tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SecurityPkg/TPM: measure UEFI images without associated device paths again 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2652

DxeTpm2MeasureBootHandler() and DxeTpmMeasureBootHandler() functions may
receive a FileBuffer argument that is not associated with any particular
device path (e.g., because the UEFI image has not been loaded from any
particular device path).
Therefore rejecting (File==NULL) at the top of the function is invalid.

Fixes: 4b026f0d5a

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>

Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
This commit is contained in:
Guomin Jiang 2020-04-15 11:33:08 +08:00 committed by mergify[bot]
parent b447a20bdf
commit 1755932f89
2 changed files with 20 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
View File

@ -384,8 +384,6 @@ Finish:
and other exception operations. The File parameter allows for possible logging and other exception operations. The File parameter allows for possible logging
within the SAP of the driver. within the SAP of the driver.
If File is NULL, then EFI_ACCESS_DENIED is returned.
If the file specified by File with an authentication status specified by If the file specified by File with an authentication status specified by
AuthenticationStatus is safe for the DXE Core to use, then EFI_SUCCESS is returned. AuthenticationStatus is safe for the DXE Core to use, then EFI_SUCCESS is returned.
@ -398,6 +396,8 @@ Finish:
might be possible to use it at a future time, then EFI_SECURITY_VIOLATION is might be possible to use it at a future time, then EFI_SECURITY_VIOLATION is
returned. returned.
If check image specified by FileBuffer and File is NULL meanwhile, return EFI_ACCESS_DENIED.
@param[in] AuthenticationStatus This is the authentication status returned @param[in] AuthenticationStatus This is the authentication status returned
from the securitymeasurement services for the from the securitymeasurement services for the
input file. input file.
@ -416,7 +416,7 @@ EFI_STATUS
EFIAPI EFIAPI
DxeTpm2MeasureBootHandler ( DxeTpm2MeasureBootHandler (
IN UINT32 AuthenticationStatus, IN UINT32 AuthenticationStatus,
IN CONST EFI_DEVICE_PATH_PROTOCOL *File, IN CONST EFI_DEVICE_PATH_PROTOCOL *File, OPTIONAL
IN VOID *FileBuffer, IN VOID *FileBuffer,
IN UINTN FileSize, IN UINTN FileSize,
IN BOOLEAN BootPolicy IN BOOLEAN BootPolicy
@ -435,13 +435,6 @@ DxeTpm2MeasureBootHandler (
EFI_PHYSICAL_ADDRESS FvAddress; EFI_PHYSICAL_ADDRESS FvAddress;
UINT32 Index; UINT32 Index;
//
// Check for invalid parameters.
//
if (File == NULL) {
return EFI_ACCESS_DENIED;
}
Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
// //
@ -615,6 +608,13 @@ DxeTpm2MeasureBootHandler (
// //
Status = PeCoffLoaderGetImageInfo (&ImageContext); Status = PeCoffLoaderGetImageInfo (&ImageContext);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
//
// Check for invalid parameters.
//
if (File == NULL) {
Status = EFI_ACCESS_DENIED;
}
// //
// The information can't be got from the invalid PeImage // The information can't be got from the invalid PeImage
// //

20
SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
View File

@ -678,8 +678,6 @@ Finish:
and other exception operations. The File parameter allows for possible logging and other exception operations. The File parameter allows for possible logging
within the SAP of the driver. within the SAP of the driver.
If File is NULL, then EFI_ACCESS_DENIED is returned.
If the file specified by File with an authentication status specified by If the file specified by File with an authentication status specified by
AuthenticationStatus is safe for the DXE Core to use, then EFI_SUCCESS is returned. AuthenticationStatus is safe for the DXE Core to use, then EFI_SUCCESS is returned.
@ -692,6 +690,8 @@ Finish:
might be possible to use it at a future time, then EFI_SECURITY_VIOLATION is might be possible to use it at a future time, then EFI_SECURITY_VIOLATION is
returned. returned.
If check image specified by FileBuffer and File is NULL meanwhile, return EFI_ACCESS_DENIED.
@param[in] AuthenticationStatus This is the authentication status returned @param[in] AuthenticationStatus This is the authentication status returned
from the securitymeasurement services for the from the securitymeasurement services for the
input file. input file.
@ -710,7 +710,7 @@ EFI_STATUS
EFIAPI EFIAPI
DxeTpmMeasureBootHandler ( DxeTpmMeasureBootHandler (
IN UINT32 AuthenticationStatus, IN UINT32 AuthenticationStatus,
IN CONST EFI_DEVICE_PATH_PROTOCOL *File, IN CONST EFI_DEVICE_PATH_PROTOCOL *File, OPTIONAL
IN VOID *FileBuffer, IN VOID *FileBuffer,
IN UINTN FileSize, IN UINTN FileSize,
IN BOOLEAN BootPolicy IN BOOLEAN BootPolicy
@ -732,13 +732,6 @@ DxeTpmMeasureBootHandler (
EFI_PHYSICAL_ADDRESS FvAddress; EFI_PHYSICAL_ADDRESS FvAddress;
UINT32 Index; UINT32 Index;
//
// Check for invalid parameters.
//
if (File == NULL) {
return EFI_ACCESS_DENIED;
}
Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol); Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
// //
@ -912,6 +905,13 @@ DxeTpmMeasureBootHandler (
// //
Status = PeCoffLoaderGetImageInfo (&ImageContext); Status = PeCoffLoaderGetImageInfo (&ImageContext);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
//
// Check for invalid parameters.
//
if (File == NULL) {
return EFI_ACCESS_DENIED;
}
// //
// The information can't be got from the invalid PeImage // The information can't be got from the invalid PeImage
// //