| /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
| |
| #include <stdalign.h> |
| |
| #include "bcd.h" |
| #include "efi-string.h" |
| |
| enum { |
| SIG_BASE_BLOCK = 1718052210, /* regf */ |
| SIG_KEY = 27502, /* nk */ |
| SIG_SUBKEY_FAST = 26220, /* lf */ |
| SIG_KEY_VALUE = 27510, /* vk */ |
| }; |
| |
| enum { |
| REG_SZ = 1, |
| REG_MULTI_SZ = 7, |
| }; |
| |
| /* These structs contain a lot more members than we care for. They have all |
| * been squashed into _padN for our convenience. */ |
| |
| typedef struct { |
| uint32_t sig; |
| uint32_t primary_seqnum; |
| uint32_t secondary_seqnum; |
| uint64_t _pad1; |
| uint32_t version_major; |
| uint32_t version_minor; |
| uint32_t type; |
| uint32_t _pad2; |
| uint32_t root_cell_offset; |
| uint64_t _pad3[507]; |
| } _packed_ BaseBlock; |
| assert_cc(sizeof(BaseBlock) == 4096); |
| assert_cc(offsetof(BaseBlock, sig) == 0); |
| assert_cc(offsetof(BaseBlock, primary_seqnum) == 4); |
| assert_cc(offsetof(BaseBlock, secondary_seqnum) == 8); |
| assert_cc(offsetof(BaseBlock, version_major) == 20); |
| assert_cc(offsetof(BaseBlock, version_minor) == 24); |
| assert_cc(offsetof(BaseBlock, type) == 28); |
| assert_cc(offsetof(BaseBlock, root_cell_offset) == 36); |
| |
| /* All offsets are relative to the base block and technically point to a hive |
| * cell struct. But for our usecase we don't need to bother about that one, |
| * so skip over the cell_size uint32_t. */ |
| #define HIVE_CELL_OFFSET (sizeof(BaseBlock) + 4) |
| |
| typedef struct { |
| uint16_t sig; |
| uint16_t _pad1[13]; |
| uint32_t subkeys_offset; |
| uint32_t _pad2; |
| uint32_t n_key_values; |
| uint32_t key_values_offset; |
| uint32_t _pad3[7]; |
| uint16_t key_name_len; |
| uint16_t _pad4; |
| char key_name[]; |
| } _packed_ Key; |
| assert_cc(offsetof(Key, sig) == 0); |
| assert_cc(offsetof(Key, subkeys_offset) == 28); |
| assert_cc(offsetof(Key, n_key_values) == 36); |
| assert_cc(offsetof(Key, key_values_offset) == 40); |
| assert_cc(offsetof(Key, key_name_len) == 72); |
| assert_cc(offsetof(Key, key_name) == 76); |
| |
| typedef struct { |
| uint16_t sig; |
| uint16_t n_entries; |
| struct SubkeyFastEntry { |
| uint32_t key_offset; |
| char name_hint[4]; |
| } _packed_ entries[]; |
| } _packed_ SubkeyFast; |
| assert_cc(offsetof(SubkeyFast, sig) == 0); |
| assert_cc(offsetof(SubkeyFast, n_entries) == 2); |
| assert_cc(offsetof(SubkeyFast, entries) == 4); |
| |
| typedef struct { |
| uint16_t sig; |
| uint16_t name_len; |
| uint32_t data_size; |
| uint32_t data_offset; |
| uint32_t data_type; |
| uint32_t _pad; |
| char name[]; |
| } _packed_ KeyValue; |
| assert_cc(offsetof(KeyValue, sig) == 0); |
| assert_cc(offsetof(KeyValue, name_len) == 2); |
| assert_cc(offsetof(KeyValue, data_size) == 4); |
| assert_cc(offsetof(KeyValue, data_offset) == 8); |
| assert_cc(offsetof(KeyValue, data_type) == 12); |
| assert_cc(offsetof(KeyValue, name) == 20); |
| |
| #define BAD_OFFSET(offset, len, max) \ |
| ((uint64_t) (offset) + (len) >= (max)) |
| |
| #define BAD_STRUCT(type, offset, max) \ |
| ((uint64_t) (offset) + sizeof(type) >= (max)) |
| |
| #define BAD_ARRAY(type, array, offset, array_len, max) \ |
| ((uint64_t) (offset) + offsetof(type, array) + \ |
| sizeof((type){}.array[0]) * (uint64_t) (array_len) >= (max)) |
| |
| static const Key *get_key(const uint8_t *bcd, uint32_t bcd_len, uint32_t offset, const char *name); |
| |
| static const Key *get_subkey(const uint8_t *bcd, uint32_t bcd_len, uint32_t offset, const char *name) { |
| assert(bcd); |
| assert(name); |
| |
| if (BAD_STRUCT(SubkeyFast, offset, bcd_len)) |
| return NULL; |
| |
| const SubkeyFast *subkey = (const SubkeyFast *) (bcd + offset); |
| if (subkey->sig != SIG_SUBKEY_FAST) |
| return NULL; |
| |
| if (BAD_ARRAY(SubkeyFast, entries, offset, subkey->n_entries, bcd_len)) |
| return NULL; |
| |
| for (uint16_t i = 0; i < subkey->n_entries; i++) { |
| if (!strncaseeq8(name, subkey->entries[i].name_hint, sizeof(subkey->entries[i].name_hint))) |
| continue; |
| |
| const Key *key = get_key(bcd, bcd_len, subkey->entries[i].key_offset, name); |
| if (key) |
| return key; |
| } |
| |
| return NULL; |
| } |
| |
| /* We use NUL as registry path separators for convenience. To start from the root, begin |
| * name with a NUL. Name must end with two NUL. The lookup depth is not restricted, so |
| * name must be properly validated before calling get_key(). */ |
| static const Key *get_key(const uint8_t *bcd, uint32_t bcd_len, uint32_t offset, const char *name) { |
| assert(bcd); |
| assert(name); |
| |
| if (BAD_STRUCT(Key, offset, bcd_len)) |
| return NULL; |
| |
| const Key *key = (const Key *) (bcd + offset); |
| if (key->sig != SIG_KEY) |
| return NULL; |
| |
| if (BAD_ARRAY(Key, key_name, offset, key->key_name_len, bcd_len)) |
| return NULL; |
| |
| if (*name) { |
| if (strncaseeq8(name, key->key_name, key->key_name_len) && strlen8(name) == key->key_name_len) |
| name += key->key_name_len; |
| else |
| return NULL; |
| } |
| |
| name++; |
| return *name ? get_subkey(bcd, bcd_len, key->subkeys_offset, name) : key; |
| } |
| |
| static const KeyValue *get_key_value(const uint8_t *bcd, uint32_t bcd_len, const Key *key, const char *name) { |
| assert(bcd); |
| assert(key); |
| assert(name); |
| |
| if (key->n_key_values == 0) |
| return NULL; |
| |
| if (BAD_OFFSET(key->key_values_offset, sizeof(uint32_t) * (uint64_t) key->n_key_values, bcd_len) || |
| (uintptr_t) (bcd + key->key_values_offset) % alignof(uint32_t) != 0) |
| return NULL; |
| |
| const uint32_t *key_value_list = (const uint32_t *) (bcd + key->key_values_offset); |
| for (uint32_t i = 0; i < key->n_key_values; i++) { |
| uint32_t offset = *(key_value_list + i); |
| |
| if (BAD_STRUCT(KeyValue, offset, bcd_len)) |
| continue; |
| |
| const KeyValue *kv = (const KeyValue *) (bcd + offset); |
| if (kv->sig != SIG_KEY_VALUE) |
| continue; |
| |
| if (BAD_ARRAY(KeyValue, name, offset, kv->name_len, bcd_len)) |
| continue; |
| |
| /* If most significant bit is set, data is stored in data_offset itself, but |
| * we are only interested in UTF16 strings. The only strings that could fit |
| * would have just one char in it, so let's not bother with this. */ |
| if (FLAGS_SET(kv->data_size, UINT32_C(1) << 31)) |
| continue; |
| |
| if (BAD_OFFSET(kv->data_offset, kv->data_size, bcd_len)) |
| continue; |
| |
| if (strncaseeq8(name, kv->name, kv->name_len) && strlen8(name) == kv->name_len) |
| return kv; |
| } |
| |
| return NULL; |
| } |
| |
| /* The BCD store is really just a regular windows registry hive with a rather cryptic internal |
| * key structure. On a running system it gets mounted to HKEY_LOCAL_MACHINE\BCD00000000. |
| * |
| * Of interest to us are these two keys: |
| * - \Objects\{bootmgr}\Elements\24000001 |
| * This key is the "displayorder" property and contains a value of type REG_MULTI_SZ |
| * with the name "Element" that holds a {GUID} list (UTF16, NUL-separated). |
| * - \Objects\{GUID}\Elements\12000004 |
| * This key is the "description" property and contains a value of type REG_SZ with the |
| * name "Element" that holds a NUL-terminated UTF16 string. |
| * |
| * The GUIDs and properties are as reported by "bcdedit.exe /v". |
| * |
| * To get a title for the BCD store we first look at the displayorder property of {bootmgr} |
| * (it always has the GUID 9dea862c-5cdd-4e70-acc1-f32b344d4795). If it contains more than |
| * one GUID, the BCD is multi-boot and we stop looking. Otherwise we take that GUID, look it |
| * up, and return its description property. */ |
| char16_t *get_bcd_title(uint8_t *bcd, size_t bcd_len) { |
| assert(bcd); |
| |
| if (HIVE_CELL_OFFSET >= bcd_len) |
| return NULL; |
| |
| BaseBlock *base_block = (BaseBlock *) bcd; |
| if (base_block->sig != SIG_BASE_BLOCK || |
| base_block->version_major != 1 || |
| base_block->version_minor != 3 || |
| base_block->type != 0 || |
| base_block->primary_seqnum != base_block->secondary_seqnum) |
| return NULL; |
| |
| bcd += HIVE_CELL_OFFSET; |
| bcd_len -= HIVE_CELL_OFFSET; |
| |
| const Key *objects_key = get_key(bcd, bcd_len, base_block->root_cell_offset, "\0Objects\0"); |
| if (!objects_key) |
| return NULL; |
| |
| const Key *displayorder_key = get_subkey( |
| bcd, |
| bcd_len, |
| objects_key->subkeys_offset, |
| "{9dea862c-5cdd-4e70-acc1-f32b344d4795}\0Elements\00024000001\0"); |
| if (!displayorder_key) |
| return NULL; |
| |
| const KeyValue *displayorder_value = get_key_value(bcd, bcd_len, displayorder_key, "Element"); |
| if (!displayorder_value) |
| return NULL; |
| |
| char order_guid[sizeof("{00000000-0000-0000-0000-000000000000}\0")]; |
| if (displayorder_value->data_type != REG_MULTI_SZ || |
| displayorder_value->data_size != sizeof(char16_t[sizeof(order_guid)]) || |
| (uintptr_t) (bcd + displayorder_value->data_offset) % alignof(char16_t) != 0) |
| /* BCD is multi-boot. */ |
| return NULL; |
| |
| /* Keys are stored as ASCII in registry hives if the data fits (and GUIDS always should). */ |
| char16_t *order_guid_utf16 = (char16_t *) (bcd + displayorder_value->data_offset); |
| for (size_t i = 0; i < sizeof(order_guid) - 2; i++) { |
| char16_t c = order_guid_utf16[i]; |
| switch (c) { |
| case '-': |
| case '{': |
| case '}': |
| case '0' ... '9': |
| case 'a' ... 'f': |
| case 'A' ... 'F': |
| order_guid[i] = c; |
| break; |
| default: |
| /* Not a valid GUID. */ |
| return NULL; |
| } |
| } |
| /* Our functions expect the lookup key to be double-derminated. */ |
| order_guid[sizeof(order_guid) - 2] = '\0'; |
| order_guid[sizeof(order_guid) - 1] = '\0'; |
| |
| const Key *default_key = get_subkey(bcd, bcd_len, objects_key->subkeys_offset, order_guid); |
| if (!default_key) |
| return NULL; |
| |
| const Key *description_key = get_subkey( |
| bcd, bcd_len, default_key->subkeys_offset, "Elements\00012000004\0"); |
| if (!description_key) |
| return NULL; |
| |
| const KeyValue *description_value = get_key_value(bcd, bcd_len, description_key, "Element"); |
| if (!description_value) |
| return NULL; |
| |
| if (description_value->data_type != REG_SZ || |
| description_value->data_size < sizeof(char16_t) || |
| description_value->data_size % sizeof(char16_t) != 0 || |
| (uintptr_t) (bcd + description_value->data_offset) % alignof(char16_t)) |
| return NULL; |
| |
| /* The data should already be NUL-terminated. */ |
| char16_t *title = (char16_t *) (bcd + description_value->data_offset); |
| title[description_value->data_size / sizeof(char16_t) - 1] = '\0'; |
| return title; |
| } |