Changeset 98964 in vbox

Timestamp:

Mar 14, 2023 2:40:37 PM (21 months ago)

Author:

vboxsync

Message:

Main/UefiVariableStore: Add API to add signatures to the MOK list (Machine Owner Key) in order to deploy signatures for the guest additions, bugref:10287

Location:

trunk

Files:

• include/iprt/formats/efi-signature.h (modified) (1 diff)
• src/VBox/Main/idl/VirtualBox.xidl (modified) (2 diffs)
• src/VBox/Main/include/UefiVariableStoreImpl.h (modified) (1 diff)
• src/VBox/Main/src-server/UefiVariableStoreImpl.cpp (modified) (1 diff)

trunk/include/iprt/formats/efi-signature.h

@@ -53 +53 @@
 #define EFI_IMAGE_SECURITY_DATABASE_GUID \
     { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
+/** The GUID used for setting and retrieving the MOK (Machine Owner Key) from the variable store. */
+#define EFI_IMAGE_MOK_DATABASE_GUID \
+    { 0x605dab50, 0xe046, 0x4300, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 }}
 
 

trunk/src/VBox/Main/idl/VirtualBox.xidl

@@ -6307 +6307 @@
     uuid="d134c6b6-4479-430d-bb73-68a452ba3e67"
     wsmap="managed"
-    reservedMethods="10" reservedAttributes="5"
+    reservedMethods="9" reservedAttributes="5"
     >
     <desc>
@@ -6451 +6451 @@
         in the signature databases.
       </desc>
+    </method>
+
+    <method name="addSignatureToMok">
+      <desc>
+        Convenience method to add a new entry to the MOK (Machine Owner Key) signature database.
+      </desc>
+      <param name="signature" type="octet" safearray="yes" dir="in">
+        <desc>The signature to add.</desc>
+      </param>
+      <param name="owner" type="uuid" mod="string" dir="in">
+        <desc>UUID of the signature owner.</desc>
+      </param>
+      <param name="signatureType" type="SignatureType" dir="in">
+        <desc>Type of the signature.</desc>
+      </param>
     </method>
 

trunk/src/VBox/Main/include/UefiVariableStoreImpl.h

@@ -76 +76 @@
     HRESULT addSignatureToDbx(const std::vector<BYTE> &aData, const com::Guid &aOwnerUuid, SignatureType_T enmSignatureType);
     HRESULT enrollDefaultMsSignatures(void);
+    HRESULT addSignatureToMok(const std::vector<BYTE> &aData, const com::Guid &aOwnerUuid, SignatureType_T enmSignatureType);
 
     int i_uefiVarStoreSetVarAttr(const char *pszVar, uint32_t fAttr);

trunk/src/VBox/Main/src-server/UefiVariableStoreImpl.cpp

@@ -556 +556 @@
 
 
+HRESULT UefiVariableStore::addSignatureToMok(const std::vector<BYTE> &aData, const com::Guid &aOwnerUuid, SignatureType_T enmSignatureType)
+{
+    /* the machine needs to be mutable */
+    AutoMutableStateDependency adep(m->pMachine);
+    if (FAILED(adep.hrc())) return adep.hrc();
+
+    HRESULT hrc = i_retainUefiVariableStore(false /*fReadonly*/);
+    if (FAILED(hrc)) return hrc;
+
+    AutoWriteLock wlock(this COMMA_LOCKVAL_SRC_POS);
+
+    EFI_GUID GuidMokList = EFI_IMAGE_MOK_DATABASE_GUID;
+    hrc = i_uefiVarStoreAddSignatureToDbVec(&GuidMokList, "MokList", aData, aOwnerUuid, enmSignatureType);
+
+    i_releaseUefiVariableStore();
+    return hrc;
+}
+
+
+
+
 /**
  * Sets the given attributes for the given EFI variable store variable.