EFI CA certificates. More...

#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include <errno.h>
#include <ipxe/init.h>
#include <ipxe/x509.h>
#include <ipxe/rootcert.h>
#include <ipxe/efi/efi.h>
#include <ipxe/efi/efi_siglist.h>
#include <ipxe/efi/Guid/TlsAuthentication.h>

Functions
	FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)

	FILE_SECBOOT (PERMITTED)

static int	efi_cacert (const void *data, size_t len, size_t offset)
	Retrieve EFI CA certificate. More...

static int	efi_cacert_all (void)
	Retrieve all EFI CA certificates. More...

static void	efi_cacert_init (void)
	Initialise EFI CA certificates. More...

struct init_fn efi_cacert_init_fn	__init_fn (INIT_LATE)
	EFI CA certificates initialisation function. More...

static void	efi_cacert_shutdown (int booting __unused)
	Discard any EFI CA certificates. More...

struct startup_fn efi_cacert_shutdown_fn	__startup_fn (STARTUP_NORMAL)
	EFI CA certificates shutdown function. More...

Variables
static struct x509_chain	efi_cacerts
	List of EFI CA certificates. More...

Detailed Description

EFI CA certificates.

Definition in file efi_cacert.c.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )

◆ FILE_SECBOOT()

FILE_SECBOOT ( PERMITTED )

◆ efi_cacert()

static int efi_cacert	(	const void *	data,
		size_t	len,
		size_t	offset
	)

static

Retrieve EFI CA certificate.

Parameters

data	TlsCaCertificate variable data
len	Length of TlsCaCertificate
offset	Offset within data
next	Next offset, or negative error

Definition at line 58 of file efi_cacert.c.

                                                                       {
         struct asn1_cursor *cursor;
         struct x509_certificate *cert;
         int next;
         int rc;
 
         /* Extract ASN.1 object */
         next = efisig_asn1 ( data, len, offset, &cursor );
         if ( next < 0 ) {
                 rc = next;
                 DBGC ( &efi_cacerts, "EFICA could not parse at +%#zx: %s\n",
                        offset, strerror ( rc ) );
                 goto err_asn1;
         }
 
         /* Append to list of EFI CA certificates */
         if ( ( rc = x509_append_raw ( &efi_cacerts, cursor->data,
                                       cursor->len ) ) != 0 ) {
                 DBGC ( &efi_cacerts, "EFICA could not append at +%#zx: %s\n",
                        offset, strerror ( rc ) );
                 goto err_append;
         }
         cert = x509_last ( &efi_cacerts );
         DBGC ( &efi_cacerts, "EFICA found certificate %s\n",
                x509_name ( cert ) );
 
         /* Mark certificate as valid (i.e. trusted) if permitted */
         if ( allow_trust_override ) {
                 DBGC ( &efi_cacerts, "EFICA trusting certificate %s\n",
                        x509_name ( cert ) );
                 x509_set_valid ( cert, NULL, &root_certificates );
         }
 
         /* Free ASN.1 object */
         free ( cursor );
 
         return next;
 
  err_append:
         free ( cursor );
  err_asn1:
         return rc;
 }

References allow_trust_override, data, asn1_cursor::data, DBGC, efi_cacerts, efisig_asn1(), free, asn1_cursor::len, len, next, NULL, offset, rc, root_certificates, strerror(), x509_append_raw(), x509_last(), x509_name(), and x509_set_valid().

Referenced by efi_cacert_all(), efi_cacert_init(), and efi_cacert_shutdown().

◆ efi_cacert_all()

static int efi_cacert_all ( void )

static

Retrieve all EFI CA certificates.

Return values

rc	Return status code

Definition at line 107 of file efi_cacert.c.

                                    {
         EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
         EFI_GUID *guid = &efi_tls_ca_certificate_guid;
         static CHAR16 *wname = EFI_TLS_CA_CERTIFICATE_VARIABLE;
         int offset = 0;
         UINT32 attrs;
         UINTN size;
         void *data;
         EFI_STATUS efirc;
         int rc;
 
         /* Get variable length */
         size = 0;
         if ( ( efirc = rs->GetVariable ( wname, guid, &attrs, &size,
                                          NULL ) ) != EFI_BUFFER_TOO_SMALL ) {
                 rc = -EEFI ( efirc );
                 DBGC ( &efi_cacerts, "EFICA could not get %ls size: %s\n",
                        wname, strerror ( rc ) );
                 goto err_len;
         }
 
         /* Allocate temporary buffer */
         data = malloc ( size );
         if ( ! data ) {
                 rc = -ENOMEM;
                 goto err_alloc;
         }
 
         /* Read variable */
         if ( ( efirc = rs->GetVariable ( wname, guid, &attrs, &size,
                                          data ) ) != 0 ) {
                 rc = -EEFI ( efirc );
                 DBGC ( &efi_cacerts, "EFICA could not read %ls: %s\n",
                        wname, strerror ( rc ) );
                 goto err_get;
         }
 
         /* Parse certificates */
         while ( ( ( size_t ) offset ) < size ) {
                 offset = efi_cacert ( data, size, offset );
                 if ( offset < 0 ) {
                         rc = offset;
                         goto err_cacert;
                 }
         }
 
         /* Success */
         rc = 0;
 
  err_cacert:
  err_get:
         free ( data );
  err_alloc:
  err_len:
         return rc;
 }

References data, DBGC, EEFI, EFI_BUFFER_TOO_SMALL, efi_cacert(), efi_cacerts, efi_systab, efi_tls_ca_certificate_guid, EFI_TLS_CA_CERTIFICATE_VARIABLE, ENOMEM, free, EFI_RUNTIME_SERVICES::GetVariable, guid, malloc(), NULL, offset, rc, EFI_SYSTEM_TABLE::RuntimeServices, size, and strerror().

Referenced by efi_cacert_init().

◆ efi_cacert_init()

static void efi_cacert_init ( void )

static

Initialise EFI CA certificates.

Definition at line 168 of file efi_cacert.c.

                                      {
         int rc;
 
         /* Initialise all certificates */
         if ( ( rc = efi_cacert_all() ) != 0 ) {
                 DBGC ( &efi_cacert, "EFICA could not initialise: %s\n",
                        strerror ( rc ) );
                 /* Nothing we can do at this point */
                 return;
         }
 }

References DBGC, efi_cacert(), efi_cacert_all(), rc, and strerror().

◆ __init_fn()

struct init_fn efi_cacert_init_fn __init_fn ( INIT_LATE )

EFI CA certificates initialisation function.

◆ efi_cacert_shutdown()

static void efi_cacert_shutdown ( int booting __unused )

static

Discard any EFI CA certificates.

Definition at line 190 of file efi_cacert.c.

                                                          {
 
         /* Drop our references to the certificates */
         DBGC ( &efi_cacert, "EFICA discarding certificates\n" );
         x509_truncate ( &efi_cacerts, NULL );
         assert ( list_empty ( &efi_cacerts.links ) );
 }

References assert(), DBGC, efi_cacert(), efi_cacerts, x509_chain::links, list_empty, NULL, and x509_truncate().

◆ __startup_fn()

struct startup_fn efi_cacert_shutdown_fn __startup_fn ( STARTUP_NORMAL )

EFI CA certificates shutdown function.

Variable Documentation

◆ efi_cacerts

struct x509_chain efi_cacerts

static

Initial value:

= {
        .refcnt = REF_INIT ( ref_no_free ),
        .links = LIST_HEAD_INIT ( efi_cacerts.links ),
}

List of EFI CA certificates.

Definition at line 45 of file efi_cacert.c.

Referenced by efi_cacert(), efi_cacert_all(), and efi_cacert_shutdown().

Functions

Variables

Detailed Description

Function Documentation

◆ FILE_LICENCE()

◆ FILE_SECBOOT()

◆ efi_cacert()

◆ efi_cacert_all()

◆ efi_cacert_init()

◆ __init_fn()

◆ efi_cacert_shutdown()

◆ __startup_fn()

Variable Documentation

◆ efi_cacerts