From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu
Subject: [PATCH v1 06/11] SecurityPkg: SecureBootVariableProvisionLib: Updated implementation
Date: Wed, 4 May 2022 11:04:32 -0700
Message-Id: <20220504180438.1321-7-kuqin12@gmail.com>
X-Mailer: git-send-email 2.35.1.windows.2
In-Reply-To: <20220504180438.1321-1-kuqin12@gmail.com>
References: <20220504180438.1321-1-kuqin12@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Kun Qin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910

This change is in pair with the previous SecureBootVariableLib, which
removes the explicit invocation of `CreateTimeBasedPayload` and uses the
new interface `EnrollFromInput` instead.

The original `SecureBootFetchData` is also moved to this library and
incorporated with the newly defined `SecureBootCreateDataFromInput` to
keep the original code flow.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin
---
 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 145 ++++++++++++++++----
 1 file changed, 115 insertions(+), 30 deletions(-)

diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c index 536b0f369907..bed1fe86205d 100644 --- a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
@@ -8,10 +8,13 @@ Copyright (c) 2021, Semihalf All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#include #include #include #include #include +#include #include #include #include 
@@ -19,6 +22,117 @@ #include #include #include +#include + +/** + Create a EFI Signature List with data fetched from section specified as a argument. + Found keys are verified using RsaGetPublicKeyFromX509(). + + @param[in] KeyFileGuid A pointer to to the FFS filename GUID + @param[out] SigListsSize A pointer to size of signature list + @param[out] SigListOut a pointer to a callee-allocated buffer with signature lists + + @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_NOT_FOUND Section with key has not been found. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval Others Unexpected error happens. + +**/ +STATIC +EFI_STATUS +SecureBootFetchData ( + IN EFI_GUID *KeyFileGuid, + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + EFI_STATUS Status; + VOID *Buffer; + VOID *RsaPubKey; + UINTN Size; + UINTN KeyIndex; + UINTN Index; + SECURE_BOOT_CERTIFICATE_INFO *CertInfo; + SECURE_BOOT_CERTIFICATE_INFO *NewCertInfo; + + KeyIndex = 0; + EfiSig = NULL; + *SigListOut = NULL; + *SigListsSize = 0; + CertInfo = AllocatePool (sizeof (SECURE_BOOT_CERTIFICATE_INFO)); + NewCertInfo = CertInfo; + while (1) { + if (NewCertInfo == NULL) { + Status = EFI_OUT_OF_RESOURCES; + break; + } else { + CertInfo = NewCertInfo; + } + + Status = GetSectionFromAnyFv ( + KeyFileGuid, + EFI_SECTION_RAW, + KeyIndex, + &Buffer, + &Size + ); + + if (Status == EFI_SUCCESS) { + RsaPubKey = NULL; + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) { + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex)); + if (EfiSig != NULL) { + FreePool (EfiSig); + } + + FreePool (Buffer); + Status = EFI_INVALID_PARAMETER; + break; + } + + CertInfo[KeyIndex].Data = Buffer; + CertInfo[KeyIndex].DataSize = Size; + KeyIndex++; + NewCertInfo = ReallocatePool ( + sizeof (SECURE_BOOT_CERTIFICATE_INFO) * KeyIndex, + sizeof (SECURE_BOOT_CERTIFICATE_INFO) * (KeyIndex + 1), + CertInfo + ); + 
} + + if (Status == EFI_NOT_FOUND) { + Status = EFI_SUCCESS; + break; + } + } + + if (EFI_ERROR (Status)) { + goto Cleanup; + } + + if (KeyIndex == 0) { + Status = EFI_NOT_FOUND; + goto Cleanup; + } + + // Now that we collected all certs from FV, convert it into sig list + Status = SecureBootCreateDataFromInput (SigListsSize, SigListOut, KeyIndex, CertInfo); + if (EFI_ERROR (Status)) { + goto Cleanup; + } + +Cleanup: + if (CertInfo) { + for (Index = 0; Index < KeyIndex; Index++) { + FreePool ((VOID *)CertInfo[Index].Data); + } + + FreePool (CertInfo); + } + + return Status; +} /** Enroll a key/certificate based on a default variable. @@ -52,36 +166,7 @@ EnrollFromDefault ( return Status; } - CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); - return Status; - } - - // - // Allocate memory for auth variable - // - Status = gRT->SetVariable ( - VariableName, - VendorGuid, - (EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS | - EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), - DataSize, - Data - ); - - if (EFI_ERROR (Status)) { - DEBUG (( - DEBUG_ERROR, - "error: %a (\"%s\", %g): %r\n", - __FUNCTION__, - VariableName, - VendorGuid, - Status - )); - } + Status = EnrollFromInput (VariableName, VendorGuid, DataSize, Data); if (Data != NULL) { FreePool (Data); -- 2.34.1.windows.1
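Review bot: in SecureBootFetchData, the `while (1)` loop only exits on EFI_NOT_FOUND, an invalid key or a failed allocation, so if GetSectionFromAnyFv returns any other error the loop retries the same KeyIndex forever and the boot path hangs. Suggest breaking on any EFI_ERROR (Status) other than EFI_NOT_FOUND and letting the existing `goto Cleanup` path return it. In the same loop, RsaPubKey is filled by RsaGetPublicKeyFromX509 for every certificate and is never released in the visible code; call RsaFree (RsaPubKey) once the format check has passed. Smaller points: EfiSig is never assigned after `EfiSig = NULL`, so the `FreePool (EfiSig)` branch is dead code; the header comment still describes EFI_SUCCESS as "Create time based payload successfully" and contains "pointer to to"; and `if (CertInfo)` should be an explicit `CertInfo != NULL` comparison like the other NULL checks in this function.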
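Review bot: in EnrollFromDefault, the new `Status = EnrollFromInput (VariableName, VendorGuid, DataSize, Data);` call replaces a block that logged the variable name, GUID and status at DEBUG_ERROR when SetVariable failed, and nothing at this call site reports a failure any more. Unless EnrollFromInput logs on its own, add an `if (EFI_ERROR (Status))` DEBUG message after the call so that a failed enrollment of a default Secure Boot key stays visible in the boot log.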