3 files changed, 425 insertions, 0 deletions
diff --git a/MdePkg/Include/Guid/ImageAuthentication.h b/MdePkg/Include/Guid/ImageAuthentication.h
new file mode 100644
index 0000000000..b965a42549
--- /dev/null
+++ b/MdePkg/Include/Guid/ImageAuthentication.h
@@ -0,0 +1,221 @@
+/** @file
+  Platform Key, Key Exchange Key, and Image signature database are defined 
+  for the signed image validation.
+
+  Copyright (c) 2009, Intel Corporation
+  All rights reserved. This program and the accompanying materials                          
+  are licensed and made available under the terms and conditions of the BSD License         
+  which accompanies this distribution.  The full text of the license may be found at        
+  http://opensource.org/licenses/bsd-license.php                                            
+
+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,                     
+  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.             
+
+  @par Revision Reference:
+  GUIDs defined in UEFI 2.2 spec.
+**/
+
+#ifndef __IMAGE_AUTHTICATION_H__
+#define __IMAGE_AUTHTICATION_H__
+
+#include <Guid/GlobalVariable.h>
+
+#define EFI_IMAGE_SECURITY_DATABASE_GUID \
+  { \
+    0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f } \
+  }
+
+///
+/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID 
+/// for the authorized signature database.
+///
+#define EFI_IMAGE_SECURITY_DATABASE       L"db"
+///
+/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID 
+/// for the forbidden signature database.
+///
+#define EFI_IMAGE_SECURITY_DATABASE1      L"dbx"
+
+#define SETUP_MODE                        1
+#define USER_MODE                         0
+///
+/// Globally "SetupMode" variable to specify whether the system is currently operating 
+/// in setup mode (1) or not (0). All other values are reserved.
+///
+#define EFI_SETUP_MODE_NAME               L"SetupMode"
+///
+/// Globally "PK" variable for the Platform Key Signature Database.
+///
+#define EFI_PLATFORM_KEY_NAME             L"PK"
+///
+/// Globally "KEK" variable for the Key Exchange Key Signature Database.
+///
+#define EFI_KEY_EXCHANGE_KEY_NAME         L"KEK"
+///
+/// Globally "SignatureSupport" variable returns an array of GUIDs, 
+/// with each GUID representing a type of signature which the platform 
+/// firmware supports for images and other data.
+///
+#define EFI_SIGNATURE_SUPPORT_NAME        L"SignatureSupport"
+
+//***********************************************************************
+// Signature Database
+//***********************************************************************
+///
+/// The format of a signature database. 
+///
+#pragma pack(1)
+
+typedef struct {
+  ///
+  /// An identifier which identifies the agent which added the signature to the list.
+  ///
+  EFI_GUID	        SignatureOwner;
+  ///
+  /// The format of the signature is defined by the SignatureType.
+  ///
+  UINT8		          SignatureData[1];
+} EFI_SIGNATURE_DATA;
+
+typedef struct {
+  ///
+  /// Type of the signature. GUID signature types are defined in below.
+  ///
+  EFI_GUID          	SignatureType;
+  ///
+  /// Total size of the signature list, including this header.
+  ///
+  UINT32            	SignatureListSize;
+  ///
+  /// Size of the signature header which precedes the array of signatures.
+  ///
+  UINT32            	SignatureHeaderSize;
+  ///
+  /// Size of each signature.
+  ///
+  UINT32              SignatureSize; 
+  ///
+  /// Header before the array of signatures. The format of this header is specified 
+  /// by the SignatureType.
+  /// UINT8           SignatureHeader[SignatureHeaderSize];
+  ///
+  /// An array of signatures. Each signature is SignatureSize bytes in length. 
+  /// EFI_SIGNATURE_DATA Signatures[][SignatureSize];
+  ///
+} EFI_SIGNATURE_LIST;
+
+#pragma pack()
+
+///
+/// This identifies a signature containing a SHA-256 hash. The SignatureHeader size should 
+/// always be 0.  The SignatureSize should always be 32 bytes.
+///
+#define EFI_CERT_SHA256_GUID \
+  { \
+    0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28} \
+  }
+
+///
+/// This identifies a signature containing an RSA-2048 key. The SignatureHeader size should 
+/// always be 0. The SignatureSize should always be 256 bytes.
+///
+#define EFI_CERT_RSA2048_GUID \
+  { \
+    0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \
+  }
+
+///
+/// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash. The 
+/// SignatureHeader size should always be 0. The SignatureSize should always be 256 bytes.
+///
+#define EFI_CERT_RSA2048_SHA256_GUID \
+  { \
+    0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84} \
+  }
+
+///
+/// This identifies a signature containing a SHA-1 hash.  The SignatureHeader size should always
+/// be 0. The SignatureSize should always be 20 bytes
+///
+#define EFI_CERT_SHA1_GUID \
+  { \
+    0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd} \
+  }
+
+///
+/// This identifies a signature containing a RSA-2048 signature of a SHA-1 hash. The 
+/// SignatureHeader size should always be 0. The SignatureSize should always be 256 bytes.
+///
+#define EFI_CERT_RSA2048_SHA1_GUID \
+  { \
+    0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80} \
+  }
+
+///
+/// This identifies a signature based on an X.509 certificate. If the signature is an X.509 certificate then 
+/// verification of the signature of an image should validate the public key certificate in the image using 
+/// certificate path verification, up to this X.509 certificate as a trusted root.
+///
+#define EFI_CERT_X509 \
+  { \
+    0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \
+  }
+
+//***********************************************************************
+// Image Execution Information Table Definition
+//***********************************************************************
+typedef UINT32 EFI_IMAGE_EXECUTION_ACTION;
+
+#define EFI_IMAGE_EXECUTION_AUTHENTICATION          0x00000007 
+
+//
+// EFI_IMAGE_EXECUTION_INFO is added to EFI System Configuration Table 
+// and assigned the GUID EFI_IMAGE_SECURITY_DATABASE_GUID.
+//
+typedef struct {
+  ///
+  /// Describes the action taken by the firmware regarding this image.
+  ///
+  EFI_IMAGE_EXECUTION_ACTION 	  Action;
+  ///
+  /// Size of all of the entire structure.
+  ///
+  UINT32                        InfoSize;
+  ///
+  /// If this image was a UEFI device driver (for option ROM, for example) this is the 
+  /// null-terminated, user-friendly name for the device. If the image was for an application, 
+  /// then this is the name of the application. If this cannot be determined, then a simple 
+  /// NULL character should be put in this position.
+  /// CHAR16                    Name[];
+  ///
+
+  ///
+  /// For device drivers, this is the device path of the device for which this device driver 
+  /// was intended. In some cases, the driver itself may be stored as part of the system 
+  /// firmware, but this field should record the device's path, not the firmware path. For 
+  /// applications, this is the device path of the application. If this cannot be determined, 
+  /// a simple end-of-path device node should be put in this position.
+  /// EFI_DEVICE_PATH_PROTOCOL  DevicePath;
+  ///
+
+  ///
+  /// The image digest of the image. The certificate type must be one of the hash types. 
+  /// The hash type must match the type used in the Signature field.
+  ///
+  WIN_CERTIFICATE               ImageHash;
+  ///
+  /// Zero or more image signatures. If the image contained no signtures, 
+  /// then this field is empty.
+  ///
+  WIN_CERTIFICATE               Signature;
+} EFI_IMAGE_EXECUTION_INFO;
+
+extern EFI_GUID gEfiImageSecurityDatabaseGuid;
+extern EFI_GUID gEfiCertSha256Guid;
+extern EFI_GUID gEfiCertRsa2048Guid;      
+extern EFI_GUID gEfiCertRsa2048Sha256Guid;
+extern EFI_GUID gEfiCertSha1Guid;
+extern EFI_GUID gEfiCertRsa2048Sha1Guid;
+extern EFI_GUID gEfiCertX509Guid;
+
+#endif
diff --git a/MdePkg/Include/Guid/MemoryOverwriteControl.h b/MdePkg/Include/Guid/MemoryOverwriteControl.h
new file mode 100644
index 0000000000..ac50ecd603
--- /dev/null
+++ b/MdePkg/Include/Guid/MemoryOverwriteControl.h
@@ -0,0 +1,76 @@
+/** @file
+  GUID used for MemoryOverwriteRequestControl UEFI variable defined in 
+  TCG Platform Reset Attack Mitigation Specification 1.00.
+  See http://trustedcomputinggroup.org for the latest specification
+
+  The purpose of the MemoryOverwriteRequestControl UEFI variable is to give users (e.g., OS, loader) the ability to 
+  indicate to the platform that secrets are present in memory and that the platform firmware must clear memory upon 
+  a restart. The OS loader should not create the variable. Rather, the  firmware is required to create it. 
+
+  Copyright (c) 2009, Intel Corporation                                                         
+  All rights reserved. This program and the accompanying materials                          
+  are licensed and made available under the terms and conditions of the BSD License         
+  which accompanies this distribution.  The full text of the license may be found at        
+  http://opensource.org/licenses/bsd-license.php                                            
+
+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,                     
+  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.             
+
+**/
+
+#ifndef _MEMORY_OVERWRITE_CONTROL_DATA_GUID_H_
+#define _MEMORY_OVERWRITE_CONTROL_DATA_GUID_H_
+
+#define MEMORY_ONLY_RESET_CONTROL_GUID \
+  { \
+    0xe20939be, 0x32d4, 0x41be, {0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29} \
+  }
+
+///
+///  Variable name is "MemoryOverwriteRequestControl" and it is a 1 byte unsigned value. 
+///  The attributes should be: 
+///  EFI_VARIABLE_NON_VOLATILE | 
+///  EFI_VARIABLE_BOOTSERVICE_ACCESS | 
+///  EFI_VARIABLE_RUNTIME_ACCESS 
+///
+#define MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME L"MemoryOverwriteRequestControl"
+
+///
+/// 0 = Firmware MUST clear the MOR bi
+/// 1 = Firmware MUST set the MOR bit 
+///
+#define MOR_CLEAR_MEMORY_BIT_MASK        0x01
+
+///
+/// 0 = Firmware MAY autodetect a clean shutdown of the Static RTM OS.
+/// 1 = Firmware MUST NOT autodetect a clean shutdown of the Static RTM OS.
+///
+#define MOR_DISABLEAUTODETECT_BIT_MASK   0x10
+
+///
+/// MOR field bit offset
+///
+#define MOR_CLEAR_MEMORY_BIT_OFFSET      0
+#define MOR_DISABLEAUTODETECT_BIT_OFFSET 4
+
+/**
+  Return the ClearMemory bit value 0 or 1.
+
+  @param mor   1 byte value that contains ClearMemory and DisableAutoDetect bit.
+
+  @return ClearMemory bit value
+**/
+#define MOR_CLEAR_MEMORY_VALUE(mor)        (((UINT8)(mor) & MOR_CLEAR_MEMORY_BIT_MASK) >> MOR_CLEAR_MEMORY_BIT_OFFSET)
+
+/**
+  Return the DisableAutoDetect bit value 0 or 1.
+
+  @param mor   1 byte value that contains ClearMemory and DisableAutoDetect bit.
+
+  @return DisableAutoDetect bit value
+**/
+#define MOR_DISABLE_AUTO_DETECT_VALUE(mor) (((UINT8)(mor) & MOR_DISABLEAUTODETECT_BIT_MASK) >> MOR_DISABLEAUTODETECT_BIT_OFFSET)
+
+extern EFI_GUID gEfiMemoryOverwriteControlDataGuid;
+
+#endif
diff --git a/MdePkg/Include/Guid/WinCertificate.h b/MdePkg/Include/Guid/WinCertificate.h
new file mode 100644
index 0000000000..f7a4190c2e
--- /dev/null
+++ b/MdePkg/Include/Guid/WinCertificate.h
@@ -0,0 +1,128 @@
+/** @file
+  GUID for UEFI WIN_CERTIFICATE structure. 
+
+  Copyright (c) 2006 - 2009, Intel Corporation                                                         
+  All rights reserved. This program and the accompanying materials                          
+  are licensed and made available under the terms and conditions of the BSD License         
+  which accompanies this distribution.  The full text of the license may be found at        
+  http://opensource.org/licenses/bsd-license.php                                            
+
+  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,                     
+  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.             
+
+  @par Revision Reference:
+  GUID defined in UEFI 2.0 spec.
+**/
+
+#ifndef __EFI_WIN_CERTIFICATE_H__
+#define __EFI_WIN_CERTIFICATE_H__
+
+//
+// _WIN_CERTIFICATE.wCertificateType
+// 
+#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
+#define WIN_CERT_TYPE_EFI_PKCS115      0x0EF0
+#define WIN_CERT_TYPE_EFI_GUID         0x0EF1
+
+///
+/// The WIN_CERTIFICATE structure is part of the PE/COFF specification.
+///
+typedef struct {
+  ///
+  /// The length of the entire certificate,  
+  /// including the length of the header, in bytes.                                
+  ///
+  UINT32  dwLength;
+  ///
+  /// The revision level of the WIN_CERTIFICATE 
+  /// structure. The current revision level is 0x0200.                                   
+  ///
+  UINT16  wRevision;
+  ///
+  /// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI      
+  /// certificate types. The UEFI specification reserves the range of 
+  /// certificate type values from 0x0EF0 to 0x0EFF.                          
+  ///
+  UINT16  wCertificateType;
+  ///
+  /// The following is the actual certificate. The format of   
+  /// the certificate depends on wCertificateType.
+  ///
+  /// UINT8 bCertificate[ANYSIZE_ARRAY];
+  ///
+} WIN_CERTIFICATE;
+
+///
+/// WIN_CERTIFICATE_UEFI_GUID.CertType
+/// 
+#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \
+  {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } }
+
+///
+/// WIN_CERTIFICATE_UEFI_GUID.CertData
+/// 
+typedef struct {
+  UINT32  HashType;
+  UINT8   PublicKey[256];
+  UINT8   Signature[256];
+} EFI_CERT_BLOCK_RSA_2048_SHA256;
+
+
+///
+/// Certificate which encapsulates a GUID-specific digital signature
+///
+typedef struct {
+  ///
+  /// This is the standard WIN_CERTIFICATE header, where
+  /// wCertificateType is set to WIN_CERT_TYPE_UEFI_GUID. 
+  ///                         
+  WIN_CERTIFICATE   Hdr;
+  ///
+  /// This is the unique id which determines the 
+  /// format of the CertData. .
+  ///
+  EFI_GUID          CertType;
+  /// 
+  /// The following is the certificate data. The format of
+  /// the data is determined by the CertType. 
+  /// If CertType is EFI_CERT_TYPE_RSA2048_SHA256_GUID,
+  /// the CertData will be EFI_CERT_BLOCK_RSA_2048_SHA256 structure.
+  ///
+  UINT8            CertData[1];
+} WIN_CERTIFICATE_UEFI_GUID;
+
+
+///   
+/// Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature.
+///  
+/// The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from
+/// WIN_CERTIFICATE and encapsulate the information needed to  
+/// implement the RSASSA-PKCS1-v1_5 digital signature algorithm as  
+/// specified in RFC2437.  
+///  
+typedef struct {     
+  ///
+  /// This is the standard WIN_CERTIFICATE header, where 
+  /// wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15.                       
+  ///
+  WIN_CERTIFICATE Hdr;
+  ///
+  /// This is the hashing algorithm which was performed on the
+  /// UEFI executable when creating the digital signature. 
+  ///
+  EFI_GUID        HashAlgorithm;
+  ///
+  /// The following is the actual digital signature. The   
+  /// size of the signature is the same size as the key 
+  /// (1024-bit key is 128 bytes) and can be determined by 
+  /// subtracting the length of the other parts of this header
+  /// from the total length of the certificate as found in 
+  /// Hdr.dwLength.                               
+  ///
+  /// UINT8 Signature[];
+  ///
+} WIN_CERTIFICATE_EFI_PKCS1_15;
+
+extern EFI_GUID gEfiCertTypeRsa2048Sha256Guid;
+
+#endif