From: "Kinney, Michael D" <michael.d.kinney@intel.com>
To: edk2-devel@lists.01.org
Cc: Sean Brogan <sean.brogan@microsoft.com>,
	Chao Zhang <chao.b.zhang@intel.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Michael D Kinney <michael.d.kinney@intel.com>
Subject: [Patch 3/5] SecurityPkg/EdkiiSystemCapsuleLib: Use PcdPkcs7CertBufferXdr
Date: Mon, 12 Mar 2018 12:30:15 -0700	[thread overview]
Message-ID: <20180312193017.15156-4-michael.d.kinney@intel.com> (raw)
In-Reply-To: <20180312193017.15156-1-michael.d.kinney@intel.com>

https://bugzilla.tianocore.org/show_bug.cgi?id=891

Use both PcdPkcs7CertBuffer and PcdPkcs7CertBufferXdr to authenticate
a capsule.  The capsule fails authentication if none of the certificates
in PcdPkcs7CertBuffer or PcdPkcs7CertBufferXdr pass.

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
---
 .../EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.c  | 77 +++++++++++++++++++---
 .../EdkiiSystemCapsuleLib.inf                      |  3 +-
 2 files changed, 70 insertions(+), 10 deletions(-)

diff --git a/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.c b/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.c
index 876d2257b3..5217a63082 100644
--- a/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.c
+++ b/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.c
@@ -6,7 +6,7 @@
   CapsuleAuthenticateSystemFirmware(), ExtractAuthenticatedImage() will receive
   untrusted input and do basic validation.
 
-  Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -370,6 +370,8 @@ ExtractAuthenticatedImage (
   GUID                                      *CertType;
   VOID                                      *PublicKeyData;
   UINTN                                     PublicKeyDataLength;
+  UINT8                                     *PublicKeyDataXdr;
+  UINT8                                     *PublicKeyDataXdrEnd;
 
   DEBUG((DEBUG_INFO, "ExtractAuthenticatedImage - Image: 0x%08x - 0x%08x\n", (UINTN)Image, (UINTN)ImageSize));
 
@@ -410,21 +412,78 @@ ExtractAuthenticatedImage (
   if (CompareGuid(&gEfiCertPkcs7Guid, CertType)) {
     PublicKeyData   = PcdGetPtr(PcdPkcs7CertBuffer);
     PublicKeyDataLength = PcdGetSize(PcdPkcs7CertBuffer);
+
+    ASSERT (PublicKeyData != NULL);
+    ASSERT (PublicKeyDataLength != 0);
+
+    Status = AuthenticateFmpImage(
+               ImageAuth,
+               ImageSize,
+               PublicKeyData,
+               PublicKeyDataLength
+               );
+    if (EFI_ERROR (Status)) {
+      PublicKeyDataXdr    = PcdGetPtr (PcdPkcs7CertBufferXdr);
+      PublicKeyDataXdrEnd = PublicKeyDataXdr + PcdGetSize (PcdPkcs7CertBufferXdr);
+
+      ASSERT (PublicKeyDataXdr != NULL);
+      ASSERT (PublicKeyDataXdr != PublicKeyDataXdrEnd);
+
+      //
+      // Try each key from PcdPkcs7CertBufferXdr
+      //
+      while (PublicKeyDataXdr < PublicKeyDataXdrEnd) {
+        if (PublicKeyDataXdr + sizeof (UINT32) > PublicKeyDataXdrEnd) {
+          //
+          // Key data extends beyond end of PCD
+          //
+          break;
+        }
+        //
+        // Read key length stored in big endian format
+        //
+        PublicKeyDataLength = SwapBytes32 (*(UINT32 *)(PublicKeyDataXdr));
+        //
+        // Point to the start of the key data
+        //
+        PublicKeyDataXdr += sizeof (UINT32);
+        if (PublicKeyDataXdr + PublicKeyDataLength > PublicKeyDataXdrEnd) {
+          //
+          // Key data extends beyond end of PCD
+          //
+          break;
+        }
+        PublicKeyData = PublicKeyDataXdr;
+        Status = AuthenticateFmpImage (
+                   ImageAuth,
+                   ImageSize,
+                   PublicKeyData,
+                   PublicKeyDataLength
+                   );
+        if (!EFI_ERROR (Status)) {
+          break;
+        }
+        PublicKeyDataXdr += PublicKeyDataLength;
+        PublicKeyDataXdr = (UINT8 *)ALIGN_POINTER (PublicKeyDataXdr, sizeof(UINT32));
+      }
+    }
   } else if (CompareGuid(&gEfiCertTypeRsa2048Sha256Guid, CertType)) {
     PublicKeyData = PcdGetPtr(PcdRsa2048Sha256PublicKeyBuffer);
     PublicKeyDataLength = PcdGetSize(PcdRsa2048Sha256PublicKeyBuffer);
+
+    ASSERT (PublicKeyData != NULL);
+    ASSERT (PublicKeyDataLength != 0);
+
+    Status = AuthenticateFmpImage(
+               ImageAuth,
+               ImageSize,
+               PublicKeyData,
+               PublicKeyDataLength
+               );
   } else {
     return FALSE;
   }
-  ASSERT (PublicKeyData != NULL);
-  ASSERT (PublicKeyDataLength != 0);
 
-  Status = AuthenticateFmpImage(
-             ImageAuth,
-             ImageSize,
-             PublicKeyData,
-             PublicKeyDataLength
-             );
   switch (Status) {
   case RETURN_SUCCESS:
     *LastAttemptStatus = LAST_ATTEMPT_STATUS_SUCCESS;
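Review bot: Both bounds checks in the XDR loop add to the pointer before comparing (`PublicKeyDataXdr + PublicKeyDataLength > PublicKeyDataXdrEnd`), so on a 32-bit build a length field near the top of the UINT32 range can wrap the address and pass the check; comparing against the bytes that remain avoids this, `if (PublicKeyDataLength > (UINTN)(PublicKeyDataXdrEnd - PublicKeyDataXdr)) { break; }`, with the same form for the `sizeof (UINT32)` check. The length is fetched with `*(UINT32 *)(PublicKeyDataXdr)`, which assumes the PCD buffer starts 4-byte aligned; `SwapBytes32 (ReadUnaligned32 ((UINT32 *)PublicKeyDataXdr))` does not depend on that. The fallback path is entered whenever the first AuthenticateFmpImage() call fails, so if a platform leaves PcdPkcs7CertBufferXdr empty (not visible from this hunk), a capsule with a bad signature would reach `ASSERT (PublicKeyDataXdr != PublicKeyDataXdrEnd)` in debug builds instead of being rejected through the `switch (Status)` path; an `if` that skips the loop would keep rejection on the normal error path. ExtractAuthenticatedImage starts and ends outside the hunk, so how Status is initialised and consumed beyond the first `case` cannot be confirmed here.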
diff --git a/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.inf b/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.inf
index a721619a67..2b18d918d1 100644
--- a/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.inf
+++ b/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.inf
@@ -3,7 +3,7 @@
 #
 #  EDKII System Capsule library instance for DXE/PEI post memory phase.
 #
-#  Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution.  The full text of the license may be found at
@@ -52,6 +52,7 @@ [Pcd]
   gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareFileGuid           ## CONSUMES
   gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer               ## CONSUMES
   gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer                            ## CONSUMES
+  gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBufferXdr                         ## CONSUMES
 
 [Guids]
   gEdkiiSystemFirmwareImageDescriptorFileGuid          ## SOMETIMES_CONSUMES   ## GUID
-- 
2.14.2.windows.3


