tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable. 

V3: code clean up

prohibit Image SHA-1 hash option in SecureBootConfigDxe.
Timebased Auth Variable driver should ensure AuthAlgorithm
is SHA256 before further verification

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo <lubo.zhang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
This commit is contained in:
Zhang Lubo 2017-01-05 14:58:05 +08:00 committed by Jiaxin Wu
parent 80e63e846a
commit c035e37335
4 changed files with 35 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
SecurityPkg/Library/AuthVariableLib/AuthService.c
View File

@ -18,7 +18,7 @@
They will do basic validation for authentication data structure, then call crypto library They will do basic validation for authentication data structure, then call crypto library
to verify the signature. to verify the signature.
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR> Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -36,6 +36,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
// //
CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 }; CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
// //
// Requirement for different signature type which have been defined in UEFI spec. // Requirement for different signature type which have been defined in UEFI spec.
// These data are used to perform SignatureList format check while setting PK/KEK variable. // These data are used to perform SignatureList format check while setting PK/KEK variable.
@ -2244,6 +2246,29 @@ VerifyTimeBasedPayload (
SigData = CertData->AuthInfo.CertData; SigData = CertData->AuthInfo.CertData;
SigDataSize = CertData->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)); SigDataSize = CertData->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
//
// SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the
// signature. Only a digest algorithm of SHA-256 is accepted.
//
// According to PKCS#7 Definition:
// SignedData ::= SEQUENCE {
// version Version,
// digestAlgorithms DigestAlgorithmIdentifiers,
// contentInfo ContentInfo,
// .... }
// The DigestAlgorithmIdentifiers can be used to determine the hash algorithm
// in VARIABLE_AUTHENTICATION_2 descriptor.
// This field has the fixed offset (+13) and be calculated based on two bytes of length encoding.
//
if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
if (SigDataSize >= (13 + sizeof (mSha256OidValue))) {
if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) ||
(CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) {
return EFI_SECURITY_VIOLATION;
}
}
}
// //
// Find out the new data payload which follows Pkcs7 SignedData directly. // Find out the new data payload which follows Pkcs7 SignedData directly.
// //

4
SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
View File

@ -12,7 +12,7 @@
may not be modified without authorization. If platform fails to protect these resources, may not be modified without authorization. If platform fails to protect these resources,
the authentication service provided in this driver will be broken, and the behavior is undefined. the authentication service provided in this driver will be broken, and the behavior is undefined.
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR> Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -37,6 +37,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Guid/AuthenticatedVariableFormat.h> #include <Guid/AuthenticatedVariableFormat.h>
#include <Guid/ImageAuthentication.h> #include <Guid/ImageAuthentication.h>
#define TWO_BYTE_ENCODE 0x82
/// ///
/// Struct to record signature requirement defined by UEFI spec. /// Struct to record signature requirement defined by UEFI spec.
/// For SigHeaderSize and SigDataSize, ((UINT32) ~0) means NO exact length requirement for this field. /// For SigHeaderSize and SigDataSize, ((UINT32) ~0) means NO exact length requirement for this field.

14
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
View File

@ -1,7 +1,7 @@
/** @file /** @file
HII Config Access protocol implementation of SecureBoot configuration module. HII Config Access protocol implementation of SecureBoot configuration module.
Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR> Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -63,7 +63,6 @@ UINT8 mHashOidValue[] = {
}; };
HASH_TABLE mHash[] = { HASH_TABLE mHash[] = {
{ L"SHA1", 20, &mHashOidValue[8], 5, Sha1GetContextSize, Sha1Init, Sha1Update, Sha1Final },
{ L"SHA224", 28, &mHashOidValue[13], 9, NULL, NULL, NULL, NULL }, { L"SHA224", 28, &mHashOidValue[13], 9, NULL, NULL, NULL, NULL },
{ L"SHA256", 32, &mHashOidValue[22], 9, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final}, { L"SHA256", 32, &mHashOidValue[22], 9, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final},
{ L"SHA384", 48, &mHashOidValue[31], 9, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final}, { L"SHA384", 48, &mHashOidValue[31], 9, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final},
@ -1786,7 +1785,7 @@ HashPeImage (
SectionHeader = NULL; SectionHeader = NULL;
Status = FALSE; Status = FALSE;
if ((HashAlg != HASHALG_SHA1) && (HashAlg != HASHALG_SHA256)) { if (HashAlg != HASHALG_SHA256) {
return FALSE; return FALSE;
} }
@ -1795,13 +1794,8 @@ HashPeImage (
// //
ZeroMem (mImageDigest, MAX_DIGEST_SIZE); ZeroMem (mImageDigest, MAX_DIGEST_SIZE);
if (HashAlg == HASHALG_SHA1) { mImageDigestSize = SHA256_DIGEST_SIZE;
mImageDigestSize = SHA1_DIGEST_SIZE; mCertType = gEfiCertSha256Guid;
mCertType = gEfiCertSha1Guid;
} else if (HashAlg == HASHALG_SHA256) {
mImageDigestSize = SHA256_DIGEST_SIZE;
mCertType = gEfiCertSha256Guid;
}
CtxSize = mHash[HashAlg].GetContextSize(); CtxSize = mHash[HashAlg].GetContextSize();

8
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
View File

@ -2,7 +2,7 @@
The header file of HII Config Access protocol implementation of SecureBoot The header file of HII Config Access protocol implementation of SecureBoot
configuration module. configuration module.
Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR> Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -67,10 +67,7 @@ extern EFI_IFR_GUID_LABEL *mEndLabel;
#define MAX_CHAR 480 #define MAX_CHAR 480
#define TWO_BYTE_ENCODE 0x82 #define TWO_BYTE_ENCODE 0x82
//
// SHA-1 digest size in bytes.
//
#define SHA1_DIGEST_SIZE 20
// //
// SHA-256 digest size in bytes // SHA-256 digest size in bytes
// //
@ -94,7 +91,6 @@ extern EFI_IFR_GUID_LABEL *mEndLabel;
// //
// Support hash types // Support hash types
// //
#define HASHALG_SHA1 0x00000000
#define HASHALG_SHA224 0x00000001 #define HASHALG_SHA224 0x00000001
#define HASHALG_SHA256 0x00000002 #define HASHALG_SHA256 0x00000002
#define HASHALG_SHA384 0x00000003 #define HASHALG_SHA384 0x00000003