From: "Gao, Liming"
To: "Kinney, Michael D", "edk2-devel@lists.01.org"
CC: "Kinney, Michael D", "Yao, Jiewen", "Zhang, Chao B"
Date: Thu, 15 Mar 2018 06:36:49 +0000
Subject: Re: [Patch 3/5] SecurityPkg/EdkiiSystemCapsuleLib: Use PcdPkcs7CertBufferXdr

Mike:
The title should be SignedCapsulePkg EdkiiSystemCapsuleLib instead of SecurityPkg.

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Kinney, Michael D
> Sent: Tuesday, March 13, 2018 3:30 AM
> To: edk2-devel@lists.01.org
> Cc: Kinney, Michael D; Yao, Jiewen; Zhang, Chao B
> Subject: [edk2] [Patch 3/5] SecurityPkg/EdkiiSystemCapsuleLib: Use PcdPkcs7CertBufferXdr
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=891
>
> Use both PcdPkcs7CertBuffer and PcdPkcs7CertBufferXdr to authenticate
> a capsule. The capsule fails authentication if none of the certificates
> in PcdPkcs7CertBuffer or PcdPkcs7CertBufferXdr pass.
>
> Cc: Sean Brogan
> Cc: Chao Zhang
> Cc: Jiewen Yao
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Michael D Kinney
> ---
> .../EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.c | 77 ++++++++++++++++= +++--- > .../EdkiiSystemCapsuleLib.inf | 3 +- > 2 files changed, 70 insertions(+), 10 deletions(-) >=20 > diff --git a/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCa= psuleLib.c > b/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.c > index 876d2257b3..5217a63082 100644 > --- a/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLi= b.c > +++ b/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLi= b.c > @@ -6,7 +6,7 @@ > CapsuleAuthenticateSystemFirmware(), ExtractAuthenticatedImage() will = receive > untrusted input and do basic validation. >=20 > - Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
> + Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
> This program and the accompanying materials > are licensed and made available under the terms and conditions of the = BSD License > which accompanies this distribution. The full text of the license may= be found at > @@ -370,6 +370,8 @@ ExtractAuthenticatedImage ( > GUID *CertType; > VOID *PublicKeyData; > UINTN PublicKeyDataLength; > + UINT8 *PublicKeyDataXdr; > + UINT8 *PublicKeyDataXdrEnd; >=20 > DEBUG((DEBUG_INFO, "ExtractAuthenticatedImage - Image: 0x%08x - 0x%08x= \n", (UINTN)Image, (UINTN)ImageSize)); >=20 
> @@ -410,21 +412,78 @@ ExtractAuthenticatedImage ( > if (CompareGuid(&gEfiCertPkcs7Guid, CertType)) { > PublicKeyData =3D PcdGetPtr(PcdPkcs7CertBuffer); > PublicKeyDataLength =3D PcdGetSize(PcdPkcs7CertBuffer); > + > + ASSERT (PublicKeyData !=3D NULL); > + ASSERT (PublicKeyDataLength !=3D 0); > + > + Status =3D AuthenticateFmpImage( > + ImageAuth, > + ImageSize, > + PublicKeyData, > + PublicKeyDataLength > + ); > + if (EFI_ERROR (Status)) { > + PublicKeyDataXdr =3D PcdGetPtr (PcdPkcs7CertBufferXdr); > + PublicKeyDataXdrEnd =3D PublicKeyDataXdr + PcdGetSize (PcdPkcs7Cer= tBufferXdr); > + > + ASSERT (PublicKeyDataXdr !=3D NULL); > + ASSERT (PublicKeyDataXdr !=3D PublicKeyDataXdrEnd); > + > + // > + // Try each key from PcdPkcs7CertBufferXdr > + // > + while (PublicKeyDataXdr < PublicKeyDataXdrEnd) { > + if (PublicKeyDataXdr + sizeof (UINT32) > PublicKeyDataXdrEnd) { > + // > + // Key data extends beyond end of PCD > + // > + break; > + } > + // > + // Read key length stored in big endian format > + // > + PublicKeyDataLength =3D SwapBytes32 (*(UINT32 *)(PublicKeyDataXd= r)); > + // > + // Point to the start of the key data > + // > + PublicKeyDataXdr +=3D sizeof (UINT32); > + if (PublicKeyDataXdr + PublicKeyDataLength > PublicKeyDataXdrEnd= ) { > + // > + // Key data extends beyond end of PCD > + // > + break; > + } > + PublicKeyData =3D PublicKeyDataXdr; > + Status =3D AuthenticateFmpImage ( > + ImageAuth, > + ImageSize, > + PublicKeyData, > + PublicKeyDataLength > + ); > + if (!EFI_ERROR (Status)) { > + break; > + } > + PublicKeyDataXdr +=3D PublicKeyDataLength; > + PublicKeyDataXdr =3D (UINT8 *)ALIGN_POINTER (PublicKeyDataXdr, s= izeof(UINT32)); > + } > + } > } else if (CompareGuid(&gEfiCertTypeRsa2048Sha256Guid, CertType)) { > PublicKeyData =3D PcdGetPtr(PcdRsa2048Sha256PublicKeyBuffer); > PublicKeyDataLength =3D PcdGetSize(PcdRsa2048Sha256PublicKeyBuffer); > + > + ASSERT (PublicKeyData !=3D NULL); > + ASSERT (PublicKeyDataLength !=3D 0); > + > + Status =3D 
AuthenticateFmpImage( > + ImageAuth, > + ImageSize, > + PublicKeyData, > + PublicKeyDataLength > + ); > } else { > return FALSE; > } > - ASSERT (PublicKeyData !=3D NULL); > - ASSERT (PublicKeyDataLength !=3D 0); >=20 > - Status =3D AuthenticateFmpImage( > - ImageAuth, > - ImageSize, > - PublicKeyData, > - PublicKeyDataLength > - ); > switch (Status) { > case RETURN_SUCCESS: > *LastAttemptStatus =3D LAST_ATTEMPT_STATUS_SUCCESS; > diff --git a/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCa= psuleLib.inf > b/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.in= f > index a721619a67..2b18d918d1 100644 > --- a/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLi= b.inf > +++ b/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLi= b.inf > @@ -3,7 +3,7 @@ > # > # EDKII System Capsule library instance for DXE/PEI post memory phase. > # > -# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved. > +# Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved. > # This program and the accompanying materials > # are licensed and made available under the terms and conditions of the= BSD License > # which accompanies this distribution. The full text of the license ma= y be found at > @@ -52,6 +52,7 @@ [Pcd] > gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareFileGuid = ## CONSUMES > gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer = ## CONSUMES > gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer = ## CONSUMES > + gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBufferXdr = ## CONSUMES >=20 > [Guids] > gEdkiiSystemFirmwareImageDescriptorFileGuid ## SOMETIMES_CONS= UMES ## GUID > -- > 2.14.2.windows.3 >=20 > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel
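
Review bot: In the `@@ -410,21 +412,78 @@` hunk of ExtractAuthenticatedImage(), the bounds check `PublicKeyDataXdr + PublicKeyDataLength > PublicKeyDataXdrEnd` adds a length read from the PCD to a pointer before comparing, so on a build with 32-bit pointers a large length value can wrap the sum and pass the check. Comparing the length against the bytes remaining, `PublicKeyDataLength > (UINTN)(PublicKeyDataXdrEnd - PublicKeyDataXdr)`, avoids the overflow, and the same form works for the earlier `sizeof (UINT32)` check. The length is also read with `*(UINT32 *)(PublicKeyDataXdr)` and the cursor is re-aligned with `ALIGN_POINTER` on the absolute address, both of which assume the PCD buffer itself starts on a 4-byte boundary. Reading the length with ReadUnaligned32() and computing the padding relative to the start of the buffer would remove that assumption. Separately, `ASSERT (PublicKeyDataXdr != PublicKeyDataXdrEnd)` sits on the path taken only after a capsule has failed authentication against PcdPkcs7CertBuffer, so if a platform leaves PcdPkcs7CertBufferXdr empty, a rejected capsule trips an assert in debug builds instead of returning the authentication failure. Skipping the loop when the PCD size is zero would keep that case an ordinary rejection.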