tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add comment for modules which have external input. 

signed-off-by: jiewen.yao@intel.com
reviewed-by: guo.dong@intel.com
reviewed-by: ting.ye@intel.com
reviewed-by: liming.gao@intel.com
reviewed-by: elvin.li@intel.com



git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13446 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
jyao1 2012-06-12 08:28:43 +00:00
parent 90eaa3c1e0
commit dc204d5a0f
30 changed files with 435 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
View File

@ -1,6 +1,11 @@
## @file
# Cryptographic Library Instance for DXE_DRIVER.
#
# Caution: This module requires additional review when modified.
# This library will have external input - signature.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License

7
CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
View File

@ -1,7 +1,12 @@
## @file
# Cryptographic Library Instance for PEIM.
#
# Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
# Caution: This module requires additional review when modified.
# This library will have external input - signature.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at

12
CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
View File

@ -1,6 +1,14 @@
/** @file
Authenticode Portable Executable Signature Verification over OpenSSL.
Caution: This module requires additional review when modified.
This library will have external input - signature (e.g. PE/COFF Authenticode).
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check for
data structure.
Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@ -26,6 +34,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
If AuthData is NULL, then return FALSE.
If ImageHash is NULL, then return FALSE.
Caution: This function may receive untrusted input.
PE/COFF Authenticode is external input, so this function will do basic check for
Authenticode data structure.
@param[in] AuthData Pointer to the Authenticode Signature retrieved from signed
PE/COFF image to be verified.
@param[in] DataSize Size of the Authenticode Signature in bytes.

21
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c
View File

@ -1,6 +1,15 @@
/** @file
PKCS#7 SignedData Verification Wrapper Implementation over OpenSSL.
Caution: This module requires additional review when modified.
This library will have external input - signature (e.g. UEFI Authenticated
Variable). It may by input in SMM mode.
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated
Variable and will do basic check for data structure.
Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@ -281,6 +290,10 @@ _Exit:
Check input P7Data is a wrapped ContentInfo structure or not. If not construct
a new structure to wrap P7Data.
Caution: This function may receive untrusted input.
UEFI Authenticated Variable is external input, so this function will do basic
check for PKCS#7 data structure.
@param[in] P7Data Pointer to the PKCS#7 message to verify.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] WrapFlag If TRUE P7Data is a ContentInfo structure, otherwise
@ -389,6 +402,10 @@ WrapPkcs7Data (
If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then
return FALSE. If P7Length overflow, then return FAlSE.
Caution: This function may receive untrusted input.
UEFI Authenticated Variable is external input, so this function will do basic
check for PKCS#7 data structure.
@param[in] P7Data Pointer to the PKCS#7 message to verify.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.
@ -589,6 +606,10 @@ Pkcs7FreeSigners (
If P7Data, TrustedCert or InData is NULL, then return FALSE.
If P7Length, CertLength or DataLength overflow, then return FAlSE.
Caution: This function may receive untrusted input.
UEFI Authenticated Variable is external input, so this function will do basic
check for PKCS#7 data structure.
@param[in] P7Data Pointer to the PKCS#7 message to verify.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which

5
CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
View File

@ -1,6 +1,11 @@
## @file
# Cryptographic Library Instance for DXE_RUNTIME_DRIVER
#
# Caution: This module requires additional review when modified.
# This library will have external input - signature.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License

5
CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
View File

@ -10,6 +10,11 @@
# 5) DhGenerateParameter
# 6) DhGenerateKey
#
# Caution: This module requires additional review when modified.
# This library will have external input - signature.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License

7
MdeModulePkg/Universal/CapsulePei/CapsulePei.inf
View File

@ -3,7 +3,12 @@
#
# Capsule update module supports EFI and UEFI.
#
# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
# Caution: This module requires additional review when modified.
# This driver will have external input - capsule image.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions

5
MdeModulePkg/Universal/CapsulePei/CapsuleX64.inf
View File

@ -4,6 +4,11 @@
# The X64 entrypoint to process capsule in long mode.
# This module is built as X64.
#
# Caution: This module requires additional review when modified.
# This driver will have external input - capsule image.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials

12
MdeModulePkg/Universal/CapsulePei/Common/CapsuleCoalesce.c
View File

@ -1,6 +1,14 @@
/** @file
The logic to process capsule.
Caution: This module requires additional review when modified.
This driver will have external input - capsule image.
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
CapsuleDataCoalesce() will do basic validation before coalesce capsule data
into memory.
Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@ -792,6 +800,10 @@ BuildCapsuleDescriptors (
| PrivateDataDesc 0 |
MemBase ---->+---------------------------+<----- BlockList
Caution: This function may receive untrusted input.
The capsule data is external input, so this routine will do basic validation before
coalesce capsule data into memory.
@param PeiServices General purpose services available to every PEIM.
@param BlockListBuffer Point to the buffer of Capsule Descriptor Variables.
@param MemoryBase Pointer to the base of a block of memory that we can walk

42
MdeModulePkg/Universal/Disk/PartitionDxe/Gpt.c
View File

@ -2,7 +2,18 @@
Decode a hard disk partitioned with the GPT scheme in the UEFI 2.0
specification.
Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
Caution: This file requires additional review when modified.
This driver will have external input - disk partition.
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
PartitionInstallGptChildHandles() routine will read disk partition content and
do basic validation before PartitionInstallChildHandle().
PartitionValidGptTable(), PartitionCheckGptEntry() routine will accept disk
partition content and validate the GPT table and GPT entry.
Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@ -19,6 +30,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
/**
Install child handles if the Handle supports GPT partition structure.
Caution: This function may receive untrusted input.
The GPT partition table header is external input, so this routine
will do basic validation for GPT partition table header before return.
@param[in] BlockIo Parent BlockIo interface.
@param[in] DiskIo Disk Io protocol.
@param[in] Lba The starting Lba of the Partition Table
@ -77,8 +92,11 @@ PartitionRestoreGptTable (
/**
Restore Partition Table to its alternate place.
(Primary -> Backup or Backup -> Primary)
This routine will check GPT partition entry and return entry status.
Caution: This function may receive untrusted input.
The GPT partition entry is external input, so this routine
will do basic validation for GPT partition entry and report status.
@param[in] PartHeader Partition table header structure
@param[in] PartEntry The partition entry array
@ -158,6 +176,11 @@ PartitionSetCrc (
/**
Install child handles if the Handle supports GPT partition structure.
Caution: This function may receive untrusted input.
The GPT partition table is external input, so this routine
will do basic validation for GPT partition table before install
child handle for each GPT partition.
@param[in] This Calling context.
@param[in] Handle Parent Handle.
@param[in] DiskIo Parent DiskIo interface.
@ -411,7 +434,11 @@ Done:
}
/**
Install child handles if the Handle supports GPT partition structure.
This routine will read GPT partition table header and return it.
Caution: This function may receive untrusted input.
The GPT partition table header is external input, so this routine
will do basic validation for GPT partition table header before return.
@param[in] BlockIo Parent BlockIo interface.
@param[in] DiskIo Disk Io protocol.
@ -640,8 +667,11 @@ Done:
}
/**
Restore Partition Table to its alternate place.
(Primary -> Backup or Backup -> Primary)
This routine will check GPT partition entry and return entry status.
Caution: This function may receive untrusted input.
The GPT partition entry is external input, so this routine
will do basic validation for GPT partition entry and report status.
@param[in] PartHeader Partition table header structure
@param[in] PartEntry The partition entry array

9
MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf
View File

@ -6,8 +6,13 @@
# the bytes from Start to End of the Parent Block I/O device.
# The partition of physical BlockIo device supported is one of legacy MBR, GPT,
# and "El Torito" partitions.
#
# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
#
# Caution: This module requires additional review when modified.
# This driver will have external input - disk partition.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at

