[Patch 5/5] QuarkPlatformPkg/PlatformBootManagerLib: Check PcdPkcs7CertBufferXdr

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Kinney, Michael D" <michael.d.kinney@intel.com>
To: edk2-devel@lists.01.org
Cc: Sean Brogan <sean.brogan@microsoft.com>,
	Kelly Steele <kelly.steele@intel.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Michael D Kinney <michael.d.kinney@intel.com>
Subject: [Patch 5/5] QuarkPlatformPkg/PlatformBootManagerLib: Check PcdPkcs7CertBufferXdr
Date: Mon, 12 Mar 2018 12:30:17 -0700	[thread overview]
Message-ID: <20180312193017.15156-6-michael.d.kinney@intel.com> (raw)
In-Reply-To: <20180312193017.15156-1-michael.d.kinney@intel.com>

https://bugzilla.tianocore.org/show_bug.cgi?id=891

Evaluate both PcdPkcs7CertBuffer and PcdPkcs7CertBufferXdr for the use
of the test key.  If the test key is found in either PCD, then the warning
messages for the use of a test key must be presented.

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Kelly Steele <kelly.steele@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
---
 .../PlatformBootManagerLib/PlatformBootManager.c   | 51 +++++++++++++++++++++-
 .../PlatformBootManagerLib.inf                     |  3 +-
 2 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManager.c b/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManager.c
index 53391c6077..829f852b61 100644
--- a/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManager.c
+++ b/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManager.c
@@ -2,7 +2,7 @@
 This file include all platform action which can be customized
 by IBV/OEM.
 
-Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -347,6 +347,10 @@ PlatformBootManagerAfterConsole (
   ESRT_MANAGEMENT_PROTOCOL       *EsrtManagement;
   VOID                           *Buffer;
   UINTN                          Size;
+  VOID                           *PublicKeyData;
+  UINTN                          PublicKeyDataLength;
+  UINT8                          *PublicKeyDataXdr;
+  UINT8                          *PublicKeyDataXdrEnd;
 
   Status = gBS->LocateProtocol(&gEsrtManagementProtocolGuid, NULL, (VOID **)&EsrtManagement);
   if (EFI_ERROR(Status)) {
@@ -433,6 +437,51 @@ PlatformBootManagerAfterConsole (
       Print(L"WARNING: Capsule Test Key is used.\n");
       PcdSetBoolS(PcdTestKeyUsed, TRUE);
     }
+
+    //
+    // Make sure none of the keys in PcdPkcs7CertBufferXdr match the test key
+    //
+    PublicKeyDataXdr    = PcdGetPtr (PcdPkcs7CertBufferXdr);
+    PublicKeyDataXdrEnd = PublicKeyDataXdr + PcdGetSize (PcdPkcs7CertBufferXdr);
+
+    ASSERT (PublicKeyDataXdr != NULL);
+    ASSERT (PublicKeyDataXdr != PublicKeyDataXdrEnd);
+
+    //
+    // Try each key from PcdPkcs7CertBufferXdr
+    //
+    while (PublicKeyDataXdr < PublicKeyDataXdrEnd) {
+      if (PublicKeyDataXdr + sizeof (UINT32) > PublicKeyDataXdrEnd) {
+        //
+        // Key data extends beyond end of PCD
+        //
+        break;
+      }
+      //
+      // Read key length stored in big endian format
+      //
+      PublicKeyDataLength = SwapBytes32 (*(UINT32 *)(PublicKeyDataXdr));
+      //
+      // Point to the start of the key data
+      //
+      PublicKeyDataXdr += sizeof (UINT32);
+      if (PublicKeyDataXdr + PublicKeyDataLength > PublicKeyDataXdrEnd) {
+        //
+        // Key data extends beyond end of PCD
+        //
+        break;
+      }
+      PublicKeyData = PublicKeyDataXdr;
+      if ((Size == PublicKeyDataLength) &&
+          (CompareMem(Buffer, PublicKeyData, Size) == 0)) {
+        Print(L"WARNING: Capsule Test Key is used.\n");
+        PcdSetBoolS(PcdTestKeyUsed, TRUE);
+      }
+
+      PublicKeyDataXdr += PublicKeyDataLength;
+      PublicKeyDataXdr = (UINT8 *)ALIGN_POINTER (PublicKeyDataXdr, sizeof(UINT32));
+    }
+
     FreePool(Buffer);
   }
 
diff --git a/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index 25394d8ca0..95a65ca88a 100644
--- a/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -1,7 +1,7 @@
 ## @file
 #  Include all platform action which can be customized by IBV/OEM.
 #
-#  Copyright (c) 2012 - 2016, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution.  The full text of the license may be found at
@@ -85,5 +85,6 @@ [Pcd]
   gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiPkcs7TestPublicKeyFileGuid
   gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer
   gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer
+  gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBufferXdr
   gEfiMdeModulePkgTokenSpaceGuid.PcdTestKeyUsed
 
-- 
2.14.2.windows.3

next prev parent reply	other threads:[~2018-03-12 19:24 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-03-12 19:30 [Patch 0/5] Add multi-cert PcdPkcs7CertBufferXdr Kinney, Michael D
2018-03-12 19:30 ` [Patch 1/5] BaseTools/BinToPcd: Add support for multiple binary input files Kinney, Michael D
2018-03-12 19:30 ` [Patch 2/5] SecurityPkg: Add PcdPkcs7CertBufferXdr Kinney, Michael D
2018-03-12 19:30 ` [Patch 3/5] SecurityPkg/EdkiiSystemCapsuleLib: Use PcdPkcs7CertBufferXdr Kinney, Michael D
2018-03-15  6:36   ` Gao, Liming
2018-03-12 19:30 ` [Patch 4/5] Vlv2TbltDevicePkg/PlatformBootManagerLib: Check PcdPkcs7CertBufferXdr Kinney, Michael D
2018-03-15  2:20   ` Wei, David
2018-03-12 19:30 ` Kinney, Michael D [this message]
2018-03-14 15:29 ` [Patch 0/5] Add multi-cert PcdPkcs7CertBufferXdr Steele, Kelly

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:53391c607 dfblob:829f852b6 dfblob:25394d8ca dfblob:95a65ca88 )
 OR (
bs:"[Patch 5/5] QuarkPlatformPkg/PlatformBootManagerLib: Check PcdPkcs7CertBufferXdr" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180312193017.15156-6-michael.d.kinney@intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox