From nobody Tue Feb 10 01:15:57 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+89511+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+89511+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1651687495; cv=none; d=zohomail.com; s=zohoarc; b=HEaLmWF13UX69zL0A75yZYO00v7riyRGMYnITvUDaQvtkN8mSHYjUquNYqDwzl8EERCW9NS6cfCR5wDih+5Wf53B+HBRLKOsxDlDgte68Gny2TUYE28e9eehmZQ9JNa5yP3DrKRQWEAug2tY0/5nzzgJ2AKLMNW/UF1qeMbIgF4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1651687495; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=kctgmUbasNZtR4A9vm3tCaxyHz+Gd1PV9qK8v/TdYsE=; b=COZIjtJ6hvcvd2L00TenfZnmg7zG6+uyWzzuIWM46wS/BxNh24DQnPD3ImdyzqwWCBmFYJ7YK6lPV3bzH7KrINhR89k2edjX4qMbqMI/O9nn1M3WGcS8mZtKD99b0AGENVJaX3ZMVhdrhUT186ok9xxQMcT1y1GC8l42bjiByUo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+89511+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1651687495560249.98315726617375; Wed, 4 May 2022 11:04:55 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id pdyoYY1788612xR3qbYhPsxQ; Wed, 04 May 2022 11:04:55 -0700 X-Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com [209.85.215.180]) by mx.groups.io with SMTP id smtpd.web08.733.1651687494569713531 for ; Wed, 04 May 2022 11:04:54 -0700 X-Received: by mail-pg1-f180.google.com with SMTP id k14so1793382pga.0 for ; Wed, 04 May 2022 11:04:54 -0700 (PDT) X-Gm-Message-State: nbDzfYFQQrqZtFOnfsaA4MuCx1787277AA= X-Google-Smtp-Source: ABdhPJwhp+LuNUzO33au7AVRrTlvY6RfOMmJrOs+xIx9JJWLLvR2Br37MuAjE7I5aV3j7+65Pp5jXw== X-Received: by 2002:a65:638d:0:b0:39d:74ad:ce0b with SMTP id h13-20020a65638d000000b0039d74adce0bmr19278594pgv.103.1651687493988; Wed, 04 May 2022 11:04:53 -0700 (PDT) X-Received: from localhost.localdomain ([50.47.82.110]) by smtp.gmail.com with ESMTPSA id n5-20020aa79045000000b0050dc7628143sm8496347pfo.29.2022.05.04.11.04.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 May 2022 11:04:53 -0700 (PDT) From: "Kun Qin" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu Subject: [edk2-devel] [PATCH v1 04/11] SecurityPkg: SecureBootVariableLib: Updated signature list creator Date: Wed, 4 May 2022 11:04:30 -0700 Message-Id: <20220504180438.1321-5-kuqin12@gmail.com> In-Reply-To: <20220504180438.1321-1-kuqin12@gmail.com> References: <20220504180438.1321-1-kuqin12@gmail.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,kuqin12@gmail.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1651687495; bh=uI7qclALzm6GcWga2/mYbRDRVadIwyjJU6tuna7UjpE=; h=Cc:Date:From:Reply-To:Subject:To; b=GyCgu7joWgy2nmZgaw5LnM0hKQ3DUfS1tNFpMUbdCee5E3x456XIqDM14aiQzoyR9gx NOCjqDAY7vDHJArsgJ9Viw9mJp369t2Q/aQpT4pZlS8ulWuoXkp0+qImLrEOQXNETKEJZ ubaHaPi/jzdXEiBr80bNJK8OeirKdhuyb7g= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1651687497783100018 Content-Type: text/plain; charset="utf-8" From: kuqin REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3910 This change removes the interface of SecureBootFetchData, and replaced it with `SecureBootCreateDataFromInput`, which will require caller to prepare available certificates in defined structures. This improvement will eliminate the dependency of reading from FV, extending the availability of this library instance. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Signed-off-by: Kun Qin --- SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 69 += ++++++++++--------- SecurityPkg/Include/Library/SecureBootVariableLib.h | 25 += +++--- SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 3 - 3 files changed, 53 insertions(+), 44 deletions(-) diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index 3b33a356aba3..f56f0322e943 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -10,10 +10,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include +#include #include #include #include -#include #include #include #include @@ -21,7 +21,6 @@ #include #include #include -#include "Library/DxeServicesLib.h" =20 // This time can be used when deleting variables, as it should be greater = than any variable time. EFI_TIME mMaxTimestamp =3D { @@ -130,24 +129,29 @@ ConcatenateSigList ( } =20 /** - Create a EFI Signature List with data fetched from section specified as = a argument. - Found keys are verified using RsaGetPublicKeyFromX509(). + Create a EFI Signature List with data supplied from input argument. + The input certificates from KeyInfo parameter should be DER-encoded + format. =20 - @param[in] KeyFileGuid A pointer to to the FFS filename GUID @param[out] SigListsSize A pointer to size of signature list - @param[out] SigListsOut a pointer to a callee-allocated buffer = with signature lists + @param[out] SigListOut A pointer to a callee-allocated buffer = with signature lists + @param[in] KeyInfoCount The number of certificate pointer and s= ize pairs inside KeyInfo. + @param[in] KeyInfo A pointer to all certificates, in the f= ormat of DER-encoded, + to be concatenated into signature lists. =20 - @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_SUCCESS Created signature list from payload suc= cessfully. @retval EFI_NOT_FOUND Section with key has not been found. - @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or inpu= t pointers are NULL. @retval Others Unexpected error happens. =20 **/ EFI_STATUS -SecureBootFetchData ( - IN EFI_GUID *KeyFileGuid, - OUT UINTN *SigListsSize, - OUT EFI_SIGNATURE_LIST **SigListOut +EFIAPI +SecureBootCreateDataFromInput ( + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN UINTN KeyInfoCount, + IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo ) { EFI_SIGNATURE_LIST *EfiSig; @@ -155,36 +159,41 @@ SecureBootFetchData ( EFI_SIGNATURE_LIST *TmpEfiSig2; EFI_STATUS Status; VOID *Buffer; - VOID *RsaPubKey; UINTN Size; + UINTN InputIndex; UINTN KeyIndex; =20 + if ((SigListOut =3D=3D NULL) || (SigListsSize =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + if ((KeyInfoCount =3D=3D 0) || (KeyInfo =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + InputIndex =3D 0; KeyIndex =3D 0; EfiSig =3D NULL; *SigListsSize =3D 0; - while (1) { - Status =3D GetSectionFromAnyFv ( - KeyFileGuid, - EFI_SECTION_RAW, - KeyIndex, - &Buffer, - &Size - ); - - if (Status =3D=3D EFI_SUCCESS) { - RsaPubKey =3D NULL; - if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FALSE)= { - DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__,= KeyIndex)); + while (InputIndex < KeyInfoCount) { + if (KeyInfo[InputIndex].Data !=3D NULL) { + Size =3D KeyInfo[InputIndex].DataSize; + Buffer =3D AllocateCopyPool (Size, KeyInfo[InputIndex].Data); + if (Buffer =3D=3D NULL) { if (EfiSig !=3D NULL) { FreePool (EfiSig); } =20 - FreePool (Buffer); - return EFI_INVALID_PARAMETER; + return EFI_OUT_OF_RESOURCES; } =20 Status =3D CreateSigList (Buffer, Size, &TmpEfiSig); =20 + if (EFI_ERROR (Status)) { + FreePool (Buffer); + break; + } + // // Concatenate lists if more than one section found // @@ -202,9 +211,7 @@ SecureBootFetchData ( FreePool (Buffer); } =20 - if (Status =3D=3D EFI_NOT_FOUND) { - break; - } + InputIndex++; } =20 if (KeyIndex =3D=3D 0) { diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/Security= Pkg/Include/Library/SecureBootVariableLib.h index 9f2d41220b70..24ff0df067fa 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h @@ -44,24 +44,29 @@ GetSetupMode ( ); =20 /** - Create a EFI Signature List with data fetched from section specified as = a argument. - Found keys are verified using RsaGetPublicKeyFromX509(). + Create a EFI Signature List with data supplied from input argument. + The input certificates from KeyInfo parameter should be DER-encoded + format. =20 - @param[in] KeyFileGuid A pointer to to the FFS filename GUID @param[out] SigListsSize A pointer to size of signature list - @param[out] SigListsOut a pointer to a callee-allocated buffer = with signature lists + @param[out] SigListOut A pointer to a callee-allocated buffer = with signature lists + @param[in] KeyInfoCount The number of certificate pointer and s= ize pairs inside KeyInfo. + @param[in] KeyInfo A pointer to all certificates, in the f= ormat of DER-encoded, + to be concatenated into signature lists. =20 - @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_SUCCESS Created signature list from payload suc= cessfully. @retval EFI_NOT_FOUND Section with key has not been found. - @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or inpu= t pointers are NULL. @retval Others Unexpected error happens. =20 --*/ EFI_STATUS -SecureBootFetchData ( - IN EFI_GUID *KeyFileGuid, - OUT UINTN *SigListsSize, - OUT EFI_SIGNATURE_LIST **SigListOut +EFIAPI +SecureBootCreateDataFromInput ( + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN UINTN KeyInfoCount, + IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo ); =20 /** diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf index 87db5a258021..3d4b77cfb073 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf @@ -32,15 +32,12 @@ [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec SecurityPkg/SecurityPkg.dec - CryptoPkg/CryptoPkg.dec =20 [LibraryClasses] BaseLib BaseMemoryLib DebugLib MemoryAllocationLib - BaseCryptLib - DxeServicesLib =20 [Guids] ## CONSUMES ## Variable:L"SetupMode" --=20 2.34.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#89511): https://edk2.groups.io/g/devel/message/89511 Mute This Topic: https://groups.io/mt/90893932/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-