From nobody Mon May 6 22:54:09 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1520883032398583.3429791764916; Mon, 12 Mar 2018 12:30:32 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 8890022646310; Mon, 12 Mar 2018 12:24:08 -0700 (PDT) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 5A6A92263147B for ; Mon, 12 Mar 2018 12:24:06 -0700 (PDT) Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Mar 2018 12:30:26 -0700 Received: from mdkinney-mobl2.amr.corp.intel.com ([10.241.98.52]) by fmsmga005.fm.intel.com with ESMTP; 12 Mar 2018 12:30:25 -0700 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.31; helo=mga06.intel.com; envelope-from=michael.d.kinney@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.47,462,1515484800"; d="scan'208";a="210877324" From: "Kinney, Michael D" To: edk2-devel@lists.01.org Date: Mon, 12 Mar 2018 12:30:13 -0700 Message-Id: <20180312193017.15156-2-michael.d.kinney@intel.com> X-Mailer: git-send-email 2.14.2.windows.3 In-Reply-To: <20180312193017.15156-1-michael.d.kinney@intel.com> References: <20180312193017.15156-1-michael.d.kinney@intel.com> Subject: [edk2] [Patch 1/5] BaseTools/BinToPcd: Add support for multiple binary input files X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael D Kinney , Liming Gao MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" https://bugzilla.tianocore.org/show_bug.cgi?id=3D890 There are use cases where a VOID * PCD needs to be generated from multiple binary input files. This can be in the form of an array of fixed size elements or a set of variable sized elements. Update BinToPcd to support multiple one or more -i INPUTFILE arguments. By default, the contents of each binary input file are concatenated in the order provided. This supports generating a PCD that is an array of fixed size elements Add -x, --xdr flags to BinToPcd to encodes the PCD using the Variable-Length Opaque Data of RFC 4506 External Data Representation Standard (XDR). https://tools.ietf.org/html/rfc4506 https://tools.ietf.org/html/rfc4506#section-4.10 The data format from RFC 4506 meets the requirements for a PCD that is a set of variable sized elements in the Variable-Length Opaque Data format. The overhead of this format is a 32-bit length and 0 to 3 bytes of padding to align the next element at a 32-bit boundary. Cc: Yonghong Zhu Cc: Liming Gao Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney Reviewed-by: Kelly Steele --- BaseTools/Scripts/BinToPcd.py | 83 ++++++++++++++++++++++++++++-----------= ---- 1 file changed, 54 insertions(+), 29 deletions(-) diff --git a/BaseTools/Scripts/BinToPcd.py b/BaseTools/Scripts/BinToPcd.py index 68a7ac652d..f2485a27fa 100644 --- a/BaseTools/Scripts/BinToPcd.py +++ b/BaseTools/Scripts/BinToPcd.py @@ -1,7 +1,7 @@ ## @file # Convert a binary file to a VOID* PCD value or DSC file VOID* PCD stateme= nt. # -# Copyright (c) 2016, Intel Corporation. All rights reserved.
+# Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
# This program and the accompanying materials # are licensed and made available under the terms and conditions of the BS= D License # which accompanies this distribution. The full text of the license may b= e found at @@ -18,14 +18,15 @@ BinToPcd import sys import argparse import re +import xdrlib =20 # # Globals for help information # __prog__ =3D 'BinToPcd' -__version__ =3D '%s Version %s' % (__prog__, '0.9 ') -__copyright__ =3D 'Copyright (c) 2016, Intel Corporation. All rights res= erved.' -__description__ =3D 'Convert a binary file to a VOID* PCD value or DSC fil= e VOID* PCD statement.\n' +__version__ =3D '%s Version %s' % (__prog__, '0.91 ') +__copyright__ =3D 'Copyright (c) 2016 - 2018, Intel Corporation. All rig= hts reserved.' +__description__ =3D 'Convert one or more binary files to a VOID* PCD value= or DSC file VOID* PCD statement.\n' =20 if __name__ =3D=3D '__main__': def ValidateUnsignedInteger (Argument): @@ -50,21 +51,35 @@ if __name__ =3D=3D '__main__': Message =3D '%s is not a valid GUID C name' % (Argument) raise argparse.ArgumentTypeError(Message) return Argument - =20 - def ByteArray (Buffer): + + def ByteArray (Buffer, Xdr =3D False): + if Xdr: + # + # If Xdr flag is set then encode data using the Variable-Length Opaq= ue + # Data format of RFC 4506 External Data Representation Standard (XDR= ). + # + XdrEncoder =3D xdrlib.Packer() + for Item in Buffer: + XdrEncoder.pack_bytes(Item) + Buffer =3D XdrEncoder.get_buffer() + else: + # + # If Xdr flag is not set, then concatenate all the data + # + Buffer =3D ''.join(Buffer) # - # Append byte array of values of the form '{0x01, 0x02, ...}' + # Return a PCD value of the form '{0x01, 0x02, ...}' along with the PC= D length in bytes # - return '{%s}' % (', '.join(['0x%02x' % (ord(Item)) for Item in Buffer]= )) - =20 + return '{%s}' % (', '.join(['0x%02x' % (ord(Item)) for Item in Buffer]= )), len (Buffer) + # # Create command line argument parser object # parser =3D argparse.ArgumentParser(prog =3D __prog__, version =3D __vers= ion__, description =3D __description__ + __cop= yright__, conflict_handler =3D 'resolve') - parser.add_argument("-i", "--input", dest =3D 'InputFile', type =3D argp= arse.FileType('rb'), - help =3D "Input binary filename", required =3D True) + parser.add_argument("-i", "--input", dest =3D 'InputFile', type =3D argp= arse.FileType('rb'), action=3D'append', required =3D True, + help =3D "Input binary filename. Multiple input fil= es are combined into a single PCD.") parser.add_argument("-o", "--output", dest =3D 'OutputFile', type =3D ar= gparse.FileType('wb'), help =3D "Output filename for PCD value or PCD state= ment") parser.add_argument("-p", "--pcd", dest =3D 'PcdName', type =3D Validate= PcdName, @@ -79,6 +94,8 @@ if __name__ =3D=3D '__main__': help =3D "UEFI variable name. Only used with --type= HII.") parser.add_argument("-g", "--variable-guid", type =3D ValidateGuidName, = dest =3D 'VariableGuid', help =3D "UEFI variable GUID C name. Only used with= --type HII.") + parser.add_argument("-x", "--xdr", dest =3D 'Xdr', action =3D "store_tru= e", + help =3D "Encode PCD using the Variable-Length Opaqu= e Data format of RFC 4506 External Data Representation Standard (XDR)") parser.add_argument("-v", "--verbose", dest =3D 'Verbose', action =3D "s= tore_true", help =3D "Increase output messages") parser.add_argument("-q", "--quiet", dest =3D 'Quiet', action =3D "store= _true", @@ -92,14 +109,22 @@ if __name__ =3D=3D '__main__': args =3D parser.parse_args() =20 # - # Read binary input file + # Read all binary input files # - try: - Buffer =3D args.InputFile.read() - args.InputFile.close() - except: - print 'BinToPcd: error: can not read binary input file' - sys.exit() + Buffer =3D [] + for File in args.InputFile: + try: + Buffer.append(File.read()) + File.close() + except: + print 'BinToPcd: error: can not read binary input file', File + sys.exit() + + # + # Convert PCD to an encoded string of hex values and determine the size = of + # the encoded PCD in bytes. + # + PcdValue, PcdSize =3D ByteArray (Buffer, args.Xdr) =20 # # Convert binary buffer to a DSC file PCD statement @@ -107,7 +132,8 @@ if __name__ =3D=3D '__main__': if args.PcdName is None: # # If PcdName is None, then only a PCD value is being requested. - Pcd =3D ByteArray (Buffer) + # + Pcd =3D PcdValue if args.Verbose: print 'PcdToBin: Convert binary file to PCD Value' elif args.PcdType is None: @@ -121,14 +147,13 @@ if __name__ =3D=3D '__main__': # If --max-size is not provided, then do not generate the syntax that # includes the maximum size. # - Pcd =3D ' %s|%s' % (args.PcdName, ByteArray (Buffer)) - elif args.MaxSize < len(Buffer): + Pcd =3D ' %s|%s' % (args.PcdName, PcdValue) + elif args.MaxSize < PcdSize: print 'BinToPcd: error: argument --max-size is smaller than input fi= le.' sys.exit() else: - Pcd =3D ' %s|%s|VOID*|%d' % (args.PcdName, ByteArray (Buffer), args= .MaxSize) - args.MaxSize =3D len(Buffer) - =20 + Pcd =3D ' %s|%s|VOID*|%d' % (args.PcdName, PcdValue, args.MaxSize) + if args.Verbose: print 'PcdToBin: Convert binary file to PCD statement compatible wit= h PCD sections:' print ' [PcdsFixedAtBuild]' @@ -141,8 +166,8 @@ if __name__ =3D=3D '__main__': # If --max-size is not provided, then set maximum size to the size o= f the # binary input file # - args.MaxSize =3D len(Buffer) - if args.MaxSize < len(Buffer): + args.MaxSize =3D PcdSize + if args.MaxSize < PcdSize: print 'BinToPcd: error: argument --max-size is smaller than input fi= le.' sys.exit() if args.Offset is None: @@ -150,12 +175,12 @@ if __name__ =3D=3D '__main__': # if --offset is not provided, then set offset field to '*' so build # tools will compute offset of PCD in VPD region. # - Pcd =3D ' %s|*|%d|%s' % (args.PcdName, args.MaxSize, ByteArray (Buf= fer)) + Pcd =3D ' %s|*|%d|%s' % (args.PcdName, args.MaxSize, PcdValue) else: # # Use the --offset value provided. # - Pcd =3D ' %s|%d|%d|%s' % (args.PcdName, args.Offset, args.MaxSize, = ByteArray (Buffer)) + Pcd =3D ' %s|%d|%d|%s' % (args.PcdName, args.Offset, args.MaxSize, = PcdValue) if args.Verbose: print 'PcdToBin: Convert binary file to PCD statement compatible wit= h PCD sections' print ' [PcdsDynamicVpd]' @@ -172,7 +197,7 @@ if __name__ =3D=3D '__main__': # Use UEFI Variable offset of 0 if --offset is not provided # args.Offset =3D 0 - Pcd =3D ' %s|L"%s"|%s|%d|%s' % (args.PcdName, args.VariableName, args= .VariableGuid, args.Offset, ByteArray (Buffer)) + Pcd =3D ' %s|L"%s"|%s|%d|%s' % (args.PcdName, args.VariableName, args= .VariableGuid, args.Offset, PcdValue) if args.Verbose: print 'PcdToBin: Convert binary file to PCD statement compatible wit= h PCD sections' print ' [PcdsDynamicHii]' --=20 2.14.2.windows.