mirror of https://github.com/acidanthera/audk.git
Verify the provided PKpub is signed with its private key when enrolling a new PK variable in setup mode.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Dong Guo <guo.dong@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13531 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
parent
2445a70e62
commit
785d84ead0
|
@ -918,36 +918,13 @@ ProcessVarWithPk (
|
|||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {
|
||||
//
|
||||
// Verify against X509 Cert PK.
|
||||
//
|
||||
Del = FALSE;
|
||||
Status = VerifyTimeBasedPayload (
|
||||
VariableName,
|
||||
VendorGuid,
|
||||
Data,
|
||||
DataSize,
|
||||
Variable,
|
||||
Attributes,
|
||||
AuthVarTypePk,
|
||||
&Del
|
||||
);
|
||||
if (!EFI_ERROR (Status)) {
|
||||
//
|
||||
// If delete PK in user mode, need change to setup mode.
|
||||
//
|
||||
if (Del && IsPk) {
|
||||
Status = UpdatePlatformMode (SETUP_MODE);
|
||||
}
|
||||
}
|
||||
return Status;
|
||||
} else {
|
||||
//
|
||||
// Process PK or KEK in Setup mode or Custom Secure Boot mode.
|
||||
//
|
||||
Del = FALSE;
|
||||
if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE && !IsPk)) {
|
||||
Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
|
||||
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
|
||||
if (PayloadSize == 0) {
|
||||
Del = TRUE;
|
||||
}
|
||||
|
||||
Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload, PayloadSize);
|
||||
if (EFI_ERROR (Status)) {
|
||||
|
@ -965,19 +942,47 @@ ProcessVarWithPk (
|
|||
Variable,
|
||||
&((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
|
||||
);
|
||||
} else if (mPlatformMode == USER_MODE) {
|
||||
//
|
||||
// Verify against X509 Cert in PK database.
|
||||
//
|
||||
Status = VerifyTimeBasedPayload (
|
||||
VariableName,
|
||||
VendorGuid,
|
||||
Data,
|
||||
DataSize,
|
||||
Variable,
|
||||
Attributes,
|
||||
AuthVarTypePk,
|
||||
&Del
|
||||
);
|
||||
} else {
|
||||
//
|
||||
// Verify against the certificate in data payload.
|
||||
//
|
||||
Status = VerifyTimeBasedPayload (
|
||||
VariableName,
|
||||
VendorGuid,
|
||||
Data,
|
||||
DataSize,
|
||||
Variable,
|
||||
Attributes,
|
||||
AuthVarTypePayload,
|
||||
&Del
|
||||
);
|
||||
}
|
||||
|
||||
if (IsPk) {
|
||||
if (PayloadSize != 0) {
|
||||
//
|
||||
// If enroll PK in setup mode, need change to user mode.
|
||||
//
|
||||
Status = UpdatePlatformMode (USER_MODE);
|
||||
} else {
|
||||
//
|
||||
// If delete PK in custom mode, need change to setup mode.
|
||||
//
|
||||
UpdatePlatformMode (SETUP_MODE);
|
||||
}
|
||||
if (!EFI_ERROR(Status) && IsPk) {
|
||||
if (mPlatformMode == SETUP_MODE && !Del) {
|
||||
//
|
||||
// If enroll PK in setup mode, need change to user mode.
|
||||
//
|
||||
Status = UpdatePlatformMode (USER_MODE);
|
||||
} else if (mPlatformMode == USER_MODE && Del){
|
||||
//
|
||||
// If delete PK in user mode, need change to setup mode.
|
||||
//
|
||||
Status = UpdatePlatformMode (SETUP_MODE);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1859,7 +1864,7 @@ InsertCertsToDb (
|
|||
data, this value contains the required size.
|
||||
@param[in] Variable The variable information which is used to keep track of variable usage.
|
||||
@param[in] Attributes Attribute value of the variable.
|
||||
@param[in] AuthVarType Verify against PK or KEK database or private database.
|
||||
@param[in] AuthVarType Verify against PK, KEK database, private database or certificate in data payload.
|
||||
@param[out] VarDel Delete the variable or not.
|
||||
|
||||
@retval EFI_INVALID_PARAMETER Invalid parameter.
|
||||
|
@ -2152,6 +2157,22 @@ VerifyTimeBasedPayload (
|
|||
goto Exit;
|
||||
}
|
||||
}
|
||||
} else if (AuthVarType == AuthVarTypePayload) {
|
||||
CertList = (EFI_SIGNATURE_LIST *) PayloadPtr;
|
||||
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
|
||||
RootCert = Cert->SignatureData;
|
||||
RootCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);
|
||||
|
||||
// Verify Pkcs7 SignedData via Pkcs7Verify library.
|
||||
//
|
||||
VerifyStatus = Pkcs7Verify (
|
||||
SigData,
|
||||
SigDataSize,
|
||||
RootCert,
|
||||
RootCertSize,
|
||||
NewData,
|
||||
NewDataSize
|
||||
);
|
||||
} else {
|
||||
return EFI_SECURITY_VIOLATION;
|
||||
}
|
||||
|
|
|
@ -59,7 +59,8 @@ typedef struct {
|
|||
typedef enum {
|
||||
AuthVarTypePk,
|
||||
AuthVarTypeKek,
|
||||
AuthVarTypePriv
|
||||
AuthVarTypePriv,
|
||||
AuthVarTypePayload
|
||||
} AUTHVAR_TYPE;
|
||||
|
||||
#pragma pack(1)
|
||||
|
|
Loading…
Reference in New Issue