From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com [209.85.215.180]) by mx.groups.io with SMTP id smtpd.web08.733.1651687494569713531 for ; Wed, 04 May 2022 11:04:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=VUNZAE//; spf=pass (domain: gmail.com, ip: 209.85.215.180, mailfrom: kuqin12@gmail.com) Received: by mail-pg1-f180.google.com with SMTP id k14so1793382pga.0 for ; Wed, 04 May 2022 11:04:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=n8XTjeAmiKdIcACyKrh8vv/N3jOTDNlUWhlbp3MDcio=; b=VUNZAE//KMJsas88+q6RIgKwdl2Y0honDTwz5gdVd+Ffirk4TLeUS0HgiG2FJA3+Mq tXdMtHXDuVDPZfRxupQGbdsnmOurgUbsoWTSxlBt+D+Y9E3ipYEHPQPgQii6L2HeTtDq sbXle4tj5YawdCWzTiVyfnvfzmXGamGqe/kVcPs8e9+EqVVLvu0sFFET8/UKhwr66Q9d Uo3UYAjXMKhfSM3UjoP4/2UuPxJOoAsMJUTv647ytN/Xy8pzTnVaTt4JgmwbLGm+ZnmB 4hg5ickKni6BaQr/z+mh9zZBjME8CCnwCijXJ1m6QoRVFXEJhiLlUKqdzF2taHus6aLg swww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=n8XTjeAmiKdIcACyKrh8vv/N3jOTDNlUWhlbp3MDcio=; b=cM8tGpEQe38w+Q79tfDp34BYCoUtSt/Azl0t+C8LbrftHrZF37bNzbhIjhCBhq40C7 1KUKMOppXwckomphvGzRJyNp295QQevRCZslNZpatI4JaU1839Cjv0s/XKHyD/h+eFGC OT5CgndSg7ttgVO100OzcSl+3hx9N5wbawbr8a9s/HWVzpeqHhFTHhG9MbyMApR2K5Hc +fsyggXjTDNtiFnNl32zhfzauYLNF3xmTMKNkqZax+MMYBKDAr9OArvs/e3jCL4EcCQo jYfd2RZJ6vOPjjTk/xT9Mhd9EGJoffGfVuDX4iHWbs1lnOr1SZjTJO3N1uQ0YFlB/vSr c0Nw== X-Gm-Message-State: AOAM5329mVN3xJoH8oPQxdaZuinlxQ43my6Xei6WSeoaEpO3XfDBYTYY Wxk159yn/1Mt7Now0y0Qb88LvLXmsx+pNg== X-Google-Smtp-Source: ABdhPJwhp+LuNUzO33au7AVRrTlvY6RfOMmJrOs+xIx9JJWLLvR2Br37MuAjE7I5aV3j7+65Pp5jXw== X-Received: by 2002:a65:638d:0:b0:39d:74ad:ce0b with SMTP id h13-20020a65638d000000b0039d74adce0bmr19278594pgv.103.1651687493988; Wed, 04 May 2022 11:04:53 -0700 (PDT) Return-Path: Received: from localhost.localdomain ([50.47.82.110]) by smtp.gmail.com with ESMTPSA id n5-20020aa79045000000b0050dc7628143sm8496347pfo.29.2022.05.04.11.04.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 May 2022 11:04:53 -0700 (PDT) From: "Kun Qin" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu Subject: [PATCH v1 04/11] SecurityPkg: SecureBootVariableLib: Updated signature list creator Date: Wed, 4 May 2022 11:04:30 -0700 Message-Id: <20220504180438.1321-5-kuqin12@gmail.com> X-Mailer: git-send-email 2.35.1.windows.2 In-Reply-To: <20220504180438.1321-1-kuqin12@gmail.com> References: <20220504180438.1321-1-kuqin12@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: kuqin REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910 This change removes the interface of SecureBootFetchData, and replaced it with `SecureBootCreateDataFromInput`, which will require caller to prepare available certificates in defined structures. This improvement will eliminate the dependency of reading from FV, extending the availability of this library instance. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Signed-off-by: Kun Qin --- SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 69 +++++++++++--------- SecurityPkg/Include/Library/SecureBootVariableLib.h | 25 ++++--- SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 3 - 3 files changed, 53 insertions(+), 44 deletions(-) diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index 3b33a356aba3..f56f0322e943 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -10,10 +10,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include +#include #include #include #include -#include #include #include #include @@ -21,7 +21,6 @@ #include #include #include -#include "Library/DxeServicesLib.h" // This time can be used when deleting variables, as it should be greater than any variable time. EFI_TIME mMaxTimestamp = { @@ -130,24 +129,29 @@ ConcatenateSigList ( } /** - Create a EFI Signature List with data fetched from section specified as a argument. - Found keys are verified using RsaGetPublicKeyFromX509(). + Create a EFI Signature List with data supplied from input argument. + The input certificates from KeyInfo parameter should be DER-encoded + format. - @param[in] KeyFileGuid A pointer to to the FFS filename GUID @param[out] SigListsSize A pointer to size of signature list - @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists + @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists + @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo. + @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded, + to be concatenated into signature lists. - @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_SUCCESS Created signature list from payload successfully. @retval EFI_NOT_FOUND Section with key has not been found. - @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL. @retval Others Unexpected error happens. **/ EFI_STATUS -SecureBootFetchData ( - IN EFI_GUID *KeyFileGuid, - OUT UINTN *SigListsSize, - OUT EFI_SIGNATURE_LIST **SigListOut +EFIAPI +SecureBootCreateDataFromInput ( + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN UINTN KeyInfoCount, + IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo ) { EFI_SIGNATURE_LIST *EfiSig; @@ -155,36 +159,41 @@ SecureBootFetchData ( EFI_SIGNATURE_LIST *TmpEfiSig2; EFI_STATUS Status; VOID *Buffer; - VOID *RsaPubKey; UINTN Size; + UINTN InputIndex; UINTN KeyIndex; + if ((SigListOut == NULL) || (SigListsSize == NULL)) { + return EFI_INVALID_PARAMETER; + } + + if ((KeyInfoCount == 0) || (KeyInfo == NULL)) { + return EFI_INVALID_PARAMETER; + } + + InputIndex = 0; KeyIndex = 0; EfiSig = NULL; *SigListsSize = 0; - while (1) { - Status = GetSectionFromAnyFv ( - KeyFileGuid, - EFI_SECTION_RAW, - KeyIndex, - &Buffer, - &Size - ); - - if (Status == EFI_SUCCESS) { - RsaPubKey = NULL; - if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) { - DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex)); + while (InputIndex < KeyInfoCount) { + if (KeyInfo[InputIndex].Data != NULL) { + Size = KeyInfo[InputIndex].DataSize; + Buffer = AllocateCopyPool (Size, KeyInfo[InputIndex].Data); + if (Buffer == NULL) { if (EfiSig != NULL) { FreePool (EfiSig); } - FreePool (Buffer); - return EFI_INVALID_PARAMETER; + return EFI_OUT_OF_RESOURCES; } Status = CreateSigList (Buffer, Size, &TmpEfiSig); + if (EFI_ERROR (Status)) { + FreePool (Buffer); + break; + } + // // Concatenate lists if more than one section found // @@ -202,9 +211,7 @@ SecureBootFetchData ( FreePool (Buffer); } - if (Status == EFI_NOT_FOUND) { - break; - } + InputIndex++; } if (KeyIndex == 0) { diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h index 9f2d41220b70..24ff0df067fa 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h @@ -44,24 +44,29 @@ GetSetupMode ( ); /** - Create a EFI Signature List with data fetched from section specified as a argument. - Found keys are verified using RsaGetPublicKeyFromX509(). + Create a EFI Signature List with data supplied from input argument. + The input certificates from KeyInfo parameter should be DER-encoded + format. - @param[in] KeyFileGuid A pointer to to the FFS filename GUID @param[out] SigListsSize A pointer to size of signature list - @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists + @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists + @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo. + @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded, + to be concatenated into signature lists. - @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_SUCCESS Created signature list from payload successfully. @retval EFI_NOT_FOUND Section with key has not been found. - @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL. @retval Others Unexpected error happens. --*/ EFI_STATUS -SecureBootFetchData ( - IN EFI_GUID *KeyFileGuid, - OUT UINTN *SigListsSize, - OUT EFI_SIGNATURE_LIST **SigListOut +EFIAPI +SecureBootCreateDataFromInput ( + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN UINTN KeyInfoCount, + IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo ); /** diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf index 87db5a258021..3d4b77cfb073 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf @@ -32,15 +32,12 @@ [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec SecurityPkg/SecurityPkg.dec - CryptoPkg/CryptoPkg.dec [LibraryClasses] BaseLib BaseMemoryLib DebugLib MemoryAllocationLib - BaseCryptLib - DxeServicesLib [Guids] ## CONSUMES ## Variable:L"SetupMode" -- 2.34.1.windows.1