iPXE
Functions | Variables
efi_cacert.c File Reference

EFI CA certificates. More...

#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include <errno.h>
#include <ipxe/init.h>
#include <ipxe/x509.h>
#include <ipxe/rootcert.h>
#include <ipxe/efi/efi.h>
#include <ipxe/efi/efi_siglist.h>
#include <ipxe/efi/Guid/TlsAuthentication.h>

Go to the source code of this file.

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 FILE_SECBOOT (PERMITTED)
static int efi_cacert (const void *data, size_t len, size_t offset)
 Retrieve EFI CA certificate.
static int efi_cacert_all (void)
 Retrieve all EFI CA certificates.
static void efi_cacert_init (void)
 Initialise EFI CA certificates.
struct init_fn efi_cacert_init_fn __init_fn (INIT_LATE)
 EFI CA certificates initialisation function.
static void efi_cacert_shutdown (int booting __unused)
 Discard any EFI CA certificates.
struct startup_fn efi_cacert_shutdown_fn __startup_fn (STARTUP_NORMAL)
 EFI CA certificates shutdown function.

Variables

static struct x509_chain efi_cacerts
 List of EFI CA certificates.

Detailed Description

EFI CA certificates.

Definition in file efi_cacert.c.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )

◆ FILE_SECBOOT()

FILE_SECBOOT ( PERMITTED )

◆ efi_cacert()

int efi_cacert ( const void * data,
size_t len,
size_t offset )
static

Retrieve EFI CA certificate.

Parameters
dataTlsCaCertificate variable data
lenLength of TlsCaCertificate
offsetOffset within data
nextNext offset, or negative error

Definition at line 58 of file efi_cacert.c.

58 {
59 struct asn1_cursor *cursor;
60 struct x509_certificate *cert;
61 int next;
62 int rc;
63
64 /* Extract ASN.1 object */
65 next = efisig_asn1 ( data, len, offset, &cursor );
66 if ( next < 0 ) {
67 rc = next;
68 DBGC ( &efi_cacerts, "EFICA could not parse at +%#zx: %s\n",
69 offset, strerror ( rc ) );
70 goto err_asn1;
71 }
72
73 /* Append to list of EFI CA certificates */
74 if ( ( rc = x509_append_raw ( &efi_cacerts, cursor->data,
75 cursor->len ) ) != 0 ) {
76 DBGC ( &efi_cacerts, "EFICA could not append at +%#zx: %s\n",
77 offset, strerror ( rc ) );
78 goto err_append;
79 }
80 cert = x509_last ( &efi_cacerts );
81 DBGC ( &efi_cacerts, "EFICA found certificate %s\n",
82 x509_name ( cert ) );
83
84 /* Mark certificate as valid (i.e. trusted) if permitted */
85 if ( allow_trust_override ) {
86 DBGC ( &efi_cacerts, "EFICA trusting certificate %s\n",
87 x509_name ( cert ) );
88 x509_set_valid ( cert, NULL, &root_certificates );
89 }
90
91 /* Free ASN.1 object */
92 free ( cursor );
93
94 return next;
95
96 err_append:
97 free ( cursor );
98 err_asn1:
99 return rc;
100}
NULL
#define NULL
NULL pointer (VOID *)
Definition Base.h:322
rc
struct arbelprm_rc_send_wqe rc
Definition arbel.h:3
offset
uint16_t offset
Offset to command line.
Definition bzimage.h:3
next
uint32_t next
Next descriptor address.
Definition dwmac.h:11
len
ring len
Length.
Definition dwmac.h:226
efi_cacerts
static struct x509_chain efi_cacerts
List of EFI CA certificates.
Definition efi_cacert.c:45
efisig_asn1
int efisig_asn1(const void *data, size_t len, size_t offset, struct asn1_cursor **cursor)
Extract ASN.1 object from EFI signature list.
Definition efi_siglist.c:143
data
uint8_t data[48]
Additional event data.
Definition ena.h:11
DBGC
#define DBGC(...)
Definition compiler.h:505
free
static void(* free)(struct refcnt *refcnt))
Definition refcnt.h:55
allow_trust_override
const int allow_trust_override
Flag indicating if root of trust may be overridden at runtime.
Definition rootcert.c:65
root_certificates
struct x509_root root_certificates
Root certificates.
Definition rootcert.c:79
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition strerror.c:79
asn1_cursor
An ASN.1 object cursor.
Definition asn1.h:21
asn1_cursor::data
const void * data
Start of data.
Definition asn1.h:23
asn1_cursor::len
size_t len
Length of data.
Definition asn1.h:25
x509_certificate
An X.509 certificate.
Definition x509.h:216
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition x509.c:147
x509_append_raw
int x509_append_raw(struct x509_chain *chain, const void *data, size_t len)
Append X.509 certificate to X.509 certificate chain.
Definition x509.c:1674
x509_set_valid
void x509_set_valid(struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
Set X.509 certificate as validated.
Definition x509.c:1329
x509_last
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition x509.h:325

References allow_trust_override, asn1_cursor::data, data, DBGC, efi_cacerts, efisig_asn1(), free, asn1_cursor::len, len, next, NULL, offset, rc, root_certificates, strerror(), x509_append_raw(), x509_last(), x509_name(), and x509_set_valid().

Referenced by efi_cacert_all(), efi_cacert_init(), efi_cacert_shutdown(), and PROVIDE_REQUIRING_SYMBOL().

◆ efi_cacert_all()

int efi_cacert_all ( void )
static

Retrieve all EFI CA certificates.

Return values
rcReturn status code

Definition at line 107 of file efi_cacert.c.

107 {
108 EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
109 EFI_GUID *guid = &efi_tls_ca_certificate_guid;
110 static CHAR16 *wname = EFI_TLS_CA_CERTIFICATE_VARIABLE;
111 int offset = 0;
112 UINT32 attrs;
113 UINTN size;
114 void *data;
115 EFI_STATUS efirc;
116 int rc;
117
118 /* Get variable length */
119 size = 0;
120 if ( ( efirc = rs->GetVariable ( wname, guid, &attrs, &size,
121 NULL ) ) != EFI_BUFFER_TOO_SMALL ) {
122 rc = -EEFI ( efirc );
123 DBGC ( &efi_cacerts, "EFICA could not get %ls size: %s\n",
124 wname, strerror ( rc ) );
125 goto err_len;
126 }
127
128 /* Allocate temporary buffer */
129 data = malloc ( size );
130 if ( ! data ) {
131 rc = -ENOMEM;
132 goto err_alloc;
133 }
134
135 /* Read variable */
136 if ( ( efirc = rs->GetVariable ( wname, guid, &attrs, &size,
137 data ) ) != 0 ) {
138 rc = -EEFI ( efirc );
139 DBGC ( &efi_cacerts, "EFICA could not read %ls: %s\n",
140 wname, strerror ( rc ) );
141 goto err_get;
142 }
143
144 /* Parse certificates */
145 while ( ( ( size_t ) offset ) < size ) {
146 offset = efi_cacert ( data, size, offset );
147 if ( offset < 0 ) {
148 rc = offset;
149 goto err_cacert;
150 }
151 }
152
153 /* Success */
154 rc = 0;
155
156 err_cacert:
157 err_get:
158 free ( data );
159 err_alloc:
160 err_len:
161 return rc;
162}
UINTN
UINT64 UINTN
Unsigned value of native width.
Definition ProcessorBind.h:115
CHAR16
unsigned short CHAR16
2-byte Character.
Definition ProcessorBind.h:102
UINT32
unsigned int UINT32
4-byte unsigned value.
Definition ProcessorBind.h:99
EFI_TLS_CA_CERTIFICATE_VARIABLE
#define EFI_TLS_CA_CERTIFICATE_VARIABLE
Definition TlsAuthentication.h:22
EFI_STATUS
RETURN_STATUS EFI_STATUS
Function return status for EFI API.
Definition UefiBaseType.h:32
EFI_GUID
GUID EFI_GUID
128-bit buffer containing a unique identifier value.
Definition UefiBaseType.h:28
EFI_BUFFER_TOO_SMALL
#define EFI_BUFFER_TOO_SMALL
Enumeration of EFI_STATUS.
Definition UefiBaseType.h:120
guid
uint64_t guid
GUID.
Definition edd.h:1
efi_cacert
static int efi_cacert(const void *data, size_t len, size_t offset)
Retrieve EFI CA certificate.
Definition efi_cacert.c:58
efi_tls_ca_certificate_guid
EFI_GUID efi_tls_ca_certificate_guid
TLS CA certificate variable GUID.
Definition efi_guid.c:478
size
uint16_t size
Buffer size.
Definition dwmac.h:3
ENOMEM
#define ENOMEM
Not enough space.
Definition errno.h:535
EEFI
#define EEFI(efirc)
Convert an EFI status code to an iPXE status code.
Definition efi.h:175
efi_systab
EFI_SYSTEM_TABLE * efi_systab
malloc
void * malloc(size_t size)
Allocate memory.
Definition malloc.c:621
EFI_RUNTIME_SERVICES
EFI Runtime Services Table.
Definition UefiSpec.h:1880
EFI_RUNTIME_SERVICES::GetVariable
EFI_GET_VARIABLE GetVariable
Definition UefiSpec.h:1903

References data, DBGC, EEFI, EFI_BUFFER_TOO_SMALL, efi_cacert(), efi_cacerts, efi_systab, efi_tls_ca_certificate_guid, EFI_TLS_CA_CERTIFICATE_VARIABLE, ENOMEM, free, EFI_RUNTIME_SERVICES::GetVariable, guid, malloc(), NULL, offset, rc, size, and strerror().

Referenced by efi_cacert_init().

◆ efi_cacert_init()

void efi_cacert_init ( void )
static

Initialise EFI CA certificates.

Definition at line 168 of file efi_cacert.c.

168 {
169 int rc;
170
171 /* Initialise all certificates */
172 if ( ( rc = efi_cacert_all() ) != 0 ) {
173 DBGC ( &efi_cacert, "EFICA could not initialise: %s\n",
174 strerror ( rc ) );
175 /* Nothing we can do at this point */
176 return;
177 }
178}
efi_cacert_all
static int efi_cacert_all(void)
Retrieve all EFI CA certificates.
Definition efi_cacert.c:107

References DBGC, efi_cacert(), efi_cacert_all(), rc, and strerror().

Referenced by __init_fn().

◆ __init_fn()

struct init_fn efi_cacert_init_fn __init_fn ( INIT_LATE )

EFI CA certificates initialisation function.

References __init_fn, efi_cacert_init(), and INIT_LATE.

◆ efi_cacert_shutdown()

void efi_cacert_shutdown ( int booting __unused)
static

Discard any EFI CA certificates.

Definition at line 190 of file efi_cacert.c.

190 {
191
192 /* Drop our references to the certificates */
193 DBGC ( &efi_cacert, "EFICA discarding certificates\n" );
194 x509_truncate ( &efi_cacerts, NULL );
195 assert ( list_empty ( &efi_cacerts.links ) );
196}
assert
#define assert(condition)
Assert a condition at run-time.
Definition assert.h:50
list_empty
#define list_empty(list)
Test whether a list is empty.
Definition list.h:137
x509_truncate
void x509_truncate(struct x509_chain *chain, struct x509_link *link)
Truncate X.509 certificate chain.
Definition x509.c:1704

References __unused, assert, DBGC, efi_cacert(), efi_cacerts, list_empty, NULL, and x509_truncate().

Referenced by __startup_fn().

◆ __startup_fn()

struct startup_fn efi_cacert_shutdown_fn __startup_fn ( STARTUP_NORMAL )

EFI CA certificates shutdown function.

References __startup_fn, efi_cacert_shutdown(), and STARTUP_NORMAL.

Variable Documentation

◆ efi_cacerts

struct x509_chain efi_cacerts
static
Initial value:
= {
.refcnt = REF_INIT ( ref_no_free ),
.links = LIST_HEAD_INIT ( efi_cacerts.links ),
}
LIST_HEAD_INIT
#define LIST_HEAD_INIT(list)
Initialise a static list head.
Definition list.h:31
ref_no_free
void ref_no_free(struct refcnt *refcnt __unused)
Do not free reference-counted object.
Definition refcnt.c:102
REF_INIT
#define REF_INIT(free_fn)
Initialise a static reference counter.
Definition refcnt.h:78

List of EFI CA certificates.

Definition at line 45 of file efi_cacert.c.

45 {
46 .refcnt = REF_INIT ( ref_no_free ),
47 .links = LIST_HEAD_INIT ( efi_cacerts.links ),
48};

Referenced by efi_cacert(), efi_cacert_all(), and efi_cacert_shutdown().

Generated by doxygen 1.14.0