From: "Kun Qin" <kuqin12@gmail.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>, Min Xu <min.m.xu@intel.com>
Subject: [PATCH v1 06/11] SecurityPkg: SecureBootVariableProvisionLib: Updated implementation
Date: Wed,  4 May 2022 11:04:32 -0700	[thread overview]
Message-ID: <20220504180438.1321-7-kuqin12@gmail.com> (raw)
In-Reply-To: <20220504180438.1321-1-kuqin12@gmail.com>

From: Kun Qin <kuqin@microsoft.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910

This change pairs with the previous SecureBootVariableLib changes: it
removes the explicit invocation of `CreateTimeBasedPayload` and uses the
new interface `EnrollFromInput` instead.

The original `SecureBootFetchData` is also moved to this library and
incorporated with the newly defined `SecureBootCreateDataFromInput` to
keep the original code flow.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>

Signed-off-by: Kun Qin <kun.qin@microsoft.com>
---
 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 145 ++++++++++++++++----
 1 file changed, 115 insertions(+), 30 deletions(-)

diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
index 536b0f369907..bed1fe86205d 100644
--- a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
+++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
@@ -8,10 +8,13 @@
   Copyright (c) 2021, Semihalf All rights reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
+#include <Uefi.h>
+#include <UefiSecureBoot.h>
 #include <Guid/GlobalVariable.h>
 #include <Guid/AuthenticatedVariableFormat.h>
 #include <Guid/ImageAuthentication.h>
 #include <Library/BaseLib.h>
+#include <Library/BaseCryptLib.h>
 #include <Library/BaseMemoryLib.h>
 #include <Library/DebugLib.h>
 #include <Library/UefiLib.h>
@@ -19,6 +22,117 @@
 #include <Library/UefiRuntimeServicesTableLib.h>
 #include <Library/SecureBootVariableLib.h>
 #include <Library/SecureBootVariableProvisionLib.h>
+#include <Library/DxeServicesLib.h>
+
+/**
+  Create a EFI Signature List with data fetched from section specified as a argument.
+  Found keys are verified using RsaGetPublicKeyFromX509().
+
+  @param[in]        KeyFileGuid    A pointer to to the FFS filename GUID
+  @param[out]       SigListsSize   A pointer to size of signature list
+  @param[out]       SigListOut    a pointer to a callee-allocated buffer with signature lists
+
+  @retval EFI_SUCCESS              Create time based payload successfully.
+  @retval EFI_NOT_FOUND            Section with key has not been found.
+  @retval EFI_INVALID_PARAMETER    Embedded key has a wrong format.
+  @retval Others                   Unexpected error happens.
+
+**/
+STATIC
+EFI_STATUS
+SecureBootFetchData (
+  IN  EFI_GUID            *KeyFileGuid,
+  OUT UINTN               *SigListsSize,
+  OUT EFI_SIGNATURE_LIST  **SigListOut
+  )
+{
+  EFI_SIGNATURE_LIST            *EfiSig;
+  EFI_STATUS                    Status;
+  VOID                          *Buffer;
+  VOID                          *RsaPubKey;
+  UINTN                         Size;
+  UINTN                         KeyIndex;
+  UINTN                         Index;
+  SECURE_BOOT_CERTIFICATE_INFO  *CertInfo;
+  SECURE_BOOT_CERTIFICATE_INFO  *NewCertInfo;
+
+  KeyIndex      = 0;
+  EfiSig        = NULL;
+  *SigListOut   = NULL;
+  *SigListsSize = 0;
+  CertInfo      = AllocatePool (sizeof (SECURE_BOOT_CERTIFICATE_INFO));
+  NewCertInfo   = CertInfo;
+  while (1) {
+    if (NewCertInfo == NULL) {
+      Status = EFI_OUT_OF_RESOURCES;
+      break;
+    } else {
+      CertInfo = NewCertInfo;
+    }
+
+    Status = GetSectionFromAnyFv (
+               KeyFileGuid,
+               EFI_SECTION_RAW,
+               KeyIndex,
+               &Buffer,
+               &Size
+               );
+
+    if (Status == EFI_SUCCESS) {
+      RsaPubKey = NULL;
+      if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
+        DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+        if (EfiSig != NULL) {
+          FreePool (EfiSig);
+        }
+
+        FreePool (Buffer);
+        Status = EFI_INVALID_PARAMETER;
+        break;
+      }
+
+      CertInfo[KeyIndex].Data     = Buffer;
+      CertInfo[KeyIndex].DataSize = Size;
+      KeyIndex++;
+      NewCertInfo = ReallocatePool (
+                      sizeof (SECURE_BOOT_CERTIFICATE_INFO) * KeyIndex,
+                      sizeof (SECURE_BOOT_CERTIFICATE_INFO) * (KeyIndex + 1),
+                      CertInfo
+                      );
+    }
+
+    if (Status == EFI_NOT_FOUND) {
+      Status = EFI_SUCCESS;
+      break;
+    }
+  }
+
+  if (EFI_ERROR (Status)) {
+    goto Cleanup;
+  }
+
+  if (KeyIndex == 0) {
+    Status = EFI_NOT_FOUND;
+    goto Cleanup;
+  }
+
+  // Now that we collected all certs from FV, convert it into sig list
+  Status = SecureBootCreateDataFromInput (SigListsSize, SigListOut, KeyIndex, CertInfo);
+  if (EFI_ERROR (Status)) {
+    goto Cleanup;
+  }
+
+Cleanup:
+  if (CertInfo) {
+    for (Index = 0; Index < KeyIndex; Index++) {
+      FreePool ((VOID *)CertInfo[Index].Data);
+    }
+
+    FreePool (CertInfo);
+  }
+
+  return Status;
+}
 
 /**
   Enroll a key/certificate based on a default variable.
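Review bot: The `while (1)` loop in SecureBootFetchData breaks only on allocation failure, an invalid certificate or `EFI_NOT_FOUND`, so any other error from `GetSectionFromAnyFv` leaves `KeyIndex` unchanged and retries the same section; if that error is persistent, the loop never terminates and provisioning stalls during boot. Treat every error as terminal, e.g. `if (EFI_ERROR (Status)) { if (Status == EFI_NOT_FOUND) { Status = EFI_SUCCESS; } break; }`. Separately, the RSA context returned through `RsaPubKey` is never released; it is only used to validate the certificate, so add `RsaFree (RsaPubKey);` once the check succeeds. The `EfiSig` local is never assigned, which makes its `FreePool` branch dead code, and `KeyIndex` is a `UINTN` printed with `%d`. The header comment should also list `EFI_OUT_OF_RESOURCES` and describe `EFI_SUCCESS` as the signature list being created rather than a time-based payload.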
@@ -52,36 +166,7 @@ EnrollFromDefault (
     return Status;
   }
 
-  CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
-  if (EFI_ERROR (Status)) {
-    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
-    return Status;
-  }
-
-  //
-  // Allocate memory for auth variable
-  //
-  Status = gRT->SetVariable (
-                  VariableName,
-                  VendorGuid,
-                  (EFI_VARIABLE_NON_VOLATILE |
-                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
-                   EFI_VARIABLE_RUNTIME_ACCESS |
-                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
-                  DataSize,
-                  Data
-                  );
-
-  if (EFI_ERROR (Status)) {
-    DEBUG ((
-      DEBUG_ERROR,
-      "error: %a (\"%s\", %g): %r\n",
-      __FUNCTION__,
-      VariableName,
-      VendorGuid,
-      Status
-      ));
-  }
+  Status = EnrollFromInput (VariableName, VendorGuid, DataSize, Data);
 
   if (Data != NULL) {
     FreePool (Data);
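Review bot: A failed enrollment is no longer reported at this call site: the removed block logged the variable name, GUID and status when `SetVariable` failed, while the new line only stores the result of `EnrollFromInput` in `Status`. Whether `EnrollFromInput` logs on its own is not visible here; if it does not, keep a diagnostic such as `DEBUG ((DEBUG_ERROR, "%a: failed to enroll \"%s\" (%g): %r\n", __FUNCTION__, VariableName, VendorGuid, Status));` after the call, since a silently skipped Secure Boot key enrollment is hard to spot later. EnrollFromDefault starts and ends outside this hunk, so how `Status` is propagated after `FreePool (Data)` should be confirmed there.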
-- 
2.34.1.windows.1

