public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Kun Qin" <kuqin12@gmail.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>, Min Xu <min.m.xu@intel.com>,
	Jiewen Yao <Jiewen.yao@intel.com>,
	Michael Kubacki <michael.kubacki@microsoft.com>
Subject: [PATCH v3 06/11] SecurityPkg: SecureBootVariableProvisionLib: Updated implementation
Date: Thu, 30 Jun 2022 16:53:36 -0700	[thread overview]
Message-ID: <20220630235341.1746-7-kuqin12@gmail.com> (raw)
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>

From: Kun Qin <kuqin@microsoft.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910

This change is in pair with the previous SecureBootVariableLib, which
removes the explicit invocation of `CreateTimeBasedPayload` and used new
interface `EnrollFromInput` instead.

The original `SecureBootFetchData` is also moved to this library and
incorporated with the newly defined `SecureBootCreateDataFromInput` to
keep the original code flow.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>

Signed-off-by: Kun Qin <kun.qin@microsoft.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Michael Kubacki <michael.kubacki@microsoft.com>
---

Notes:
    v3:
    - Added reviewed-by tag [Jiewen]
    - Added acked-by tag [Michael Kubacki]

 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 145 ++++++++++++++++----
 1 file changed, 115 insertions(+), 30 deletions(-)

diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
index 536b0f369907..bed1fe86205d 100644
--- a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
+++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
@@ -8,10 +8,13 @@
   Copyright (c) 2021, Semihalf All rights reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
+#include <Uefi.h>
+#include <UefiSecureBoot.h>
 #include <Guid/GlobalVariable.h>
 #include <Guid/AuthenticatedVariableFormat.h>
 #include <Guid/ImageAuthentication.h>
 #include <Library/BaseLib.h>
+#include <Library/BaseCryptLib.h>
 #include <Library/BaseMemoryLib.h>
 #include <Library/DebugLib.h>
 #include <Library/UefiLib.h>
@@ -19,6 +22,117 @@
 #include <Library/UefiRuntimeServicesTableLib.h>
 #include <Library/SecureBootVariableLib.h>
 #include <Library/SecureBootVariableProvisionLib.h>
+#include <Library/DxeServicesLib.h>
+
+/**
+  Create a EFI Signature List with data fetched from section specified as a argument.
+  Found keys are verified using RsaGetPublicKeyFromX509().
+
+  @param[in]        KeyFileGuid    A pointer to to the FFS filename GUID
+  @param[out]       SigListsSize   A pointer to size of signature list
+  @param[out]       SigListOut    a pointer to a callee-allocated buffer with signature lists
+
+  @retval EFI_SUCCESS              Create time based payload successfully.
+  @retval EFI_NOT_FOUND            Section with key has not been found.
+  @retval EFI_INVALID_PARAMETER    Embedded key has a wrong format.
+  @retval Others                   Unexpected error happens.
+
+**/
+STATIC
+EFI_STATUS
+SecureBootFetchData (
+  IN  EFI_GUID            *KeyFileGuid,
+  OUT UINTN               *SigListsSize,
+  OUT EFI_SIGNATURE_LIST  **SigListOut
+  )
+{
+  EFI_SIGNATURE_LIST            *EfiSig;
+  EFI_STATUS                    Status;
+  VOID                          *Buffer;
+  VOID                          *RsaPubKey;
+  UINTN                         Size;
+  UINTN                         KeyIndex;
+  UINTN                         Index;
+  SECURE_BOOT_CERTIFICATE_INFO  *CertInfo;
+  SECURE_BOOT_CERTIFICATE_INFO  *NewCertInfo;
+
+  KeyIndex      = 0;
+  EfiSig        = NULL;
+  *SigListOut   = NULL;
+  *SigListsSize = 0;
+  CertInfo      = AllocatePool (sizeof (SECURE_BOOT_CERTIFICATE_INFO));
+  NewCertInfo   = CertInfo;
+  while (1) {
+    if (NewCertInfo == NULL) {
+      Status = EFI_OUT_OF_RESOURCES;
+      break;
+    } else {
+      CertInfo = NewCertInfo;
+    }
+
+    Status = GetSectionFromAnyFv (
+               KeyFileGuid,
+               EFI_SECTION_RAW,
+               KeyIndex,
+               &Buffer,
+               &Size
+               );
+
+    if (Status == EFI_SUCCESS) {
+      RsaPubKey = NULL;
+      if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
+        DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+        if (EfiSig != NULL) {
+          FreePool (EfiSig);
+        }
+
+        FreePool (Buffer);
+        Status = EFI_INVALID_PARAMETER;
+        break;
+      }
+
+      CertInfo[KeyIndex].Data     = Buffer;
+      CertInfo[KeyIndex].DataSize = Size;
+      KeyIndex++;
+      NewCertInfo = ReallocatePool (
+                      sizeof (SECURE_BOOT_CERTIFICATE_INFO) * KeyIndex,
+                      sizeof (SECURE_BOOT_CERTIFICATE_INFO) * (KeyIndex + 1),
+                      CertInfo
+                      );
+    }
+
+    if (Status == EFI_NOT_FOUND) {
+      Status = EFI_SUCCESS;
+      break;
+    }
+  }
+
+  if (EFI_ERROR (Status)) {
+    goto Cleanup;
+  }
+
+  if (KeyIndex == 0) {
+    Status = EFI_NOT_FOUND;
+    goto Cleanup;
+  }
+
+  // Now that we collected all certs from FV, convert it into sig list
+  Status = SecureBootCreateDataFromInput (SigListsSize, SigListOut, KeyIndex, CertInfo);
+  if (EFI_ERROR (Status)) {
+    goto Cleanup;
+  }
+
+Cleanup:
+  if (CertInfo) {
+    for (Index = 0; Index < KeyIndex; Index++) {
+      FreePool ((VOID *)CertInfo[Index].Data);
+    }
+
+    FreePool (CertInfo);
+  }
+
+  return Status;
+}
 
 /**
   Enroll a key/certificate based on a default variable.
@@ -52,36 +166,7 @@ EnrollFromDefault (
     return Status;
   }
 
-  CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
-  if (EFI_ERROR (Status)) {
-    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
-    return Status;
-  }
-
-  //
-  // Allocate memory for auth variable
-  //
-  Status = gRT->SetVariable (
-                  VariableName,
-                  VendorGuid,
-                  (EFI_VARIABLE_NON_VOLATILE |
-                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
-                   EFI_VARIABLE_RUNTIME_ACCESS |
-                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
-                  DataSize,
-                  Data
-                  );
-
-  if (EFI_ERROR (Status)) {
-    DEBUG ((
-      DEBUG_ERROR,
-      "error: %a (\"%s\", %g): %r\n",
-      __FUNCTION__,
-      VariableName,
-      VendorGuid,
-      Status
-      ));
-  }
+  Status = EnrollFromInput (VariableName, VendorGuid, DataSize, Data);
 
   if (Data != NULL) {
     FreePool (Data);
-- 
2.36.0.windows.1


  parent reply	other threads:[~2022-06-30 23:54 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-06-30 23:53 [PATCH v3 00/11] Enhance Secure Boot Variable Libraries Kun Qin
2022-06-30 23:53 ` [PATCH v3 01/11] SecurityPkg: UefiSecureBoot: Definitions of cert and payload structures Kun Qin
2022-06-30 23:53 ` [PATCH v3 02/11] SecurityPkg: PlatformPKProtectionLib: Added PK protection interface Kun Qin
2022-06-30 23:53 ` [PATCH v3 03/11] SecurityPkg: SecureBootVariableLib: Updated time based payload creator Kun Qin
2022-06-30 23:53 ` [PATCH v3 04/11] SecurityPkg: SecureBootVariableLib: Updated signature list creator Kun Qin
2022-06-30 23:53 ` [PATCH v3 05/11] SecurityPkg: SecureBootVariableLib: Added newly supported interfaces Kun Qin
2022-06-30 23:53 ` Kun Qin [this message]
2022-06-30 23:53 ` [PATCH v3 07/11] SecurityPkg: Secure Boot Drivers: Added common header files Kun Qin
2022-06-30 23:53 ` [PATCH v3 08/11] SecurityPkg: SecureBootConfigDxe: Updated invocation pattern Kun Qin
2022-06-30 23:53 ` [PATCH v3 09/11] SecurityPkg: SecureBootVariableLib: Added unit tests Kun Qin
2022-06-30 23:53 ` [PATCH v3 10/11] OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency Kun Qin
2022-06-30 23:53 ` [PATCH v3 11/11] EmulatorPkg: " Kun Qin
2022-07-06  5:19 ` [edk2-devel] [PATCH v3 00/11] Enhance Secure Boot Variable Libraries Yao, Jiewen
2022-07-06 17:44   ` Kun Qin
2022-07-07  1:09     ` Yao, Jiewen
2022-07-07  1:10       ` Kun Qin
2022-07-08 16:38       ` Ard Biesheuvel
2022-07-08 20:03         ` Kun Qin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220630235341.1746-7-kuqin12@gmail.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox