1 #ifndef _INC_EFIAUTHENTICATED_H 2 #define _INC_EFIAUTHENTICATED_H 3 #include <wincert.h> 4 //*********************************************************************** 5 // Signature Database 6 //*********************************************************************** 7 /// 8 /// The format of a signature database. 9 /// 10 #pragma pack(1) 11 12 typedef struct { 13 /// 14 /// An identifier which identifies the agent which added the signature to the list. 15 /// 16 EFI_GUID SignatureOwner; 17 /// 18 /// The format of the signature is defined by the SignatureType. 19 /// 20 UINT8 SignatureData[1]; 21 } EFI_SIGNATURE_DATA; 22 23 typedef struct { 24 /// 25 /// Type of the signature. GUID signature types are defined in below. 26 /// 27 EFI_GUID SignatureType; 28 /// 29 /// Total size of the signature list, including this header. 30 /// 31 UINT32 SignatureListSize; 32 /// 33 /// Size of the signature header which precedes the array of signatures. 34 /// 35 UINT32 SignatureHeaderSize; 36 /// 37 /// Size of each signature. 38 /// 39 UINT32 SignatureSize; 40 /// 41 /// Header before the array of signatures. The format of this header is specified 42 /// by the SignatureType. 43 /// UINT8 SignatureHeader[SignatureHeaderSize]; 44 /// 45 /// An array of signatures. Each signature is SignatureSize bytes in length. 46 /// EFI_SIGNATURE_DATA Signatures[][SignatureSize]; 47 /// 48 } EFI_SIGNATURE_LIST; 49 50 #pragma pack() 51 52 // 53 // _WIN_CERTIFICATE.wCertificateType 54 // 55 #define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002 56 #define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0 57 #define WIN_CERT_TYPE_EFI_GUID 0x0EF1 58 59 #define EFI_CERT_X509_GUID \ 60 (EFI_GUID){ \ 61 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \ 62 } 63 64 #define EFI_CERT_RSA2048_GUID \ 65 (EFI_GUID){ \ 66 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \ 67 } 68 69 70 #define EFI_CERT_TYPE_PKCS7_GUID \ 71 (EFI_GUID){ \ 72 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \ 73 } 74 75 /// 76 /// WIN_CERTIFICATE_UEFI_GUID.CertType 77 /// 78 #define EFI_CERT_TYPE_RSA2048_SHA256_GUID \ 79 {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } } 80 81 /// 82 /// WIN_CERTIFICATE_UEFI_GUID.CertData 83 /// 84 typedef struct { 85 EFI_GUID HashType; 86 UINT8 PublicKey[256]; 87 UINT8 Signature[256]; 88 } EFI_CERT_BLOCK_RSA_2048_SHA256; 89 90 91 /// 92 /// Certificate which encapsulates a GUID-specific digital signature 93 /// 94 typedef struct { 95 /// 96 /// This is the standard WIN_CERTIFICATE header, where 97 /// wCertificateType is set to WIN_CERT_TYPE_UEFI_GUID. 98 /// 99 WIN_CERTIFICATE Hdr; 100 /// 101 /// This is the unique id which determines the 102 /// format of the CertData. . 103 /// 104 EFI_GUID CertType; 105 /// 106 /// The following is the certificate data. The format of 107 /// the data is determined by the CertType. 108 /// If CertType is EFI_CERT_TYPE_RSA2048_SHA256_GUID, 109 /// the CertData will be EFI_CERT_BLOCK_RSA_2048_SHA256 structure. 110 /// 111 UINT8 CertData[1]; 112 } WIN_CERTIFICATE_UEFI_GUID; 113 114 115 /// 116 /// Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature. 117 /// 118 /// The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from 119 /// WIN_CERTIFICATE and encapsulate the information needed to 120 /// implement the RSASSA-PKCS1-v1_5 digital signature algorithm as 121 /// specified in RFC2437. 122 /// 123 typedef struct { 124 /// 125 /// This is the standard WIN_CERTIFICATE header, where 126 /// wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15. 127 /// 128 WIN_CERTIFICATE Hdr; 129 /// 130 /// This is the hashing algorithm which was performed on the 131 /// UEFI executable when creating the digital signature. 132 /// 133 EFI_GUID HashAlgorithm; 134 /// 135 /// The following is the actual digital signature. The 136 /// size of the signature is the same size as the key 137 /// (1024-bit key is 128 bytes) and can be determined by 138 /// subtracting the length of the other parts of this header 139 /// from the total length of the certificate as found in 140 /// Hdr.dwLength. 141 /// 142 /// UINT8 Signature[]; 143 /// 144 } WIN_CERTIFICATE_EFI_PKCS1_15; 145 146 #define OFFSET_OF(TYPE, Field) ((UINTN) &(((TYPE *)0)->Field)) 147 148 /// 149 /// Attributes of Authenticated Variable 150 /// 151 #define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010 152 #define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020 153 #define EFI_VARIABLE_APPEND_WRITE 0x00000040 154 155 /// 156 /// AuthInfo is a WIN_CERTIFICATE using the wCertificateType 157 /// WIN_CERTIFICATE_UEFI_GUID and the CertType 158 /// EFI_CERT_TYPE_RSA2048_SHA256_GUID. If the attribute specifies 159 /// authenticated access, then the Data buffer should begin with an 160 /// authentication descriptor prior to the data payload and DataSize 161 /// should reflect the the data.and descriptor size. The caller 162 /// shall digest the Monotonic Count value and the associated data 163 /// for the variable update using the SHA-256 1-way hash algorithm. 164 /// The ensuing the 32-byte digest will be signed using the private 165 /// key associated w/ the public/private 2048-bit RSA key-pair. The 166 /// WIN_CERTIFICATE shall be used to describe the signature of the 167 /// Variable data *Data. In addition, the signature will also 168 /// include the MonotonicCount value to guard against replay attacks. 169 /// 170 typedef struct { 171 /// 172 /// Included in the signature of 173 /// AuthInfo.Used to ensure freshness/no 174 /// replay. Incremented during each 175 /// "Write" access. 176 /// 177 UINT64 MonotonicCount; 178 /// 179 /// Provides the authorization for the variable 180 /// access. It is a signature across the 181 /// variable data and the Monotonic Count 182 /// value. Caller uses Private key that is 183 /// associated with a public key that has been 184 /// provisioned via the key exchange. 185 /// 186 WIN_CERTIFICATE_UEFI_GUID AuthInfo; 187 } EFI_VARIABLE_AUTHENTICATION; 188 189 /// 190 /// When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is 191 /// set, then the Data buffer shall begin with an instance of a complete (and serialized) 192 /// EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall be followed by the new 193 /// variable value and DataSize shall reflect the combined size of the descriptor and the new 194 /// variable value. The authentication descriptor is not part of the variable data and is not 195 /// returned by subsequent calls to GetVariable(). 196 /// 197 typedef struct { 198 /// 199 /// For the TimeStamp value, components Pad1, Nanosecond, TimeZone, Daylight and 200 /// Pad2 shall be set to 0. This means that the time shall always be expressed in GMT. 201 /// 202 EFI_TIME TimeStamp; 203 /// 204 /// Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted. 205 /// 206 WIN_CERTIFICATE_UEFI_GUID AuthInfo; 207 } EFI_VARIABLE_AUTHENTICATION_2; 208 209 /// 210 /// Size of AuthInfo prior to the data payload. 211 /// 212 #define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \ 213 (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \ 214 sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256)) 215 216 #define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \ 217 (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength) 218 219 #define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \ 220 (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData))) 221 222 #endif 223