From: "Bret Barkelew" <bret.barkelew@microsoft.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
gaoliming <gaoliming@byosoft.com.cn>,
"Wang, Jian J" <jian.j.wang@intel.com>,
"bret@corthon.com" <bret@corthon.com>,
"Bi, Dandan" <dandan.bi@intel.com>
Cc: "Wu, Hao A" <hao.a.wu@intel.com>,
liming.gao <liming.gao@intel.com>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
'Laszlo Ersek' <lersek@redhat.com>,
'Ard Biesheuvel' <ard.biesheuvel@arm.com>,
'Andrew Fish' <afish@apple.com>, "Ni, Ray" <ray.ni@intel.com>
Subject: Re: [edk2-devel] [PATCH v7 11/14] SecurityPkg: Allow VariablePolicy state to delete authenticated variables
Date: Wed, 16 Sep 2020 21:48:07 +0000 [thread overview]
Message-ID: <CY4PR21MB0743F4397BA477ACE3A9B398EF210@CY4PR21MB0743.namprd21.prod.outlook.com> (raw)
In-Reply-To: <CY4PR11MB128898AD6C156586029F0C508C210@CY4PR11MB1288.namprd11.prod.outlook.com>
[-- Attachment #1: Type: text/plain, Size: 8944 bytes --]
These are both great points and I’ll make both changes.
Thanks!
- Bret
From: Yao, Jiewen via groups.io<mailto:jiewen.yao=intel.com@groups.io>
Sent: Tuesday, September 15, 2020 7:52 PM
To: Yao, Jiewen<mailto:jiewen.yao@intel.com>; gaoliming<mailto:gaoliming@byosoft.com.cn>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Wang, Jian J<mailto:jian.j.wang@intel.com>; bret@corthon.com<mailto:bret@corthon.com>; Bi, Dandan<mailto:dandan.bi@intel.com>
Cc: Wu, Hao A<mailto:hao.a.wu@intel.com>; liming.gao<mailto:liming.gao@intel.com>; Justen, Jordan L<mailto:jordan.l.justen@intel.com>; 'Laszlo Ersek'<mailto:lersek@redhat.com>; 'Ard Biesheuvel'<mailto:ard.biesheuvel@arm.com>; 'Andrew Fish'<mailto:afish@apple.com>; Ni, Ray<mailto:ray.ni@intel.com>
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH v7 11/14] SecurityPkg: Allow VariablePolicy state to delete authenticated variables
Hi Bret
I have minor comment below. Please let me know your thought.
> -----邮件原件-----
> 发件人: bounce+27952+64723+4905953+8761045@groups.io
> <bounce+27952+64723+4905953+8761045@groups.io> 代表 Bret Barkelew
> 发送时间: 2020年8月28日 13:51
> 收件人: devel@edk2.groups.io
> 抄送: Jiewen Yao <jiewen.yao@intel.com>; Jian J Wang
> <jian.j.wang@intel.com>; Chao Zhang <chao.b.zhang@intel.com>
> 主题: [edk2-devel] [PATCH v7 11/14] SecurityPkg: Allow VariablePolicy state
> to delete authenticated variables
>
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2522&data=02%7C01%7Cbret.barkelew%40microsoft.com%7C8f1aee9f15a14900a3d508d859eb7222%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637358215630854973&sdata=JyDdXC9JRdBdqfmhAc6fI4R5xhh70wcD0NnNIgwfF3w%3D&reserved=0
>
> Causes AuthService to check
> IsVariablePolicyEnabled() before enforcing
> write protections to allow variable deletion
> when policy engine is disabled.
>
> Only allows deletion, not modification.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Cc: Bret Barkelew <brbarkel@microsoft.com>
> Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
> ---
> SecurityPkg/Library/AuthVariableLib/AuthService.c | 22
> ++++++++++++++++----
> SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 ++
> 2 files changed, 20 insertions(+), 4 deletions(-)
>
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> index 2f60331f2c04..aca9a5620c28 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> @@ -19,12 +19,16 @@
> to verify the signature.
>
>
>
> Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
>
> +Copyright (c) Microsoft Corporation.
>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
>
>
> **/
>
>
>
> #include "AuthServiceInternal.h"
>
>
>
> +#include <Protocol/VariablePolicy.h>
>
> +#include <Library/VariablePolicyLib.h>
>
> +
>
> //
>
> // Public Exponent of RSA Key.
>
> //
>
> @@ -217,9 +221,12 @@ NeedPhysicallyPresent(
> IN EFI_GUID *VendorGuid
>
> )
>
> {
>
> - if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) &&
> (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) == 0))
>
> - || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp
> (VariableName, EFI_CUSTOM_MODE_NAME) == 0))) {
>
> - return TRUE;
>
> + // If the VariablePolicy engine is disabled, allow deletion of any
> authenticated variables.
>
> + if (IsVariablePolicyEnabled()) {
>
> + if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) &&
> (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) == 0))
>
> + || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp
> (VariableName, EFI_CUSTOM_MODE_NAME) == 0))) {
>
> + return TRUE;
>
> + }
>
> }
[Jiewen] Looks good.
>
>
> return FALSE;
>
> @@ -842,7 +849,8 @@ ProcessVariable (
> &OrgVariableInfo
>
> );
>
>
>
> - if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable
> (OrgVariableInfo.Attributes, Data, DataSize, Attributes) &&
> UserPhysicalPresent()) {
>
> + // If the VariablePolicy engine is disabled, allow deletion of any
> authenticated variables.
>
> + if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable
> (OrgVariableInfo.Attributes, Data, DataSize, Attributes) &&
> (UserPhysicalPresent() || !IsVariablePolicyEnabled())) {
>
[Jiewen] Looks good.
> //
>
> // Allow the delete operation of common authenticated variable(AT or
> AW) at user physical presence.
>
> //
>
> @@ -1960,6 +1968,12 @@ VerifyTimeBasedPayload (
>
>
> CopyMem (Buffer, PayloadPtr, PayloadSize);
>
>
>
> + // If the VariablePolicy engine is disabled, allow deletion of any
> authenticated variables.
>
> + if (PayloadSize == 0 && (Attributes & EFI_VARIABLE_APPEND_WRITE) == 0 &&
> !IsVariablePolicyEnabled()) {
>
> + VerifyStatus = TRUE;
>
> + goto Exit;
>
> + }
>
[Jiewen] I checked the programming context.
If we are going to skip the check, I feel the GetScratchBuffer() and CopyMem () may be avoided.
Also, I do not find any those data are used at Exit.
How about we move the check just after getting PayloadSize?
//
// Find out the new data payload which follows Pkcs7 SignedData directly.
//
PayloadPtr = SigData + SigDataSize;
PayloadSize = DataSize - OFFSET_OF_AUTHINFO2_CERT_DATA - (UINTN) SigDataSize;
I hope it can make logic clearer.
One more thing is about below action at Exit.
Pkcs7FreeSigners (TopLevelCert);
Pkcs7FreeSigners (SignerCerts);
With new short path, we can come here with NULL point for Pkcs7FreeSigners().
I don't know the result if we pass a NULL pointer according to Pkcs7FreeSigners() API definition.
/**
Wrap function to use free() to free allocated memory for certificates.
If this interface is not supported, then ASSERT().
@param[in] Certs Pointer to the certificates to be freed.
**/
VOID
EFIAPI
Pkcs7FreeSigners (
IN UINT8 *Certs
);
I notice the current openssl version BaseCryptoLib implementation will check NULL and return.
We are safe in the default one. But I am not sure about other implementation.
I recommend we either document NULL pointer behavior in Pkcs7FreeSigners(), or add NULL pointer check at Exit to avoid calling Pkcs7FreeSigners().
