efi__cacert_8c_source.html

/*

 * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.

 *

 * This program is free software; you can redistribute it and/or

 * modify it under the terms of the GNU General Public License as

 * published by the Free Software Foundation; either version 2 of the

 * License, or any later version.

 *

 * This program is distributed in the hope that it will be useful, but

 * WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

 * General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

 * 02110-1301, USA.

 *

 * You can also choose to distribute this program under the terms of

 * the Unmodified Binary Distribution Licence (as given in the file

 * COPYING.UBDL), provided that you have satisfied its requirements.

 */


FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

FILE_SECBOOT ( PERMITTED );


/** @file

 *

 * EFI CA certificates

 *

 */


#include <stdlib.h>

#include <string.h>

#include <assert.h>

#include <errno.h>

#include <ipxe/init.h>

#include <ipxe/x509.h>

#include <ipxe/rootcert.h>

#include <ipxe/efi/efi.h>

#include <ipxe/efi/efi_siglist.h>

#include <ipxe/efi/Guid/TlsAuthentication.h>


/** List of EFI CA certificates */


static struct x509_chain efi_cacerts = {

        .refcnt = REF_INIT ( ref_no_free ),

        .links = LIST_HEAD_INIT ( efi_cacerts.links ),

};


/**

 * Retrieve EFI CA certificate

 *

 * @v data              TlsCaCertificate variable data

 * @v len               Length of TlsCaCertificate

 * @v offset            Offset within data

 * @v next              Next offset, or negative error

 */


static int efi_cacert ( const void *data, size_t len, size_t offset ) {

        struct asn1_cursor *cursor;

        struct x509_certificate *cert;

        int next;

        int rc;


        /* Extract ASN.1 object */

        next = efisig_asn1 ( data, len, offset, &cursor );

        if ( next < 0 ) {

                rc = next;

                DBGC ( &efi_cacerts, "EFICA could not parse at +%#zx: %s\n",

                       offset, strerror ( rc ) );

                goto err_asn1;

        }


        /* Append to list of EFI CA certificates */

        if ( ( rc = x509_append_raw ( &efi_cacerts, cursor->data,

                                      cursor->len ) ) != 0 ) {

                DBGC ( &efi_cacerts, "EFICA could not append at +%#zx: %s\n",

                       offset, strerror ( rc ) );

                goto err_append;

        }

        cert = x509_last ( &efi_cacerts );

        DBGC ( &efi_cacerts, "EFICA found certificate %s\n",

               x509_name ( cert ) );


        /* Mark certificate as valid (i.e. trusted) if permitted */

        if ( allow_trust_override ) {

                DBGC ( &efi_cacerts, "EFICA trusting certificate %s\n",

                       x509_name ( cert ) );

                x509_set_valid ( cert, NULL, &root_certificates );

        }


        /* Free ASN.1 object */

        free ( cursor );


        return next;


 err_append:

        free ( cursor );

 err_asn1:

        return rc;

}


/**

 * Retrieve all EFI CA certificates

 *

 * @ret rc              Return status code

 */


static int efi_cacert_all ( void ) {

        EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;

        EFI_GUID *guid = &efi_tls_ca_certificate_guid;

        static CHAR16 *wname = EFI_TLS_CA_CERTIFICATE_VARIABLE;

        int offset = 0;

        UINT32 attrs;

        UINTN size;

        void *data;

        EFI_STATUS efirc;

        int rc;


        /* Get variable length */

        size = 0;

        if ( ( efirc = rs->GetVariable ( wname, guid, &attrs, &size,

                                         NULL ) ) != EFI_BUFFER_TOO_SMALL ) {

                rc = -EEFI ( efirc );

                DBGC ( &efi_cacerts, "EFICA could not get %ls size: %s\n",

                       wname, strerror ( rc ) );

                goto err_len;

        }


        /* Allocate temporary buffer */

        data = malloc ( size );

        if ( ! data ) {

                rc = -ENOMEM;

                goto err_alloc;

        }


        /* Read variable */

        if ( ( efirc = rs->GetVariable ( wname, guid, &attrs, &size,

                                         data ) ) != 0 ) {

                rc = -EEFI ( efirc );

                DBGC ( &efi_cacerts, "EFICA could not read %ls: %s\n",

                       wname, strerror ( rc ) );

                goto err_get;

        }


        /* Parse certificates */

        while ( ( ( size_t ) offset ) < size ) {

                offset = efi_cacert ( data, size, offset );

                if ( offset < 0 ) {

                        rc = offset;

                        goto err_cacert;

                }

        }


        /* Success */

        rc = 0;


 err_cacert:

 err_get:

        free ( data );

 err_alloc:

 err_len:

        return rc;

}


/**

 * Initialise EFI CA certificates

 *

 */


static void efi_cacert_init ( void ) {

        int rc;


        /* Initialise all certificates */

        if ( ( rc = efi_cacert_all() ) != 0 ) {

                DBGC ( &efi_cacert, "EFICA could not initialise: %s\n",

                       strerror ( rc ) );

                /* Nothing we can do at this point */

                return;

        }

}


/** EFI CA certificates initialisation function */


struct init_fn efi_cacert_init_fn __init_fn ( INIT_LATE ) = {

        .name = "eficacert",

        .initialise = efi_cacert_init,

};


/**

 * Discard any EFI CA certificates

 *

 */


static void efi_cacert_shutdown ( int booting __unused ) {


        /* Drop our references to the certificates */

        DBGC ( &efi_cacert, "EFICA discarding certificates\n" );

        x509_truncate ( &efi_cacerts, NULL );

        assert ( list_empty ( &efi_cacerts.links ) );

}


/** EFI CA certificates shutdown function */


struct startup_fn efi_cacert_shutdown_fn __startup_fn ( STARTUP_NORMAL ) = {

        .name = "efi_cacert",

        .shutdown = efi_cacert_shutdown,

};


UINTN
UINT64 UINTN
Unsigned value of native width.
Definition ProcessorBind.h:115

CHAR16
unsigned short CHAR16
2-byte Character.
Definition ProcessorBind.h:102

UINT32
unsigned int UINT32
4-byte unsigned value.
Definition ProcessorBind.h:99

NULL
#define NULL
NULL pointer (VOID *)
Definition Base.h:322

TlsAuthentication.h
This file defines TlsCaCertificate variable.

EFI_TLS_CA_CERTIFICATE_VARIABLE
#define EFI_TLS_CA_CERTIFICATE_VARIABLE
Definition TlsAuthentication.h:22

EFI_STATUS
RETURN_STATUS EFI_STATUS
Function return status for EFI API.
Definition UefiBaseType.h:32

EFI_GUID
GUID EFI_GUID
128-bit buffer containing a unique identifier value.
Definition UefiBaseType.h:28

EFI_BUFFER_TOO_SMALL
#define EFI_BUFFER_TOO_SMALL
Enumeration of EFI_STATUS.
Definition UefiBaseType.h:120

rc
struct arbelprm_rc_send_wqe rc
Definition arbel.h:3

assert.h
Assertions.

assert
#define assert(condition)
Assert a condition at run-time.
Definition assert.h:50

offset
uint16_t offset
Offset to command line.
Definition bzimage.h:3

next
uint32_t next
Next descriptor address.
Definition dwmac.h:11

len
ring len
Length.
Definition dwmac.h:226

guid
uint64_t guid
GUID.
Definition edd.h:1

efi_cacerts
static struct x509_chain efi_cacerts
List of EFI CA certificates.
Definition efi_cacert.c:45

efi_cacert_init
static void efi_cacert_init(void)
Initialise EFI CA certificates.
Definition efi_cacert.c:168

efi_cacert_all
static int efi_cacert_all(void)
Retrieve all EFI CA certificates.
Definition efi_cacert.c:107

efi_cacert_shutdown
static void efi_cacert_shutdown(int booting __unused)
Discard any EFI CA certificates.
Definition efi_cacert.c:190

efi_cacert
static int efi_cacert(const void *data, size_t len, size_t offset)
Retrieve EFI CA certificate.
Definition efi_cacert.c:58

efi_tls_ca_certificate_guid
EFI_GUID efi_tls_ca_certificate_guid
TLS CA certificate variable GUID.
Definition efi_guid.c:478

efisig_asn1
int efisig_asn1(const void *data, size_t len, size_t offset, struct asn1_cursor **cursor)
Extract ASN.1 object from EFI signature list.
Definition efi_siglist.c:143

efi_siglist.h
PEM-encoded ASN.1 data.

data
uint8_t data[48]
Additional event data.
Definition ena.h:11

errno.h
Error codes.

__unused
#define __unused
Declare a variable or data structure as unused.
Definition compiler.h:573

DBGC
#define DBGC(...)
Definition compiler.h:505

INIT_LATE
#define INIT_LATE
Late initialisation.
Definition init.h:33

size
uint16_t size
Buffer size.
Definition dwmac.h:3

FILE_LICENCE
#define FILE_LICENCE(_licence)
Declare a particular licence as applying to a file.
Definition compiler.h:896

ENOMEM
#define ENOMEM
Not enough space.
Definition errno.h:535

FILE_SECBOOT
#define FILE_SECBOOT(_status)
Declare a file's UEFI Secure Boot permission status.
Definition compiler.h:926

STARTUP_NORMAL
#define STARTUP_NORMAL
Normal startup.
Definition init.h:65

efi.h
EFI API.

EEFI
#define EEFI(efirc)
Convert an EFI status code to an iPXE status code.
Definition efi.h:175

efi_systab
EFI_SYSTEM_TABLE * efi_systab

string.h
String functions.

init.h

__init_fn
#define __init_fn(init_order)
Declare an initialisation functon.
Definition init.h:24

__startup_fn
#define __startup_fn(startup_order)
Declare a startup/shutdown function.
Definition init.h:53

LIST_HEAD_INIT
#define LIST_HEAD_INIT(list)
Initialise a static list head.
Definition list.h:31

list_empty
#define list_empty(list)
Test whether a list is empty.
Definition list.h:137

malloc
void * malloc(size_t size)
Allocate memory.
Definition malloc.c:621

ref_no_free
void ref_no_free(struct refcnt *refcnt __unused)
Do not free reference-counted object.
Definition refcnt.c:102

free
static void(* free)(struct refcnt *refcnt))
Definition refcnt.h:55

REF_INIT
#define REF_INIT(free_fn)
Initialise a static reference counter.
Definition refcnt.h:78

allow_trust_override
const int allow_trust_override
Flag indicating if root of trust may be overridden at runtime.
Definition rootcert.c:65

root_certificates
struct x509_root root_certificates
Root certificates.
Definition rootcert.c:79

rootcert.h
Root certificate store.

stdlib.h

strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition strerror.c:79

EFI_RUNTIME_SERVICES
EFI Runtime Services Table.
Definition UefiSpec.h:1880

EFI_RUNTIME_SERVICES::GetVariable
EFI_GET_VARIABLE GetVariable
Definition UefiSpec.h:1903

asn1_cursor
An ASN.1 object cursor.
Definition asn1.h:21

asn1_cursor::data
const void * data
Start of data.
Definition asn1.h:23

asn1_cursor::len
size_t len
Length of data.
Definition asn1.h:25

init_fn
An initialisation function.
Definition init.h:15

startup_fn
A startup/shutdown function.
Definition init.h:43

x509_certificate
An X.509 certificate.
Definition x509.h:216

x509_chain
An X.509 certificate chain.
Definition x509.h:201

x509_truncate
void x509_truncate(struct x509_chain *chain, struct x509_link *link)
Truncate X.509 certificate chain.
Definition x509.c:1704

x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition x509.c:147

x509_append_raw
int x509_append_raw(struct x509_chain *chain, const void *data, size_t len)
Append X.509 certificate to X.509 certificate chain.
Definition x509.c:1674

x509_set_valid
void x509_set_valid(struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
Set X.509 certificate as validated.
Definition x509.c:1329

x509.h
X.509 certificates.

x509_last
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition x509.h:325