iPXE
Data Structures | Macros | Typedefs | Functions | Variables
ImageAuthentication.h File Reference

Image signature database are defined for the signed image validation. More...

#include <ipxe/efi/Guid/GlobalVariable.h>
#include <ipxe/efi/Protocol/Hash.h>

Go to the source code of this file.

Data Structures

struct  EFI_SIGNATURE_DATA
 The format of a signature database. More...
 
struct  EFI_SIGNATURE_LIST
 
struct  EFI_CERT_X509_SHA256
 
struct  EFI_CERT_X509_SHA384
 
struct  EFI_CERT_X509_SHA512
 
struct  EFI_CERT_X509_SM3
 
struct  EFI_IMAGE_EXECUTION_INFO
 
struct  EFI_IMAGE_EXECUTION_INFO_TABLE
 

Macros

#define EFI_IMAGE_SECURITY_DATABASE_GUID
 
#define EFI_IMAGE_SECURITY_DATABASE   L"db"
 Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID for the authorized signature database. More...
 
#define EFI_IMAGE_SECURITY_DATABASE1   L"dbx"
 Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID for the forbidden signature database. More...
 
#define EFI_IMAGE_SECURITY_DATABASE2   L"dbt"
 Variable name with guid EFI_IMAGE_SECURITY_DATABASE_GUID for the timestamp signature database. More...
 
#define SECURE_BOOT_MODE_ENABLE   1
 
#define SECURE_BOOT_MODE_DISABLE   0
 
#define SETUP_MODE   1
 
#define USER_MODE   0
 
#define DEVICE_AUTH_BOOT_MODE_ENABLE   1
 
#define DEVICE_AUTH_BOOT_MODE_DISABLE   0
 
#define EFI_CERT_SHA256_GUID
 This identifies a signature containing a SHA-256 hash. More...
 
#define EFI_CERT_RSA2048_GUID
 This identifies a signature containing an RSA-2048 key. More...
 
#define EFI_CERT_RSA2048_SHA256_GUID
 This identifies a signature containing a RSA-2048 signature of a SHA-256 hash. More...
 
#define EFI_CERT_SHA1_GUID
 This identifies a signature containing a SHA-1 hash. More...
 
#define EFI_CERT_SM3_GUID
 This identifies a signature containing a SM3 hash. More...
 
#define EFI_CERT_RSA2048_SHA1_GUID
 TThis identifies a signature containing a RSA-2048 signature of a SHA-1 hash. More...
 
#define EFI_CERT_X509_GUID
 This identifies a signature based on an X.509 certificate. More...
 
#define EFI_CERT_X509_SM3_GUID
 This identifies a signature containing the SM3 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation. More...
 
#define EFI_CERT_SHA224_GUID
 This identifies a signature containing a SHA-224 hash. More...
 
#define EFI_CERT_SHA384_GUID
 This identifies a signature containing a SHA-384 hash. More...
 
#define EFI_CERT_SHA512_GUID
 This identifies a signature containing a SHA-512 hash. More...
 
#define EFI_CERT_X509_SHA256_GUID
 This identifies a signature containing the SHA256 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation. More...
 
#define EFI_CERT_X509_SHA384_GUID
 This identifies a signature containing the SHA384 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation. More...
 
#define EFI_CERT_X509_SHA512_GUID
 This identifies a signature containing the SHA512 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation. More...
 
#define EFI_CERT_TYPE_PKCS7_GUID
 This identifies a signature containing a DER-encoded PKCS #7 version 1.5 [RFC2315] SignedData value. More...
 
#define EFI_IMAGE_EXECUTION_AUTHENTICATION   0x00000007
 
#define EFI_IMAGE_EXECUTION_AUTH_UNTESTED   0x00000000
 
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED   0x00000001
 
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED   0x00000002
 
#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND   0x00000003
 
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND   0x00000004
 
#define EFI_IMAGE_EXECUTION_POLICY_FAILED   0x00000005
 
#define EFI_IMAGE_EXECUTION_INITIALIZED   0x00000008
 

Typedefs

typedef UINT8 EFI_SM3_HASH[32]
 
typedef UINT32 EFI_IMAGE_EXECUTION_ACTION
 

Functions

 FILE_LICENCE (BSD2_PATENT)
 
 FILE_SECBOOT (PERMITTED)
 

Variables

EFI_GUID gEfiImageSecurityDatabaseGuid
 
EFI_GUID gEfiCertSha256Guid
 
EFI_GUID gEfiCertRsa2048Guid
 
EFI_GUID gEfiCertRsa2048Sha256Guid
 
EFI_GUID gEfiCertSha1Guid
 
EFI_GUID gEfiCertRsa2048Sha1Guid
 
EFI_GUID gEfiCertX509Guid
 
EFI_GUID gEfiCertSha224Guid
 
EFI_GUID gEfiCertSha384Guid
 
EFI_GUID gEfiCertSha512Guid
 
EFI_GUID gEfiCertX509Sha256Guid
 
EFI_GUID gEfiCertX509Sha384Guid
 
EFI_GUID gEfiCertX509Sha512Guid
 
EFI_GUID gEfiCertPkcs7Guid
 
EFI_GUID gEfiCertSm3Guid
 
EFI_GUID gEfiCertX509Sm3Guid
 

Detailed Description

Image signature database are defined for the signed image validation.

Copyright (c) 2009 - 2024, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent

Revision Reference:
GUIDs defined in UEFI 2.5 spec.

Definition in file ImageAuthentication.h.

Macro Definition Documentation

◆ EFI_IMAGE_SECURITY_DATABASE_GUID

#define EFI_IMAGE_SECURITY_DATABASE_GUID
Value:
{ \
0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f } \
}

Definition at line 20 of file ImageAuthentication.h.

◆ EFI_IMAGE_SECURITY_DATABASE

#define EFI_IMAGE_SECURITY_DATABASE   L"db"

Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID for the authorized signature database.

Definition at line 29 of file ImageAuthentication.h.

◆ EFI_IMAGE_SECURITY_DATABASE1

#define EFI_IMAGE_SECURITY_DATABASE1   L"dbx"

Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID for the forbidden signature database.

Definition at line 34 of file ImageAuthentication.h.

◆ EFI_IMAGE_SECURITY_DATABASE2

#define EFI_IMAGE_SECURITY_DATABASE2   L"dbt"

Variable name with guid EFI_IMAGE_SECURITY_DATABASE_GUID for the timestamp signature database.

Definition at line 39 of file ImageAuthentication.h.

◆ SECURE_BOOT_MODE_ENABLE

#define SECURE_BOOT_MODE_ENABLE   1

Definition at line 41 of file ImageAuthentication.h.

◆ SECURE_BOOT_MODE_DISABLE

#define SECURE_BOOT_MODE_DISABLE   0

Definition at line 42 of file ImageAuthentication.h.

◆ SETUP_MODE

#define SETUP_MODE   1

Definition at line 44 of file ImageAuthentication.h.

◆ USER_MODE

#define USER_MODE   0

Definition at line 45 of file ImageAuthentication.h.

◆ DEVICE_AUTH_BOOT_MODE_ENABLE

#define DEVICE_AUTH_BOOT_MODE_ENABLE   1

Definition at line 47 of file ImageAuthentication.h.

◆ DEVICE_AUTH_BOOT_MODE_DISABLE

#define DEVICE_AUTH_BOOT_MODE_DISABLE   0

Definition at line 48 of file ImageAuthentication.h.

◆ EFI_CERT_SHA256_GUID

#define EFI_CERT_SHA256_GUID
Value:
{ \
0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28} \
}

This identifies a signature containing a SHA-256 hash.

The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) + 32 bytes.

Definition at line 149 of file ImageAuthentication.h.

◆ EFI_CERT_RSA2048_GUID

#define EFI_CERT_RSA2048_GUID
Value:
{ \
0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
}

This identifies a signature containing an RSA-2048 key.

The key (only the modulus since the public key exponent is known to be 0x10001) shall be stored in big-endian order. The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) + 256 bytes.

Definition at line 161 of file ImageAuthentication.h.

◆ EFI_CERT_RSA2048_SHA256_GUID

#define EFI_CERT_RSA2048_SHA256_GUID
Value:
{ \
0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84} \
}

This identifies a signature containing a RSA-2048 signature of a SHA-256 hash.

The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) + 256 bytes.

Definition at line 171 of file ImageAuthentication.h.

◆ EFI_CERT_SHA1_GUID

#define EFI_CERT_SHA1_GUID
Value:
{ \
0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd} \
}

This identifies a signature containing a SHA-1 hash.

The SignatureSize shall always be 16 (size of SignatureOwner component) + 20 bytes.

Definition at line 180 of file ImageAuthentication.h.

◆ EFI_CERT_SM3_GUID

#define EFI_CERT_SM3_GUID
Value:
{ \
0x57347f87, 0x7a9b, 0x403a, { 0xb9, 0x3c, 0xdc, 0x4a, 0xfb, 0x7a, 0xe, 0xbc } \
}

This identifies a signature containing a SM3 hash.

The SignatureSize shall always be 16 (size of SignatureOwner component) + 32 bytes.

Definition at line 189 of file ImageAuthentication.h.

◆ EFI_CERT_RSA2048_SHA1_GUID

#define EFI_CERT_RSA2048_SHA1_GUID
Value:
{ \
0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80} \
}

TThis identifies a signature containing a RSA-2048 signature of a SHA-1 hash.

The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) + 256 bytes.

Definition at line 199 of file ImageAuthentication.h.

◆ EFI_CERT_X509_GUID

#define EFI_CERT_X509_GUID
Value:
{ \
0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \
}

This identifies a signature based on an X.509 certificate.

If the signature is an X.509 certificate then verification of the signature of an image should validate the public key certificate in the image using certificate path verification, up to this X.509 certificate as a trusted root. The SignatureHeader size shall always be 0. The SignatureSize may vary but shall always be 16 (size of the SignatureOwner component) + the size of the certificate itself. Note: This means that each certificate will normally be in a separate EFI_SIGNATURE_LIST.

Definition at line 213 of file ImageAuthentication.h.

◆ EFI_CERT_X509_SM3_GUID

#define EFI_CERT_X509_SM3_GUID
Value:
{ \
0x60d807e5, 0x10b4, 0x49a9, {0x93, 0x31, 0xe4, 0x4, 0x37, 0x88, 0x8d, 0x37 } \
}

This identifies a signature containing the SM3 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation.

The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component) + 32 bytes for an EFI_CERT_X509_SM3 structure. If the TimeOfRevocation is non-zero, the certificate should be considered to be revoked from that time and onwards, and otherwise the certificate shall be considered to always be revoked.

Definition at line 226 of file ImageAuthentication.h.

◆ EFI_CERT_SHA224_GUID

#define EFI_CERT_SHA224_GUID
Value:
{ \
0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} \
}

This identifies a signature containing a SHA-224 hash.

The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) + 28 bytes.

Definition at line 236 of file ImageAuthentication.h.

◆ EFI_CERT_SHA384_GUID

#define EFI_CERT_SHA384_GUID
Value:
{ \
0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} \
}

This identifies a signature containing a SHA-384 hash.

The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) + 48 bytes.

Definition at line 246 of file ImageAuthentication.h.

◆ EFI_CERT_SHA512_GUID

#define EFI_CERT_SHA512_GUID
Value:
{ \
0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} \
}

This identifies a signature containing a SHA-512 hash.

The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) + 64 bytes.

Definition at line 256 of file ImageAuthentication.h.

◆ EFI_CERT_X509_SHA256_GUID

#define EFI_CERT_X509_SHA256_GUID
Value:
{ \
0x3bd2a492, 0x96c0, 0x4079, {0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed } \
}

This identifies a signature containing the SHA256 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation.

The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)

  • 48 bytes for an EFI_CERT_X509_SHA256 structure. If the TimeOfRevocation is non-zero, the certificate should be considered to be revoked from that time and onwards, and otherwise the certificate shall be considered to always be revoked.

Definition at line 269 of file ImageAuthentication.h.

◆ EFI_CERT_X509_SHA384_GUID

#define EFI_CERT_X509_SHA384_GUID
Value:
{ \
0x7076876e, 0x80c2, 0x4ee6, {0xaa, 0xd2, 0x28, 0xb3, 0x49, 0xa6, 0x86, 0x5b } \
}

This identifies a signature containing the SHA384 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation.

The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)

  • 64 bytes for an EFI_CERT_X509_SHA384 structure. If the TimeOfRevocation is non-zero, the certificate should be considered to be revoked from that time and onwards, and otherwise the certificate shall be considered to always be revoked.

Definition at line 282 of file ImageAuthentication.h.

◆ EFI_CERT_X509_SHA512_GUID

#define EFI_CERT_X509_SHA512_GUID
Value:
{ \
0x446dbf63, 0x2502, 0x4cda, {0xbc, 0xfa, 0x24, 0x65, 0xd2, 0xb0, 0xfe, 0x9d } \
}

This identifies a signature containing the SHA512 hash of an X.509 certificate's To-Be-Signed contents, and a time of revocation.

The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)

  • 80 bytes for an EFI_CERT_X509_SHA512 structure. If the TimeOfRevocation is non-zero, the certificate should be considered to be revoked from that time and onwards, and otherwise the certificate shall be considered to always be revoked.

Definition at line 295 of file ImageAuthentication.h.

◆ EFI_CERT_TYPE_PKCS7_GUID

#define EFI_CERT_TYPE_PKCS7_GUID
Value:
{ \
0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \
}

This identifies a signature containing a DER-encoded PKCS #7 version 1.5 [RFC2315] SignedData value.

Definition at line 304 of file ImageAuthentication.h.

◆ EFI_IMAGE_EXECUTION_AUTHENTICATION

#define EFI_IMAGE_EXECUTION_AUTHENTICATION   0x00000007

Definition at line 314 of file ImageAuthentication.h.

◆ EFI_IMAGE_EXECUTION_AUTH_UNTESTED

#define EFI_IMAGE_EXECUTION_AUTH_UNTESTED   0x00000000

Definition at line 315 of file ImageAuthentication.h.

◆ EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED

#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED   0x00000001

Definition at line 316 of file ImageAuthentication.h.

◆ EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED

#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED   0x00000002

Definition at line 317 of file ImageAuthentication.h.

◆ EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND

#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND   0x00000003

Definition at line 318 of file ImageAuthentication.h.

◆ EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND

#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND   0x00000004

Definition at line 319 of file ImageAuthentication.h.

◆ EFI_IMAGE_EXECUTION_POLICY_FAILED

#define EFI_IMAGE_EXECUTION_POLICY_FAILED   0x00000005

Definition at line 320 of file ImageAuthentication.h.

◆ EFI_IMAGE_EXECUTION_INITIALIZED

#define EFI_IMAGE_EXECUTION_INITIALIZED   0x00000008

Definition at line 321 of file ImageAuthentication.h.

Typedef Documentation

◆ EFI_SM3_HASH

typedef UINT8 EFI_SM3_HASH[32]

Definition at line 129 of file ImageAuthentication.h.

◆ EFI_IMAGE_EXECUTION_ACTION

typedef UINT32 EFI_IMAGE_EXECUTION_ACTION

Definition at line 312 of file ImageAuthentication.h.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( BSD2_PATENT  )

◆ FILE_SECBOOT()

FILE_SECBOOT ( PERMITTED  )

Variable Documentation

◆ gEfiImageSecurityDatabaseGuid

EFI_GUID gEfiImageSecurityDatabaseGuid

◆ gEfiCertSha256Guid

EFI_GUID gEfiCertSha256Guid

◆ gEfiCertRsa2048Guid

EFI_GUID gEfiCertRsa2048Guid

◆ gEfiCertRsa2048Sha256Guid

EFI_GUID gEfiCertRsa2048Sha256Guid

◆ gEfiCertSha1Guid

EFI_GUID gEfiCertSha1Guid

◆ gEfiCertRsa2048Sha1Guid

EFI_GUID gEfiCertRsa2048Sha1Guid

◆ gEfiCertX509Guid

EFI_GUID gEfiCertX509Guid

◆ gEfiCertSha224Guid

EFI_GUID gEfiCertSha224Guid

◆ gEfiCertSha384Guid

EFI_GUID gEfiCertSha384Guid

◆ gEfiCertSha512Guid

EFI_GUID gEfiCertSha512Guid

◆ gEfiCertX509Sha256Guid

EFI_GUID gEfiCertX509Sha256Guid

◆ gEfiCertX509Sha384Guid

EFI_GUID gEfiCertX509Sha384Guid

◆ gEfiCertX509Sha512Guid

EFI_GUID gEfiCertX509Sha512Guid

◆ gEfiCertPkcs7Guid

EFI_GUID gEfiCertPkcs7Guid

◆ gEfiCertSm3Guid

EFI_GUID gEfiCertSm3Guid

◆ gEfiCertX509Sm3Guid

EFI_GUID gEfiCertX509Sm3Guid
Generated by   doxygen 1.8.15