[Skiboot] [PATCH v2 09/12] secvar/backend: add edk2 derived key updates processing
Stefan Berger
stefanb at linux.ibm.com
Thu Jan 23 12:55:16 AEDT 2020
On 1/19/20 9:36 PM, Eric Richter wrote:
> From: Nayna Jain <nayna at linux.ibm.com>
>
> As part of secureboot key management, the scheme for handling key updates
> is derived from tianocore reference implementation[1]. The wrappers for
> holding the signed update is the Authentication Header and for holding
> the public key certificate is ESL (EFI Signature List), both derived from
> tianocore reference implementation[1].
>
> This patch adds the support to process update queue. This involves:
> 1. Verification of the update signature using the key authorized as per the
> key hierarchy
> 2. Handling addition/deletion of the keys
> 3. Support for dbx(blacklisting of hashes)
> 4. Validation checks for the updates
> 5. Supporting multiple ESLs for single variable both for update/verification
> 6. Timestamp check
> 7. Allowing only single PK
> 8. Failure Handling
>
> [1] https://github.com/tianocore/edk2-staging.git
>
> Signed-off-by: Nayna Jain <nayna at linux.ibm.com>
> Signed-off-by: Eric Richter <erichte at linux.ibm.com>
> ---
>
> V5:
> - Finalizes the previous version to a complete version taking care
> of validation, multiple ESLs, single PK, dbx support, timestamp checks and
> failure handling.
>
> doc/secvar/edk2.rst | 49 ++
> include/secvar.h | 1 +
> libstb/secvar/backend/Makefile.inc | 4 +-
> libstb/secvar/backend/edk2-compat.c | 877 ++++++++++++++++++++++++++++
> libstb/secvar/backend/edk2.h | 243 ++++++++
> 5 files changed, 1172 insertions(+), 2 deletions(-)
> create mode 100644 doc/secvar/edk2.rst
> create mode 100644 libstb/secvar/backend/edk2-compat.c
> create mode 100644 libstb/secvar/backend/edk2.h
>
> diff --git a/doc/secvar/edk2.rst b/doc/secvar/edk2.rst
> new file mode 100644
> index 00000000..e0c29457
> --- /dev/null
> +++ b/doc/secvar/edk2.rst
> @@ -0,0 +1,49 @@
> +.. _secvar/edk2:
> +
> +Skiboot edk2-compatible Secure Variable Backend
> +===============================================
> +
> +Overview
> +--------
> +
> +The edk2 secure variable backend for skiboot borrows from edk2 concepts
> +such as the three key hierarchy (PK, KEK, and db), and a similar
> +structure. In general, variable updates must be signed with a key
> +of a higher level. So, updates to the db must be signed with a key stored
> +in the KEK; updates to the KEK must be signed with the PK. Updates to the
> +PK must be signed with the previous PK (if any).
> +
> +Variables are stored in the efi signature list format, and updates are a
> +signed variant that includes an authentication header.
> +
> +If no PK is currently enrolled, the system is considered to be in "Setup
> +Mode". Any key can be enrolled without signature checks. However, once a
> +PK is enrolled, the system switches to "User Mode", and each update must
> +now be signed according to the hierarchy. Furthermore, when in "User
> +Mode", the backend initialized the ``os-secure-mode`` device tree flag,
> +signaling to the kernel that we are in secure mode.
> +
> +Updates are processed sequentially, in the order that they were provided
> +in the update queue. If any update fails to validate, appears to be
> +malformed, or any other error occurs, NO updates will not be applied.
> +This includes updates that may have successfully applied prior to the
> +error. The system will continue in an error state, reporting the error
> +reason via the ``update-status`` device tree property.
> +
> +P9 Special Case for the Platform Key
> +------------------------------------
> +
> +Due to the powerful nature of the platform key and the lack of lockable
> +flash, the edk2 backend will store the PK in TPM NV rather than PNOR on
> +P9 systems. (TODO expand on this)
> +
> +Update Status Return Codes
> +--------------------------
> +
> +TODO, edk2 driver needs to actually return these properly first
> +
> +
> +Device Tree Bindings
> +--------------------
> +
> +TODO
You intend to fill these ?
> diff --git a/include/secvar.h b/include/secvar.h
> index 2875c700..8b701e00 100644
> --- a/include/secvar.h
> +++ b/include/secvar.h
> @@ -24,6 +24,7 @@ struct secvar_backend_driver {
> };
>
> extern struct secvar_storage_driver secboot_tpm_driver;
> +extern struct secvar_backend_driver edk2_compatible_v1;
>
> int secvar_main(struct secvar_storage_driver, struct secvar_backend_driver);
>
> diff --git a/libstb/secvar/backend/Makefile.inc b/libstb/secvar/backend/Makefile.inc
> index cc1a49fa..1c1896ab 100644
> --- a/libstb/secvar/backend/Makefile.inc
> +++ b/libstb/secvar/backend/Makefile.inc
> @@ -1,11 +1,11 @@
> # SPDX-License-Identifier: Apache-2.0
> # -*-Makefile-*-
>
> -SECVAR_BACKEND_DIR = libstb/secvar/backend
> +SECVAR_BACKEND_DIR = $(SRC)/libstb/secvar/backend
>
> SUBDIRS += $(SECVAR_BACKEND_DIR)
>
> -SECVAR_BACKEND_SRCS =
> +SECVAR_BACKEND_SRCS = edk2-compat.c
> SECVAR_BACKEND_OBJS = $(SECVAR_BACKEND_SRCS:%.c=%.o)
> SECVAR_BACKEND = $(SECVAR_BACKEND_DIR)/built-in.a
>
> diff --git a/libstb/secvar/backend/edk2-compat.c b/libstb/secvar/backend/edk2-compat.c
> new file mode 100644
> index 00000000..b99738b1
> --- /dev/null
> +++ b/libstb/secvar/backend/edk2-compat.c
> @@ -0,0 +1,877 @@
> +// SPDX-License-Identifier: Apache-2.0
> +/* Copyright 2019 IBM Corp. */
> +#ifndef pr_fmt
> +#define pr_fmt(fmt) "EDK2_COMPAT: " fmt
> +#endif
> +
> +#include <opal.h>
> +#include <string.h>
> +#include <time.h>
> +#include <unistd.h>
> +#include <stdint.h>
> +#include <ccan/endian/endian.h>
> +#include "libstb/crypto/pkcs7/pkcs7.h"
> +#include "edk2.h"
> +#include "opal-api.h"
> +#include "../secvar.h"
> +#include "../secvar_devtree.h"
> +#include "../secvar_tpmnv.h"
> +#include <mbedtls/error.h>
> +
> +#define TPMNV_ID_EDK2_PK 0x4532504b // E2PK
> +
> +static bool setup_mode;
> +
> +//struct efi_time *timestamp_list;
remove if not needed
> +
> +/*
> + * Converts utf8 string to ucs2
> + */
> +static char *utf8_to_ucs2(const char *key, const char keylen)
size_t keylen ?
> +{
> + int i;
> + char *str;
> + str = zalloc(keylen * 2);
str = NULL check ?
> +
> + for (i = 0; i < keylen*2; key++) {
> + str[i++] = *key;
> + str[i++] = '\0';
> + }
> + return str;
> +}
> +
> +/*
> + * Returns true if key1 = key2
> + */
> +static bool key_equals(const char *key1, const char *key2)
> +{
return !strcmp(key1, key2);
> + if (memcmp(key1, key2, strlen(key2)+1) == 0)
> + return true;
> +
> + return false;
> +}
> +
> +/**
> + * Returns the authority that can sign the given key update
> + */
> +static void get_key_authority(const char *ret[3], const char *key)
> +{
> + int i = 0;
> +
> + memset(ret, 0, sizeof(char *) * 3);
Shouldn't be necessary since you are NULL-terminating the array and
presumably all callers stop once they see the NULL.
> + if (key_equals(key, "PK"))
> + ret[i++] = "PK";
> + if (key_equals(key, "KEK"))
> + ret[i++] = "PK";
> + if (key_equals(key, "db") || key_equals(key, "dbx")) {
> + ret[i++] = "KEK";
> + ret[i++] = "PK";
> + }
> + ret[i] = NULL;
> +}
> +
> +/*
> + * PK needs to be stored in the TPMNV space if on p9
> + * We store it using the form <u64:esl size><esl data>, the
> + * extra secvar headers are unnecessary
> + */
> +static int edk2_p9_load_pk(void)
> +{
> + struct secvar_node *pkvar;
> + uint64_t size;
> + int rc;
> +
> + // Ensure it exists
> + rc = secvar_tpmnv_alloc(TPMNV_ID_EDK2_PK, -1);
check rc now that you have it
> +
> + // Peek to get the size
> + rc = secvar_tpmnv_read(TPMNV_ID_EDK2_PK, &size, sizeof(size), 0);
> + if (rc == OPAL_EMPTY)
> + return 0;
Is this OPAL_SUCCESS?
> + else if (rc)
> + return -1;
Isn't there a better return code for 0 and -1. Below you return OPAL_*
return codes.
> +
> + if (size > secvar_storage.max_var_size)
> + return OPAL_RESOURCE;
> +
> + pkvar = alloc_secvar(size);
NULL ptr check
> + memcpy(pkvar->var->key, "PK", 3);
> + pkvar->var->key_len = 3;
> + pkvar->var->data_size = size;
> + pkvar->flags |= SECVAR_FLAG_VOLATILE;
> +
> + rc = secvar_tpmnv_read(TPMNV_ID_EDK2_PK, pkvar->var->data, pkvar->var->data_size, sizeof(pkvar->var->data_size));
> + if (rc)
> + return rc;
this returns an OPAL_ error code following what I see in secvar_tpmnv_read
> +
> + list_add_tail(&variable_bank, &pkvar->link);
> +
> + return OPAL_SUCCESS;
> +}
> +
> +/*
> + * Writes the PK to the TPM.
> + */
> +static int edk2_p9_write_pk(void)
> +{
> + char *tmp;
> + int32_t tmpsize;
> + struct secvar_node *pkvar;
> + int rc;
> +
> + pkvar = find_secvar("PK", 3, &variable_bank);
find_secvar cannot do a strlen() + 1 on the name? All callers seem to
have to pass the length of the string + 1.
> +
> + // Should not happen
> + if (!pkvar)
> + return OPAL_INTERNAL_ERROR;
> +
> + // Reset the pk flag to volatile on p9
> + pkvar->flags |= SECVAR_FLAG_VOLATILE;
> +
> + tmpsize = secvar_tpmnv_size(TPMNV_ID_EDK2_PK);
> + if (tmpsize < 0) {
> + prlog(PR_ERR, "TPMNV space for PK was not allocated properly\n");
> + return OPAL_RESOURCE;
> + }
> + if (tmpsize < pkvar->var->data_size + sizeof(pkvar->var->data_size)) {
> + prlog(PR_ERR, "TPMNV PK space is insufficient, %d < %llu\n", tmpsize,
> + // Cast needed because x86 compiler complains building the test
> + (long long unsigned) pkvar->var->data_size + sizeof(pkvar->var->data_size));
> + return OPAL_RESOURCE;
> + }
> +
> + tmp = zalloc(tmpsize);
a rare NULL pointer check; good
> + if (!tmp)
> + return OPAL_NO_MEM;
> +
> + memcpy(tmp, &pkvar->var->data_size, sizeof(pkvar->var->data_size));
> + memcpy(tmp + sizeof(pkvar->var->data_size),
> + pkvar->var->data,
> + pkvar->var->data_size);
> +
> + tmpsize = pkvar->var->data_size + sizeof(pkvar->var->data_size);
> +
> + rc = secvar_tpmnv_write(TPMNV_ID_EDK2_PK, tmp, tmpsize, 0);
> +
> + free(tmp);
> +
> + return rc;
> +}
> +
> +/*
> + * Returns the size of the ESL.
> + */
> +static int get_esl_signature_list_size(char *buf)
should probably have a size_t buflen ...
> +{
> + EFI_SIGNATURE_LIST list;
> +
> + memcpy(&list, buf, sizeof(EFI_SIGNATURE_LIST));
... so you know you enough bytes to copy ...
> +
> + prlog(PR_DEBUG, "size of signature list size is %u\n", le32_to_cpu(list.SignatureListSize));
> +
> + return le32_to_cpu(list.SignatureListSize);
... and access this field here
> +}
> +
> +/*
> + * Returns the size of the certificate contained in the ESL.
> + */
> +static int get_esl_cert_size(char *buf)
Same thing here: size_t buflen
> +{
> + EFI_SIGNATURE_LIST list;
> + uint32_t sigsize;
> +
> + memcpy(&list, buf, sizeof(EFI_SIGNATURE_LIST));
> +
> + sigsize = le32_to_cpu(list.SignatureListSize) - sizeof(list)
> + - le32_to_cpu(list.SignatureHeaderSize) - sizeof(uuid_t);
> +
> + prlog(PR_DEBUG, "sig size is %u\n", sigsize);
> + return sigsize;
> +}
> +
> +/*
> + * Copies the certificate from the ESL into cert buffer.
> + */
> +static int get_esl_cert(char *buf, char **cert)
Also here...
> +{
> + int sig_data_offset;
> + int size;
> + EFI_SIGNATURE_LIST list;
> +
> + memset(&list, 0, sizeof(EFI_SIGNATURE_LIST));
> + memcpy(&list, buf, sizeof(EFI_SIGNATURE_LIST));
Memset above seems useless ; just heats up memory :-)
> +
> + prlog(PR_DEBUG,"size of signature list size is %u\n", le32_to_cpu(list.SignatureListSize));
> + prlog(PR_DEBUG, "size of signature header size is %u\n", le32_to_cpu(list.SignatureHeaderSize));
> + prlog(PR_DEBUG, "size of signature size is %u\n", le32_to_cpu(list.SignatureSize));
> + sig_data_offset = sizeof(list.SignatureType)
> + + sizeof(list.SignatureListSize)
> + + sizeof(list.SignatureHeaderSize)
> + + sizeof(list.SignatureSize)
> + + le32_to_cpu(list.SignatureHeaderSize)
> + + 16 * sizeof(uint8_t);
> +
> + size = le32_to_cpu(list.SignatureSize) - sizeof(uuid_t);
> +
> + memcpy(*cert, buf + sig_data_offset, size);
Why do you need **cert here is you don't allocated the memory for it? Do
you know *cert is big enough for this size?
> +
> + return size;
> +}
> +
> +/*
> + * Extracts size of the PKCS7 signed data embedded in the
> + * struct Authentication 2 Descriptor Header.
> + */
> +static int get_pkcs7_len(struct efi_variable_authentication_2 *auth)
> +{
> + uint32_t dw_length = le32_to_cpu(auth->auth_info.hdr.dw_length);
> + int size;
ssize_t here or size_t ?
> +
> + size = dw_length - (sizeof(auth->auth_info.hdr.dw_length)
> + + sizeof(auth->auth_info.hdr.w_revision)
> + + sizeof(auth->auth_info.hdr.w_certificate_type)
> + + sizeof(auth->auth_info.cert_type));
> +
> + return size;
Better not be <0 ?
> +}
> +
> +/*
> + * Return the timestamp from the Authentication 2 Descriptor.
> + */
> +static int get_timestamp_from_auth(char *data, struct efi_time **timestamp)
> +{
> + *timestamp = (struct efi_time *) data;
I trust you can just cast it like this. Without any checks it that it
does it could just be
struct efi_time *get_timestamp_from_auth(char *data)
But this is just a simple cast you could do where it appears. So I doubt
you need the function unless you wanted to do some sanity checks here.
> +
> + return 0;
> +}
> +
> +/*
> + * This function outputs the Authentication 2 Descriptor in the
> + * auth_buffer and returns the size of the buffer.
> + */
> +static int get_auth_descriptor2(void *data, char **auth_buffer)
size_t datalen ??
> +{
> + struct efi_variable_authentication_2 *auth = data;
> + uint64_t auth_buffer_size;
> + int len;
ssize_t len
> +
> + if (!auth_buffer)
> + return OPAL_PARAMETER;
> +
> + len = get_pkcs7_len(auth);
> + if (len < 0)
> + return OPAL_NO_MEM;
> +
> + auth_buffer_size = sizeof(auth->timestamp) + sizeof(auth->auth_info.hdr)
> + + sizeof(auth->auth_info.cert_type) + len;
> +
> + *auth_buffer = zalloc(auth_buffer_size);
> + if (!(*auth_buffer))
> + return OPAL_NO_MEM;
> +
> + memcpy(*auth_buffer, data, auth_buffer_size);
Are you sure you have enough bytes in data?
> +
> + return auth_buffer_size;
> +}
> +
> +/* Check that PK has single ESL */
> +static bool is_single_pk(char *data, uint64_t data_size)
> +{
> + char *auth_buffer = NULL;
> + uint64_t auth_buffer_size = 0;
> + char *newesl = NULL;
> + uint64_t new_data_size = 0;
> + int esllistsize;
> +
> + auth_buffer_size = get_auth_descriptor2(data, &auth_buffer);
> + printf("auth buffer size is %d\n", (int)auth_buffer_size);
this is probably debug-only output
> + free(auth_buffer);
> + if (auth_buffer_size <= 0)
> + return false;
> +
> + /* Calculate the size of new ESL data */
> + new_data_size = data_size - auth_buffer_size;
> + printf("new data size is %d\n", (int)new_data_size);
> +
> + if (!new_data_size)
> + return true;
> +
> + newesl = zalloc(new_data_size);
NULL check
> + memcpy(newesl, data + auth_buffer_size, new_data_size);
> +
> + esllistsize = get_esl_signature_list_size(newesl);
> + printf("esl list size is %d\n", esllistsize);
> + free(newesl);
> + if (new_data_size > esllistsize)
> + return false;
> +
> + return true;
> +}
> +
> +/*
> + * Initializes supported variables as empty if not loaded from
> + * storage. Variables are initialized as volatile if not found.
