NULL ) | | ( FileSize = = 0 ) ) {
// Load file by device path
UINT32 AuthenticationStatus = 0 ;
FileBuffer = GetFileBufferByFilePath ( FALSE , DevicePath , & FileSize , & AuthenticationStatus ) ;
if ( FileBuffer ) {
if ( FileSize > 0 ) {
// Create image signature
Database = GetImageSignatureDatabase ( FileBuffer , FileSize , & DatabaseSize , TRUE ) ;
if ( Database ) {
// Add the image signature to database
if ( EFI_ERROR ( Status = AppendImageDatabaseToAuthorizedDatabase ( Database , DatabaseSize ) ) ) {
2021-02-11 12:41:59 +01:00
ErrorString = L " Failed to insert image authentication " _XSW ;
2019-09-03 11:58:42 +02:00
}
FreePool ( Database ) ;
} else {
2021-02-11 12:41:59 +01:00
ErrorString = L " Image has no certificates or is not valid " _XSW ;
2019-09-03 11:58:42 +02:00
}
} else {
2021-02-11 12:41:59 +01:00
ErrorString = L " Image has no certificates or is not valid " _XSW ;
2019-09-03 11:58:42 +02:00
}
FreePool ( FileBuffer ) ;
} else {
2021-02-11 12:41:59 +01:00
ErrorString = L " Failed to load the image " _XSW ;
2019-09-03 11:58:42 +02:00
}
} else {
// Create image signature
Database = GetImageSignatureDatabase ( FileBuffer , FileSize , & DatabaseSize , TRUE ) ;
if ( Database ) {
// Add the image signature to database
if ( EFI_ERROR ( Status = AppendImageDatabaseToAuthorizedDatabase ( Database , DatabaseSize ) ) ) {
2021-02-11 12:41:59 +01:00
ErrorString = L " Failed to insert image authentication " _XSW ;
2019-09-03 11:58:42 +02:00
}
FreePool ( Database ) ;
} else {
2021-02-11 12:41:59 +01:00
ErrorString = L " Image has no certificates or is not valid " _XSW ;
2019-09-03 11:58:42 +02:00
}
}
2021-02-11 12:41:59 +01:00
if ( ErrorString . notEmpty ( ) ) {
2019-09-03 11:58:42 +02:00
CHAR16 * DevicePathStr = FileDevicePathToStr ( ( EFI_DEVICE_PATH_PROTOCOL * ) DevicePath ) ;
if ( DevicePathStr ! = NULL ) {
2021-02-11 12:41:59 +01:00
XStringW FileDevicePathStr = FileDevicePathFileToXStringW ( ( EFI_DEVICE_PATH_PROTOCOL * ) DevicePath ) ;
if ( FileDevicePathStr . notEmpty ( ) ) {
XStringW Str = SWPrintf ( " %ls \n %ls \n %ls " , ErrorString . wc_str ( ) , DevicePathStr , FileDevicePathStr . wc_str ( ) ) ;
AlertMessage ( L " Insert Image Authentication " _XSW , Str ) ;
2019-09-03 11:58:42 +02:00
} else {
2021-02-11 12:41:59 +01:00
XStringW Str = SWPrintf ( " %ls \n %ls " , ErrorString . wc_str ( ) , DevicePathStr ) ;
AlertMessage ( L " Insert Image Authentication " _XSW , Str ) ;
2019-09-03 11:58:42 +02:00
}
FreePool ( DevicePathStr ) ;
} else {
2021-02-11 12:41:59 +01:00
AlertMessage ( L " Insert Image Authentication " _XSW , ErrorString ) ;
2019-09-03 11:58:42 +02:00
}
}
return Status ;
}
// Insert secure boot image signature
EFI_STATUS RemoveImageFromAuthorizedDatabase ( IN CONST EFI_DEVICE_PATH_PROTOCOL * DevicePath ,
2020-10-03 19:02:31 +02:00
IN void * FileBuffer ,
2019-09-03 11:58:42 +02:00
IN UINTN FileSize )
{
EFI_STATUS Status = EFI_INVALID_PARAMETER ;
2021-02-11 12:41:59 +01:00
XStringW ErrorString ;
2020-10-03 19:02:31 +02:00
void * Database ;
2019-09-03 11:58:42 +02:00
UINTN DatabaseSize = 0 ;
// Check that either the device path or the file buffer is valid
if ( DevicePath = = NULL ) {
return EFI_INVALID_PARAMETER ;
}
// Get the image signature
Database = FindImageSignatureDatabase ( DevicePath , & DatabaseSize ) ;
if ( Database ) {
// Remove the image signature from database
Status = RemoveImageDatabaseFromAuthorizedDatabase ( Database , DatabaseSize ) ;
} else if ( ( FileBuffer = = NULL ) | | ( FileSize = = 0 ) ) {
// Load file by device path
UINT32 AuthenticationStatus = 0 ;
FileBuffer = GetFileBufferByFilePath ( FALSE , DevicePath , & FileSize , & AuthenticationStatus ) ;
if ( FileBuffer ) {
if ( FileSize > 0 ) {
// Create image signature
Database = GetImageSignatureDatabase ( FileBuffer , FileSize , & DatabaseSize , TRUE ) ;
if ( Database ) {
// Remove the image signature from database
if ( EFI_ERROR ( Status = RemoveImageDatabaseFromAuthorizedDatabase ( Database , DatabaseSize ) ) ) {
2021-02-11 12:41:59 +01:00
ErrorString . takeValueFrom ( L " Failed to remove image authentication " _XSW ) ;
2019-09-03 11:58:42 +02:00
}
FreePool ( Database ) ;
} else {
2021-02-11 12:41:59 +01:00
ErrorString . takeValueFrom ( L " Image has no certificates or is not valid " _XSW ) ;
2019-09-03 11:58:42 +02:00
}
} else {
2021-02-11 12:41:59 +01:00
ErrorString = L " Image has no certificates or is not valid " _XSW ;
2019-09-03 11:58:42 +02:00
}
FreePool ( FileBuffer ) ;
} else {
2021-02-11 12:41:59 +01:00
ErrorString . takeValueFrom ( L " Failed to load the image " ) ;
2019-09-03 11:58:42 +02:00
}
} else {
// Create image signature
Database = GetImageSignatureDatabase ( FileBuffer , FileSize , & DatabaseSize , TRUE ) ;
if ( Database ) {
// Remove the image signature from database
if ( EFI_ERROR ( Status = RemoveImageDatabaseFromAuthorizedDatabase ( Database , DatabaseSize ) ) ) {
2021-02-11 12:41:59 +01:00
ErrorString = L " Failed to remove image authentication " _XSW ;
2019-09-03 11:58:42 +02:00
}
FreePool ( Database ) ;
} else {
2021-02-11 12:41:59 +01:00
ErrorString = L " Image has no certificates or is not valid " _XSW ;
2019-09-03 11:58:42 +02:00
}
}
2021-02-11 12:41:59 +01:00
if ( ErrorString . notEmpty ( ) ) {
2019-09-03 11:58:42 +02:00
CHAR16 * DevicePathStr = FileDevicePathToStr ( ( EFI_DEVICE_PATH_PROTOCOL * ) DevicePath ) ;
if ( DevicePathStr ! = NULL ) {
2021-02-11 12:41:59 +01:00
XStringW FileDevicePathStr = FileDevicePathFileToXStringW ( ( EFI_DEVICE_PATH_PROTOCOL * ) DevicePath ) ;
if ( FileDevicePathStr . notEmpty ( ) ) {
XStringW Str = SWPrintf ( " %ls \n %ls \n %ls " , ErrorString . wc_str ( ) , DevicePathStr , FileDevicePathStr . wc_str ( ) ) ;
AlertMessage ( L " Remove Image Authentication " _XSW , Str ) ;
2019-09-03 11:58:42 +02:00
} else {
2021-02-11 12:41:59 +01:00
XStringW Str = SWPrintf ( " %ls \n %ls " , ErrorString . wc_str ( ) , DevicePathStr ) ;
AlertMessage ( L " Remove Image Authentication " _XSW , Str ) ;
2019-09-03 11:58:42 +02:00
}
FreePool ( DevicePathStr ) ;
} else {
2021-02-11 12:41:59 +01:00
AlertMessage ( L " Remove Image Authentication " _XSW , ErrorString ) ;
2019-09-03 11:58:42 +02:00
}
}
return Status ;
}
2020-02-28 21:28:33 +01:00
extern REFIT_MENU_ITEM_RETURN MenuEntryReturn ;
2019-09-03 11:58:42 +02:00
# define TAG_POLICY 1
# define TAG_INSERT 2
# define TAG_REMOVE 3
# define TAG_CLEAR 4
# define TAG_DISABLE 5
2021-02-11 12:41:59 +01:00
STATIC REFIT_MENU_ITEM_RETURN SecureBootPolicyEntry = { NULL , TAG_POLICY , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ;
2019-09-03 11:58:42 +02:00
STATIC REFIT_MENU_ENTRY InsertImageSignatureEntry = { L " Add image authentication to database " , TAG_INSERT , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ;
STATIC REFIT_MENU_ENTRY RemoveImageSignatureEntry = { L " Remove image authentication from database " , TAG_REMOVE , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ;
STATIC REFIT_MENU_ENTRY ClearImageSignatureEntry = { L " Clear image authentication database " , TAG_CLEAR , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ;
STATIC REFIT_MENU_ENTRY DisableSecureBootEntry = { L " Disable secure boot " , TAG_DISABLE , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ;
STATIC REFIT_MENU_ENTRY * SecureBootEntries [ ] = { NULL , NULL , NULL , NULL , NULL , NULL } ;
STATIC REFIT_MENU_SCREEN SecureBootMenu = { 0 , L " Secure Boot Configuration " , NULL , 0 , NULL , 0 , SecureBootEntries ,
0 , NULL , NULL , FALSE , FALSE , 0 , 0 , 0 , 0 ,
/* FILM_CENTRE, FILM_CENTRE,*/ { 0 , 0 , 0 , 0 } , NULL } ;
STATIC REFIT_MENU_ENTRY SecureBootPolicyNameEntry [ ] = {
{ L " Deny " , SECURE_BOOT_POLICY_DENY , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ,
{ L " Allow " , SECURE_BOOT_POLICY_ALLOW , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ,
{ L " Query " , SECURE_BOOT_POLICY_QUERY , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ,
{ L " Insert " , SECURE_BOOT_POLICY_INSERT , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ,
{ L " WhiteList " , SECURE_BOOT_POLICY_WHITELIST , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ,
{ L " BlackList " , SECURE_BOOT_POLICY_BLACKLIST , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ,
{ L " User " , SECURE_BOOT_POLICY_USER , 0 , 0 , 0 , NULL , NULL , NULL , { 0 , 0 , 0 , 0 } , ActionEnter , ActionNone , ActionNone , ActionNone , NULL } ,
} ;
STATIC REFIT_MENU_ENTRY * SecureBootPolicyEntries [ ] = {
SecureBootPolicyNameEntry ,
SecureBootPolicyNameEntry + 1 ,
SecureBootPolicyNameEntry + 2 ,
SecureBootPolicyNameEntry + 3 ,
SecureBootPolicyNameEntry + 4 ,
SecureBootPolicyNameEntry + 5 ,
SecureBootPolicyNameEntry + 6 ,
& MenuEntryReturn
} ;
STATIC REFIT_MENU_SCREEN SecureBootPolicyMenu = { 0 , L " Secure Boot Policy " , NULL , 0 , NULL ,
sizeof ( SecureBootPolicyEntries ) / sizeof ( REFIT_MENU_ENTRY * ) , SecureBootPolicyEntries ,
0 , NULL , NULL , FALSE , FALSE , 0 , 0 , 0 , 0 ,
/* FILM_CENTRE, FILM_CENTRE,*/ { 0 , 0 , 0 , 0 } , NULL } ;
// Configure secure boot
2020-10-03 19:02:31 +02:00
BOOLEAN ConfigureSecureBoot ( void )
2019-09-03 11:58:42 +02:00
{
BOOLEAN StillConfiguring = TRUE ;
do
{
UINTN Index = 0 , MenuExit ;
REFIT_MENU_ENTRY * ChosenEntry = NULL ;
EFI_DEVICE_PATH * DevicePath = NULL ;
// Add the entry for secure boot policy
2021-02-02 10:02:21 +01:00
SecureBootPolicyEntry . Title . SPrintf ( " Secure boot policy: %ls " , SecureBootPolicyToStr ( gSettings . Boot . SecureBootPolicy ) ) ;
2020-03-10 12:51:04 +01:00
if ( SecureBootPolicyEntry . Title . isEmpty ( ) ) {
2019-09-03 11:58:42 +02:00
break ;
}
SecureBootPolicyMenu . Title = SecureBootPolicyEntry . Title ;
SecureBootMenu . Entries [ Index + + ] = & SecureBootPolicyEntry ;
// Get the proper entries for the secure boot mode
2021-02-02 10:02:21 +01:00
if ( ! gSettings . Boot . SecureBootSetupMode ) {
2019-09-03 11:58:42 +02:00
SecureBootMenu . Entries [ Index + + ] = & InsertImageSignatureEntry ;
SecureBootMenu . Entries [ Index + + ] = & RemoveImageSignatureEntry ;
SecureBootMenu . Entries [ Index + + ] = & ClearImageSignatureEntry ;
SecureBootMenu . Entries [ Index + + ] = & DisableSecureBootEntry ;
}
SecureBootMenu . Entries [ Index + + ] = & MenuEntryReturn ;
2020-02-28 21:28:33 +01:00
SecureBootMenu . Entries . size ( ) = Index ;
2019-09-03 11:58:42 +02:00
// Run the configuration menu
2020-03-03 21:44:07 +01:00
MenuExit = SecureBootMenu . RunMenu ( & ChosenEntry ) ;
2019-09-03 11:58:42 +02:00
if ( ( ChosenEntry ! = NULL ) & &
( ( MenuExit = = MENU_EXIT_ENTER ) | | ( MenuExit = = MENU_EXIT_DETAILS ) ) ) {
switch ( ChosenEntry - > Tag ) {
case TAG_POLICY :
// Change the secure boot policy
do
{
ChosenEntry = NULL ;
2020-03-03 21:44:07 +01:00
MenuExit = SecureBootPolicyMenu . RunMenu ( & ChosenEntry ) ;
2019-09-03 11:58:42 +02:00
if ( ( ChosenEntry ! = NULL ) & &
( ( MenuExit = = MENU_EXIT_ENTER ) | | ( MenuExit = = MENU_EXIT_DETAILS ) ) ) {
switch ( ChosenEntry - > Tag ) {
case SECURE_BOOT_POLICY_DENY :
case SECURE_BOOT_POLICY_ALLOW :
case SECURE_BOOT_POLICY_QUERY :
case SECURE_BOOT_POLICY_INSERT :
case SECURE_BOOT_POLICY_WHITELIST :
case SECURE_BOOT_POLICY_BLACKLIST :
case SECURE_BOOT_POLICY_USER :
// Set a new policy
2021-02-02 10:02:21 +01:00
gSettings . Boot . SecureBootPolicy = ( UINT8 ) ChosenEntry - > Tag ;
DBG ( " User changed secure boot policy: %ls \n " , SecureBootPolicyToStr ( gSettings . Boot . SecureBootPolicy ) ) ;
2019-09-03 11:58:42 +02:00
default :
MenuExit = MENU_EXIT_ESCAPE ;
break ;
}
}
} while ( MenuExit ! = MENU_EXIT_ESCAPE ) ;
break ;
case TAG_INSERT :
// Insert authentication
if ( AskUserForFilePathFromVolumes ( L " Select Image to Insert Authentication... " , & DevicePath ) & &
( DevicePath ! = NULL ) ) {
AppendImageToAuthorizedDatabase ( DevicePath , NULL , 0 ) ;
}
break ;
case TAG_REMOVE :
// Remove authentication
if ( AskUserForFilePathFromVolumes ( L " Select Image to Remove Authentication... " , & DevicePath ) & &
( DevicePath ! = NULL ) ) {
RemoveImageFromAuthorizedDatabase ( DevicePath , NULL , 0 ) ;
}
break ;
case TAG_CLEAR :
// Clear authentication database
if ( YesNoMessage ( L " Clear Authentication Database " , L " Are you sure you want to clear \n the image authentication database? " ) ) {
DBG ( " User cleared authentication database \n " ) ;
AlertMessage ( L " Clear Authentication Database " ,
EFI_ERROR ( ClearAuthorizedDatabase ( ) ) ?
L " Clearing the image authentication database failed! " :
L " Cleared image authentication database successfully " ) ;
}
break ;
case TAG_DISABLE :
// Disable secure boot
if ( YesNoMessage ( L " Disable Secure Boot " , L " Are you sure you want to disable secure boot? " ) ) {
DBG ( " User disabled secure boot \n " ) ;
DisableSecureBoot ( ) ;
2021-02-11 12:41:59 +01:00
if ( ! gSettings . Boot . SecureBoot ) {
2019-09-03 11:58:42 +02:00
return TRUE ;
}
AlertMessage ( L " Disable Secure Boot " , L " Disabling secure boot failed! \n Clover does not appear to own the PK " ) ;
}
break ;
default :
StillConfiguring = FALSE ;
break ;
}
} else if ( MenuExit = = MENU_EXIT_ESCAPE ) {
StillConfiguring = FALSE ;
}
FreePool ( SecureBootPolicyEntry . Title ) ;
} while ( StillConfiguring ) ;
return FALSE ;
}
# endif // ENABLE_SECURE_BOOT
