C++程序  |  813行  |  26.36 KB

/** @file
  The main process for IpSecConfig application.

  Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>

  This program and the accompanying materials
  are licensed and made available under the terms and conditions of the BSD License
  which accompanies this distribution.  The full text of the license may be found at
  http://opensource.org/licenses/bsd-license.php.

  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.

**/

#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/HiiLib.h>

#include <Protocol/IpSec.h>

#include "IpSecConfig.h"
#include "Dump.h"
#include "Indexer.h"
#include "PolicyEntryOperation.h"
#include "Delete.h"
#include "Helper.h"

//
// String token ID of IpSecConfig command help message text.
//
GLOBAL_REMOVE_IF_UNREFERENCED EFI_STRING_ID mStringIpSecHelpTokenId = STRING_TOKEN (STR_IPSEC_CONFIG_HELP);

//
// Used for ShellCommandLineParseEx only
// and to ensure user inputs are in valid format
//
SHELL_PARAM_ITEM    mIpSecConfigParamList[] = {
  { L"-p",                    TypeValue },
  { L"-a",                    TypeValue },
  { L"-i",                    TypeValue },
  { L"-e",                    TypeValue },
  { L"-d",                    TypeValue },
  { L"-f",                    TypeFlag },
  { L"-l",                    TypeFlag },
  { L"-enable",               TypeFlag },
  { L"-disable",              TypeFlag },
  { L"-status",               TypeFlag },

  //
  // SPD Selector
  //
  { L"--local",               TypeValue },
  { L"--remote",              TypeValue },
  { L"--proto",               TypeValue },
  { L"--local-port",          TypeValue },
  { L"--remote-port",         TypeValue },
  { L"--icmp-type",           TypeValue },
  { L"--icmp-code",           TypeValue },

  //
  // SPD Data
  //
  { L"--name",                TypeValue },
  { L"--packet-flag",         TypeValue },
  { L"--action",              TypeValue },
  { L"--lifebyte",            TypeValue },
  { L"--lifetime-soft",       TypeValue },
  { L"--lifetime",            TypeValue },
  { L"--mode",                TypeValue },
  { L"--tunnel-local",        TypeValue },
  { L"--tunnel-remote",       TypeValue },
  { L"--dont-fragment",       TypeValue },
  { L"--ipsec-proto",         TypeValue },
  { L"--auth-algo",           TypeValue },
  { L"--encrypt-algo",        TypeValue },

  { L"--ext-sequence",        TypeFlag  },
  { L"--sequence-overflow",   TypeFlag  },
  { L"--fragment-check",      TypeFlag  },
  { L"--ext-sequence-",       TypeFlag  },
  { L"--sequence-overflow-",  TypeFlag  },
  { L"--fragment-check-",     TypeFlag  },

  //
  // SA ID
  // --ipsec-proto
  //
  { L"--spi",                 TypeValue },
  { L"--tunnel-dest",         TypeValue },
  { L"--tunnel-source",       TypeValue },
  { L"--lookup-spi",          TypeValue },
  { L"--lookup-ipsec-proto",  TypeValue },
  { L"--lookup-dest",         TypeValue },

  //
  // SA DATA
  // --mode
  // --auth-algo
  // --encrypt-algo
  //
  { L"--sequence-number",     TypeValue },
  { L"--antireplay-window",   TypeValue },
  { L"--auth-key",            TypeValue },
  { L"--encrypt-key",         TypeValue },
  { L"--path-mtu",            TypeValue },

  //
  // PAD ID
  //
  { L"--peer-id",             TypeValue },
  { L"--peer-address",        TypeValue },
  { L"--auth-proto",          TypeValue },
  { L"--auth-method",         TypeValue },
  { L"--ike-id",              TypeValue },
  { L"--ike-id-",             TypeValue },
  { L"--auth-data",           TypeValue },
  { L"--revocation-data",     TypeValue },
  { L"--lookup-peer-id",      TypeValue },
  { L"--lookup-peer-address", TypeValue },

  { NULL,                     TypeMax   },
};

//
// -P
//
STR2INT mMapPolicy[] = {
  { L"SPD",       IPsecConfigDataTypeSpd },
  { L"SAD",       IPsecConfigDataTypeSad },
  { L"PAD",       IPsecConfigDataTypePad },
  { NULL,         0 },
};

//
// --proto
//
STR2INT mMapIpProtocol[] = {
  { L"TCP",       EFI_IP4_PROTO_TCP },
  { L"UDP",       EFI_IP4_PROTO_UDP },
  { L"ICMP",      EFI_IP4_PROTO_ICMP },
  { NULL,         0 },
};

//
// --action
//
STR2INT mMapIpSecAction[] = {
  { L"Bypass",    EfiIPsecActionBypass },
  { L"Discard",   EfiIPsecActionDiscard },
  { L"Protect",   EfiIPsecActionProtect },
  { NULL,         0 },
};

//
// --mode
//
STR2INT mMapIpSecMode[] = {
  { L"Transport", EfiIPsecTransport },
  { L"Tunnel",    EfiIPsecTunnel },
  { NULL,         0 },
};

//
// --dont-fragment
//
STR2INT mMapDfOption[] = {
  { L"clear",     EfiIPsecTunnelClearDf },
  { L"set",       EfiIPsecTunnelSetDf },
  { L"copy",      EfiIPsecTunnelCopyDf },
  { NULL,         0 },
};

//
// --ipsec-proto
//
STR2INT mMapIpSecProtocol[] = {
  { L"AH",        EfiIPsecAH },
  { L"ESP",       EfiIPsecESP },
  { NULL,         0 },
};

//
// --auth-algo
//
STR2INT mMapAuthAlgo[] = {
  { L"NONE",         IPSEC_AALG_NONE },
  { L"MD5HMAC",      IPSEC_AALG_MD5HMAC },
  { L"SHA1HMAC",     IPSEC_AALG_SHA1HMAC },
  { L"SHA2-256HMAC", IPSEC_AALG_SHA2_256HMAC },
  { L"SHA2-384HMAC", IPSEC_AALG_SHA2_384HMAC },
  { L"SHA2-512HMAC", IPSEC_AALG_SHA2_512HMAC },
  { L"AES-XCBC-MAC", IPSEC_AALG_AES_XCBC_MAC },
  { L"NULL",         IPSEC_AALG_NULL },
  { NULL,            0 },
};

//
// --encrypt-algo
//
STR2INT mMapEncAlgo[] = {
  { L"NONE",         IPSEC_EALG_NONE },
  { L"DESCBC",       IPSEC_EALG_DESCBC },
  { L"3DESCBC",      IPSEC_EALG_3DESCBC },
  { L"CASTCBC",      IPSEC_EALG_CASTCBC },
  { L"BLOWFISHCBC",  IPSEC_EALG_BLOWFISHCBC },
  { L"NULL",         IPSEC_EALG_NULL },
  { L"AESCBC",       IPSEC_EALG_AESCBC },
  { L"AESCTR",       IPSEC_EALG_AESCTR },
  { L"AES-CCM-ICV8", IPSEC_EALG_AES_CCM_ICV8 },
  { L"AES-CCM-ICV12",IPSEC_EALG_AES_CCM_ICV12 },
  { L"AES-CCM-ICV16",IPSEC_EALG_AES_CCM_ICV16 },
  { L"AES-GCM-ICV8", IPSEC_EALG_AES_GCM_ICV8 },
  { L"AES-GCM-ICV12",IPSEC_EALG_AES_GCM_ICV12 },
  { L"AES-GCM-ICV16",IPSEC_EALG_AES_GCM_ICV16 },
  { NULL,            0 },
};

//
// --auth-proto
//
STR2INT mMapAuthProto[] = {
  { L"IKEv1",        EfiIPsecAuthProtocolIKEv1 },
  { L"IKEv2",        EfiIPsecAuthProtocolIKEv2 },
  { NULL,            0 },
};

//
// --auth-method
//
STR2INT mMapAuthMethod[] = {
  { L"PreSharedSecret", EfiIPsecAuthMethodPreSharedSecret },
  { L"Certificates",    EfiIPsecAuthMethodCertificates },
  { NULL,               0 },
};

EFI_IPSEC2_PROTOCOL          *mIpSec;
EFI_IPSEC_CONFIG_PROTOCOL    *mIpSecConfig;
EFI_HII_HANDLE               mHiiHandle;
CHAR16                       mAppName[]          = L"IpSecConfig";

//
// Used for IpSecConfigRetriveCheckListByName only to check the validation of user input
//
VAR_CHECK_ITEM    mIpSecConfigVarCheckList[] = {
  { L"-enable",              BIT(1)|BIT(0),  BIT(1),  BIT(2)|BIT(1)|BIT(0), 0 },
  { L"-disable",             BIT(1)|BIT(0),  BIT(1),  BIT(2)|BIT(1)|BIT(0), 0 },
  { L"-status",              BIT(1)|BIT(0),  BIT(1),  BIT(2)|BIT(1)|BIT(0), 0 },
  { L"-p",                   BIT(1),         0,       BIT(2)|BIT(1)|BIT(0), 0 },

  { L"-a",                   BIT(0),         0,       BIT(2)|BIT(1)|BIT(0), 0 },
  { L"-i",                   BIT(0),         0,       BIT(2)|BIT(1)|BIT(0), 0 },
  { L"-d",                   BIT(0),         0,       BIT(2)|BIT(1)|BIT(0), 0 },
  { L"-e",                   BIT(0),         0,       BIT(2)|BIT(1)|BIT(0), 0 },
  { L"-l",                   BIT(0),         0,       BIT(2)|BIT(1)|BIT(0), 0 },
  { L"-f",                   BIT(0),         0,       BIT(2)|BIT(1)|BIT(0), 0 },

  { L"-?",                   BIT(0),         BIT(0),  BIT(2)|BIT(1)|BIT(0), 0 },

  //
  // SPD Selector
  //
  { L"--local",              0,              0,       BIT(2)|BIT(1),        0 },
  { L"--remote",             0,              0,       BIT(2)|BIT(1),        0 },
  { L"--proto",              0,              0,       BIT(2)|BIT(1),        0 },
  { L"--local-port",         0,              0,       BIT(2)|BIT(1),        BIT(0) },
  { L"--remote-port",        0,              0,       BIT(2)|BIT(1),        BIT(0) },
  { L"--icmp-type",          0,              0,       BIT(2)|BIT(1),        BIT(1) },
  { L"--icmp-code",          0,              0,       BIT(2)|BIT(1),        BIT(1) },

  //
  // SPD Data
  //
  { L"--name",               0,              0,       BIT(2),               0 },
  { L"--packet-flag",        0,              0,       BIT(2),               0 },
  { L"--action",             0,              0,       BIT(2)|BIT(1),        0 },
  { L"--lifebyte",           0,              0,       BIT(2)|BIT(1),        0 },
  { L"--lifetime-soft",      0,              0,       BIT(2)|BIT(1),        0 },
  { L"--lifetime",           0,              0,       BIT(2)|BIT(1),        0 },
  { L"--mode",               0,              0,       BIT(2)|BIT(1),        0 },
  { L"--tunnel-local",       0,              0,       BIT(2),               0 },
  { L"--tunnel-remote",      0,              0,       BIT(2),               0 },
  { L"--dont-fragment",      0,              0,       BIT(2),               0 },
  { L"--ipsec-proto",        0,              0,       BIT(2)|BIT(1),        0 },
  { L"--auth-algo",          0,              0,       BIT(2)|BIT(1),        0 },
  { L"--encrypt-algo",       0,              0,       BIT(2)|BIT(1),        0 },

  { L"--ext-sequence",       0,              0,       BIT(2),               BIT(2) },
  { L"--sequence-overflow",  0,              0,       BIT(2),               BIT(2) },
  { L"--fragment-check",     0,              0,       BIT(2),               BIT(2) },
  { L"--ext-sequence-",      0,              0,       BIT(2),               BIT(3) },
  { L"--sequence-overflow-", 0,              0,       BIT(2),               BIT(3) },
  { L"--fragment-check-",    0,              0,       BIT(2),               BIT(3) },

  //
  // SA ID
  // --ipsec-proto
  //
  { L"--spi",                0,              0,       BIT(1),               0 },
  { L"--tunnel-dest",        0,              0,       BIT(1),               0 },
  { L"--tunnel-source",      0,              0,       BIT(1),               0 },
  { L"--lookup-spi",         0,              0,       BIT(1),               0 },
  { L"--lookup-ipsec-proto", 0,              0,       BIT(1),               0 },
  { L"--lookup-dest",        0,              0,       BIT(1),               0 },

  //
  // SA DATA
  // --mode
  // --auth-algo
  // --encrypt-algo
  //
  { L"--sequence-number",    0,              0,       BIT(1),               0 },
  { L"--antireplay-window",  0,              0,       BIT(1),               0 },
  { L"--auth-key",           0,              0,       BIT(1),               0 },
  { L"--encrypt-key",        0,              0,       BIT(1),               0 },
  { L"--path-mtu",           0,              0,       BIT(1),               0 },

  //
  // The example to add a PAD:
  // "-A --peer-id Mike [--peer-address 10.23.2.2] --auth-proto IKE1/IKE2
  //     --auth-method PreSharedSeceret/Certificate --ike-id
  //     --auth-data 343343 --revocation-data 2342432"
  // The example to delete a PAD:
  // "-D * --lookup-peer-id Mike [--lookup-peer-address 10.23.2.2]"
  // "-D 1"
  // The example to edit a PAD:
  // "-E * --lookup-peer-id Mike --auth-method Certificate"

  //
  // PAD ID
  //
  { L"--peer-id",            0,              0,       BIT(0),               BIT(4) },
  { L"--peer-address",       0,              0,       BIT(0),               BIT(5) },
  { L"--auth-proto",         0,              0,       BIT(0),               0 },
  { L"--auth-method",        0,              0,       BIT(0),               0 },
  { L"--IKE-ID",             0,              0,       BIT(0),               BIT(6) },
  { L"--IKE-ID-",            0,              0,       BIT(0),               BIT(7) },
  { L"--auth-data",          0,              0,       BIT(0),               0 },
  { L"--revocation-data",    0,              0,       BIT(0),               0 },
  { L"--lookup-peer-id",     0,              0,       BIT(0),               BIT(4) },
  { L"--lookup-peer-address",0,              0,       BIT(0),               BIT(5) },

  { NULL,                    0,              0,       0,                    0 },
};

/**
  The function to allocate the proper sized buffer for various
  EFI interfaces.

  @param[in, out] Status        Current status.
  @param[in, out] Buffer        Current allocated buffer, or NULL.
  @param[in]      BufferSize    Current buffer size needed

  @retval TRUE     If the buffer was reallocated and the caller should try the API again.
  @retval FALSE    If the buffer was not reallocated successfully.
**/
BOOLEAN
GrowBuffer (
  IN OUT EFI_STATUS    *Status,
  IN OUT VOID          **Buffer,
  IN     UINTN         BufferSize
  )
{
  BOOLEAN    TryAgain;

  ASSERT (Status != NULL);
  ASSERT (Buffer != NULL);

  //
  // If this is an initial request, buffer will be null with a new buffer size.
  //
  if ((NULL == *Buffer) && (BufferSize != 0)) {
    *Status = EFI_BUFFER_TOO_SMALL;
  }

  //
  // If the status code is "buffer too small", resize the buffer.
  //
  TryAgain = FALSE;
  if (*Status == EFI_BUFFER_TOO_SMALL) {

    if (*Buffer != NULL) {
      FreePool (*Buffer);
    }

    *Buffer = AllocateZeroPool (BufferSize);

    if (*Buffer != NULL) {
      TryAgain = TRUE;
    } else {
      *Status = EFI_OUT_OF_RESOURCES;
    }
  }

  //
  // If there's an error, free the buffer.
  //
  if (!TryAgain && EFI_ERROR (*Status) && (*Buffer != NULL)) {
    FreePool (*Buffer);
    *Buffer = NULL;
  }

  return TryAgain;
}

/**
  Function returns an array of handles that support the requested protocol
  in a buffer allocated from a pool.

  @param[in]      SearchType    Specifies which handle(s) are to be returned.
  @param[in]      Protocol      Provides the protocol to search by.
                                This parameter is only valid for SearchType ByProtocol.

  @param[in]      SearchKey     Supplies the search key depending on the SearchType.
  @param[in, out] NoHandles     The number of handles returned in Buffer.
  @param[out]     Buffer        A pointer to the buffer to return the requested array of
                                handles that support Protocol.

  @retval EFI_SUCCESS    The resulting array of handles was returned.
  @retval Others         Other mistake case.
**/
EFI_STATUS
LocateHandle (
  IN     EFI_LOCATE_SEARCH_TYPE    SearchType,
  IN     EFI_GUID                  *Protocol  OPTIONAL,
  IN     VOID                      *SearchKey OPTIONAL,
  IN OUT UINTN                     *NoHandles,
     OUT EFI_HANDLE                **Buffer
  )
{
  EFI_STATUS    Status;
  UINTN         BufferSize;

  ASSERT (NoHandles != NULL);
  ASSERT (Buffer != NULL);

  //
  // Initialize for GrowBuffer loop.
  //
  Status      = EFI_SUCCESS;
  *Buffer     = NULL;
  BufferSize  = 50 * sizeof (EFI_HANDLE);

  //
  // Call the real function.
  //
  while (GrowBuffer (&Status, (VOID **) Buffer, BufferSize)) {
    Status = gBS->LocateHandle (
                    SearchType,
                    Protocol,
                    SearchKey,
                    &BufferSize,
                    *Buffer
                    );
  }

  *NoHandles = BufferSize / sizeof (EFI_HANDLE);
  if (EFI_ERROR (Status)) {
    *NoHandles = 0;
  }

  return Status;
}

/**
  Find the first instance of this protocol in the system and return its interface.

  @param[in]  ProtocolGuid    The guid of the protocol.
  @param[out] Interface       The pointer to the first instance of the protocol.

  @retval EFI_SUCCESS    A protocol instance matching ProtocolGuid was found.
  @retval Others         A protocol instance matching ProtocolGuid was not found.
**/
EFI_STATUS
LocateProtocol (
  IN  EFI_GUID    *ProtocolGuid,
  OUT VOID        **Interface
  )

{
  EFI_STATUS    Status;
  UINTN         NumberHandles;
  UINTN         Index;
  EFI_HANDLE    *Handles;

  *Interface    = NULL;
  Handles       = NULL;
  NumberHandles = 0;

  Status        = LocateHandle (ByProtocol, ProtocolGuid, NULL, &NumberHandles, &Handles);
  if (EFI_ERROR (Status)) {
    DEBUG ((EFI_D_INFO, "LibLocateProtocol: Handle not found\n"));
    return Status;
  }

  for (Index = 0; Index < NumberHandles; Index++) {
    ASSERT (Handles != NULL);
    Status = gBS->HandleProtocol (
                    Handles[Index],
                    ProtocolGuid,
                    Interface
                    );

    if (!EFI_ERROR (Status)) {
      break;
    }
  }

  if (Handles != NULL) {
    FreePool (Handles);
  }

  return Status;
}

/**
  Helper function called to check the conflicted flags.

  @param[in] CheckList       The pointer to the VAR_CHECK_ITEM table.
  @param[in] ParamPackage    The pointer to the ParamPackage list.

  @retval EFI_SUCCESS              No conflicted flags.
  @retval EFI_INVALID_PARAMETER    The input parameter is erroroneous or there are some conflicted flags.
**/
EFI_STATUS
IpSecConfigRetriveCheckListByName (
  IN VAR_CHECK_ITEM    *CheckList,
  IN LIST_ENTRY        *ParamPackage
)
{

  LIST_ENTRY        *Node;
  VAR_CHECK_ITEM    *Item;
  UINT32            Attribute1;
  UINT32            Attribute2;
  UINT32            Attribute3;
  UINT32            Attribute4;
  UINT32            Index;

  Attribute1 = 0;
  Attribute2 = 0;
  Attribute3 = 0;
  Attribute4 = 0;
  Index      = 0;
  Item       = mIpSecConfigVarCheckList;

  if ((ParamPackage == NULL) || (CheckList == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  //
  // Enumerate through the list of parameters that are input by user.
  //
  for (Node = GetFirstNode (ParamPackage); !IsNull (ParamPackage, Node); Node = GetNextNode (ParamPackage, Node)) {
    if (((SHELL_PARAM_PACKAGE *) Node)->Name != NULL) {
      //
      // Enumerate the check list that defines the conflicted attributes of each flag.
      //
      for (; Item->VarName != NULL; Item++) {
        if (StrCmp (((SHELL_PARAM_PACKAGE *) Node)->Name, Item->VarName) == 0) {
          Index++;
          if (Index == 1) {
            Attribute1 = Item->Attribute1;
            Attribute2 = Item->Attribute2;
            Attribute3 = Item->Attribute3;
            Attribute4 = Item->Attribute4;
          } else {
            Attribute1 &= Item->Attribute1;
            Attribute2 |= Item->Attribute2;
            Attribute3 &= Item->Attribute3;
            Attribute4 |= Item->Attribute4;
            if (Attribute1 != 0) {
              return EFI_INVALID_PARAMETER;
            }

            if (Attribute2 != 0) {
              if ((Index == 2) && (StrCmp (Item->VarName, L"-p") == 0)) {
                continue;
              }

              return EFI_INVALID_PARAMETER;
            }

            if (Attribute3 == 0) {
              return EFI_INVALID_PARAMETER;
            }
            if (((Attribute4 & 0xFF) == 0x03) || ((Attribute4 & 0xFF) == 0x0C) ||
                ((Attribute4 & 0xFF) == 0x30) || ((Attribute4 & 0xFF) == 0xC0)) {
              return EFI_INVALID_PARAMETER;
            }
          }
          break;
        }
      }

      Item = mIpSecConfigVarCheckList;
    }
  }

  return EFI_SUCCESS;
}

/**
  This is the declaration of an EFI image entry point. This entry point is
  the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including
  both device drivers and bus drivers.

  The entry point for IpSecConfig application that parse the command line input and call an IpSecConfig process.

  @param[in] ImageHandle    The image handle of this application.
  @param[in] SystemTable    The pointer to the EFI System Table.

  @retval EFI_SUCCESS    The operation completed successfully.

**/
EFI_STATUS
EFIAPI
InitializeIpSecConfig (
  IN EFI_HANDLE          ImageHandle,
  IN EFI_SYSTEM_TABLE    *SystemTable
  )
{
  EFI_STATUS                    Status;
  EFI_IPSEC_CONFIG_DATA_TYPE    DataType;
  UINT8                         Value;
  LIST_ENTRY                    *ParamPackage;
  CONST CHAR16                  *ValueStr;
  CHAR16                        *ProblemParam;
  UINTN                         NonOptionCount;
  EFI_HII_PACKAGE_LIST_HEADER   *PackageList;

  //
  // Retrieve HII package list from ImageHandle
  //
  Status = gBS->OpenProtocol (
                  ImageHandle,
                  &gEfiHiiPackageListProtocolGuid,
                  (VOID **) &PackageList,
                  ImageHandle,
                  NULL,
                  EFI_OPEN_PROTOCOL_GET_PROTOCOL
                  );
  if (EFI_ERROR (Status)) {
    return Status;
  }

  //
  // Publish HII package list to HII Database.
  //
  Status = gHiiDatabase->NewPackageList (
                          gHiiDatabase,
                          PackageList,
                          NULL,
                          &mHiiHandle
                          );
  if (EFI_ERROR (Status)) {
    return Status;
  }

  ASSERT (mHiiHandle != NULL);

  Status = ShellCommandLineParseEx (mIpSecConfigParamList, &ParamPackage, &ProblemParam, TRUE, FALSE);
  if (EFI_ERROR (Status)) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_UNKNOWN_OPERATION), mHiiHandle, ProblemParam);
    goto Done;
  }

  Status = IpSecConfigRetriveCheckListByName (mIpSecConfigVarCheckList, ParamPackage);
  if (EFI_ERROR (Status)) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_MISTAKEN_OPTIONS), mHiiHandle);
    goto Done;
  }

  Status = LocateProtocol (&gEfiIpSecConfigProtocolGuid, (VOID **) &mIpSecConfig);
  if (EFI_ERROR (Status) || mIpSecConfig == NULL) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_PROTOCOL_INEXISTENT), mHiiHandle, mAppName);
    goto Done;
  }

  Status = LocateProtocol (&gEfiIpSec2ProtocolGuid, (VOID **) &mIpSec);
  if (EFI_ERROR (Status) || mIpSec == NULL) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_PROTOCOL_INEXISTENT), mHiiHandle, mAppName);
    goto Done;
  }

  //
  // Enable IPsec.
  //
  if (ShellCommandLineGetFlag (ParamPackage, L"-enable")) {
    if (!(mIpSec->DisabledFlag)) {
      ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_ENABLE), mHiiHandle, mAppName);
    } else {
      //
      // Set enable flag.
      //
      Value  = IPSEC_STATUS_ENABLED;
      Status = gRT->SetVariable (
                      IPSECCONFIG_STATUS_NAME,
                      &gEfiIpSecConfigProtocolGuid,
                      EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
                      sizeof (Value),
                      &Value
                      );
      if (!EFI_ERROR (Status)) {
        mIpSec->DisabledFlag = FALSE;
        ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ENABLE_SUCCESS), mHiiHandle, mAppName);
      } else {
        ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ENABLE_FAILED), mHiiHandle, mAppName);
      }
    }

    goto Done;
  }

  //
  // Disable IPsec.
  //
  if (ShellCommandLineGetFlag (ParamPackage, L"-disable")) {
    if (mIpSec->DisabledFlag) {
      ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_DISABLE), mHiiHandle, mAppName);
    } else {
      //
      // Set disable flag; however, leave it to be disabled in the callback function of DisabledEvent.
      //
      gBS->SignalEvent (mIpSec->DisabledEvent);
      if (mIpSec->DisabledFlag) {
        ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DISABLE_SUCCESS), mHiiHandle, mAppName);
      } else {
        ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DISABLE_FAILED), mHiiHandle, mAppName);
      }
    }

    goto Done;
  }

  //
  //IPsec Status.
  //
  if (ShellCommandLineGetFlag (ParamPackage, L"-status")) {
    if (mIpSec->DisabledFlag) {
      ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_STATUS_DISABLE), mHiiHandle, mAppName);
    } else {
      ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_STATUS_ENABLE), mHiiHandle, mAppName);
    }
    goto Done;
  }

  //
  // Try to get policy database type.
  //
  DataType = (EFI_IPSEC_CONFIG_DATA_TYPE) - 1;
  ValueStr = ShellCommandLineGetValue (ParamPackage, L"-p");
  if (ValueStr != NULL) {
    DataType = (EFI_IPSEC_CONFIG_DATA_TYPE) MapStringToInteger (ValueStr, mMapPolicy);
    if (DataType == -1) {
      ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_DB), mHiiHandle, mAppName, ValueStr);
      goto Done;
    }
  }

  NonOptionCount = ShellCommandLineGetCount (ParamPackage);
  if ((NonOptionCount - 1) > 0) {
    ValueStr = ShellCommandLineGetRawValue (ParamPackage, (UINT32) (NonOptionCount - 1));
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_REDUNDANCY_MANY), mHiiHandle, mAppName, ValueStr);
    goto Done;
  }

  if (DataType == -1) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_DB), mHiiHandle, mAppName);
    goto Done;
  }

  if (ShellCommandLineGetFlag (ParamPackage, L"-a")) {
    Status = AddOrInsertPolicyEntry (DataType, ParamPackage);
    if (EFI_ERROR (Status)) {
      goto Done;
    }
  } else if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {
    Status = AddOrInsertPolicyEntry (DataType, ParamPackage);
    if (EFI_ERROR (Status)) {
      goto Done;
    }
  } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {
    Status = EditPolicyEntry (DataType, ParamPackage);
    if (EFI_ERROR (Status)) {
      goto Done;
    }
  } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {
    Status = FlushOrDeletePolicyEntry (DataType, ParamPackage);
    if (EFI_ERROR (Status)) {
      goto Done;
    }
  } else if (ShellCommandLineGetFlag (ParamPackage, L"-f")) {
    Status = FlushOrDeletePolicyEntry (DataType, ParamPackage);
    if (EFI_ERROR (Status)) {
      goto Done;
    }
  } else if (ShellCommandLineGetFlag (ParamPackage, L"-l")) {
    Status = ListPolicyEntry (DataType, ParamPackage);
    if (EFI_ERROR (Status)) {
      goto Done;
    }
  } else {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_UNKNOWN_OPERATION), mHiiHandle, mAppName);
    goto Done;
  }

Done:
  ShellCommandLineFreeVarList (ParamPackage);
  HiiRemovePackages (mHiiHandle);

  return EFI_SUCCESS;
}