From: Wim Vervoorn <wvervoorn@eltan.com>
To: edk2-devel@lists.01.org
Date: Mon, 11 Dec 2017 10:40:18 +0000
Message-ID: <5492e8b3cf5e4d48ab401e085a6a25e9@Eltsrv03.Eltan.local>
Subject: Timebased Auth Variable driver should ensure AuthAlgorithm is SHA256 before further verification

Hello,

We ran into issues with the Timebased Authenticated variable handling.

In commit c035e37335ae43229d7e68de74a65f2c01ebc0af this was added. This assumed the very first tag will be the Sha256 Oid. We have noticed situations where this is the case.

The question is if the check below represents the specification and the tools generating the data buffer should be changed, or if this check is not correct.

It seems to me that the data should be parsed to check for the correct OID and not assume this is the first one.

  if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
    if (SigDataSize >= (13 + sizeof (mSha256OidValue))) {
      if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) ||
          (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) {
        return EFI_SECURITY_VIOLATION;
      }
    }
  }

----
Modified: SecurityPkg/Library/AuthVariableLib/AuthService.c
Modified: SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h

Best Regards,

Wim Vervoorn

Eltan B.V.
Ambachtstraat 23
5481 SM Schijndel
The Netherlands

T : +31-(0)73-594 46 64
E : wvervoorn@eltan.com
W : http://www.eltan.com
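The fixed-offset check quoted above, next to the parsing approach the mail argues for, as an added example that is not part of the original mail and not EDK2's AuthVariableLib code. It is a small DER walker in C that locates the digestAlgorithms SET of the PKCS#7 SignedData, whether the signer emitted bare SignedData or the full ContentInfo wrapper, and accepts the buffer only if every listed digest algorithm is SHA-256. Everything here is an assumption of the example: the function names, the value 0x82 taken for TWO_BYTE_ENCODE (the DER long-form prefix meaning two length bytes follow, which is what a byte-1 check at offset 13 implies), and the four constructed sample buffers, which stop after digestAlgorithms rather than being complete signatures. Offset 13 in the original corresponds to SEQUENCE tag + 0x82 + two length bytes (4), version INTEGER (3), SET header (2), SEQUENCE header (2) and OID header (2), so any other outer length form or wrapper shifts the OID and the fixed check fails even for a valid SHA-256 signature.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* OID content bytes (DER), without the 0x06 tag and length. */
static const uint8_t SHA256_OID[] =         /* 2.16.840.1.101.3.4.2.1 id-sha256 */
    {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01};
static const uint8_t ID_SIGNED_DATA_OID[] = /* 1.2.840.113549.1.7.2 id-signedData */
    {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02};

/* Assumed value of EDK2's TWO_BYTE_ENCODE: DER long-form length prefix, "two length bytes follow". */
#define TWO_BYTE_ENCODE 0x82

typedef struct { uint8_t tag; const uint8_t *val; size_t len; const uint8_t *next; } der_tlv;

/* Read one DER TLV starting at p, never reading past end. Short and 1/2-byte long-form lengths only. */
static bool der_read(const uint8_t *p, const uint8_t *end, der_tlv *out) {
    size_t hdr, len;
    if (p == NULL || end - p < 2) return false;
    if (p[1] < 0x80)       { hdr = 2; len = p[1]; }
    else if (p[1] == 0x81) { if (end - p < 3) return false; hdr = 3; len = p[2]; }
    else if (p[1] == 0x82) { if (end - p < 4) return false; hdr = 4; len = ((size_t)p[2] << 8) | p[3]; }
    else return false;  /* longer or indefinite lengths do not occur in these structures */
    if ((size_t)(end - p) - hdr < len) return false;  /* length claims more bytes than the buffer holds */
    out->tag = p[0]; out->val = p + hdr; out->len = len; out->next = p + hdr + len;
    return true;
}

static bool oid_is(const der_tlv *t, const uint8_t *oid, size_t oid_len) {
    return t->tag == 0x06 && t->len == oid_len && memcmp(t->val, oid, oid_len) == 0;
}

/* Walk SignedData (bare, or inside a ContentInfo wrapper) to digestAlgorithms; require SHA-256 throughout. */
bool signed_data_uses_sha256(const uint8_t *buf, size_t size) {
    const uint8_t *end = buf + size;
    der_tlv outer, t, algs;
    if (!der_read(buf, end, &outer) || outer.tag != 0x30) return false;
    const uint8_t *pend = outer.next;
    if (!der_read(outer.val, pend, &t)) return false;
    if (t.tag == 0x06) {
        /* ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData } */
        der_tlv ctx, sd;
        if (!oid_is(&t, ID_SIGNED_DATA_OID, sizeof(ID_SIGNED_DATA_OID))) return false;
        if (!der_read(t.next, pend, &ctx) || ctx.tag != 0xA0) return false;
        if (!der_read(ctx.val, ctx.next, &sd) || sd.tag != 0x30) return false;
        pend = sd.next;
        if (!der_read(sd.val, pend, &t)) return false;
    }
    /* SignedData ::= SEQUENCE { version INTEGER, digestAlgorithms SET OF AlgorithmIdentifier, ... } */
    if (t.tag != 0x02) return false;
    if (!der_read(t.next, pend, &algs) || algs.tag != 0x31) return false;
    size_t count = 0;
    for (const uint8_t *q = algs.val; q < algs.next; count++) {
        der_tlv alg, oid;  /* AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL } */
        if (!der_read(q, algs.next, &alg) || alg.tag != 0x30) return false;
        if (!der_read(alg.val, alg.next, &oid) || !oid_is(&oid, SHA256_OID, sizeof(SHA256_OID))) return false;
        q = alg.next;
    }
    return count > 0;  /* an empty SET pins no algorithm at all */
}

/* Re-implementation of the check quoted in the mail: false where EDK2 would return EFI_SECURITY_VIOLATION. */
bool fixed_offset_check_passes(const uint8_t *sig, size_t size) {
    if (size < 13 + sizeof(SHA256_OID)) return true;  /* size guard in the original: check not applied */
    return (sig[1] & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE &&
           memcmp(sig + 13, SHA256_OID, sizeof(SHA256_OID)) == 0;
}

/* Constructed samples, cut off after digestAlgorithms. The first one pads the length to the two-byte form the
   fixed check expects (real signatures are several hundred bytes, so that form is the natural one there). */
static const uint8_t SAMPLE_BARE_2BYTE_LEN[] = {0x30,0x82,0x00,0x14, 0x02,0x01,0x01, 0x31,0x0F, 0x30,0x0D,
    0x06,0x09, 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, 0x05,0x00};
static const uint8_t SAMPLE_BARE_SHORT_LEN[] = {0x30,0x14, 0x02,0x01,0x01, 0x31,0x0F, 0x30,0x0D,
    0x06,0x09, 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, 0x05,0x00};
static const uint8_t SAMPLE_WRAPPED[] = {0x30,0x23, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02,
    0xA0,0x16, 0x30,0x14, 0x02,0x01,0x01, 0x31,0x0F, 0x30,0x0D, 0x06,0x09,
    0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, 0x05,0x00};
static const uint8_t SAMPLE_SHA1[] = {0x30,0x10, 0x02,0x01,0x01, 0x31,0x0B, 0x30,0x09,
    0x06,0x05,0x2B,0x0E,0x03,0x02,0x1A, 0x05,0x00};  /* digest algorithm 1.3.14.3.2.26 (SHA-1) */

int main(void) {
    struct { const char *name; const uint8_t *buf; size_t len; } cases[] = {
        {"bare, two-byte length", SAMPLE_BARE_2BYTE_LEN, sizeof(SAMPLE_BARE_2BYTE_LEN)},
        {"bare, short length",    SAMPLE_BARE_SHORT_LEN, sizeof(SAMPLE_BARE_SHORT_LEN)},
        {"ContentInfo wrapped",   SAMPLE_WRAPPED,        sizeof(SAMPLE_WRAPPED)},
        {"SHA-1 digest",          SAMPLE_SHA1,           sizeof(SAMPLE_SHA1)},
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-22s fixed-offset=%d parsed=%d\n", cases[i].name,
               fixed_offset_check_passes(cases[i].buf, cases[i].len),
               signed_data_uses_sha256(cases[i].buf, cases[i].len));
    return 0;
}
```

The two checks agree only on the layout the fixed offset was written for. A short-form outer length or a ContentInfo wrapper is rejected by the offset check although the digest really is SHA-256, while the SHA-1 sample is too short for the offset check to run at all and only the parser refuses it; every read in the walker is bounded by the enclosing TLV, so a truncated or malformed buffer fails closed instead of being read past its end.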