21#include <Protocol/SimpleFileSystem.h>
23#include <Library/BaseLib.h>
24#include <Library/BaseMemoryLib.h>
25#include <Library/BaseOverflowLib.h>
26#include <Library/DebugLib.h>
27#include <Library/MemoryAllocationLib.h>
32#include <Library/PrintLib.h>
33#include <Library/UefiBootServicesTableLib.h>
34#include <Library/UefiRuntimeServicesTableLib.h>
72 case EFI_SECURITY_VIOLATION:
90 IN CONST CHAR8 *Model,
91 IN UINT64 Ecid OPTIONAL
95 CHAR8 BridgeModel[16];
96 UINTN BridgeModelSize;
107 if (EFI_ERROR (Status)) {
111 for (BridgeModelSize = 0;
mSbHardwareModel[BridgeModelSize] !=
'\0'; ++BridgeModelSize) {
112 BridgeModel[BridgeModelSize] = AsciiCharToUpper (
mSbHardwareModel[BridgeModelSize]);
115 BridgeModel[BridgeModelSize] =
'\0';
117 Status =
gRT->SetVariable (
120 EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
125 if (EFI_ERROR (Status)) {
129 Status =
gRT->SetVariable (
132 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
179 if (Policy == NULL) {
180 return EFI_INVALID_PARAMETER;
189 return EFI_NOT_FOUND;
217 if (Reason == NULL) {
218 return EFI_INVALID_PARAMETER;
223 DataSize =
sizeof (FailReason);
225 L
"AppleSecureBootWindowsFailureReason",
232 *Reason = FailReason;
255 return EFI_UNSUPPORTED;
258 return gRT->SetVariable (
259 L
"AppleSecureBootWindowsFailureReason",
261 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
270 IN EFI_FILE_PROTOCOL *Volume,
277 EFI_FILE_PROTOCOL *FileHandle;
283 ASSERT (FileSize != NULL);
286 if (EFI_ERROR (Status)) {
291 if (EFI_ERROR (Status)) {
292 FileHandle->Close (FileHandle);
296 FileBuffer = AllocatePool (FileReadSize);
297 if (FileBuffer == NULL) {
298 FileHandle->Close (FileHandle);
309 FileHandle->Close (FileHandle);
311 if (EFI_ERROR (Status)) {
312 FreePool (FileBuffer);
316 *FileSize = FileReadSize;
341 if (Reason == NULL) {
342 return EFI_INVALID_PARAMETER;
347 DataSize =
sizeof (FailReason);
349 L
"AppleSecureBootFailureReason",
356 *Reason = FailReason;
379 return EFI_UNSUPPORTED;
382 return gRT->SetVariable (
383 L
"AppleSecureBootFailureReason",
385 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
412 if (Reason == NULL) {
413 return EFI_INVALID_PARAMETER;
418 DataSize =
sizeof (FailReason);
420 L
"AppleSecureBootKernelFailureReason",
427 *Reason = FailReason;
450 return EFI_UNSUPPORTED;
453 return gRT->SetVariable (
454 L
"AppleSecureBootKernelFailureReason",
456 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
481 if (Policy == NULL) {
482 return EFI_INVALID_PARAMETER;
498 IN CONST VOID *ImageBuffer,
500 IN CONST VOID *ManifestBuffer,
501 IN UINTN ManifestSize,
503 IN BOOLEAN SetFailureReason,
511 ASSERT (ImageBuffer != NULL);
513 ASSERT (ManifestBuffer != NULL);
514 ASSERT (ManifestSize > 0);
516 if (Img4Verify == NULL) {
517 Status =
gBS->LocateProtocol (
522 if (EFI_ERROR (Status)) {
523 return EFI_UNSUPPORTED;
531 return EFI_LOAD_ERROR;
534 Status = Img4Verify->Verify (
545 if (EFI_ERROR (Status)) {
546 return EFI_SECURITY_VIOLATION;
557 IN EFI_DEVICE_PATH_PROTOCOL *DevicePath,
559 OUT VOID **ManifestBufferPtr,
560 OUT UINTN *ManifestSizePtr
567 UINTN ManifestPathSize;
569 CHAR16 *ManifestSuffix;
572 EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *FileSystem;
573 EFI_FILE_PROTOCOL *Root;
575 VOID *ManifestBuffer;
580 STATIC CONST UINTN ManifestSuffixMaxSize =
584 Status =
gBS->LocateDevicePath (
589 if (EFI_ERROR (Status)) {
594 if (ImagePathSize == 0) {
598 Result = BaseOverflowAddUN (
600 ManifestSuffixMaxSize,
604 return EFI_NOT_FOUND;
607 Path = AllocatePool (ManifestPathSize);
609 return EFI_OUT_OF_RESOURCES;
612 Status =
gBS->HandleProtocol (
617 if (EFI_ERROR (Status)) {
622 Status = FileSystem->OpenVolume (FileSystem, &Root);
623 if (EFI_ERROR (Status)) {
630 (FILEPATH_DEVICE_PATH *)DevicePath,
636 ManifestSuffix = &Path[(ImagePathSize /
sizeof (*Path)) - 1];
640 ManifestSuffixMaxSize,
647 ManifestSuffixMaxSize,
660 return EFI_LOAD_ERROR;
668 if (ManifestBuffer == NULL) {
669 return EFI_NOT_FOUND;
672 *ManifestBufferPtr = ManifestBuffer;
673 *ManifestSizePtr = ManifestSize;
703 IN EFI_DEVICE_PATH_PROTOCOL *DevicePath,
705 IN BOOLEAN SetFailureReason
711 DEBUG ((DEBUG_ERROR,
"OCSB: Attempted to call VerifyImg4ByPath\n"));
713 return EFI_SECURITY_VIOLATION;
741 IN CONST VOID *ImageBuffer,
743 IN CONST VOID *ManifestBuffer,
744 IN UINTN ManifestSize,
746 IN BOOLEAN SetFailureReason
754 return EFI_UNSUPPORTED;
759 Status = EFI_UNSUPPORTED;
760 }
else if ((ImageBuffer == NULL) || (ImageSize == 0)) {
761 Status = EFI_INVALID_PARAMETER;
762 }
else if ((ManifestBuffer == NULL) || (ManifestSize == 0)) {
763 Status = EFI_NOT_FOUND;
777 if (SetFailureReason) {
815 IN EFI_DEVICE_PATH_PROTOCOL *DevicePath,
816 IN BOOLEAN SetFailureReason
822 DEBUG ((DEBUG_ERROR,
"OCSB: Attempted to call VerifyWindowsByPath\n"));
824 return EFI_SECURITY_VIOLATION;
849 IN CONST VOID *TargetBuffer,
851 IN BOOLEAN SetFailureReason
859 return EFI_UNSUPPORTED;
864 if ((TargetBuffer == NULL) || (TargetSize == 0)) {
865 Status = EFI_INVALID_PARAMETER;
868 Status = EFI_UNSUPPORTED;
871 if (WinPolicy == 1) {
875 Status = EFI_SUCCESS;
876 }
else if (WinPolicy != 0) {
877 Status = EFI_LOAD_ERROR;
882 if (SetFailureReason) {
891 IN BOOLEAN Reinstall,
893 IN UINT8 SbWinPolicy OPTIONAL,
894 IN BOOLEAN SbWinPolicyValid
921 if (EFI_ERROR (Status)) {
922 DEBUG ((DEBUG_ERROR,
"OCSB: Uninstall failed - %r\n", Status));
926 Status =
gBS->LocateProtocol (
931 if (!EFI_ERROR (Status)) {
938 Status =
gBS->InstallMultipleProtocolInterfaces (
941 (VOID **)&SecureBoot,
944 if (EFI_ERROR (Status)) {
953 DataSize =
sizeof (SbPolicy);
955 L
"AppleSecureBootPolicy",
957 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
961 if (SbWinPolicyValid) {
962 DataSize =
sizeof (SbWinPolicy);
964 L
"AppleSecureBootWindowsPolicy",
966 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
986 IN BOOLEAN LoadingDmg
996 if (EFI_ERROR (Status)) {
1001 DEBUG ((DEBUG_INFO,
"OCSB: Disabling secure boot for Apple images\n"));
1004 DEBUG ((DEBUG_INFO,
"OCSB: Reenabling secure boot after Apple images\n"));
1011 OUT UINT8 *RealPolicy OPTIONAL
1014 if (RealPolicy != NULL) {
1023 IN EFI_DEVICE_PATH_PROTOCOL *DevicePath,
1024 IN VOID *SourceBuffer,
1031 VOID *ManifestBuffer;
1036 ASSERT (SecureBoot != NULL);
1045 if (EFI_ERROR (Status)) {
1046 DEBUG ((DEBUG_WARN,
"OCSB: No secure boot policy - %r\n", Status));
1047 return EFI_SECURITY_VIOLATION;
1058 DEBUG ((DEBUG_INFO,
"OCSB: Direct booting for DMG image\n"));
1066 DEBUG ((DEBUG_INFO,
"OCSB: Secure boot is disabled, skipping\n"));
1067 return EFI_UNSUPPORTED;
1077 if (EFI_ERROR (Status)) {
1078 DEBUG ((DEBUG_INFO,
"OCSB: No IMG4 found - %r\n", Status));
1079 return EFI_UNSUPPORTED;
1082 STATIC UINT32 mCheckedObjects[] = {
1088 for (Index = 0; Index <
ARRAY_SIZE (mCheckedObjects); ++Index) {
1095 mCheckedObjects[Index],
1102 if (!EFI_ERROR (Status)) {
1103 DEBUG ((DEBUG_INFO,
"OCSB: Verified IMG4 without issues\n"));
1104 FreePool (ManifestBuffer);
1113 DEBUG ((DEBUG_WARN,
"OCSB: No suitable signature - %r\n", Status));
1114 FreePool (ManifestBuffer);
1115 return EFI_SECURITY_VIOLATION;
EFI_GUID gAppleImg4VerificationProtocolGuid
@ AppleImg4SbModeDisabled
#define ARRAY_SIZE(Array)
#define APPLE_SB_OBJ_KERNEL_DEBUG
#define APPLE_SB_OBJ_EFIBOOT
#define APPLE_SB_OBJ_KERNEL
EFI_GUID gAppleSecureBootProtocolGuid
#define APPLE_SB_OBJ_EFIBOOT_DEBUG
#define APPLE_SECURE_BOOT_PROTOCOL_REVISION
#define APPLE_SB_OBJ_EFIBOOT_BASE
EFI_GUID gAppleVendorVariableGuid
EFI_GUID gAppleSecureBootVariableGuid
#define APPLE_BRIDGE_OS_HARDWARE_MODEL_VARIABLE_NAME
DMG_FILEPATH_DEVICE_PATH FilePath
APPLE_SECURE_BOOT_PROTOCOL * OcAppleSecureBootGetProtocol(VOID)
STATIC VOID * InternalReadFile(IN EFI_FILE_PROTOCOL *Volume, IN CHAR16 *FilePath, OUT UINT32 *FileSize)
STATIC EFI_STATUS EFIAPI AppleSbGetFailureReason(IN APPLE_SECURE_BOOT_PROTOCOL *This, OUT UINT8 *Reason)
STATIC EFI_STATUS EFIAPI AppleSbSetKernelFailureReason(IN APPLE_SECURE_BOOT_PROTOCOL *This, IN UINT8 Reason)
STATIC EFI_STATUS EFIAPI AppleSbVerifyWindows(IN APPLE_SECURE_BOOT_PROTOCOL *This, IN CONST VOID *TargetBuffer, IN UINTN TargetSize, IN BOOLEAN SetFailureReason)
EFI_STATUS OcAppleSecureBootVerify(IN EFI_DEVICE_PATH_PROTOCOL *DevicePath, IN VOID *SourceBuffer, IN UINTN SourceSize)
STATIC EFI_STATUS InternalVerifyImg4Worker(IN APPLE_SECURE_BOOT_PROTOCOL *This, IN CONST VOID *ImageBuffer, IN UINTN ImageSize, IN CONST VOID *ManifestBuffer, IN UINTN ManifestSize, IN UINT32 ObjType, IN BOOLEAN SetFailureReason, IN UINT8 SbPolicy)
STATIC APPLE_SECURE_BOOT_PROTOCOL * mSecureBoot
STATIC EFI_STATUS EFIAPI AppleSbGetKernelFailureReason(IN APPLE_SECURE_BOOT_PROTOCOL *This, OUT UINT8 *Reason)
STATIC BOOLEAN mSbAvailable
STATIC EFI_STATUS EFIAPI AppleSbGetPolicy(IN APPLE_SECURE_BOOT_PROTOCOL *This, OUT UINT8 *Policy)
APPLE_SECURE_BOOT_PROTOCOL * OcAppleSecureBootInstallProtocol(IN BOOLEAN Reinstall, IN UINT8 SbPolicy, IN UINT8 SbWinPolicy OPTIONAL, IN BOOLEAN SbWinPolicyValid)
STATIC VOID EFIAPI AppleSbSetAvailability(IN APPLE_SECURE_BOOT_PROTOCOL *This, IN BOOLEAN Available)
STATIC UINT8 mDmgLoadingPolicy
STATIC EFI_STATUS EFIAPI AppleSbSetWindowsFailureReason(IN APPLE_SECURE_BOOT_PROTOCOL *This, IN UINT8 Reason)
STATIC BOOLEAN mSbWindowsPolicyValid
EFI_STATUS OcAppleSecureBootBootstrapValues(IN CONST CHAR8 *Model, IN UINT64 Ecid OPTIONAL)
STATIC BOOLEAN mDmgLoading
STATIC EFI_STATUS EFIAPI AppleSbGetWindowsPolicy(IN APPLE_SECURE_BOOT_PROTOCOL *This, OUT UINT8 *Policy)
BOOLEAN OcAppleSecureBootGetDmgLoading(OUT UINT8 *RealPolicy OPTIONAL)
STATIC EFI_STATUS EFIAPI AppleSbGetWindowsFailureReason(IN APPLE_SECURE_BOOT_PROTOCOL *This, OUT UINT8 *Reason)
STATIC EFI_STATUS EFIAPI AppleSbSetFailureReason(IN APPLE_SECURE_BOOT_PROTOCOL *This, IN UINT8 Reason)
STATIC CHAR8 mSbHardwareModel[16]
STATIC EFI_STATUS EFIAPI AppleSbVerifyImg4ByPath(IN APPLE_SECURE_BOOT_PROTOCOL *This, IN EFI_DEVICE_PATH_PROTOCOL *DevicePath, IN UINT32 ObjType, IN BOOLEAN SetFailureReason)
STATIC EFI_STATUS EFIAPI AppleSbVerifyImg4(IN APPLE_SECURE_BOOT_PROTOCOL *This, IN CONST VOID *ImageBuffer, IN UINTN ImageSize, IN CONST VOID *ManifestBuffer, IN UINTN ManifestSize, IN UINT32 ObjType, IN BOOLEAN SetFailureReason)
STATIC EFI_STATUS EFIAPI InternalGetImg4ByPath(IN APPLE_SECURE_BOOT_PROTOCOL *This, IN EFI_DEVICE_PATH_PROTOCOL *DevicePath, IN UINT8 SbPolicy, OUT VOID **ManifestBufferPtr, OUT UINTN *ManifestSizePtr)
STATIC UINT8 mSbWindowsPolicy
VOID OcAppleSecureBootSetDmgLoading(IN BOOLEAN LoadingDmg)
STATIC UINT8 InternalImg4GetFailureReason(IN APPLE_SECURE_BOOT_PROTOCOL *This, IN UINT8 SbPolicy, IN EFI_STATUS Status)
STATIC EFI_STATUS EFIAPI AppleSbVerifyWindowsByPath(IN APPLE_SECURE_BOOT_PROTOCOL *This, IN EFI_DEVICE_PATH_PROTOCOL *DevicePath, IN BOOLEAN SetFailureReason)
VOID OcFileDevicePathFullName(OUT CHAR16 *PathName, IN CONST FILEPATH_DEVICE_PATH *FilePath, IN UINTN PathNameSize)
UINTN OcFileDevicePathFullNameSize(IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath)
EFI_STATUS OcGetFileSize(IN EFI_FILE_PROTOCOL *File, OUT UINT32 *Size)
EFI_STATUS OcGetFileData(IN EFI_FILE_PROTOCOL *File, IN UINT32 Position, IN UINT32 Size, OUT UINT8 *Buffer)
EFI_STATUS OcSafeFileOpen(IN CONST EFI_FILE_PROTOCOL *Directory, OUT EFI_FILE_PROTOCOL **NewHandle, IN CONST CHAR16 *FileName, IN CONST UINT64 OpenMode, IN CONST UINT64 Attributes)
EFI_STATUS OcUninstallAllProtocolInstances(EFI_GUID *Protocol)
EFI_STATUS EFIAPI OcAsciiSafeSPrint(OUT CHAR8 *StartOfBuffer, IN UINTN BufferSize, IN CONST CHAR8 *FormatString,...)
#define L_STR_SIZE_NT(String)
APPLE_EVENT_HANDLE Handle
EFI_RUNTIME_SERVICES * gRT
EFI_GUID gEfiSimpleFileSystemProtocolGuid
APPLE_SB_GET_POLICY GetPolicy
APPLE_SB_VERIFY_IMG4 VerifyImg4
APPLE_SB_SET_AVAILABILITY SetAvailability
1.12.0