From: Marvin Häuser
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Vitaly Cheptsov
Subject: [PATCH] SecurityPkg/DxeImageVerificationLib: Always lookup SHA-256 hash in dbx
Date: Sun, 8 Aug 2021 19:39:47 +0000
Message-Id: <6810bb96b0c7ef377680112f48bac9cd0a964a52.1628353537.git.mhaeuser@posteo.de>
In-Reply-To: <5df11a13422732b9c03c120775a2b4dd0a49182f.1628444003.git.mhaeuser@posteo.de>
References: <5df11a13422732b9c03c120775a2b4dd0a49182f.1628444003.git.mhaeuser@posteo.de>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3461

The UEFI specification prohibits loading any UEFI image of which a matching SHA-256 hash is contained in "dbx" (UEFI 2.9, 32.5.3.3 "Authorization Process", 3.A). Currently, this is only explicitly checked when the image is unsigned and otherwise the hash algorithms of the certificates are used. Align with the UEFI specification by specifically looking up the SHA-256 hash of the image in "dbx".

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Cc: Vitaly Cheptsov
Signed-off-by: Marvin Häuser
---
 SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 60 ++++++++------------
 1 file changed, 24 insertions(+), 36 deletions(-)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index c48861cd6496..1f9bb33e86c3 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1803,34 +1803,36 @@ DxeImageVerificationHandler ( }=0D }=0D =0D + //=0D + // The SHA256 hash value of the image must not be reflected in the secur= ity data base "dbx".=0D + //=0D + if (!HashPeImage (HASHALG_SHA256)) {=0D + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this imag= e using %s.\n", mHashTypeStr));=0D + goto Failed;=0D + }=0D +=0D + DbStatus =3D IsSignatureFoundInDatabase (=0D + EFI_IMAGE_SECURITY_DATABASE1,=0D + mImageDigest,=0D + &mCertType,=0D + mImageDigestSize,=0D + &IsFound=0D + );=0D + if (EFI_ERROR (DbStatus) || IsFound) {=0D + //=0D + // Image Hash is in forbidden database (DBX).=0D + //=0D + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and = %s hash of image is forbidden by DBX.\n", mHashTypeStr));=0D + goto Failed;=0D + }=0D +=0D //=0D // Start Image Validation.=0D //=0D if (SecDataDir =3D=3D NULL || SecDataDir->Size =3D=3D 0) {=0D //=0D - // This image is not signed. The SHA256 hash value of the image must m= atch a record in the security database "db",=0D - // and not be reflected in the security data base "dbx".=0D + // This image is not signed. The SHA256 hash value of the image must m= atch a record in the security database "db".=0D //=0D - if (!HashPeImage (HASHALG_SHA256)) {=0D - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this im= age using %s.\n", mHashTypeStr));=0D - goto Failed;=0D - }=0D -=0D - DbStatus =3D IsSignatureFoundInDatabase (=0D - EFI_IMAGE_SECURITY_DATABASE1,=0D - mImageDigest,=0D - &mCertType,=0D - mImageDigestSize,=0D - &IsFound=0D - );=0D - if (EFI_ERROR (DbStatus) || IsFound) {=0D - //=0D - // Image Hash is in forbidden database (DBX).=0D - //=0D - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed an= d %s hash of image is forbidden by DBX.\n", mHashTypeStr));=0D - goto Failed;=0D - }=0D -=0D DbStatus =3D IsSignatureFoundInDatabase (=0D EFI_IMAGE_SECURITY_DATABASE,=0D mImageDigest,=0D 
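Review bot: The DEBUG string in the hoisted block still reads "Image is not signed and %s hash of image is forbidden by DBX", but the lookup now runs before the `SecDataDir == NULL || SecDataDir->Size == 0` test, so it also fires for signed images; suggest rewording it to "%s hash of image is forbidden by DBX." along the lines of the "Image is signed but %s hash of image is found in DBX" message that the second hunk removes. It is also worth stating in the commit message that a signed image whose SHA-256 hash is listed in dbx now takes `goto Failed` before any signature is examined, rather than the per-signature path it took before.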
@@ -1932,20 +1934,6 @@ DxeImageVerificationHandler ( //=0D // Check the image's hash value.=0D //=0D - DbStatus =3D IsSignatureFoundInDatabase (=0D - EFI_IMAGE_SECURITY_DATABASE1,=0D - mImageDigest,=0D - &mCertType,=0D - mImageDigestSize,=0D - &IsFound=0D - );=0D - if (EFI_ERROR (DbStatus) || IsFound) {=0D - Action =3D EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;=0D - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s= hash of image is found in DBX.\n", mHashTypeStr));=0D - IsVerified =3D FALSE;=0D - break;=0D - }=0D -=0D if (!IsVerified) {=0D DbStatus =3D IsSignatureFoundInDatabase (=0D EFI_IMAGE_SECURITY_DATABASE,=0D --=20 2.31.1
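Review bot: Deleting this lookup removes the dbx check against the digest computed for each signer certificate's own hash algorithm (the `mImageDigest` in scope here), so a dbx entry that holds a non-SHA-256 hash of the image no longer rejects a signed image; the commit message justifies adding the unconditional SHA-256 lookup but not dropping this one, so either keep both lookups or document why the per-certificate lookup is redundant. The deletion also drops the `Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND` and `IsVerified = FALSE` handling in favour of the earlier `goto Failed`, whose handling lies outside this hunk; that change in the recorded action for a dbx-listed signed image should be called out explicitly.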