[edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Always lookup SHA-256 hash in dbx

Marvin Häuser mhaeuser at posteo.de
Sun Aug 8 19:39:47 UTC 2021


REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3461

The UEFI specification prohibits loading any UEFI image of which a
matching SHA-256 hash is contained in "dbx" (UEFI 2.9, 32.5.3.3
"Authorization Process", 3.A). Currently, this is only explicitly
checked when the image is unsigned and otherwise the hash algorithms
of the certificates are used.

Align with the UEFI specification by specifically looking up the
SHA-256 hash of the image in "dbx".

Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Jian J Wang <jian.j.wang at intel.com>
Cc: Min Xu <min.m.xu at intel.com>
Cc: Vitaly Cheptsov <vit9696 at protonmail.com>
Signed-off-by: Marvin Häuser <mhaeuser at posteo.de>
---
 SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 60 ++++++++------------
 1 file changed, 24 insertions(+), 36 deletions(-)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index c48861cd6496..1f9bb33e86c3 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1803,34 +1803,36 @@ DxeImageVerificationHandler (
     }

   }

 

+  //

+  // The SHA256 hash value of the image must not be reflected in the security data base "dbx".

+  //

+  if (!HashPeImage (HASHALG_SHA256)) {

+    DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));

+    goto Failed;

+  }

+

+  DbStatus = IsSignatureFoundInDatabase (

+               EFI_IMAGE_SECURITY_DATABASE1,

+               mImageDigest,

+               &mCertType,

+               mImageDigestSize,

+               &IsFound

+               );

+  if (EFI_ERROR (DbStatus) || IsFound) {

+    //

+    // Image Hash is in forbidden database (DBX).

+    //

+    DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));

+    goto Failed;

+  }

+

   //

   // Start Image Validation.

   //

   if (SecDataDir == NULL || SecDataDir->Size == 0) {

     //

-    // This image is not signed. The SHA256 hash value of the image must match a record in the security database "db",

-    // and not be reflected in the security data base "dbx".

+    // This image is not signed. The SHA256 hash value of the image must match a record in the security database "db".

     //

-    if (!HashPeImage (HASHALG_SHA256)) {

-      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));

-      goto Failed;

-    }

-

-    DbStatus = IsSignatureFoundInDatabase (

-                 EFI_IMAGE_SECURITY_DATABASE1,

-                 mImageDigest,

-                 &mCertType,

-                 mImageDigestSize,

-                 &IsFound

-                 );

-    if (EFI_ERROR (DbStatus) || IsFound) {

-      //

-      // Image Hash is in forbidden database (DBX).

-      //

-      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));

-      goto Failed;

-    }

-

     DbStatus = IsSignatureFoundInDatabase (

                  EFI_IMAGE_SECURITY_DATABASE,

                  mImageDigest,
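Review bot: the DEBUG string kept in the hoisted block, "Image is not signed and %s hash of image is forbidden by DBX.", is now also printed for signed images, because the check runs before the `SecDataDir == NULL || SecDataDir->Size == 0` branch; drop the "Image is not signed and" prefix (or report whether a security directory is present) so the log does not misdescribe a signed image rejected on its hash. The leading comment, "The SHA256 hash value of the image must not be reflected in the security data base "dbx".", would also be a good place to cite UEFI 2.9 32.5.3.3 as the commit message does, since that is the reason SHA-256 is looked up irrespective of the certificate's algorithm.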

@@ -1932,20 +1934,6 @@ DxeImageVerificationHandler (
     //

     // Check the image's hash value.

     //

-    DbStatus = IsSignatureFoundInDatabase (

-                 EFI_IMAGE_SECURITY_DATABASE1,

-                 mImageDigest,

-                 &mCertType,

-                 mImageDigestSize,

-                 &IsFound

-                 );

-    if (EFI_ERROR (DbStatus) || IsFound) {

-      Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;

-      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr));

-      IsVerified = FALSE;

-      break;

-    }

-

     if (!IsVerified) {

       DbStatus = IsSignatureFoundInDatabase (

                    EFI_IMAGE_SECURITY_DATABASE,
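Review bot: removing this lookup drops the dbx check keyed on the certificate's hash algorithm instead of adding the SHA-256 lookup alongside it: the hoisted check compares only the SHA-256 digest, so a dbx entry carrying the image's hash under the algorithm of the signing certificate (the case this block covered through mImageDigest / mCertType, as the commit message describes) would no longer block a signed image. If the intent is that only SHA-256 hash entries in dbx are authoritative, the commit message should state that behavior change; otherwise keep this block. Separately, the removed block set `Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND` before bailing out, while the hoisted check jumps straight to `Failed` without touching `Action`; confirm that `Action` holds the value intended for the image execution information table on that path, or set it before the `goto`.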

-- 
2.31.1
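The dbx lookup that the patch hoists out of the unsigned-image branch, as an added example written for this post (it is not edk2's IsSignatureFoundInDatabase and not the author's code): it walks a dbx variable as a sequence of EFI_SIGNATURE_LIST structures, skips lists whose SignatureType is not EFI_CERT_SHA256_GUID, and compares the payload of each EFI_SIGNATURE_DATA entry against a 32-byte digest. The dbx contents, owner GUIDs and digests are constructed for the demo, and the function names are the example's own. A malformed variable yields -1 so the caller can fail closed, mirroring the patch's treatment of EFI_ERROR (DbStatus) as a match.

```c
/*
 * Added example (not edk2 code): a stand-alone dbx walk for an image's SHA-256
 * hash. Layouts follow the UEFI spec's EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA;
 * the dbx blob built below is constructed for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUID_SIZE          16
#define SHA256_DIGEST_SIZE 32
#define SIGLIST_HDR_SIZE   28 /* SignatureType + SignatureListSize + SignatureHeaderSize + SignatureSize */

/* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328 in EFI_GUID byte order. */
static const uint8_t EFI_CERT_SHA256_GUID_BYTES[GUID_SIZE] = {
    0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
    0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };
/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072: a list type the hash lookup skips. */
static const uint8_t EFI_CERT_X509_GUID_BYTES[GUID_SIZE] = {
    0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
    0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* 1: digest is listed under EFI_CERT_SHA256_GUID; 0: not listed; -1: dbx is malformed.
   Every size field is bounds-checked before use because dbx is attacker-reachable data. */
int dbx_contains_sha256(const uint8_t *dbx, size_t dbx_size, const uint8_t digest[SHA256_DIGEST_SIZE])
{
    size_t off = 0;
    while (off < dbx_size) {
        if (dbx_size - off < SIGLIST_HDR_SIZE) return -1;            /* truncated list header */
        const uint8_t *list = dbx + off;
        uint32_t list_size = rd32(list + 16);
        uint32_t hdr_size  = rd32(list + 20);
        uint32_t sig_size  = rd32(list + 24);
        if (list_size < SIGLIST_HDR_SIZE || list_size > dbx_size - off) return -1;
        if (hdr_size > list_size - SIGLIST_HDR_SIZE) return -1;
        size_t data_len = list_size - SIGLIST_HDR_SIZE - hdr_size;
        if (memcmp(list, EFI_CERT_SHA256_GUID_BYTES, GUID_SIZE) == 0) {
            /* each EFI_SIGNATURE_DATA: 16-byte SignatureOwner followed by the 32-byte hash */
            if (sig_size != GUID_SIZE + SHA256_DIGEST_SIZE || data_len % sig_size != 0) return -1;
            const uint8_t *entry = list + SIGLIST_HDR_SIZE + hdr_size;
            for (size_t i = 0; i < data_len / sig_size; i++, entry += sig_size)
                if (memcmp(entry + GUID_SIZE, digest, SHA256_DIGEST_SIZE) == 0) return 1;
        }
        off += list_size;
    }
    return 0;
}

/* Appends one EFI_SIGNATURE_LIST holding `count` entries of (owner GUID + payload). */
static size_t append_list(uint8_t *out, size_t cap, const uint8_t type[GUID_SIZE],
                          const uint8_t *entries, size_t count, size_t payload_size)
{
    size_t sig_size = GUID_SIZE + payload_size, list_size = SIGLIST_HDR_SIZE + count * sig_size;
    if (list_size > cap) return 0;
    memcpy(out, type, GUID_SIZE);
    wr32(out + 16, (uint32_t)list_size);
    wr32(out + 20, 0);                      /* no SignatureHeader for these list types */
    wr32(out + 24, (uint32_t)sig_size);
    memcpy(out + SIGLIST_HDR_SIZE, entries, count * sig_size);
    return list_size;
}

/* Constructed dbx: an X509 list (placeholder bytes, not real DER) that the hash lookup
   must step over, then a SHA-256 list with two forbidden digests (0x11.. and 0x22..). */
size_t build_sample_dbx(uint8_t *buf, size_t cap)
{
    uint8_t x509_entry[GUID_SIZE + 8] = {0};
    uint8_t sha_entries[2 * (GUID_SIZE + SHA256_DIGEST_SIZE)] = {0};
    memset(sha_entries + GUID_SIZE, 0x11, SHA256_DIGEST_SIZE);
    memset(sha_entries + 2 * GUID_SIZE + SHA256_DIGEST_SIZE, 0x22, SHA256_DIGEST_SIZE);
    size_t n = append_list(buf, cap, EFI_CERT_X509_GUID_BYTES, x509_entry, 1, 8);
    if (n == 0) return 0;
    size_t m = append_list(buf + n, cap - n, EFI_CERT_SHA256_GUID_BYTES, sha_entries, 2, SHA256_DIGEST_SIZE);
    return m == 0 ? 0 : n + m;
}

static int run_lookup(uint8_t fill, size_t truncate_by)
{
    uint8_t dbx[256], digest[SHA256_DIGEST_SIZE];
    size_t n = build_sample_dbx(dbx, sizeof dbx);
    if (n == 0 || truncate_by >= n) return -2;
    memset(digest, fill, sizeof digest);
    return dbx_contains_sha256(dbx, n - truncate_by, digest);
}
int sample_forbidden_found(void)   { return run_lookup(0x22, 0) == 1; }  /* listed: reject image */
int sample_allowed_not_found(void) { return run_lookup(0x33, 0) == 0; }  /* not listed */
int sample_truncated_rejected(void){ return run_lookup(0x33, 8) == -1; } /* cut mid-list: fail closed */

int main(void)
{
    printf("forbidden=%d allowed=%d truncated=%d\n",
           sample_forbidden_found(), sample_allowed_not_found(), sample_truncated_rejected());
    return 0;
}
```

The hashing step itself (the PE/COFF Authenticode digest that HashPeImage computes) is deliberately left out; the point here is that a dbx match is a byte comparison against the SHA-256 list entries, independent of which algorithm the image's signer chose, which is why the patch computes SHA-256 for every image before consulting dbx.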



View/Reply Online (#78889): https://edk2.groups.io/g/devel/message/78889