1 | /** @file\r |
2 | FMP Authentication PKCS7 handler.\r | |
3 | Provide generic FMP authentication functions for DXE/PEI post memory phase.\r | |
4 | \r | |
5 | Caution: This module requires additional review when modified.\r | |
6 | This module will have external input - capsule image.\r | |
7 | This external input must be validated carefully to avoid security issue like\r | |
8 | buffer overflow, integer overflow.\r | |
9 | \r | |
10 | FmpAuthenticatedHandlerPkcs7(), AuthenticateFmpImage() will receive\r | |
11 | untrusted input and do basic validation.\r | |
12 | \r | |
ba47ae93 | 13 | Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r |
14 | This program and the accompanying materials\r |
15 | are licensed and made available under the terms and conditions of the BSD License\r | |
16 | which accompanies this distribution. The full text of the license may be found at\r | |
17 | http://opensource.org/licenses/bsd-license.php\r | |
18 | \r | |
19 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r | |
20 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
21 | \r | |
22 | **/\r | |
23 | \r | |
24 | #include <Uefi.h>\r | |
25 | \r | |
26 | #include <Guid/SystemResourceTable.h>\r | |
27 | #include <Guid/FirmwareContentsSigned.h>\r | |
28 | #include <Guid/WinCertificate.h>\r | |
29 | \r | |
30 | #include <Library/BaseLib.h>\r | |
31 | #include <Library/BaseMemoryLib.h>\r | |
32 | #include <Library/DebugLib.h>\r | |
33 | #include <Library/MemoryAllocationLib.h>\r | |
34 | #include <Library/BaseCryptLib.h>\r | |
35 | #include <Library/FmpAuthenticationLib.h>\r | |
36 | #include <Library/PcdLib.h>\r | |
37 | #include <Protocol/FirmwareManagement.h>\r | |
38 | #include <Guid/SystemResourceTable.h>\r | |
39 | \r | |
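/**
  The handler is used to do the authentication for FMP capsule based upon
  EFI_FIRMWARE_IMAGE_AUTHENTICATION.

  Caution: This function may receive untrusted input.

  The caller AuthenticateFmpImage() is expected to have validated the
  EFI_FIRMWARE_IMAGE_AUTHENTICATION header already. Because this function has
  external linkage, the size relations the pointer arithmetic below depends on
  are re-checked here, so that a direct caller cannot drive it out of bounds.

  What is verified: the PKCS7 SignedData carried in AuthInfo.CertData is
  checked by Pkcs7Verify(), with PublicKeyData passed as the trust anchor,
  over the concatenation (payload || MonotonicCount), where the payload is
  everything that follows AuthInfo in the image.

  What is NOT verified here: MonotonicCount is only included in the signed
  data; it is not compared against any stored value. Rollback protection, if
  required, is the caller's responsibility.

  @param[in]  Image                   Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.
  @param[in]  ImageSize               Size of the authentication image in bytes.
  @param[in]  PublicKeyData           The public key data used to validate the signature.
  @param[in]  PublicKeyDataLength     The length of the public key data.

  @retval RETURN_SUCCESS            Authentication pass.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.
  @retval RETURN_SECURITY_VIOLATION Authentication fail.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.
  @retval RETURN_INVALID_PARAMETER  The image is in an invalid format (the dwLength/ImageSize
                                    relations do not hold).
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
  @retval RETURN_OUT_OF_RESOURCES   The buffer holding the signed data could not be allocated.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.
**/
RETURN_STATUS
FmpAuthenticatedHandlerPkcs7 (
  IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,
  IN UINTN                              ImageSize,
  IN CONST UINT8                        *PublicKeyData,
  IN UINTN                              PublicKeyDataLength
  )
{
  RETURN_STATUS  Status;
  BOOLEAN        CryptoStatus;
  VOID           *P7Data;
  UINTN          P7Length;
  UINTN          CertLength;
  UINTN          PayloadLength;
  UINTN          SignedLength;
  VOID           *TempBuffer;

  DEBUG ((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7 - Image: 0x%08x - 0x%08x\n", (UINTN)Image, (UINTN)ImageSize));

  CertLength = (UINTN)Image->AuthInfo.Hdr.dwLength;

  //
  // Defense in depth: re-establish the invariants the arithmetic below relies
  // on (a non-empty certificate body, no wrap when adding the MonotonicCount,
  // and at least one payload byte after AuthInfo), even though
  // AuthenticateFmpImage() has already checked them.
  //
  if ((CertLength <= OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) ||
      (CertLength > MAX_UINTN - sizeof (Image->MonotonicCount)) ||
      (ImageSize <= sizeof (Image->MonotonicCount) + CertLength)) {
    DEBUG ((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: inconsistent dwLength/ImageSize\n"));
    Status = RETURN_INVALID_PARAMETER;
    goto Done;
  }

  //
  // The PKCS7 blob is the certificate body following the WIN_CERTIFICATE_UEFI_GUID header.
  //
  P7Length = CertLength - OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
  P7Data   = Image->AuthInfo.CertData;

  //
  // The signature covers the payload that follows AuthInfo with the
  // MonotonicCount appended, so the two must be laid out contiguously.
  //
  PayloadLength = ImageSize - sizeof (Image->MonotonicCount) - CertLength;
  SignedLength  = PayloadLength + sizeof (Image->MonotonicCount);

  TempBuffer = AllocatePool (SignedLength);
  if (TempBuffer == NULL) {
    DEBUG ((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: TempBuffer == NULL\n"));
    Status = RETURN_OUT_OF_RESOURCES;
    goto Done;
  }

  CopyMem (
    TempBuffer,
    (UINT8 *)Image + sizeof (Image->MonotonicCount) + CertLength,
    PayloadLength
    );
  CopyMem (
    (UINT8 *)TempBuffer + PayloadLength,
    &Image->MonotonicCount,
    sizeof (Image->MonotonicCount)
    );

  CryptoStatus = Pkcs7Verify (
                   P7Data,
                   P7Length,
                   PublicKeyData,
                   PublicKeyDataLength,
                   (UINT8 *)TempBuffer,
                   SignedLength
                   );
  FreePool (TempBuffer);
  if (!CryptoStatus) {
    //
    // Fail closed: any verification failure is reported as a security violation.
    //
    DEBUG ((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: Pkcs7Verify() failed\n"));
    Status = RETURN_SECURITY_VIOLATION;
    goto Done;
  }
  DEBUG ((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7: PASS verification\n"));

  Status = RETURN_SUCCESS;

Done:
  return Status;
}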
124 | \r | |
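/**
  The function is used to do the authentication for FMP capsule based upon
  EFI_FIRMWARE_IMAGE_AUTHENTICATION.

  The FMP capsule image should start with EFI_FIRMWARE_IMAGE_AUTHENTICATION,
  followed by the payload.

  If the return status is RETURN_SUCCESS, the caller may continue the rest
  FMP update process.
  If the return status is NOT RETURN_SUCCESS, the caller should stop the FMP
  update process and convert the return status to LastAttemptStatus
  to indicate that FMP update fails.
  The LastAttemptStatus can be got from ESRT table or via
  EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo().

  Caution: This function may receive untrusted input.

  Header validation is done here, in an order that never reads a field before
  the buffer is known to be large enough to hold it: the fixed-size header
  must fit, dwLength must cover more than the WIN_CERTIFICATE_UEFI_GUID header
  and must not wrap when the MonotonicCount size is added, and at least one
  payload byte must follow AuthInfo. Only then are wRevision, wCertificateType
  and CertType consulted to dispatch to the PKCS7 handler.

  @param[in]  Image                   Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.
  @param[in]  ImageSize               Size of the authentication image in bytes.
  @param[in]  PublicKeyData           The public key data used to validate the signature.
  @param[in]  PublicKeyDataLength     The length of the public key data.

  @retval RETURN_SUCCESS            Authentication pass.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.
  @retval RETURN_SECURITY_VIOLATION Authentication fail.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.
  @retval RETURN_INVALID_PARAMETER  The image is in an invalid format, or no public key data
                                    was supplied.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
  @retval RETURN_UNSUPPORTED        Image is NULL or ImageSize is 0, or no authentication
                                    handler is associated with CertType.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
  @retval RETURN_OUT_OF_RESOURCES   The handler could not allocate the buffer for the signed data.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.
**/
RETURN_STATUS
EFIAPI
AuthenticateFmpImage (
  IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,
  IN UINTN                              ImageSize,
  IN CONST UINT8                        *PublicKeyData,
  IN UINTN                              PublicKeyDataLength
  )
{
  CONST GUID  *CertType;
  UINTN       CertLength;

  if ((Image == NULL) || (ImageSize == 0)) {
    return RETURN_UNSUPPORTED;
  }

  //
  // Without a trust anchor nothing can be verified. Reject explicitly rather
  // than relying on the crypto library's handling of a NULL/empty certificate.
  //
  if ((PublicKeyData == NULL) || (PublicKeyDataLength == 0)) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - no public key data\n"));
    return RETURN_INVALID_PARAMETER;
  }

  //
  // The fixed header must fit before any of its fields are read.
  //
  if (ImageSize < sizeof (EFI_FIRMWARE_IMAGE_AUTHENTICATION)) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));
    return RETURN_INVALID_PARAMETER;
  }

  CertLength = (UINTN)Image->AuthInfo.Hdr.dwLength;

  //
  // dwLength covers the whole WIN_CERTIFICATE_UEFI_GUID; it must leave room
  // for at least one byte of CertData.
  //
  if (CertLength <= OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too small\n"));
    return RETURN_INVALID_PARAMETER;
  }

  //
  // Guard the addition in the next check against wrapping on 32-bit UINTN.
  //
  if (CertLength > MAX_UINTN - sizeof (UINT64)) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too big\n"));
    return RETURN_INVALID_PARAMETER;
  }

  //
  // The certificate must lie inside the image and be followed by a non-empty payload.
  //
  if (ImageSize <= sizeof (Image->MonotonicCount) + CertLength) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));
    return RETURN_INVALID_PARAMETER;
  }

  if (Image->AuthInfo.Hdr.wRevision != 0x0200) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - wRevision: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wRevision, (UINTN)0x0200));
    return RETURN_INVALID_PARAMETER;
  }

  if (Image->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - wCertificateType: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wCertificateType, (UINTN)WIN_CERT_TYPE_EFI_GUID));
    return RETURN_INVALID_PARAMETER;
  }

  CertType = &Image->AuthInfo.CertType;
  DEBUG ((DEBUG_INFO, "AuthenticateFmpImage - CertType: %g\n", CertType));

  //
  // Dispatch on CertType. Only PKCS7 is supported by this library; any other
  // certificate GUID is rejected rather than passed through unverified.
  //
  if (CompareGuid (&gEfiCertPkcs7Guid, CertType)) {
    return FmpAuthenticatedHandlerPkcs7 (
             Image,
             ImageSize,
             PublicKeyData,
             PublicKeyDataLength
             );
  }

  return RETURN_UNSUPPORTED;
}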
222 | \r |