> + * Updates should clear this flag.
> +ec*
> + * Returns OPAL Error if anything fails in initialization
> + */
> +static int edk2_compat_pre_process(void)
> +{
> + struct secvar_node *pkvar;
> + struct secvar_node *kekvar;
> + struct secvar_node *dbvar;
> + struct secvar_node *dbxvar;
> + struct secvar_node *tsvar;
> +
> + // If we are on p9, we need to store the PK in write-lockable
> + // TPMNV space, as we determine our secure mode based on if this
> + // variable exists.
> + // NOTE: Activation of this behavior is subject to change in a later
> + // patch version, ideally the platform should be able to configure
> + // whether it wants this extra protection, or to instead store
> + // everything via the storage driver.
> + if (proc_gen == proc_gen_p9)
> + edk2_p9_load_pk();
> +
> + pkvar = find_secvar("PK", 3, &variable_bank);
> + if (!pkvar) {
> + pkvar = alloc_secvar(0);
> + if (!pkvar)
> + return OPAL_NO_MEM;
> +
> + memcpy(pkvar->var->key, "PK", 3);
> + pkvar->var->key_len = 3;
a helper function like secvar_new(0, "PK", 3, SECVAR_FLAG_VOLATILE)
would be good ...
better yet: don't pass '3' but let alloc_secvar run strlen(). Is there a
reason why pkvar->var->key_len is needed? It looks like key always has a
string and key_len is strlen() + 1. Seems redundant to have to set key_len.
> + pkvar->flags |= SECVAR_FLAG_VOLATILE;
> + list_add_tail(&variable_bank, &pkvar->link);
> + }
> + if (pkvar->var->data_size == 0)
> + setup_mode = true;
> + else
> + setup_mode = false;
> +
> + kekvar = find_secvar("KEK", 4, &variable_bank);
> + if (!kekvar) {
> + kekvar = alloc_secvar(0);
> + if (!kekvar)
> + return OPAL_NO_MEM;
> +
> + memcpy(kekvar->var->key, "KEK", 4);
> + kekvar->var->key_len = 4;
> + kekvar->flags |= SECVAR_FLAG_VOLATILE;
... would save some code
> + list_add_tail(&variable_bank, &kekvar->link);
> + }
> +
> + dbvar = find_secvar("db", 3, &variable_bank);
> + if (!dbvar) {
> + dbvar = alloc_secvar(0);
> + if (!dbvar)
> + return OPAL_NO_MEM;
> +
> + memcpy(dbvar->var->key, "db", 3);
> + dbvar->var->key_len = 3;
> + dbvar->flags |= SECVAR_FLAG_VOLATILE;
again
> + list_add_tail(&variable_bank, &dbvar->link);
> + }
> +
> + dbxvar = find_secvar("dbx", 4, &variable_bank);
> + if (!dbxvar) {
> + dbxvar = alloc_secvar(0);
> + if (!dbxvar)
> + return OPAL_NO_MEM;
> +
> + memcpy(dbxvar->var->key, "dbx", 4);
> + dbxvar->var->key_len = 4;
> + dbxvar->flags |= SECVAR_FLAG_VOLATILE;
and again
> + list_add_tail(&variable_bank, &dbxvar->link);
> + }
> +
> + tsvar = find_secvar("TS", 3, &variable_bank);
> + // Should only ever happen on first boot
> + if (!tsvar) {
> + tsvar = alloc_secvar(sizeof(struct efi_time) * 4);
> + if (!tsvar)
> + return OPAL_NO_MEM;
> +
> + memcpy(tsvar->var->key, "TS", 3);
> + tsvar->var->key_len = 3;
yet again
> + tsvar->var->data_size = sizeof(struct efi_time) * 4;
> + memset(tsvar->var->data, 0, tsvar->var->data_size);
also allow passing data_size and data to this secvar_new()
> + //tsvar->flags |= SECVAR_FLAG_VOLATILE;
commented ?
> + list_add_tail(&variable_bank, &tsvar->link);
> + }
> +
> + return OPAL_SUCCESS;
> +};
> +
> +/**
> + * Returns true if we are in Setup Mode
> + *
> + * Setup Mode is active if we have no PK.
> + * Otherwise, we are in user mode.
> + */
> +/**
> +static int is_setup_mode(void)
bool would be better because you say you want to return 'true'
> +{
> + struct secvar_node *setup;
> +
> + setup = find_secvar((char *)"PK", 3, &variable_bank);
why cast ?
> +
> + // Not sure why this wouldn't exist
> + if (!setup)
> + return 1;
true ?
> +
> + return !setup->var->data_size;
> +}
> +**/
> +
> +/**
> + * Update the variable with the new value.
> + */
> +static int add_to_variable_bank(struct secvar *secvar, void *data, uint64_t dsize)
> +{
> + struct secvar_node *node;
> +
> + node = find_secvar(secvar->key, secvar->key_len, &variable_bank);
> + if (!node)
> + return OPAL_INTERNAL_ERROR;
> +
> + // Expand the secvar allocated memory if needed
> + if (node->size < dsize)
> + if (realloc_secvar(node, dsize))
Is this call correct? Shouldn't it be node = realloc_secvar(node, dsize)
or realloc_secvar(&node, dsize)?
> + return OPAL_NO_MEM;
> +
> + node->var->data_size = dsize;
> + memcpy(node->var->data, data, dsize);
> + node->flags &= ~SECVAR_FLAG_VOLATILE; // Clear the volatile bit when updated
> +
> + return 0;
OPAL_SUCCESS?
> +}
> +
> +static struct efi_time *get_last_timestamp(char *key)
const char *key
> +{
> + struct secvar_node *node;
> + struct efi_time *prev;
> + char *timestamp_list;
> + u8 off;
> +
> + node = find_secvar("TS", 3, &variable_bank);
node NULL check ?
> + if (!strncmp(key, "PK", 3))
> + off = 0;
> + else if (!strncmp(key, "KEK", 4))
> + off = 1;
> + else if (!strncmp(key, "db", 3))
> + off = 2;
> + else if (!strncmp(key, "dbx", 4))
> + off = 3;
> + else
> + return NULL; // unexpected variable name?