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Mon May 6 22:54:09 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1520883037659243.41880338204885; Mon, 12 Mar 2018 12:30:37 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 54AEE2264D223; Mon, 12 Mar 2018 12:24:09 -0700 (PDT) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 6C0F42263149D for ; Mon, 12 Mar 2018 12:24:06 -0700 (PDT) Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Mar 2018 12:30:26 -0700 Received: from mdkinney-mobl2.amr.corp.intel.com ([10.241.98.52]) by fmsmga005.fm.intel.com with ESMTP; 12 Mar 2018 12:30:25 -0700 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.31; helo=mga06.intel.com; envelope-from=michael.d.kinney@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.47,462,1515484800"; d="scan'208";a="210877330" From: "Kinney, Michael D" To: edk2-devel@lists.01.org Date: Mon, 12 Mar 2018 12:30:14 -0700 Message-Id: <20180312193017.15156-3-michael.d.kinney@intel.com> X-Mailer: git-send-email 2.14.2.windows.3 In-Reply-To: <20180312193017.15156-1-michael.d.kinney@intel.com> References: <20180312193017.15156-1-michael.d.kinney@intel.com> Subject: [edk2] [Patch 2/5] SecurityPkg: Add PcdPkcs7CertBufferXdr X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael D Kinney , Jiewen Yao , Chao Zhang MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" https://bugzilla.tianocore.org/show_bug.cgi?id=3D891 Add PcdPkcs7CertBufferXdr that supports one or more PKCS7 certificates encoded using the Variable-Length Opaque Data format of RFC 4506 External Data Representation Standard (XDR). https://tools.ietf.org/html/rfc4506 https://tools.ietf.org/html/rfc4506#section-4.10 The default value for this new PCD is {0}. The enhancements to the BaseTools BinToPcd tool can be used to generate a PCD from multiple input certificate files. https://bugzilla.tianocore.org/show_bug.cgi?id=3D890 Cc: Sean Brogan Cc: Chao Zhang Cc: Jiewen Yao Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney Reviewed-by: Kelly Steele --- SecurityPkg/SecurityPkg.dec | 8 ++++++++ SecurityPkg/SecurityPkg.uni | 6 ++++++ 2 files changed, 14 insertions(+) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 77d6b073d4..bafc7dddaa 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -411,6 +411,14 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic,= PcdsDynamicEx] # gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer|{0x30, 0x82, 0x03, 0xec= , 0x30, 0x82, 0x02, 0xd4, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0= xc0, 0x91, 0xc5, 0xe2, 0xb7, 0x66, 0xc0, 0xf8, 0x30, 0x0d, 0x06, 0x09, 0x2a= , 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0= x82, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43= , 0x4e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0= x53, 0x48, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x02= , 0x53, 0x48, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0= x09, 0x54, 0x69, 0x61, 0x6e, 0x6f, 0x43, 0x6f, 0x72, 0x65, 0x31, 0x0e, 0x30= , 0x0c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x05, 0x45, 0x44, 0x4b, 0x49, 0= x49, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x54= , 0x65, 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x31, 0x22, 0x30, 0x20, 0x06, 0= x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x65= , 0x64, 0x6b, 0x69, 0x6 9, 0x40, 0x74, 0x69, 0x61, 0x6e, 0x6f, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x6f,= 0x72, 0x67, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x34, 0x31, 0x30, 0x= 30, 0x38, 0x32, 0x37, 0x34, 0x30, 0x5a, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x35,= 0x31, 0x30, 0x30, 0x38, 0x32, 0x37, 0x34, 0x30, 0x5a, 0x30, 0x81, 0x82, 0x= 31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4e,= 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x02, 0x53, 0x= 48, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x02, 0x53,= 0x48, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x09, 0x= 54, 0x69, 0x61, 0x6e, 0x6f, 0x43, 0x6f, 0x72, 0x65, 0x31, 0x0e, 0x30, 0x0c,= 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x05, 0x45, 0x44, 0x4b, 0x49, 0x49, 0x= 31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x54, 0x65,= 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x= 2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x65, 0x64,= 0x6b, 0x69, 0x69, 0x40 , 0x74, 0x69, 0x61, 0x6e, 0x6f, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x6f, 0x72, = 0x67, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x8= 6, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, = 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb9, 0x29, 0x29, 0x6= c, 0x60, 0x0c, 0xd7, 0x23, 0xf6, 0x7d, 0xee, 0xf0, 0x62, 0xff, 0xd9, 0xc9, = 0xaa, 0x55, 0x8c, 0x81, 0x95, 0x56, 0x3f, 0xb7, 0x56, 0x53, 0xb0, 0xc2, 0x8= 2, 0x12, 0xc5, 0x3b, 0x75, 0x23, 0xb9, 0x4d, 0xd6, 0xc4, 0x55, 0x73, 0xf3, = 0xaa, 0x95, 0xa8, 0x1b, 0xf3, 0x93, 0x7e, 0x9e, 0x40, 