From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) by mx.groups.io with SMTP id smtpd.web11.11125.1655152805061859977 for ; Mon, 13 Jun 2022 13:40:05 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=LGyhoGCv; spf=pass (domain: gmail.com, ip: 209.85.210.179, mailfrom: kuqin12@gmail.com) Received: by mail-pf1-f179.google.com with SMTP id w21so6806558pfc.0 for ; Mon, 13 Jun 2022 13:40:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=MAm4rdT/bULUKOmGeAjPXJuVJZl2+JkxSlNum9ugPAA=; b=LGyhoGCvvljTarbsTtDXVYztricGTzy2J+j+6MB+UPa415FQr0i1e+BbsIcuVu1CAR UDIYQQhjAGBD23m+ZOS1gPGdDTFo8c5Kbzpn8cH+0MOc7PAe86yOQ5F4W2JQLLvVwSkf AOq/vfNyTBiCRI+qul+9fLmOnBZeSYrI6fzpoxJprARPCqqfSj8GgxKiDwRZk74anrxF zeq7AYFU+NOYuMlGbcLxpezWUqgUPZKZjXFi64/o3sY2zN81rS90eClW+FwNK9bSfbqi JiFxT5BvKp780rsXGY8U3CHm7nJB0e2w0tznFZiLX5ll2Gdi5ujcCmyS76d4N28qrqMq S0sw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=MAm4rdT/bULUKOmGeAjPXJuVJZl2+JkxSlNum9ugPAA=; b=SpIKQmWjZKM11Hprj6T52D1W3uZ1IkobYMFzNsW0b1TxTJN/ZJuLvETXhYeVfffqFj izb2JwCVsHjdRaWOAkmPD2G54ghoBcMvhPIhEFkgFAn70eNGmhfmMDnkpEDZsmMp4A41 9ACjs0ErmeCDye5tolizW+NQ2IoxxmffcmOgPmwFsaeF6qx1IVmw5EMtICJ1ixIg3SIb 9ri96QSo2acSsZrk14JGzwUZxET6P9OnYS7ScHi5LUjpr8RFMceNFG97qsWEwS7wFDiQ j77q/hmzuR6YgV8yytDRELg/Bh6jnP29u76wvGSdHb5N9n1VJrQAKI/gASyhA1CxCKn2 Pzjg== X-Gm-Message-State: AOAM533roo7eGTu9g/58uqscZO23QURKNBjCzsgoSkb/qDYqBg3iHonm UUmmqVglNZ3snQ5JJKwBZkL6vih/9ES/mA== X-Google-Smtp-Source: ABdhPJxNkPF562eApP1yjtIGcAmePS6KL1hhU9ria8ODgHJgszjrTNzfWXcx9MnCJwZmrrb5RLRz5g== X-Received: by 2002:a65:48c6:0:b0:401:bf2a:6e0c with SMTP id o6-20020a6548c6000000b00401bf2a6e0cmr1224502pgs.530.1655152804362; Mon, 13 Jun 2022 13:40:04 -0700 (PDT) Return-Path: Received: from localhost.localdomain ([50.35.66.9]) by smtp.gmail.com with ESMTPSA id g14-20020a17090a578e00b001ea90dada74sm5603239pji.12.2022.06.13.13.40.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Jun 2022 13:40:03 -0700 (PDT) From: "Kun Qin" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu Subject: [PATCH v2 06/11] SecurityPkg: SecureBootVariableProvisionLib: Updated implementation Date: Mon, 13 Jun 2022 13:39:37 -0700 Message-Id: <20220613203943.704-7-kuqin12@gmail.com> X-Mailer: git-send-email 2.35.1.windows.2 In-Reply-To: <20220613203943.704-1-kuqin12@gmail.com> References: <20220613203943.704-1-kuqin12@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Kun Qin REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910 This change is in pair with the previous SecureBootVariableLib, which removes the explicit invocation of `CreateTimeBasedPayload` and used new interface `EnrollFromInput` instead. The original `SecureBootFetchData` is also moved to this library and incorporated with the newly defined `SecureBootCreateDataFromInput` to keep the original code flow. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Signed-off-by: Kun Qin --- SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 145 ++++++++++++++++---- 1 file changed, 115 insertions(+), 30 deletions(-) diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c index 536b0f369907..bed1fe86205d 100644 --- a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c @@ -8,10 +8,13 @@ Copyright (c) 2021, Semihalf All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#include #include #include #include #include +#include #include #include #include @@ -19,6 +22,117 @@ #include #include #include +#include + +/** + Create a EFI Signature List with data fetched from section specified as a argument. + Found keys are verified using RsaGetPublicKeyFromX509(). + + @param[in] KeyFileGuid A pointer to to the FFS filename GUID + @param[out] SigListsSize A pointer to size of signature list + @param[out] SigListOut a pointer to a callee-allocated buffer with signature lists + + @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_NOT_FOUND Section with key has not been found. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval Others Unexpected error happens. + +**/ +STATIC +EFI_STATUS +SecureBootFetchData ( + IN EFI_GUID *KeyFileGuid, + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + EFI_STATUS Status; + VOID *Buffer; + VOID *RsaPubKey; + UINTN Size; + UINTN KeyIndex; + UINTN Index; + SECURE_BOOT_CERTIFICATE_INFO *CertInfo; + SECURE_BOOT_CERTIFICATE_INFO *NewCertInfo; + + KeyIndex = 0; + EfiSig = NULL; + *SigListOut = NULL; + *SigListsSize = 0; + CertInfo = AllocatePool (sizeof (SECURE_BOOT_CERTIFICATE_INFO)); + NewCertInfo = CertInfo; + while (1) { + if (NewCertInfo == NULL) { + Status = EFI_OUT_OF_RESOURCES; + break; + } else { + CertInfo = NewCertInfo; + } + + Status = GetSectionFromAnyFv ( + KeyFileGuid, + EFI_SECTION_RAW, + KeyIndex, + &Buffer, + &Size + ); + + if (Status == EFI_SUCCESS) { + RsaPubKey = NULL; + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) { + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex)); + if (EfiSig != NULL) { + FreePool (EfiSig); + } + + FreePool (Buffer); + Status = EFI_INVALID_PARAMETER; + break; + } + + CertInfo[KeyIndex].Data = Buffer; + CertInfo[KeyIndex].DataSize = Size; + KeyIndex++; + NewCertInfo = ReallocatePool ( + sizeof (SECURE_BOOT_CERTIFICATE_INFO) * KeyIndex, + sizeof (SECURE_BOOT_CERTIFICATE_INFO) * (KeyIndex + 1), + CertInfo + ); + } + + if (Status == EFI_NOT_FOUND) { + Status = EFI_SUCCESS; + break; + } + } + + if (EFI_ERROR (Status)) { + goto Cleanup; + } + + if (KeyIndex == 0) { + Status = EFI_NOT_FOUND; + goto Cleanup; + } + + // Now that we collected all certs from FV, convert it into sig list + Status = SecureBootCreateDataFromInput (SigListsSize, SigListOut, KeyIndex, CertInfo); + if (EFI_ERROR (Status)) { + goto Cleanup; + } + +Cleanup: + if (CertInfo) { + for (Index = 0; Index < KeyIndex; Index++) { + FreePool ((VOID *)CertInfo[Index].Data); + } + + FreePool (CertInfo); + } + + return Status; +} /** Enroll a key/certificate based on a default variable. @@ -52,36 +166,7 @@ EnrollFromDefault ( return Status; } - CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); - return Status; - } - - // - // Allocate memory for auth variable - // - Status = gRT->SetVariable ( - VariableName, - VendorGuid, - (EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS | - EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), - DataSize, - Data - ); - - if (EFI_ERROR (Status)) { - DEBUG (( - DEBUG_ERROR, - "error: %a (\"%s\", %g): %r\n", - __FUNCTION__, - VariableName, - VendorGuid, - Status - )); - } + Status = EnrollFromInput (VariableName, VendorGuid, DataSize, Data); if (Data != NULL) { FreePool (Data); -- 2.35.1.windows.2