From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.31; helo=mga06.intel.com; envelope-from=michael.d.kinney@intel.com; receiver=edk2-devel@lists.01.org Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 94C99226462F3 for ; Mon, 12 Mar 2018 12:24:06 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Mar 2018 12:30:27 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.47,462,1515484800"; d="scan'208";a="210877339" Received: from mdkinney-mobl2.amr.corp.intel.com ([10.241.98.52]) by fmsmga005.fm.intel.com with ESMTP; 12 Mar 2018 12:30:26 -0700 From: "Kinney, Michael D" To: edk2-devel@lists.01.org Cc: Sean Brogan , Kelly Steele , Jiewen Yao , Michael D Kinney Date: Mon, 12 Mar 2018 12:30:17 -0700 Message-Id: <20180312193017.15156-6-michael.d.kinney@intel.com> X-Mailer: git-send-email 2.14.2.windows.3 In-Reply-To: <20180312193017.15156-1-michael.d.kinney@intel.com> References: <20180312193017.15156-1-michael.d.kinney@intel.com> Subject: [Patch 5/5] QuarkPlatformPkg/PlatformBootManagerLib: Check PcdPkcs7CertBufferXdr X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Mar 2018 19:24:07 -0000 https://bugzilla.tianocore.org/show_bug.cgi?id=891 Evaluate both PcdPkcs7CertBuffer and PcdPkcs7CertBufferXdr for the use of the test key. If the test key is found in either PCD, then the warning messages for the use of a test key must be presented. Cc: Sean Brogan Cc: Kelly Steele Cc: Jiewen Yao Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney --- .../PlatformBootManagerLib/PlatformBootManager.c | 51 +++++++++++++++++++++- .../PlatformBootManagerLib.inf | 3 +- 2 files changed, 52 insertions(+), 2 deletions(-) diff --git a/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManager.c b/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManager.c index 53391c6077..829f852b61 100644 --- a/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManager.c +++ b/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManager.c @@ -2,7 +2,7 @@ This file include all platform action which can be customized by IBV/OEM. -Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -347,6 +347,10 @@ PlatformBootManagerAfterConsole ( ESRT_MANAGEMENT_PROTOCOL *EsrtManagement; VOID *Buffer; UINTN Size; + VOID *PublicKeyData; + UINTN PublicKeyDataLength; + UINT8 *PublicKeyDataXdr; + UINT8 *PublicKeyDataXdrEnd; Status = gBS->LocateProtocol(&gEsrtManagementProtocolGuid, NULL, (VOID **)&EsrtManagement); if (EFI_ERROR(Status)) { @@ -433,6 +437,51 @@ PlatformBootManagerAfterConsole ( Print(L"WARNING: Capsule Test Key is used.\n"); PcdSetBoolS(PcdTestKeyUsed, TRUE); } + + // + // Make sure none of the keys in PcdPkcs7CertBufferXdr match the test key + // + PublicKeyDataXdr = PcdGetPtr (PcdPkcs7CertBufferXdr); + PublicKeyDataXdrEnd = PublicKeyDataXdr + PcdGetSize (PcdPkcs7CertBufferXdr); + + ASSERT (PublicKeyDataXdr != NULL); + ASSERT (PublicKeyDataXdr != PublicKeyDataXdrEnd); + + // + // Try each key from PcdPkcs7CertBufferXdr + // + while (PublicKeyDataXdr < PublicKeyDataXdrEnd) { + if (PublicKeyDataXdr + sizeof (UINT32) > PublicKeyDataXdrEnd) { + // + // Key data extends beyond end of PCD + // + break; + } + // + // Read key length stored in big endian format + // + PublicKeyDataLength = SwapBytes32 (*(UINT32 *)(PublicKeyDataXdr)); + // + // Point to the start of the key data + // + PublicKeyDataXdr += sizeof (UINT32); + if (PublicKeyDataXdr + PublicKeyDataLength > PublicKeyDataXdrEnd) { + // + // Key data extends beyond end of PCD + // + break; + } + PublicKeyData = PublicKeyDataXdr; + if ((Size == PublicKeyDataLength) && + (CompareMem(Buffer, PublicKeyData, Size) == 0)) { + Print(L"WARNING: Capsule Test Key is used.\n"); + PcdSetBoolS(PcdTestKeyUsed, TRUE); + } + + PublicKeyDataXdr += PublicKeyDataLength; + PublicKeyDataXdr = (UINT8 *)ALIGN_POINTER (PublicKeyDataXdr, sizeof(UINT32)); + } + FreePool(Buffer); } diff --git a/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf index 25394d8ca0..95a65ca88a 100644 --- a/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf +++ b/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf @@ -1,7 +1,7 @@ ## @file # Include all platform action which can be customized by IBV/OEM. # -# Copyright (c) 2012 - 2016, Intel Corporation. All rights reserved.
+# Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
# This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License # which accompanies this distribution. The full text of the license may be found at @@ -85,5 +85,6 @@ [Pcd] gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiPkcs7TestPublicKeyFileGuid gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer + gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBufferXdr gEfiMdeModulePkgTokenSpaceGuid.PcdTestKeyUsed -- 2.14.2.windows.3