tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SecurityPkg: SecureBootVariableLib: Updated signature list creator 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910

This change removes the interface of SecureBootFetchData, and replaced
it with `SecureBootCreateDataFromInput`, which will require caller to
prepare available certificates in defined structures.

This improvement will eliminate the dependency of reading from FV,
extending the availability of this library instance.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>

Signed-off-by: Kun Qin <kun.qin@microsoft.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Michael Kubacki <michael.kubacki@microsoft.com>
This commit is contained in:
kuqin 2022-04-15 13:38:11 -07:00 committed by mergify[bot]
parent 56c717aafa
commit 6de7c084db
3 changed files with 53 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
SecurityPkg/Include/Library/SecureBootVariableLib.h
View File

@ -44,24 +44,29 @@ GetSetupMode (
); );
/** /**
Create a EFI Signature List with data fetched from section specified as a argument. Create a EFI Signature List with data supplied from input argument.
Found keys are verified using RsaGetPublicKeyFromX509(). The input certificates from KeyInfo parameter should be DER-encoded
format.
@param[in] KeyFileGuid A pointer to to the FFS filename GUID
@param[out] SigListsSize A pointer to size of signature list @param[out] SigListsSize A pointer to size of signature list
@param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists
@param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo.
@param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded,
to be concatenated into signature lists.
@retval EFI_SUCCESS Create time based payload successfully. @retval EFI_SUCCESS Created signature list from payload successfully.
@retval EFI_NOT_FOUND Section with key has not been found. @retval EFI_NOT_FOUND Section with key has not been found.
@retval EFI_INVALID_PARAMETER Embedded key has a wrong format. @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL.
@retval Others Unexpected error happens. @retval Others Unexpected error happens.
--*/ --*/
EFI_STATUS EFI_STATUS
SecureBootFetchData ( EFIAPI
IN EFI_GUID *KeyFileGuid, SecureBootCreateDataFromInput (
OUT UINTN *SigListsSize, OUT UINTN *SigListsSize,
OUT EFI_SIGNATURE_LIST **SigListOut OUT EFI_SIGNATURE_LIST **SigListOut,
IN UINTN KeyInfoCount,
IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo
); );
/** /**

69
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
View File

@ -10,10 +10,10 @@
SPDX-License-Identifier: BSD-2-Clause-Patent SPDX-License-Identifier: BSD-2-Clause-Patent
**/ **/
#include <Uefi.h> #include <Uefi.h>
#include <UefiSecureBoot.h>
#include <Guid/GlobalVariable.h> #include <Guid/GlobalVariable.h>
#include <Guid/AuthenticatedVariableFormat.h> #include <Guid/AuthenticatedVariableFormat.h>
#include <Guid/ImageAuthentication.h> #include <Guid/ImageAuthentication.h>
#include <Library/BaseCryptLib.h>
#include <Library/BaseLib.h> #include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h> #include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h> #include <Library/DebugLib.h>
@ -21,7 +21,6 @@
#include <Library/MemoryAllocationLib.h> #include <Library/MemoryAllocationLib.h>
#include <Library/UefiRuntimeServicesTableLib.h> #include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/SecureBootVariableLib.h> #include <Library/SecureBootVariableLib.h>
#include "Library/DxeServicesLib.h"
// This time can be used when deleting variables, as it should be greater than any variable time. // This time can be used when deleting variables, as it should be greater than any variable time.
EFI_TIME mMaxTimestamp = { EFI_TIME mMaxTimestamp = {
@ -130,24 +129,29 @@ ConcatenateSigList (
} }
/** /**
Create a EFI Signature List with data fetched from section specified as a argument. Create a EFI Signature List with data supplied from input argument.
Found keys are verified using RsaGetPublicKeyFromX509(). The input certificates from KeyInfo parameter should be DER-encoded
format.
@param[in] KeyFileGuid A pointer to to the FFS filename GUID
@param[out] SigListsSize A pointer to size of signature list @param[out] SigListsSize A pointer to size of signature list
@param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists
@param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo.
@param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded,
to be concatenated into signature lists.
@retval EFI_SUCCESS Create time based payload successfully. @retval EFI_SUCCESS Created signature list from payload successfully.
@retval EFI_NOT_FOUND Section with key has not been found. @retval EFI_NOT_FOUND Section with key has not been found.
@retval EFI_INVALID_PARAMETER Embedded key has a wrong format. @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL.
@retval Others Unexpected error happens. @retval Others Unexpected error happens.
**/ **/
EFI_STATUS EFI_STATUS
SecureBootFetchData ( EFIAPI
IN EFI_GUID *KeyFileGuid, SecureBootCreateDataFromInput (
OUT UINTN *SigListsSize, OUT UINTN *SigListsSize,
OUT EFI_SIGNATURE_LIST **SigListOut OUT EFI_SIGNATURE_LIST **SigListOut,
IN UINTN KeyInfoCount,
IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo
) )
{ {
EFI_SIGNATURE_LIST *EfiSig; EFI_SIGNATURE_LIST *EfiSig;
@ -155,36 +159,41 @@ SecureBootFetchData (
EFI_SIGNATURE_LIST *TmpEfiSig2; EFI_SIGNATURE_LIST *TmpEfiSig2;
EFI_STATUS Status; EFI_STATUS Status;
VOID *Buffer; VOID *Buffer;
VOID *RsaPubKey;
UINTN Size; UINTN Size;
UINTN InputIndex;
UINTN KeyIndex; UINTN KeyIndex;
if ((SigListOut == NULL) || (SigListsSize == NULL)) {
return EFI_INVALID_PARAMETER;
}
if ((KeyInfoCount == 0) || (KeyInfo == NULL)) {
return EFI_INVALID_PARAMETER;
}
InputIndex = 0;
KeyIndex = 0; KeyIndex = 0;
EfiSig = NULL; EfiSig = NULL;
*SigListsSize = 0; *SigListsSize = 0;
while (1) { while (InputIndex < KeyInfoCount) {
Status = GetSectionFromAnyFv ( if (KeyInfo[InputIndex].Data != NULL) {
KeyFileGuid, Size = KeyInfo[InputIndex].DataSize;
EFI_SECTION_RAW, Buffer = AllocateCopyPool (Size, KeyInfo[InputIndex].Data);
KeyIndex, if (Buffer == NULL) {
&Buffer,
&Size
);
if (Status == EFI_SUCCESS) {
RsaPubKey = NULL;
if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
if (EfiSig != NULL) { if (EfiSig != NULL) {
FreePool (EfiSig); FreePool (EfiSig);
} }
FreePool (Buffer); return EFI_OUT_OF_RESOURCES;
return EFI_INVALID_PARAMETER;
} }
Status = CreateSigList (Buffer, Size, &TmpEfiSig); Status = CreateSigList (Buffer, Size, &TmpEfiSig);
if (EFI_ERROR (Status)) {
FreePool (Buffer);
break;
}
// //
// Concatenate lists if more than one section found // Concatenate lists if more than one section found
// //
@ -202,9 +211,7 @@ SecureBootFetchData (
FreePool (Buffer); FreePool (Buffer);
} }
if (Status == EFI_NOT_FOUND) { InputIndex++;
break;
}
} }
if (KeyIndex == 0) { if (KeyIndex == 0) {

3
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
View File

@ -32,15 +32,12 @@
MdePkg/MdePkg.dec MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec SecurityPkg/SecurityPkg.dec
CryptoPkg/CryptoPkg.dec
[LibraryClasses] [LibraryClasses]
BaseLib BaseLib
BaseMemoryLib BaseMemoryLib
DebugLib DebugLib
MemoryAllocationLib MemoryAllocationLib
BaseCryptLib
DxeServicesLib
[Guids] [Guids]
## CONSUMES ## Variable:L"SetupMode" ## CONSUMES ## Variable:L"SetupMode"