From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by mx.groups.io with SMTP id smtpd.web12.32570.1656633239877360344 for ; Thu, 30 Jun 2022 16:53:59 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=BEH0mb3G; spf=pass (domain: gmail.com, ip: 209.85.210.180, mailfrom: kuqin12@gmail.com) Received: by mail-pf1-f180.google.com with SMTP id a15so849216pfv.13 for ; Thu, 30 Jun 2022 16:53:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=cS8KWMxtlDItspHdhlnXxQdbjSCua28xDUo6RmIsiYA=; b=BEH0mb3Gb+zo2fd8UuL4Bj7Lz2ydxUULDB15tXKNfUGmcIqptl/D6c8R6OiDlmaSjp Enrf2hd3AHHMeRYZhRruZtYaDH5tBuvi6EDQ+6s2wtv1cKH8LdW93NntRgT2P3UjXh3T 6GJSKYo6q+nrOkPJuq3lyL4SneoTl5zNH8o3DqiKHAnpHE9jBAOyKPPadzzlnlUlz1uQ S6AyDbuV3bQGOwmx/nGL+TPUHXVPEpC2NgoBYPNsUbi9+uQvEL3JaY3/2oZGtDnHFoEl iUdkVS445BSQcWkAITL33RrTY1d88FYEd5MQqbRkUx3NpO1X4E4uWP0uA0G3b0dKXXj7 PeZQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=cS8KWMxtlDItspHdhlnXxQdbjSCua28xDUo6RmIsiYA=; b=3376rYUQ47qaoZ/SxV5gSvrUllo3NNnVBOvlzxWdxD80JVzRGl1eoQ3KG3jIRY6YC+ K9Tz6ZdmJOawXlt/iFAapgm7Hbw2mnfn6WCQWQjzRTSzM2ZmOutcgYGKW3IZlePsTU8H sM/LDwAef+j0aNjvyUuzuMnn1x6r+JzYQL1PYV2G1L+N3bErO0TWjahtaIdpzDumEJET Sq2I25MlnzdjbAEqU9N6n1YAeTZmOQiPz3pZWLszH/qjUmKj+O81P3H/pEMSebCCdPmh o7/ywZKxkykdlFNinSXHN2X2qllOiBETpKDZLLM6x6FRQaBVLBAuesAc6holwKcn5SG0 L14w== X-Gm-Message-State: AJIora+c7LBJndNbGe2/6QTxk7kGw/22yPqLeugA9+jbzHJKGuxRBHNf mvU4LJgd86YUwMXLl63v33qHie37LtQ= X-Google-Smtp-Source: AGRyM1syaX4jGucvksqTDxFFWoaAzFFtR5GktazDEspD0iBHluigh2MLxpIkIvl+g7F/9msgb249+g== X-Received: by 2002:a63:7417:0:b0:40c:99b5:a866 with SMTP id p23-20020a637417000000b0040c99b5a866mr10097942pgc.73.1656633239265; Thu, 30 Jun 2022 16:53:59 -0700 (PDT) Return-Path: Received: from MININT-0U7P5GU.redmond.corp.microsoft.com ([2001:4898:80e8:7:19ac:d515:5a95:7969]) by smtp.gmail.com with ESMTPSA id x199-20020a627cd0000000b00525243d0dc6sm14679202pfc.15.2022.06.30.16.53.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Jun 2022 16:53:59 -0700 (PDT) From: "Kun Qin" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu , Jiewen Yao , Michael Kubacki Subject: [PATCH v3 04/11] SecurityPkg: SecureBootVariableLib: Updated signature list creator Date: Thu, 30 Jun 2022 16:53:34 -0700 Message-Id: <20220630235341.1746-5-kuqin12@gmail.com> X-Mailer: git-send-email 2.36.0.windows.1 In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com> References: <20220630235341.1746-1-kuqin12@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: kuqin REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3910 This change removes the interface of SecureBootFetchData, and replaced it with `SecureBootCreateDataFromInput`, which will require caller to prepare available certificates in defined structures. This improvement will eliminate the dependency of reading from FV, extending the availability of this library instance. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Signed-off-by: Kun Qin Reviewed-by: Jiewen Yao Acked-by: Michael Kubacki --- Notes: v3: - Added reviewed-by tag [Jiewen] - Added acked-by tag [Michael Kubacki] SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 69 += ++++++++++--------- SecurityPkg/Include/Library/SecureBootVariableLib.h | 25 += +++--- SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 3 - 3 files changed, 53 insertions(+), 44 deletions(-) diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index 3b33a356aba3..f56f0322e943 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -10,10 +10,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent=0D **/=0D #include =0D +#include =0D #include =0D #include =0D #include =0D -#include =0D #include =0D #include =0D #include =0D @@ -21,7 +21,6 @@ #include =0D #include =0D #include =0D -#include "Library/DxeServicesLib.h"=0D =0D // This time can be used when deleting variables, as it should be greater = than any variable time.=0D EFI_TIME mMaxTimestamp =3D {=0D @@ -130,24 +129,29 @@ ConcatenateSigList ( }=0D =0D /**=0D - Create a EFI Signature List with data fetched from section specified as = a argument.=0D - Found keys are verified using RsaGetPublicKeyFromX509().=0D + Create a EFI Signature List with data supplied from input argument.=0D + The input certificates from KeyInfo parameter should be DER-encoded=0D + format.=0D =0D - @param[in] KeyFileGuid A pointer to to the FFS filename GUID=0D @param[out] SigListsSize A pointer to size of signature list=0D - @param[out] SigListsOut a pointer to a callee-allocated buffer = with signature lists=0D + @param[out] SigListOut A pointer to a callee-allocated buffer = with signature lists=0D + @param[in] KeyInfoCount The number of certificate pointer and s= ize pairs inside KeyInfo.=0D + @param[in] KeyInfo A pointer to all certificates, in the f= ormat of DER-encoded,=0D + to be concatenated into signature lists= .=0D =0D - @retval EFI_SUCCESS Create time based payload successfully.= =0D + @retval EFI_SUCCESS Created signature list from payload suc= cessfully.=0D @retval EFI_NOT_FOUND Section with key has not been found.=0D - @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.=0D + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or inpu= t pointers are NULL.=0D @retval Others Unexpected error happens.=0D =0D **/=0D EFI_STATUS=0D -SecureBootFetchData (=0D - IN EFI_GUID *KeyFileGuid,=0D - OUT UINTN *SigListsSize,=0D - OUT EFI_SIGNATURE_LIST **SigListOut=0D +EFIAPI=0D +SecureBootCreateDataFromInput (=0D + OUT UINTN *SigListsSize,=0D + OUT EFI_SIGNATURE_LIST **SigListOut,=0D + IN UINTN KeyInfoCount,=0D + IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo=0D )=0D {=0D EFI_SIGNATURE_LIST *EfiSig;=0D @@ -155,36 +159,41 @@ SecureBootFetchData ( EFI_SIGNATURE_LIST *TmpEfiSig2;=0D EFI_STATUS Status;=0D VOID *Buffer;=0D - VOID *RsaPubKey;=0D UINTN Size;=0D + UINTN InputIndex;=0D UINTN KeyIndex;=0D =0D + if ((SigListOut =3D=3D NULL) || (SigListsSize =3D=3D NULL)) {=0D + return EFI_INVALID_PARAMETER;=0D + }=0D +=0D + if ((KeyInfoCount =3D=3D 0) || (KeyInfo =3D=3D NULL)) {=0D + return EFI_INVALID_PARAMETER;=0D + }=0D +=0D + InputIndex =3D 0;=0D KeyIndex =3D 0;=0D EfiSig =3D NULL;=0D *SigListsSize =3D 0;=0D - while (1) {=0D - Status =3D GetSectionFromAnyFv (=0D - KeyFileGuid,=0D - EFI_SECTION_RAW,=0D - KeyIndex,=0D - &Buffer,=0D - &Size=0D - );=0D -=0D - if (Status =3D=3D EFI_SUCCESS) {=0D - RsaPubKey =3D NULL;=0D - if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FALSE)= {=0D - DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__,= KeyIndex));=0D + while (InputIndex < KeyInfoCount) {=0D + if (KeyInfo[InputIndex].Data !=3D NULL) {=0D + Size =3D KeyInfo[InputIndex].DataSize;=0D + Buffer =3D AllocateCopyPool (Size, KeyInfo[InputIndex].Data);=0D + if (Buffer =3D=3D NULL) {=0D if (EfiSig !=3D NULL) {=0D FreePool (EfiSig);=0D }=0D =0D - FreePool (Buffer);=0D - return EFI_INVALID_PARAMETER;=0D + return EFI_OUT_OF_RESOURCES;=0D }=0D =0D Status =3D CreateSigList (Buffer, Size, &TmpEfiSig);=0D =0D + if (EFI_ERROR (Status)) {=0D + FreePool (Buffer);=0D + break;=0D + }=0D +=0D //=0D // Concatenate lists if more than one section found=0D //=0D @@ -202,9 +211,7 @@ SecureBootFetchData ( FreePool (Buffer);=0D }=0D =0D - if (Status =3D=3D EFI_NOT_FOUND) {=0D - break;=0D - }=0D + InputIndex++;=0D }=0D =0D if (KeyIndex =3D=3D 0) {=0D diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/Security= Pkg/Include/Library/SecureBootVariableLib.h index 9f2d41220b70..24ff0df067fa 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h @@ -44,24 +44,29 @@ GetSetupMode ( );=0D =0D /**=0D - Create a EFI Signature List with data fetched from section specified as = a argument.=0D - Found keys are verified using RsaGetPublicKeyFromX509().=0D + Create a EFI Signature List with data supplied from input argument.=0D + The input certificates from KeyInfo parameter should be DER-encoded=0D + format.=0D =0D - @param[in] KeyFileGuid A pointer to to the FFS filename GUID=0D @param[out] SigListsSize A pointer to size of signature list=0D - @param[out] SigListsOut a pointer to a callee-allocated buffer = with signature lists=0D + @param[out] SigListOut A pointer to a callee-allocated buffer = with signature lists=0D + @param[in] KeyInfoCount The number of certificate pointer and s= ize pairs inside KeyInfo.=0D + @param[in] KeyInfo A pointer to all certificates, in the f= ormat of DER-encoded,=0D + to be concatenated into signature lists= .=0D =0D - @retval EFI_SUCCESS Create time based payload successfully.= =0D + @retval EFI_SUCCESS Created signature list from payload suc= cessfully.=0D @retval EFI_NOT_FOUND Section with key has not been found.=0D - @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.=0D + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or inpu= t pointers are NULL.=0D @retval Others Unexpected error happens.=0D =0D --*/=0D EFI_STATUS=0D -SecureBootFetchData (=0D - IN EFI_GUID *KeyFileGuid,=0D - OUT UINTN *SigListsSize,=0D - OUT EFI_SIGNATURE_LIST **SigListOut=0D +EFIAPI=0D +SecureBootCreateDataFromInput (=0D + OUT UINTN *SigListsSize,=0D + OUT EFI_SIGNATURE_LIST **SigListOut,=0D + IN UINTN KeyInfoCount,=0D + IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo=0D );=0D =0D /**=0D diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf index 87db5a258021..3d4b77cfb073 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf @@ -32,15 +32,12 @@ [Packages] MdePkg/MdePkg.dec=0D MdeModulePkg/MdeModulePkg.dec=0D SecurityPkg/SecurityPkg.dec=0D - CryptoPkg/CryptoPkg.dec=0D =0D [LibraryClasses]=0D BaseLib=0D BaseMemoryLib=0D DebugLib=0D MemoryAllocationLib=0D - BaseCryptLib=0D - DxeServicesLib=0D =0D [Guids]=0D ## CONSUMES ## Variable:L"SetupMode"=0D --=20 2.36.0.windows.1