1 #ifndef _INC_EFIAUTHENTICATED_H
2 #define _INC_EFIAUTHENTICATED_H
4 #include "../include/PeImage.h"
5 //***********************************************************************
7 //***********************************************************************
9 /// The format of a signature database.
15 /// An identifier which identifies the agent which added the signature to the list.
17 EFI_GUID SignatureOwner
;
19 /// The format of the signature is defined by the SignatureType.
21 UINT8 SignatureData
[1];
26 /// Type of the signature. GUID signature types are defined in below.
28 EFI_GUID SignatureType
;
30 /// Total size of the signature list, including this header.
32 UINT32 SignatureListSize
;
34 /// Size of the signature header which precedes the array of signatures.
36 UINT32 SignatureHeaderSize
;
38 /// Size of each signature.
42 /// Header before the array of signatures. The format of this header is specified
43 /// by the SignatureType.
44 /// UINT8 SignatureHeader[SignatureHeaderSize];
46 /// An array of signatures. Each signature is SignatureSize bytes in length.
47 /// EFI_SIGNATURE_DATA Signatures[][SignatureSize];
54 // _WIN_CERTIFICATE.wCertificateType
56 #define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
57 #define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0
58 #define WIN_CERT_TYPE_EFI_GUID 0x0EF1
60 #define EFI_CERT_X509_GUID \
62 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \
65 #define EFI_CERT_RSA2048_GUID \
67 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
71 #define EFI_CERT_TYPE_PKCS7_GUID \
73 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \
77 /// WIN_CERTIFICATE_UEFI_GUID.CertType
79 #define EFI_CERT_TYPE_RSA2048_SHA256_GUID \
80 {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } }
82 #ifdef __MAKEWITH_GNUEFI
85 /// WIN_CERTIFICATE_UEFI_GUID.CertData
91 } EFI_CERT_BLOCK_RSA_2048_SHA256
;
95 /// Certificate which encapsulates a GUID-specific digital signature
99 /// This is the standard WIN_CERTIFICATE header, where
100 /// wCertificateType is set to WIN_CERT_TYPE_UEFI_GUID.
104 /// This is the unique id which determines the
105 /// format of the CertData. .
109 /// The following is the certificate data. The format of
110 /// the data is determined by the CertType.
111 /// If CertType is EFI_CERT_TYPE_RSA2048_SHA256_GUID,
112 /// the CertData will be EFI_CERT_BLOCK_RSA_2048_SHA256 structure.
115 } WIN_CERTIFICATE_UEFI_GUID
;
119 /// Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature.
121 /// The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from
122 /// WIN_CERTIFICATE and encapsulate the information needed to
123 /// implement the RSASSA-PKCS1-v1_5 digital signature algorithm as
124 /// specified in RFC2437.
128 /// This is the standard WIN_CERTIFICATE header, where
129 /// wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15.
133 /// This is the hashing algorithm which was performed on the
134 /// UEFI executable when creating the digital signature.
136 EFI_GUID HashAlgorithm
;
138 /// The following is the actual digital signature. The
139 /// size of the signature is the same size as the key
140 /// (1024-bit key is 128 bytes) and can be determined by
141 /// subtracting the length of the other parts of this header
142 /// from the total length of the certificate as found in
145 /// UINT8 Signature[];
147 } WIN_CERTIFICATE_EFI_PKCS1_15
;
149 #define OFFSET_OF(TYPE, Field) ((UINTN) &(((TYPE *)0)->Field))
154 /// Attributes of Authenticated Variable
156 #define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010
157 #define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020
158 #define EFI_VARIABLE_APPEND_WRITE 0x00000040
160 #ifdef __MAKEWITH_GNUEFI
163 /// AuthInfo is a WIN_CERTIFICATE using the wCertificateType
164 /// WIN_CERTIFICATE_UEFI_GUID and the CertType
165 /// EFI_CERT_TYPE_RSA2048_SHA256_GUID. If the attribute specifies
166 /// authenticated access, then the Data buffer should begin with an
167 /// authentication descriptor prior to the data payload and DataSize
168 /// should reflect the the data.and descriptor size. The caller
169 /// shall digest the Monotonic Count value and the associated data
170 /// for the variable update using the SHA-256 1-way hash algorithm.
171 /// The ensuing the 32-byte digest will be signed using the private
172 /// key associated w/ the public/private 2048-bit RSA key-pair. The
173 /// WIN_CERTIFICATE shall be used to describe the signature of the
174 /// Variable data *Data. In addition, the signature will also
175 /// include the MonotonicCount value to guard against replay attacks.
179 /// Included in the signature of
180 /// AuthInfo.Used to ensure freshness/no
181 /// replay. Incremented during each
184 UINT64 MonotonicCount
;
186 /// Provides the authorization for the variable
187 /// access. It is a signature across the
188 /// variable data and the Monotonic Count
189 /// value. Caller uses Private key that is
190 /// associated with a public key that has been
191 /// provisioned via the key exchange.
193 WIN_CERTIFICATE_UEFI_GUID AuthInfo
;
194 } EFI_VARIABLE_AUTHENTICATION
;
197 /// When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is
198 /// set, then the Data buffer shall begin with an instance of a complete (and serialized)
199 /// EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall be followed by the new
200 /// variable value and DataSize shall reflect the combined size of the descriptor and the new
201 /// variable value. The authentication descriptor is not part of the variable data and is not
202 /// returned by subsequent calls to GetVariable().
206 /// For the TimeStamp value, components Pad1, Nanosecond, TimeZone, Daylight and
207 /// Pad2 shall be set to 0. This means that the time shall always be expressed in GMT.
211 /// Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted.
213 WIN_CERTIFICATE_UEFI_GUID AuthInfo
;
214 } EFI_VARIABLE_AUTHENTICATION_2
;
219 /// Size of AuthInfo prior to the data payload.
221 #define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
222 (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
223 sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
225 #define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
226 (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)
228 #define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
229 (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)))