summaryrefslogtreecommitdiff
path: root/SecurityPkg
diff options
context:
space:
mode:
authorFu Siyuan <siyuan.fu@intel.com>2013-09-12 05:26:15 +0000
committersfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524>2013-09-12 05:26:15 +0000
commit74b5fd7a112746e9166ff204db4331f0eeb2ba4c (patch)
tree126cc790833ee8572eaf7a6a15971a9751baee85 /SecurityPkg
parenta555940b2d4cb525d8c2bfcf16fbaab89157556f (diff)
downloadedk2-platforms-74b5fd7a112746e9166ff204db4331f0eeb2ba4c.tar.xz
Update the chaining requirements with regards to the Platform Key.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Dong Guo <guo.dong@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14661 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'SecurityPkg')
-rw-r--r--SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c33
1 files changed, 26 insertions, 7 deletions
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 909de960b7..1f930e8a11 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -2195,7 +2195,24 @@ VerifyTimeBasedPayload (
if (AuthVarType == AuthVarTypePk) {
//
- // Get platform key from variable.
+ // Verify that the signature has been made with the current Platform Key (no chaining for PK).
+ // First, get signer's certificates from SignedData.
+ //
+ VerifyStatus = Pkcs7GetSigners (
+ SigData,
+ SigDataSize,
+ &SignerCerts,
+ &CertStackSize,
+ &RootCert,
+ &RootCertSize
+ );
+ if (!VerifyStatus) {
+ goto Exit;
+ }
+
+ //
+ // Second, get the current platform key from variable. Check whether it's identical with signer's certificates
+ // in SignedData. If not, return error immediately.
//
Status = FindVariable (
EFI_PLATFORM_KEY_NAME,
@@ -2205,14 +2222,16 @@ VerifyTimeBasedPayload (
FALSE
);
if (EFI_ERROR (Status)) {
- return Status;
+ VerifyStatus = FALSE;
+ goto Exit;
}
-
CertList = (EFI_SIGNATURE_LIST *) GetVariableDataPtr (PkVariable.CurrPtr);
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- RootCert = Cert->SignatureData;
- RootCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);
-
+ if ((RootCertSize != (CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1))) ||
+ (CompareMem (Cert->SignatureData, RootCert, RootCertSize) != 0)) {
+ VerifyStatus = FALSE;
+ goto Exit;
+ }
//
// Verify Pkcs7 SignedData via Pkcs7Verify library.
@@ -2368,7 +2387,7 @@ VerifyTimeBasedPayload (
Exit:
- if (AuthVarType == AuthVarTypePriv) {
+ if (AuthVarType == AuthVarTypePk || AuthVarType == AuthVarTypePriv) {
Pkcs7FreeSigners (RootCert);
Pkcs7FreeSigners (SignerCerts);
}