iPXE
efi_cacert.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2025 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  *
19  * You can also choose to distribute this program under the terms of
20  * the Unmodified Binary Distribution Licence (as given in the file
21  * COPYING.UBDL), provided that you have satisfied its requirements.
22  */
23 
24 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25 
26 /** @file
27  *
28  * EFI CA certificates
29  *
30  */
31 
32 #include <stdlib.h>
33 #include <string.h>
34 #include <assert.h>
35 #include <errno.h>
36 #include <ipxe/init.h>
37 #include <ipxe/x509.h>
38 #include <ipxe/rootcert.h>
39 #include <ipxe/efi/efi.h>
40 #include <ipxe/efi/efi_siglist.h>
41 #include <ipxe/efi/Guid/TlsAuthentication.h>
42 
43 /** List of EFI CA certificates */
44 static struct x509_chain efi_cacerts = {
45  .refcnt = REF_INIT ( ref_no_free ),
46  .links = LIST_HEAD_INIT ( efi_cacerts.links ),
47 };
48 
49 /**
50  * Retrieve EFI CA certificate
51  *
52  * @v data TlsCaCertificate variable data
53  * @v len Length of TlsCaCertificate
54  * @v offset Offset within data
55  * @v next Next offset, or negative error
56  */
57 static int efi_cacert ( const void *data, size_t len, size_t offset ) {
58  struct asn1_cursor *cursor;
59  struct x509_certificate *cert;
60  int next;
61  int rc;
62 
63  /* Extract ASN.1 object */
64  next = efisig_asn1 ( data, len, offset, &cursor );
65  if ( next < 0 ) {
66  rc = next;
67  DBGC ( &efi_cacerts, "EFICA could not parse at +%#zx: %s\n",
68  offset, strerror ( rc ) );
69  goto err_asn1;
70  }
71 
72  /* Append to list of EFI CA certificates */
73  if ( ( rc = x509_append_raw ( &efi_cacerts, cursor->data,
74  cursor->len ) ) != 0 ) {
75  DBGC ( &efi_cacerts, "EFICA could not append at +%#zx: %s\n",
76  offset, strerror ( rc ) );
77  goto err_append;
78  }
79  cert = x509_last ( &efi_cacerts );
80  DBGC ( &efi_cacerts, "EFICA found certificate %s\n",
81  x509_name ( cert ) );
82 
83  /* Mark certificate as valid (i.e. trusted) if permitted */
84  if ( allow_trust_override ) {
85  DBGC ( &efi_cacerts, "EFICA trusting certificate %s\n",
86  x509_name ( cert ) );
87  x509_set_valid ( cert, NULL, &root_certificates );
88  }
89 
90  /* Free ASN.1 object */
91  free ( cursor );
92 
93  return next;
94 
95  err_append:
96  free ( cursor );
97  err_asn1:
98  return rc;
99 }
100 
101 /**
102  * Retrieve all EFI CA certificates
103  *
104  * @ret rc Return status code
105  */
106 static int efi_cacert_all ( void ) {
107  EFI_RUNTIME_SERVICES *rs = efi_systab->RuntimeServices;
108  EFI_GUID *guid = &efi_tls_ca_certificate_guid;
109  static CHAR16 *wname = EFI_TLS_CA_CERTIFICATE_VARIABLE;
110  int offset = 0;
111  UINT32 attrs;
112  UINTN size;
113  void *data;
114  EFI_STATUS efirc;
115  int rc;
116 
117  /* Get variable length */
118  size = 0;
119  if ( ( efirc = rs->GetVariable ( wname, guid, &attrs, &size,
120  NULL ) ) != EFI_BUFFER_TOO_SMALL ) {
121  rc = -EEFI ( efirc );
122  DBGC ( &efi_cacerts, "EFICA could not get %ls size: %s\n",
123  wname, strerror ( rc ) );
124  goto err_len;
125  }
126 
127  /* Allocate temporary buffer */
128  data = malloc ( size );
129  if ( ! data ) {
130  rc = -ENOMEM;
131  goto err_alloc;
132  }
133 
134  /* Read variable */
135  if ( ( efirc = rs->GetVariable ( wname, guid, &attrs, &size,
136  data ) ) != 0 ) {
137  rc = -EEFI ( efirc );
