From nobody Wed May 15 03:04:57 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+81552+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+81552+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1633523139; cv=none; d=zohomail.com; s=zohoarc; b=kcchfSWYOY7P2JlsVGmZAmPT4EMwBfZgDgSnR0soK2NNh9iwxY/YN/unJ4CTQiy00tl7KR6AdGVpY0p02hnZPNKWQ8iVHsLh3GovZ+u5MgV3/2GgYkpXHbG/n+yZzk0qPOmg20u0+404LEipVq2Nq5QN15xB+8SmLB09B1o+oGQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1633523139; h=Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Sender:Subject:To; bh=dk2r7PrcPDxc9dek84D0A4LN7nS8oUMhCEKG7F6QQ6E=; b=UzE/qWAzuuQr8VYBiTynQqK8msAvyEhLeVaswVHLCSQecP7rAoFg/oAXdtycTV5IZPyDQ3+12F3aqHyx82m3ZFZ/GFrWiTOHE3eA7hNo1IYB/M0fs7rYa32DfMdEhkIJPazFsQfaIX9nPnDqriQcFuOBHxnjN6MrgNHcjvW8imA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+81552+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1633523139424762.6437323334611; Wed, 6 Oct 2021 05:25:39 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id EZIZYY1788612xolVV1jwsxN; Wed, 06 Oct 2021 05:25:39 -0700 X-Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com [209.85.167.44]) by mx.groups.io with SMTP id smtpd.web12.11004.1633523138135408822 for ; Wed, 06 Oct 2021 05:25:38 -0700 X-Received: by mail-lf1-f44.google.com with SMTP id y15so9672182lfk.7 for ; Wed, 06 Oct 2021 05:25:37 -0700 (PDT) X-Gm-Message-State: N2v55okVcYb67uMzU13ramlVx1787277AA= X-Google-Smtp-Source: ABdhPJz0vaQgG+k8JJo1OkpeDTztLJXbGk/AK4PIoeO8G6od8dqMdJSoVqlL458G6zkNKuYdYH4Onw== X-Received: by 2002:a19:9102:: with SMTP id t2mr3944538lfd.431.1633523135811; Wed, 06 Oct 2021 05:25:35 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id s11sm687460lfd.95.2021.10.06.05.25.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Oct 2021 05:25:35 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: jiewen.yao@intel.com, jian.j.wang@intel.com, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, Grzegorz Bernacki Subject: [edk2-devel] [PATCH v1] SecurityPkg: Improve initialization of default key variables. Date: Wed, 6 Oct 2021 14:25:25 +0200 Message-Id: <20211006122525.1893234-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1633523139; bh=tAnd+Ifqgzb+7IAS5Bq3DKTvGUqNdChUNCjt3y0Vzso=; h=Cc:Date:From:Reply-To:Subject:To; b=KjPuJEwHlmYc3Lyvu9tUiUOOWXxmN/jUDJwBNU2JwJQgRBareGkozIQr4AWVBXZECyz XscH2VQzFjqiygSaMk157Wl0Lv6g4Xl9tXwqNOVxyhSUdSJKftUoMceJcSQxOfU+LPuvE NFVCQHVYhlK+i5oM1nu2dFN56YA5Hxs/Kg8= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1633523140114100002 Content-Type: text/plain; charset="utf-8" This commit allows to use data in EFI_VARIABLE_AUTHENTICATION_2 structure format to initialize default secure boot variables. It allows to use revocation list published by UEFI. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang --- SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 90 +++= +++++++++-------- 1 file changed, 56 insertions(+), 34 deletions(-) diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index ff65184713..1f8869b1d2 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -73,20 +73,19 @@ CreateSigList ( =20 /** Adds new signature list to signature database. =20 - @param[in] SigLists A pointer to signature database. - @param[in] SigListAppend A signature list to be added. - @param[out] *SigListOut Created signature database. + @param[in,out] SigLists A pointer to signature database. + @param[in] SigListAppend A signature list to be added. @param[in, out] SigListsSize A size of created signature database. =20 @retval EFI_SUCCESS Signature List was added successfully. @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. + @retval EFI_INVALID_PARAMETER Invalid parameters. **/ STATIC EFI_STATUS ConcatenateSigList ( - IN EFI_SIGNATURE_LIST *SigLists, + IN EFI_SIGNATURE_LIST **SigLists, IN EFI_SIGNATURE_LIST *SigListAppend, - OUT EFI_SIGNATURE_LIST **SigListOut, IN OUT UINTN *SigListsSize ) { @@ -94,6 +93,10 @@ ConcatenateSigList ( UINT8 *Offset; UINTN NewSigListsSize; =20 + if ((SigLists =3D=3D NULL) || (SigListsSize =3D=3D NULL) || (SigListAppe= nd =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + NewSigListsSize =3D *SigListsSize + SigListAppend->SignatureListSize; =20 TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize); @@ -101,14 +104,17 @@ ConcatenateSigList ( return EFI_OUT_OF_RESOURCES; } =20 - CopyMem (TmpSigList, SigLists, *SigListsSize); + if (*SigLists !=3D NULL) { + CopyMem (TmpSigList, *SigLists, *SigListsSize); + FreePool(*SigLists); + } =20 Offset =3D (UINT8 *)TmpSigList; Offset +=3D *SigListsSize; CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize= ); =20 *SigListsSize =3D NewSigListsSize; - *SigListOut =3D TmpSigList; + *SigLists =3D TmpSigList; return EFI_SUCCESS; } =20 @@ -133,14 +139,15 @@ SecureBootFetchData ( OUT EFI_SIGNATURE_LIST **SigListOut ) { + EFI_VARIABLE_AUTHENTICATION_2 *Auth2; EFI_SIGNATURE_LIST *EfiSig; EFI_SIGNATURE_LIST *TmpEfiSig; - EFI_SIGNATURE_LIST *TmpEfiSig2; EFI_STATUS Status; VOID *Buffer; VOID *RsaPubKey; UINTN Size; UINTN KeyIndex; + UINTN SigListOffset; =20 =20 KeyIndex =3D 0; @@ -154,42 +161,57 @@ SecureBootFetchData ( &Buffer, &Size ); + if (Status =3D=3D EFI_NOT_FOUND && KeyIndex > 0) { + break; + } else if (EFI_ERROR(Status)) { + if (EfiSig !=3D NULL) { + FreePool(EfiSig); + } + return EFI_INVALID_PARAMETER; + } =20 - if (Status =3D=3D EFI_SUCCESS) { - RsaPubKey =3D NULL; - if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FALSE)= { - DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__,= KeyIndex)); + RsaPubKey =3D NULL; + Auth2 =3D (EFI_VARIABLE_AUTHENTICATION_2 *)Buffer; + if ((Auth2->AuthInfo.Hdr.wCertificateType =3D=3D WIN_CERT_TYPE_EFI_GUI= D) && + (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType) =3D= =3D TRUE)) { + + SigListOffset =3D Auth2->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF= (WIN_CERTIFICATE_UEFI_GUID, CertData)); + TmpEfiSig =3D (EFI_SIGNATURE_LIST *) &Auth2->AuthInfo.CertData[SigLi= stOffset]; + Size -=3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo); + Size -=3D OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); + Size -=3D SigListOffset; + + while (Size > 0) { + ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize); + Size -=3D TmpEfiSig->SignatureListSize; + TmpEfiSig =3D (EFI_SIGNATURE_LIST *)((UINT8 *)TmpEfiSig + TmpEfiSi= g->SignatureListSize); + } + } else if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D T= RUE) { + Status =3D CreateSigList (Buffer, Size, &TmpEfiSig); + + if (EFI_ERROR(Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot create a sig list\n", __FUNCTION_= _)); if (EfiSig !=3D NULL) { FreePool(EfiSig); } FreePool(Buffer); - return EFI_INVALID_PARAMETER; - } =20 - Status =3D CreateSigList (Buffer, Size, &TmpEfiSig); - - // - // Concatenate lists if more than one section found - // - if (KeyIndex =3D=3D 0) { - EfiSig =3D TmpEfiSig; - *SigListsSize =3D TmpEfiSig->SignatureListSize; - } else { - ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize); - FreePool (EfiSig); - FreePool (TmpEfiSig); - EfiSig =3D TmpEfiSig2; + return Status; } =20 - KeyIndex++; - FreePool (Buffer); - } if (Status =3D=3D EFI_NOT_FOUND) { - break; + ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize); + FreePool (TmpEfiSig); + } else { + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, K= eyIndex)); + if (EfiSig !=3D NULL) { + FreePool(EfiSig); + } + FreePool(Buffer); + return EFI_INVALID_PARAMETER; } - }; =20 - if (KeyIndex =3D=3D 0) { - return EFI_NOT_FOUND; + KeyIndex++; + FreePool (Buffer); } =20 *SigListOut =3D EfiSig; --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#81552): https://edk2.groups.io/g/devel/message/81552 Mute This Topic: https://groups.io/mt/86117798/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-