[edk2-devel] [PATCH v1] SecurityPkg: Improve initialization of default key variables.

Grzegorz Bernacki posted 1 patch 2 weeks, 2 days ago
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 90 ++++++++++++--------
1 file changed, 56 insertions(+), 34 deletions(-)

[edk2-devel] [PATCH v1] SecurityPkg: Improve initialization of default key variables.

Posted by Grzegorz Bernacki 2 weeks, 2 days ago
This commit allows data in the EFI_VARIABLE_AUTHENTICATION_2
structure format to be used to initialize the default secure boot variables.
This makes it possible to use the revocation list published by UEFI.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 90 ++++++++++++--------
 1 file changed, 56 insertions(+), 34 deletions(-)

diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
index ff65184713..1f8869b1d2 100644
--- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
@@ -73,20 +73,19 @@ CreateSigList (
 
 /** Adds new signature list to signature database.
 
-  @param[in]      SigLists        A pointer to signature database.
-  @param[in]      SigListAppend  A signature list to be added.
-  @param[out]     *SigListOut     Created signature database.
+  @param[in,out]  SigLists        A pointer to signature database.
+  @param[in]      SigListAppend   A signature list to be added.
   @param[in, out] SigListsSize    A size of created signature database.
 
   @retval  EFI_SUCCESS           Signature List was added successfully.
   @retval  EFI_OUT_OF_RESOURCES  Failed to allocate memory.
+  @retval  EFI_INVALID_PARAMETER Invalid parameters.
 **/
 STATIC
 EFI_STATUS
 ConcatenateSigList (
-  IN  EFI_SIGNATURE_LIST *SigLists,
+  IN  EFI_SIGNATURE_LIST **SigLists,
   IN  EFI_SIGNATURE_LIST *SigListAppend,
-  OUT EFI_SIGNATURE_LIST **SigListOut,
   IN OUT UINTN           *SigListsSize
 )
 {
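Review bot: The `SigLists` parameter is documented as `@param[in,out]` but is still declared `IN  EFI_SIGNATURE_LIST **SigLists`; the declaration should read `IN OUT EFI_SIGNATURE_LIST **SigLists`. The header comment should also say that on success the function frees the buffer `*SigLists` pointed to and stores a newly allocated one in its place, and that `*SigLists` may be NULL for an empty database. That ownership transfer is the main thing a caller has to know after this change. The function body continues outside this hunk.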
@@ -94,6 +93,10 @@ ConcatenateSigList (
   UINT8              *Offset;
   UINTN              NewSigListsSize;
 
+  if ((SigLists == NULL) || (SigListsSize == NULL) || (SigListAppend == NULL)) {
+    return EFI_INVALID_PARAMETER;
+  }
+
   NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
 
   TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);
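Review bot: The sum on the context line `NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;` is not checked for wrap-around. With this patch `SignatureListSize` can be read directly from a signature list embedded in an EFI_VARIABLE_AUTHENTICATION_2 blob. A wrapped sum would allocate a pool smaller than the lengths passed to the two CopyMem calls later in the function. A guard right after the new NULL check would close this: `if (SigListAppend->SignatureListSize > MAX_UINTN - *SigListsSize) { return EFI_INVALID_PARAMETER; }`. The function starts and ends outside this hunk.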
@@ -101,14 +104,17 @@ ConcatenateSigList (
     return EFI_OUT_OF_RESOURCES;
   }
 
-  CopyMem (TmpSigList, SigLists, *SigListsSize);
+  if (*SigLists != NULL) {
+    CopyMem (TmpSigList, *SigLists, *SigListsSize);
+    FreePool(*SigLists);
+  }
 
   Offset = (UINT8 *)TmpSigList;
   Offset += *SigListsSize;
   CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);
 
   *SigListsSize = NewSigListsSize;
-  *SigListOut = TmpSigList;
+  *SigLists = TmpSigList;
   return EFI_SUCCESS;
 }
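Review bot: When `*SigLists` is NULL the old-data copy is skipped, but `Offset` is still advanced by `*SigListsSize`, so a non-zero size paired with a NULL pointer yields a database that starts with a zero-filled gap. The parameter check could reject that combination with `if ((*SigLists == NULL) && (*SigListsSize != 0)) { return EFI_INVALID_PARAMETER; }`. This matters because the commit removes the `*SigListsSize = TmpEfiSig->SignatureListSize;` assignment from SecureBootFetchData. The caller therefore now depends on `EfiSig` and `*SigListsSize` being initialised to NULL and 0 before the loop, which is not visible in this patch and should be confirmed. As a style point, `FreePool(*SigLists);` lacks the space before the parenthesis used elsewhere in the file.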
 
@@ -133,14 +139,15 @@ SecureBootFetchData (
     OUT EFI_SIGNATURE_LIST **SigListOut
 )
 {
+  EFI_VARIABLE_AUTHENTICATION_2  *Auth2;
   EFI_SIGNATURE_LIST *EfiSig;
   EFI_SIGNATURE_LIST *TmpEfiSig;
-  EFI_SIGNATURE_LIST *TmpEfiSig2;
   EFI_STATUS         Status;
   VOID               *Buffer;
   VOID               *RsaPubKey;
   UINTN               Size;
   UINTN               KeyIndex;
+  UINTN               SigListOffset;
 
 
   KeyIndex = 0;
@@ -154,42 +161,57 @@ SecureBootFetchData (
                &Buffer,
                &Size
                );
+    if (Status == EFI_NOT_FOUND && KeyIndex > 0) {
+      break;
+    } else if (EFI_ERROR(Status)) {
+      if (EfiSig != NULL) {
+        FreePool(EfiSig);
+      }
+      return EFI_INVALID_PARAMETER;
+    }
 
-    if (Status == EFI_SUCCESS) {
-      RsaPubKey = NULL;
-      if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
-        DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+    RsaPubKey = NULL;
+    Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)Buffer;
+    if ((Auth2->AuthInfo.Hdr.wCertificateType == WIN_CERT_TYPE_EFI_GUID) &&
+        (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType) == TRUE)) {
+
+      SigListOffset = Auth2->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
+      TmpEfiSig = (EFI_SIGNATURE_LIST *) &Auth2->AuthInfo.CertData[SigListOffset];
+      Size -= OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo);
+      Size -= OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
+      Size -= SigListOffset;
+
+      while (Size > 0) {
+        ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize);
+        Size -= TmpEfiSig->SignatureListSize;
+        TmpEfiSig = (EFI_SIGNATURE_LIST *)((UINT8 *)TmpEfiSig + TmpEfiSig->SignatureListSize);
+      }
+    } else if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == TRUE) {
+      Status = CreateSigList (Buffer, Size, &TmpEfiSig);
+
+      if (EFI_ERROR(Status)) {
+        DEBUG ((DEBUG_ERROR, "%a: Cannot create a sig list\n", __FUNCTION__));
         if (EfiSig != NULL) {
           FreePool(EfiSig);
         }
         FreePool(Buffer);
-        return EFI_INVALID_PARAMETER;
-      }
 
-      Status = CreateSigList (Buffer, Size, &TmpEfiSig);
-
-      //
-      // Concatenate lists if more than one section found
-      //
-      if (KeyIndex == 0) {
-        EfiSig = TmpEfiSig;
-        *SigListsSize = TmpEfiSig->SignatureListSize;
-      } else {
-        ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
-        FreePool (EfiSig);
-        FreePool (TmpEfiSig);
-        EfiSig = TmpEfiSig2;
+        return Status;
       }
 
-      KeyIndex++;
-      FreePool (Buffer);
-    } if (Status == EFI_NOT_FOUND) {
-      break;
+      ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize);
+      FreePool (TmpEfiSig);
+    } else {
+      DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+      if (EfiSig != NULL) {
+        FreePool(EfiSig);
+      }
+      FreePool(Buffer);
+      return EFI_INVALID_PARAMETER;
     }
-  };
 
-  if (KeyIndex == 0) {
-    return EFI_NOT_FOUND;
+    KeyIndex++;
+    FreePool (Buffer);
   }
 
   *SigListOut = EfiSig;
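Review bot: The new EFI_VARIABLE_AUTHENTICATION_2 branch trusts every length field in the section without comparing it to `Size`. The header fields are read before checking that the section is large enough to hold them, `dwLength` is subtracted from the unsigned `Size` unchecked, and `while (Size > 0)` wraps if a `SignatureListSize` exceeds the remaining bytes and never terminates if one is zero. Both `ConcatenateSigList` calls also ignore the returned status, so an allocation failure goes unnoticed and the loop carries on. Separately, a missing first section now returns EFI_INVALID_PARAMETER where the removed code returned EFI_NOT_FOUND, which callers may rely on. The fence below sketches bounds checks for the Auth2 branch using only the existing locals; SecureBootFetchData starts and ends outside this hunk.

```c
    // … unchanged: GetSectionFromAnyFv call and the EFI_NOT_FOUND / error exits …
    RsaPubKey = NULL;
    Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)Buffer;
    if ((Size >= OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) &&
        (Auth2->AuthInfo.Hdr.wCertificateType == WIN_CERT_TYPE_EFI_GUID) &&
        (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType) == TRUE)) {

      Size -= OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo);
      Status = EFI_SUCCESS;
      //
      // dwLength covers the certificate header plus CertData and must fit in the rest of the section.
      //
      if ((Auth2->AuthInfo.Hdr.dwLength < OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) ||
          (Auth2->AuthInfo.Hdr.dwLength > Size)) {
        Status = EFI_INVALID_PARAMETER;
      } else {
        SigListOffset = Auth2->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
        TmpEfiSig = (EFI_SIGNATURE_LIST *) &Auth2->AuthInfo.CertData[SigListOffset];
        Size -= Auth2->AuthInfo.Hdr.dwLength;
      }

      while (!EFI_ERROR (Status) && (Size > 0)) {
        //
        // Each list must hold at least its own header and end inside the section.
        //
        if ((Size < sizeof (EFI_SIGNATURE_LIST)) ||
            (TmpEfiSig->SignatureListSize < sizeof (EFI_SIGNATURE_LIST)) ||
            (TmpEfiSig->SignatureListSize > Size)) {
          Status = EFI_INVALID_PARAMETER;
          break;
        }
        Status = ConcatenateSigList (&EfiSig, TmpEfiSig, SigListsSize);
        if (EFI_ERROR (Status)) {
          break;
        }
        Size -= TmpEfiSig->SignatureListSize;
        TmpEfiSig = (EFI_SIGNATURE_LIST *)((UINT8 *)TmpEfiSig + TmpEfiSig->SignatureListSize);
      }

      if (EFI_ERROR (Status)) {
        if (EfiSig != NULL) {
          FreePool (EfiSig);
        }
        FreePool (Buffer);
        return Status;
      }
    // … X509 and invalid-format branches follow …
```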
-- 
2.25.1


