summaryrefslogtreecommitdiffstats
path: root/SecurityPkg
diff options
context:
space:
mode:
authorKun Qin <kuqin@microsoft.com>2022-04-10 15:36:53 -0700
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2022-07-07 01:07:00 +0000
commitfe73e9cd8952083a23b26b2eeb705fc2c2758f32 (patch)
treef3da2193cac194694bb5b868401c5fdac8d9d71c /SecurityPkg
parent6eb407947592e084110a124be089bef167af1383 (diff)
downloadedk2-fe73e9cd8952083a23b26b2eeb705fc2c2758f32.tar.gz
edk2-fe73e9cd8952083a23b26b2eeb705fc2c2758f32.tar.bz2
edk2-fe73e9cd8952083a23b26b2eeb705fc2c2758f32.zip
SecurityPkg: SecureBootVariableProvisionLib: Updated implementation
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910 This change is in pair with the previous SecureBootVariableLib, which removes the explicit invocation of `CreateTimeBasedPayload` and used new interface `EnrollFromInput` instead. The original `SecureBootFetchData` is also moved to this library and incorporated with the newly defined `SecureBootCreateDataFromInput` to keep the original code flow. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Min Xu <min.m.xu@intel.com> Signed-off-by: Kun Qin <kun.qin@microsoft.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Acked-by: Michael Kubacki <michael.kubacki@microsoft.com>
Diffstat (limited to 'SecurityPkg')
-rw-r--r--SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c145
1 files changed, 115 insertions, 30 deletions
diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
index 536b0f3699..bed1fe8620 100644
--- a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
+++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
@@ -8,10 +8,13 @@
Copyright (c) 2021, Semihalf All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
+#include <Uefi.h>
+#include <UefiSecureBoot.h>
#include <Guid/GlobalVariable.h>
#include <Guid/AuthenticatedVariableFormat.h>
#include <Guid/ImageAuthentication.h>
#include <Library/BaseLib.h>
+#include <Library/BaseCryptLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
#include <Library/UefiLib.h>
@@ -19,6 +22,117 @@
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/SecureBootVariableLib.h>
#include <Library/SecureBootVariableProvisionLib.h>
+#include <Library/DxeServicesLib.h>
+
+/**
+ Create a EFI Signature List with data fetched from section specified as a argument.
+ Found keys are verified using RsaGetPublicKeyFromX509().
+
+ @param[in] KeyFileGuid A pointer to to the FFS filename GUID
+ @param[out] SigListsSize A pointer to size of signature list
+ @param[out] SigListOut a pointer to a callee-allocated buffer with signature lists
+
+ @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_NOT_FOUND Section with key has not been found.
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.
+ @retval Others Unexpected error happens.
+
+**/
+STATIC
+EFI_STATUS
+SecureBootFetchData (
+ IN EFI_GUID *KeyFileGuid,
+ OUT UINTN *SigListsSize,
+ OUT EFI_SIGNATURE_LIST **SigListOut
+ )
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ EFI_STATUS Status;
+ VOID *Buffer;
+ VOID *RsaPubKey;
+ UINTN Size;
+ UINTN KeyIndex;
+ UINTN Index;
+ SECURE_BOOT_CERTIFICATE_INFO *CertInfo;
+ SECURE_BOOT_CERTIFICATE_INFO *NewCertInfo;
+
+ KeyIndex = 0;
+ EfiSig = NULL;
+ *SigListOut = NULL;
+ *SigListsSize = 0;
+ CertInfo = AllocatePool (sizeof (SECURE_BOOT_CERTIFICATE_INFO));
+ NewCertInfo = CertInfo;
+ while (1) {
+ if (NewCertInfo == NULL) {
+ Status = EFI_OUT_OF_RESOURCES;
+ break;
+ } else {
+ CertInfo = NewCertInfo;
+ }
+
+ Status = GetSectionFromAnyFv (
+ KeyFileGuid,
+ EFI_SECTION_RAW,
+ KeyIndex,
+ &Buffer,
+ &Size
+ );
+
+ if (Status == EFI_SUCCESS) {
+ RsaPubKey = NULL;
+ if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
+ DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+ if (EfiSig != NULL) {
+ FreePool (EfiSig);
+ }
+
+ FreePool (Buffer);
+ Status = EFI_INVALID_PARAMETER;
+ break;
+ }
+
+ CertInfo[KeyIndex].Data = Buffer;
+ CertInfo[KeyIndex].DataSize = Size;
+ KeyIndex++;
+ NewCertInfo = ReallocatePool (
+ sizeof (SECURE_BOOT_CERTIFICATE_INFO) * KeyIndex,
+ sizeof (SECURE_BOOT_CERTIFICATE_INFO) * (KeyIndex + 1),
+ CertInfo
+ );
+ }
+
+ if (Status == EFI_NOT_FOUND) {
+ Status = EFI_SUCCESS;
+ break;
+ }
+ }
+
+ if (EFI_ERROR (Status)) {
+ goto Cleanup;
+ }
+
+ if (KeyIndex == 0) {
+ Status = EFI_NOT_FOUND;
+ goto Cleanup;
+ }
+
+ // Now that we collected all certs from FV, convert it into sig list
+ Status = SecureBootCreateDataFromInput (SigListsSize, SigListOut, KeyIndex, CertInfo);
+ if (EFI_ERROR (Status)) {
+ goto Cleanup;
+ }
+
+Cleanup:
+ if (CertInfo) {
+ for (Index = 0; Index < KeyIndex; Index++) {
+ FreePool ((VOID *)CertInfo[Index].Data);
+ }
+
+ FreePool (CertInfo);
+ }
+
+ return Status;
+}
/**
Enroll a key/certificate based on a default variable.
@@ -52,36 +166,7 @@ EnrollFromDefault (
return Status;
}
- CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
- return Status;
- }
-
- //
- // Allocate memory for auth variable
- //
- Status = gRT->SetVariable (
- VariableName,
- VendorGuid,
- (EFI_VARIABLE_NON_VOLATILE |
- EFI_VARIABLE_BOOTSERVICE_ACCESS |
- EFI_VARIABLE_RUNTIME_ACCESS |
- EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
- DataSize,
- Data
- );
-
- if (EFI_ERROR (Status)) {
- DEBUG ((
- DEBUG_ERROR,
- "error: %a (\"%s\", %g): %r\n",
- __FUNCTION__,
- VariableName,
- VendorGuid,
- Status
- ));
- }
+ Status = EnrollFromInput (VariableName, VendorGuid, DataSize, Data);
if (Data != NULL) {
FreePool (Data);