With above two update, reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> +
>
> if (AuthVarType == AuthVarTypePk) {
>
> //
>
> // Verify that the signature has been made with the current Platform
> Key (no chaining for PK).
>
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> index 8d4ce14df494..8eadeebcebd7 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> @@ -3,6 +3,7 @@
> #
>
> # Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
>
> # Copyright (c) 2018, ARM Limited. All rights reserved.<BR>
>
> +# Copyright (c) Microsoft Corporation.
>
> #
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #
>
> @@ -41,6 +42,7 @@ [LibraryClasses]
> MemoryAllocationLib
>
> BaseCryptLib
>
> PlatformSecureLib
>
> + VariablePolicyLib
>
>
>
> [Guids]
>
> ## CONSUMES ## Variable:L"SetupMode"
>
> --
> 2.28.0.windows.1
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
>
> View/Reply Online (#64723): https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Fmessage%2F64723&data=02%7C01%7Cbret.barkelew%40microsoft.com%7C8f1aee9f15a14900a3d508d859eb7222%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637358215630864971&sdata=JpxigghyweSgGoxS3lF6P6giUqI6WkIkDfX6%2FTqcog4%3D&reserved=0
> Mute This Topic: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.io%2Fmt%2F76468137%2F4905953&data=02%7C01%7Cbret.barkelew%40microsoft.com%7C8f1aee9f15a14900a3d508d859eb7222%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637358215630864971&sdata=FUAT8j4ic9AokVjXWRNAgC2GRTKg581rra%2BHcnJ%2F%2BBc%3D&reserved=0
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Funsub&data=02%7C01%7Cbret.barkelew%40microsoft.com%7C8f1aee9f15a14900a3d508d859eb7222%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637358215630864971&sdata=kTY8I2s1WrJMc0r43wy0d1LwHJfnVe3WuYnx%2BCMuT4k%3D&reserved=0
> [gaoliming@byosoft.com.cn]
> -=-=-=-=-=-=
>
>
[-- Attachment #2: Type: text/html, Size: 16438 bytes --]
next prev parent reply other threads:[~2020-09-16 21:48 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-28 5:51 [PATCH v7 00/14] Add the VariablePolicy feature Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 01/14] MdeModulePkg: Define the VariablePolicy protocol interface Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 02/14] MdeModulePkg: Define the VariablePolicyLib Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 03/14] MdeModulePkg: Define the VariablePolicyHelperLib Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 04/14] MdeModulePkg: Define the VarCheckPolicyLib and SMM interface Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 05/14] OvmfPkg: Add VariablePolicy engine to OvmfPkg platform Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 06/14] EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform Bret Barkelew
2020-09-23 2:47 ` [edk2-devel] " Ni, Ray
2020-09-23 4:29 ` Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 07/14] ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 08/14] UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 09/14] MdeModulePkg: Connect VariablePolicy business logic to VariableServices Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 11/14] SecurityPkg: Allow VariablePolicy state to delete authenticated variables Bret Barkelew
[not found] ` <007a01d68bc9$744d2af0$5ce780d0$@byosoft.com.cn>
2020-09-16 2:51 ` [edk2-devel] " Yao, Jiewen
2020-09-16 21:48 ` Bret Barkelew [this message]
2020-08-28 5:51 ` [PATCH v7 12/14] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 13/14] MdeModulePkg: Drop VarLock from RuntimeDxe variable driver Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 14/14] MdeModulePkg: Add a shell-based functional test for VariablePolicy Bret Barkelew
2020-09-08 1:09 ` 回复: [edk2-devel] [PATCH v7 00/14] Add the VariablePolicy feature gaoliming
2020-09-15 15:44 ` Dandan Bi
2020-09-15 20:00 ` Bret Barkelew
2020-09-22 15:35 ` Wang, Jian J
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CY4PR21MB0743F4397BA477ACE3A9B398EF210@CY4PR21MB0743.namprd21.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox