From: "Jan Bobek" <jbobek@nvidia.com>
To: <devel@edk2.groups.io>
Cc: Jeff Brasen <jbrasen@nvidia.com>,
Girish Mahadevan <gmahadevan@nvidia.com>,
Jan Bobek <jbobek@nvidia.com>, Jiewen Yao <jiewen.yao@intel.com>,
Jian J Wang <jian.j.wang@intel.com>, Min Xu <min.m.xu@intel.com>
Subject: Re: [PATCH 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present
Date: Tue, 3 Jan 2023 15:29:47 -0700 [thread overview]
Message-ID: <87pmbvz219.fsf@nvidia.com> (raw)
In-Reply-To: <87y1raoofs.fsf@nvidia.com>
Anothing ping. Comments/reviews/merge highly appreciated.
Thank you,
-Jan
Jan Bobek writes:
> Ping. Can I get a review and/or some comments on this patch, please?
>
> Thanks,
> -Jan
>
> Jan Bobek writes:
>
>> Based on whether the DER-encoded ContentInfo structure is present in
>> authenticated SetVariable payload or not, the SHA-256 OID can be
>> located at different places.
>>
>> UEFI specification explicitly states the driver shall support both
>> cases, but the old code assumed ContentInfo was not present and
>> incorrectly rejected authenticated variable updates when it were
>> present.
>>
>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>> Cc: Jian J Wang <jian.j.wang@intel.com>
>> Cc: Min Xu <min.m.xu@intel.com>
>> Signed-off-by: Jan Bobek <jbobek@nvidia.com>
>> ---
>> .../Library/AuthVariableLib/AuthService.c | 18 +++++++++++-------
>> 1 file changed, 11 insertions(+), 7 deletions(-)
>>
>> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
>> index 054ee4d1d988..de8baccab410 100644
>> --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
>> +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
>> @@ -1933,15 +1933,19 @@ VerifyTimeBasedPayload (
>> // .... }
>> // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm
>> // in VARIABLE_AUTHENTICATION_2 descriptor.
>> - // This field has the fixed offset (+13) and be calculated based on two bytes of length encoding.
>> + // This field has the fixed offset (+13) or (+32) based on whether the DER-encoded
>> + // ContentInfo structure is present or not, and can be calculated based on two
>> + // bytes of length encoding.
>> //
>> if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
>> - if (SigDataSize >= (13 + sizeof (mSha256OidValue))) {
>> - if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) ||
>> - (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))
>> - {
>> - return EFI_SECURITY_VIOLATION;
>> - }
>> + if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue)))
>> + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
>> + || (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)))
>> + && ( (SigDataSize >= (32 + sizeof (mSha256OidValue)))
>> + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
>> + || (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))))
>> + {
>> + return EFI_SECURITY_VIOLATION;
>> }
>> }
next prev parent reply other threads:[~2023-01-03 22:29 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-03 0:44 [PATCH 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present Jan Bobek
2022-12-13 23:48 ` Jan Bobek
2023-01-03 22:29 ` Jan Bobek [this message]
2023-01-06 9:41 ` [edk2-devel] " Yao, Jiewen
2023-01-16 22:29 ` Jan Bobek
2023-01-17 0:24 ` Yao, Jiewen
2023-01-17 0:40 ` Jan Bobek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pmbvz219.fsf@nvidia.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox