From d7d2d0d9676bf9458e90c18e2fc5e1eedaf3e381 Mon Sep 17 00:00:00 2001 From: "Zhang, Chao B" Date: Wed, 13 Apr 2016 16:25:50 +0800 Subject: SecuritPkg: DxeImageVerificationLib: Fix wrong verification logic in DBX & DBT In image verification, if image verified pass in DBT, still need to verify if it is blocked by any other cert/cert hash from DBX. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang Reviewed-by: Long Qin Reviewed-by: Dick Wilkins (cherry picked from commit 91422384d5915a6f14523b3cec557d730c940c6a) --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'SecurityPkg/Library') diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 5cb9f8144e..26cefda2c3 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -12,7 +12,7 @@ DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept untrusted PE/COFF image and validate its data structure within this image buffer before use. -Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.
+Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -1336,6 +1336,10 @@ IsForbiddenByDbx ( for (Index = 0; Index < CertNumber; Index++) { CertSize = (UINTN) ReadUnaligned32 ((UINT32 *)CertPtr); Cert = (UINT8 *)CertPtr + sizeof (UINT32); + // + // Advance CertPtr to the next cert in image signer's cert list + // + CertPtr = CertPtr + sizeof (UINT32) + CertSize; if (IsCertHashFoundInDatabase (Cert, CertSize, (EFI_SIGNATURE_LIST *)Data, DataSize, &RevocationTime)) { // @@ -1344,11 +1348,14 @@ IsForbiddenByDbx ( IsForbidden = TRUE; if (PassTimestampCheck (AuthData, AuthDataSize, &RevocationTime)) { IsForbidden = FALSE; + // + // Pass DBT check. Continue to check other certs in image signer's cert list against DBX, DBT + // + continue; } goto Done; } - CertPtr = CertPtr + sizeof (UINT32) + CertSize; } Done: -- cgit v1.2.3