1 files changed, 225 insertions, 0 deletions
diff --git a/roms/edk2/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c b/roms/edk2/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c
new file mode 100644
index 000000000..14b6a2a54
--- /dev/null
+++ b/roms/edk2/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c
@@ -0,0 +1,225 @@
+/** @file
+
+  A hook-in library for NetworkPkg/TlsAuthConfigDxe, in order to set volatile
+  variables related to TLS configuration, before TlsAuthConfigDxe or HttpDxe
+  (which is a UEFI_DRIVER) consume them.
+
+  Copyright (C) 2013, 2015, 2018, Red Hat, Inc.
+  Copyright (c) 2008 - 2012, Intel Corporation. All rights reserved.<BR>
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi/UefiBaseType.h>
+#include <Uefi/UefiSpec.h>
+
+#include <Guid/HttpTlsCipherList.h>
+#include <Guid/TlsAuthentication.h>
+
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/QemuFwCfgLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+
+/**
+  Read the list of trusted CA certificates from the fw_cfg file
+  "etc/edk2/https/cacerts", and store it to
+  gEfiTlsCaCertificateGuid:EFI_TLS_CA_CERTIFICATE_VARIABLE.
+
+  The contents are validated (for well-formedness) by NetworkPkg/HttpDxe.
+**/
+STATIC
+VOID
+SetCaCerts (
+  VOID
+  )
+{
+  EFI_STATUS           Status;
+  FIRMWARE_CONFIG_ITEM HttpsCaCertsItem;
+  UINTN                HttpsCaCertsSize;
+  VOID                 *HttpsCaCerts;
+
+  Status = QemuFwCfgFindFile ("etc/edk2/https/cacerts", &HttpsCaCertsItem,
+             &HttpsCaCertsSize);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_VERBOSE, "%a:%a: not touching CA cert list\n",
+      gEfiCallerBaseName, __FUNCTION__));
+    return;
+  }
+
+  //
+  // Delete the current EFI_TLS_CA_CERTIFICATE_VARIABLE if it exists. This
+  // serves two purposes:
+  //
+  // (a) If the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we
+  //     cannot make it volatile without deleting it first.
+  //
+  // (b) If we fail to recreate the variable later, deleting the current one is
+  //     still justified if the fw_cfg file exists. Emptying the set of trusted
+  //     CA certificates will fail HTTPS boot, which is better than trusting
+  //     any certificate that's possibly missing from the fw_cfg file.
+  //
+  Status = gRT->SetVariable (
+                  EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName
+                  &gEfiTlsCaCertificateGuid,       // VendorGuid
+                  0,                               // Attributes
+                  0,                               // DataSize
+                  NULL                             // Data
+                  );
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    //
+    // This is fatal.
+    //
+    DEBUG ((DEBUG_ERROR, "%a:%a: failed to delete %g:\"%s\"\n",
+      gEfiCallerBaseName, __FUNCTION__, &gEfiTlsCaCertificateGuid,
+      EFI_TLS_CA_CERTIFICATE_VARIABLE));
+    ASSERT_EFI_ERROR (Status);
+    CpuDeadLoop ();
+  }
+
+  if (HttpsCaCertsSize == 0) {
+    DEBUG ((DEBUG_VERBOSE, "%a:%a: applied empty CA cert list\n",
+      gEfiCallerBaseName, __FUNCTION__));
+    return;
+  }
+
+  HttpsCaCerts = AllocatePool (HttpsCaCertsSize);
+  if (HttpsCaCerts == NULL) {
+    DEBUG ((DEBUG_ERROR, "%a:%a: failed to allocate HttpsCaCerts\n",
+      gEfiCallerBaseName, __FUNCTION__));
+    return;
+  }
+
+  QemuFwCfgSelectItem (HttpsCaCertsItem);
+  QemuFwCfgReadBytes (HttpsCaCertsSize, HttpsCaCerts);
+
+  Status = gRT->SetVariable (
+                  EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName
+                  &gEfiTlsCaCertificateGuid,       // VendorGuid
+                  EFI_VARIABLE_BOOTSERVICE_ACCESS, // Attributes
+                  HttpsCaCertsSize,                // DataSize
+                  HttpsCaCerts                     // Data
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a:%a: failed to set %g:\"%s\": %r\n",
+      gEfiCallerBaseName, __FUNCTION__, &gEfiTlsCaCertificateGuid,
+      EFI_TLS_CA_CERTIFICATE_VARIABLE, Status));
+    goto FreeHttpsCaCerts;
+  }
+
+  DEBUG ((DEBUG_VERBOSE, "%a:%a: stored CA cert list (%Lu byte(s))\n",
+    gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCaCertsSize));
+
+FreeHttpsCaCerts:
+  FreePool (HttpsCaCerts);
+}
+
+/**
+  Read the list of trusted cipher suites from the fw_cfg file
+  "etc/edk2/https/ciphers", and store it to
+  gEdkiiHttpTlsCipherListGuid:EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.
+
+  The contents are propagated by NetworkPkg/HttpDxe to NetworkPkg/TlsDxe; the
+  list is processed by the latter.
+**/
+STATIC
+VOID
+SetCipherSuites (
+  VOID
+  )
+{
+  EFI_STATUS           Status;
+  FIRMWARE_CONFIG_ITEM HttpsCiphersItem;
+  UINTN                HttpsCiphersSize;
+  VOID                 *HttpsCiphers;
+
+  Status = QemuFwCfgFindFile ("etc/edk2/https/ciphers", &HttpsCiphersItem,
+             &HttpsCiphersSize);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_VERBOSE, "%a:%a: not touching cipher suites\n",
+      gEfiCallerBaseName, __FUNCTION__));
+    return;
+  }
+  //
+  // From this point on, any failure is fatal. An ordered cipher preference
+  // list is available from QEMU, thus we cannot let the firmware attempt HTTPS
+  // boot with either pre-existent or non-existent preferences. An empty set of
+  // cipher suites does not fail HTTPS boot automatically; the default cipher
+  // suite preferences would take effect, and we must prevent that.
+  //
+  // Delete the current EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE if it exists. If
+  // the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we cannot
+  // make it volatile without deleting it first.
+  //
+  Status = gRT->SetVariable (
+                  EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName
+                  &gEdkiiHttpTlsCipherListGuid,        // VendorGuid
+                  0,                                   // Attributes
+                  0,                                   // DataSize
+                  NULL                                 // Data
+                  );
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((DEBUG_ERROR, "%a:%a: failed to delete %g:\"%s\"\n",
+      gEfiCallerBaseName, __FUNCTION__, &gEdkiiHttpTlsCipherListGuid,
+      EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE));
+    goto Done;
+  }
+
+  if (HttpsCiphersSize == 0) {
+    DEBUG ((DEBUG_ERROR, "%a:%a: list of cipher suites must not be empty\n",
+      gEfiCallerBaseName, __FUNCTION__));
+    Status = EFI_INVALID_PARAMETER;
+    goto Done;
+  }
+
+  HttpsCiphers = AllocatePool (HttpsCiphersSize);
+  if (HttpsCiphers == NULL) {
+    DEBUG ((DEBUG_ERROR, "%a:%a: failed to allocate HttpsCiphers\n",
+      gEfiCallerBaseName, __FUNCTION__));
+    Status = EFI_OUT_OF_RESOURCES;
+    goto Done;
+  }
+
+  QemuFwCfgSelectItem (HttpsCiphersItem);
+  QemuFwCfgReadBytes (HttpsCiphersSize, HttpsCiphers);
+
+  Status = gRT->SetVariable (
+                  EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName
+                  &gEdkiiHttpTlsCipherListGuid,        // VendorGuid
+                  EFI_VARIABLE_BOOTSERVICE_ACCESS,     // Attributes
+                  HttpsCiphersSize,                    // DataSize
+                  HttpsCiphers                         // Data
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a:%a: failed to set %g:\"%s\"\n",
+      gEfiCallerBaseName, __FUNCTION__, &gEdkiiHttpTlsCipherListGuid,
+      EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE));
+    goto FreeHttpsCiphers;
+  }
+
+  DEBUG ((DEBUG_VERBOSE, "%a:%a: stored list of cipher suites (%Lu byte(s))\n",
+    gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCiphersSize));
+
+FreeHttpsCiphers:
+  FreePool (HttpsCiphers);
+
+Done:
+  if (EFI_ERROR (Status)) {
+    ASSERT_EFI_ERROR (Status);
+    CpuDeadLoop ();
+  }
+}
+
+RETURN_STATUS
+EFIAPI
+TlsAuthConfigInit (
+  VOID
+  )
+{
+  SetCaCerts ();
+  SetCipherSuites ();
+
+  return RETURN_SUCCESS;
+}