From: "Grzegorz Bernacki" <gjb@semihalf.com>
To: devel@edk2.groups.io
Cc: jiewen.yao@intel.com, jian.j.wang@intel.com,
Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com,
mw@semihalf.com, upstream@semihalf.com,
Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v1] SecurityPkg: Improve initialization of default key variables.
Date: Wed, 6 Oct 2021 14:25:25 +0200 [thread overview]
Message-ID: <20211006122525.1893234-1-gjb@semihalf.com> (raw)
This commit allows data in the EFI_VARIABLE_AUTHENTICATION_2
structure format to be used to initialize the default Secure Boot variables.
This makes it possible to use the revocation list published by UEFI.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 90 ++++++++++++--------
1 file changed, 56 insertions(+), 34 deletions(-)
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
index ff65184713..1f8869b1d2 100644
--- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
@@ -73,20 +73,19 @@ CreateSigList (
/** Adds new signature list to signature database.
- @param[in] SigLists A pointer to signature database.
- @param[in] SigListAppend A signature list to be added.
- @param[out] *SigListOut Created signature database.
+ @param[in,out] SigLists A pointer to signature database.
+ @param[in] SigListAppend A signature list to be added.
@param[in, out] SigListsSize A size of created signature database.
@retval EFI_SUCCESS Signature List was added successfully.
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
+ @retval EFI_INVALID_PARAMETER Invalid parameters.
**/
STATIC
EFI_STATUS
ConcatenateSigList (
- IN EFI_SIGNATURE_LIST *SigLists,
+ IN EFI_SIGNATURE_LIST **SigLists,
IN EFI_SIGNATURE_LIST *SigListAppend,
- OUT EFI_SIGNATURE_LIST **SigListOut,
IN OUT UINTN *SigListsSize
)
{
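Review bot: The new `@param[in,out] SigLists` line does not say what the function now does with the buffer it points to, and that is the part of this change callers must know: in the later hunk the old database is released with `FreePool(*SigLists)` before `*SigLists` is repointed at the new allocation, so a caller that keeps the original pointer holds a dangling one. I would document it as `@param[in,out] SigLists  A pointer to the signature database. May point to NULL for an empty database; on success the previous buffer is freed and replaced by the new one.` and give the new retval a cause, `@retval EFI_INVALID_PARAMETER  SigLists, SigListAppend or SigListsSize is NULL.`. ConcatenateSigList's body continues past the end of this hunk.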
@@ -94,6 +93,10 @@ ConcatenateSigList (
UINT8 *Offset;
UINTN NewSigListsSize;
+ if ((SigLists == NULL) || (SigListsSize == NULL) || (SigListAppend == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);
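Review bot: The added guard rejects a NULL `SigLists` but still accepts `*SigLists == NULL` together with a non-zero `*SigListsSize`; the next hunk then skips the copy for a NULL `*SigLists` yet still writes the appended list at offset `*SigListsSize`, so the result is a database with a zero-filled hole at its start that later parsers will read as a signature list of size zero. Since an empty database must have size zero, extend the check with `if ((*SigLists == NULL) && (*SigListsSize != 0)) { return EFI_INVALID_PARAMETER; }` before `NewSigListsSize` is computed. ConcatenateSigList starts before this hunk.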
@@ -101,14 +104,17 @@ ConcatenateSigList (
return EFI_OUT_OF_RESOURCES;
}
- CopyMem (TmpSigList, SigLists, *SigListsSize);
+ if (*SigLists != NULL) {
+ CopyMem (TmpSigList, *SigLists, *SigListsSize);
+ FreePool(*SigLists);
+ }
Offset = (UINT8 *)TmpSigList;
Offset += *SigListsSize;
CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);
*SigListsSize = NewSigListsSize;
- *SigListOut = TmpSigList;
+ *SigLists = TmpSigList;
return EFI_SUCCESS;
}
@@ -133,14 +139,15 @@ SecureBootFetchData (
OUT EFI_SIGNATURE_LIST **SigListOut
)
{
+ EFI_VARIABLE_AUTHENTICATION_2 *Auth2;
EFI_SIGNATURE_LIST *EfiSig;
EFI_SIGNATURE_LIST *TmpEfiSig;
- EFI_SIGNATURE_LIST *TmpEfiSig2;
EFI_STATUS Status;
VOID *Buffer;
VOID *RsaPubKey;
UINTN Size;
UINTN KeyIndex;
+ UINTN SigListOffset;
KeyIndex = 0;
@@ -154,42 +161,57 @@ SecureBootFetchData (
&Buffer,
&Size
);
+ if (Status == EFI_NOT_FOUND && KeyIndex > 0) {
+ break;
+ } else if (EFI_ERROR(Status)) {
+ if (EfiSig != NULL) {
+ FreePool(EfiSig);
+ }
+ return EFI_INVALID_PARAMETER;
+ }
- if (Status == EFI_SUCCESS) {
- RsaPubKey = NULL;
- if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
- DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+ RsaPubKey = NULL;
+ Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)Buffer;
+ if ((Auth2->AuthInfo.Hdr.wCertificateType == WIN_CERT_TYPE_EFI_GUID) &&
+ (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType) == TRUE)) {
+
+ SigListOffset = Auth2->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
+ TmpEfiSig = (EFI_SIGNATURE_LIST *) &Auth2->AuthInfo.CertData[SigListOffset];
+ Size -= OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo);
+ Size -= OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
+ Size -= SigListOffset;
+
+ while (Size > 0) {
+ ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize);
+ Size -= TmpEfiSig->SignatureListSize;
+ TmpEfiSig = (EFI_SIGNATURE_LIST *)((UINT8 *)TmpEfiSig + TmpEfiSig->SignatureListSize);
+ }
+ } else if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == TRUE) {
+ Status = CreateSigList (Buffer, Size, &TmpEfiSig);
+
+ if (EFI_ERROR(Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: Cannot create a sig list\n", __FUNCTION__));
if (EfiSig != NULL) {
FreePool(EfiSig);
}
FreePool(Buffer);
- return EFI_INVALID_PARAMETER;
- }
- Status = CreateSigList (Buffer, Size, &TmpEfiSig);
-
- //
- // Concatenate lists if more than one section found
- //
- if (KeyIndex == 0) {
- EfiSig = TmpEfiSig;
- *SigListsSize = TmpEfiSig->SignatureListSize;
- } else {
- ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
- FreePool (EfiSig);
- FreePool (TmpEfiSig);
- EfiSig = TmpEfiSig2;
+ return Status;
}
- KeyIndex++;
- FreePool (Buffer);
- } if (Status == EFI_NOT_FOUND) {
- break;
+ ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize);
+ FreePool (TmpEfiSig);
+ } else {
+ DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+ if (EfiSig != NULL) {
+ FreePool(EfiSig);
+ }
+ FreePool(Buffer);
+ return EFI_INVALID_PARAMETER;
}
- };
- if (KeyIndex == 0) {
- return EFI_NOT_FOUND;
+ KeyIndex++;
+ FreePool (Buffer);
}
*SigListOut = EfiSig;
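Review bot: The EFI_VARIABLE_AUTHENTICATION_2 branch reads `Auth2->AuthInfo.Hdr` and then walks the embedded signature lists without checking any of it against `Size`: nothing guarantees the section is at least a header long, `dwLength` may be smaller than `OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)` or larger than the section, the three unsigned `Size -=` subtractions wrap on underflow, and inside `while (Size > 0)` a `SignatureListSize` of zero never advances while one larger than the remaining bytes wraps `Size` and keeps reading past the buffer. The two `ConcatenateSigList` calls also discard their status, so an allocation failure leaves a truncated database and the function still reports success. The rewrite below bounds the certificate header and each list against the bytes that remain and propagates the status; the section appears to come from a firmware volume rather than from a variable write, but a parser of `EFI_VARIABLE_AUTHENTICATION_2` data should refuse malformed input rather than wrap. Separately, with the old `if (KeyIndex == 0) return EFI_NOT_FOUND;` tail removed, a platform that embeds no default key at all now gets EFI_INVALID_PARAMETER from the `EFI_ERROR(Status)` branch at the top of the loop; if callers distinguish the two, make that branch `return (Status == EFI_NOT_FOUND) ? EFI_NOT_FOUND : EFI_INVALID_PARAMETER;`. SecureBootFetchData starts before this hunk and the loop header and the initialization of `EfiSig` are outside it.
```c
      RsaPubKey = NULL;
      Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)Buffer;
      if ((Size >= OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) &&
          (Auth2->AuthInfo.Hdr.wCertificateType == WIN_CERT_TYPE_EFI_GUID) &&
          (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType) == TRUE)) {
        //
        // The WIN_CERTIFICATE must cover at least its own header and must not
        // extend past the section; the signature lists follow it.
        //
        Status = EFI_SUCCESS;
        Size  -= OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo);
        if ((Auth2->AuthInfo.Hdr.dwLength < OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) ||
            (Auth2->AuthInfo.Hdr.dwLength > Size)) {
          Status = EFI_INVALID_PARAMETER;
        } else {
          SigListOffset = Auth2->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
          TmpEfiSig = (EFI_SIGNATURE_LIST *) &Auth2->AuthInfo.CertData[SigListOffset];
          Size -= Auth2->AuthInfo.Hdr.dwLength;

          while (Size > 0) {
            //
            // Each list needs a full header and must fit in what is left;
            // a zero SignatureListSize would otherwise never advance.
            //
            if ((Size < sizeof (EFI_SIGNATURE_LIST)) ||
                (TmpEfiSig->SignatureListSize < sizeof (EFI_SIGNATURE_LIST)) ||
                (TmpEfiSig->SignatureListSize > Size)) {
              Status = EFI_INVALID_PARAMETER;
              break;
            }
            Status = ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize);
            if (EFI_ERROR (Status)) {
              break;
            }
            Size -= TmpEfiSig->SignatureListSize;
            TmpEfiSig = (EFI_SIGNATURE_LIST *)((UINT8 *)TmpEfiSig + TmpEfiSig->SignatureListSize);
          }
        }
        if (EFI_ERROR (Status)) {
          DEBUG ((DEBUG_ERROR, "%a: Malformed or unusable signature data: %d\n", __FUNCTION__, KeyIndex));
          if (EfiSig != NULL) {
            FreePool (EfiSig);
          }
          FreePool (Buffer);
          return Status;
        }
      } else if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == TRUE) {
        // … unchanged: CreateSigList call and its error path …
        Status = ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize);
        FreePool (TmpEfiSig);
        if (EFI_ERROR (Status)) {
          // … same cleanup as above: free EfiSig and Buffer, return Status …
        }
      } else {
        // … unchanged: invalid key format path …
      }
```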
--
2.25.1