0xe4, 0x1d, 0x22, 0x9= c, 0x93, 0x07, 0x0b, 0xd7, 0xaa, 0x5b, 0xd7, 0xe4, 0x1a, 0x21, 0x84, 0xd7, = 0x63, 0x59, 0x03, 0x50, 0x1f, 0xf5, 0x14, 0x55, 0x93, 0x91, 0x9b, 0xf5, 0x5= 2, 0xb0, 0xbf, 0x0e, 0x5c, 0x68, 0x3b, 0x59, 0x52, 0x98, 0x96, 0x56, 0xe1, = 0xab, 0xc4, 0x43, 0xbb, 0x05, 0x57, 0x78, 0x45, 0x01, 0x9f, 0x58, 0x15, 0x5= 3, 0x0e, 0x11, 0x94, 0x2f, 0x0e, 0xf1, 0xa6, 0x19, 0xa2, 0x6e, 0x86, 0x39, = 0x2b, 0x33, 0x8d, 0xc7, 0xc5, 0xeb, 0xee, 0x1e, 0x33, 0xd3, 0x32, 0x94, 0xc1, 0x59, 0xc4, 0x0c, 0= x97, 0x0b, 0x12, 0x48, 0x5f, 0x33, 0xf6, 0x60, 0x74, 0x7d, 0x57, 0xc2, 0x13= , 0x2d, 0x7d, 0xa9, 0x87, 0xa3, 0x35, 0xea, 0x91, 0x83, 0x3f, 0x67, 0x7a, 0= x92, 0x1f, 0x01, 0x53, 0x9f, 0x62, 0x5f, 0x99, 0x12, 0xfd, 0x73, 0x1b, 0x2d= , 0x9e, 0x2b, 0x6c, 0x34, 0x49, 0xaf, 0x4f, 0x07, 0x8f, 0xc0, 0xe9, 0x6b, 0= x9e, 0x5f, 0x79, 0x35, 0xda, 0x2a, 0x5c, 0x88, 0xee, 0xf6, 0x48, 0x61, 0xda= , 0x96, 0xe3, 0x48, 0x46, 0xa0, 0x94, 0x1c, 0x9d, 0xf6, 0x5c, 0x87, 0x0e, 0= xef, 0x74, 0x09, 0x91, 0x0d, 0x3d, 0x5a, 0xe7, 0xc5, 0x4c, 0x8a, 0x7a, 0xac= , 0xa1, 0x85, 0xb6, 0x67, 0x44, 0x17, 0x55, 0x52, 0x3a, 0xe8, 0x11, 0x4d, 0= x58, 0xa2, 0x93, 0x00, 0x62, 0xea, 0x7b, 0x80, 0xed, 0xcf, 0xbd, 0xdf, 0x75= , 0x80, 0x4b, 0xb9, 0x65, 0x63, 0xad, 0x0b, 0x4d, 0x74, 0xfa, 0x59, 0x02, 0= x03, 0x01, 0x00, 0x01, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x1d, 0x06, 0x03, 0x55= , 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x16, 0xaa, 0xd6, 0x8e, 0x1b, 0x2d, 0= x43, 0xf3, 0x2d, 0xb0,=20 0x24, 0xad, 0x36, 0x65, 0x3f, 0xb2, 0xfa, 0xb1, 0x2c, 0xed, 0x30, 0x1f, 0x= 06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x16, 0xaa,= 0xd6, 0x8e, 0x1b, 0x2d, 0x43, 0xf3, 0x2d, 0xb0, 0x24, 0xad, 0x36, 0x65, 0x= 3f, 0xb2, 0xfa, 0xb1, 0x2c, 0xed, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13,= 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0e, 0x= 06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01,= 0x86, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x= 01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x95, 0xde, 0xdf, 0xa4,= 0x14, 0xdb, 0x92, 0x22, 0x78, 0x1a, 0xbd, 0x31, 0x9d, 0x1e, 0xd7, 0x2f, 0x= 0a, 0x10, 0x11, 0x5d, 0x74, 0x61, 0xe8, 0x30, 0xc4, 0xf3, 0x15, 0xe9, 0x30,= 0x54, 0xf4, 0xbb, 0x0c, 0x04, 0x78, 0x13, 0x5d, 0x2c, 0xdd, 0x8c, 0x92, 0x= 90, 0xd1, 0x9c, 0xd0, 0xd0, 0x18, 0xa3, 0xa3, 0xfc, 0x8c, 0x28, 0x5a, 0xd4,= 0x91, 0x4d, 0x08, 0xc3, 0xf6, 0x1a, 0xc8, 0xdd, 0xa6, 0x08, 0x58, 0xe2, 0x= 15, 0x95, 0xfb, 0x2d, 0 x2d, 0x8a, 0xb1, 0x30, 0x80, 0xbd, 0x9a, 0xb6, 0xe1, 0x2c, 0x20, 0x3e, 0xd= d, 0xc4, 0xc7, 0x55, 0x65, 0xcf, 0x28, 0x17, 0xf4, 0xee, 0xda, 0xbe, 0x77, = 0x70, 0xd5, 0x52, 0xd6, 0x15, 0x7a, 0xfb, 0xad, 0xaf, 0xfd, 0xd5, 0x45, 0x9= 0, 0x5a, 0xe6, 0x31, 0x42, 0xd7, 0x84, 0xb3, 0x49, 0x56, 0x6a, 0xd3, 0x47, = 0xf3, 0xbf, 0x68, 0x60, 0x8b, 0x0f, 0xe2, 0xaf, 0xf4, 0xe3, 0xec, 0x12, 0xb= 9, 0xe2, 0x3a, 0x16, 0x11, 0x4e, 0x4d, 0x73, 0x79, 0xaf, 0x47, 0x85, 0x4c, = 0x76, 0x26, 0x9e, 0x8b, 0x32, 0xc0, 0x8e, 0xc2, 0xdc, 0x27, 0xa6, 0xef, 0xa= c, 0x93, 0x9e, 0xa1, 0x5e, 0xcf, 0x34, 0x45, 0xe0, 0x2a, 0xc7, 0x9d, 0x4d, = 0xd7, 0xd7, 0x37, 0x72, 0x97, 0xf8, 0x58, 0xf9, 0xb6, 0x35, 0x48, 0xf1, 0xd= 1, 0x0a, 0x72, 0x7f, 0xfd, 0x4d, 0x7c, 0xe9, 0xcc, 0xd8, 0x48, 0x1b, 0x49, = 0x52, 0x53, 0xde, 0x51, 0x01, 0x53, 0x35, 0xbc, 0x90, 0xcd, 0x8c, 0x8a, 0xc= c, 0x43, 0x20, 0xa7, 0x45, 0xff, 0x2b, 0x55, 0xb0, 0x8b, 0x2d, 0xff, 0x55, = 0x15, 0x4b, 0x84, 0xd0, 0xc3, 0xd3, 0x90, 0x9c, 0x94, 0x4b, 0x55, 0xd5, 0x6= 2, 0xea, 0x22, 0xab, 0x 62, 0x68, 0xdd, 0x53, 0xc6, 0xdc, 0xa5, 0xdd, 0x9a, 0x2d, 0x8e, 0x79, 0x7c= , 0x2e, 0x9c, 0xe4, 0x66, 0x80, 0x8c, 0x1d}|VOID*|0x00010014 =20 + ## Provides one or more PKCS7 certs used to verify Recovery and Capsule = Update images. + # This PCD is encoded using the Variable-Length Opaque Data format of R= FC 4506 + # External Data Representation Standard (XDR). + # The default value is empty with no keys. + # @Prompt One or more XDR encoded PKCS7 certs used to verify Recovery an= d Capsule Update images + # + gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBufferXdr|{0x0}|VOID*|0x000100= 1E + ## This PCD defines minimum length(in bytes) of the system preboot TCG e= vent log area(LAML). # For PC Client Implementation spec up to and including 1.2 the minimum= log size is 64KB. # @Prompt Minimum length(in bytes) of the system preboot TCG event log a= rea(LAML). diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni index aaf77269a3..90d806137a 100644 --- a/SecurityPkg/SecurityPkg.uni +++ b/SecurityPkg/SecurityPkg.uni @@ -228,6 +228,12 @@ #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPkcs7CertBuffer_HELP #langua= ge en-US "Provides one PKCS7 cert used to verify Recovery and Capsule Updat= e images\n" = "WARNING: The default value is treated as test key. Please do not = use default value in the production." =20 +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPkcs7CertBufferXdr_PROMPT #l= anguage en-US "One or more XDR encoded PKCS7 certs used to verify Recovery = and Capsule Update imagesOne or more XDR encoded PKCS7 certs used to verify= Recovery and Capsule Update images" + +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPkcs7CertBufferXdr_HELP #lan= guage en-US "Provides one or more PKCS7 certs used to verify Recovery and C= apsule Update images\n" + = "This PCD is encoded using the Variable-Length Opaque Data form= at of RFC 4506 External Data Representation Standard (XDR).