From: "Yao, Jiewen"
To: "Wang, Jian J", "devel@edk2.groups.io"
CC: "Zhang, Chao B"
Subject: Re: [PATCH 9/9] SecurityPkg/DxeImageVerificationLib: Differentiate error and search result in IsSignatureFoundInDatabase(CVE-2019-14575)
Date: Thu, 13 Feb 2020 10:20:17 +0000
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503F92CCE5@shsmsx102.ccr.corp.intel.com>
References: <20200206141933.356-1-jian.j.wang@intel.com> <20200206141933.356-10-jian.j.wang@intel.com>
In-Reply-To: <20200206141933.356-10-jian.j.wang@intel.com>

Reviewed-by: Jiewen Yao

> -----Original Message-----
> From: Wang, Jian J
> Sent: Thursday, February 6, 2020 10:20 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen; Zhang, Chao B
> Subject: [PATCH 9/9] SecurityPkg/DxeImageVerificationLib: Differentiate error and search result in IsSignatureFoundInDatabase(CVE-2019-14575)
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
>
> To avoid a false-negative issue when checking a hash against dbx, both an error
> condition (as return value) and the check result (as out parameter) of
> IsSignatureFoundInDatabase() are added. So the caller of this function
> will know exactly if a failure is caused by a black list hit or
> by another error, and enforce a more secure operation to prevent
> secure boot from being bypassed. For a white list check (db), there's
> no such necessity.
>
> All intermediate results inside this function will be checked and
> returned immediately upon any failure or error, like out-of-resource,
> hash calculation error or certificate retrieval failure.
>
> Cc: Jiewen Yao
> Cc: Chao Zhang
> Signed-off-by: Jian J Wang
> ---
>  .../DxeImageVerificationLib.c | 77 ++++++++++++++-----
>  1 file changed, 58 insertions(+), 19 deletions(-)
>
> diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 5b7a67f811..8e599ca0be 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -955,17 +955,19 @@ Done: > @param[in] Signature Pointer to signature that is searched = for. >=20 > @param[in] CertType Pointer to hash algorithm. >=20 > @param[in] SignatureSize Size of Signature. >=20 > + @param[out] IsFound Search result. Only valid if EFI_SUCCE= SS returned >=20 >=20 >=20 > - @return TRUE Found the signature in the variable da= tabase. >=20 > - @return FALSE Not found the signature in the variabl= e database. >=20 > + @retval EFI_SUCCESS Finished the search without any error. >=20 > + @retval Others Error occurred in the search of databa= se. >=20 >=20 >=20 > **/ >=20 > -BOOLEAN >=20 > +EFI_STATUS >=20 > IsSignatureFoundInDatabase ( >=20 > - IN CHAR16 *VariableName, >=20 > - IN UINT8 *Signature, >=20 > - IN EFI_GUID *CertType, >=20 > - IN UINTN SignatureSize >=20 > + IN CHAR16 *VariableName, >=20 > + IN UINT8 *Signature, >=20 > + IN EFI_GUID *CertType, >=20 > + IN UINTN SignatureSize, >=20 > + OUT BOOLEAN *IsFound >=20 > ) >=20 > { >=20 > EFI_STATUS Status; >=20 > @@ -975,22 +977,28 @@ IsSignatureFoundInDatabase ( > UINT8 *Data; >=20 > UINTN Index; >=20 > UINTN CertCount; >=20 > - BOOLEAN IsFound; >=20 >=20 >=20 > // >=20 > // Read signature database variable. >=20 > // >=20 > - IsFound =3D FALSE; >=20 > + *IsFound =3D FALSE; >=20 > Data =3D NULL; >=20 > DataSize =3D 0; >=20 > Status =3D gRT->GetVariable (VariableName, &gEfiImageSecurityDataba= seGuid, > NULL, &DataSize, NULL); >=20 > if (Status !=3D EFI_BUFFER_TOO_SMALL) { >=20 > - return FALSE; >=20 > + if (Status =3D=3D EFI_NOT_FOUND) { >=20 > + // >=20 > + // No database, no need to search. >=20 > + // >=20 > + Status =3D EFI_SUCCESS; >=20 > + } >=20 > + >=20 > + return Status; >=20 > } >=20 >=20 >=20 > Data =3D (UINT8 *) AllocateZeroPool (DataSize); >=20 > if (Data =3D=3D NULL) { >=20 > - return FALSE; >=20 > + return EFI_OUT_OF_RESOURCES; >=20 > } >=20 >=20 >=20 > Status =3D gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseG= uid, > NULL, &DataSize, Data); >=20 
> @@ -1010,7 +1018,7 @@ IsSignatureFoundInDatabase ( > // >=20 > // Find the signature in database. >=20 > // >=20 > - IsFound =3D TRUE; >=20 > + *IsFound =3D TRUE; >=20 > // >=20 > // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to va= lidate > image should be measured >=20 > // >=20 > @@ -1023,7 +1031,7 @@ IsSignatureFoundInDatabase ( > Cert =3D (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->Sign= atureSize); >=20 > } >=20 >=20 >=20 > - if (IsFound) { >=20 > + if (*IsFound) { >=20 > break; >=20 > } >=20 > } >=20 > @@ -1037,7 +1045,7 @@ Done: > FreePool (Data); >=20 > } >=20 >=20 >=20 > - return IsFound; >=20 > + return Status; >=20 > } >=20 >=20 >=20 > /** >=20 > @@ -1642,6 +1650,8 @@ DxeImageVerificationHandler ( > CHAR16 *NameStr; >=20 > RETURN_STATUS PeCoffStatus; >=20 > EFI_STATUS HashStatus; >=20 > + EFI_STATUS DbStatus; >=20 > + BOOLEAN IsFound; >=20 >=20 >=20 > SignatureList =3D NULL; >=20 > SignatureListSize =3D 0; >=20 > @@ -1650,7 +1660,7 @@ DxeImageVerificationHandler ( > PkcsCertData =3D NULL; >=20 > Action =3D EFI_IMAGE_EXECUTION_AUTH_UNTESTED; >=20 > IsVerified =3D FALSE; >=20 > - >=20 > + IsFound =3D FALSE; >=20 >=20 >=20 > // >=20 > // Check the image type and get policy setting. >=20 > @@ -1792,7 +1802,14 @@ DxeImageVerificationHandler ( > goto Failed; >=20 > } >=20 >=20 >=20 > - if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, > mImageDigest, &mCertType, mImageDigestSize)) { >=20 > + DbStatus =3D IsSignatureFoundInDatabase ( >=20 > + EFI_IMAGE_SECURITY_DATABASE1, >=20 > + mImageDigest, >=20 > + &mCertType, >=20 > + mImageDigestSize, >=20 > + &IsFound >=20 > + ); >=20 > + if (EFI_ERROR (DbStatus) || IsFound) { >=20 > // >=20 > // Image Hash is in forbidden database (DBX). >=20 > // >=20 
> @@ -1800,7 +1817,14 @@ DxeImageVerificationHandler ( > goto Failed; >=20 > } >=20 >=20 >=20 > - if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, > mImageDigest, &mCertType, mImageDigestSize)) { >=20 > + DbStatus =3D IsSignatureFoundInDatabase ( >=20 > + EFI_IMAGE_SECURITY_DATABASE, >=20 > + mImageDigest, >=20 > + &mCertType, >=20 > + mImageDigestSize, >=20 > + &IsFound >=20 > + ); >=20 > + if (!EFI_ERROR (DbStatus) && IsFound) { >=20 > // >=20 > // Image Hash is in allowed database (DB). >=20 > // >=20 > @@ -1888,14 +1912,29 @@ DxeImageVerificationHandler ( > // >=20 > // Check the image's hash value. >=20 > // >=20 > - if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, > mImageDigest, &mCertType, mImageDigestSize)) { >=20 > + DbStatus =3D IsSignatureFoundInDatabase ( >=20 > + EFI_IMAGE_SECURITY_DATABASE1, >=20 > + mImageDigest, >=20 > + &mCertType, >=20 > + mImageDigestSize, >=20 > + &IsFound >=20 > + ); >=20 > + if (EFI_ERROR (DbStatus) || IsFound) { >=20 > Action =3D EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND; >=20 > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but = %s > hash of image is found in DBX.\n", mHashTypeStr)); >=20 > IsVerified =3D FALSE; >=20 > break; >=20 > } >=20 > + >=20 > if (!IsVerified) { >=20 > - if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, > mImageDigest, &mCertType, mImageDigestSize)) { >=20 > + DbStatus =3D IsSignatureFoundInDatabase ( >=20 > + EFI_IMAGE_SECURITY_DATABASE, >=20 > + mImageDigest, >=20 > + &mCertType, >=20 > + mImageDigestSize, >=20 > + &IsFound >=20 > + ); >=20 > + if (!EFI_ERROR (DbStatus) && IsFound) { >=20 > IsVerified =3D TRUE; >=20 > } else { >=20 > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed bu= t > signature is not allowed by DB and %s hash of image is not found in DB/DB= X.\n", > mHashTypeStr)); >=20 > -- > 2.24.0.windows.2
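Review bot: in the @@ -955,17 hunk, the new `@param[out] IsFound  Search result. Only valid if EFI_SUCCESS returned` understates what the body guarantees: `*IsFound = FALSE;` runs before any early return, so the out value is defined (FALSE) on every error path, and it is worth saying so because the dbx callers rely on `EFI_ERROR (DbStatus) || IsFound` and the db callers on `!EFI_ERROR (DbStatus) && IsFound`. Also replace `@retval Others` with the statuses that can actually come back: EFI_OUT_OF_RESOURCES from the AllocateZeroPool failure, and whatever gRT->GetVariable returns other than EFI_NOT_FOUND, which this function maps to EFI_SUCCESS.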
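Review bot: in the @@ -975,22 hunk, when the size probe returns something other than EFI_BUFFER_TOO_SMALL or EFI_NOT_FOUND the raw status is returned with no DEBUG output, and the only message the callers print on that path is "... hash of image is found in DBX", so a variable-store error such as EFI_DEVICE_ERROR leaves no trace in the boot log; add a DEBUG ((DEBUG_ERROR, ...)) carrying VariableName and Status before `return Status;`. The EFI_NOT_FOUND to EFI_SUCCESS mapping itself is right: an absent db or dbx is an empty list, and *IsFound is already FALSE at that point.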
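Review bot: in the @@ -1792,7 hunk the comment `// Image Hash is in forbidden database (DBX).` above the `goto Failed` is now reached for two different reasons, a dbx hit and any error returned by IsSignatureFoundInDatabase, but nothing records which one; extend the comment and add a DEBUG line that prints DbStatus so a failed dbx read is not mistaken for a revocation when the unsigned-image path rejects an image. The db check in the @@ -1800,7 hunk, `!EFI_ERROR (DbStatus) && IsFound`, is the correct direction: an error reading the allow list must never turn into an allow.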
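Review bot: in the @@ -1888,14 hunk, `if (EFI_ERROR (DbStatus) || IsFound)` sets `Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND` and logs "Image is signed but %s hash of image is found in DBX" even when the lookup failed (for example with the new EFI_OUT_OF_RESOURCES return) and nothing was found; rejecting is right, but the image execution info entry and the log then assert a dbx match that did not happen. Split the condition: keep SIG_FOUND and that message for `IsFound`, and give `EFI_ERROR (DbStatus)` its own branch that logs DbStatus and records an action that does not claim a revocation.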
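The fail-closed change the commit message describes, as an added example that is not part of the patch or of edk2: a constructed in-memory model of db/dbx lookup that puts the old single-BOOLEAN return next to the status-plus-out-parameter shape and runs both caller policies over the same data. The names sig_db_t, lookup_old, lookup_new, allow_old, allow_new and the sample hashes are hypothetical; the "read_status" field stands in for whatever gRT->GetVariable would have returned.

```c
/*
 * Added example (not edk2 code): minimal model of the fail-open vs.
 * fail-closed dbx lookup changed by the patch above. sig_db_t,
 * lookup_old/lookup_new and allow_old/allow_new are hypothetical stand-ins
 * for IsSignatureFoundInDatabase() and its caller; the database is a
 * constructed in-memory table, not a UEFI variable store.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 32

typedef enum {
    DB_OK = 0,          /* EFI_SUCCESS */
    DB_NOT_FOUND,       /* EFI_NOT_FOUND: the variable does not exist */
    DB_DEVICE_ERROR,    /* EFI_DEVICE_ERROR: variable store read failed */
    DB_OUT_OF_RESOURCES /* EFI_OUT_OF_RESOURCES: allocation failed */
} db_status_t;

/* Constructed stand-in for a db or dbx variable plus how reading it behaves. */
typedef struct {
    const uint8_t (*hashes)[HASH_LEN];
    size_t count;
    db_status_t read_status; /* simulated outcome of GetVariable() */
} sig_db_t;

static bool hash_in_list(const sig_db_t *db, const uint8_t hash[HASH_LEN]) {
    for (size_t i = 0; i < db->count; i++)
        if (memcmp(db->hashes[i], hash, HASH_LEN) == 0)
            return true;
    return false;
}

/* Pre-patch shape: one BOOLEAN, so a read error is indistinguishable from "not listed". */
static bool lookup_old(const sig_db_t *db, const uint8_t hash[HASH_LEN]) {
    if (db->read_status != DB_OK)
        return false;                     /* error silently becomes "not found" */
    return hash_in_list(db, hash);
}

/* Post-patch shape: the status reports errors, *found carries the search result. */
static db_status_t lookup_new(const sig_db_t *db, const uint8_t hash[HASH_LEN], bool *found) {
    *found = false;                       /* defined on every return path */
    if (db->read_status == DB_NOT_FOUND)
        return DB_OK;                     /* no database: nothing to search */
    if (db->read_status != DB_OK)
        return db->read_status;           /* propagate the error to the caller */
    *found = hash_in_list(db, hash);
    return DB_OK;
}

/* Old caller policy: reject only on a positive dbx hit, allow on a positive db hit. */
static bool allow_old(const sig_db_t *dbx, const sig_db_t *db, const uint8_t hash[HASH_LEN]) {
    if (lookup_old(dbx, hash))
        return false;
    return lookup_old(db, hash);
}

/* New caller policy: any dbx error or hit rejects; db must read cleanly AND hit to allow. */
static bool allow_new(const sig_db_t *dbx, const sig_db_t *db, const uint8_t hash[HASH_LEN]) {
    bool found;
    db_status_t st = lookup_new(dbx, hash, &found);
    if (st != DB_OK || found)
        return false;
    st = lookup_new(db, hash, &found);
    return st == DB_OK && found;
}

/* Constructed sample: one hash that was allow-listed in db and later revoked via dbx. */
static const uint8_t revoked_hash[1][HASH_LEN] = {{ 0xAA, 0x01, 0x02, 0x03 }};
static const uint8_t fresh_hash[HASH_LEN]      = { 0xBB, 0x04, 0x05, 0x06 };

/* Decision for the revoked hash when reading dbx yields dbx_status (DB_OK = clean read). */
static bool decide_revoked(bool use_new_policy, db_status_t dbx_status) {
    sig_db_t db  = { revoked_hash, 1, DB_OK };
    sig_db_t dbx = { revoked_hash, 1, dbx_status };
    return use_new_policy ? allow_new(&dbx, &db, revoked_hash[0])
                          : allow_old(&dbx, &db, revoked_hash[0]);
}

/* Decision for a hash listed nowhere, with healthy db and dbx reads. */
static bool decide_unlisted(bool use_new_policy) {
    sig_db_t db  = { revoked_hash, 1, DB_OK };
    sig_db_t dbx = { revoked_hash, 1, DB_OK };
    return use_new_policy ? allow_new(&dbx, &db, fresh_hash)
                          : allow_old(&dbx, &db, fresh_hash);
}

int main(void) {
    printf("revoked hash, dbx read error: old=%s new=%s\n",
           decide_revoked(false, DB_DEVICE_ERROR) ? "ALLOW" : "reject",
           decide_revoked(true,  DB_DEVICE_ERROR) ? "ALLOW" : "reject");
    printf("revoked hash, dbx absent:     old=%s new=%s\n",
           decide_revoked(false, DB_NOT_FOUND) ? "ALLOW" : "reject",
           decide_revoked(true,  DB_NOT_FOUND) ? "ALLOW" : "reject");
    return 0;
}
```

The first line of output is the bypass the patch closes: with the old shape a dbx read failure looks like "not revoked" and the db hit lets the revoked image run, while the new shape rejects on any dbx error. The second line shows that mapping an absent dbx to success with found == false is not a regression: with no dbx at all, both policies correctly fall through to the db decision.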