virtfw-varstore 0.6.2

efi variable store
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230

//!
//! efi variable store implementation -- core
//!

#![allow(clippy::collapsible_else_if)]
use alloc::vec::Vec;
use core::ops::Deref;
use uguid::Guid;

use uefi::{Error, Status};
use virtfw_libefi::efivar::types::{EfiVar, EfiVarAttr, EfiVarId};

use crate::policy::{VariablePolicyEntry, VariablePolicyType};

pub struct EfiVarStore {
    // boot phases
    pub(crate) end_of_dxe: bool,
    ready_to_boot: bool,
    exit_boot_service: bool,

    // efi variables
    pub(crate) variables: Vec<EfiVar>,

    // variable Policies
    pub(crate) policy_locked: bool,
    pub(crate) policies: Vec<VariablePolicyEntry>,
}

impl EfiVarStore {
    pub const fn new() -> Self {
        let variables = Vec::new();
        let policies = Vec::new();
        Self {
            end_of_dxe: false,
            ready_to_boot: false,
            exit_boot_service: false,

            variables,

            policy_locked: false,
            policies,
        }
    }

    fn get_position(&self, id: &EfiVarId) -> Option<usize> {
        self.variables.iter().position(|v| v.deref() == id)
    }

    pub(crate) fn get_unchecked(&self, id: &EfiVarId) -> Option<&EfiVar> {
        let index = self.get_position(id)?;
        Some(&self.variables[index])
    }

    pub(crate) fn set_unchecked(&mut self, variable: EfiVar) {
        let index = self.get_position(variable.deref());
        if let Some(i) = index {
            // replace
            if false {
                self.variables[i] = variable;
            } else {
                // qemu compatible ordering
                self.variables.remove(i);
                self.variables.push(variable);
            }
        } else {
            // append
            self.variables.push(variable);
        }
    }

    pub(crate) fn set_unchecked_bool(&mut self, id: EfiVarId, attr: EfiVarAttr, boolean: bool) {
        let var = EfiVar::new_from_bool(id, attr, boolean);
        self.set_unchecked(var);
    }

    pub(crate) fn delete_unchecked(&mut self, new: EfiVar) {
        self.variables
            .retain(|v| v.name() != new.name() || v.guid() != new.guid());
    }

    pub fn check_old_new(&self, old: &EfiVar, new: &EfiVar) -> Result<(), Error<&'static str>> {
        if old.attr() != new.attr() {
            return Err(Error::new(Status::INVALID_PARAMETER, "attribute mismatch"));
        }
        Ok(())
    }

    pub fn check_service(&self, variable: &EfiVar) -> Result<(), Error<&'static str>> {
        if !self.exit_boot_service {
            // boot service
            if !variable.attr().bootservice_access() {
                return Err(Error::new(Status::NOT_FOUND, "BS attr not set"));
            }
        } else {
            // runtime
            if !variable.attr().runtime_access() {
                return Err(Error::new(Status::NOT_FOUND, "RT attr not set"));
            }
        };
        Ok(())
    }

    pub fn check_attributes(&self, variable: &EfiVar) -> Result<(), Error<&'static str>> {
        if variable.attr().reserved() != 0 {
            return Err(Error::new(Status::INVALID_PARAMETER, "reserved bit set"));
        }
        if variable.attr().hardware_error() {
            return Err(Error::new(Status::INVALID_PARAMETER, "hw-error bit set"));
        }
        if variable.attr().auth_wr_access() {
            // not used any more
            return Err(Error::new(Status::UNSUPPORTED, "auth bit set"));
        }
        Ok(())
    }

    pub fn get(&self, id: &EfiVarId) -> Result<&EfiVar, Error<&'static str>> {
        if let Some(var) = self.get_unchecked(id) {
            self.check_service(var)?;
            return Ok(var);
        }
        Err(Error::new(Status::NOT_FOUND, "variable not found"))
    }

    pub fn lock(&mut self, name: &str, guid: &Guid) -> Result<(), Error<&'static str>> {
        let policy = VariablePolicyEntry {
            name: name.into(),
            namespace: *guid,
            min_size: 0,
            max_size: u32::MAX,
            attr_must_have: 0.into(),
            attr_cant_have: 0.into(),
            lock_policy_type: VariablePolicyType::LockNow,
        };
        self.policy_register(policy)?;
        Ok(())
    }

    pub fn get_next(&self, id: &EfiVarId) -> Result<&EfiVarId, Error<&'static str>> {
        let mut next_index = 0;
        if !id.name().is_empty() {
            let Some(index) = self.get_position(id) else {
                return Err(Error::new(Status::NOT_FOUND, "variable not found"));
            };
            let var = self.variables.get(index).unwrap();
            self.check_service(var)?;
            next_index = index + 1;
        }

        loop {
            let var_opt = self.variables.get(next_index);
            if var_opt.is_none() {
                return Err(Error::new(Status::NOT_FOUND, "end of list"));
            }
            let var = var_opt.unwrap();
            if self.check_service(var).is_err() {
                next_index += 1;
                continue;
            }
            return Ok(var);
        }
    }

    pub fn delete(&mut self, new: EfiVar) -> Result<(), Error<&'static str>> {
        let old_opt = self.get_unchecked(&new);
        if let Some(old) = old_opt {
            self.check_service(old)?;
            self.check_attributes(old)?;
            self.policy_check(&new, false)?;
            if old.attr().time_auth_wr_access() {
                return Err(Error::new(
                    Status::SECURITY_VIOLATION,
                    "tried to delete auth var without pkcs7 signature",
                ));
            }
            self.delete_unchecked(new);
        }
        Ok(())
    }

    pub fn set(&mut self, new: EfiVar) -> Result<(), Error<&'static str>> {
        if new.data().is_empty() {
            return self.delete(new);
        }
        let old_opt = self.get_unchecked(&new);
        if let Some(old) = old_opt {
            self.check_old_new(old, &new)?;
        }
        self.check_service(&new)?;
        self.check_attributes(&new)?;
        self.policy_check(&new, old_opt.is_none())?;

        if new.attr().time_auth_wr_access() {
            return self.set_time_auth(&new);
        }

        self.set_unchecked(new);
        Ok(())
    }

    pub fn reset(&mut self) {
        self.end_of_dxe = false;
        self.ready_to_boot = false;
        self.exit_boot_service = false;

        self.variables.retain(|v| v.attr().non_volatile());
        self.auth_init();

        self.policy_locked = false;
        self.policies.clear();
    }

    pub fn end_of_dxe(&mut self) {
        self.end_of_dxe = true;
    }

    pub fn ready_to_boot(&mut self) {
        self.ready_to_boot = true;
    }

    pub fn exit_boot_service(&mut self) {
        self.exit_boot_service = true;
    }
}

impl Default for EfiVarStore {
    fn default() -> Self {
        Self::new()
    }
}