Diffstat (limited to 'lib')
| -rw-r--r-- | lib/Makefile | 2 | ||||
| -rw-r--r-- | lib/configtable.c | 19 | ||||
| -rw-r--r-- | lib/console.c | 195 | ||||
| -rw-r--r-- | lib/execute.c | 38 | ||||
| -rw-r--r-- | lib/guid.c | 8 | ||||
| -rw-r--r-- | lib/print_crypto.c | 37 | ||||
| -rw-r--r-- | lib/security_policy.c | 14 | ||||
| -rw-r--r-- | lib/shell.c | 3 | ||||
| -rw-r--r-- | lib/simple_file.c | 9 | ||||
| -rw-r--r-- | lib/variables.c | 96 |
10 files changed, 284 insertions, 137 deletions
diff --git a/lib/Makefile b/lib/Makefile index db5ff711..573c52bd 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -1,6 +1,6 @@ TARGET = lib.a -LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o +LIBFILES = $(foreach x,$(wildcard *.c),$(patsubst %.c,%.o,$(x))) EFI_INCLUDES = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I$(TOPDIR)/../include \ -I$(TOPDIR)/CryptLib/Include/openssl/ diff --git a/lib/configtable.c b/lib/configtable.c index df047f0e..8675fad1 100644 --- a/lib/configtable.c +++ b/lib/configtable.c @@ -1,8 +1,7 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent /* * Copyright 2013 <James.Bottomley@HansenPartnership.com> * - * see COPYING file - * * read some platform configuration tables */ #include <efi.h> 
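Review bot: `LIBFILES = $(foreach x,$(wildcard *.c),$(patsubst %.c,%.o,$(x)))` in lib/Makefile builds every `.c` file found in the directory into `lib.a`, so a stray, generated or unreviewed source file gets linked without any Makefile change appearing in review. This library appears to belong to a Secure Boot loader (it includes `shim.h` and handles signature lists), where an explicit object list keeps the set of linked sources auditable. If the wildcard stays, a comment such as `# every *.c in lib/ is built into lib.a; keep scratch files out of this directory` would state the rule. The expression can also be written more simply as `$(patsubst %.c,%.o,$(wildcard *.c))`.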
@@ -50,22 +49,22 @@ configtable_find_image(const EFI_DEVICE_PATH *DevicePath) /* print what we have for debugging */ UINT8 *d = (UINT8 *)e; // + sizeof(UINT32)*2; console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", - d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); + d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); d += 16; console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", - d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); + d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); d += 16; console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", - d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); + d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); d += 16; console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", - d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); + d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); d += 16; console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", - d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); + d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); d += 16; console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", - d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); 
+ d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]); #endif CHAR16 *name = (CHAR16 *)(e->Data); int skip = 0; @@ -94,12 +93,12 @@ configtable_find_image(const EFI_DEVICE_PATH *DevicePath) console_print(L"Device Path Size %d\n", Size); #endif if (Size > e->InfoSize) { - /* parse error; the platform obviously has a + /* parse error; the platform obviously has a * corrupted image table; bail */ console_print(L"Image Execution Information table corrupt\n"); break; } - + if (CompareMem(dp, (void *)DevicePath, Size) == 0) { #ifdef DEBUG_CONFIG console_print(L"***FOUND\n"); diff --git a/lib/console.c b/lib/console.c index 3aee41cd..05f7ec16 100644 --- a/lib/console.c +++ b/lib/console.c @@ -1,8 +1,7 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent /* * Copyright 2012 <James.Bottomley@HansenPartnership.com> * Copyright 2013 Red Hat Inc. <pjones@redhat.com> - * - * see COPYING file */ #include <efi.h> #include <efilib.h> @@ -214,7 +213,7 @@ console_print_box_at(CHAR16 *str_arr[], int highlight, if (col < 0) col = 0; - CopyMem(Line + col + 1, s, min(len, size_cols - 2)*2); + CopyMem(Line + col + 1, s, MIN(len, size_cols - 2)*2); } if (line >= 0 && line == highlight) co->SetAttribute(co, EFI_LIGHTGRAY | 
@@ -409,7 +408,166 @@ console_notify(CHAR16 *string) console_alertbox(str_arr); } -#define ARRAY_SIZE(a) (sizeof (a) / sizeof ((a)[0])) +void +console_save_and_set_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode) +{ + SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; + + if (!SavedMode) { + console_print(L"Invalid parameter: SavedMode\n"); + return; + } + + CopyMem(SavedMode, co->Mode, sizeof(SIMPLE_TEXT_OUTPUT_MODE)); + co->EnableCursor(co, FALSE); + co->SetAttribute(co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); +} + +void +console_restore_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode) +{ + SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; + + co->EnableCursor(co, SavedMode->CursorVisible); + co->SetCursorPosition(co, SavedMode->CursorColumn, + SavedMode->CursorRow); + co->SetAttribute(co, SavedMode->Attribute); +} + +int +console_countdown(CHAR16* title, const CHAR16* message, int timeout) +{ + SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; + SIMPLE_INPUT_INTERFACE *ci = ST->ConIn; + SIMPLE_TEXT_OUTPUT_MODE SavedMode; + EFI_INPUT_KEY key; + EFI_STATUS efi_status; + UINTN cols, rows; + CHAR16 *titles[2]; + int wait = 10000000; + + console_save_and_set_mode(&SavedMode); + + titles[0] = title; + titles[1] = NULL; + + console_print_box_at(titles, -1, 0, 0, -1, -1, 1, 1); + + co->QueryMode(co, co->Mode->Mode, &cols, &rows); + + console_print_at((cols - StrLen(message)) / 2, rows / 2, message); + while (1) { + if (timeout > 1) + console_print_at(2, rows - 3, + L"Booting in %d seconds ", + timeout); + else if (timeout) + console_print_at(2, rows - 3, + L"Booting in %d second ", + timeout); + + efi_status = WaitForSingleEvent(ci->WaitForKey, wait); + if (efi_status != EFI_TIMEOUT) { + /* Clear the key in the queue */ + ci->ReadKeyStroke(ci, &key); + break; + } + + timeout--; + if (!timeout) + break; + } + + console_restore_mode(&SavedMode); + + return timeout; +} + +#define HORIZONTAL_MAX_OK 1920 +#define VERTICAL_MAX_OK 1080 +#define COLUMNS_MAX_OK 200 +#define ROWS_MAX_OK 100 + +void 
+console_mode_handle(VOID) +{ + SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; + EFI_GRAPHICS_OUTPUT_PROTOCOL *gop; + EFI_GUID gop_guid = EFI_GRAPHICS_OUTPUT_PROTOCOL_GUID; + EFI_GRAPHICS_OUTPUT_MODE_INFORMATION *Info; + + UINTN mode_set; + UINTN rows = 0, columns = 0; + EFI_STATUS efi_status = EFI_SUCCESS; + + efi_status = gBS->LocateProtocol(&gop_guid, NULL, (void **)&gop); + if (EFI_ERROR(efi_status)) { + console_error(L"Locate graphic output protocol fail", efi_status); + return; + } + + Info = gop->Mode->Info; + + /* + * Start verifying if we are in a resolution larger than Full HD + * (1920x1080). If we're not, assume we're in a good mode and do not + * try to change it. + */ + if (Info->HorizontalResolution <= HORIZONTAL_MAX_OK && + Info->VerticalResolution <= VERTICAL_MAX_OK) { + /* keep original mode and return */ + return; + } + + efi_status = co->QueryMode(co, co->Mode->Mode, &columns, &rows); + if (EFI_ERROR(efi_status)) { + console_error(L"Console query mode fail", efi_status); + return; + } + + /* + * Verify current console output to check if the character columns and + * rows in a good mode. + */ + if (columns <= COLUMNS_MAX_OK && rows <= ROWS_MAX_OK) { + /* keep original mode and return */ + return; + } + + if (!console_text_mode) + setup_console(1); + + co->Reset(co, TRUE); + + /* + * If we reached here, then we have a high resolution screen and the + * text too small. Try to switch to a better mode. Mode number 2 is + * first non standard mode, which is provided by the device + * manufacturer, so it should be a good mode. + */ + if (co->Mode->MaxMode > 2) + mode_set = 2; + else + mode_set = 0; + + efi_status = co->SetMode(co, mode_set); + if (EFI_ERROR(efi_status) && mode_set != 0) { + /* + * Set to 0 mode which is required that all output devices + * support at least 80x25 text mode. 
+ */ + mode_set = 0; + efi_status = co->SetMode(co, mode_set); + } + + co->ClearScreen(co); + + if (EFI_ERROR(efi_status)) { + console_error(L"Console set mode fail", efi_status); + } + + return; +} /* Copy of gnu-efi-3.0 with the added secure boot strings */ static struct { @@ -445,7 +603,7 @@ static struct { { EFI_SECURITY_VIOLATION, L"Security Violation"}, // warnings - { EFI_WARN_UNKOWN_GLYPH, L"Warning Unknown Glyph"}, + { EFI_WARN_UNKNOWN_GLYPH, L"Warning Unknown Glyph"}, { EFI_WARN_DELETE_FAILURE, L"Warning Delete Failure"}, { EFI_WARN_WRITE_FAILURE, L"Warning Write Failure"}, { EFI_WARN_BUFFER_TOO_SMALL, L"Warning Buffer Too Small"}, @@ -523,33 +681,6 @@ setup_verbosity(VOID) setup_console(-1); } -/* Included here because they mess up the definition of va_list and friends */ -#include <Library/BaseCryptLib.h> -#include <openssl/err.h> -#include <openssl/crypto.h> - -static int -print_errors_cb(const char *str, size_t len, void *u) -{ - console_print(L"%a", str); - - return len; -} - -EFI_STATUS -print_crypto_errors(EFI_STATUS efi_status, - char *file, const char *func, int line) -{ - if (!(verbose && EFI_ERROR(efi_status))) - return efi_status; - - console_print(L"SSL Error: %a:%d %a(): %r\n", file, line, func, - efi_status); - ERR_print_errors_cb(print_errors_cb, NULL); - - return efi_status; -} - VOID msleep(unsigned long msecs) { diff --git a/lib/execute.c b/lib/execute.c index 3aff28ad..f57a6321 100644 --- a/lib/execute.c +++ b/lib/execute.c 
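Review bot: In `console_countdown`, a caller passing `timeout <= 0` never reaches the `if (!timeout) break;` exit, because the value is decremented past zero before the test; the loop then only ends on a key press. Testing `if (timeout <= 0) break;` after the decrement would close that, provided callers do not rely on the exact return value for that input. The result of `co->QueryMode(co, co->Mode->Mode, &cols, &rows)` is ignored in the same function, so `cols` and `rows` can be read uninitialized, and `(cols - StrLen(message)) / 2` and `rows - 3` wrap as `UINTN` when the message is wider than the console or the console has fewer than three rows. `console_restore_mode` also dereferences `SavedMode` without the NULL check that `console_save_and_set_mode` performs. In `console_mode_handle`, `gop->Mode->Info` is read without checking `gop->Mode` for NULL.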
@@ -1,41 +1,7 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent /* * Copyright 2012 <James.Bottomley@HansenPartnership.com> - * - * see COPYING file - * - * -- - * - * generate_path is a cut and paste from - * - * git://github.com/mjg59/shim.git - * * Code Copyright 2012 Red Hat, Inc <mjg@redhat.com> - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the - * distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS - * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * */ #include <efi.h> @@ -83,7 +49,7 @@ generate_path(CHAR16* name, EFI_LOADED_IMAGE *li, EFI_DEVICE_PATH **path, CHAR16 if (name[0] != '\\') StrCat(*PathName, L"\\"); StrCat(*PathName, name); - + *path = FileDevicePath(li->DeviceHandle, *PathName); error: 
@@ -1,8 +1,4 @@ -/* - * Copyright 2012 <James.Bottomley@HansenPartnership.com> - * - * see COPYING file - */ +// SPDX-License-Identifier: BSD-2-Clause-Patent #include "shim.h" @@ -36,4 +32,6 @@ EFI_GUID EFI_SECURE_BOOT_DB_GUID = { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, EFI_GUID EFI_SIMPLE_FILE_SYSTEM_GUID = SIMPLE_FILE_SYSTEM_PROTOCOL; EFI_GUID SECURITY_PROTOCOL_GUID = { 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD1, 0xBF, 0xA9, 0x11, 0x58, 0x39 } }; EFI_GUID SECURITY2_PROTOCOL_GUID = { 0x94ab2f58, 0x1438, 0x4ef1, {0x91, 0x52, 0x18, 0x94, 0x1a, 0x3a, 0x0e, 0x68 } }; + EFI_GUID SHIM_LOCK_GUID = {0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } }; +EFI_GUID MOK_VARIABLE_STORE = {0xc451ed2b, 0x9694, 0x45d3, {0xba, 0xba, 0xed, 0x9f, 0x89, 0x88, 0xa3, 0x89} }; diff --git a/lib/print_crypto.c b/lib/print_crypto.c new file mode 100644 index 00000000..1bab0a6c --- /dev/null +++ b/lib/print_crypto.c @@ -0,0 +1,37 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent +/* + * Copyright 2019 SUSE LLC <glin@suse.com> + */ + +#include <efi.h> +#include <efilib.h> +#include <stdarg.h> + +#include "shim.h" + +#include <Library/BaseCryptLib.h> +#include <openssl/err.h> +#include <openssl/crypto.h> +#include <console.h> + +static int +print_errors_cb(const char *str, size_t len, void *u) +{ + console_print(L"%a", str); + + return len; +} + +EFI_STATUS +print_crypto_errors(EFI_STATUS efi_status, + char *file, const char *func, int line) +{ + if (!(verbose && EFI_ERROR(efi_status))) + return efi_status; + + console_print(L"SSL Error: %a:%d %a(): %r\n", file, line, func, + efi_status); + ERR_print_errors_cb(print_errors_cb, NULL); + + return efi_status; +} diff --git a/lib/security_policy.c b/lib/security_policy.c index 211f1cfd..6a9b13ed 100644 --- a/lib/security_policy.c +++ b/lib/security_policy.c 
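Review bot: `print_errors_cb` in the new lib/print_crypto.c ignores `len` and prints `str` with `%a`, which depends on the string being NUL-terminated, and it returns the `size_t` length through an `int`. A one-line comment stating that contract would help, for example `/* str is expected to be NUL-terminated; len is only returned so the caller keeps iterating */`. The unused `u` parameter could carry `__attribute__((unused))`, as the prototypes in lib/security_policy.c already do, so the file stays clean under stricter warning flags.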
@@ -1,8 +1,7 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent /* * Copyright 2012 <James.Bottomley@HansenPartnership.com> * - * see COPYING file - * * Install and remove a platform security2 override policy */ @@ -11,12 +10,7 @@ #include "shim.h" -#include <variables.h> -#include <simple_file.h> -#include <errors.h> - #if defined(OVERRIDE_SECURITY_POLICY) -#include <security_policy.h> /* * See the UEFI Platform Initialization manual (Vol2: DXE) for this @@ -60,7 +54,7 @@ extern EFI_STATUS thunk_security_policy_authentication( const EFI_SECURITY_PROTOCOL *This, UINT32 AuthenticationStatus, const EFI_DEVICE_PATH_PROTOCOL *DevicePath - ) + ) __attribute__((unused)); extern EFI_STATUS thunk_security2_policy_authentication( @@ -69,7 +63,7 @@ extern EFI_STATUS thunk_security2_policy_authentication( VOID *FileBuffer, UINTN FileSize, BOOLEAN BootPolicy - ) + ) __attribute__((unused)); static __attribute__((used)) EFI_STATUS @@ -112,7 +106,7 @@ security_policy_authentication ( ) { EFI_STATUS efi_status, fail_status; - EFI_DEVICE_PATH *DevPath + EFI_DEVICE_PATH *DevPath = DuplicateDevicePath((EFI_DEVICE_PATH *)DevicePathConst), *OrigDevPath = DevPath; EFI_HANDLE h; diff --git a/lib/shell.c b/lib/shell.c index e46e7fd2..87f279d6 100644 --- a/lib/shell.c +++ b/lib/shell.c @@ -1,8 +1,7 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent /* * Copyright 2012 <James.Bottomley@HansenPartnership.com> * - * see COPYING file - * * misc shell helper functions */ #include <efi.h> diff --git a/lib/simple_file.c b/lib/simple_file.c index 3bf92ed8..384b20ec 100644 --- a/lib/simple_file.c +++ b/lib/simple_file.c @@ -1,7 +1,6 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent /* * Copyright 2012 <James.Bottomley@HansenPartnership.com> - * - * see COPYING file */ #include <efi.h> 
@@ -403,10 +402,10 @@ simple_file_selector(EFI_HANDLE * im, CHAR16 ** title, CHAR16 * name, filter = L""; if (!*im) { EFI_HANDLE h; - CHAR16 *volname; + CHAR16 *volname = NULL; - simple_volume_selector(title, &volname, &h); - if (!volname) + efi_status = simple_volume_selector(title, &volname, &h); + if (EFI_ERROR(efi_status) || !volname) return; FreePool(volname); *im = h; diff --git a/lib/variables.c b/lib/variables.c index 9c2e7d0a..0431d4a2 100644 --- a/lib/variables.c +++ b/lib/variables.c @@ -1,22 +1,13 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent /* * Copyright 2012 <James.Bottomley@HansenPartnership.com> * - * see COPYING file - * * Portions of this file are a direct cut and paste from Tianocore * (http://tianocore.sf.net) * * SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c * * Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR> - * This program and the accompanying materials - * are licensed and made available under the terms and conditions of the BSD License - * which accompanies this distribution. The full text of the license may be found - * at - * http://opensource.org/licenses/bsd-license.php - * - * THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, - * WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. * */ #include <efi.h> 
@@ -25,33 +16,60 @@ #include "shim.h" EFI_STATUS -variable_create_esl(void *cert, int cert_len, EFI_GUID *type, EFI_GUID *owner, - void **out, int *outlen) +fill_esl(const uint8_t *data, const size_t data_len, + const EFI_GUID *type, const EFI_GUID *owner, + uint8_t *out, size_t *outlen) { - *outlen = cert_len + sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); + EFI_SIGNATURE_LIST *sl; + EFI_SIGNATURE_DATA *sd; + size_t needed = 0; - *out = AllocateZeroPool(*outlen); - if (!*out) - return EFI_OUT_OF_RESOURCES; + if (!data || !data_len || !type || !outlen) + return EFI_INVALID_PARAMETER; - EFI_SIGNATURE_LIST *sl = *out; + needed = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID) + data_len; + if (!out || *outlen < needed) { + *outlen = needed; + return EFI_BUFFER_TOO_SMALL; + } + + *outlen = needed; + sl = (EFI_SIGNATURE_LIST *)out; sl->SignatureHeaderSize = 0; sl->SignatureType = *type; - sl->SignatureSize = cert_len + sizeof(EFI_GUID); - sl->SignatureListSize = *outlen; - - EFI_SIGNATURE_DATA *sd = *out + sizeof(EFI_SIGNATURE_LIST); + sl->SignatureSize = sizeof(EFI_GUID) + data_len; + sl->SignatureListSize = needed; + sd = (EFI_SIGNATURE_DATA *)(out + sizeof(EFI_SIGNATURE_LIST)); if (owner) sd->SignatureOwner = *owner; - CopyMem(sd->SignatureData, cert, cert_len); + CopyMem(sd->SignatureData, data, data_len); return EFI_SUCCESS; } EFI_STATUS +variable_create_esl(const uint8_t *data, const size_t data_len, + const EFI_GUID *type, const EFI_GUID *owner, + uint8_t **out, size_t *outlen) +{ + EFI_STATUS efi_status; + + *outlen = 0; + efi_status = fill_esl(data, data_len, type, owner, NULL, outlen); + if (efi_status != EFI_BUFFER_TOO_SMALL) + return efi_status; + + *out = AllocateZeroPool(*outlen); + if (!*out) + return EFI_OUT_OF_RESOURCES; + + return fill_esl(data, data_len, type, owner, *out, outlen); +} + +EFI_STATUS CreateTimeBasedPayload(IN OUT UINTN * DataSize, IN OUT UINT8 ** Data) { EFI_STATUS efi_status; 
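Review bot: `fill_esl` computes `needed = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID) + data_len` with no upper bound on `data_len`, then stores it in `sl->SignatureSize` and `sl->SignatureListSize`, which are 32-bit fields in the UEFI signature-list layout, while `CopyMem` still copies the full `data_len`. A length above the 32-bit range would leave a header that disagrees with the buffer contents, and a length near the `size_t` maximum wraps `needed`, so the `*outlen < needed` test can pass for a buffer that is too small. Rejecting such input up front avoids both, e.g. `if (data_len > UINT32_MAX - sizeof(EFI_SIGNATURE_LIST) - sizeof(EFI_GUID)) return EFI_INVALID_PARAMETER;` (assuming `UINT32_MAX` is in scope here, as the use of `uint8_t` suggests). Separately, `variable_create_esl` writes `*outlen = 0` and later `*out` before anything has checked `outlen` or `out` for NULL, so the NULL test inside `fill_esl` does not protect the wrapper.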
@@ -123,8 +141,8 @@ CreateTimeBasedPayload(IN OUT UINTN * DataSize, IN OUT UINT8 ** Data) } EFI_STATUS -SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner, - UINT32 options, int createtimebased) +SetSecureVariable(const CHAR16 * const var, UINT8 *Data, UINTN len, + EFI_GUID owner, UINT32 options, int createtimebased) { EFI_SIGNATURE_LIST *Cert; UINTN DataSize; @@ -137,9 +155,9 @@ SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner, return EFI_SECURITY_VIOLATION; if (createtimebased) { - int ds; + size_t ds; efi_status = variable_create_esl(Data, len, &X509_GUID, NULL, - (void **)&Cert, &ds); + (uint8_t **)&Cert, &ds); if (EFI_ERROR(efi_status)) { console_print(L"Failed to create %s certificate %d\n", var, efi_status); @@ -159,7 +177,7 @@ SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner, return efi_status; } - efi_status = gRT->SetVariable(var, &owner, + efi_status = gRT->SetVariable((CHAR16 *)var, &owner, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | 
@@ -204,34 +222,39 @@ SETOSIndicationsAndReboot(UINT64 indications) } EFI_STATUS -get_variable_attr(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner, - UINT32 *attributes) +get_variable_attr(const CHAR16 * const var, UINT8 **data, UINTN *len, + EFI_GUID owner, UINT32 *attributes) { EFI_STATUS efi_status; *len = 0; - efi_status = gRT->GetVariable(var, &owner, NULL, len, NULL); + efi_status = gRT->GetVariable((CHAR16 *)var, &owner, NULL, len, NULL); if (efi_status != EFI_BUFFER_TOO_SMALL) { if (!EFI_ERROR(efi_status)) /* this should never happen */ return EFI_PROTOCOL_ERROR; return efi_status; } - *data = AllocateZeroPool(*len); + /* + * Add three zero pad bytes; at least one correctly aligned UCS-2 + * character. + */ + *data = AllocateZeroPool(*len + 3); if (!*data) return EFI_OUT_OF_RESOURCES; - efi_status = gRT->GetVariable(var, &owner, attributes, len, *data); + efi_status = gRT->GetVariable((CHAR16 *)var, &owner, attributes, len, *data); if (EFI_ERROR(efi_status)) { FreePool(*data); *data = NULL; } + return efi_status; } EFI_STATUS -get_variable(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner) +get_variable(const CHAR16 * const var, UINT8 **data, UINTN *len, EFI_GUID owner) { return get_variable_attr(var, data, len, owner, NULL); } @@ -254,7 +277,8 @@ find_in_esl(UINT8 *Data, UINTN DataSize, UINT8 *key, UINTN keylen) } EFI_STATUS -find_in_variable_esl(CHAR16* var, EFI_GUID owner, UINT8 *key, UINTN keylen) +find_in_variable_esl(const CHAR16 * const var, EFI_GUID owner, UINT8 *key, + UINTN keylen) { UINTN DataSize = 0; UINT8 *Data = NULL; @@ -305,7 +329,7 @@ variable_is_secureboot(void) } EFI_STATUS -variable_enroll_hash(CHAR16 *var, EFI_GUID owner, +variable_enroll_hash(const CHAR16 * const var, EFI_GUID owner, UINT8 hash[SHA256_DIGEST_SIZE]) { EFI_STATUS efi_status; 
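Review bot: `AllocateZeroPool(*len + 3)` in `get_variable_attr` adds to a size reported by the firmware without checking for wrap-around, while the second `GetVariable` call is still told the buffer holds `*len` bytes. A guard such as `if (*len > (UINTN)-1 - 3) return EFI_INVALID_PARAMETER;` before the allocation keeps the two consistent. The padding is not reflected in `*len`, so the function comment should say that callers receive `*len` bytes of data followed by zero bytes and must not treat the pad as part of the variable. The cast `(CHAR16 *)var` drops `const` only because the runtime-service prototype takes a non-const name; a short comment saying so would keep it from reading as a const-correctness slip, and the same cast recurs in `SetSecureVariable` and `variable_enroll_hash`.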
@@ -330,7 +354,7 @@ variable_enroll_hash(CHAR16 *var, EFI_GUID owner, efi_status = SetSecureVariable(var, sig, sizeof(sig), owner, EFI_VARIABLE_APPEND_WRITE, 0); else - efi_status = gRT->SetVariable(var, &owner, + efi_status = gRT->SetVariable((CHAR16 *)var, &owner, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_APPEND_WRITE, |
