[edk2-devel] [PATCH v1] SecurityPkg: Improve initialization of default key variables.
Sunny Wang
Sunny.Wang at arm.com
Tue Dec 14 15:43:31 UTC 2021
Looks good to me.
Reviewed-by: Sunny Wang <sunny.wang at arm.com>
Hi Patrick,
This patch is to address your comment below. Could you give this patch a try on your side?
https://edk2.groups.io/g/devel/message/79766?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3Arecentpostdate%2Fsticky%2C%2CSecurityPkg%3A+Create+library+for+enrolling+Secure+Boot+variables.%2C20%2C2%2C0%2C84608356
Best Regards,
Sunny
-----Original Message-----
From: Grzegorz Bernacki <gjb at semihalf.com>
Sent: 06 October 2021 13:25
To: devel at edk2.groups.io
Cc: jiewen.yao at intel.com; jian.j.wang at intel.com; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud at arm.com>; Sunny Wang <Sunny.Wang at arm.com>; mw at semihalf.com; upstream at semihalf.com; Grzegorz Bernacki <gjb at semihalf.com>
Subject: [PATCH v1] SecurityPkg: Improve initialization of default key variables.
This commit allows to use data in EFI_VARIABLE_AUTHENTICATION_2
structure format to initialize default secure boot variables.
It allows to use revocation list published by UEFI.
Signed-off-by: Grzegorz Bernacki <gjb at semihalf.com>
---
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 90 ++++++++++++--------
1 file changed, 56 insertions(+), 34 deletions(-)
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
index ff65184713..1f8869b1d2 100644
--- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
@@ -73,20 +73,19 @@ CreateSigList (
/** Adds new signature list to signature database.
- @param[in] SigLists A pointer to signature database.
- @param[in] SigListAppend A signature list to be added.
- @param[out] *SigListOut Created signature database.
+ @param[in,out] SigLists A pointer to signature database.
+ @param[in] SigListAppend A signature list to be added.
@param[in, out] SigListsSize A size of created signature database.
@retval EFI_SUCCESS Signature List was added successfully.
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
+ @retval EFI_INVALID_PARAMETER Invalid parameters.
**/
STATIC
EFI_STATUS
ConcatenateSigList (
- IN EFI_SIGNATURE_LIST *SigLists,
+ IN EFI_SIGNATURE_LIST **SigLists,
IN EFI_SIGNATURE_LIST *SigListAppend,
- OUT EFI_SIGNATURE_LIST **SigListOut,
IN OUT UINTN *SigListsSize
)
{
@@ -94,6 +93,10 @@ ConcatenateSigList (
UINT8 *Offset;
UINTN NewSigListsSize;
+ if ((SigLists == NULL) || (SigListsSize == NULL) || (SigListAppend == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);
@@ -101,14 +104,17 @@ ConcatenateSigList (
return EFI_OUT_OF_RESOURCES;
}
- CopyMem (TmpSigList, SigLists, *SigListsSize);
+ if (*SigLists != NULL) {
+ CopyMem (TmpSigList, *SigLists, *SigListsSize);
+ FreePool(*SigLists);
+ }
Offset = (UINT8 *)TmpSigList;
Offset += *SigListsSize;
CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);
*SigListsSize = NewSigListsSize;
- *SigListOut = TmpSigList;
+ *SigLists = TmpSigList;
return EFI_SUCCESS;
}
@@ -133,14 +139,15 @@ SecureBootFetchData (
OUT EFI_SIGNATURE_LIST **SigListOut
)
{
+ EFI_VARIABLE_AUTHENTICATION_2 *Auth2;
EFI_SIGNATURE_LIST *EfiSig;
EFI_SIGNATURE_LIST *TmpEfiSig;
- EFI_SIGNATURE_LIST *TmpEfiSig2;
EFI_STATUS Status;
VOID *Buffer;
VOID *RsaPubKey;
UINTN Size;
UINTN KeyIndex;
+ UINTN SigListOffset;
KeyIndex = 0;
@@ -154,42 +161,57 @@ SecureBootFetchData (
&Buffer,
&Size
);
+ if (Status == EFI_NOT_FOUND && KeyIndex > 0) {
+ break;
+ } else if (EFI_ERROR(Status)) {
+ if (EfiSig != NULL) {
+ FreePool(EfiSig);
+ }
+ return EFI_INVALID_PARAMETER;
+ }
- if (Status == EFI_SUCCESS) {
- RsaPubKey = NULL;
- if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
- DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+ RsaPubKey = NULL;
+ Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)Buffer;
+ if ((Auth2->AuthInfo.Hdr.wCertificateType == WIN_CERT_TYPE_EFI_GUID) &&
+ (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType) == TRUE)) {
+
+ SigListOffset = Auth2->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
+ TmpEfiSig = (EFI_SIGNATURE_LIST *) &Auth2->AuthInfo.CertData[SigListOffset];
+ Size -= OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo);
+ Size -= OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
+ Size -= SigListOffset;
+
+ while (Size > 0) {
+ ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize);
+ Size -= TmpEfiSig->SignatureListSize;
+ TmpEfiSig = (EFI_SIGNATURE_LIST *)((UINT8 *)TmpEfiSig + TmpEfiSig->SignatureListSize);
+ }
+ } else if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == TRUE) {
+ Status = CreateSigList (Buffer, Size, &TmpEfiSig);
+
+ if (EFI_ERROR(Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: Cannot create a sig list\n", __FUNCTION__));
if (EfiSig != NULL) {
FreePool(EfiSig);
}
FreePool(Buffer);
- return EFI_INVALID_PARAMETER;
- }
- Status = CreateSigList (Buffer, Size, &TmpEfiSig);
-
- //
- // Concatenate lists if more than one section found
- //
- if (KeyIndex == 0) {
- EfiSig = TmpEfiSig;
- *SigListsSize = TmpEfiSig->SignatureListSize;
- } else {
- ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
- FreePool (EfiSig);
- FreePool (TmpEfiSig);
- EfiSig = TmpEfiSig2;
+ return Status;
}
- KeyIndex++;
- FreePool (Buffer);
- } if (Status == EFI_NOT_FOUND) {
- break;
+ ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize);
+ FreePool (TmpEfiSig);
+ } else {
+ DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+ if (EfiSig != NULL) {
+ FreePool(EfiSig);
+ }
+ FreePool(Buffer);
+ return EFI_INVALID_PARAMETER;
}
- };
- if (KeyIndex == 0) {
- return EFI_NOT_FOUND;
+ KeyIndex++;
+ FreePool (Buffer);
}
*SigListOut = EfiSig;
--
2.25.1
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#84821): https://edk2.groups.io/g/devel/message/84821
Mute This Topic: https://groups.io/mt/86117798/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list