smmstoretool is effectively a UEFI variable store writing tool, with
a specific emphasis on the SMMSTORE backend implementation.
However, it could also support other backends. Since it's typical for
the variable store to be `n / 2 - 1` blocks, but not typical how large
each block should be, allow this to be overridden on the command line.
This is necessary because in EDK2, the module producing the firmware
volume block protocol, the backend, will initialise a HOB or set PCDs to
indicate the size of the store to the rest of the stack, and an
assertion will be hit if the store has been preseeded by smmstoretool
using differently-sized blocks.
For example, `make CFLAGS=-DSMM_BLOCK_SIZE=8192` builds this for a
firmware volume block protocol implementation with 8K blocks.
Change-Id: I08b78cfb0b591641f09fcf86f40dd31e6b6c9b30
Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/88427
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Alicja Michalska <ahplka19@gmail.com>
Finalise the new support for adding secure boot variables by adding this
alias. db and dbx have this GUID, all others (PKDefault, KEKDefault,
dbDefault, dbxDefault, PK, and KEK) have the "global" GUID.
Change-Id: I58a825498d57c0bc04516fe41fe94924bdff2181
Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/88426
Reviewed-by: Sean Rhodes <sean@starlabs.systems>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
MonotonicCount is required, or UEFITool fails to parse the store.
TimeStamp is required for variables with authenticated attributes.
Change-Id: Iea933c9943ec18ea773700cdf1e3bede0e8ef292
Signed-off-by: Benjamin Doron <benjamin.doron00@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/88424
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This helps with initialising UEFI secure boot variables for the first
boot, for example, by setting PKDefault, KEKDefault, dbDefault and
dbxDefault to the desired certificates.
Tested, and the get subcommand returns the same data that the set
command added. However, EDK2's variable driver (from approximately
edk2-stable202505) asserts that the variable store isn't the expected
size, and UEFITool can't decode it correctly. This is also the case for
other types supported before this patch, suggesting that the bug is in
general variable-handling code in this utility. Will be debugged and
addressed in a follow-up.
Change-Id: If36394bb56388a35882702c93e26e63124fe0a63
Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/88377
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
If the header size is equal to fv.length, then `fv_parse()` will go
out-of-bounds when obtaining the variable store data, and obviously,
there is no data if the header takes up all available space.
Change-Id: I0ac46e098a14b51f936cb99f5e6bf83411570bc5
Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/88452
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Sean Rhodes <sean@starlabs.systems>
We want to distinguish between a variable store that's marked as capable
of storing authenticated variables (basically, checking their signatures
and promising that there's no TOCTOU possible), and a variable with the
authentication-checking enabled.
Change-Id: Ibf6ffbe279961ff54b0988d98a912a8421598e3b
Signed-off-by: Benjamin Doron <benjamin.doron@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/88423
Reviewed-by: Sean Rhodes <sean@starlabs.systems>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
It's in particular useful for working with variables that contain 64-bit
pointers, like CapsuleUpdateData* global variables defined by UEFI
specification.
Change-Id: I4b46b41cdc5f69d4ca189659bef1e44f64c0d554
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/82611
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Krystian Hebel <krystian.hebel@3mdeb.com>
These data types were added during review of CB:79080 but they weren't
added to the help message.
Change-Id: I6e79d65c80c292c3f5d2a2611e602db5cc6cf374
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/82610
Reviewed-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com>
We are going to expose ths tool to end users, and want to take
care that the presented information can be consumed by them.
The current code simply prints below warnings if we use release
binary available for end-user to download:
No firmware volume header present
No valid firmware volume was found
It will be concerning and not clear to end users, they might not
understant why it happens, what are the implications, and whether
it is something that they should worry about.
This commit tries to explain what actually happens here.
Change-Id: Iaa2678f5ae7c243811484c0567ced97ae0b3fc0a
Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/82692
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Input file is parsed for FMAP and SMMSTORE region which is used if
found. Otherwise, the whole file is assumed to be the region. Passing
an image with FMAP that lacks SMMSTORER is an error.
Change-Id: Ieab555d7bbcfa4dadf6a5070d1297acd737440fb
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/80903
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Offline SMMSTORE variable modification tool. Can be used to
pre-configure ROM image or debug EFI state stored in a dump.
Change-Id: I6c1c06f1d0c39c13b5be76a3070f09b715aca6e0
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/79080
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
