From: "Kun Qin" <kuqin12@gmail.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
Jian J Wang <jian.j.wang@intel.com>, Min Xu <min.m.xu@intel.com>,
Jiewen Yao <Jiewen.yao@intel.com>,
Michael Kubacki <michael.kubacki@microsoft.com>
Subject: [PATCH v3 04/11] SecurityPkg: SecureBootVariableLib: Updated signature list creator
Date: Thu, 30 Jun 2022 16:53:34 -0700 [thread overview]
Message-ID: <20220630235341.1746-5-kuqin12@gmail.com> (raw)
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
From: kuqin <kuqin@microsoft.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910
This change removes the interface of SecureBootFetchData, and replaced
it with `SecureBootCreateDataFromInput`, which will require caller to
prepare available certificates in defined structures.
This improvement will eliminate the dependency of reading from FV,
extending the availability of this library instance.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Michael Kubacki <michael.kubacki@microsoft.com>
---
Notes:
v3:
- Added reviewed-by tag [Jiewen]
- Added acked-by tag [Michael Kubacki]
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 69 +++++++++++---------
SecurityPkg/Include/Library/SecureBootVariableLib.h | 25 ++++---
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 3 -
3 files changed, 53 insertions(+), 44 deletions(-)
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
index 3b33a356aba3..f56f0322e943 100644
--- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
@@ -10,10 +10,10 @@
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Uefi.h>
+#include <UefiSecureBoot.h>
#include <Guid/GlobalVariable.h>
#include <Guid/AuthenticatedVariableFormat.h>
#include <Guid/ImageAuthentication.h>
-#include <Library/BaseCryptLib.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
@@ -21,7 +21,6 @@
#include <Library/MemoryAllocationLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/SecureBootVariableLib.h>
-#include "Library/DxeServicesLib.h"
// This time can be used when deleting variables, as it should be greater than any variable time.
EFI_TIME mMaxTimestamp = {
@@ -130,24 +129,29 @@ ConcatenateSigList (
}
/**
- Create a EFI Signature List with data fetched from section specified as a argument.
- Found keys are verified using RsaGetPublicKeyFromX509().
+ Create a EFI Signature List with data supplied from input argument.
+ The input certificates from KeyInfo parameter should be DER-encoded
+ format.
- @param[in] KeyFileGuid A pointer to to the FFS filename GUID
@param[out] SigListsSize A pointer to size of signature list
- @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists
+ @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists
+ @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo.
+ @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded,
+ to be concatenated into signature lists.
- @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_SUCCESS Created signature list from payload successfully.
@retval EFI_NOT_FOUND Section with key has not been found.
- @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL.
@retval Others Unexpected error happens.
**/
EFI_STATUS
-SecureBootFetchData (
- IN EFI_GUID *KeyFileGuid,
- OUT UINTN *SigListsSize,
- OUT EFI_SIGNATURE_LIST **SigListOut
+EFIAPI
+SecureBootCreateDataFromInput (
+ OUT UINTN *SigListsSize,
+ OUT EFI_SIGNATURE_LIST **SigListOut,
+ IN UINTN KeyInfoCount,
+ IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo
)
{
EFI_SIGNATURE_LIST *EfiSig;
@@ -155,36 +159,41 @@ SecureBootFetchData (
EFI_SIGNATURE_LIST *TmpEfiSig2;
EFI_STATUS Status;
VOID *Buffer;
- VOID *RsaPubKey;
UINTN Size;
+ UINTN InputIndex;
UINTN KeyIndex;
+ if ((SigListOut == NULL) || (SigListsSize == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((KeyInfoCount == 0) || (KeyInfo == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ InputIndex = 0;
KeyIndex = 0;
EfiSig = NULL;
*SigListsSize = 0;
- while (1) {
- Status = GetSectionFromAnyFv (
- KeyFileGuid,
- EFI_SECTION_RAW,
- KeyIndex,
- &Buffer,
- &Size
- );
-
- if (Status == EFI_SUCCESS) {
- RsaPubKey = NULL;
- if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
- DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+ while (InputIndex < KeyInfoCount) {
+ if (KeyInfo[InputIndex].Data != NULL) {
+ Size = KeyInfo[InputIndex].DataSize;
+ Buffer = AllocateCopyPool (Size, KeyInfo[InputIndex].Data);
+ if (Buffer == NULL) {
if (EfiSig != NULL) {
FreePool (EfiSig);
}
- FreePool (Buffer);
- return EFI_INVALID_PARAMETER;
+ return EFI_OUT_OF_RESOURCES;
}
Status = CreateSigList (Buffer, Size, &TmpEfiSig);
+ if (EFI_ERROR (Status)) {
+ FreePool (Buffer);
+ break;
+ }
+
//
// Concatenate lists if more than one section found
//
@@ -202,9 +211,7 @@ SecureBootFetchData (
FreePool (Buffer);
}
- if (Status == EFI_NOT_FOUND) {
- break;
- }
+ InputIndex++;
}
if (KeyIndex == 0) {
diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h
index 9f2d41220b70..24ff0df067fa 100644
--- a/SecurityPkg/Include/Library/SecureBootVariableLib.h
+++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h
@@ -44,24 +44,29 @@ GetSetupMode (
);
/**
- Create a EFI Signature List with data fetched from section specified as a argument.
