From 6de7c084dbb6d02f3b8cdb68dc4716df96c6758f Mon Sep 17 00:00:00 2001 From: kuqin Date: Fri, 15 Apr 2022 13:38:11 -0700 Subject: SecurityPkg: SecureBootVariableLib: Updated signature list creator REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910 This change removes the interface of SecureBootFetchData, and replaced it with `SecureBootCreateDataFromInput`, which will require caller to prepare available certificates in defined structures. This improvement will eliminate the dependency of reading from FV, extending the availability of this library instance. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Signed-off-by: Kun Qin Reviewed-by: Jiewen Yao Acked-by: Michael Kubacki --- .../Include/Library/SecureBootVariableLib.h | 25 ++++---- .../SecureBootVariableLib/SecureBootVariableLib.c | 69 ++++++++++++---------- .../SecureBootVariableLib.inf | 3 - 3 files changed, 53 insertions(+), 44 deletions(-) (limited to 'SecurityPkg') diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h index 9f2d41220b..24ff0df067 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h @@ -44,24 +44,29 @@ GetSetupMode ( ); /** - Create a EFI Signature List with data fetched from section specified as a argument. - Found keys are verified using RsaGetPublicKeyFromX509(). + Create a EFI Signature List with data supplied from input argument. + The input certificates from KeyInfo parameter should be DER-encoded + format. - @param[in] KeyFileGuid A pointer to to the FFS filename GUID @param[out] SigListsSize A pointer to size of signature list - @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists + @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists + @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo. + @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded, + to be concatenated into signature lists. - @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_SUCCESS Created signature list from payload successfully. @retval EFI_NOT_FOUND Section with key has not been found. - @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL. @retval Others Unexpected error happens. --*/ EFI_STATUS -SecureBootFetchData ( - IN EFI_GUID *KeyFileGuid, - OUT UINTN *SigListsSize, - OUT EFI_SIGNATURE_LIST **SigListOut +EFIAPI +SecureBootCreateDataFromInput ( + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN UINTN KeyInfoCount, + IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo ); /** diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index 3b33a356ab..f56f0322e9 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -10,10 +10,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include +#include #include #include #include -#include #include #include #include @@ -21,7 +21,6 @@ #include #include #include -#include "Library/DxeServicesLib.h" // This time can be used when deleting variables, as it should be greater than any variable time. EFI_TIME mMaxTimestamp = { @@ -130,24 +129,29 @@ ConcatenateSigList ( } /** - Create a EFI Signature List with data fetched from section specified as a argument. - Found keys are verified using RsaGetPublicKeyFromX509(). + Create a EFI Signature List with data supplied from input argument. + The input certificates from KeyInfo parameter should be DER-encoded + format. - @param[in] KeyFileGuid A pointer to to the FFS filename GUID @param[out] SigListsSize A pointer to size of signature list - @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists + @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists + @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo. + @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded, + to be concatenated into signature lists. - @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_SUCCESS Created signature list from payload successfully. @retval EFI_NOT_FOUND Section with key has not been found. - @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL. @retval Others Unexpected error happens. **/ EFI_STATUS -SecureBootFetchData ( - IN EFI_GUID *KeyFileGuid, - OUT UINTN *SigListsSize, - OUT EFI_SIGNATURE_LIST **SigListOut +EFIAPI +SecureBootCreateDataFromInput ( + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN UINTN KeyInfoCount, + IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo ) { EFI_SIGNATURE_LIST *EfiSig; @@ -155,36 +159,41 @@ SecureBootFetchData ( EFI_SIGNATURE_LIST *TmpEfiSig2; EFI_STATUS Status; VOID *Buffer; - VOID *RsaPubKey; UINTN Size; + UINTN InputIndex; UINTN KeyIndex; + if ((SigListOut == NULL) || (SigListsSize == NULL)) { + return EFI_INVALID_PARAMETER; + } + + if ((KeyInfoCount == 0) || (KeyInfo == NULL)) { + return EFI_INVALID_PARAMETER; + } + + InputIndex = 0; KeyIndex = 0; EfiSig = NULL; *SigListsSize = 0; - while (1) { - Status = GetSectionFromAnyFv ( - KeyFileGuid, - EFI_SECTION_RAW, - KeyIndex, - &Buffer, - &Size - ); - - if (Status == EFI_SUCCESS) { - RsaPubKey = NULL; - if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) { - DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex)); + while (InputIndex < KeyInfoCount) { + if (KeyInfo[InputIndex].Data != NULL) { + Size = KeyInfo[InputIndex].DataSize; + Buffer = AllocateCopyPool (Size, KeyInfo[InputIndex].Data); + if (Buffer == NULL) { if (EfiSig != NULL) { FreePool (EfiSig); } - FreePool (Buffer); - return EFI_INVALID_PARAMETER; + return EFI_OUT_OF_RESOURCES; } Status = CreateSigList (Buffer, Size, &TmpEfiSig); + if (EFI_ERROR (Status)) { + FreePool (Buffer); + break; + } + // // Concatenate lists if more than one section found // @@ -202,9 +211,7 @@ SecureBootFetchData ( FreePool (Buffer); } - if (Status == EFI_NOT_FOUND) { - break; - } + InputIndex++; } if (KeyIndex == 0) { diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf index 87db5a2580..3d4b77cfb0 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf @@ -32,15 +32,12 @@ MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec SecurityPkg/SecurityPkg.dec - CryptoPkg/CryptoPkg.dec [LibraryClasses] BaseLib BaseMemoryLib DebugLib MemoryAllocationLib - BaseCryptLib - DxeServicesLib [Guids] ## CONSUMES ## Variable:L"SetupMode" -- cgit v1.2.3