22
MdePkg/Library/BasePeCoffLib/BasePeCoff.c
View File

@ -2,6 +2,19 @@
Base PE/COFF loader supports loading any PE32/PE32+ or TE image, but
only supports relocating IA32, x64, IPF, and EBC images.
Caution: This file requires additional review when modified.
This library will have external input - PE/COFF image.
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
The basic guideline is that caller need provide ImageContext->ImageRead () with the
necessary data range check, to make sure when this library reads PE/COFF image, the
PE image buffer is always in valid range.
This library will also do some additional check for PE header fields.
PeCoffLoaderGetPeHeader() routine will do basic check for PE/COFF header.
PeCoffLoaderGetImageInfo() routine will do basic check for whole PE/COFF image.
Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
Portions copyright (c) 2008 - 2009, Apple Inc. All rights reserved.<BR>
This program and the accompanying materials
@ -48,7 +61,10 @@ PeCoffLoaderGetPeHeaderMagicValue (
/**
Retrieves the PE or TE Header from a PE/COFF or TE image.
Also done many checks in PE image to make sure PE image DosHeader, PeOptionHeader,
Caution: This function may receive untrusted input.
PE/COFF image is external input, so this routine will
also done many checks in PE image to make sure PE image DosHeader, PeOptionHeader,
SizeOfHeader, Section Data Region and Security Data Region be in PE image range.
@param ImageContext The context of the image being loaded.
@ -376,7 +392,9 @@ PeCoffLoaderGetPeHeader (
The ImageRead and Handle fields of ImageContext structure must be valid prior
to invoking this service.
Also done many checks in PE image to make sure PE image DosHeader, PeOptionHeader,
Caution: This function may receive untrusted input.
PE/COFF image is external input, so this routine will
also done many checks in PE image to make sure PE image DosHeader, PeOptionHeader,
SizeOfHeader, Section Data Region and Security Data Region be in PE image range.
@param ImageContext The pointer to the image context structure that describes the PE/COFF

7
MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf
View File

@ -4,7 +4,12 @@
# The IA32 version library support loading IA32, X64 and EBC PE/COFF images.
# The X64 version library support loading IA32, X64 and EBC PE/COFF images.
#
# Copyright (c) 2006 - 2010, Intel Corporation. All rights reserved.<BR>
# Caution: This module requires additional review when modified.
# This library will have external input - PE/COFF image.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
# Portions copyright (c) 2008 - 2009, Apple Inc. All rights reserved.<BR>
#
# This program and the accompanying materials

43
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
View File

@ -1,6 +1,17 @@
/** @file
Implement image verification services for secure boot service in UEFI2.3.1.
Caution: This file requires additional review when modified.
This library will have external input - PE/COFF image.
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
read is within the image buffer.
DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
untrusted PE/COFF image and validate its data structure within this image buffer before use.
Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@ -14,14 +25,22 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include "DxeImageVerificationLib.h"
//
// Caution: This is used by a function which may receive untrusted input.
// These global variables hold PE/COFF image data, and they should be validated before use.
//
EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION mNtHeader;
UINTN mImageSize;
UINT32 mPeCoffHeaderOffset;
EFI_IMAGE_DATA_DIRECTORY *mSecDataDir = NULL;
EFI_GUID mCertType;
//
// Information on current PE/COFF image
//
UINTN mImageSize;
UINT8 *mImageBase = NULL;
UINT8 mImageDigest[MAX_DIGEST_SIZE];
UINTN mImageDigestSize;
EFI_IMAGE_DATA_DIRECTORY *mSecDataDir = NULL;
UINT8 *mImageBase = NULL;
EFI_GUID mCertType;
//
// Notify string for authorization UI.
@ -57,6 +76,10 @@ HASH_TABLE mHash[] = {
/**
Reads contents of a PE/COFF image in memory buffer.
Caution: This function may receive untrusted input.
PE/COFF image is external input, so this function will make sure the PE/COFF image content
read is within the image buffer.
@param FileHandle Pointer to the file handle to read the PE/COFF image.
@param FileOffset Offset into the PE/COFF image to begin the read operation.
@param ReadSize On input, the size in bytes of the requested read operation.
@ -229,6 +252,10 @@ GetImageType (
Caculate hash of Pe/Coff image based on the authenticode image hashing in
PE/COFF Specification 8.0 Appendix A
Caution: This function may receive untrusted input.
PE/COFF image is external input, so this function will validate its data structure
within this image buffer before use.
@param[in] HashAlg Hash algorithm type.
@retval TRUE Successfully hash image.
@ -550,6 +577,10 @@ Done:
Pe/Coff image based on the authenticode image hashing in PE/COFF Specification
8.0 Appendix A
Caution: This function may receive untrusted input.
PE/COFF image is external input, so this function will validate its data structure
within this image buffer before use.
@retval EFI_UNSUPPORTED Hash algorithm is not supported.
@retval EFI_SUCCESS Hash successfully.
@ -1184,6 +1215,10 @@ Done:
If no,
Error out
Caution: This function may receive untrusted input.
PE/COFF image is external input, so this function will validate its data structure
within this image buffer before use.
@param[in] AuthenticationStatus
This is the authentication status returned from the security
measurement services for the input file.

5
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
View File

@ -2,6 +2,11 @@
# The library instance provides security service of image verification.
# Image verification Library module supports UEFI2.3.1
#
# Caution: This module requires additional review when modified.
# This library will have external input - PE/COFF image.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License

10
SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.c
View File

@ -2,6 +2,12 @@
Execute pending TPM requests from OS or BIOS and Lock TPM.
Caution: This module requires additional review when modified.
This driver will have external input - variable.
This external input must be validated carefully to avoid security issue.
ExecutePendingTpmRequest() will receive untrusted input and do validation.
Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@ -882,6 +888,10 @@ UserConfirm (
/**
Check and execute the requested physical presence command.
Caution: This function may receive untrusted input.
TcgPpData variable is external input, so this function will validate
its data structure to be valid value.
@param[in] TcgProtocol EFI TCG Protocol instance.
@param[in] TcgPpData Point to the physical presence NV variable.

6
SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.inf
View File

@ -2,7 +2,11 @@
# TCG physical presence library instance. This library will lock
# TPM after executing TPM request.
#
# Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
# Caution: This module requires additional review when modified.
# This driver will have external input - variable.
# This external input must be validated carefully to avoid security issue.
#
# Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at

25
SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
View File

@ -1,6 +1,20 @@
/** @file
The library instance provides security service of TPM measure boot.
Caution: This file requires additional review when modified.
This library will have external input - PE/COFF image and GPT partition.
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
read is within the image buffer.
TcgMeasurePeImage() function will accept untrusted PE/COFF image and validate its
data structure within this image buffer before use.
TcgMeasureGptTable() function will receive untrusted GPT partition table, and parse
partition data carefully.
Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@ -42,6 +56,10 @@ UINTN mImageSize;
/**
Reads contents of a PE/COFF image in memory buffer.
Caution: This function may receive untrusted input.
PE/COFF image is external input, so this function will make sure the PE/COFF image content
read is within the image buffer.
@param FileHandle Pointer to the file handle to read the PE/COFF image.
@param FileOffset Offset into the PE/COFF image to begin the read operation.
@param ReadSize On input, the size in bytes of the requested read operation.
@ -86,6 +104,9 @@ DxeTpmMeasureBootLibImageRead (
/**
Measure GPT table data into TPM log.
Caution: This function may receive untrusted input.
The GPT partition table is external input, so this function should parse partition data carefully.
@param TcgProtocol Pointer to the located TCG protocol instance.
@param GptHandle Handle that GPT partition was installed.
@ -247,6 +268,10 @@ TcgMeasureGptTable (
Measure PE image into TPM log based on the authenticode image hashing in
PE/COFF Specification 8.0 Appendix A.
Caution: This function may receive untrusted input.
PE/COFF image is external input, so this function will validate its data structure
within this image buffer before use.
@param[in] TcgProtocol Pointer to the located TCG protocol instance.
@param[in] ImageAddress Start address of image buffer.
@param[in] ImageSize Image size

