From fe73e9cd8952083a23b26b2eeb705fc2c2758f32 Mon Sep 17 00:00:00 2001 From: Kun Qin Date: Sun, 10 Apr 2022 15:36:53 -0700 Subject: SecurityPkg: SecureBootVariableProvisionLib: Updated implementation REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910 This change is in pair with the previous SecureBootVariableLib, which removes the explicit invocation of `CreateTimeBasedPayload` and used new interface `EnrollFromInput` instead. The original `SecureBootFetchData` is also moved to this library and incorporated with the newly defined `SecureBootCreateDataFromInput` to keep the original code flow. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Signed-off-by: Kun Qin Reviewed-by: Jiewen Yao Acked-by: Michael Kubacki --- .../SecureBootVariableProvisionLib.c | 145 ++++++++++++++++----- 1 file changed, 115 insertions(+), 30 deletions(-) (limited to 'SecurityPkg') diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c index 536b0f3699..bed1fe8620 100644 --- a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c @@ -8,10 +8,13 @@ Copyright (c) 2021, Semihalf All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#include #include #include #include #include +#include #include #include #include @@ -19,6 +22,117 @@ #include #include #include +#include + +/** + Create a EFI Signature List with data fetched from section specified as a argument. + Found keys are verified using RsaGetPublicKeyFromX509(). + + @param[in] KeyFileGuid A pointer to to the FFS filename GUID + @param[out] SigListsSize A pointer to size of signature list + @param[out] SigListOut a pointer to a callee-allocated buffer with signature lists + + @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_NOT_FOUND Section with key has not been found. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval Others Unexpected error happens. + +**/ +STATIC +EFI_STATUS +SecureBootFetchData ( + IN EFI_GUID *KeyFileGuid, + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + EFI_STATUS Status; + VOID *Buffer; + VOID *RsaPubKey; + UINTN Size; + UINTN KeyIndex; + UINTN Index; + SECURE_BOOT_CERTIFICATE_INFO *CertInfo; + SECURE_BOOT_CERTIFICATE_INFO *NewCertInfo; + + KeyIndex = 0; + EfiSig = NULL; + *SigListOut = NULL; + *SigListsSize = 0; + CertInfo = AllocatePool (sizeof (SECURE_BOOT_CERTIFICATE_INFO)); + NewCertInfo = CertInfo; + while (1) { + if (NewCertInfo == NULL) { + Status = EFI_OUT_OF_RESOURCES; + break; + } else { + CertInfo = NewCertInfo; + } + + Status = GetSectionFromAnyFv ( + KeyFileGuid, + EFI_SECTION_RAW, + KeyIndex, + &Buffer, + &Size + ); + + if (Status == EFI_SUCCESS) { + RsaPubKey = NULL; + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) { + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex)); + if (EfiSig != NULL) { + FreePool (EfiSig); + } + + FreePool (Buffer); + Status = EFI_INVALID_PARAMETER; + break; + } + + CertInfo[KeyIndex].Data = Buffer; + CertInfo[KeyIndex].DataSize = Size; + KeyIndex++; + NewCertInfo = ReallocatePool ( + sizeof (SECURE_BOOT_CERTIFICATE_INFO) * KeyIndex, + sizeof (SECURE_BOOT_CERTIFICATE_INFO) * (KeyIndex + 1), + CertInfo + ); + } + + if (Status == EFI_NOT_FOUND) { + Status = EFI_SUCCESS; + break; + } + } + + if (EFI_ERROR (Status)) { + goto Cleanup; + } + + if (KeyIndex == 0) { + Status = EFI_NOT_FOUND; + goto Cleanup; + } + + // Now that we collected all certs from FV, convert it into sig list + Status = SecureBootCreateDataFromInput (SigListsSize, SigListOut, KeyIndex, CertInfo); + if (EFI_ERROR (Status)) { + goto Cleanup; + } + +Cleanup: + if (CertInfo) { + for (Index = 0; Index < KeyIndex; Index++) { + FreePool ((VOID *)CertInfo[Index].Data); + } + + FreePool (CertInfo); + } + + return Status; +} /** Enroll a key/certificate based on a default variable. @@ -52,36 +166,7 @@ EnrollFromDefault ( return Status; } - CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); - return Status; - } - - // - // Allocate memory for auth variable - // - Status = gRT->SetVariable ( - VariableName, - VendorGuid, - (EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS | - EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), - DataSize, - Data - ); - - if (EFI_ERROR (Status)) { - DEBUG (( - DEBUG_ERROR, - "error: %a (\"%s\", %g): %r\n", - __FUNCTION__, - VariableName, - VendorGuid, - Status - )); - } + Status = EnrollFromInput (VariableName, VendorGuid, DataSize, Data); if (Data != NULL) { FreePool (Data); -- cgit v1.2.3