> +
> + timestamp_list = node->var->data;
> + if (!timestamp_list)
> + return NULL;
> +
> + prev = (struct efi_time *) (timestamp_list + (off * sizeof(struct efi_time)));
Looks like you are accessing an array
return &((struct efi_time *)timestamplist)[index];
> +
> + return prev;
> +}
> +
> +// Update the TS variable with the new timestamp
Sometimes comments are with /* */, this one is //. I guess you need to
be more consistent.
> +static int update_timestamp(char *key, struct efi_time *timestamp)
> +{
> + struct efi_time *prev;
> +
> + prev = get_last_timestamp(key);
> + if (prev == NULL)
> + return OPAL_PARAMETER;
> +
> + memcpy(prev, timestamp, sizeof(struct efi_time));
> +
> + printf("updated prev year is %d month %d day %d\n", le16_to_cpu(prev->year), prev->month, prev->day);
> +// add_to_variable_bank(node->var, timestamp_list, node->var->data_size);
remove if not needed
> +
> + return OPAL_SUCCESS;
> +}
> +
> +static int check_timestamp(char *key, struct efi_time *timestamp)
> +{
> + struct efi_time *prev;
> + char *current = NULL;
> + char *last =NULL;
> + int s1 = 0;
> +
> + prev = get_last_timestamp(key);
> + if (prev == NULL)
> + return OPAL_PARAMETER;
> +
> + printf("timestamp year is %d month %d day %d\n", le16_to_cpu(timestamp->year), timestamp->month, timestamp->day);
> + printf("prev year is %d month %d day %d\n", le16_to_cpu(prev->year), prev->month, prev->day);
> + if (le16_to_cpu(timestamp->year) > le16_to_cpu(prev->year))
> + return OPAL_SUCCESS;
> + if (le16_to_cpu(timestamp->year) < le16_to_cpu(prev->year))
> + return OPAL_PERMISSION;
> +
> + current = &(timestamp->month);
> + last = &(prev->month);
> +
> + s1 = memcmp(current, last, 5);
there must be something better than magic '5'; some sizeof() would look
better. What are you comparing? Put a comment there. It seems to be the
order of month, day, hours, minutes and seconds.
> + if (s1 <= 0) {
> + printf("s1 is %d\n", s1);
remove debug output
Equal time is reason for OPAL_PERMISSION?
> + return OPAL_PERMISSION;
> + }
> +
> + return OPAL_SUCCESS;
> +}
> +
> +/*
> + * Verify the PKCS7 signature on the signed data.
> + */
> +static int verify_signature(void *auth_buffer, char *newcert,
> + uint64_t new_data_size, struct secvar *avar)
> +{
> + struct efi_variable_authentication_2 *auth;
> + mbedtls_pkcs7 *pkcs7;
> + mbedtls_x509_crt x509;
> + char *checkpkcs7cert;
> + char *signing_cert = NULL;
> + char *x509_buf;
> + int len;
> + int signing_cert_size;
> + int rc;
> + char *errbuf;
> + int eslvarsize;
> + int offset = 0;
> +
> + auth = auth_buffer;
you know you have enough bytes for this cast here ? you cannot just pass
in struct efi_variable_..._2 * ?
> + len = get_pkcs7_len(auth);
above you compare if (len < 0) --- do this also here.
> + pkcs7 = malloc(sizeof(struct mbedtls_pkcs7));
NULL pointer check
> + mbedtls_pkcs7_init(pkcs7);
> +
> + rc = mbedtls_pkcs7_parse_der(
> + (const unsigned char *)auth->auth_info.cert_data,
> + (const unsigned int)len, pkcs7);
> + if (rc) {
> + prlog(PR_ERR, "Parsing pkcs7 failed %04x\n", rc);
> + goto pkcs7out;
> + }
> +
> + checkpkcs7cert = zalloc(2048);
NULL pointer check
> + mbedtls_x509_crt_info(checkpkcs7cert, 2048, "CRT:", &(pkcs7->signed_data.certs));
Does this have a return value?
> + prlog(PR_DEBUG, "%s \n", checkpkcs7cert);
> + free(checkpkcs7cert);
> +
> + prlog(PR_INFO, "Load the signing certificate from the keystore");
> +
> + eslvarsize = avar->data_size;
> +
> + while (eslvarsize > 0) {
> + prlog(PR_DEBUG, "esl var size size is %d offset is %d\n", eslvarsize, offset);
> + if (eslvarsize < sizeof(EFI_SIGNATURE_LIST))
> + break;
> +
> + signing_cert_size = get_esl_cert_size(avar->data + offset);
> + if (!signing_cert_size) {
> + rc = OPAL_PERMISSION;
> + break;
> + }
> +
> + signing_cert = zalloc(signing_cert_size);
NULL pointer check... also further below.
> + get_esl_cert(avar->data + offset, &signing_cert);
> +
> + mbedtls_x509_crt_init(&x509);
> + rc = mbedtls_x509_crt_parse(&x509, signing_cert, signing_cert_size);
> +
> + /* If failure in parsing the certificate, try next */
> + if(rc) {
> + prlog(PR_INFO, "X509 certificate parsing failed %04x\n", rc);
> + goto next;
> + }
> +
> + x509_buf = zalloc(2048);
unsigned char x509_buf[2048];
> + mbedtls_x509_crt_info(x509_buf, 2048, "CRT:", &x509);
Check return code ?
> + prlog(PR_INFO, "%s \n", x509_buf);
> + free(x509_buf);
> + rc = mbedtls_pkcs7_signed_data_verify(pkcs7, &x509, newcert, new_data_size);
> +
> + /* If find a signing certificate, you are done */
If you find ...
> + if (rc == 0) {
> + if (signing_cert)
> + free(signing_cert);
No need to check for NULL.
> + mbedtls_x509_crt_free(&x509);
> + prlog(PR_INFO, "Signature Verification passed\n");
> + break;
> + }
> +
> + errbuf = zalloc(1024);
this one you could have allocated above
char errbuf[1024];
> + mbedtls_strerror(rc, errbuf, 1024);
> + prlog(PR_INFO, "Signature Verification failed %02x %s\n", rc, errbuf);
> + free(errbuf);
> +
> +next:
> + offset += get_esl_signature_list_size(avar->data + offset);
> + eslvarsize = eslvarsize - offset;
> + mbedtls_x509_crt_free(&x509);
> + if (signing_cert)
> + free(signing_cert);
again no need to check, just free()
> +
> + }
> +
> +pkcs7out:
> + mbedtls_pkcs7_free(pkcs7);
IMO, this function should also free(pkcs7).
> + free(pkcs7);
this should not be necessary
> +
> + return rc;
> +}
> +
> +
> +/**
> + * Create the single buffer
> + * name || vendor guid || attributes || timestamp || newcontent
> + * which is submitted as signed by the user.
> + */
> +static int get_data_to_verify(char *key, char *new_data,
Return type should be char *, returning NULL if OOM.
> + uint64_t new_data_size,
size_t
> + char **buffer,
> + uint64_t *buffer_size, struct efi_time *timestamp)
size_t
> +{
> + le32 attr = cpu_to_le32(SECVAR_ATTRIBUTES);
> + int size = 0;
> + int varlen;
> + char *wkey;
> + uuid_t guid;
> +
> + if (key_equals(key, "PK")
> + || key_equals(key, "KEK"))
> + guid = EFI_GLOBAL_VARIABLE_GUID;
> +
> + if (key_equals(key, "db")
else if
> + || key_equals(key, "dbx"))
> + guid = EFI_IMAGE_SECURITY_DATABASE_GUID;
> +
> + // Convert utf8 name to ucs2 width
> + varlen = strlen(key) * 2;
varlen should be size_t
> + wkey = utf8_to_ucs2(key, strlen(key));
> +
> + // Prepare the single buffer
> + *buffer_size = varlen + UUID_SIZE + sizeof(attr)
> + + sizeof(struct efi_time) + new_data_size;
> + *buffer = zalloc(*buffer_size);
null ptr check
> +
> + memcpy(*buffer + size, wkey, varlen);
rename size to offset, probably of type off_t ?
> + size = size + varlen;
> + memcpy(*buffer + size, &guid, sizeof(guid));
> + size = size + sizeof(guid);
> + memcpy(*buffer + size, &attr, sizeof(attr));
> + size = size + sizeof(attr);
> + memcpy(*buffer + size, timestamp , sizeof(struct efi_time));
> + size = size + sizeof(struct efi_time);
> +
> + memcpy(*buffer + size, new_data, new_data_size);
> + size = size + new_data_size;
this last one isn't necessary anymore
> +
> + free(wkey);
> +
> + return 0;
> +}
> +
> +static int edk2_compat_process(void)
> +{
> + char *auth_buffer = NULL;
> + uint64_t auth_buffer_size = 0;
size_t
> + struct efi_time *timestamp = NULL;
> + const char *key_authority[3];
> + char *newesl = NULL;
> + uint64_t new_data_size = 0;
size_t
> + char *tbhbuffer = NULL;
> + uint64_t tbhbuffersize = 0;
> + struct secvar_node *anode = NULL;
> + struct secvar_node *node = NULL;
> + int rc = 0;
> + int pk_updated = 0;
> + int i;
> +
> + //setup_mode = is_setup_mode();
> + prlog(PR_INFO, "Setup mode = %d\n", setup_mode);
> +
> + /* Loop through each command in the update bank.
> + * If any command fails, it just loops out of the update bank.
> + * It should also clear the update bank.
> + */
> + list_for_each(&update_bank, node, link) {
> +
> + /* Submitted data is auth_2 descriptor + new ESL data
> + * Extract the auth_2 2 descriptor
> + */
> + printf("setup mode is %d\n", setup_mode);
> + prlog(PR_INFO, "update for %s\n", node->var->key);
> + auth_buffer_size = get_auth_descriptor2(node->var->data, &auth_buffer);
> + if (auth_buffer_size <= 0)
> + return OPAL_PARAMETER;
> +
> + if (node->var->data_size < auth_buffer_size) {
> + rc = OPAL_PARAMETER;
> + goto out;
> + }
> +
> + rc = get_timestamp_from_auth(auth_buffer, ×tamp);
> + if (rc < 0)
> + goto out;
> +
> + rc = check_timestamp(node->var->key, timestamp);
> + if (rc)
> + goto out;
> +
> + /* Calculate the size of new ESL data */
> + new_data_size = node->var->data_size - auth_buffer_size;
> + newesl = zalloc(new_data_size);
> + memcpy(newesl, node->var->data + auth_buffer_size, new_data_size);
> +
> + if (!setup_mode) {
> + /* Prepare the data to be verified */
> + rc = get_data_to_verify(node->var->key, newesl,
> + new_data_size, &tbhbuffer,
> + &tbhbuffersize, timestamp);
> +
> + /* Get the authority to verify the signature */
> + get_key_authority(key_authority, node->var->key);
> + i = 0;
> +
> + /* Try for all the authorities that are allowed to sign.
> + * For eg. db/dbx can be signed by both PK or KEK
> + */
> + while (key_authority[i] != NULL) {
> + prlog(PR_DEBUG, "key is %s\n", node->var->key);
> + prlog(PR_DEBUG, "key authority is %s\n", key_authority[i]);
> + anode = find_secvar(key_authority[i], strlen(key_authority[i]) + 1,
> + &variable_bank);
> + if (!anode) {
> + rc = OPAL_PERMISSION;
> + goto out;
> + }
> + if (anode->var->data_size == 0) {
> + rc = OPAL_PERMISSION;
> + goto out;
> + }
> +
> + /* Verify the signature */
> + rc = verify_signature(auth_buffer, tbhbuffer,
> + tbhbuffersize, anode->var);
> +
> + /* Break if signature verification is successful */
> + if (!rc)
> + break;
> + i++;
> + }
> + }
> +
> + if (rc)
> + goto out;
> +
> + /*
> + * If reached here means, signature is verified so update the
> + * value in the variable bank
> + */
> + add_to_variable_bank(node->var, newesl, new_data_size);
Check return code ?
> + // Update the TS variable with the new timestamp
> + update_timestamp(node->var->key, timestamp);
Check return code?
> +
> + /* If the PK is updated, update the secure boot state of the
> + * system at the end of processing */
> + if (key_equals(node->var->key, "PK")) {
> + pk_updated = 1;
> + if(new_data_size == 0)
> + setup_mode = true;
> + else
> + setup_mode = false;
> + printf("setup mode is %d\n", setup_mode);
> + }
> + }
> +
> + if (pk_updated) {
> + // Store the updated pk in TPMNV on p9
> + if (proc_gen == proc_gen_p9) {
> + rc = edk2_p9_write_pk();
> + prlog(PR_INFO, "edk2_p9_write rc=%d\n", rc);
> + }
> + }
> +
> +out:
> + if (auth_buffer)
> + free(auth_buffer);
> + if (newesl)
> + free(newesl);
> + if (tbhbuffer)
> + free(tbhbuffer);
no need to check
> +
> + clear_bank_list(&update_bank);
> +
> + return rc;
> +}
> +
> +static int edk2_compat_post_process(void)
> +{
> + printf("setup mode is %d\n", setup_mode);
> + if (!setup_mode) {
> + secvar_set_secure_mode();
> + prlog(PR_INFO, "Enforcing OS secure mode\n");
> + }
> +
> + return 0;
> +}
> +
> +static bool is_pkcs7_sig_format(void *data)
> +{
> + struct efi_variable_authentication_2 *auth = data;
Why does this function take a void as input rather than the concrete type?
> + uuid_t pkcs7_guid = EFI_CERT_TYPE_PKCS7_GUID;
> +
> + if(!(memcmp(&auth->auth_info.cert_type, &pkcs7_guid, 16) == 0))
16 -> sizeof(pkcs7_guid)
You first check that memcmp() returns 0 and then you invert it . Seems
unnecessary and you could just invert the return value below.
> + return false;
> +
> + return true;
> +}
> +
> +static int edk2_compat_validate(struct secvar *var)
What does this validate and what does it have to do with edk2 ?
Can it return a bool?
> +{
> +
> + /*
> + * Checks if the update is for supported
> + * Non-volatile secure variales
variables
> + */
> + if (!key_equals(var->key, "PK")
> + && !key_equals(var->key, "KEK")
> + && !key_equals(var->key, "db")
> + && !key_equals(var->key, "dbx"))
> + return -1;
> +
> + /*
> + * PK update should contain single ESL.
> + */
> + //Not sure if we need to restrict it but, am adding as of now.
> + //Feel free to remove it if you don't it as good idea
Uh?
> + if (key_equals(var->key, "PK")) {
> + printf("check if single PK\n");
> + if (!is_single_pk(var->data, var->data_size)) {
> + printf("not single pk\n");
> + return -1;
> + }
> + }
> +
> + /*
> + * Check that signature type is PKCS7
> + */
> + if (!is_pkcs7_sig_format(var->data))
> + return -1;
> + //Some more checks needs to be added:
> + // - check guid
> + // - check auth struct
> + // - possibly check signature? can't add but can validate
> +
> + return 0;
> +};
> +
> +struct secvar_backend_driver edk2_compatible_v1 = {
> + .pre_process = edk2_compat_pre_process,
> + .process = edk2_compat_process,
> + .post_process = edk2_compat_post_process,
> + .validate = edk2_compat_validate,
> + .compatible = "ibm,edk2-compat-v1",
> +};
> diff --git a/libstb/secvar/backend/edk2.h b/libstb/secvar/backend/edk2.h
> new file mode 100644
> index 00000000..29874ef7
> --- /dev/null
> +++ b/libstb/secvar/backend/edk2.h
> @@ -0,0 +1,243 @@
> +/* Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved. This
> + * program and the accompanying materials are licensed and made available
> + * under the terms and conditions of the 2-Clause BSD License which
> + * accompanies this distribution.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions are met:
> + *
> + * 1. Redistributions of source code must retain the above copyright notice,
> + * this list of conditions and the following disclaimer.
> + *
> + * 2. Redistributions in binary form must reproduce the above copyright
> + * notice, this list of conditions and the following disclaimer in the
> + * documentation and/or other materials provided with the distribution.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
> + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
> + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
> + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
> + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
> + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
> + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
> + * POSSIBILITY OF SUCH DAMAGE.
> + *
> + * This file is derived from the following files referred from edk2-staging[1] repo
> + * of tianocore
> + *
> + * MdePkg/Include/Guid/GlobalVariable.h
> + * MdePkg/Include/Guid/WinCertificate.h
> + * MdePkg/Include/Uefi/UefiMultiPhase.h
> + * MdePkg/Include/Uefi/UefiBaseType.h
> + * MdePkg/Include/Guid/ImageAuthentication.h
> + *
> + * [1] https://github.com/tianocore/edk2-staging
> + *
> + * Copyright 2019 IBM Corp.
> + */
> +
> +#ifndef __EDK2_H__
> +#define __EDK2_H__
> +
> +#define UUID_SIZE 16
> +
> +typedef struct {
> + u8 b[UUID_SIZE];
This may be the first time I see u8; would think uint8_t
> +} uuid_t;
> +
> +#define EFI_GLOBAL_VARIABLE_GUID (uuid_t){{0x61, 0xDF, 0xe4, 0x8b, 0xca, 0x93, 0xd2, 0x11, 0xaa, \
> + 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c}}
> +
> +#define EFI_IMAGE_SECURITY_DATABASE_GUID (uuid_t){{0xcb, 0xb2, 0x19, 0xd7, 0x3a, 0x3d, 0x96, 0x45, \
> + 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f}}
> +
> +#define SECVAR_ATTRIBUTES 39
> +
> +///
> +/// This identifies a signature based on an X.509 certificate. If the signature is an X.509
> +/// certificate then verification of the signature of an image should validate the public
> +/// key certificate in the image using certificate path verification, up to this X.509
> +/// certificate as a trusted root. The SignatureHeader size shall always be 0. The
> +/// SignatureSize may vary but shall always be 16 (size of the SignatureOwner component) +
> +/// the size of the certificate itself.
> +/// Note: This means that each certificate will normally be in a separate EFI_SIGNATURE_LIST.
> +///
> +
> +#define EFI_CERT_RSA2048_GUID \
> + (UUID_INIT) (0x3c5766e8, 0x269c, 0x4e34, 0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6)
> +
> +#define EFI_CERT_TYPE_PKCS7_GUID (uuid_t){{0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, \
> + 0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7}}
> +
> +#define EFI_VARIABLE_NON_VOLATILE 0x00000001
> +#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002
> +#define EFI_VARIABLE_RUNTIME_ACCESS 0x00000004
> +
> +/*
> + * Attributes of Authenticated Variable
> + */
> +#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020
> +#define EFI_VARIABLE_APPEND_WRITE 0x00000040
> +/*
> + * NOTE: EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS is deprecated and should be
> + * considered reserved.
> + */
> +#define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010
> +
> +/*
> + * win_certificate.w_certificate_type
> + */
> +#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
> +
> +#define SECURE_BOOT_MODE_ENABLE 1
> +#define SECURE_BOOT_MODE_DISABLE 0
> +///
> +/// Depricated value definition for SetupMode variable
> +///
> +#define SETUP_MODE 1
> +#define USER_MODE 0
> +
> +/*
> + * EFI Time Abstraction:
> + * Year: 1900 - 9999
> + * Month: 1 - 12
> + * Day: 1 - 31
> + * Hour: 0 - 23
> + * Minute: 0 - 59
> + * Second: 0 - 59
> + * Nanosecond: 0 - 999,999,999
> + * TimeZone: -1440 to 1440 or 2047
> + */
> +struct efi_time {
> + u16 year;
> + u8 month;
> + u8 day;
> + u8 hour;
> + u8 minute;
> + u8 second;
> + u8 pad1;
> + u32 nanosecond;
> + s16 timezone;
> + u8 daylight;
> + u8 pad2;
> +};
> +//***********************************************************************
> +// Signature Database
> +//***********************************************************************
> +///
> +/// The format of a signature database.
> +///
> +#pragma pack(1)
> +
> +typedef struct {
> + ///
> + /// An identifier which identifies the agent which added the signature to the list.
> + ///
> + uuid_t SignatureOwner;
> + ///
> + /// The format of the signature is defined by the SignatureType.
> + ///
> + unsigned char SignatureData[0];
> +} EFI_SIGNATURE_DATA;
> +
> +typedef struct {
> + ///
> + /// Type of the signature. GUID signature types are defined in below.
> + ///
> + uuid_t SignatureType;
> + ///
> + /// Total size of the signature list, including this header.
> + ///
> + uint32_t SignatureListSize;
u32 nad uint32_t in the same file... I would go for uint(8|16|32)_t in
this file just because I saw them most often being used.
> + ///
> + /// Size of the signature header which precedes the array of signatures.
> + ///
> + uint32_t SignatureHeaderSize;
> + ///
> + /// Size of each signature.
> + ///
> + uint32_t SignatureSize;
> + ///
> + /// Header before the array of signatures. The format of this header is specified
> + /// by the SignatureType.
> + /// UINT8 SignatureHeader[SignatureHeaderSize];
> + ///
> + /// An array of signatures. Each signature is SignatureSize bytes in length.
> + /// EFI_SIGNATURE_DATA Signatures[][SignatureSize];
> + ///
> +} EFI_SIGNATURE_LIST;
> +
> +
> +/*
> + * The win_certificate structure is part of the PE/COFF specification.
> + */
> +struct win_certificate {
> + /*
> + * The length of the entire certificate, including the length of the
> + * header, in bytes.
> + */
> + u32 dw_length;
> + /*
> + * The revision level of the WIN_CERTIFICATE structure. The current
> + * revision level is 0x0200.
> + */
> + u16 w_revision;
> + /*
> + * The certificate type. See WIN_CERT_TYPE_xxx for the UEFI certificate
> + * types. The UEFI specification reserves the range of certificate type
> + * values from 0x0EF0 to 0x0EFF.
> + */
> + u16 w_certificate_type;
> + /*
> + * The following is the actual certificate. The format of
> + * the certificate depends on wCertificateType.
> + */
> + /// UINT8 bCertificate[ANYSIZE_ARRAY];
> +};
> +
> +/*
> + * Certificate which encapsulates a GUID-specific digital signature
> + */
> +struct win_certificate_uefi_guid {
> + /*
> + * This is the standard win_certificate header, where w_certificate_type
> + * is set to WIN_CERT_TYPE_EFI_GUID.
> + */
> + struct win_certificate hdr;
> + /*
> + * This is the unique id which determines the format of the cert_data.
> + */
> + uuid_t cert_type;
> + /*
> + * The following is the certificate data. The format of the data is
> + * determined by the @cert_type. If @cert_type is
> + * EFI_CERT_TYPE_RSA2048_SHA256_GUID, the @cert_data will be
> + * EFI_CERT_BLOCK_RSA_2048_SHA256 structure.
> + */
> + u8 cert_data[1];
> +};
> +/*
> + * When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is set,
> + * then the Data buffer shall begin with an instance of a complete (and
> + * serialized) EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall be
> + * followed by the new variable value and DataSize shall reflect the combined
> + * size of the descriptor and the new variable value. The authentication
> + * descriptor is not part of the variable data and is not returned by subsequent
> + * calls to GetVariable().
> + */
> +struct efi_variable_authentication_2 {
> + /*
> + * For the TimeStamp value, components Pad1, Nanosecond, TimeZone, Daylight and
> + * Pad2 shall be set to 0. This means that the time shall always be expressed in GMT.
> + */
> + struct efi_time timestamp;
> + /*
> + * Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted.
> + */
> + struct win_certificate_uefi_guid auth_info;
> +};
> +
> +#endif
More information about the Skiboot
mailing list