References: <872cc00fa231a6a5a1edbe6d56082e44c38a0c0f.1670026872.git.jbobek@nvidia.com>
User-agent: mu4e 1.4.15; emacs 27.1
From: "Jan Bobek"
To:
CC: Jeff Brasen, Girish Mahadevan, Jan Bobek, Jiewen Yao, Jian J Wang, Min Xu
Subject: Re: [PATCH 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present
In-Reply-To: <872cc00fa231a6a5a1edbe6d56082e44c38a0c0f.1670026872.git.jbobek@nvidia.com>
Date: Tue, 13 Dec 2022 16:48:23 -0700
Message-ID: <87y1raoofs.fsf@nvidia.com>
Content-Type: text/plain

Ping. Can I get a review and/or some comments on this patch, please?

Thanks,
-Jan

Jan Bobek writes:

> Based on whether the DER-encoded ContentInfo structure is present in
> authenticated SetVariable payload or not, the SHA-256 OID can be
> located at different places.
>
> UEFI specification explicitly states the driver shall support both
> cases, but the old code assumed ContentInfo was not present and
> incorrectly rejected authenticated variable updates when it was
> present.
>
> Cc: Jiewen Yao
> Cc: Jian J Wang
> Cc: Min Xu
> Signed-off-by: Jan Bobek
> ---
>  .../Library/AuthVariableLib/AuthService.c | 18 +++++++++++-------
>  1 file changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> index 054ee4d1d988..de8baccab410 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> @@ -1933,15 +1933,19 @@ VerifyTimeBasedPayload ( > // .... } > // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm > // in VARIABLE_AUTHENTICATION_2 descriptor. > - // This field has the fixed offset (+13) and be calculated based on two bytes of length encoding. > + // This field has the fixed offset (+13) or (+32) based on whether the DER-encoded > + // ContentInfo structure is present or not, and can be calculated based on two > + // bytes of length encoding. > // > if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { > - if (SigDataSize >= (13 + sizeof (mSha256OidValue))) { > - if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) || > - (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) > - { > - return EFI_SECURITY_VIOLATION; > - } > + if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue))) > + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) > + || (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))) > + && ( (SigDataSize >= (32 + sizeof (mSha256OidValue))) > + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) > + || (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)))) > + { > + return EFI_SECURITY_VIOLATION; > } > }
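Review bot: the combined condition in this hunk returns EFI_SECURITY_VIOLATION only when the ContentInfo-absent check (+1/+13) and the ContentInfo-present check (+20/+32) both fail, and each half is gated by its own SigDataSize guard, so any SigData shorter than 32 + sizeof (mSha256OidValue) is never rejected here even if the byte at +1 is not TWO_BYTE_ENCODE or the bytes at +13 are not the SHA-256 OID; the old code rejected such a payload as soon as it was at least 13 + sizeof (mSha256OidValue) long, so this is a regression for that size range. Suggest inverting it into an accept-if-either-layout-matches form, roughly `if (!((SigDataSize >= 13 + sizeof (mSha256OidValue) && (*(SigData + 1) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE && CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) == 0) || (SigDataSize >= 32 + sizeof (mSha256OidValue) && (*(SigData + 20) & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE && CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) == 0))) { return EFI_SECURITY_VIOLATION; }`; note that this also closes the pre-existing silent pass-through for payloads too short for either layout, so if that behaviour is relied on, the commit message should say so. The updated comment would also be clearer if it said that +20/+32 are +1/+13 shifted by the same 19 bytes of ContentInfo framing that precede SignedData, which is why the length-byte offset and the OID offset move together.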
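As an added example (not edk2 code and not part of this patch), the following Python models the two PKCS#7 shapes the commit message describes, shows why the SHA-256 OID lands at +13 without ContentInfo and at +32 with it, and implements a layout-aware check that accepts either form. The tiny DER encoder and the OCTET STRING filler standing in for the rest of SignedData are constructed for the demonstration; the OID byte values are the standard DER encodings of sha256 and id-signedData.

```python
# Added example, not edk2 code: model the two PKCS#7 SignedData shapes an
# EFI_VARIABLE_AUTHENTICATION_2 payload may carry and locate the SHA-256
# DigestAlgorithmIdentifier OID in each, by fixed offset as AuthService.c does.
SHA256_OID = bytes.fromhex("608648016503040201")       # 2.16.840.1.101.3.4.2.1
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
TWO_BYTE_ENCODE = 0x82                                 # DER long form, 2 length bytes


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV: short form below 128 bytes, otherwise 0x82 + 2 length bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    assert n < 0x10000, "two-byte length form only"
    return bytes([tag, TWO_BYTE_ENCODE, n >> 8, n & 0xFF]) + body


def signed_data(digest_oid: bytes, filler: bytes) -> bytes:
    """SignedData ::= SEQUENCE { version, SET OF DigestAlgorithmIdentifier, ... }.
    The OCTET STRING filler is a constructed stand-in for the remaining fields;
    a long filler makes the outer SEQUENCE use the two-byte length form."""
    version = der(0x02, b"\x01")
    digest_algs = der(0x31, der(0x30, der(0x06, digest_oid)))
    return der(0x30, version + digest_algs + der(0x04, filler))


def with_content_info(sd: bytes) -> bytes:
    """ContentInfo ::= SEQUENCE { id-signedData, [0] EXPLICIT SignedData }."""
    return der(0x30, der(0x06, SIGNED_DATA_OID) + der(0xA0, sd))


def find_sha256_oid(sig: bytes):
    """Accept if either layout matches: (length byte, OID offset) is (+1, +13)
    without ContentInfo and (+20, +32) with it. Returns the OID offset, or None
    when the payload must be rejected (EFI_SECURITY_VIOLATION in the driver)."""
    for len_off, oid_off in ((1, 13), (20, 32)):
        if (len(sig) >= oid_off + len(SHA256_OID)
                and (sig[len_off] & TWO_BYTE_ENCODE) == TWO_BYTE_ENCODE
                and sig[oid_off:oid_off + len(SHA256_OID)] == SHA256_OID):
            return oid_off
    return None


if __name__ == "__main__":
    sd = signed_data(SHA256_OID, b"\x00" * 200)   # constructed sample payload
    print("without ContentInfo ->", find_sha256_oid(sd))                     # 13
    print("with ContentInfo    ->", find_sha256_oid(with_content_info(sd)))  # 32
```

A SHA-1 digest OID, a payload truncated below the ContentInfo-present size, or a payload small enough to use the short DER length form all return None, so the check never falls into a gap between the two size guards.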