138  DBGC ( &efi_cacerts, "EFICA could not read %ls: %s\n",
139  wname, strerror ( rc ) );
140  goto err_get;
141  }
142 
143  /* Parse certificates */
144  while ( ( ( size_t ) offset ) < size ) {
145  offset = efi_cacert ( data, size, offset );
146  if ( offset < 0 ) {
147  rc = offset;
148  goto err_cacert;
149  }
150  }
151 
152  /* Success */
153  rc = 0;
154 
155  err_cacert:
156  err_get:
157  free ( data );
158  err_alloc:
159  err_len:
160  return rc;
161 }
162 
163 /**
164  * Initialise EFI CA certificates
165  *
166  */
167 static void efi_cacert_init ( void ) {
168  int rc;
169 
170  /* Initialise all certificates */
171  if ( ( rc = efi_cacert_all() ) != 0 ) {
172  DBGC ( &efi_cacert, "EFICA could not initialise: %s\n",
173  strerror ( rc ) );
174  /* Nothing we can do at this point */
175  return;
176  }
177 }
178 
179 /** EFI CA certificates initialisation function */
180 struct init_fn efi_cacert_init_fn __init_fn ( INIT_LATE ) = {
181  .name = "eficacert",
182  .initialise = efi_cacert_init,
183 };
184 
185 /**
186  * Discard any EFI CA certificates
187  *
188  */
189 static void efi_cacert_shutdown ( int booting __unused ) {
190 
191  /* Drop our references to the certificates */
192  DBGC ( &efi_cacert, "EFICA discarding certificates\n" );
193  x509_truncate ( &efi_cacerts, NULL );
194  assert ( list_empty ( &efi_cacerts.links ) );
195 }
196 
197 /** EFI CA certificates shutdown function */
198 struct startup_fn efi_cacert_shutdown_fn __startup_fn ( STARTUP_NORMAL ) = {
199  .name = "efi_cacert",
200  .shutdown = efi_cacert_shutdown,
201 };
STARTUP_NORMAL
#define STARTUP_NORMAL
Normal startup.
Definition: init.h:64
x509_set_valid
void x509_set_valid(struct x509_certificate *cert, struct x509_certificate *issuer, struct x509_root *root)
Set X.509 certificate as validated.
Definition: x509.c:1328
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
EEFI
#define EEFI(efirc)
Convert an EFI status code to an iPXE status code.
Definition: efi.h:174
allow_trust_override
const int allow_trust_override
Flag indicating if root of trust may be overridden at runtime.
Definition: rootcert.c:64
FILE_LICENCE
FILE_LICENCE(GPL2_OR_LATER_OR_UBDL)
GUID
128 bit buffer containing a unique identifier value.
Definition: Base.h:215
x509_chain::links
struct list_head links
List of links.
Definition: x509.h:204
errno.h
Error codes.
x509_append_raw
int x509_append_raw(struct x509_chain *chain, const void *data, size_t len)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1673
size
uint16_t size
Buffer size.
Definition: dwmac.h:14
root_certificates
struct x509_root root_certificates
Root certificates.
Definition: rootcert.c:78
asn1_cursor::data
const void * data
Start of data.
Definition: asn1.h:22
DBGC
#define DBGC(...)
Definition: compiler.h:505
UINT32
unsigned int UINT32
Definition: ProcessorBind.h:98
__init_fn
struct init_fn efi_cacert_init_fn __init_fn(INIT_LATE)
EFI CA certificates initialisation function.
CHAR16
unsigned short CHAR16
Definition: ProcessorBind.h:101
x509_truncate
void x509_truncate(struct x509_chain *chain, struct x509_link *link)
Truncate X.509 certificate chain.
Definition: x509.c:1703
EFI_BUFFER_TOO_SMALL
#define EFI_BUFFER_TOO_SMALL
Enumeration of EFI_STATUS.
Definition: UefiBaseType.h:119
startup_fn::name
const char * name
Definition: init.h:43
efi_siglist.h
PEM-encoded ASN.1 data.
asn1_cursor::len
size_t len
Length of data.
Definition: asn1.h:24
efi_cacert_shutdown
static void efi_cacert_shutdown(int booting __unused)
Discard any EFI CA certificates.
Definition: efi_cacert.c:189
list_empty
#define list_empty(list)
Test whether a list is empty.
Definition: list.h:136
startup_fn
A startup/shutdown function.
Definition: init.h:42
x509_chain
An X.509 certificate chain.
Definition: x509.h:200
ENOMEM
#define ENOMEM
Not enough space.
Definition: errno.h:534
efi_cacerts
static struct x509_chain efi_cacerts
List of EFI CA certificates.
Definition: efi_cacert.c:44
EFI_TLS_CA_CERTIFICATE_VARIABLE
#define EFI_TLS_CA_CERTIFICATE_VARIABLE
Definition: TlsAuthentication.h:21
init_fn
An initialisation function.
Definition: init.h:14
assert.h
Assertions.
assert
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
efisig_asn1
int efisig_asn1(const void *data, size_t len, size_t offset, struct asn1_cursor **cursor)
Extract ASN.1 object from EFI signature list.
Definition: efi_siglist.c:142
__unused
#define __unused
Declare a variable or data structure as unused.
Definition: compiler.h:573
len
ring len
Length.
Definition: dwmac.h:231
init_fn::name
const char * name
Definition: init.h:15
EFI_RUNTIME_SERVICES::GetVariable
EFI_GET_VARIABLE GetVariable
Definition: UefiSpec.h:1902
efi_cacert_all
static int efi_cacert_all(void)
Retrieve all EFI CA certificates.
Definition: efi_cacert.c:106
__startup_fn
struct startup_fn efi_cacert_shutdown_fn __startup_fn(STARTUP_NORMAL)
EFI CA certificates shutdown function.
EFI_RUNTIME_SERVICES
EFI Runtime Services Table.
Definition: UefiSpec.h:1879
x509_last
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition: x509.h:324
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_certificate
An X.509 certificate.
Definition: x509.h:215
free
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
UINTN
UINT64 UINTN
Unsigned value of native width.
Definition: ProcessorBind.h:114
x509.h
X.509 certificates.
TlsAuthentication.h
This file defines TlsCaCertificate variable.
next
uint32_t next
Next descriptor address.
Definition: dwmac.h:22
malloc
void * malloc(size_t size)
Allocate memory.
Definition: malloc.c:620
efi.h
EFI API.
guid
uint64_t guid
GUID.
Definition: edd.h:30
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
EFI_SYSTEM_TABLE::RuntimeServices
EFI_RUNTIME_SERVICES * RuntimeServices
A pointer to the EFI Runtime Services Table.
Definition: UefiSpec.h:2094
EFI_STATUS
RETURN_STATUS EFI_STATUS
Function return status for EFI API.
Definition: UefiBaseType.h:31
efi_tls_ca_certificate_guid
EFI_GUID efi_tls_ca_certificate_guid
TLS CA certificate variable GUID.
Definition: efi_guid.c:477
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
REF_INIT
#define REF_INIT(free_fn)
Initialise a static reference counter.
Definition: refcnt.h:77
rootcert.h
Root certificate store.
efi_systab
EFI_SYSTEM_TABLE * efi_systab
offset
uint16_t offset
Offset to command line.
Definition: bzimage.h:8
INIT_LATE
#define INIT_LATE
Late initialisation.
Definition: init.h:32
LIST_HEAD_INIT
#define LIST_HEAD_INIT(list)
Initialise a static list head.
Definition: list.h:30
efi_cacert
static int efi_cacert(const void *data, size_t len, size_t offset)
Retrieve EFI CA certificate.
Definition: efi_cacert.c:57
efi_cacert_init
static void efi_cacert_init(void)
Initialise EFI CA certificates.
Definition: efi_cacert.c:167
ref_no_free
void ref_no_free(struct refcnt *refcnt __unused)
Do not free reference-counted object.
Definition: refcnt.c:101
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
string.h
String functions.
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20
x509_chain::refcnt
struct refcnt refcnt
Reference count.
Definition: x509.h:202
Generated by   doxygen 1.8.15