From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu
Subject: [PATCH v2 04/11] SecurityPkg: SecureBootVariableLib: Updated signature list creator
Date: Mon, 13 Jun 2022 13:39:35 -0700
Message-Id: <20220613203943.704-5-kuqin12@gmail.com>
In-Reply-To: <20220613203943.704-1-kuqin12@gmail.com>
References: <20220613203943.704-1-kuqin12@gmail.com>

From: kuqin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910

This change removes the interface of SecureBootFetchData, and replaces it with `SecureBootCreateDataFromInput`, which will require the caller to prepare available certificates in defined structures.

This improvement will eliminate the dependency of reading from FV, extending the availability of this library instance.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin
---
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c   | 69 +++++++++++---------
 SecurityPkg/Include/Library/SecureBootVariableLib.h                 | 25 ++++---
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf |  3 -
 3 files changed, 53 insertions(+), 44 deletions(-)

diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index 3b33a356aba3..f56f0322e943 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
@@ -10,10 +10,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include +#include #include #include #include -#include #include #include #include @@ -21,7 +21,6 @@ #include #include #include -#include "Library/DxeServicesLib.h" // This time can be used when deleting variables, as it should be greater than any variable time. EFI_TIME mMaxTimestamp = { @@ -130,24 +129,29 @@ ConcatenateSigList ( } /** - Create a EFI Signature List with data fetched from section specified as a argument. - Found keys are verified using RsaGetPublicKeyFromX509(). + Create a EFI Signature List with data supplied from input argument. + The input certificates from KeyInfo parameter should be DER-encoded + format. - @param[in] KeyFileGuid A pointer to to the FFS filename GUID @param[out] SigListsSize A pointer to size of signature list - @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists + @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists + @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo. + @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded, + to be concatenated into signature lists. - @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_SUCCESS Created signature list from payload successfully. @retval EFI_NOT_FOUND Section with key has not been found. - @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL. @retval Others Unexpected error happens. **/ EFI_STATUS -SecureBootFetchData ( - IN EFI_GUID *KeyFileGuid, - OUT UINTN *SigListsSize, - OUT EFI_SIGNATURE_LIST **SigListOut +EFIAPI +SecureBootCreateDataFromInput ( + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN UINTN KeyInfoCount, + IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo ) { EFI_SIGNATURE_LIST *EfiSig; 
@@ -155,36 +159,41 @@ SecureBootFetchData ( EFI_SIGNATURE_LIST *TmpEfiSig2; EFI_STATUS Status; VOID *Buffer; - VOID *RsaPubKey; UINTN Size; + UINTN InputIndex; UINTN KeyIndex; + if ((SigListOut == NULL) || (SigListsSize == NULL)) { + return EFI_INVALID_PARAMETER; + } + + if ((KeyInfoCount == 0) || (KeyInfo == NULL)) { + return EFI_INVALID_PARAMETER; + } + + InputIndex = 0; KeyIndex = 0; EfiSig = NULL; *SigListsSize = 0; - while (1) { - Status = GetSectionFromAnyFv ( - KeyFileGuid, - EFI_SECTION_RAW, - KeyIndex, - &Buffer, - &Size - ); - - if (Status == EFI_SUCCESS) { - RsaPubKey = NULL; - if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) { - DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex)); + while (InputIndex < KeyInfoCount) { + if (KeyInfo[InputIndex].Data != NULL) { + Size = KeyInfo[InputIndex].DataSize; + Buffer = AllocateCopyPool (Size, KeyInfo[InputIndex].Data); + if (Buffer == NULL) { if (EfiSig != NULL) { FreePool (EfiSig); } - FreePool (Buffer); - return EFI_INVALID_PARAMETER; + return EFI_OUT_OF_RESOURCES; } Status = CreateSigList (Buffer, Size, &TmpEfiSig); + if (EFI_ERROR (Status)) { + FreePool (Buffer); + break; + } + // // Concatenate lists if more than one section found // @@ -202,9 +211,7 @@ SecureBootFetchData ( FreePool (Buffer); } - if (Status == EFI_NOT_FOUND) { - break; - } + InputIndex++; } if (KeyIndex == 0) { diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h index 9f2d41220b70..24ff0df067fa 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h 
@@ -44,24 +44,29 @@ GetSetupMode ( ); /** - Create a EFI Signature List with data fetched from section specified as a argument. - Found keys are verified using RsaGetPublicKeyFromX509(). + Create a EFI Signature List with data supplied from input argument. + The input certificates from KeyInfo parameter should be DER-encoded + format. - @param[in] KeyFileGuid A pointer to to the FFS filename GUID @param[out] SigListsSize A pointer to size of signature list - @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists + @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists + @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo. + @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded, + to be concatenated into signature lists. - @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_SUCCESS Created signature list from payload successfully. @retval EFI_NOT_FOUND Section with key has not been found. - @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL. @retval Others Unexpected error happens. --*/ EFI_STATUS -SecureBootFetchData ( - IN EFI_GUID *KeyFileGuid, - OUT UINTN *SigListsSize, - OUT EFI_SIGNATURE_LIST **SigListOut +EFIAPI +SecureBootCreateDataFromInput ( + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN UINTN KeyInfoCount, + IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo ); /** diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf index 87db5a258021..3d4b77cfb073 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf 
@@ -32,15 +32,12 @@ [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec SecurityPkg/SecurityPkg.dec - CryptoPkg/CryptoPkg.dec [LibraryClasses] BaseLib BaseMemoryLib DebugLib MemoryAllocationLib - BaseCryptLib - DxeServicesLib [Guids] ## CONSUMES ## Variable:L"SetupMode" -- 2.35.1.windows.2
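
Review bot: In SecureBootVariableLib.c (hunk at -130,24), the function comment for SecureBootCreateDataFromInput drops "Found keys are verified using RsaGetPublicKeyFromX509()" and now only says the KeyInfo certificates "should be DER-encoded", so the contract no longer states who validates the input. Because the output is an EFI_SIGNATURE_LIST built directly from caller-supplied bytes, the comment should say explicitly that this function does not parse or verify the data and that the caller must pass already validated X.509 certificates, or a format check should stay in the library.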
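
Review bot: In the loop of SecureBootCreateDataFromInput (hunk at -155,36), the new `if (EFI_ERROR (Status)) { FreePool (Buffer); break; }` path leaves the loop without freeing the partially built EfiSig and falls through to the `if (KeyIndex == 0)` check, while the allocation-failure path just above it frees EfiSig and returns. Unless the code after the loop, which is not visible in this hunk, tests Status, a CreateSigList failure on a later certificate could hand back a truncated list as if it were complete; free EfiSig and return Status at that point instead of breaking. Entries with `Data == NULL` are also skipped silently and DataSize is never checked for zero, so consider returning EFI_INVALID_PARAMETER for such entries rather than continuing.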
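
Review bot: In SecureBootVariableLib.h (hunk at -44,24), the @retval list for SecureBootCreateDataFromInput still describes EFI_NOT_FOUND as "Section with key has not been found", which no longer fits a function that reads no FV sections, and it omits EFI_OUT_OF_RESOURCES, which the implementation now returns when AllocateCopyPool fails. Update both here and in the matching comment in the .c file, and since SigListOut is documented as a callee-allocated buffer, state how the caller is expected to release it. SECURE_BOOT_CERTIFICATE_INFO appears in the prototype but is not declared in this hunk, so the commit message should mention which patch in the series introduces the type.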