summaryrefslogtreecommitdiff
path: root/SecurityPkg/Library
diff options
context:
space:
mode:
authorZhang Lubo <lubo.zhang@intel.com>2017-01-05 14:58:05 +0800
committerJiaxin Wu <jiaxin.wu@intel.com>2017-02-20 10:09:53 +0800
commitc035e37335ae43229d7e68de74a65f2c01ebc0af (patch)
treeffdf5d04eae742a9f907149ffde82c2b8e0c74a2 /SecurityPkg/Library
parent80e63e846af4ac135da5faccead7450e956d6462 (diff)
downloadedk2-platforms-c035e37335ae43229d7e68de74a65f2c01ebc0af.tar.xz
SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable.
V3: code clean up prohibit Image SHA-1 hash option in SecureBootConfigDxe. Timebased Auth Variable driver should ensure AuthAlgorithm is SHA256 before further verification Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Zhang Lubo <lubo.zhang@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Cc: Long Qin <qin.long@intel.com> Cc: Yao Jiewen <jiewen.yao@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Long Qin <qin.long@intel.com>
Diffstat (limited to 'SecurityPkg/Library')
-rw-r--r--SecurityPkg/Library/AuthVariableLib/AuthService.c27
-rw-r--r--SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h4
2 files changed, 29 insertions, 2 deletions
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index b013d420f6..a37ec0bd0f 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -18,7 +18,7 @@
They will do basic validation for authentication data structure, then call crypto library
to verify the signature.
-Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -36,6 +36,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
//
CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
+CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
+
//
// Requirement for different signature type which have been defined in UEFI spec.
// These data are used to perform SignatureList format check while setting PK/KEK variable.
@@ -2245,6 +2247,29 @@ VerifyTimeBasedPayload (
SigDataSize = CertData->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
//
+ // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the
+ // signature. Only a digest algorithm of SHA-256 is accepted.
+ //
+ // According to PKCS#7 Definition:
+ // SignedData ::= SEQUENCE {
+ // version Version,
+ // digestAlgorithms DigestAlgorithmIdentifiers,
+ // contentInfo ContentInfo,
+ // .... }
+ // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm
+ // in VARIABLE_AUTHENTICATION_2 descriptor.
+ // This field has the fixed offset (+13) and be calculated based on two bytes of length encoding.
+ //
+ if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
+ if (SigDataSize >= (13 + sizeof (mSha256OidValue))) {
+ if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) ||
+ (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) {
+ return EFI_SECURITY_VIOLATION;
+ }
+ }
+ }
+
+ //
// Find out the new data payload which follows Pkcs7 SignedData directly.
//
PayloadPtr = SigData + SigDataSize;
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
index e7c4bf043d..e9b7cf3579 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
+++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
@@ -12,7 +12,7 @@
may not be modified without authorization. If platform fails to protect these resources,
the authentication service provided in this driver will be broken, and the behavior is undefined.
-Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -37,6 +37,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Guid/AuthenticatedVariableFormat.h>
#include <Guid/ImageAuthentication.h>
+#define TWO_BYTE_ENCODE 0x82
+
///
/// Struct to record signature requirement defined by UEFI spec.
/// For SigHeaderSize and SigDataSize, ((UINT32) ~0) means NO exact length requirement for this field.