From: Marvin Häuser
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Vitaly Cheptsov
Subject: [edk2-devel] [PATCH] SecurityPkg/DxeImageVerificationLib: Always lookup SHA-256 hash in dbx
Date: Sun, 8 Aug 2021 19:39:47 +0000
Message-Id: <6810bb96b0c7ef377680112f48bac9cd0a964a52.1628353537.git.mhaeuser@posteo.de>
In-Reply-To: <5df11a13422732b9c03c120775a2b4dd0a49182f.1628444003.git.mhaeuser@posteo.de>
References: <5df11a13422732b9c03c120775a2b4dd0a49182f.1628444003.git.mhaeuser@posteo.de>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3461

The UEFI specification prohibits loading any UEFI image of which a matching SHA-256 hash is contained in "dbx" (UEFI 2.9, 32.5.3.3 "Authorization Process", 3.A). Currently, this is only explicitly checked when the image is unsigned and otherwise the hash algorithms of the certificates are used. Align with the UEFI specification by specifically looking up the SHA-256 hash of the image in "dbx".

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Cc: Vitaly Cheptsov
Signed-off-by: Marvin Häuser
--- SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 60= ++++++++------------ 1 file changed, 24 insertions(+), 36 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index c48861cd6496..1f9bb33e86c3 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1803,34 +1803,36 @@ DxeImageVerificationHandler ( } } =20 + // + // The SHA256 hash value of the image must not be reflected in the secur= ity data base "dbx". + // + if (!HashPeImage (HASHALG_SHA256)) { + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this imag= e using %s.\n", mHashTypeStr)); + goto Failed; + } + + DbStatus =3D IsSignatureFoundInDatabase ( + EFI_IMAGE_SECURITY_DATABASE1, + mImageDigest, + &mCertType, + mImageDigestSize, + &IsFound + ); + if (EFI_ERROR (DbStatus) || IsFound) { + // + // Image Hash is in forbidden database (DBX). + // + DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and = %s hash of image is forbidden by DBX.\n", mHashTypeStr)); + goto Failed; + } + // // Start Image Validation. // if (SecDataDir =3D=3D NULL || SecDataDir->Size =3D=3D 0) { // - // This image is not signed. The SHA256 hash value of the image must m= atch a record in the security database "db", - // and not be reflected in the security data base "dbx". + // This image is not signed. The SHA256 hash value of the image must m= atch a record in the security database "db". // - if (!HashPeImage (HASHALG_SHA256)) { - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this im= age using %s.\n", mHashTypeStr)); - goto Failed; - } - - DbStatus =3D IsSignatureFoundInDatabase ( - EFI_IMAGE_SECURITY_DATABASE1, - mImageDigest, - &mCertType, - mImageDigestSize, - &IsFound - ); - if (EFI_ERROR (DbStatus) || IsFound) { - // - // Image Hash is in forbidden database (DBX). - // - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed an= d %s hash of image is forbidden by DBX.\n", mHashTypeStr)); - goto Failed; - } - DbStatus =3D IsSignatureFoundInDatabase ( EFI_IMAGE_SECURITY_DATABASE, mImageDigest, 
@@ -1932,20 +1934,6 @@ DxeImageVerificationHandler ( // // Check the image's hash value. // - DbStatus =3D IsSignatureFoundInDatabase ( - EFI_IMAGE_SECURITY_DATABASE1, - mImageDigest, - &mCertType, - mImageDigestSize, - &IsFound - ); - if (EFI_ERROR (DbStatus) || IsFound) { - Action =3D EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND; - DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s= hash of image is found in DBX.\n", mHashTypeStr)); - IsVerified =3D FALSE; - break; - } - if (!IsVerified) { DbStatus =3D IsSignatureFoundInDatabase ( EFI_IMAGE_SECURITY_DATABASE, --=20 2.31.1
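Review bot: In the first hunk (@@ -1803,34 +1803,36 @@), the hoisted dbx check fails without recording why for signed images. The block now runs before the `SecDataDir` test, so it covers signed and unsigned images alike, yet its DEBUG string still reads "Image is not signed and %s hash of image is forbidden by DBX", and it jumps to `Failed` without assigning `Action`, whereas the signed-path check removed in the second hunk set `Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;` before bailing out. Suggest dropping "is not signed" from the message and choosing explicitly which `Action` value a signed image rejected at this point should report, so the image execution information does not silently change for that case.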
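Review bot: In the second hunk (@@ -1932,20 +1934,6 @@), deleting the `EFI_IMAGE_SECURITY_DATABASE1` lookup under "Check the image's hash value" removes the dbx comparison for the digest held in `mImageDigest` and typed by `mCertType` at that point, which the commit message describes as computed with the certificates' hash algorithms. After this change the visible code compares only the SHA-256 digest against dbx, so a dbx entry that lists the image under a different digest type would no longer reject a signed image on this path. Consider keeping this lookup in addition to the new SHA-256 check, or state in the commit message why non-SHA-256 hash entries in dbx need not be honored here.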