[RFC PATCH 3/3] eficonfig: add "Delete Key" menu entry

Sun Jun 19 07:20:22 CEST 2022

This commit add the menu-driven interface to delete the
signature database entry.
EFI Signature Lists can contain the multiple signature
entries, this menu can delete the indivisual entry.

If the PK is enrolled and UEFI Secure Boot is in User Mode,
user can not delete the existing signature lists since the
signature lists must be signed by KEK or PK but signing
information is not stored in the signature database.

Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
---
 cmd/eficonfig_sbkey.c | 218 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 217 insertions(+), 1 deletion(-)

diff --git a/cmd/eficonfig_sbkey.c b/cmd/eficonfig_sbkey.c
index 02ab8f8218..142bb4cef5 100644
--- a/cmd/eficonfig_sbkey.c
+++ b/cmd/eficonfig_sbkey.c
@@ -54,6 +54,29 @@ static const struct eficonfig_sigtype_to_str sigtype_to_str[] = {
 /*	{EFI_CERT_SHA512_GUID,		"SHA512",		SIG_TYPE_HASH}, */
 };
 
+static int eficonfig_console_yes_no(void)
+{
+	int esc = 0;
+	enum bootmenu_key key = KEY_NONE;
+
+	while (1) {
+		bootmenu_loop(NULL, &key, &esc);
+
+		switch (key) {
+		case KEY_SELECT:
+			return 1;
+		case KEY_QUIT:
+			return 0;
+		default:
+			break;
+		}
+	}
+
+	/* never happens */
+	debug("eficonfig: this should not happen");
+	return 0;
+}
+
 static void eficonfig_console_wait_enter(void)
 {
 	int esc = 0;
@@ -72,7 +95,19 @@ static void eficonfig_console_wait_enter(void)
 
 	/* never happens */
 	debug("eficonfig: this should not happen");
-	return;
+}
+
+static bool is_setupmode(void)
+{
+	efi_status_t ret;
+	u8 setup_mode;
+	efi_uintn_t size;
+
+	size = sizeof(setup_mode);
+	ret = efi_get_variable_int(u"SetupMode", &efi_global_variable_guid,
+				   NULL, &size, &setup_mode, NULL);
+
+	return setup_mode == 1;
 }
 
 static bool is_secureboot_enabled(void)
@@ -254,6 +289,103 @@ static efi_status_t eficonfig_process_sigdata_show(void *data)
 	return EFI_SUCCESS;
 }
 
+static efi_status_t eficonfig_process_sigdata_delete(void *data)
+{
+	int yes_no;
+	struct eficonfig_sig_data *sg = data;
+
+	display_sigdata_header(sg, "Delete");
+	display_sigdata_info(sg);
+
+	printf("\n\n  Press ENTER to delete, ESC/CTRL+C to quit");
+	yes_no = eficonfig_console_yes_no();
+	if (!yes_no)
+		return EFI_NOT_READY;
+
+	return EFI_SUCCESS;
+}
+
+static void delete_selected_signature_data(void *db, efi_uintn_t *db_size,
+					   struct eficonfig_sig_data *target,
+					   struct list_head *siglist_list)
+{
+	u8 *dest, *start;
+	struct list_head *pos, *n;
+	u32 remain;
+	u32 size = *db_size;
+	u8 *end = (u8 *)db + size;
+	struct eficonfig_sig_data *sg;
+
+	list_for_each_safe(pos, n, siglist_list) {
+		sg = list_entry(pos, struct eficonfig_sig_data, list);
+		if (sg->esl == target->esl && sg->esd == target->esd) {
+			remain = sg->esl->signature_list_size -
+				 (sizeof(struct efi_signature_list) -
+				 sg->esl->signature_header_size) -
+				 sg->esl->signature_size;
+			if (remain > 0) {
+				/* only delete the single signature data */
+				sg->esl->signature_list_size -= sg->esl->signature_size;
+				size -= sg->esl->signature_size;
+				dest = (u8 *)sg->esd;
+				start = (u8 *)sg->esd + sg->esl->signature_size;
+			} else {
+				/* delete entire signature list */
+				dest = (u8 *)sg->esl;
+				start = (u8 *)sg->esl + sg->esl->signature_list_size;
+				size -= sg->esl->signature_list_size;
+			}
+			memmove(dest, start, (end - start));
+		}
+	}
+
+	*db_size = size;
+}
+
+static efi_status_t create_time_based_payload(void *db, void **new_db, efi_uintn_t *size)
+{
+	efi_status_t ret;
+	struct efi_time time;
+	efi_uintn_t total_size;
+	struct efi_variable_authentication_2 *auth;
+
+	*new_db = NULL;
+
+	/*
+	 * SetVariable() call with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
+	 * attribute requires EFI_VARIABLE_AUTHENTICATED_2 descriptor, prepare it
+	 * without certificate data in it.
+	 */
+	total_size = sizeof(struct efi_variable_authentication_2) + *size;
+
+	auth = calloc(1, total_size);
+	if (!auth)
+		return EFI_OUT_OF_RESOURCES;
+
+	ret = EFI_CALL((*efi_runtime_services.get_time)(&time, NULL));
+	if (ret != EFI_SUCCESS) {
+		free(auth);
+		return EFI_OUT_OF_RESOURCES;
+	}
+	time.pad1 = 0;
+	time.nanosecond = 0;
+	time.timezone = 0;
+	time.daylight = 0;
+	time.pad2 = 0;
+	memcpy(&auth->time_stamp, &time, sizeof(time));
+	auth->auth_info.hdr.dwLength = sizeof(struct win_certificate_uefi_guid);
+	auth->auth_info.hdr.wRevision = 0x0200;
+	auth->auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
+	guidcpy(&auth->auth_info.cert_type, &efi_guid_cert_type_pkcs7);
+	if (db)
+		memcpy((u8 *)auth + sizeof(struct efi_variable_authentication_2), db, *size);
+
+	*new_db = auth;
+	*size = total_size;
+
+	return EFI_SUCCESS;
+}
+
 static efi_status_t prepare_signature_db_list(struct eficonfig_item **output, void *varname,
 					      void *db, efi_uintn_t db_size,
 					      eficonfig_entry_func func,
@@ -378,6 +510,68 @@ out:
 	return ret;
 }
 
+static efi_status_t process_delete_key(void *varname)
+{
+	u32 attr, i, count = 0;
+	efi_status_t ret;
+	struct eficonfig_item *menu_item = NULL, *iter;
+	void *db = NULL, *new_db = NULL;
+	efi_uintn_t db_size;
+	struct list_head siglist_list;
+	struct eficonfig_sig_data *selected;
+
+	db = efi_get_var(varname, efi_auth_var_get_guid(varname), &db_size);
+	if (!db) {
+		eficonfig_print_msg("There is no entry in the signature database.");
+		return EFI_NOT_FOUND;
+	}
+
+	ret = prepare_signature_db_list(&menu_item, varname, db, db_size,
+					eficonfig_process_sigdata_delete, &selected,
+					&siglist_list, &count);
+	if (ret != EFI_SUCCESS)
+		goto out;
+
+	ret = eficonfig_process_common(menu_item, count, " ** Delete Key **");
+
+	if (ret == EFI_SUCCESS) {
+		delete_selected_signature_data(db, &db_size, selected, &siglist_list);
+
+		ret = create_time_based_payload(db, &new_db, &db_size);
+		if (ret != EFI_SUCCESS)
+			goto out;
+
+		attr = EFI_VARIABLE_NON_VOLATILE |
+		       EFI_VARIABLE_BOOTSERVICE_ACCESS |
+		       EFI_VARIABLE_RUNTIME_ACCESS |
+		       EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
+		ret = efi_set_variable_int((u16 *)varname, efi_auth_var_get_guid((u16 *)varname),
+					   attr, db_size, new_db, false);
+		if (ret != EFI_SUCCESS) {
+			eficonfig_print_msg("ERROR! Fail to delete signature database");
+			goto out;
+		}
+	}
+
+out:
+	if (menu_item) {
+		iter = menu_item;
+		for (i = 0; i < count - 1; iter++, i++) {
+			free(iter->title);
+			free(iter->data);
+		}
+	}
+
+	free(menu_item);
+	free(db);
+	free(new_db);
+
+	/* to stay the parent menu */
+	ret = (ret == EFI_ABORTED) ? EFI_NOT_READY : ret;
+
+	return ret;
+}
+
 static efi_status_t eficonfig_process_show_signature_db(void *data)
 {
 	efi_status_t ret;
@@ -394,6 +588,27 @@ static efi_status_t eficonfig_process_show_signature_db(void *data)
 	return ret;
 }
 
+static efi_status_t eficonfig_process_delete_key(void *data)
+{
+	efi_status_t ret;
+
+	if (!is_setupmode()) {
+		eficonfig_print_msg("Not in the SetupMode, can not delete.");
+		return EFI_SUCCESS;
+	}
+
+	while (1) {
+		ret = process_delete_key(data);
+		if (ret != EFI_SUCCESS)
+			break;
+	}
+
+	/* to stay the parent menu */
+	ret = (ret == EFI_ABORTED) ? EFI_NOT_READY : ret;
+
+	return ret;
+}
+
 static struct eficonfig_item key_config_pk_menu_items[] = {
 	{"Enroll New Key", eficonfig_process_enroll_key},
 	{"Show Signature Database", eficonfig_process_show_signature_db},
@@ -403,6 +618,7 @@ static struct eficonfig_item key_config_pk_menu_items[] = {
 static struct eficonfig_item key_config_menu_items[] = {
 	{"Enroll New Key", eficonfig_process_enroll_key},
 	{"Show Signature Database", eficonfig_process_show_signature_db},
+	{"Delete Key", eficonfig_process_delete_key},
 	{"Quit", eficonfig_process_quit},
 };
 
-- 
2.17.1

