From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga04.intel.com (mga04.intel.com []) by mx.groups.io with SMTP id smtpd.web11.3343.1581665266656025367 for ; Thu, 13 Feb 2020 23:27:52 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=fail (domain: intel.com, ip: , mailfrom: jian.j.wang@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Feb 2020 23:27:52 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,439,1574150400"; d="scan'208";a="347904227" Received: from shwdeopensfp777.ccr.corp.intel.com ([10.239.158.78]) by fmsmga001.fm.intel.com with ESMTP; 13 Feb 2020 23:27:51 -0800 From: "Wang, Jian J" To: devel@edk2.groups.io Cc: Jiewen Yao , Chao Zhang , Laszlo Ersek Subject: [PATCH v2 06/10] SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (1)(CVE-2019-14575) Date: Fri, 14 Feb 2020 15:27:41 +0800 Message-Id: <20200214072745.1570-7-jian.j.wang@intel.com> X-Mailer: git-send-email 2.24.0.windows.2 In-Reply-To: <20200214072745.1570-1-jian.j.wang@intel.com> References: <20200214072745.1570-1-jian.j.wang@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1608 To avoid false-negative issue in check hash against dbx, both error condition (as return value) and check result (as out parameter) of IsCertHashFoundInDatabase() are added. So the caller of this function will know exactly if a failure is caused by a black list hit or other error happening, and enforce a more secure operation to prevent secure boot from being bypassed. For a white list check (db), there's no such necessity. Cc: Jiewen Yao Cc: Chao Zhang Signed-off-by: Jian J Wang Signed-off-by: Laszlo Ersek --- .../DxeImageVerificationLib.c | 64 ++++++++++++------- 1 file changed, 42 insertions(+), 22 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 8739d1fa29..85261ba7f2 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -822,22 +822,23 @@ AddImageExeInfo ( @param[in] SignatureList Pointer to the Signature List in forbidden= database.=0D @param[in] SignatureListSize Size of Signature List.=0D @param[out] RevocationTime Return the time that the certificate was r= evoked.=0D + @param[out] IsFound Search result. Only valid if EFI_SUCCESS r= eturned.=0D =0D - @return TRUE The certificate hash is found in the forbidden database.= =0D - @return FALSE The certificate hash is not found in the forbidden databa= se.=0D + @retval EFI_SUCCESS Finished the search without any error.=0D + @retval Others Error occurred in the search of database.= =0D =0D **/=0D -BOOLEAN=0D +EFI_STATUS=0D IsCertHashFoundInDatabase (=0D IN UINT8 *Certificate,=0D IN UINTN CertSize,=0D IN EFI_SIGNATURE_LIST *SignatureList,=0D IN UINTN SignatureListSize,=0D - OUT EFI_TIME *RevocationTime=0D + OUT EFI_TIME *RevocationTime,=0D + OUT BOOLEAN *IsFound=0D )=0D {=0D - BOOLEAN IsFound;=0D - BOOLEAN Status;=0D + EFI_STATUS Status;=0D EFI_SIGNATURE_LIST *DbxList;=0D UINTN DbxSize;=0D EFI_SIGNATURE_DATA *CertHash;=0D @@ -851,21 +852,22 @@ IsCertHashFoundInDatabase ( UINT8 *TBSCert;=0D UINTN TBSCertSize;=0D =0D - IsFound =3D FALSE;=0D + Status =3D EFI_ABORTED;=0D + *IsFound =3D FALSE;=0D DbxList =3D SignatureList;=0D DbxSize =3D SignatureListSize;=0D HashCtx =3D NULL;=0D HashAlg =3D HASHALG_MAX;=0D =0D if ((RevocationTime =3D=3D NULL) || (DbxList =3D=3D NULL)) {=0D - return FALSE;=0D + return EFI_INVALID_PARAMETER;=0D }=0D =0D //=0D // Retrieve the TBSCertificate from the X.509 Certificate.=0D //=0D if (!X509GetTBSCert (Certificate, CertSize, &TBSCert, &TBSCertSize)) {=0D - return FALSE;=0D + return Status;=0D }=0D =0D while ((DbxSize > 0) && (SignatureListSize >=3D DbxList->SignatureListSi= ze)) {=0D @@ -895,16 +897,13 @@ IsCertHashFoundInDatabase ( if (HashCtx =3D=3D NULL) {=0D goto Done;=0D }=0D - Status =3D mHash[HashAlg].HashInit (HashCtx);=0D - if (!Status) {=0D + if (!mHash[HashAlg].HashInit (HashCtx)) {=0D goto Done;=0D }=0D - Status =3D mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize);= =0D - if (!Status) {=0D + if (!mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize)) {=0D goto Done;=0D }=0D - Status =3D mHash[HashAlg].HashFinal (HashCtx, CertDigest);=0D - if (!Status) {=0D + if (!mHash[HashAlg].HashFinal (HashCtx, CertDigest)) {=0D goto Done;=0D }=0D =0D @@ -923,7 +922,8 @@ IsCertHashFoundInDatabase ( //=0D // Hash of Certificate is found in forbidden database.=0D //=0D - IsFound =3D TRUE;=0D + Status =3D EFI_SUCCESS;=0D + *IsFound =3D TRUE;=0D =0D //=0D // Return the revocation time.=0D @@ -938,12 +938,14 @@ IsCertHashFoundInDatabase ( DbxList =3D (EFI_SIGNATURE_LIST *) ((UINT8 *) DbxList + DbxList->Sign= atureListSize);=0D }=0D =0D + Status =3D EFI_SUCCESS;=0D +=0D Done:=0D if (HashCtx !=3D NULL) {=0D FreePool (HashCtx);=0D }=0D =0D - return IsFound;=0D + return Status;=0D }=0D =0D /**=0D @@ -1216,6 +1218,7 @@ IsForbiddenByDbx ( {=0D EFI_STATUS Status;=0D BOOLEAN IsForbidden;=0D + BOOLEAN IsFound;=0D UINT8 *Data;=0D UINTN DataSize;=0D EFI_SIGNATURE_LIST *CertList;=0D @@ -1344,20 +1347,29 @@ IsForbiddenByDbx ( //=0D CertPtr =3D CertPtr + sizeof (UINT32) + CertSize;=0D =0D - if (IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)D= ata, DataSize, &RevocationTime)) {=0D + Status =3D IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_L= IST *)Data, DataSize, &RevocationTime, &IsFound);=0D + if (EFI_ERROR (Status)) {=0D //=0D - // Check the timestamp signature and signing time to determine if th= e image can be trusted.=0D + // Error in searching dbx. Consider it as 'found'. RevocationTime mi= ght=0D + // not be valid in such situation.=0D //=0D IsForbidden =3D TRUE;=0D + } else if (IsFound) {=0D + //=0D + // Found Cert in dbx successfully. Check the timestamp signature and= =0D + // signing time to determine if the image can be trusted.=0D + //=0D if (PassTimestampCheck (AuthData, AuthDataSize, &RevocationTime)) {= =0D IsForbidden =3D FALSE;=0D //=0D // Pass DBT check. Continue to check other certs in image signer's= cert list against DBX, DBT=0D //=0D continue;=0D + } else {=0D + IsForbidden =3D TRUE;=0D + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but = signature failed the timestamp check.\n"));=0D + goto Done;=0D }=0D - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but si= gnature failed the timestamp check.\n"));=0D - goto Done;=0D }=0D =0D }=0D @@ -1392,6 +1404,7 @@ IsAllowedByDb ( {=0D EFI_STATUS Status;=0D BOOLEAN VerifyStatus;=0D + BOOLEAN IsFound;=0D EFI_SIGNATURE_LIST *CertList;=0D EFI_SIGNATURE_DATA *CertData;=0D UINTN DataSize;=0D @@ -1498,7 +1511,14 @@ IsAllowedByDb ( //=0D // Here We still need to check if this RootCert's Hash is revo= ked=0D //=0D - if (IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SI= GNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime)) {=0D + Status =3D IsCertHashFoundInDatabase (RootCert, RootCertSize, = (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime, &IsFound);=0D + if (EFI_ERROR (Status)) {=0D + //=0D + // Error in searching dbx. Consider it as 'found'. Revocatio= nTime might=0D + // not be valid in such situation.=0D + //=0D + VerifyStatus =3D FALSE;=0D + } else if (IsFound) {=0D //=0D // Check the timestamp signature and signing time to determi= ne if the RootCert can be trusted.=0D //=0D --=20 2.24.0.windows.2