- Found keys are verified using RsaGetPublicKeyFromX509().
+ Create a EFI Signature List with data supplied from input argument.
+ The input certificates from KeyInfo parameter should be DER-encoded
+ format.
- @param[in] KeyFileGuid A pointer to to the FFS filename GUID
@param[out] SigListsSize A pointer to size of signature list
- @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists
+ @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists
+ @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo.
+ @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded,
+ to be concatenated into signature lists.
- @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_SUCCESS Created signature list from payload successfully.
@retval EFI_NOT_FOUND Section with key has not been found.
- @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL.
@retval Others Unexpected error happens.
--*/
EFI_STATUS
-SecureBootFetchData (
- IN EFI_GUID *KeyFileGuid,
- OUT UINTN *SigListsSize,
- OUT EFI_SIGNATURE_LIST **SigListOut
+EFIAPI
+SecureBootCreateDataFromInput (
+ OUT UINTN *SigListsSize,
+ OUT EFI_SIGNATURE_LIST **SigListOut,
+ IN UINTN KeyInfoCount,
+ IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo
);
/**
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
index 87db5a258021..3d4b77cfb073 100644
--- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
@@ -32,15 +32,12 @@ [Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec
- CryptoPkg/CryptoPkg.dec
[LibraryClasses]
BaseLib
BaseMemoryLib
DebugLib
MemoryAllocationLib
- BaseCryptLib
- DxeServicesLib
[Guids]
## CONSUMES ## Variable:L"SetupMode"
--
2.36.0.windows.1
next prev parent reply other threads:[~2022-06-30 23:53 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-30 23:53 [PATCH v3 00/11] Enhance Secure Boot Variable Libraries Kun Qin
2022-06-30 23:53 ` [PATCH v3 01/11] SecurityPkg: UefiSecureBoot: Definitions of cert and payload structures Kun Qin
2022-06-30 23:53 ` [PATCH v3 02/11] SecurityPkg: PlatformPKProtectionLib: Added PK protection interface Kun Qin
2022-06-30 23:53 ` [PATCH v3 03/11] SecurityPkg: SecureBootVariableLib: Updated time based payload creator Kun Qin
2022-06-30 23:53 ` Kun Qin [this message]
2022-06-30 23:53 ` [PATCH v3 05/11] SecurityPkg: SecureBootVariableLib: Added newly supported interfaces Kun Qin
2022-06-30 23:53 ` [PATCH v3 06/11] SecurityPkg: SecureBootVariableProvisionLib: Updated implementation Kun Qin
2022-06-30 23:53 ` [PATCH v3 07/11] SecurityPkg: Secure Boot Drivers: Added common header files Kun Qin
2022-06-30 23:53 ` [PATCH v3 08/11] SecurityPkg: SecureBootConfigDxe: Updated invocation pattern Kun Qin
2022-06-30 23:53 ` [PATCH v3 09/11] SecurityPkg: SecureBootVariableLib: Added unit tests Kun Qin
2022-06-30 23:53 ` [PATCH v3 10/11] OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency Kun Qin
2022-06-30 23:53 ` [PATCH v3 11/11] EmulatorPkg: " Kun Qin
2022-07-06 5:19 ` [edk2-devel] [PATCH v3 00/11] Enhance Secure Boot Variable Libraries Yao, Jiewen
2022-07-06 17:44 ` Kun Qin
2022-07-07 1:09 ` Yao, Jiewen
2022-07-07 1:10 ` Kun Qin
2022-07-08 16:38 ` Ard Biesheuvel
2022-07-08 20:03 ` Kun Qin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220630235341.1746-5-kuqin12@gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox