Commit Graph

39 Commits

Author SHA1 Message Date
Shumin Qiu 69f8bb5288 SecurityPkg: Fix typo.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Shumin Qiu <shumin.qiu@intel.com>
Reviewed-by: Guo Dong <guo.dong@intel.com>



git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17047 6f19259b-4bc3-4df7-8a09-765794883524
2015-03-13 08:25:27 +00:00
Long, Qin 3f63bc365d Add the missed local variable initialization to remove the possible warning.
Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: "Long, Qin" <qin.long@intel.com>
Reviewed-by: "Fu, Siyuan" <siyuan.fu@intel.com>
Reviewed-by: "Dong, Guo" <guo.dong@initel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16763 6f19259b-4bc3-4df7-8a09-765794883524
2015-02-05 05:37:10 +00:00
Long, Qin 27c93c06c0 Correct the DBX and Certificate Hash Checking.
Add the missed image signature verification against DBX;
and add the missed logic to enhance the certificate hash checking when handling DB database.

Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: "Long, Qin" <qin.long@intel.com>
Reviewed-by: "Fu, Siyuan" <siyuan.fu@intel.com>
Reviewed-by: "Dong, Guo" <guo.dong@initel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16744 6f19259b-4bc3-4df7-8a09-765794883524
2015-02-04 08:19:53 +00:00
Long, Qin 12d95665cb Correct the Hash Calculation for Revoked X.509 Certificate to align with RFC3280 and UEFI 2.4 Spec.
This patch added one new X509GetTBSCert() interface in BaseCryptLib to retrieve the TBSCertificate, 
and also corrected the hash calculation for revoked certificate to aligned the RFC3280 and UEFI 2.4 spec.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: "Long, Qin" <qin.long@intel.com>
Reviewed-by: "Dong, Guo" <guo.dong@initel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16559 6f19259b-4bc3-4df7-8a09-765794883524
2014-12-25 08:37:08 +00:00
Dong Guo 5789fe3587 correct a data type error.
Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Dong Eric <eric.dong@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16498 6f19259b-4bc3-4df7-8a09-765794883524
2014-12-11 06:34:57 +00:00
Dong Guo 213cc1000e Add failed image Name in the Image Execution Information Table.
Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Zhang Chao B <chao.b.zhang@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16493 6f19259b-4bc3-4df7-8a09-765794883524
2014-12-10 08:09:20 +00:00
Qin Long 7e0699c06e Code clean-up to eliminate potential "dereferenced pointer" warning.
Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Qin Long <qin.long@intel.com> 
Reviewed-by: Guo Dong <guo.dong@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16468 6f19259b-4bc3-4df7-8a09-765794883524
2014-12-03 07:40:32 +00:00
Qin Long 2bf41ed7dc Correct the alignment calculation of PE/COFF attribute certificate entry.
This is to resolve the possible certificate entry retrieving issue caused by un-aligned (8-bytes) VirtualAddress in some PE/COFF image, which may break secure boot.

Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Qin Long <qin.long@intel.com> 
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
Reviewed-by: Guo Dong <guo.dong@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16449 6f19259b-4bc3-4df7-8a09-765794883524
2014-11-26 08:21:54 +00:00
Qin Long 20333c6d56 UEFI 2.4 X509 Certificate Hash and RFC3161 Timestamp Verification support for Secure Boot
Main ChangeLogs includes:
1. Introduce the new GUID and structure definitions for certificate hash and timestamp support;
2. Update Image Verification Library to support DBT signature checking;
3. Update the related SecureBoot Configuration Pages;

Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Qin Long <qin.long@intel.com> 
Reviewed-by: Guo Dong <guo.dong@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16380 6f19259b-4bc3-4df7-8a09-765794883524
2014-11-14 08:41:12 +00:00
Eric Dong 1fee5304db Refine code to make it more safely.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Guo Dong <guo.dong@intel.com>




git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15590 6f19259b-4bc3-4df7-8a09-765794883524
2014-06-25 06:00:49 +00:00
Dong, Guo ffccb935fa Update code to always publish EFI_IMAGE_EXECUTION_INFO_TABLE.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Fu, Siyuan <siyuan.fu@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>
Reviewed-by: Zhang, Chao B <chao.b.zhang@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15585 6f19259b-4bc3-4df7-8a09-765794883524
2014-06-25 02:02:22 +00:00
Fu Siyuan 68fc0c7319 Update DEC file and DxeImageVerificationLib to note user that ALLOW_EXECUTE_ON_SECURITY_VIOLATION is no longer supported.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dong, Guo <guo.dong@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14923 6f19259b-4bc3-4df7-8a09-765794883524
2013-12-02 07:52:35 +00:00
jyao1 c1d932429e Add TPM2 implementation.
signed off by: jiewen.yao@intel.com
reviewed by: guo.dong@intel.com

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14687 6f19259b-4bc3-4df7-8a09-765794883524
2013-09-18 05:31:18 +00:00
Fu Siyuan db44ea6c4e 1. Change default PCD in SecurityPkg to 4 (DENY_EXECUTE) in DEC file.
2. ASSERT if PCD value is set to 5 (QUERY_USER_ON_SECURITY_VIOLATION).
3. Update override PCD setting from 5 to 4 in platform DSC file.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ni Ruiyu <ruiyu.ni@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14607 6f19259b-4bc3-4df7-8a09-765794883524
2013-08-28 09:06:40 +00:00
sfu5 0ba17ade47 Fix a bug that “SecureBoot” varaible will be updated to NV+AT attribute incorrectly.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ni Ruiyu <ruiyu.ni@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14375 6f19259b-4bc3-4df7-8a09-765794883524
2013-05-17 08:05:01 +00:00
sfu5 7403ff5b9f Fix a bug that IsSignatureFoundInDatabase() incorrectly computes CertCount.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting  <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14165 6f19259b-4bc3-4df7-8a09-765794883524
2013-03-06 01:42:04 +00:00
sfu5 6de4c35f99 Update the DxeImageVerificationLib to support for Authenticode-signed UEFI images with multiple signatures.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting  <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14141 6f19259b-4bc3-4df7-8a09-765794883524
2013-02-21 05:00:21 +00:00
sfu5 b3d4217001 Add a NULL string to the Image Execution Information Table if the Name is NULL in function AddImageExeInfo().
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting  <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13990 6f19259b-4bc3-4df7-8a09-765794883524
2012-12-12 03:03:07 +00:00
tye1 64470c17df Remove useless MD5 OID ASN.1 value from DxeImageVerificationLib.
Signed-off-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13854 6f19259b-4bc3-4df7-8a09-765794883524
2012-10-17 02:26:11 +00:00
sfu5 84bce75b08 Check the value of Hdr.dwLength for signed EFI image before image validation.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting  <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13701 6f19259b-4bc3-4df7-8a09-765794883524
2012-09-06 02:15:59 +00:00
sfu5 f6f9031f8e Update the DxeImageVerificationLib to handle the signed image which CertType is set to EFI_CERT_TYPE_PKCS7_GUID.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting  <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13672 6f19259b-4bc3-4df7-8a09-765794883524
2012-08-23 07:55:35 +00:00
lgao4 5db28a6753 Add PI1.2.1 SAP2 support and UEFI231B mantis 896
1. Update three Security Handlers to depend on new SecurityManagementLib APIs to register Security service for SAP2

Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Guo Dong <dong.guo@intel.com>


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13661 6f19259b-4bc3-4df7-8a09-765794883524
2012-08-22 02:33:00 +00:00
sfu5 50fe73a1aa 1. Remove the code path which use X509 cert in KEK to validate PKCS7 signed image.
2. Remove the code path to validate UEFI image signed by RSA2048 key.
3. Disable the ALLOW_EXECUTE/DEFER_EXECUTE/QUERY_USER policy PCD.

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting  <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13636 6f19259b-4bc3-4df7-8a09-765794883524
2012-08-15 01:39:43 +00:00
sfu5 3277a4e5ed Fix a bug in DxeImageVerificationLib which will pass incorrect trust cert size to AuthenticodeVerify() function.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13526 6f19259b-4bc3-4df7-8a09-765794883524
2012-07-12 01:13:37 +00:00
sfu5 8f8ca22e59 1. Reset system when user changes secure boot state in secure boot configuration form.
2. Update the method to detect secure boot state in DxeImageVerificationLib and secure boot configuration driver.

