diff options
| author | kuqin <kuqin@microsoft.com> | 2022-04-15 13:38:11 -0700 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2022-07-07 01:07:00 +0000 |
| commit | 6de7c084dbb6d02f3b8cdb68dc4716df96c6758f (patch) | |
| tree | 98f705659b9da105c92db95852b6477308953ecc /SecurityPkg | |
| parent | 56c717aafa037f8d1fa3ef8c7cf7f4de91c2575e (diff) | |
| download | edk2-6de7c084dbb6d02f3b8cdb68dc4716df96c6758f.tar.gz edk2-6de7c084dbb6d02f3b8cdb68dc4716df96c6758f.tar.bz2 edk2-6de7c084dbb6d02f3b8cdb68dc4716df96c6758f.zip | |
SecurityPkg: SecureBootVariableLib: Updated signature list creator
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910
This change removes the interface of SecureBootFetchData, and replaced
it with `SecureBootCreateDataFromInput`, which will require caller to
prepare available certificates in defined structures.
This improvement will eliminate the dependency of reading from FV,
extending the availability of this library instance.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Michael Kubacki <michael.kubacki@microsoft.com>
Diffstat (limited to 'SecurityPkg')
3 files changed, 53 insertions, 44 deletions
diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h index 9f2d41220b..24ff0df067 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h @@ -44,24 +44,29 @@ GetSetupMode ( );
/**
- Create a EFI Signature List with data fetched from section specified as a argument.
- Found keys are verified using RsaGetPublicKeyFromX509().
+ Create a EFI Signature List with data supplied from input argument.
+ The input certificates from KeyInfo parameter should be DER-encoded
+ format.
- @param[in] KeyFileGuid A pointer to to the FFS filename GUID
@param[out] SigListsSize A pointer to size of signature list
- @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists
+ @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists
+ @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo.
+ @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded,
+ to be concatenated into signature lists.
- @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_SUCCESS Created signature list from payload successfully.
@retval EFI_NOT_FOUND Section with key has not been found.
- @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL.
@retval Others Unexpected error happens.
--*/
EFI_STATUS
-SecureBootFetchData (
- IN EFI_GUID *KeyFileGuid,
- OUT UINTN *SigListsSize,
- OUT EFI_SIGNATURE_LIST **SigListOut
+EFIAPI
+SecureBootCreateDataFromInput (
+ OUT UINTN *SigListsSize,
+ OUT EFI_SIGNATURE_LIST **SigListOut,
+ IN UINTN KeyInfoCount,
+ IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo
);
/**
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index 3b33a356ab..f56f0322e9 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -10,10 +10,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Uefi.h>
+#include <UefiSecureBoot.h>
#include <Guid/GlobalVariable.h>
#include <Guid/AuthenticatedVariableFormat.h>
#include <Guid/ImageAuthentication.h>
-#include <Library/BaseCryptLib.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
@@ -21,7 +21,6 @@ #include <Library/MemoryAllocationLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/SecureBootVariableLib.h>
-#include "Library/DxeServicesLib.h"
// This time can be used when deleting variables, as it should be greater than any variable time.
EFI_TIME mMaxTimestamp = {
@@ -130,24 +129,29 @@ ConcatenateSigList ( }
/**
- Create a EFI Signature List with data fetched from section specified as a argument.
- Found keys are verified using RsaGetPublicKeyFromX509().
+ Create a EFI Signature List with data supplied from input argument.
+ The input certificates from KeyInfo parameter should be DER-encoded
+ format.
- @param[in] KeyFileGuid A pointer to to the FFS filename GUID
@param[out] SigListsSize A pointer to size of signature list
- @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists
+ @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists
+ @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo.
+ @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded,
+ to be concatenated into signature lists.
- @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_SUCCESS Created signature list from payload successfully.
@retval EFI_NOT_FOUND Section with key has not been found.
- @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL.
@retval Others Unexpected error happens.
**/
EFI_STATUS
-SecureBootFetchData (
- IN EFI_GUID *KeyFileGuid,
- OUT UINTN *SigListsSize,
- OUT EFI_SIGNATURE_LIST **SigListOut
+EFIAPI
+SecureBootCreateDataFromInput (
+ OUT UINTN *SigListsSize,
+ OUT EFI_SIGNATURE_LIST **SigListOut,
+ IN UINTN KeyInfoCount,
+ IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo
)
{
EFI_SIGNATURE_LIST *EfiSig;
@@ -155,36 +159,41 @@ SecureBootFetchData ( EFI_SIGNATURE_LIST *TmpEfiSig2;
EFI_STATUS Status;
VOID *Buffer;
- VOID *RsaPubKey;
UINTN Size;
+ UINTN InputIndex;
UINTN KeyIndex;
+ if ((SigListOut == NULL) || (SigListsSize == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((KeyInfoCount == 0) || (KeyInfo == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ InputIndex = 0;
KeyIndex = 0;
EfiSig = NULL;
*SigListsSize = 0;
- while (1) {
- Status = GetSectionFromAnyFv (
- KeyFileGuid,
- EFI_SECTION_RAW,
- KeyIndex,
- &Buffer,
- &Size
- );
-
- if (Status == EFI_SUCCESS) {
- RsaPubKey = NULL;
- if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
- DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+ while (InputIndex < KeyInfoCount) {
+ if (KeyInfo[InputIndex].Data != NULL) {
+ Size = KeyInfo[InputIndex].DataSize;
+ Buffer = AllocateCopyPool (Size, KeyInfo[InputIndex].Data);
+ if (Buffer == NULL) {
if (EfiSig != NULL) {
FreePool (EfiSig);
}
- FreePool (Buffer);
- return EFI_INVALID_PARAMETER;
+ return EFI_OUT_OF_RESOURCES;
}
Status = CreateSigList (Buffer, Size, &TmpEfiSig);
+ if (EFI_ERROR (Status)) {
+ FreePool (Buffer);
+ break;
+ }
+
//
// Concatenate lists if more than one section found
//
@@ -202,9 +211,7 @@ SecureBootFetchData ( FreePool (Buffer);
}
- if (Status == EFI_NOT_FOUND) {
- break;
- }
+ InputIndex++;
}
if (KeyIndex == 0) {
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf index 87db5a2580..3d4b77cfb0 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf @@ -32,15 +32,12 @@ MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec
- CryptoPkg/CryptoPkg.dec
[LibraryClasses]
BaseLib
BaseMemoryLib
DebugLib
MemoryAllocationLib
- BaseCryptLib
- DxeServicesLib
[Guids]
## CONSUMES ## Variable:L"SetupMode"
|