summaryrefslogtreecommitdiffstats
path: root/SecurityPkg/Pkcs7Verify
Commit message (Collapse)AuthorAgeFilesLines
* SecurityPkg: Clean up source filesLiming Gao2018-06-282-5/+5
| | | | | | | | | 1. Do not use tab characters 2. No trailing white space in one line 3. All files must end with CRLF Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Liming Gao <liming.gao@intel.com>
* SecurityPkg/Pkcs7Verify: Add the comments to address security problemLong Qin2017-10-181-0/+8
| | | | | | | | | | | | | | | | | | | | Add the comments to address security problems in the Pkcs7Verify Protocol per UEFI 2.7 updates. The Pkcs7Verifier function VerifySignature() has problematic use cases where it might be used to unwittingly bypass security checks. The specific problem is that if the supplied hash is a different algorithm from the blacklist hash, the hash will be approved even if it should have been denied. The added comments place a strong warning about the problem. It is possible to use the protocol reliably, either by agreeing a hash to use for all time (like sha256) or by looping over all supported hashes when using the protocol. Cc: Chao Zhang <chao.b.zhang@intel.com> Cc: James Bottomley <James.Bottomley@HansenPartnership.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
* Pkcs7VerifyDxe: Don't allow Pkcs7Verify to install protocols twicePeter Jones2017-09-051-2/+11
| | | | | | | | | | | | | This patch makes Pkcs7VerifyDxe check that it has not already been installed before installing its protocols. This prevents the case where loading it as an external driver (either manually, through Driver#### variables, etc.) will refuse to add a second provider of the API. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Peter Jones <pjones@redhat.com> Reviewed-by: Michael Kinney <michael.d.kinney@intel.com> Reviewed-by: Long Qin <qin.long@intel.com>
* SecurityPkg/Pkcs7Verify: Complete the Pkcs7VerifyDxe protocolLong Qin2017-09-051-3/+376
| | | | | | | | | | | | | VerifySignature can be implemented using a mirror of the AuthenticodeVerify function that's already in use in the ImageVerificationDXE environment, so this patch simply wires up VerifySignature using that code. <NOTE: Only Authenticode-signature verification was supported by this VerifySignature() implementation now.) Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Reviewed-by: Long Qin <qin.long@intel.com>
* SecurityPkg/Pkcs7VerifyDxe: Add format check in DB list contentsLong Qin2017-05-051-6/+60
| | | | | | | | | | Add the size check for invalid format detection in AllowedDb, RevokedDb and TimeStampDb list contents. Cc: Chao Zhang <chao.b.zhang@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
* SecurityPkg: Convert all .uni files to utf-8Jordan Justen2015-12-152-0/+0
| | | | | | | | | | | | | To convert these files I ran: $ python3 BaseTools/Scripts/ConvertUni.py SecurityPkg Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Michael Kinney <michael.d.kinney@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19262 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Fix one returned code issue in P7Verify ProtocolQin Long2015-08-261-0/+7
| | | | | | | | | | | | VerifyBuffer() in PKCS7 Verify Protocol should return EFI_UNSUPPORTED when the embedded content is found in SignedData but InData is not NULL. This patch is to comply with the spec definition. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18311 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg/Pkcs7VerifyDxe: Cleanup P7CheckTrust function comments.Qiu Shumin2015-07-141-6/+0
| | | | | | | | | | | | Delete description of non-existent parameters 'Content' and 'ContentSize' from P7CheckTrust() description. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qiu Shumin <shumin.qiu@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org> Reviewed-by: Jordan Justen <jordan.l.justen@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17937 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Provide correct file GUID for Pkcs7VerifyDxeChao Zhang2015-06-231-1/+1
| | | | | | | | | | | Provide correct file GUID for Pkcs7VerifyDxe Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17688 6f19259b-4bc3-4df7-8a09-765794883524
* SecurityPkg: Add UEFI-2.5 PKCS7 Verification Protocol SupportQin Long2015-06-194-0/+1117
This patch adds the support for PKCS7 Verification Protocol which was defined in UEFI 2.5. (NOTE: The VerifySignature interface was not supported in this version, due to openssl interface limitation) Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17670 6f19259b-4bc3-4df7-8a09-765794883524