Changeset 91396 in vbox for trunk/src

Timestamp:

Sep 27, 2021 1:40:35 PM (4 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

147076

Message:

Main: Add IUefiVariableStore interface to manage the content of the UEFI variable store for secure boot support, bugref:9580

Location:

trunk/src/VBox/Main

Files:

• Certificates (added)
• Makefile.kmk (modified) (3 diffs)
• idl/VirtualBox.xidl (modified) (2 diffs)
• include/NvramStoreImpl.h (modified) (1 diff)
• include/TrustAnchorsAndCerts.h (added)
• include/UefiVariableStoreImpl.h (added)
• src-all/NvramStoreImpl.cpp (modified) (3 diffs)
• src-server/UefiVariableStoreImpl.cpp (added)

trunk/src/VBox/Main/Makefile.kmk

@@ -401 +401 @@
 
 testschemadefs: $(VBOX_XML_SCHEMADEFS_H) $(VBOX_XML_SCHEMADEFS_CPP)
+
+
+#
+# Trust anchors and certificates -> .cpp
+#
+VBOX_SVC_CERTS_FILE = $(VBoxSVC_0_OUTDIR)/TrustAnchorsAndCerts.cpp
+VBOX_SVC_CERTS := \
+       UefiMicrosoftKek=MicCorKEKCA2011_2011-06-24.crt \
+       UefiMicrosoftCa=MicCorUEFCA2011_2011-06-27.crt \
+       UefiMicrosoftProPca=MicWinProPCA2011_2011-10-19.crt
+
+VBOX_SVC_CERT_NAMES := $(foreach cert,$(VBOX_SVC_CERTS),$(firstword $(subst =,$(SPACE) ,$(cert))))
+VBOX_SVC_PATH_CERTIFICATES := $(PATH_SUB_CURRENT)/Certificates
+
+$$(VBOX_SVC_CERTS_FILE): $(MAKEFILE_CURRENT) \
+                $(foreach cert,$(VBOX_SVC_CERTS),$(VBOX_SVC_PATH_CERTIFICATES)/$(lastword $(subst =,$(SPACE) ,$(cert)))) \
+                $(VBOX_BIN2C) \
+                | $$(dir $$@)
+        $(QUIET)$(RM) -f -- $@
+        $(QUIET)$(APPEND) -n "$@" \
+        '' \
+        '#include "TrustAnchorsAndCerts.h"' \
+               ''
+        $(foreach cert,$(VBOX_SVC_CERTS), $(NLTAB)$(VBOX_BIN2C) -ascii --append \
+                "$(firstword $(subst =,$(SP) ,$(cert)))" \
+                "$(VBOX_SVC_PATH_CERTIFICATES)/$(lastword $(subst =,$(SP) ,$(cert)))" \
+                "$@")
+
+OTHER_CLEAN += $(VBOX_SVC_CERTS_FILE)
+
+tst-main-certificates: $(VBOX_SVC_CERTS_FILE)
 
 
@@ -542 +573 @@
 
 VBoxSVC_SOURCES = \
+        $(VBOX_SVC_CERTS_FILE) \
         $(VBoxAPIWrap_0_OUTDIR)/VBoxAPI.d \
         src-all/AuthLibrary.cpp \
@@ -615 +647 @@
         src-server/TokenImpl.cpp \
         src-server/TrustedPlatformModuleImpl.cpp \
+        src-server/UefiVariableStoreImpl.cpp \
         $(if $(VBOX_WITH_UNATTENDED), \
         src-server/UnattendedImpl.cpp \

trunk/src/VBox/Main/idl/VirtualBox.xidl

@@ -5897 +5897 @@
   </interface>
 
+   <enum
+    name="SignatureType"
+    uuid="6f6e67ef-9a32-4084-af84-5702679f882a"
+    >
+    <desc>
+      UEFI signature type enumeration.
+    </desc>
+
+    <const name="X509"                  value="0">
+      <desc>X.509 certificate.</desc>
+    </const>
+    <const name="Sha256"                value="1">
+      <desc>SHA256 hash.</desc>
+    </const>
+  </enum>
+
+  <interface
+    name="IUefiVariableStore" extends="$unknown"
+    uuid="f39d5888-9009-4e77-94b5-9cdcfc1859c3"
+    wsmap="managed"
+    reservedMethods="10" reservedAttributes="5"
+    >
+    <desc>
+        The IUefiVariableStore interface allows inspecting and manipulating the content
+        of an existing UEFI variable store in a NVRAM file. This is used only in the
+        <link to="INvramStore::uefiVariableStore" /> attribute.
+    </desc>
+
+    <method name="addVariable">
+      <desc>Adds a new variable to the non volatile storage area.</desc>
+      <param name="name" type="wstring" dir="in">
+        <desc>Name of the variable.</desc>
+      </param>
+      <param name="owner" type="uuid" mod="string" dir="in">
+        <desc>UUID of the variable owner.</desc>
+      </param>
+      <param name="data" type="octet" dir="in" safearray="yes">
+        <desc>The variable data.</desc>
+      </param>
+    </method>
+
+    <method name="deleteVariable">
+      <desc>Deletes the given variable from the non volatile storage area.</desc>
+      <param name="name" type="wstring" dir="in">
+        <desc>Name of the variable.</desc>
+      </param>
+      <param name="owner" type="uuid" mod="string" dir="in">
+        <desc>UUID of the variable owner.</desc>
+      </param>
+    </method>
+
+    <method name="changeVariable">
+      <desc>Changes the data of the given variable.</desc>
+      <param name="name" type="wstring" dir="in">
+        <desc>Name of the variable.</desc>
+      </param>
+      <param name="owner" type="uuid" mod="string" dir="in">
+        <desc>UUID of the variable owner.</desc>
+      </param>
+      <param name="data" type="octet" dir="in" safearray="yes">
+        <desc>The new variable data.</desc>
+      </param>
+    </method>
+
+    <method name="queryVariableByName">
+      <desc>Queries the variable content variable by the given name.</desc>
+      <param name="name" type="wstring" dir="in">
+        <desc>Name of the variable to look for.</desc>
+      </param>
+      <param name="owner" type="uuid" mod="string" dir="out">
+        <desc>UUID of the variable owner returned on success.</desc>
+      </param>
+      <param name="data" type="octet" dir="out" safearray="yes">
+        <desc>The variable data returned on success.</desc>
+      </param>
+    </method>
+
+    <method name="queryVariables">
+      <desc>
+        Queries all variables in the non volatile storage and returns their names.
+      </desc>
+      <param name="names" type="wstring" dir="out" safearray="yes">
+        <desc>The variable names returned on success.</desc>
+      </param>
+      <param name="owners" type="uuid" mod="string" dir="out" safearray="yes">
+        <desc>UUID of the variable owners returned on success.</desc>
+      </param>
+    </method>
+
+    <method name="enrollPlatformKey">
+      <desc>
+        Convenience method to enroll a new platform key (PK) for enabling Secure Boot.
+      </desc>
+      <param name="platformKey" type="octet" safearray="yes" dir="in">
+        <desc>The platform key (PK) to enroll.</desc>
+      </param>
+      <param name="owner" type="uuid" mod="string" dir="in">
+        <desc>UUID of the PK owner.</desc>
+      </param>
+    </method>
+
+    <method name="addKek">
+      <desc>
+        Convenience method to add a new Key Encryption Key (KEK) for Secure Boot.
+      </desc>
+      <param name="keyEncryptionKey" type="octet" safearray="yes" dir="in">
+        <desc>The Key Encryption Key (KEK) to add.</desc>
+      </param>
+      <param name="owner" type="uuid" mod="string" dir="in">
+        <desc>UUID of the KEK owner.</desc>
+      </param>
+      <param name="signatureType" type="SignatureType" dir="in">
+        <desc>Type of the signature.</desc>
+      </param>
+    </method>
+
+    <method name="addSignatureToDb">
+      <desc>
+        Convenience method to add a new entry to the signature database.
+      </desc>
+      <param name="signature" type="octet" safearray="yes" dir="in">
+        <desc>The signature to add.</desc>
+      </param>
+      <param name="owner" type="uuid" mod="string" dir="in">
+        <desc>UUID of the signature owner.</desc>
+      </param>
+      <param name="signatureType" type="SignatureType" dir="in">
+        <desc>Type of the signature.</desc>
+      </param>
+    </method>
+
+    <method name="addSignatureToDbx">
+      <desc>
+        Convenience method to add a new entry to the forbidden signature database.
+      </desc>
+      <param name="signature" type="octet" safearray="yes" dir="in">
+        <desc>The signature to add.</desc>
+      </param>
+      <param name="owner" type="uuid" mod="string" dir="in">
+        <desc>UUID of the signature owner.</desc>
+      </param>
+      <param name="signatureType" type="SignatureType" dir="in">
+        <desc>Type of the signature.</desc>
+      </param>
+    </method>
+
+    <method name="enrollDefaultMsSignatures">
+      <desc>
+        Convenience method to enroll the standard Microsoft KEK and signatures
+        in the signature databases.
+      </desc>
+    </method>
+
+  </interface>
+
   <interface
     name="INvramStore" extends="$unknown"
@@ -5914 +6069 @@
       </desc>
     </attribute>
+
+    <attribute name="uefiVariableStore" type="IUefiVariableStore" readonly="yes">
+      <desc>Object to manipulate the data in an existing UEFI variable store.</desc>
+    </attribute>
+
+    <method name="initUefiVariableStore">
+      <desc>Initializes the UEFI variable store.</desc>
+      <param name="size" type="unsigned long" dir="in">
+        <desc>
+          Size in bytes of the UEFI variable store. Must be 0 for now to initialize to the
+          default size.
+        </desc>
+      </param>
+    </method>
 
   </interface>

trunk/src/VBox/Main/include/NvramStoreImpl.h

@@ -80 +80 @@
     // Wrapped NVRAM store properties
     HRESULT getNonVolatileStorageFile(com::Utf8Str &aNonVolatileStorageFile);
+    HRESULT getUefiVariableStore(ComPtr<IUefiVariableStore> &aUefiVarStore);
 
     // Wrapped NVRAM store members
-    /** @todo */
+    HRESULT initUefiVariableStore(ULONG aSize);
 
 #ifdef VBOX_COM_INPROC

trunk/src/VBox/Main/src-all/NvramStoreImpl.cpp

@@ -24 +24 @@
 #else
 # include "MachineImpl.h"
+# include "AutoStateDep.h"
 #endif
+#include "UefiVariableStoreImpl.h"
 
 #include "AutoCaller.h"
@@ -94 +96 @@
 #else
     /** The Machine object owning this NVRAM store. */
-    Machine * const         pParent;
+    Machine * const                    pParent;
     /** The peer NVRAM store object. */
-    ComObjPtr<NvramStore>   pPeer;
+    ComObjPtr<NvramStore>              pPeer;
+    /** The UEFI variable store. */
+    const ComObjPtr<UefiVariableStore> pUefiVarStore;
 #endif
 
@@ -299 +303 @@
 
     return S_OK;
+}
+
+
+HRESULT NvramStore::getUefiVariableStore(ComPtr<IUefiVariableStore> &aUefiVarStore)
+{
+#ifndef VBOX_COM_INPROC
+    /* the machine needs to be mutable */
+    AutoMutableStateDependency adep(m->pParent);
+    if (FAILED(adep.rc())) return adep.rc();
+
+    /* We need a write lock because of the lazy initialization. */
+    AutoWriteLock wlock(this COMMA_LOCKVAL_SRC_POS);
+
+    /* Check if we have to create the UEFI variabel store object */
+    HRESULT hrc = S_OK;
+    if (!m->pUefiVarStore)
+    {
+        /* Load the NVRAM file first if it isn't already. */
+        if (!m->bd->mapNvram.size())
+        {
+            int vrc = i_loadStore();
+            if (RT_FAILURE(vrc))
+                hrc = setError(E_FAIL, tr("Loading the NVRAM store failed (%Rrc)\n"), vrc);
+        }
+
+        if (SUCCEEDED(hrc))
+        {
+            NvramStoreIter it = m->bd->mapNvram.find("efi/nvram");
+            if (it != m->bd->mapNvram.end())
+            {
+                RTVFSFILE hVfsFileNvram = it->second;
+                RTVFS hVfsEfiVarStore;
+                int vrc = RTEfiVarStoreOpenAsVfs(hVfsFileNvram, 0 /*fMntFlags*/, 0 /*fVarStoreFlags*/, &hVfsEfiVarStore,
+                                                 NULL /*pErrInfo*/);
+                if (RT_SUCCESS(vrc))
+                {
+                    unconst(m->pUefiVarStore).createObject();
+                    m->pUefiVarStore->init(this, m->pParent, hVfsEfiVarStore);
+                }
+                else
+                    hrc = setError(E_FAIL, tr("Opening the UEFI variable store failed (%Rrc)."), vrc);
+            }
+            else
+                hrc = setError(VBOX_E_OBJECT_NOT_FOUND, tr("The UEFI NVRAM file is not existing for this machine."));
+        }
+    }
+
+    if (SUCCEEDED(hrc))
+        m->pUefiVarStore.queryInterfaceTo(aUefiVarStore.asOutParam());
+
+    return hrc;
+#else
+    NOREF(aUefiVarStore);
+    return E_NOTIMPL;
+#endif
+}
+
+
+HRESULT NvramStore::initUefiVariableStore(ULONG aSize)
+{
+    NOREF(aSize);
+    return E_NOTIMPL;
 }