7
SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.inf
View File

@ -1,7 +1,12 @@
## @file
# The library instance provides security service of TPM measure boot.
#
# Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
# Caution: This module requires additional review when modified.
# This library will have external input - PE/COFF image and GPT partition.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at

14
SecurityPkg/Tcg/TcgSmm/TcgSmm.c
View File

@ -2,6 +2,12 @@
It updates TPM items in ACPI table and registers SMI callback
functions for physical presence and ClearMemory.
Caution: This module requires additional review when modified.
This driver will have external input - variable and ACPINvs data in SMM mode.
This external input must be validated carefully to avoid security issue.
PhysicalPresenceCallback() and MemoryClearCallback() will receive untrusted input and do some check.
Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@ -21,6 +27,10 @@ TCG_NVS *mTcgNvs;
/**
Software SMI callback for TPM physical presence which is called from ACPI method.
Caution: This function may receive untrusted input.
Variable and ACPINvs are external input, so this function will validate
its data structure to be valid value.
@param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
@param[in] Context Points to an optional handler context which was specified when the
handler was registered.
@ -161,6 +171,10 @@ PhysicalPresenceCallback (
/**
Software SMI callback for MemoryClear which is called from ACPI method.
Caution: This function may receive untrusted input.
Variable and ACPINvs are external input, so this function will validate
its data structure to be valid value.
@param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
@param[in] Context Points to an optional handler context which was specified when the
handler was registered.

4
SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
View File

@ -3,6 +3,10 @@
# registers SMI callback functions for physical presence and
# MemoryClear to handle the requests from ACPI method.
#
# Caution: This module requires additional review when modified.
# This driver will have external input - variable and ACPINvs data in SMM mode.
# This external input must be validated carefully to avoid security issue.
#
# Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License

46
SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
View File

@ -2,6 +2,19 @@
Implement authentication services for the authenticated variable
service in UEFI2.2.
Caution: This module requires additional review when modified.
This driver will have external input - variable data. It may be input in SMM mode.
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
Variable attribute should also be checked to avoid authentication bypass.
ProcessVarWithPk(), ProcessVarWithKek() and ProcessVariable() are the function to do
variable authentication.
VerifyTimeBasedPayload() and VerifyCounterBasedPayload() are sub function to do verification.
They will do basic validation for authentication data structure, then call crypto library
to verify the signature.
Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@ -502,6 +515,12 @@ AddPubKeyInStore (
Verify data payload with AuthInfo in EFI_CERT_TYPE_RSA2048_SHA256_GUID type.
Follow the steps in UEFI2.2.
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
This function will parse the authentication carefully to avoid security issues, like
buffer overflow, integer overflow.
@param[in] Data Pointer to data with AuthInfo.
@param[in] DataSize Size of Data.
@param[in] PubKey Public key used for verification.
@ -852,6 +871,13 @@ CheckSignatureListFormat(
/**
Process variable with platform key for verification.
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
This function will parse the authentication carefully to avoid security issues, like
buffer overflow, integer overflow.
This function will check attribute carefully to avoid authentication bypass.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Data Data pointer.
@ -961,6 +987,13 @@ ProcessVarWithPk (
/**
Process variable with key exchange key for verification.
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
This function will parse the authentication carefully to avoid security issues, like
buffer overflow, integer overflow.
This function will check attribute carefully to avoid authentication bypass.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Data Data pointer.
@ -1039,6 +1072,13 @@ ProcessVarWithKek (
/**
Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
This function will parse the authentication carefully to avoid security issues, like
buffer overflow, integer overflow.
This function will check attribute carefully to avoid authentication bypass.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@ -1806,6 +1846,12 @@ InsertCertsToDb (
/**
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
This function will parse the authentication carefully to avoid security issues, like
buffer overflow, integer overflow.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Data Data pointer.

27
SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h
View File

@ -76,6 +76,13 @@ typedef struct {
/**
Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
This function will parse the authentication carefully to avoid security issues, like
buffer overflow, integer overflow.
This function will check attribute carefully to avoid authentication bypass.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@ -162,6 +169,13 @@ CheckSignatureListFormat(
/**
Process variable with platform key for verification.
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
This function will parse the authentication carefully to avoid security issues, like
buffer overflow, integer overflow.
This function will check attribute carefully to avoid authentication bypass.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Data Data pointer.
@ -191,6 +205,13 @@ ProcessVarWithPk (
/**
Process variable with key exchange key for verification.
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
This function will parse the authentication carefully to avoid security issues, like
buffer overflow, integer overflow.
This function will check attribute carefully to avoid authentication bypass.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Data Data pointer.
@ -257,6 +278,12 @@ CompareTimeStamp (
/**
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
This function will parse the authentication carefully to avoid security issues, like
buffer overflow, integer overflow.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Data Data pointer.

34
SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
View File

@ -2,6 +2,20 @@
The common variable operation routines shared by DXE_RUNTIME variable
module and DXE_SMM variable module.
Caution: This module requires additional review when modified.
This driver will have external input - variable data. They may be input in SMM mode.
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
VariableServiceGetNextVariableName () and VariableServiceQueryVariableInfo() are external API.
They need check input parameter.
VariableServiceGetVariable() and VariableServiceSetVariable() are external API
to receive datasize and data buffer. The size should be checked carefully.
VariableServiceSetVariable() should also check authenticate data to avoid buffer overflow,
integer overflow. It should also check attribute to avoid authentication bypass.
Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@ -1945,6 +1959,10 @@ IsHwErrRecVariable (
This code finds variable in storage blocks (Volatile or Non-Volatile).
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize is external input.
This function will do basic validation, before parse the data.
@param VariableName Name of Variable to be found.
@param VendorGuid Variable vendor GUID.
@param Attributes Attribute value of the variable found.
@ -2022,6 +2040,9 @@ Done:
This code Finds the Next available variable.
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode. This function will do basic validation, before parse the data.
@param VariableNameSize Size of the variable name.
@param VariableName Pointer to variable name.
@param VendorGuid Variable Vendor Guid.
@ -2167,6 +2188,13 @@ Done:
This code sets variable in storage blocks (Volatile or Non-Volatile).
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
This function will parse the authentication carefully to avoid security issues, like
buffer overflow, integer overflow.
This function will check attribute carefully to avoid authentication bypass.
@param VariableName Name of Variable to be found.
@param VendorGuid Variable vendor GUID.
@param Attributes Attribute value of the variable found
@ -2336,6 +2364,9 @@ VariableServiceSetVariable (
This code returns information about the EFI variables.
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode. This function will do basic validation, before parse the data.
@param Attributes Attributes bitmask to specify the type of variables
on which to return information.
@param MaximumVariableStorageSize Pointer to the maximum size of the storage space available
@ -2497,6 +2528,9 @@ VariableServiceQueryVariableInfo (
/**
This function reclaims variable storage if free size is below the threshold.
Caution: This function may be invoked at SMM runtime.
Care must be taken to make sure not security issue at runtime.
**/
VOID
ReclaimForOS(

17
SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h
View File

@ -402,6 +402,10 @@ GetFvbInfoByAddress (
This code finds variable in storage blocks (Volatile or Non-Volatile).
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
@param VariableName Name of Variable to be found.
@param VendorGuid Variable vendor GUID.
@param Attributes Attribute value of the variable found.
@ -429,6 +433,9 @@ VariableServiceGetVariable (
This code Finds the Next available variable.
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode. This function will do basic validation, before parse the data.
@param VariableNameSize Size of the variable name.
@param VariableName Pointer to variable name.
@param VendorGuid Variable Vendor Guid.
@ -451,6 +458,13 @@ VariableServiceGetNextVariableName (
This code sets variable in storage blocks (Volatile or Non-Volatile).
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
This function will parse the authentication carefully to avoid security issues, like
buffer overflow, integer overflow.
This function will check attribute carefully to avoid authentication bypass.
@param VariableName Name of Variable to be found.
@param VendorGuid Variable vendor GUID.
@param Attributes Attribute value of the variable found
@ -479,6 +493,9 @@ VariableServiceSetVariable (
This code returns information about the EFI variables.
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode. This function will do basic validation, before parse the data.
@param Attributes Attributes bitmask to specify the type of variables
on which to return information.
@param MaximumVariableStorageSize Pointer to the maximum size of the storage space available

5
SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
View File

@ -1,6 +1,11 @@
## @file
# Component description file for Authenticated Variable module.
#
# Caution: This module requires additional review when modified.
# This driver will have external input - variable data.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License

22
SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
View File

@ -3,7 +3,18 @@
implements an SMI handler to communicate with the DXE runtime driver
to provide variable services.
Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
Caution: This module requires additional review when modified.
This driver will have external input - variable data and communicate buffer in SMM mode.
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
SmmVariableHandler() will receive untrusted input and do basic validation.
Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
SmmVariableGetStatistics() should also do validation based on its own knowledge.
Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@ -241,6 +252,9 @@ GetFvbCountAndBuffer (
/**
Get the variable statistics information from the information buffer pointed by gVariableInfo.
Caution: This function may be invoked at SMM runtime.
InfoEntry and InfoSize are external input. Care must be taken to make sure not security issue at runtime.
@param[in, out] InfoEntry A pointer to the buffer of variable information entry.
On input, point to the variable information returned last time. if
InfoEntry->VendorGuid is zero, return the first information.
@ -338,6 +352,12 @@ SmmVariableGetStatistics (
This SMI handler provides services for the variable wrapper driver.
Caution: This function may receive untrusted input.
This variable data and communicate buffer are external input, so this function will do basic validation.
Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
SmmVariableGetStatistics() should also do validation based on its own knowledge.
@param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
@param[in] RegisterContext Points to an optional handler context which was specified when the
handler was registered.

5
SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
View File

@ -9,6 +9,11 @@
# SMM Runtime DXE module would install variable arch protocol and variable
# write arch protocol based on SMM variable module.
#
# Caution: This module requires additional review when modified.
# This driver will have external input - variable data and communicate buffer in SMM mode.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License

21
SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c
View File

@ -3,7 +3,17 @@
and volatile storage space and install variable architecture protocol
based on SMM variable module.
Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
Caution: This module requires additional review when modified.
This driver will have external input - variable data.
This external input must be validated carefully to avoid security issue like
buffer overflow, integer overflow.
RuntimeServiceGetVariable() and RuntimeServiceSetVariable() are external API
to receive data buffer. The size should be checked carefully.
InitCommunicateBuffer() is really function to check the variable data size.
Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@ -50,6 +60,9 @@ UINTN mVariableBufferSize;
The communicate size is: SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE +
DataSize.
Caution: This function may receive untrusted input.
The data size external input, so this function will validate it carefully to avoid buffer overflow.
@param[out] DataPtr Points to the data in the communicate buffer.
@param[in] DataSize The data size to send to SMM.
@param[in] Function The function number to initialize the communicate header.
@ -119,6 +132,9 @@ SendCommunicateBuffer (
/**
This code finds variable in storage blocks (Volatile or Non-Volatile).
Caution: This function may receive untrusted input.
The data size is external input, so this function will validate it carefully to avoid buffer overflow.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[out] Attributes Attribute value of the variable found.
@ -264,6 +280,9 @@ RuntimeServiceGetNextVariableName (
/**
This code sets variable in storage blocks (Volatile or Non-Volatile).
Caution: This function may receive untrusted input.
The data size and data are external input, so this function will validate it carefully to avoid buffer overflow.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Attributes Attribute value of the variable found

7
SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.inf
View File

@ -5,7 +5,12 @@
# installs variable arch protocol and variable write arch protocol and works
# with SMM variable module together.
#
# Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
# Caution: This module requires additional review when modified.
# This driver will have external input - variable data.
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
# Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at