diff options
author | sfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524> | 2012-07-13 06:12:58 +0000 |
---|---|---|
committer | sfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524> | 2012-07-13 06:12:58 +0000 |
commit | 785d84ead0d7bdba8214f445612eff6d169dea14 (patch) | |
tree | 3d94e90173626ef0dc06a763c6f653930fbbd561 /SecurityPkg | |
parent | 2445a70e62e5dd9678bfd29bed15e22343871803 (diff) | |
download | edk2-platforms-785d84ead0d7bdba8214f445612eff6d169dea14.tar.xz |
Verify the provided PKpub is signed with its private key when enrolling a new PK variable in setup mode.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13531 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'SecurityPkg')
-rw-r--r-- | SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c | 105 | ||||
-rw-r--r-- | SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h | 3 |
2 files changed, 65 insertions, 43 deletions
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c index d1aeab8bfc..566d398567 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c @@ -918,36 +918,13 @@ ProcessVarWithPk ( return EFI_INVALID_PARAMETER;
}
- if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {
- //
- // Verify against X509 Cert PK.
- //
- Del = FALSE;
- Status = VerifyTimeBasedPayload (
- VariableName,
- VendorGuid,
- Data,
- DataSize,
- Variable,
- Attributes,
- AuthVarTypePk,
- &Del
- );
- if (!EFI_ERROR (Status)) {
- //
- // If delete PK in user mode, need change to setup mode.
- //
- if (Del && IsPk) {
- Status = UpdatePlatformMode (SETUP_MODE);
- }
- }
- return Status;
- } else {
- //
- // Process PK or KEK in Setup mode or Custom Secure Boot mode.
- //
+ Del = FALSE;
+ if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE && !IsPk)) {
Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
+ if (PayloadSize == 0) {
+ Del = TRUE;
+ }
Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload, PayloadSize);
if (EFI_ERROR (Status)) {
@@ -965,20 +942,48 @@ ProcessVarWithPk ( Variable,
&((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
);
+ } else if (mPlatformMode == USER_MODE) {
+ //
+ // Verify against X509 Cert in PK database.
+ //
+ Status = VerifyTimeBasedPayload (
+ VariableName,
+ VendorGuid,
+ Data,
+ DataSize,
+ Variable,
+ Attributes,
+ AuthVarTypePk,
+ &Del
+ );
+ } else {
+ //
+ // Verify against the certificate in data payload.
+ //
+ Status = VerifyTimeBasedPayload (
+ VariableName,
+ VendorGuid,
+ Data,
+ DataSize,
+ Variable,
+ Attributes,
+ AuthVarTypePayload,
+ &Del
+ );
+ }
- if (IsPk) {
- if (PayloadSize != 0) {
- //
- // If enroll PK in setup mode, need change to user mode.
- //
- Status = UpdatePlatformMode (USER_MODE);
- } else {
- //
- // If delete PK in custom mode, need change to setup mode.
- //
- UpdatePlatformMode (SETUP_MODE);
- }
- }
+ if (!EFI_ERROR(Status) && IsPk) {
+ if (mPlatformMode == SETUP_MODE && !Del) {
+ //
+ // If enroll PK in setup mode, need change to user mode.
+ //
+ Status = UpdatePlatformMode (USER_MODE);
+ } else if (mPlatformMode == USER_MODE && Del){
+ //
+ // If delete PK in user mode, need change to setup mode.
+ //
+ Status = UpdatePlatformMode (SETUP_MODE);
+ }
}
return Status;
@@ -1859,7 +1864,7 @@ InsertCertsToDb ( data, this value contains the required size.
@param[in] Variable The variable information which is used to keep track of variable usage.
@param[in] Attributes Attribute value of the variable.
- @param[in] AuthVarType Verify against PK or KEK database or private database.
+ @param[in] AuthVarType Verify against PK, KEK database, private database or certificate in data payload.
@param[out] VarDel Delete the variable or not.
@retval EFI_INVALID_PARAMETER Invalid parameter.
@@ -2152,6 +2157,22 @@ VerifyTimeBasedPayload ( goto Exit;
}
}
+ } else if (AuthVarType == AuthVarTypePayload) {
+ CertList = (EFI_SIGNATURE_LIST *) PayloadPtr;
+ Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
+ RootCert = Cert->SignatureData;
+ RootCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);
+
+ // Verify Pkcs7 SignedData via Pkcs7Verify library.
+ //
+ VerifyStatus = Pkcs7Verify (
+ SigData,
+ SigDataSize,
+ RootCert,
+ RootCertSize,
+ NewData,
+ NewDataSize
+ );
} else {
return EFI_SECURITY_VIOLATION;
}
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h index 7eb2a9d23c..e7a9a1f556 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h @@ -59,7 +59,8 @@ typedef struct { typedef enum {
AuthVarTypePk,
AuthVarTypeKek,
- AuthVarTypePriv
+ AuthVarTypePriv,
+ AuthVarTypePayload
} AUTHVAR_TYPE;
#pragma pack(1)
|