\n" + = "The default value is empty with no keys." + #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcg2PhysicalPresenceFlags_PRO= MPT #language en-US " Initial setting of TCG2 Persistent Firmware Manageme= nt Flags" =20 #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcg2PhysicalPresenceFlags_HEL= P #language en-US "This PCD defines initial setting of TCG2 Persistent Fir= mware Management Flags\n" --=20 2.14.2.windows.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Mon May 6 22:54:09 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1520883040286376.86051394214803; Mon, 12 Mar 2018 12:30:40 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id AF9572264D22E; Mon, 12 Mar 2018 12:24:10 -0700 (PDT) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 8E1BC226462EF for ; Mon, 12 Mar 2018 12:24:06 -0700 (PDT) Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Mar 2018 12:30:26 -0700 Received: from mdkinney-mobl2.amr.corp.intel.com ([10.241.98.52]) by fmsmga005.fm.intel.com with ESMTP; 12 Mar 2018 12:30:26 -0700 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.31; helo=mga06.intel.com; envelope-from=michael.d.kinney@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.47,462,1515484800"; d="scan'208";a="210877333" From: "Kinney, Michael D" To: edk2-devel@lists.01.org Date: Mon, 12 Mar 2018 12:30:15 -0700 Message-Id: <20180312193017.15156-4-michael.d.kinney@intel.com> X-Mailer: git-send-email 2.14.2.windows.3 In-Reply-To: <20180312193017.15156-1-michael.d.kinney@intel.com> References: <20180312193017.15156-1-michael.d.kinney@intel.com> Subject: [edk2] [Patch 3/5] SecurityPkg/EdkiiSystemCapsuleLib: Use PcdPkcs7CertBufferXdr X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael D Kinney , Jiewen Yao , Chao Zhang MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" https://bugzilla.tianocore.org/show_bug.cgi?id=3D891 Use both PcdPkcs7CertBuffer and PcdPkcs7CertBufferXdr to authenticate a capsule. The capsule fails authentication if none of the certificates in PcdPkcs7CertBuffer or PcdPkcs7CertBufferXdr pass. Cc: Sean Brogan Cc: Chao Zhang Cc: Jiewen Yao Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney Reviewed-by: Kelly Steele --- .../EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.c | 77 ++++++++++++++++++= +--- .../EdkiiSystemCapsuleLib.inf | 3 +- 2 files changed, 70 insertions(+), 10 deletions(-) diff --git a/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCaps= uleLib.c b/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsul= eLib.c index 876d2257b3..5217a63082 100644 --- a/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.c +++ b/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.c @@ -6,7 +6,7 @@ CapsuleAuthenticateSystemFirmware(), ExtractAuthenticatedImage() will re= ceive untrusted input and do basic validation. =20 - Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+ Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BS= D License which accompanies this distribution. The full text of the license may b= e found at @@ -370,6 +370,8 @@ ExtractAuthenticatedImage ( GUID *CertType; VOID *PublicKeyData; UINTN PublicKeyDataLength; + UINT8 *PublicKeyDataXdr; + UINT8 *PublicKeyDataXdrEnd; =20 DEBUG((DEBUG_INFO, "ExtractAuthenticatedImage - Image: 0x%08x - 0x%08x\n= ", (UINTN)Image, (UINTN)ImageSize)); =20 @@ -410,21 +412,78 @@ ExtractAuthenticatedImage ( if (CompareGuid(&gEfiCertPkcs7Guid, CertType)) { PublicKeyData =3D PcdGetPtr(PcdPkcs7CertBuffer); PublicKeyDataLength =3D PcdGetSize(PcdPkcs7CertBuffer); + + ASSERT (PublicKeyData !=3D NULL); + ASSERT (PublicKeyDataLength !=3D 0); + + Status =3D AuthenticateFmpImage( + ImageAuth, + ImageSize, + PublicKeyData, + PublicKeyDataLength + ); + if (EFI_ERROR (Status)) { + PublicKeyDataXdr =3D PcdGetPtr (PcdPkcs7CertBufferXdr); + PublicKeyDataXdrEnd =3D PublicKeyDataXdr + PcdGetSize (PcdPkcs7CertB= ufferXdr); + + ASSERT (PublicKeyDataXdr !=3D NULL); + ASSERT (PublicKeyDataXdr !=3D PublicKeyDataXdrEnd); + + // + // Try each key from PcdPkcs7CertBufferXdr + // + while (PublicKeyDataXdr < PublicKeyDataXdrEnd) { + if (PublicKeyDataXdr + sizeof (UINT32) > PublicKeyDataXdrEnd) { + // + // Key data extends beyond end of PCD + // + break; + } + // + // Read key length stored in big endian format + // + PublicKeyDataLength =3D SwapBytes32 (*(UINT32 *)(PublicKeyDataXdr)= ); + // + // Point to the start of the key data + // + PublicKeyDataXdr +=3D sizeof (UINT32); + if (PublicKeyDataXdr + PublicKeyDataLength > PublicKeyDataXdrEnd) { + // + // Key data extends beyond end of PCD + // + break; + } + PublicKeyData =3D PublicKeyDataXdr; + Status =3D AuthenticateFmpImage ( + ImageAuth, + ImageSize, + PublicKeyData, + PublicKeyDataLength + ); + if (!EFI_ERROR (Status)) { + break; + } + PublicKeyDataXdr +=3D PublicKeyDataLength; + PublicKeyDataXdr =3D (UINT8 *)ALIGN_POINTER (PublicKeyDataXdr, siz= eof(UINT32)); + } + } } else if (CompareGuid(&gEfiCertTypeRsa2048Sha256Guid, CertType)) { PublicKeyData =3D PcdGetPtr(PcdRsa2048Sha256PublicKeyBuffer); PublicKeyDataLength =3D PcdGetSize(PcdRsa2048Sha256PublicKeyBuffer); + + ASSERT (PublicKeyData !=3D NULL); + ASSERT (PublicKeyDataLength !=3D 0); + + Status =3D AuthenticateFmpImage( + ImageAuth, + ImageSize, + PublicKeyData, + PublicKeyDataLength + ); } else { return FALSE; } - ASSERT (PublicKeyData !=3D NULL); - ASSERT (PublicKeyDataLength !=3D 0); =20 - Status =3D AuthenticateFmpImage( - ImageAuth, - ImageSize, - PublicKeyData, - PublicKeyDataLength - ); switch (Status) { case RETURN_SUCCESS: *LastAttemptStatus =3D LAST_ATTEMPT_STATUS_SUCCESS; diff --git a/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCaps= uleLib.inf b/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCaps= uleLib.inf index a721619a67..2b18d918d1 100644 --- a/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.= inf +++ b/SignedCapsulePkg/Library/EdkiiSystemCapsuleLib/EdkiiSystemCapsuleLib.= inf @@ -3,7 +3,7 @@ # # EDKII System Capsule library instance for DXE/PEI post memory phase. # -# Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+# Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
# This program and the accompanying materials # are licensed and made available under the terms and conditions of the B= SD License # which accompanies this distribution. The full text of the license may = be found at @@ -52,6 +52,7 @@ [Pcd] gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiSystemFirmwareFileGuid = ## CONSUMES gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer = ## CONSUMES gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer = ## CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBufferXdr = ## CONSUMES =20 [Guids] gEdkiiSystemFirmwareImageDescriptorFileGuid ## SOMETIMES_CONSUM= ES ## GUID --=20 2.14.2.windows.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Mon May 6 22:54:09 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1520883035200959.0530130494304; Mon, 12 Mar 2018 12:30:35 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id EEE2A2264631F; Mon, 12 Mar 2018 12:24:08 -0700 (PDT) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 85AA7226462EE for ; Mon, 12 Mar 2018 12:24:06 -0700 (PDT) Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Mar 2018 12:30:26 -0700 Received: from mdkinney-mobl2.amr.corp.intel.com ([10.241.98.52]) by fmsmga005.fm.intel.com with ESMTP; 12 Mar 2018 12:30:26 -0700 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.31; helo=mga06.intel.com; envelope-from=michael.d.kinney@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.47,462,1515484800"; d="scan'208";a="210877336" From: "Kinney, Michael D" To: edk2-devel@lists.01.org Date: Mon, 12 Mar 2018 12:30:16 -0700 Message-Id: <20180312193017.15156-5-michael.d.kinney@intel.com> X-Mailer: git-send-email 2.14.2.windows.3 In-Reply-To: <20180312193017.15156-1-michael.d.kinney@intel.com> References: <20180312193017.15156-1-michael.d.kinney@intel.com> Subject: [edk2] [Patch 4/5] Vlv2TbltDevicePkg/PlatformBootManagerLib: Check PcdPkcs7CertBufferXdr X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael D Kinney , David Wei MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" From: Michael D Kinney https://bugzilla.tianocore.org/show_bug.cgi?id=3D891 Evaluate both PcdPkcs7CertBuffer and PcdPkcs7CertBufferXdr for the use of the test key. If the test key is found in either PCD, then the warning messages for the use of a test key must be presented. Cc: Sean Brogan Cc: David Wei Cc: Mang Guo Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney Reviewed-by: Kelly Steele Reviewed-by: david wei =20 --- .../Library/PlatformBdsLib/BdsPlatform.c | 57 ++++++++++++++++++= +++- .../Library/PlatformBdsLib/PlatformBdsLib.inf | 22 +++++---- 2 files changed, 68 insertions(+), 11 deletions(-) diff --git a/Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c b/Vlv2T= bltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c index 7f91777ea1..4aac7a2487 100644 --- a/Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c +++ b/Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c @@ -1,6 +1,6 @@ /** @file =20 - Copyright (c) 2004 - 2016, Intel Corporation. All rights reserved.
+ Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
= =20 This program and the accompanying materials are licensed and made availa= ble under the terms and conditions of the BSD License that accompanies this distri= bution. =20 @@ -2417,6 +2417,10 @@ ShowProgressHotKey ( UINTN TmpStrSize; VOID *Buffer; UINTN Size; + VOID *PublicKeyData; + UINTN PublicKeyDataLength; + UINT8 *PublicKeyDataXdr; + UINT8 *PublicKeyDataXdrEnd; =20 if (TimeoutDefault =3D=3D 0) { return EFI_TIMEOUT; @@ -2484,6 +2488,57 @@ ShowProgressHotKey ( } PcdSetBoolS(PcdTestKeyUsed, TRUE); } + + // + // Make sure none of the keys in PcdPkcs7CertBufferXdr match the test = key + // + PublicKeyDataXdr =3D PcdGetPtr (PcdPkcs7CertBufferXdr); + PublicKeyDataXdrEnd =3D PublicKeyDataXdr + PcdGetSize (PcdPkcs7CertBuf= ferXdr); + + ASSERT (PublicKeyDataXdr !=3D NULL); + ASSERT (PublicKeyDataXdr !=3D PublicKeyDataXdrEnd); + + // + // Try each key from PcdPkcs7CertBufferXdr + // + while (PublicKeyDataXdr < PublicKeyDataXdrEnd) { + if (PublicKeyDataXdr + sizeof (UINT32) > PublicKeyDataXdrEnd) { + // + // Key data extends beyond end of PCD + // + break; + } + // + // Read key length stored in big endian format + // + PublicKeyDataLength =3D SwapBytes32 (*(UINT32 *)(PublicKeyDataXdr)); + // + // Point to the start of the key data + // + PublicKeyDataXdr +=3D sizeof (UINT32); + if (PublicKeyDataXdr + PublicKeyDataLength > PublicKeyDataXdrEnd) { + // + // Key data extends beyond end of PCD + // + break; + } + PublicKeyData =3D PublicKeyDataXdr; + + if ((Size =3D=3D PublicKeyDataLength) && + (CompareMem(Buffer, PublicKeyData, Size) =3D=3D 0)) { + TmpStr3 =3D L"WARNING: Capsule Test Key is used.\r\n"; + if (DebugAssertEnabled()) { + DEBUG ((DEBUG_INFO, "\n\nWARNING: Capsule Test Key is used.\r\n"= )); + } else { + SerialPortWrite((UINT8 *)"\n\nWARNING: Capsule Test Key is used.= ", sizeof("\n\nWARNING: Capsule Test Key is used.")); + } + PcdSetBoolS(PcdTestKeyUsed, TRUE); + } + + PublicKeyDataXdr +=3D PublicKeyDataLength; + PublicKeyDataXdr =3D (UINT8 *)ALIGN_POINTER (PublicKeyDataXdr, sizeo= f(UINT32)); + } + FreePool(Buffer); } =20 diff --git a/Vlv2TbltDevicePkg/Library/PlatformBdsLib/PlatformBdsLib.inf b/= Vlv2TbltDevicePkg/Library/PlatformBdsLib/PlatformBdsLib.inf index 7512556bb7..9f84d7b2e0 100644 --- a/Vlv2TbltDevicePkg/Library/PlatformBdsLib/PlatformBdsLib.inf +++ b/Vlv2TbltDevicePkg/Library/PlatformBdsLib/PlatformBdsLib.inf @@ -1,16 +1,17 @@ #/** @file # Component name for module PlatformBootManagerLib # -# Copyright (c) 2008 - 2016, Intel Corporation. All rights reserved.
-# = =20 -# This program and the accompanying materials are licensed and made availa= ble under -# the terms and conditions of the BSD License that accompanies this distri= bution. =20 -# The full text of the license may be found at = =20 -# http://opensource.org/licenses/bsd-license.php. = =20 -# = =20 -# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, = =20 -# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMP= LIED. =20 -# = =20 +# Copyright (c) 2008 - 2018, Intel Corporation. All rights reserved.
+# +# This program and the accompanying materials are licensed and made availa= ble under +# the terms and conditions of the BSD License that accompanies this distri= bution. +# The full text of the license may be found at +# http://opensource.org/licenses/bsd-license.php. +# + +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMP= LIED. +# # # # @@ -108,6 +109,7 @@ [Pcd] gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiPkcs7TestPublicKeyFileGuid gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer + gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBufferXdr gEfiMdeModulePkgTokenSpaceGuid.PcdTestKeyUsed gPlatformModuleTokenSpaceGuid.PcdFlashFvRecovery2Base gPlatformModuleTokenSpaceGuid.PcdFlashFvMainBase --=20 2.14.2.windows.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel From nobody Mon May 6 22:54:09 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 152088304283562.722295043952045; Mon, 12 Mar 2018 12:30:42 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 1401E2264D23D; Mon, 12 Mar 2018 12:24:11 -0700 (PDT) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 94C99226462F3 for ; Mon, 12 Mar 2018 12:24:06 -0700 (PDT) Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Mar 2018 12:30:27 -0700 Received: from mdkinney-mobl2.amr.corp.intel.com ([10.241.98.52]) by fmsmga005.fm.intel.com with ESMTP; 12 Mar 2018 12:30:26 -0700 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.31; helo=mga06.intel.com; envelope-from=michael.d.kinney@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.47,462,1515484800"; d="scan'208";a="210877339" From: "Kinney, Michael D" To: edk2-devel@lists.01.org Date: Mon, 12 Mar 2018 12:30:17 -0700 Message-Id: <20180312193017.15156-6-michael.d.kinney@intel.com> X-Mailer: git-send-email 2.14.2.windows.3 In-Reply-To: <20180312193017.15156-1-michael.d.kinney@intel.com> References: <20180312193017.15156-1-michael.d.kinney@intel.com> Subject: [edk2] [Patch 5/5] QuarkPlatformPkg/PlatformBootManagerLib: Check PcdPkcs7CertBufferXdr X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael D Kinney , Jiewen Yao MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" https://bugzilla.tianocore.org/show_bug.cgi?id=3D891 Evaluate both PcdPkcs7CertBuffer and PcdPkcs7CertBufferXdr for the use of the test key. If the test key is found in either PCD, then the warning messages for the use of a test key must be presented. Cc: Sean Brogan Cc: Kelly Steele Cc: Jiewen Yao Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Michael D Kinney Reviewed-by: Kelly Steele --- .../PlatformBootManagerLib/PlatformBootManager.c | 51 ++++++++++++++++++= +++- .../PlatformBootManagerLib.inf | 3 +- 2 files changed, 52 insertions(+), 2 deletions(-) diff --git a/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootMa= nager.c b/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManag= er.c index 53391c6077..829f852b61 100644 --- a/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManager.c +++ b/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManager.c @@ -2,7 +2,7 @@ This file include all platform action which can be customized by IBV/OEM. =20 -Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at @@ -347,6 +347,10 @@ PlatformBootManagerAfterConsole ( ESRT_MANAGEMENT_PROTOCOL *EsrtManagement; VOID *Buffer; UINTN Size; + VOID *PublicKeyData; + UINTN PublicKeyDataLength; + UINT8 *PublicKeyDataXdr; + UINT8 *PublicKeyDataXdrEnd; =20 Status =3D gBS->LocateProtocol(&gEsrtManagementProtocolGuid, NULL, (VOID= **)&EsrtManagement); if (EFI_ERROR(Status)) { @@ -433,6 +437,51 @@ PlatformBootManagerAfterConsole ( Print(L"WARNING: Capsule Test Key is used.\n"); PcdSetBoolS(PcdTestKeyUsed, TRUE); } + + // + // Make sure none of the keys in PcdPkcs7CertBufferXdr match the test = key + // + PublicKeyDataXdr =3D PcdGetPtr (PcdPkcs7CertBufferXdr); + PublicKeyDataXdrEnd =3D PublicKeyDataXdr + PcdGetSize (PcdPkcs7CertBuf= ferXdr); + + ASSERT (PublicKeyDataXdr !=3D NULL); + ASSERT (PublicKeyDataXdr !=3D PublicKeyDataXdrEnd); + + // + // Try each key from PcdPkcs7CertBufferXdr + // + while (PublicKeyDataXdr < PublicKeyDataXdrEnd) { + if (PublicKeyDataXdr + sizeof (UINT32) > PublicKeyDataXdrEnd) { + // + // Key data extends beyond end of PCD + // + break; + } + // + // Read key length stored in big endian format + // + PublicKeyDataLength =3D SwapBytes32 (*(UINT32 *)(PublicKeyDataXdr)); + // + // Point to the start of the key data + // + PublicKeyDataXdr +=3D sizeof (UINT32); + if (PublicKeyDataXdr + PublicKeyDataLength > PublicKeyDataXdrEnd) { + // + // Key data extends beyond end of PCD + // + break; + } + PublicKeyData =3D PublicKeyDataXdr; + if ((Size =3D=3D PublicKeyDataLength) && + (CompareMem(Buffer, PublicKeyData, Size) =3D=3D 0)) { + Print(L"WARNING: Capsule Test Key is used.\n"); + PcdSetBoolS(PcdTestKeyUsed, TRUE); + } + + PublicKeyDataXdr +=3D PublicKeyDataLength; + PublicKeyDataXdr =3D (UINT8 *)ALIGN_POINTER (PublicKeyDataXdr, sizeo= f(UINT32)); + } + FreePool(Buffer); } =20 diff --git a/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootMa= nagerLib.inf b/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBoot= ManagerLib.inf index 25394d8ca0..95a65ca88a 100644 --- a/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManagerLi= b.inf +++ b/QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManagerLi= b.inf @@ -1,7 +1,7 @@ ## @file # Include all platform action which can be customized by IBV/OEM. # -# Copyright (c) 2012 - 2016, Intel Corporation. All rights reserved.
+# Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
# This program and the accompanying materials # are licensed and made available under the terms and conditions of the B= SD License # which accompanies this distribution. The full text of the license may = be found at @@ -85,5 +85,6 @@ [Pcd] gEfiSignedCapsulePkgTokenSpaceGuid.PcdEdkiiPkcs7TestPublicKeyFileGuid gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer + gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBufferXdr gEfiMdeModulePkgTokenSpaceGuid.PcdTestKeyUsed =20 --=20 2.14.2.windows.3 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel