]>
Commit | Line | Data |
---|---|---|
a6d73269 | 1 | /** @file\r |
b0bacc00 KM |
2 | Detects if PcdFmpDevicePkcs7CertBufferXdr contains a test key.\r |
3 | \r | |
e0961677 | 4 | Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>\r |
b0bacc00 | 5 | \r |
bcef758c | 6 | SPDX-License-Identifier: BSD-2-Clause-Patent\r |
b0bacc00 KM |
7 | \r |
8 | **/\r | |
9 | \r | |
e0961677 | 10 | #include "FmpDxe.h"\r |
b0bacc00 KM |
11 | \r |
12 | /**\r | |
13 | Check to see if any of the keys in PcdFmpDevicePkcs7CertBufferXdr matches\r | |
14 | the test key. PcdFmpDeviceTestKeySha256Digest contains the SHA256 hash of\r | |
15 | the test key. For each key in PcdFmpDevicePkcs7CertBufferXdr, compute the\r | |
16 | SHA256 hash and compare it to PcdFmpDeviceTestKeySha256Digest. If the\r | |
17 | SHA256 hash matches or there is then error computing the SHA256 hash, then\r | |
18 | set PcdTestKeyUsed to TRUE. Skip this check if PcdTestKeyUsed is already\r | |
19 | TRUE or PcdFmpDeviceTestKeySha256Digest is not exactly SHA256_DIGEST_SIZE\r | |
20 | bytes.\r | |
21 | **/\r | |
22 | VOID\r | |
23 | DetectTestKey (\r | |
24 | VOID\r | |
25 | )\r | |
26 | {\r | |
27 | BOOLEAN TestKeyUsed;\r | |
28 | UINTN PublicKeyDataLength;\r | |
29 | UINT8 *PublicKeyDataXdr;\r | |
30 | UINT8 *PublicKeyDataXdrEnd;\r | |
31 | VOID *HashContext;\r | |
32 | UINT8 Digest[SHA256_DIGEST_SIZE];\r | |
d7fb5a46 | 33 | UINTN TestKeyDigestSize;\r |
b0bacc00 KM |
34 | \r |
35 | //\r | |
e0961677 | 36 | // If PcdFmpDeviceTestKeySha256Digest is not exactly SHA256_DIGEST_SIZE bytes,\r |
b0bacc00 KM |
37 | // then skip the test key detection.\r |
38 | //\r | |
d7fb5a46 SZ |
39 | TestKeyDigestSize = PcdGetSize (PcdFmpDeviceTestKeySha256Digest);\r |
40 | if (TestKeyDigestSize != SHA256_DIGEST_SIZE) {\r | |
b0bacc00 KM |
41 | return;\r |
42 | }\r | |
43 | \r | |
44 | //\r | |
45 | // If PcdTestKeyUsed is already TRUE, then skip test key detection\r | |
46 | //\r | |
47 | TestKeyUsed = PcdGetBool (PcdTestKeyUsed);\r | |
48 | if (TestKeyUsed) {\r | |
49 | return;\r | |
50 | }\r | |
51 | \r | |
52 | //\r | |
53 | // If PcdFmpDevicePkcs7CertBufferXdr is invalid, then skip test key detection\r | |
54 | //\r | |
55 | PublicKeyDataXdr = PcdGetPtr (PcdFmpDevicePkcs7CertBufferXdr);\r | |
56 | PublicKeyDataXdrEnd = PublicKeyDataXdr + PcdGetSize (PcdFmpDevicePkcs7CertBufferXdr);\r | |
57 | if (PublicKeyDataXdr == NULL || PublicKeyDataXdr == PublicKeyDataXdrEnd) {\r | |
58 | return;\r | |
59 | }\r | |
60 | \r | |
61 | //\r | |
62 | // Allocate hash context buffer required for SHA 256\r | |
63 | //\r | |
64 | HashContext = AllocatePool (Sha256GetContextSize ());\r | |
65 | if (HashContext == NULL) {\r | |
66 | TestKeyUsed = TRUE;\r | |
67 | }\r | |
68 | \r | |
69 | //\r | |
70 | // Loop through all keys in PcdFmpDevicePkcs7CertBufferXdr\r | |
71 | //\r | |
72 | while (!TestKeyUsed && PublicKeyDataXdr < PublicKeyDataXdrEnd) {\r | |
73 | if (PublicKeyDataXdr + sizeof (UINT32) > PublicKeyDataXdrEnd) {\r | |
74 | //\r | |
75 | // Key data extends beyond end of PCD\r | |
76 | //\r | |
77 | break;\r | |
78 | }\r | |
79 | //\r | |
80 | // Read key length stored in big endian format\r | |
81 | //\r | |
82 | PublicKeyDataLength = SwapBytes32 (*(UINT32 *)(PublicKeyDataXdr));\r | |
83 | //\r | |
84 | // Point to the start of the key data\r | |
85 | //\r | |
86 | PublicKeyDataXdr += sizeof (UINT32);\r | |
87 | if (PublicKeyDataXdr + PublicKeyDataLength > PublicKeyDataXdrEnd) {\r | |
88 | //\r | |
89 | // Key data extends beyond end of PCD\r | |
90 | //\r | |
91 | break;\r | |
92 | }\r | |
93 | \r | |
94 | //\r | |
95 | // Hash public key from PcdFmpDevicePkcs7CertBufferXdr using SHA256.\r | |
96 | // If error occurs computing SHA256, then assume test key is in use.\r | |
97 | //\r | |
98 | ZeroMem (Digest, SHA256_DIGEST_SIZE);\r | |
99 | if (!Sha256Init (HashContext)) {\r | |
100 | TestKeyUsed = TRUE;\r | |
101 | break;\r | |
102 | }\r | |
103 | if (!Sha256Update (HashContext, PublicKeyDataXdr, PublicKeyDataLength)) {\r | |
104 | TestKeyUsed = TRUE;\r | |
105 | break;\r | |
106 | }\r | |
107 | if (!Sha256Final (HashContext, Digest)) {\r | |
108 | TestKeyUsed = TRUE;\r | |
109 | break;\r | |
110 | }\r | |
111 | \r | |
112 | //\r | |
113 | // Check if SHA256 hash of public key matches SHA256 hash of test key\r | |
114 | //\r | |
115 | if (CompareMem (Digest, PcdGetPtr (PcdFmpDeviceTestKeySha256Digest), SHA256_DIGEST_SIZE) == 0) {\r | |
116 | TestKeyUsed = TRUE;\r | |
117 | break;\r | |
118 | }\r | |
119 | \r | |
120 | //\r | |
121 | // Point to start of next key\r | |
122 | //\r | |
123 | PublicKeyDataXdr += PublicKeyDataLength;\r | |
124 | PublicKeyDataXdr = (UINT8 *)ALIGN_POINTER (PublicKeyDataXdr, sizeof (UINT32));\r | |
125 | }\r | |
126 | \r | |
127 | //\r | |
128 | // Free hash context buffer required for SHA 256\r | |
129 | //\r | |
130 | if (HashContext != NULL) {\r | |
131 | FreePool (HashContext);\r | |
132 | HashContext = NULL;\r | |
133 | }\r | |
134 | \r | |
135 | //\r | |
43622317 | 136 | // If test key detected or an error occurred checking for the test key, then\r |
b0bacc00 KM |
137 | // set PcdTestKeyUsed to TRUE.\r |
138 | //\r | |
139 | if (TestKeyUsed) {\r | |
e0961677 | 140 | DEBUG ((DEBUG_INFO, "FmpDxe(%s): Test key detected in PcdFmpDevicePkcs7CertBufferXdr.\n", mImageIdName));\r |
b0bacc00 KM |
141 | PcdSetBoolS (PcdTestKeyUsed, TRUE);\r |
142 | } else {\r | |
e0961677 | 143 | DEBUG ((DEBUG_INFO, "FmpDxe(%s): No test key detected in PcdFmpDevicePkcs7CertBufferXdr.\n", mImageIdName));\r |
b0bacc00 KM |
144 | }\r |
145 | }\r |