From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Marvin Häuser" <mhaeuser@posteo.de>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Wang, Jian J" <jian.j.wang@intel.com>,
"Xu, Min M" <min.m.xu@intel.com>,
Vitaly Cheptsov <vit9696@protonmail.com>
Subject: Re: [PATCH] SecurityPkg/DxeImageVerificationLib: Always lookup SHA-256 hash in dbx
Date: Mon, 9 Aug 2021 02:48:48 +0000 [thread overview]
Message-ID: <PH0PR11MB4885B742EBC88D6F14D8D7D98CF69@PH0PR11MB4885.namprd11.prod.outlook.com> (raw)
In-Reply-To: <6810bb96b0c7ef377680112f48bac9cd0a964a52.1628353537.git.mhaeuser@posteo.de>
Hi Marvin
With this patch, the path "Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND" no longer exists.
Do you think we should remove EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND as well?
Thank you
Yao Jiewen
> -----Original Message-----
> From: Marvin Häuser <mhaeuser@posteo.de>
> Sent: Monday, August 9, 2021 3:40 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Xu, Min M <min.m.xu@intel.com>; Vitaly Cheptsov <vit9696@protonmail.com>
> Subject: [PATCH] SecurityPkg/DxeImageVerificationLib: Always lookup SHA-256
> hash in dbx
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3461
>
> The UEFI specification prohibits loading any UEFI image of which a
> matching SHA-256 hash is contained in "dbx" (UEFI 2.9, 32.5.3.3
> "Authorization Process", 3.A). Currently, this is only explicitly
> checked when the image is unsigned and otherwise the hash algorithms
> of the certificates are used.
>
> Align with the UEFI specification by specifically looking up the
> SHA-256 hash of the image in "dbx".
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Vitaly Cheptsov <vit9696@protonmail.com>
> Signed-off-by: Marvin Häuser <mhaeuser@posteo.de>
> ---
> SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 60
> ++++++++------------
> 1 file changed, 24 insertions(+), 36 deletions(-)
>
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index c48861cd6496..1f9bb33e86c3 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -1803,34 +1803,36 @@ DxeImageVerificationHandler (
> }
>
> }
>
>
>
> + //
>
> + // The SHA256 hash value of the image must not be reflected in the security
> data base "dbx".
>
> + //
>
> + if (!HashPeImage (HASHALG_SHA256)) {
>
> + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image
> using %s.\n", mHashTypeStr));
>
> + goto Failed;
>
> + }
>
> +
>
> + DbStatus = IsSignatureFoundInDatabase (
>
> + EFI_IMAGE_SECURITY_DATABASE1,
>
> + mImageDigest,
>
> + &mCertType,
>
> + mImageDigestSize,
>
> + &IsFound
>
> + );
>
> + if (EFI_ERROR (DbStatus) || IsFound) {
>
> + //
>
> + // Image Hash is in forbidden database (DBX).
>
> + //
>
> + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed
> and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
>
> + goto Failed;
>
> + }
>
> +
>
> //
>
> // Start Image Validation.
>
> //
>
> if (SecDataDir == NULL || SecDataDir->Size == 0) {
>
> //
>
> - // This image is not signed. The SHA256 hash value of the image must match
> a record in the security database "db",
>
> - // and not be reflected in the security data base "dbx".
>
> + // This image is not signed. The SHA256 hash value of the image must match
> a record in the security database "db".
>
> //
>
> - if (!HashPeImage (HASHALG_SHA256)) {
>
> - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image
> using %s.\n", mHashTypeStr));
>
> - goto Failed;
>
> - }
>
> -
>
> - DbStatus = IsSignatureFoundInDatabase (
>
> - EFI_IMAGE_SECURITY_DATABASE1,
>
> - mImageDigest,
>
> - &mCertType,
>
> - mImageDigestSize,
>
> - &IsFound
>
> - );
>
> - if (EFI_ERROR (DbStatus) || IsFound) {
>
> - //
>
> - // Image Hash is in forbidden database (DBX).
>
> - //
>
> - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed
> and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
>
> - goto Failed;
>
> - }
>
> -
>
> DbStatus = IsSignatureFoundInDatabase (
>
> EFI_IMAGE_SECURITY_DATABASE,
>
> mImageDigest,
>
> @@ -1932,20 +1934,6 @@ DxeImageVerificationHandler (
> //
>
> // Check the image's hash value.
>
> //
>
> - DbStatus = IsSignatureFoundInDatabase (
>
> - EFI_IMAGE_SECURITY_DATABASE1,
>
> - mImageDigest,
>
> - &mCertType,
>
> - mImageDigestSize,
>
> - &IsFound
>
> - );
>
> - if (EFI_ERROR (DbStatus) || IsFound) {
>
> - Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
>
> - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s
> hash of image is found in DBX.\n", mHashTypeStr));
>
> - IsVerified = FALSE;
>
> - break;
>
> - }
>
> -
>
> if (!IsVerified) {
>
> DbStatus = IsSignatureFoundInDatabase (
>
> EFI_IMAGE_SECURITY_DATABASE,
>
> --
> 2.31.1
next prev parent reply other threads:[~2021-08-09 2:48 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-08 19:39 [PATCH] ArmPkg/DefaultExceptionHandlerLib: Fix DebugImageInfoTable lookup Marvin Häuser
2021-08-08 19:39 ` [PATCH] BaseTools: Define the read-only data section name per toolchain Marvin Häuser
2021-08-08 19:39 ` [PATCH] UefiCpuPkg/BaseUefiCpuLib: Use toolchain-specific rodata section name Marvin Häuser
2021-08-08 19:39 ` [PATCH] BaseTools/tools_def: Fix CLANGPDB X64 RCPATH Marvin Häuser
2021-08-08 19:39 ` [PATCH] EmulatorPkg/Host/Unix: Drop dlopen() usage Marvin Häuser
2021-08-08 19:39 ` [PATCH] EmulatorPkg/Host/Unix: Remove unused declarations Marvin Häuser
2021-08-08 19:39 ` [PATCH] MdeModulePkg/CoreDxe: Drop caller-allocated image buffers Marvin Häuser
2021-08-08 19:39 ` [PATCH] MdeModulePkg/DxeCore: Consistent DebugImageInfoTable updates Marvin Häuser
2021-08-08 19:39 ` [PATCH] MdeModulePkg/DxeCore: Fix DebugImageInfoTable size report Marvin Häuser
2021-08-08 19:39 ` [PATCH] EmbeddedPkg/GdbStub: Check DebugImageInfoTable type safely Marvin Häuser
2021-08-08 19:39 ` [PATCH] ArmPkg/DefaultExceptionHandlerLib: " Marvin Häuser
2021-08-08 19:40 ` [PATCH] MdeModulePkg/CoreDxe: Mandatory LoadedImage for DebugImageInfoTable Marvin Häuser
2021-08-08 19:40 ` [PATCH] EmbeddedPkg/GdbStub: " Marvin Häuser
2021-08-08 19:40 ` [PATCH] ArmPkg/DefaultExceptionHandlerLib: " Marvin Häuser
2021-08-09 6:10 ` [PATCH] MdeModulePkg/DxeCore: Consistent DebugImageInfoTable updates Wu, Hao A
2021-08-09 6:15 ` Marvin Häuser
2021-08-09 6:52 ` [edk2-devel] " Wu, Hao A
2021-08-09 6:55 ` Wu, Hao A
2021-08-09 7:21 ` Marvin Häuser
2021-08-09 7:26 ` Wu, Hao A
2021-08-08 19:39 ` [PATCH] MdeModulePkg/DxeCore: Drop unnecessary pointer indirection Marvin Häuser
2021-08-08 19:39 ` [PATCH] MdeModulePkg/DxeCore: Use the correct source for fixed load address Marvin Häuser
2021-08-08 19:39 ` [PATCH] MdeModulePkg/PiSmmCore: Drop deprecated image profiling commands Marvin Häuser
2021-08-09 4:23 ` Ni, Ray
2021-08-09 5:33 ` Yao, Jiewen
2021-08-09 5:43 ` [edk2-devel] " Marvin Häuser
2021-08-08 19:39 ` [PATCH] MdeModulePkg/PiSmmIpl: Correct fixed load address bounds check Marvin Häuser
2021-08-08 19:39 ` [PATCH] MdePkg/Base.h: Introduce various alignment-related macros Marvin Häuser
2021-08-13 7:27 ` Wu, Hao A
2021-08-13 8:41 ` [edk2-devel] " Marvin Häuser
2021-08-13 8:45 ` Wu, Hao A
2021-08-08 19:39 ` [PATCH] MdePkg/BaseLib: Fix unaligned API prototypes Marvin Häuser
2021-08-08 19:39 ` [PATCH] BaseTools/CommonLib: " Marvin Häuser
2021-08-08 19:39 ` [PATCH] SecurityPkg/DxeImageVerificationLib: Always lookup SHA-256 hash in dbx Marvin Häuser
2021-08-09 0:02 ` Min Xu
2021-08-09 5:25 ` [edk2-devel] " Marvin Häuser
2021-08-09 2:48 ` Yao, Jiewen [this message]
2021-08-09 5:42 ` Marvin Häuser
2021-08-08 19:39 ` [PATCH] SecurityPkg/DxeImageVerificationLib: Fix certificate lookup algorithm Marvin Häuser
2021-08-08 19:39 ` [PATCH] SecurityPkg/SecureBootConfigDxe: " Marvin Häuser
2021-08-08 19:39 ` [PATCH] StandaloneMmPkg/FvLib: Correct FV section data size Marvin Häuser
2021-08-08 19:39 ` [PATCH] StandaloneMmPkg/StandaloneMmCore: Drop code for traditional drivers Marvin Häuser
2021-08-08 19:39 ` [PATCH] StandaloneMmPkg/StandaloneMmCore: Drop unused fixed address feature Marvin Häuser
2021-08-08 19:39 ` [PATCH] StandaloneMmPkg: Support CLANGPDB X64 builds Marvin Häuser
2021-10-11 1:04 ` [edk2-devel] " Steven Shi
2021-08-08 19:39 ` [PATCH] UefiPayloadPkg/UefiPayloadEntry: Fix memory corruption Marvin Häuser
2021-08-09 4:20 ` Ni, Ray
2021-08-09 5:47 ` Marvin Häuser
2021-08-10 19:13 ` Guo Dong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=PH0PR11MB4885B742EBC88D6F14D8D7D98CF69@PH0PR11MB4885.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox