From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com [209.85.167.44]) by mx.groups.io with SMTP id smtpd.web12.11004.1633523138135408822 for ; Wed, 06 Oct 2021 05:25:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@semihalf-com.20210112.gappssmtp.com header.s=20210112 header.b=tWfCULsl; spf=none, err=SPF record not found (domain: semihalf.com, ip: 209.85.167.44, mailfrom: gjb@semihalf.com) Received: by mail-lf1-f44.google.com with SMTP id y15so9672182lfk.7 for ; Wed, 06 Oct 2021 05:25:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=semihalf-com.20210112.gappssmtp.com; s=20210112; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Sgie3PIR4/v6dDc+Z8Qs4zuG8yT/lXE3EGMbYSMgHCY=; b=tWfCULslSh1bCainhV1xeHM22zdJEvsTWVV03nxL8HpDR7JhKU66OfffdtJIFookqo X697wN0NLmQwTJPWPdmKGFBnQmhAOpNIV5a2AUDWVpkvi29nBPavu8O51UJdok+15UuJ T7tYIBmrw1q++ozAioZ8S7KtXFreTTWi7cu2MMqRtactluqT6iQlitbEBpgJP0yZ1PcR FgW/CNWCO4S+1xrjoeFvo2L8+9jp1ye6WhjYIN9PWPDmSx8V2sk1F6m9lWE+a657nCRw SQYnBiPFLhwZFUUAQfSLXEj3sS58PUdy57AzH7GIkoxOlSwN+pluBtyt7kNS3Jw1zvGl LupA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Sgie3PIR4/v6dDc+Z8Qs4zuG8yT/lXE3EGMbYSMgHCY=; b=Bg9lOWWUGK8W8u0Tp6NnOGKKGr4Wb2xnzTNdjtgUEuLLKsgyupAZpshKgHPPM8H1kW LfrDuyYNlgRVsloIVng7Voht8Jz0xUuC3ohlReCS+hKyFKD8cXpiZZxdJmiu9CTwtNd1 5aWuQPzk1gOzxVvzN6X4DC8TE0kT8TVL+Hxx7SrbAu6bja6gE8mvvwX611fypjSYhFqH wj0gNW2CQpuctvEcnYnLwr8kjQ6x/zlqSCs7sCzypP3XTCWxmDJxmJxXWCR3Mq9kULEY XyIfqc0IRNntVNXDJf/k+0hrH99oJQZ3K5nfAE8mc/TqmpcqXwtwm0oDMwOzzqkUL8+e Iriw== X-Gm-Message-State: AOAM532xmWLffDuhdar/MOn+THyNizz9hfzH/MYCnpdwjPtdyYFc4uSD PVBZTNltIvJiPcZRS17jSmYlZT0BU8QZSXhn X-Google-Smtp-Source: ABdhPJz0vaQgG+k8JJo1OkpeDTztLJXbGk/AK4PIoeO8G6od8dqMdJSoVqlL458G6zkNKuYdYH4Onw== X-Received: by 2002:a19:9102:: with SMTP 
id t2mr3944538lfd.431.1633523135811; Wed, 06 Oct 2021 05:25:35 -0700 (PDT) Return-Path: Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id s11sm687460lfd.95.2021.10.06.05.25.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Oct 2021 05:25:35 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: jiewen.yao@intel.com, jian.j.wang@intel.com, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, Grzegorz Bernacki Subject: [PATCH v1] SecurityPkg: Improve initialization of default key variables. Date: Wed, 6 Oct 2021 14:25:25 +0200 Message-Id: <20211006122525.1893234-1-gjb@semihalf.com> X-Mailer: git-send-email 2.29.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit This commit allows to use data in EFI_VARIABLE_AUTHENTICATION_2 structure format to initialize default secure boot variables. It allows to use revocation list published by UEFI. Signed-off-by: Grzegorz Bernacki --- SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 90 ++++++++++++-------- 1 file changed, 56 insertions(+), 34 deletions(-) diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index ff65184713..1f8869b1d2 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c 
@@ -73,20 +73,19 @@ CreateSigList ( /** Adds new signature list to signature database. - @param[in] SigLists A pointer to signature database. - @param[in] SigListAppend A signature list to be added. - @param[out] *SigListOut Created signature database. + @param[in,out] SigLists A pointer to signature database. + @param[in] SigListAppend A signature list to be added. @param[in, out] SigListsSize A size of created signature database. @retval EFI_SUCCESS Signature List was added successfully. @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. + @retval EFI_INVALID_PARAMETER Invalid parameters. **/ STATIC EFI_STATUS ConcatenateSigList ( - IN EFI_SIGNATURE_LIST *SigLists, + IN EFI_SIGNATURE_LIST **SigLists, IN EFI_SIGNATURE_LIST *SigListAppend, - OUT EFI_SIGNATURE_LIST **SigListOut, IN OUT UINTN *SigListsSize ) { @@ -94,6 +93,10 @@ ConcatenateSigList ( UINT8 *Offset; UINTN NewSigListsSize; + if ((SigLists == NULL) || (SigListsSize == NULL) || (SigListAppend == NULL)) { + return EFI_INVALID_PARAMETER; + } + NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize; TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize); @@ -101,14 +104,17 @@ ConcatenateSigList ( return EFI_OUT_OF_RESOURCES; } - CopyMem (TmpSigList, SigLists, *SigListsSize); + if (*SigLists != NULL) { + CopyMem (TmpSigList, *SigLists, *SigListsSize); + FreePool(*SigLists); + } Offset = (UINT8 *)TmpSigList; Offset += *SigListsSize; CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize); *SigListsSize = NewSigListsSize; - *SigListOut = TmpSigList; + *SigLists = TmpSigList; return EFI_SUCCESS; } @@ -133,14 +139,15 @@ SecureBootFetchData ( OUT EFI_SIGNATURE_LIST **SigListOut ) { + EFI_VARIABLE_AUTHENTICATION_2 *Auth2; EFI_SIGNATURE_LIST *EfiSig; EFI_SIGNATURE_LIST *TmpEfiSig; - EFI_SIGNATURE_LIST *TmpEfiSig2; EFI_STATUS Status; VOID *Buffer; VOID *RsaPubKey; UINTN Size; UINTN KeyIndex; + UINTN SigListOffset; KeyIndex = 0; 
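Review bot: The prototype in this first hunk still marks `SigLists` as `IN`, although the header comment now says `[in,out]` and the later hunk frees `*SigLists` and stores the new buffer through it; declare it `IN OUT EFI_SIGNATURE_LIST **SigLists`. The `@param` text should state the ownership change, for example `@param[in, out] SigLists  On input the current database (may point to NULL); on success the old buffer is freed and replaced by a newly allocated one.` Callers that keep or free the previous pointer after a successful call would otherwise hit a use-after-free or double free. The spelling `[in,out]` also differs from the `[in, out]` used for `SigListsSize` just below it. The function body continues outside this hunk.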
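Review bot: In the `@@ -94,6 +93,10 @@` hunk the sum `*SigListsSize + SigListAppend->SignatureListSize` directly after the new NULL check is still unchecked. With this patch `SignatureListSize` can be read straight out of an EFI_VARIABLE_AUTHENTICATION_2 payload. If the addition wraps (most plausible on 32-bit builds), `AllocateZeroPool` receives a too-small size and the two `CopyMem` calls that follow write past the allocation. Reject the case before adding: `if (SigListAppend->SignatureListSize > MAX_UINTN - *SigListsSize) { return EFI_INVALID_PARAMETER; }`.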
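Review bot: In the `@@ -101,14 +104,17 @@` hunk, a NULL `*SigLists` skips the copy but `Offset` is still advanced by `*SigListsSize`, so a NULL list paired with a non-zero size yields a database that begins with a zero-filled gap. Tie the two together in the parameter check: `if ((*SigLists == NULL) && (*SigListsSize != 0)) { return EFI_INVALID_PARAMETER; }`. This matters for SecureBootFetchData, because the last hunk removes the `*SigListsSize = TmpEfiSig->SignatureListSize` assignment. Whether the size is zeroed before the loop is not visible here and should be confirmed. As a style point, `FreePool(*SigLists);` should be `FreePool (*SigLists);` to match the spacing of the surrounding calls.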
@@ -154,42 +161,57 @@ SecureBootFetchData ( &Buffer, &Size ); + if (Status == EFI_NOT_FOUND && KeyIndex > 0) { + break; + } else if (EFI_ERROR(Status)) { + if (EfiSig != NULL) { + FreePool(EfiSig); + } + return EFI_INVALID_PARAMETER; + } - if (Status == EFI_SUCCESS) { - RsaPubKey = NULL; - if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) { - DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex)); + RsaPubKey = NULL; + Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)Buffer; + if ((Auth2->AuthInfo.Hdr.wCertificateType == WIN_CERT_TYPE_EFI_GUID) && + (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType) == TRUE)) { + + SigListOffset = Auth2->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)); + TmpEfiSig = (EFI_SIGNATURE_LIST *) &Auth2->AuthInfo.CertData[SigListOffset]; + Size -= OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo); + Size -= OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); + Size -= SigListOffset; + + while (Size > 0) { + ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize); + Size -= TmpEfiSig->SignatureListSize; + TmpEfiSig = (EFI_SIGNATURE_LIST *)((UINT8 *)TmpEfiSig + TmpEfiSig->SignatureListSize); + } + } else if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == TRUE) { + Status = CreateSigList (Buffer, Size, &TmpEfiSig); + + if (EFI_ERROR(Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot create a sig list\n", __FUNCTION__)); if (EfiSig != NULL) { FreePool(EfiSig); } FreePool(Buffer); - return EFI_INVALID_PARAMETER; - } - Status = CreateSigList (Buffer, Size, &TmpEfiSig); - - // - // Concatenate lists if more than one section found - // - if (KeyIndex == 0) { - EfiSig = TmpEfiSig; - *SigListsSize = TmpEfiSig->SignatureListSize; - } else { - ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize); - FreePool (EfiSig); - FreePool (TmpEfiSig); - EfiSig = TmpEfiSig2; + return Status; } - KeyIndex++; - FreePool (Buffer); - } if (Status == EFI_NOT_FOUND) { - break; + 
ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize); + FreePool (TmpEfiSig); + } else { + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex)); + if (EfiSig != NULL) { + FreePool(EfiSig); + } + FreePool(Buffer); + return EFI_INVALID_PARAMETER; } - }; - if (KeyIndex == 0) { - return EFI_NOT_FOUND; + KeyIndex++; + FreePool (Buffer); } *SigListOut = EfiSig; -- 2.25.1
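Review bot: The new EFI_VARIABLE_AUTHENTICATION_2 branch trusts every length field it reads from the section. `Auth2->AuthInfo` is dereferenced before `Size` is known to cover the headers, `dwLength` is used as an offset without being compared to `Size`, and the `while (Size > 0)` loop subtracts `SignatureListSize` from an unsigned `Size`. A zero or oversized value therefore either never terminates or wraps and walks `TmpEfiSig` past the end of `Buffer`. The return value of `ConcatenateSigList` is also dropped, both here and in the X.509 branch, so an allocation failure goes unnoticed and the function can return a partial or NULL list as success. The bounds-checked form below reuses the existing locals and error-return pattern; the X.509 branch should check `ConcatenateSigList` the same way. The enclosing loop of SecureBootFetchData starts outside this hunk.

```c
    RsaPubKey = NULL;
    Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)Buffer;
    if ((Size >= OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) &&
        (Auth2->AuthInfo.Hdr.wCertificateType == WIN_CERT_TYPE_EFI_GUID) &&
        (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType) == TRUE)) {
      Size -= OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo);
      //
      // dwLength counts the WIN_CERTIFICATE_UEFI_GUID header plus CertData, so it
      // must fit in what is left of the section before it is used as an offset.
      //
      if ((Auth2->AuthInfo.Hdr.dwLength < OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) ||
          (Auth2->AuthInfo.Hdr.dwLength > Size)) {
        Status = EFI_INVALID_PARAMETER;
      } else {
        SigListOffset = Auth2->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
        TmpEfiSig = (EFI_SIGNATURE_LIST *) &Auth2->AuthInfo.CertData[SigListOffset];
        Size -= Auth2->AuthInfo.Hdr.dwLength;
      }

      while (!EFI_ERROR (Status) && (Size > 0)) {
        //
        // Each list must at least hold its own header and must not claim more
        // bytes than remain in the section.
        //
        if ((Size < sizeof (EFI_SIGNATURE_LIST)) ||
            (TmpEfiSig->SignatureListSize < sizeof (EFI_SIGNATURE_LIST)) ||
            (TmpEfiSig->SignatureListSize > Size)) {
          Status = EFI_INVALID_PARAMETER;
          break;
        }
        Status = ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize);
        if (EFI_ERROR (Status)) {
          break;
        }
        Size -= TmpEfiSig->SignatureListSize;
        TmpEfiSig = (EFI_SIGNATURE_LIST *)((UINT8 *)TmpEfiSig + TmpEfiSig->SignatureListSize);
      }

      if (EFI_ERROR (Status)) {
        if (EfiSig != NULL) {
          FreePool (EfiSig);
        }
        FreePool (Buffer);
        return Status;
      }
    } else if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == TRUE) {
      // … unchanged: CreateSigList call and its error path …
```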