From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"jbobek@nvidia.com" <jbobek@nvidia.com>
Cc: Jeff Brasen <jbrasen@nvidia.com>,
Girish Mahadevan <gmahadevan@nvidia.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
"Xu, Min M" <min.m.xu@intel.com>
Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present
Date: Fri, 6 Jan 2023 09:41:28 +0000 [thread overview]
Message-ID: <MW4PR11MB58721CA0465D283F4F5A1AF38CFB9@MW4PR11MB5872.namprd11.prod.outlook.com> (raw)
In-Reply-To: <87pmbvz219.fsf@nvidia.com>
Hi
That is good catch!
My apology to miss it before.
1) Please file a bugzilla (https://bugzilla.tianocore.org/) to record the issue and associate to the patch.
2) Would you please share with us that how you discover the issue?
For example, any real use case to include ContentInfo? If yes, please share a URL.
Or this is just a purely spec compliance fix ?
3) Please describe how you validate the fix.
If possible, would you please share your test case?
4) Since the new code is handling ContentInfo structure is present, I believe we need also check if the ContentInfo structure is valid.
For example:
============
c SignedData.contentInfo.contentType shall be set to id-data
d SignedData.contentInfo.content shall be absent
============
What do you think?
Thank you
Yao, Jiewen
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Jan
> Bobek via groups.io
> Sent: Wednesday, January 4, 2023 6:30 AM
> To: devel@edk2.groups.io
> Cc: Jeff Brasen <jbrasen@nvidia.com>; Girish Mahadevan
> <gmahadevan@nvidia.com>; Jan Bobek <jbobek@nvidia.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M
> <min.m.xu@intel.com>
> Subject: Re: [edk2-devel] [PATCH 1/1] SecurityPkg/AuthVariableLib: Check
> SHA-256 OID with ContentInfo present
>
> Anothing ping. Comments/reviews/merge highly appreciated.
>
> Thank you,
> -Jan
>
> Jan Bobek writes:
>
> > Ping. Can I get a review and/or some comments on this patch, please?
> >
> > Thanks,
> > -Jan
> >
> > Jan Bobek writes:
> >
> >> Based on whether the DER-encoded ContentInfo structure is present in
> >> authenticated SetVariable payload or not, the SHA-256 OID can be
> >> located at different places.
> >>
> >> UEFI specification explicitly states the driver shall support both
> >> cases, but the old code assumed ContentInfo was not present and
> >> incorrectly rejected authenticated variable updates when it were
> >> present.
> >>
> >> Cc: Jiewen Yao <jiewen.yao@intel.com>
> >> Cc: Jian J Wang <jian.j.wang@intel.com>
> >> Cc: Min Xu <min.m.xu@intel.com>
> >> Signed-off-by: Jan Bobek <jbobek@nvidia.com>
> >> ---
> >> .../Library/AuthVariableLib/AuthService.c | 18 +++++++++++-------
> >> 1 file changed, 11 insertions(+), 7 deletions(-)
> >>
> >> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> >> index 054ee4d1d988..de8baccab410 100644
> >> --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> >> +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> >> @@ -1933,15 +1933,19 @@ VerifyTimeBasedPayload (
> >> // .... }
> >> // The DigestAlgorithmIdentifiers can be used to determine the hash
> algorithm
> >> // in VARIABLE_AUTHENTICATION_2 descriptor.
> >> - // This field has the fixed offset (+13) and be calculated based on two
> bytes of length encoding.
> >> + // This field has the fixed offset (+13) or (+32) based on whether the
> DER-encoded
> >> + // ContentInfo structure is present or not, and can be calculated
> based on two
> >> + // bytes of length encoding.
> >> //
> >> if ((Attributes &
> EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
> >> - if (SigDataSize >= (13 + sizeof (mSha256OidValue))) {
> >> - if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) ||
> >> - (CompareMem (SigData + 13, &mSha256OidValue, sizeof
> (mSha256OidValue)) != 0))
> >> - {
> >> - return EFI_SECURITY_VIOLATION;
> >> - }
> >> + if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue)))
> >> + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) !=
> TWO_BYTE_ENCODE)
> >> + || (CompareMem (SigData + 13, &mSha256OidValue, sizeof
> (mSha256OidValue)) != 0)))
> >> + && ( (SigDataSize >= (32 + sizeof (mSha256OidValue)))
> >> + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) !=
> TWO_BYTE_ENCODE)
> >> + || (CompareMem (SigData + 32, &mSha256OidValue, sizeof
> (mSha256OidValue)) != 0))))
> >> + {
> >> + return EFI_SECURITY_VIOLATION;
> >> }
> >> }
>
>
>
>
next prev parent reply other threads:[~2023-01-06 9:41 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-03 0:44 [PATCH 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present Jan Bobek
2022-12-13 23:48 ` Jan Bobek
2023-01-03 22:29 ` Jan Bobek
2023-01-06 9:41 ` Yao, Jiewen [this message]
2023-01-16 22:29 ` [edk2-devel] " Jan Bobek
2023-01-17 0:24 ` Yao, Jiewen
2023-01-17 0:40 ` Jan Bobek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MW4PR11MB58721CA0465D283F4F5A1AF38CFB9@MW4PR11MB5872.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox