mirror of
https://github.com/CloverHackyColor/CloverBootloader.git
synced 2025-01-06 18:37:43 +01:00
620401dca6
Signed-off-by: Sergey Isakov <isakov-sl@bk.ru>
448 lines
10 KiB
C
448 lines
10 KiB
C
/** @file
|
|
Copyright (C) 2019, vit9696. All rights reserved.
|
|
|
|
All rights reserved.
|
|
|
|
This program and the accompanying materials
|
|
are licensed and made available under the terms and conditions of the BSD License
|
|
which accompanies this distribution. The full text of the license may be found at
|
|
http://opensource.org/licenses/bsd-license.php
|
|
|
|
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
|
**/
|
|
|
|
#include <Uefi.h>
|
|
#include <Guid/FileInfo.h>
|
|
#include <Protocol/SimpleFileSystem.h>
|
|
|
|
#include <Library/BaseLib.h>
|
|
#include <Library/BaseMemoryLib.h>
|
|
#include <Library/DebugLib.h>
|
|
#include <Library/DevicePathLib.h>
|
|
#include <Library/MemoryAllocationLib.h>
|
|
#include <Library/OcStringLib.h>
|
|
#include <Library/OcStorageLib.h>
|
|
#include <Library/UefiBootServicesTableLib.h>
|
|
|
|
OC_STRUCTORS (OC_STORAGE_VAULT_HASH, ())
|
|
OC_MAP_STRUCTORS (OC_STORAGE_VAULT_FILES)
|
|
OC_STRUCTORS (OC_STORAGE_VAULT, ())
|
|
|
|
#pragma pack(push, 1)
|
|
|
|
typedef PACKED struct {
|
|
VENDOR_DEFINED_DEVICE_PATH Vendor;
|
|
EFI_DEVICE_PATH_PROTOCOL End;
|
|
} DUMMY_BOOT_DEVICE_PATH;
|
|
|
|
typedef PACKED struct {
|
|
VENDOR_DEFINED_DEVICE_PATH Vendor;
|
|
VENDOR_DEFINED_DEVICE_PATH VendorFile;
|
|
EFI_DEVICE_PATH_PROTOCOL End;
|
|
} DUMMY_BOOT_DEVICE_FILE_PATH;
|
|
|
|
#pragma pack(pop)
|
|
|
|
//
|
|
// We do not want to expose these for the time being!.
|
|
//
|
|
|
|
#define INTERNAL_STORAGE_GUID \
|
|
{ 0x33B5C65A, 0x5B82, 0x403D, {0x87, 0xA5, 0xD4, 0x67, 0x62, 0x50, 0xEC, 0x59} }
|
|
|
|
#define INTERNAL_STORAGE_FILE_GUID \
|
|
{ 0x1237EC17, 0xD3CE, 0x401D, {0xA8, 0x41, 0xB1, 0xD8, 0x18, 0xF8, 0xAF, 0x1A} }
|
|
|
|
STATIC
|
|
DUMMY_BOOT_DEVICE_PATH
|
|
mDummyBootDevicePath = {
|
|
.Vendor = {
|
|
.Header = {
|
|
.Type = HARDWARE_DEVICE_PATH,
|
|
.SubType = HW_VENDOR_DP,
|
|
.Length = {sizeof (VENDOR_DEFINED_DEVICE_PATH), 0}
|
|
},
|
|
.Guid = INTERNAL_STORAGE_GUID
|
|
},
|
|
.End = {
|
|
.Type = END_DEVICE_PATH_TYPE,
|
|
.SubType = END_ENTIRE_DEVICE_PATH_SUBTYPE,
|
|
.Length = {END_DEVICE_PATH_LENGTH, 0}
|
|
}
|
|
};
|
|
|
|
STATIC
|
|
DUMMY_BOOT_DEVICE_FILE_PATH
|
|
mDummyBootDeviceFilePath = {
|
|
.Vendor = {
|
|
.Header = {
|
|
.Type = HARDWARE_DEVICE_PATH,
|
|
.SubType = HW_VENDOR_DP,
|
|
.Length = {sizeof (VENDOR_DEFINED_DEVICE_PATH), 0}
|
|
},
|
|
.Guid = INTERNAL_STORAGE_GUID
|
|
},
|
|
.VendorFile = {
|
|
.Header = {
|
|
.Type = HARDWARE_DEVICE_PATH,
|
|
.SubType = HW_VENDOR_DP,
|
|
.Length = {sizeof (VENDOR_DEFINED_DEVICE_PATH), 0}
|
|
},
|
|
.Guid = INTERNAL_STORAGE_FILE_GUID
|
|
},
|
|
.End = {
|
|
.Type = END_DEVICE_PATH_TYPE,
|
|
.SubType = END_ENTIRE_DEVICE_PATH_SUBTYPE,
|
|
.Length = {END_DEVICE_PATH_LENGTH, 0}
|
|
}
|
|
};
|
|
|
|
STATIC
|
|
OC_SCHEMA
|
|
mVaultFilesSchema = OC_SCHEMA_DATAF (NULL, UINT8 [SHA256_DIGEST_SIZE]);
|
|
|
|
///
|
|
/// WARNING: Field list must be alpabetically ordered here!
|
|
///
|
|
STATIC
|
|
OC_SCHEMA
|
|
mVaultNodesSchema[] = {
|
|
OC_SCHEMA_MAP_IN ("Files", OC_STORAGE_VAULT, Files, &mVaultFilesSchema),
|
|
OC_SCHEMA_INTEGER_IN ("Version", OC_STORAGE_VAULT, Version),
|
|
};
|
|
|
|
STATIC
|
|
OC_SCHEMA_INFO
|
|
mVaultSchema = {
|
|
.Dict = {mVaultNodesSchema, ARRAY_SIZE (mVaultNodesSchema)}
|
|
};
|
|
|
|
|
|
STATIC
|
|
EFI_STATUS
|
|
OcStorageInitializeVault (
|
|
IN OUT OC_STORAGE_CONTEXT *Context,
|
|
IN VOID *Vault OPTIONAL,
|
|
IN UINT32 VaultSize,
|
|
IN OC_RSA_PUBLIC_KEY *StorageKey OPTIONAL,
|
|
IN VOID *Signature OPTIONAL,
|
|
IN UINT32 SignatureSize OPTIONAL
|
|
)
|
|
{
|
|
if (Signature != NULL && Vault == NULL) {
|
|
DEBUG ((DEBUG_ERROR, "OCST: Missing vault with signature\n"));
|
|
return EFI_SECURITY_VIOLATION;
|
|
}
|
|
|
|
if (Vault == NULL) {
|
|
DEBUG ((DEBUG_INFO, "OCST: Missing vault data, ignoring...\n"));
|
|
return EFI_SUCCESS;
|
|
}
|
|
|
|
if (Signature != NULL) {
|
|
ASSERT (StorageKey != NULL);
|
|
|
|
if (!RsaVerifySigDataFromKey (StorageKey, Signature, SignatureSize, Vault, VaultSize, OcSigHashTypeSha256)) {
|
|
DEBUG ((DEBUG_ERROR, "OCST: Invalid vault signature\n"));
|
|
return EFI_SECURITY_VIOLATION;
|
|
}
|
|
}
|
|
|
|
OC_STORAGE_VAULT_CONSTRUCT (&Context->Vault, sizeof (Context->Vault));
|
|
if (!ParseSerialized (&Context->Vault, &mVaultSchema, Vault, VaultSize)) {
|
|
OC_STORAGE_VAULT_DESTRUCT (&Context->Vault, sizeof (Context->Vault));
|
|
DEBUG ((DEBUG_ERROR, "OCST: Invalid vault data\n"));
|
|
return EFI_INVALID_PARAMETER;
|
|
}
|
|
|
|
if (Context->Vault.Version != OC_STORAGE_VAULT_VERSION) {
|
|
OC_STORAGE_VAULT_DESTRUCT (&Context->Vault, sizeof (Context->Vault));
|
|
DEBUG ((
|
|
DEBUG_ERROR,
|
|
"OCST: Unsupported vault data verion %u vs %u\n",
|
|
Context->Vault.Version,
|
|
OC_STORAGE_VAULT_VERSION
|
|
));
|
|
return EFI_UNSUPPORTED;
|
|
}
|
|
|
|
Context->HasVault = TRUE;
|
|
|
|
return EFI_SUCCESS;
|
|
}
|
|
|
|
STATIC
|
|
UINT8 *
|
|
OcStorageGetDigest (
|
|
IN OUT OC_STORAGE_CONTEXT *Context,
|
|
IN CONST CHAR16 *Filename
|
|
)
|
|
{
|
|
UINT32 Index;
|
|
UINTN StrIndex;
|
|
CHAR8 *VaultFilePath;
|
|
UINTN FilenameSize;
|
|
|
|
if (!Context->HasVault) {
|
|
return NULL;
|
|
}
|
|
|
|
FilenameSize = StrLen (Filename) + 1;
|
|
|
|
for (Index = 0; Index < Context->Vault.Files.Count; ++Index) {
|
|
if (Context->Vault.Files.Keys[Index]->Size != (UINT32) FilenameSize) {
|
|
continue;
|
|
}
|
|
|
|
VaultFilePath = OC_BLOB_GET (Context->Vault.Files.Keys[Index]);
|
|
|
|
for (StrIndex = 0; StrIndex < FilenameSize; ++StrIndex) {
|
|
if (Filename[StrIndex] != VaultFilePath[StrIndex]) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (StrIndex == FilenameSize) {
|
|
return &Context->Vault.Files.Values[Index]->Hash[0];
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
EFI_STATUS
|
|
OcStorageInitFromFs (
|
|
OUT OC_STORAGE_CONTEXT *Context,
|
|
IN EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *FileSystem,
|
|
IN CONST CHAR16 *Path,
|
|
IN OC_RSA_PUBLIC_KEY *StorageKey OPTIONAL
|
|
)
|
|
{
|
|
EFI_STATUS Status;
|
|
EFI_FILE_PROTOCOL *RootVolume;
|
|
VOID *Vault;
|
|
VOID *Signature;
|
|
UINT32 DataSize;
|
|
UINT32 SignatureSize;
|
|
|
|
ZeroMem (Context, sizeof (*Context));
|
|
|
|
Context->FileSystem = FileSystem;
|
|
|
|
Status = FileSystem->OpenVolume (FileSystem, &RootVolume);
|
|
if (EFI_ERROR (Status)) {
|
|
DEBUG ((DEBUG_INFO, "OCST: FileSystem volume cannot be opened - %r\n", Status));
|
|
return Status;
|
|
}
|
|
|
|
Status = SafeFileOpen (
|
|
RootVolume,
|
|
&Context->StorageRoot,
|
|
(CHAR16 *) Path,
|
|
EFI_FILE_MODE_READ,
|
|
0
|
|
);
|
|
|
|
RootVolume->Close (RootVolume);
|
|
|
|
if (EFI_ERROR (Status)) {
|
|
DEBUG ((DEBUG_INFO, "OCST: Directory %s cannot be opened - %r\n", Path, Status));
|
|
return Status;
|
|
}
|
|
|
|
SignatureSize = 0;
|
|
|
|
if (StorageKey) {
|
|
Signature = OcStorageReadFileUnicode (
|
|
Context,
|
|
OC_STORAGE_VAULT_SIGNATURE_PATH,
|
|
&SignatureSize
|
|
);
|
|
|
|
if (Signature == NULL) {
|
|
DEBUG ((DEBUG_ERROR, "OCS: Missing vault signature\n"));
|
|
OcStorageFree (Context);
|
|
return EFI_SECURITY_VIOLATION;
|
|
}
|
|
} else {
|
|
Signature = NULL;
|
|
}
|
|
|
|
DataSize = 0;
|
|
Vault = OcStorageReadFileUnicode (
|
|
Context,
|
|
OC_STORAGE_VAULT_PATH,
|
|
&DataSize
|
|
);
|
|
|
|
Status = OcStorageInitializeVault (Context, Vault, DataSize, StorageKey, Signature, SignatureSize);
|
|
|
|
if (EFI_ERROR (Status)) {
|
|
DEBUG ((DEBUG_INFO, "OCST: Vault init failure %p (%u) - %r\n", Vault, DataSize, Status));
|
|
}
|
|
|
|
gBS->InstallProtocolInterface (
|
|
&Context->StorageHandle,
|
|
&gEfiDevicePathProtocolGuid,
|
|
EFI_NATIVE_INTERFACE,
|
|
&mDummyBootDevicePath
|
|
);
|
|
Context->DummyDevicePath = &mDummyBootDeviceFilePath.Vendor.Header;
|
|
Context->DummyFilePath = &mDummyBootDeviceFilePath.VendorFile.Header;
|
|
|
|
if (Signature != NULL) {
|
|
FreePool (Signature);
|
|
}
|
|
|
|
if (Vault != NULL) {
|
|
FreePool (Vault);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
VOID
|
|
OcStorageFree (
|
|
IN OUT OC_STORAGE_CONTEXT *Context
|
|
)
|
|
{
|
|
if (Context->StorageRoot != NULL) {
|
|
Context->StorageRoot->Close (Context->StorageRoot);
|
|
Context->StorageRoot = NULL;
|
|
}
|
|
|
|
if (Context->HasVault) {
|
|
OC_STORAGE_VAULT_DESTRUCT (&Context->Vault, sizeof (Context->Vault));
|
|
Context->HasVault = FALSE;
|
|
}
|
|
}
|
|
|
|
BOOLEAN
|
|
OcStorageExistsFileUnicode (
|
|
IN OC_STORAGE_CONTEXT *Context,
|
|
IN CONST CHAR16 *FilePath
|
|
)
|
|
{
|
|
EFI_STATUS Status;
|
|
EFI_FILE_PROTOCOL *File;
|
|
UINT8 *VaultDigest;
|
|
|
|
//
|
|
// Using this API with empty filename is also not allowed.
|
|
//
|
|
ASSERT (Context != NULL);
|
|
ASSERT (FilePath != NULL);
|
|
ASSERT (StrLen (FilePath) > 0);
|
|
|
|
VaultDigest = OcStorageGetDigest (Context, FilePath);
|
|
|
|
if (VaultDigest != NULL) {
|
|
return TRUE;
|
|
}
|
|
|
|
if (Context->StorageRoot == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
Status = SafeFileOpen (
|
|
Context->StorageRoot,
|
|
&File,
|
|
(CHAR16 *) FilePath,
|
|
EFI_FILE_MODE_READ,
|
|
0
|
|
);
|
|
|
|
if (!EFI_ERROR (Status)) {
|
|
File->Close (File);
|
|
return TRUE;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
VOID *
|
|
OcStorageReadFileUnicode (
|
|
IN OC_STORAGE_CONTEXT *Context,
|
|
IN CONST CHAR16 *FilePath,
|
|
OUT UINT32 *FileSize OPTIONAL
|
|
)
|
|
{
|
|
EFI_STATUS Status;
|
|
EFI_FILE_PROTOCOL *File;
|
|
UINT32 Size;
|
|
UINT8 *FileBuffer;
|
|
UINT8 *VaultDigest;
|
|
UINT8 FileDigest[SHA256_DIGEST_SIZE];
|
|
|
|
//
|
|
// Using this API with empty filename is also not allowed.
|
|
//
|
|
ASSERT (Context != NULL);
|
|
ASSERT (FilePath != NULL);
|
|
ASSERT (StrLen (FilePath) > 0);
|
|
|
|
VaultDigest = OcStorageGetDigest (Context, FilePath);
|
|
|
|
if (Context->HasVault && VaultDigest == NULL) {
|
|
DEBUG ((DEBUG_ERROR, "OCST: Aborting %s file access not present in vault\n", FilePath));
|
|
return NULL;
|
|
}
|
|
|
|
if (Context->StorageRoot == NULL) {
|
|
//
|
|
// TODO: expand support for other contexts.
|
|
//
|
|
return NULL;
|
|
}
|
|
|
|
Status = SafeFileOpen (
|
|
Context->StorageRoot,
|
|
&File,
|
|
(CHAR16 *) FilePath,
|
|
EFI_FILE_MODE_READ,
|
|
0
|
|
);
|
|
|
|
if (EFI_ERROR (Status)) {
|
|
return NULL;
|
|
}
|
|
|
|
Status = GetFileSize (File, &Size);
|
|
if (EFI_ERROR (Status) || Size >= MAX_UINT32 - 1) {
|
|
File->Close (File);
|
|
return NULL;
|
|
}
|
|
|
|
FileBuffer = AllocatePool (Size + 2);
|
|
if (FileBuffer == NULL) {
|
|
File->Close (File);
|
|
return NULL;
|
|
}
|
|
|
|
Status = GetFileData (File, 0, Size, FileBuffer);
|
|
File->Close (File);
|
|
if (EFI_ERROR (Status)) {
|
|
FreePool (FileBuffer);
|
|
return NULL;
|
|
}
|
|
|
|
if (VaultDigest != 0) {
|
|
Sha256 (FileDigest, FileBuffer, Size);
|
|
if (CompareMem (FileDigest, VaultDigest, SHA256_DIGEST_SIZE) != 0) {
|
|
DEBUG ((DEBUG_ERROR, "OCST: Aborting corrupted %s file access\n", FilePath));
|
|
FreePool (FileBuffer);
|
|
return NULL;
|
|
}
|
|
}
|
|
|
|
FileBuffer[Size] = 0;
|
|
FileBuffer[Size + 1] = 0;
|
|
|
|
if (FileSize != NULL) {
|
|
*FileSize = Size;
|
|
}
|
|
|
|
return FileBuffer;
|
|
}
|