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13505 6f19259b-4bc3-4df7-8a09-765794883524
2012-07-05 08:08:12 +00:00
jyao1 dc204d5a0f Add comment for modules which have external input.
signed-off-by: jiewen.yao@intel.com
reviewed-by: guo.dong@intel.com
reviewed-by: ting.ye@intel.com
reviewed-by: liming.gao@intel.com
reviewed-by: elvin.li@intel.com



git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13446 6f19259b-4bc3-4df7-8a09-765794883524
2012-06-12 08:28:43 +00:00
sfu5 de2447dd4c Fix compatibility issue when using IPF image with PE32 magic value in the OptionalHeader.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13433 6f19259b-4bc3-4df7-8a09-765794883524
2012-06-08 02:09:48 +00:00
ydong10 f01b91ae42 Fixed build failed.
Signed-off-by: Eric Dong <eric.dong@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13406 6f19259b-4bc3-4df7-8a09-765794883524
2012-05-31 08:35:48 +00:00
ydong10 bf4a3dbd47 Add new interface GetVariable2 and GetEfiGlobalVariable2 to return more info. Also replace old interface with new one.
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13375 6f19259b-4bc3-4df7-8a09-765794883524
2012-05-30 07:36:00 +00:00
sfu5 4ef15e6e33 Fix a bug in DxeImageVerificationLib to use the correct certificate length when verifying a signed EFI image.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13364 6f19259b-4bc3-4df7-8a09-765794883524
2012-05-28 04:51:53 +00:00
tye1 badd40f9d4 Removes redundant code and adds data size check for certificate data in DxeImageVerificationLib.
Signed-off by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Dong Eric <yong.dong@intel.com>


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13291 6f19259b-4bc3-4df7-8a09-765794883524
2012-05-08 02:53:49 +00:00
tye1 551d808116 Enhances PE image hash algorithm in DxeImageVerificationLib and DxeTpmMeasureBootLib.
Signed-off-by: Ye Ting<ting.ye@intel.com>
Reviewed by: Dong, Eric <yong.dong@intel.com>
Reviewed by: Dong, Guo <guo.dong@intel.com>



git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13228 6f19259b-4bc3-4df7-8a09-765794883524
2012-04-28 07:48:15 +00:00
ydong10 e0192326ae Patch include:
1.Change function name to avoid name conflict.
2.Refine check for Pe Image.

Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13220 6f19259b-4bc3-4df7-8a09-765794883524
2012-04-26 01:50:34 +00:00
ydong10 28186d4566 Validate some fields in PE image to make sure not access violation for later code.
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13211 6f19259b-4bc3-4df7-8a09-765794883524
2012-04-24 03:00:32 +00:00
sfu5 bd0de3963b 1. Add more error handling code to DxeImageVerificationLib and BaseCryptLib.
Signed-off-by: sfu5
Reviewed-by: qianouyang
Reviewed-by: gdong1

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13109 6f19259b-4bc3-4df7-8a09-765794883524
2012-03-19 05:10:46 +00:00
xdu2 45bf2c4789 SecurityPkg: Update DxeImageVerificationLib with following changes:
1. Update to check image digest against dbx before execute it.
2. Update to support revoke certificate.
3. Update to support enroll unsigned PE image's Hash to allowed database (db). (Note: Unsigned Image's Hash is calculated in the same way with authenticode, the algorithm is assumed to be SHA256.)

Signed-off-by: xdu2
Reviewed-by: tye
Reviewed-by: gdong1

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12598 6f19259b-4bc3-4df7-8a09-765794883524
2011-10-28 09:54:08 +00:00
qianouyang beda2356f5 Enable/Disable Secured Boot by 'Secure Boot Configuration' Page which is under Setup browser.
Signed-off-by: qianouyang
Reviewed-by: gdong1

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12586 6f19259b-4bc3-4df7-8a09-765794883524
2011-10-28 03:46:20 +00:00
hhuan13 570b3d1a72 1. Enhance DxeImageVerificationLib to avoid some corrupted input.
Signed-off-by: hhuan13
Reviewed-by: qlong


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12399 6f19259b-4bc3-4df7-8a09-765794883524
2011-09-21 05:23:55 +00:00
gdong1 0c18794ea4 Add security package to repository.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12261 6f19259b-4bc3-4df7-8a09-765794883524
2011-09-02 07:49:32 +00:00