diff options
| author | Jeff Fan <jeff.fan@intel.com> | 2016-05-18 16:13:23 +0800 |
|---|---|---|
| committer | Jeff Fan <jeff.fan@intel.com> | 2016-05-19 09:12:26 +0800 |
| commit | 7dc0b3dfe18b67598b5cde64cfba9202f0563aaa (patch) | |
| tree | d4f9f024d961309c8abf3572c76fca0cb2bc4327 /SecurityPkg/Library/DxeImageVerificationLib | |
| parent | c0e2be586a3388d6c7b6a107fa72d51c6da7021c (diff) | |
| download | edk2-platforms-7dc0b3dfe18b67598b5cde64cfba9202f0563aaa.tar.xz | |
SecurityPkg: Revert 277a82548ac1a6d72be2c869cbd4a2b365f8d7c3
SecurityPkg: AuthVariableLib: Customized SecureBoot Mode transition.
Implement Customized SecureBoot Mode transition logic according to Mantis 1263, including AuditMode/DeployedMode/PK update management.
Also implement image verification logic in AuditMode. Image Certificate & Hash are recorded to EFI Image Execution Table.
https://mantis.uefi.org/mantis/view.php?id=1263
(Sync patch r19133 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Zeng Star <star.zeng@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Diffstat (limited to 'SecurityPkg/Library/DxeImageVerificationLib')
| -rw-r--r-- | SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 670 |
1 files changed, 36 insertions, 634 deletions
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 4b4d3bf77d..5cb9f8144e 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -712,58 +712,6 @@ GetImageExeInfoTableSize ( }
/**
- Create signature list based on input signature data and certificate type GUID. Caller is reposible
- to free new created SignatureList.
-
- @param[in] SignatureData Signature data in SignatureList.
- @param[in] SignatureDataSize Signature data size.
- @param[in] CertType Certificate Type.
- @param[out] SignatureList Created SignatureList.
- @param[out] SignatureListSize Created SignatureListSize.
-
- @return EFI_OUT_OF_RESOURCES The operation is failed due to lack of resources.
- @retval EFI_SUCCESS Successfully create signature list.
-
-**/
-EFI_STATUS
-CreateSignatureList(
- IN UINT8 *SignatureData,
- IN UINTN SignatureDataSize,
- IN EFI_GUID *CertType,
- OUT EFI_SIGNATURE_LIST **SignatureList,
- OUT UINTN *SignatureListSize
- )
-{
- EFI_SIGNATURE_LIST *SignList;
- UINTN SignListSize;
- EFI_SIGNATURE_DATA *Signature;
-
- SignList = NULL;
- *SignatureList = NULL;
-
- SignListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + SignatureDataSize;
- SignList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignListSize);
- if (SignList == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- SignList->SignatureHeaderSize = 0;
- SignList->SignatureListSize = (UINT32) SignListSize;
- SignList->SignatureSize = (UINT32) SignatureDataSize + sizeof (EFI_SIGNATURE_DATA) - 1;
- CopyMem (&SignList->SignatureType, CertType, sizeof (EFI_GUID));
-
- DEBUG((EFI_D_INFO, "SignatureDataSize %x\n", SignatureDataSize));
- Signature = (EFI_SIGNATURE_DATA *) ((UINT8 *) SignList + sizeof (EFI_SIGNATURE_LIST));
- CopyMem (Signature->SignatureData, SignatureData, SignatureDataSize);
-
- *SignatureList = SignList;
- *SignatureListSize = SignListSize;
-
- return EFI_SUCCESS;
-
-}
-
-/**
Create an Image Execution Information Table entry and add it to system configuration table.
@param[in] Action Describes the action taken by the firmware regarding this image.
@@ -789,13 +737,11 @@ AddImageExeInfo ( UINTN NewImageExeInfoEntrySize;
UINTN NameStringLen;
UINTN DevicePathSize;
- CHAR16 *NameStr;
ImageExeInfoTable = NULL;
NewImageExeInfoTable = NULL;
ImageExeInfoEntry = NULL;
NameStringLen = 0;
- NameStr = NULL;
if (DevicePath == NULL) {
return ;
@@ -823,12 +769,7 @@ AddImageExeInfo ( }
DevicePathSize = GetDevicePathSize (DevicePath);
-
- //
- // Signature size can be odd. Pad after signature to ensure next EXECUTION_INFO entry align
- //
- NewImageExeInfoEntrySize = sizeof (EFI_IMAGE_EXECUTION_INFO) + NameStringLen + DevicePathSize + SignatureSize;
-
+ NewImageExeInfoEntrySize = sizeof (EFI_IMAGE_EXECUTION_INFO) + NameStringLen + DevicePathSize + SignatureSize;
NewImageExeInfoTable = (EFI_IMAGE_EXECUTION_INFO_TABLE *) AllocateRuntimePool (ImageExeInfoTableSize + NewImageExeInfoEntrySize);
if (NewImageExeInfoTable == NULL) {
return ;
@@ -847,21 +788,19 @@ AddImageExeInfo ( WriteUnaligned32 ((UINT32 *) ImageExeInfoEntry, Action);
WriteUnaligned32 ((UINT32 *) ((UINT8 *) ImageExeInfoEntry + sizeof (EFI_IMAGE_EXECUTION_ACTION)), (UINT32) NewImageExeInfoEntrySize);
- NameStr = (CHAR16 *)(ImageExeInfoEntry + 1);
if (Name != NULL) {
- CopyMem ((UINT8 *) NameStr, Name, NameStringLen);
+ CopyMem ((UINT8 *) ImageExeInfoEntry + sizeof (EFI_IMAGE_EXECUTION_ACTION) + sizeof (UINT32), Name, NameStringLen);
} else {
- ZeroMem ((UINT8 *) NameStr, sizeof (CHAR16));
+ ZeroMem ((UINT8 *) ImageExeInfoEntry + sizeof (EFI_IMAGE_EXECUTION_ACTION) + sizeof (UINT32), sizeof (CHAR16));
}
-
CopyMem (
- (UINT8 *) NameStr + NameStringLen,
+ (UINT8 *) ImageExeInfoEntry + sizeof (EFI_IMAGE_EXECUTION_ACTION) + sizeof (UINT32) + NameStringLen,
DevicePath,
DevicePathSize
);
if (Signature != NULL) {
CopyMem (
- (UINT8 *) NameStr + NameStringLen + DevicePathSize,
+ (UINT8 *) ImageExeInfoEntry + sizeof (EFI_IMAGE_EXECUTION_ACTION) + sizeof (UINT32) + NameStringLen + DevicePathSize,
Signature,
SignatureSize
);
@@ -1149,53 +1088,6 @@ IsTimeZero ( }
/**
- Record multiple certificate list & verification state of a verified image to
- IMAGE_EXECUTION_TABLE.
-
- @param[in] CertBuf Certificate list buffer.
- @param[in] CertBufLength Certificate list buffer.
- @param[in] Action Certificate list action to be record.
- @param[in] ImageName Image name.
- @param[in] ImageDevicePath Image device path.
-
-**/
-VOID
-RecordCertListToImageExeuctionTable(
- IN UINT8 *CertBuf,
- IN UINTN CertBufLength,
- IN EFI_IMAGE_EXECUTION_ACTION Action,
- IN CHAR16 *ImageName OPTIONAL,
- IN CONST EFI_DEVICE_PATH_PROTOCOL *ImageDevicePath OPTIONAL
- )
-{
- UINT8 CertNumber;
- UINT8 *CertPtr;
- UINTN Index;
- UINT8 *Cert;
- UINTN CertSize;
- EFI_STATUS Status;
- EFI_SIGNATURE_LIST *SignatureList;
- UINTN SignatureListSize;
-
- CertNumber = (UINT8) (*CertBuf);
- CertPtr = CertBuf + 1;
- for (Index = 0; Index < CertNumber; Index++) {
- CertSize = (UINTN) ReadUnaligned32 ((UINT32 *)CertPtr);
- Cert = (UINT8 *)CertPtr + sizeof (UINT32);
-
- //
- // Record all cert in cert chain to be passed
- //
- Status = CreateSignatureList(Cert, CertSize, &gEfiCertX509Guid, &SignatureList, &SignatureListSize);
- if (!EFI_ERROR(Status)) {
- AddImageExeInfo (Action, ImageName, ImageDevicePath, SignatureList, SignatureListSize);
- FreePool (SignatureList);
- }
- }
-}
-
-
-/**
Check whether the timestamp signature is valid and the signing time is also earlier than
the revocation time.
@@ -1305,11 +1197,8 @@ Done: Check whether the image signature is forbidden by the forbidden database (dbx).
The image is forbidden to load if any certificates for signing are revoked before signing time.
- @param[in] AuthData Pointer to the Authenticode signature retrieved from the signed image.
- @param[in] AuthDataSize Size of the Authenticode signature in bytes.
- @param[in] IsAuditMode Whether system Secure Boot Mode is in AuditMode.
- @param[in] ImageName Name of the image to verify.
- @param[in] ImageDevicePath DevicePath of the image to verify.
+ @param[in] AuthData Pointer to the Authenticode signature retrieved from the signed image.
+ @param[in] AuthDataSize Size of the Authenticode signature in bytes.
@retval TRUE Image is forbidden by dbx.
@retval FALSE Image is not forbidden by dbx.
@@ -1317,11 +1206,8 @@ Done: **/
BOOLEAN
IsForbiddenByDbx (
- IN UINT8 *AuthData,
- IN UINTN AuthDataSize,
- IN BOOLEAN IsAuditMode,
- IN CHAR16 *ImageName OPTIONAL,
- IN CONST EFI_DEVICE_PATH_PROTOCOL *ImageDevicePath OPTIONAL
+ IN UINT8 *AuthData,
+ IN UINTN AuthDataSize
)
{
EFI_STATUS Status;
@@ -1344,10 +1230,7 @@ IsForbiddenByDbx ( UINT8 *Cert;
UINTN CertSize;
EFI_TIME RevocationTime;
- UINT8 *SignerCert;
- UINTN SignerCertLength;
- UINT8 *UnchainCert;
- UINTN UnchainCertLength;
+
//
// Variable Initialization
//
@@ -1362,10 +1245,6 @@ IsForbiddenByDbx ( BufferLength = 0;
TrustedCert = NULL;
TrustedCertLength = 0;
- SignerCert = NULL;
- SignerCertLength = 0;
- UnchainCert = NULL;
- UnchainCertLength = 0;
//
// The image will not be forbidden if dbx can't be got.
@@ -1473,54 +1352,21 @@ IsForbiddenByDbx ( }
Done:
- if (IsForbidden && IsAuditMode) {
- Pkcs7GetCertificatesList(AuthData, AuthDataSize, &SignerCert, &SignerCertLength, &UnchainCert, &UnchainCertLength);
-
- //
- // Record all certs in image to be failed
- //
- if ((SignerCertLength != 0) && (SignerCert != NULL)) {
- RecordCertListToImageExeuctionTable(
- SignerCert,
- SignerCertLength,
- EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED | EFI_IMAGE_EXECUTION_INITIALIZED,
- ImageName,
- ImageDevicePath
- );
- }
-
- if ((UnchainCertLength != 0) && (UnchainCert != NULL)) {
- RecordCertListToImageExeuctionTable(
- UnchainCert,
- UnchainCertLength,
- EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED | EFI_IMAGE_EXECUTION_INITIALIZED,
- ImageName,
- ImageDevicePath
- );
- }
- }
-
if (Data != NULL) {
FreePool (Data);
}
Pkcs7FreeSigners (CertBuffer);
Pkcs7FreeSigners (TrustedCert);
- Pkcs7FreeSigners (SignerCert);
- Pkcs7FreeSigners (UnchainCert);
return IsForbidden;
}
-
/**
Check whether the image signature can be verified by the trusted certificates in DB database.
- @param[in] AuthData Pointer to the Authenticode signature retrieved from signed image.
- @param[in] AuthDataSize Size of the Authenticode signature in bytes.
- @param[in] IsAuditMode Whether system Secure Boot Mode is in AuditMode.
- @param[in] ImageName Name of the image to verify.
- @param[in] ImageDevicePath DevicePath of the image to verify.
+ @param[in] AuthData Pointer to the Authenticode signature retrieved from signed image.
+ @param[in] AuthDataSize Size of the Authenticode signature in bytes.
@retval TRUE Image passed verification using certificate in db.
@retval FALSE Image didn't pass verification using certificate in db.
@@ -1528,17 +1374,14 @@ Done: **/
BOOLEAN
IsAllowedByDb (
- IN UINT8 *AuthData,
- IN UINTN AuthDataSize,
- IN BOOLEAN IsAuditMode,
- IN CHAR16 *ImageName OPTIONAL,
- IN CONST EFI_DEVICE_PATH_PROTOCOL *ImageDevicePath OPTIONAL
+ IN UINT8 *AuthData,
+ IN UINTN AuthDataSize
)
{
EFI_STATUS Status;
BOOLEAN VerifyStatus;
EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_DATA *CertData;
+ EFI_SIGNATURE_DATA *Cert;
UINTN DataSize;
UINT8 *Data;
UINT8 *RootCert;
@@ -1548,22 +1391,14 @@ IsAllowedByDb ( UINTN DbxDataSize;
UINT8 *DbxData;
EFI_TIME RevocationTime;
- UINT8 *SignerCert;
- UINTN SignerCertLength;
- UINT8 *UnchainCert;
- UINTN UnchainCertLength;
- Data = NULL;
- CertList = NULL;
- CertData = NULL;
- RootCert = NULL;
- DbxData = NULL;
- RootCertSize = 0;
- VerifyStatus = FALSE;
- SignerCert = NULL;
- SignerCertLength = 0;
- UnchainCert = NULL;
- UnchainCertLength = 0;
+ Data = NULL;
+ CertList = NULL;
+ Cert = NULL;
+ RootCert = NULL;
+ DbxData = NULL;
+ RootCertSize = 0;
+ VerifyStatus = FALSE;
DataSize = 0;
Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);
@@ -1584,14 +1419,14 @@ IsAllowedByDb ( CertList = (EFI_SIGNATURE_LIST *) Data;
while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) {
if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
- CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
+ Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
+ CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
for (Index = 0; Index < CertCount; Index++) {
//
// Iterate each Signature Data Node within this CertList for verify.
//
- RootCert = CertData->SignatureData;
+ RootCert = Cert->SignatureData;
RootCertSize = CertList->SignatureSize - sizeof (EFI_GUID);
//
@@ -1633,7 +1468,7 @@ IsAllowedByDb ( goto Done;
}
- CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertData + CertList->SignatureSize);
+ Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
}
}
@@ -1643,67 +1478,10 @@ IsAllowedByDb ( }
Done:
-
if (VerifyStatus) {
- SecureBootHook (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, CertData);
- }
-
- if (IsAuditMode) {
-
- Pkcs7GetCertificatesList(AuthData, AuthDataSize, &SignerCert, &SignerCertLength, &UnchainCert, &UnchainCertLength);
- if (VerifyStatus) {
- if ((SignerCertLength != 0) && (SignerCert != NULL)) {
- //
- // Record all cert in signer's cert chain to be passed
- //
- RecordCertListToImageExeuctionTable(
- SignerCert,
- SignerCertLength,
- EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED | EFI_IMAGE_EXECUTION_INITIALIZED,
- ImageName,
- ImageDevicePath
- );
- }
-
- if ((UnchainCertLength != 0) && (UnchainCert != NULL)) {
- //
- // Record all certs in unchained certificates lists to be failed
- //
- RecordCertListToImageExeuctionTable(
- UnchainCert,
- UnchainCertLength,
- EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED | EFI_IMAGE_EXECUTION_INITIALIZED,
- ImageName,
- ImageDevicePath
- );
- }
- } else {
- //
- // Record all certs in image to be failed
- //
- if ((SignerCertLength != 0) && (SignerCert != NULL)) {
- RecordCertListToImageExeuctionTable(
- SignerCert,
- SignerCertLength,
- EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED | EFI_IMAGE_EXECUTION_INITIALIZED,
- ImageName,
- ImageDevicePath
- );
- }
-
- if ((UnchainCertLength != 0) && (UnchainCert != NULL)) {
- RecordCertListToImageExeuctionTable(
- UnchainCert,
- UnchainCertLength,
- EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED | EFI_IMAGE_EXECUTION_INITIALIZED,
- ImageName,
- ImageDevicePath
- );
- }
- }
+ SecureBootHook (EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert);
}
-
if (Data != NULL) {
FreePool (Data);
}
@@ -1711,370 +1489,10 @@ Done: FreePool (DbxData);
}
- Pkcs7FreeSigners (SignerCert);
- Pkcs7FreeSigners (UnchainCert);
-
return VerifyStatus;
}
/**
- Provide verification service for signed images in AuditMode, which include both signature validation
- and platform policy control. For signature types, both UEFI WIN_CERTIFICATE_UEFI_GUID and
- MSFT Authenticode type signatures are supported.
-
- In this implementation, only verify external executables when in AuditMode.
- Executables from FV is bypass, so pass in AuthenticationStatus is ignored. Other authentication status
- are record into IMAGE_EXECUTION_TABLE.
-
- The image verification policy is:
- If the image is signed,
- At least one valid signature or at least one hash value of the image must match a record
- in the security database "db", and no valid signature nor any hash value of the image may
- be reflected in the security database "dbx".
- Otherwise, the image is not signed,
- The SHA256 hash value of the image must match a record in the security database "db", and
- not be reflected in the security data base "dbx".
-
- Caution: This function may receive untrusted input.
- PE/COFF image is external input, so this function will validate its data structure
- within this image buffer before use.
-
- @param[in] AuthenticationStatus
- This is the authentication status returned from the security
- measurement services for the input file.
- @param[in] File This is a pointer to the device path of the file that is
- being dispatched. This will optionally be used for logging.
- @param[in] FileBuffer File buffer matches the input file device path.
- @param[in] FileSize Size of File buffer matches the input file device path.
- @param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.
-
- @retval EFI_SUCCESS The authenticate info is sucessfully stored for the file
- specified by DevicePath and non-NULL FileBuffer
- @retval EFI_ACCESS_DENIED The file specified by File and FileBuffer did not
- authenticate, and the platform policy dictates that the DXE
- Foundation many not use File.
-
-**/
-EFI_STATUS
-EFIAPI
-ImageVerificationInAuditMode (
- IN UINT32 AuthenticationStatus,
- IN CONST EFI_DEVICE_PATH_PROTOCOL *File,
- IN VOID *FileBuffer,
- IN UINTN FileSize,
- IN BOOLEAN BootPolicy
- )
-{
- EFI_STATUS Status;
- UINT16 Magic;
- EFI_IMAGE_DOS_HEADER *DosHdr;
- EFI_SIGNATURE_LIST *SignatureList;
- EFI_IMAGE_EXECUTION_ACTION Action;
- WIN_CERTIFICATE *WinCertificate;
- UINT32 Policy;
- PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
- UINT32 NumberOfRvaAndSizes;
- WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;
- WIN_CERTIFICATE_UEFI_GUID *WinCertUefiGuid;
- UINT8 *AuthData;
- UINTN AuthDataSize;
- EFI_IMAGE_DATA_DIRECTORY *SecDataDir;
- UINT32 OffSet;
- CHAR16 *FilePathStr;
- UINTN SignatureListSize;
-
- SignatureList = NULL;
- WinCertificate = NULL;
- SecDataDir = NULL;
- PkcsCertData = NULL;
- FilePathStr = NULL;
- Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED | EFI_IMAGE_EXECUTION_INITIALIZED;
- Status = EFI_ACCESS_DENIED;
-
-
- //
- // Check the image type and get policy setting.
- //
- switch (GetImageType (File)) {
-
- case IMAGE_FROM_FV:
- Policy = ALWAYS_EXECUTE;
- break;
-
- case IMAGE_FROM_OPTION_ROM:
- Policy = PcdGet32 (PcdOptionRomImageVerificationPolicy);
- break;
-
- case IMAGE_FROM_REMOVABLE_MEDIA:
- Policy = PcdGet32 (PcdRemovableMediaImageVerificationPolicy);
- break;
-
- case IMAGE_FROM_FIXED_MEDIA:
- Policy = PcdGet32 (PcdFixedMediaImageVerificationPolicy);
- break;
-
- default:
- Policy = DENY_EXECUTE_ON_SECURITY_VIOLATION;
- break;
- }
-
- //
- // If policy is always/never execute, return directly.
- //
- if (Policy == ALWAYS_EXECUTE) {
- return EFI_SUCCESS;
- }
-
- //
- // Get Image Device Path Str
- //
- FilePathStr = ConvertDevicePathToText (File, FALSE, TRUE);
-
- //
- // Authentication failed because of (unspecified) firmware security policy
- //
- if (Policy == NEVER_EXECUTE) {
- //
- // No signature, record FilePath/FilePathStr only
- //
- AddImageExeInfo (EFI_IMAGE_EXECUTION_POLICY_FAILED | EFI_IMAGE_EXECUTION_INITIALIZED, FilePathStr, File, NULL, 0);
- goto END;
- }
-
- //
- // The policy QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION
- // violates the UEFI spec and has been removed.
- //
- ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION && Policy != ALLOW_EXECUTE_ON_SECURITY_VIOLATION);
- if (Policy == QUERY_USER_ON_SECURITY_VIOLATION || Policy == ALLOW_EXECUTE_ON_SECURITY_VIOLATION) {
- CpuDeadLoop ();
- }
-
- //
- // Read the Dos header.
- //
- if (FileBuffer == NULL) {
- Status = EFI_INVALID_PARAMETER;
- goto END;
- }
-
- mImageBase = (UINT8 *) FileBuffer;
- mImageSize = FileSize;
-
- ZeroMem (&ImageContext, sizeof (ImageContext));
- ImageContext.Handle = (VOID *) FileBuffer;
- ImageContext.ImageRead = (PE_COFF_LOADER_READ_FILE) DxeImageVerificationLibImageRead;
-
- //
- // Get information about the image being loaded
- //
- Status = PeCoffLoaderGetImageInfo (&ImageContext);
- if (EFI_ERROR (Status)) {
- //
- // The information can't be got from the invalid PeImage
- //
- goto END;
- }
-
-
- DosHdr = (EFI_IMAGE_DOS_HEADER *) mImageBase;
- if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) {
- //
- // DOS image header is present,
- // so read the PE header after the DOS image header.
- //
- mPeCoffHeaderOffset = DosHdr->e_lfanew;
- } else {
- mPeCoffHeaderOffset = 0;
- }
-
- //
- // Check PE/COFF image.
- //
- mNtHeader.Pe32 = (EFI_IMAGE_NT_HEADERS32 *) (mImageBase + mPeCoffHeaderOffset);
- if (mNtHeader.Pe32->Signature != EFI_IMAGE_NT_SIGNATURE) {
- //
- // It is not a valid Pe/Coff file.
- //
- Status = EFI_ACCESS_DENIED;
- goto END;
- }
-
- if (mNtHeader.Pe32->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 && mNtHeader.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // NOTE: Some versions of Linux ELILO for Itanium have an incorrect magic value
- // in the PE/COFF Header. If the MachineType is Itanium(IA64) and the
- // Magic value in the OptionalHeader is EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC
- // then override the magic value to EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC
- //
- Magic = EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC;
- } else {
- //
- // Get the magic value from the PE/COFF Optional Header
- //
- Magic = mNtHeader.Pe32->OptionalHeader.Magic;
- }
-
- if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // Use PE32 offset.
- //
- NumberOfRvaAndSizes = mNtHeader.Pe32->OptionalHeader.NumberOfRvaAndSizes;
- if (NumberOfRvaAndSizes > EFI_IMAGE_DIRECTORY_ENTRY_SECURITY) {
- SecDataDir = (EFI_IMAGE_DATA_DIRECTORY *) &mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
- }
- } else {
- //
- // Use PE32+ offset.
- //
- NumberOfRvaAndSizes = mNtHeader.Pe32Plus->OptionalHeader.NumberOfRvaAndSizes;
- if (NumberOfRvaAndSizes > EFI_IMAGE_DIRECTORY_ENTRY_SECURITY) {
- SecDataDir = (EFI_IMAGE_DATA_DIRECTORY *) &mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
- }
- }
-
- //
- // Start Image Validation.
- //
- if (SecDataDir == NULL || SecDataDir->Size == 0) {
- //
- // This image is not signed. The SHA256 hash value of the image must match a record in the security database "db",
- // and not be reflected in the security data base "dbx".
- //
- if (!HashPeImage (HASHALG_SHA256)) {
- Status = EFI_ACCESS_DENIED;
- goto END;
- }
-
- //
- // Image Hash is in forbidden database (DBX).
- //
- if (!IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {
- //
- // Image Hash is in allowed database (DB).
- //
- if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {
- Action = EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED | EFI_IMAGE_EXECUTION_INITIALIZED;
- }
- }
-
- //
- // Add HASH digest for image without signature
- //
- Status = CreateSignatureList(mImageDigest, mImageDigestSize, &mCertType, &SignatureList, &SignatureListSize);
- if (!EFI_ERROR(Status)) {
- AddImageExeInfo (Action, FilePathStr, File, SignatureList, SignatureListSize);
- FreePool (SignatureList);
- }
- goto END;
- }
-
- //
- // Verify the signature of the image, multiple signatures are allowed as per PE/COFF Section 4.7
- // "Attribute Certificate Table".
- // The first certificate starts at offset (SecDataDir->VirtualAddress) from the start of the file.
- //
- for (OffSet = SecDataDir->VirtualAddress;
- OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
- OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) {
- WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
- if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof (WIN_CERTIFICATE) ||
- (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate->dwLength) {
- break;
- }
-
- //
- // Verify the image's Authenticode signature, only DER-encoded PKCS#7 signed data is supported.
- //
- if (WinCertificate->wCertificateType == WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
- //
- // The certificate is formatted as WIN_CERTIFICATE_EFI_PKCS which is described in the
- // Authenticode specification.
- //
- PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *) WinCertificate;
- if (PkcsCertData->Hdr.dwLength <= sizeof (PkcsCertData->Hdr)) {
- break;
- }
- AuthData = PkcsCertData->CertData;
- AuthDataSize = PkcsCertData->Hdr.dwLength - sizeof(PkcsCertData->Hdr);
- } else if (WinCertificate->wCertificateType == WIN_CERT_TYPE_EFI_GUID) {
- //
- // The certificate is formatted as WIN_CERTIFICATE_UEFI_GUID which is described in UEFI Spec.
- //
- WinCertUefiGuid = (WIN_CERTIFICATE_UEFI_GUID *) WinCertificate;
- if (WinCertUefiGuid->Hdr.dwLength <= OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData)) {
- break;
- }
- if (!CompareGuid (&WinCertUefiGuid->CertType, &gEfiCertPkcs7Guid)) {
- continue;
- }
- AuthData = WinCertUefiGuid->CertData;
- AuthDataSize = WinCertUefiGuid->Hdr.dwLength - OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData);
- } else {
- if (WinCertificate->dwLength < sizeof (WIN_CERTIFICATE)) {
- break;
- }
- continue;
- }
-
- Status = HashPeImageByType (AuthData, AuthDataSize);
- if (EFI_ERROR (Status)) {
- continue;
- }
-
- Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED | EFI_IMAGE_EXECUTION_INITIALIZED;
-
- //
- // Check the digital signature against the revoked certificate in forbidden database (dbx).
- // Check the digital signature against the valid certificate in allowed database (db).
- //
- if (!IsForbiddenByDbx (AuthData, AuthDataSize, TRUE, FilePathStr, File)) {
- IsAllowedByDb (AuthData, AuthDataSize, TRUE, FilePathStr, File);
- }
-
- //
- // Check the image's hash value.
- //
- if (!IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {
- if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {
- Action = EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED | EFI_IMAGE_EXECUTION_INITIALIZED;
- }
- }
-
- //
- // Add HASH digest for image with signature
- //
- Status = CreateSignatureList(mImageDigest, mImageDigestSize, &mCertType, &SignatureList, &SignatureListSize);
-
- if (!EFI_ERROR(Status)) {
- AddImageExeInfo (Action, FilePathStr, File, SignatureList, SignatureListSize);
- FreePool (SignatureList);
- } else {
- goto END;
- }
- }
-
-
- if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size)) {
- //
- // The Size in Certificate Table or the attribute certicate table is corrupted.
- //
- Status = EFI_ACCESS_DENIED;
- } else {
- Status = EFI_SUCCESS;
- }
-
-END:
-
- if (FilePathStr != NULL) {
- FreePool(FilePathStr);
- FilePathStr = NULL;
- }
-
- return Status;
-}
-
-/**
Provide verification service for signed images, which include both signature validation
and platform policy control. For signature types, both UEFI WIN_CERTIFICATE_UEFI_GUID and
MSFT Authenticode type signatures are supported.
@@ -2141,9 +1559,7 @@ DxeImageVerificationHandler ( EFI_IMAGE_EXECUTION_ACTION Action;
WIN_CERTIFICATE *WinCertificate;
UINT32 Policy;
- UINT8 *VarData;
- UINT8 SecureBoot;
- UINT8 AuditMode;
+ UINT8 *SecureBoot;
PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
UINT32 NumberOfRvaAndSizes;
WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;
@@ -2163,20 +1579,6 @@ DxeImageVerificationHandler ( Status = EFI_ACCESS_DENIED;
VerifyStatus = EFI_ACCESS_DENIED;
- GetEfiGlobalVariable2 (EFI_AUDIT_MODE_NAME, (VOID**)&VarData, NULL);
- //
- // Skip verification if AuditMode variable doesn't exist. AuditMode should always exist
- //
- if (VarData == NULL) {
- return EFI_SUCCESS;
- }
- AuditMode = *VarData;
- FreePool(VarData);
-
- if (AuditMode == AUDIT_MODE_ENABLE) {
- return ImageVerificationInAuditMode(AuthenticationStatus, File, FileBuffer, FileSize, BootPolicy);
- }
-
//
// Check the image type and get policy setting.
//
@@ -2220,22 +1622,22 @@ DxeImageVerificationHandler ( CpuDeadLoop ();
}
- GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&VarData, NULL);
+ GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
//
// Skip verification if SecureBoot variable doesn't exist.
//
- if (VarData == NULL) {
+ if (SecureBoot == NULL) {
return EFI_SUCCESS;
}
- SecureBoot = *VarData;
- FreePool(VarData);
//
- // Skip verification if SecureBoot is disabled but not AuditMode
+ // Skip verification if SecureBoot is disabled.
//
- if (SecureBoot == SECURE_BOOT_MODE_DISABLE) {
+ if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
+ FreePool (SecureBoot);
return EFI_SUCCESS;
}
+ FreePool (SecureBoot);
//
// Read the Dos header.
@@ -2406,7 +1808,7 @@ DxeImageVerificationHandler ( //
// Check the digital signature against the revoked certificate in forbidden database (dbx).
//
- if (IsForbiddenByDbx (AuthData, AuthDataSize, FALSE, NULL, NULL)) {
+ if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
VerifyStatus = EFI_ACCESS_DENIED;
break;
@@ -2416,7 +1818,7 @@ DxeImageVerificationHandler ( // Check the digital signature against the valid certificate in allowed database (db).
//
if (EFI_ERROR (VerifyStatus)) {
- if (IsAllowedByDb (AuthData, AuthDataSize, FALSE, NULL, NULL)) {
+ if (IsAllowedByDb (AuthData, AuthDataSize)) {
VerifyStatus = EFI_SUCCESS;
}
}
|