| | 1 | /** @file\r |
| | 2 | Detects if PcdFmpDevicePkcs7CertBufferXdr contains a test key.\r |
| | 3 | \r |
| | 4 | Copyright (c) 2018 - 2019, Intel Corporation. All rights reserved.<BR>\r |
| | 5 | \r |
| | 6 | SPDX-License-Identifier: BSD-2-Clause-Patent\r |
| | 7 | \r |
| | 8 | **/\r |
| | 9 | \r |
| | 10 | #include "FmpDxe.h"\r |
| | 11 | \r |
| | 12 | /**\r |
| | 13 | Check to see if any of the keys in PcdFmpDevicePkcs7CertBufferXdr matches\r |
| | 14 | the test key. PcdFmpDeviceTestKeySha256Digest contains the SHA256 hash of\r |
| | 15 | the test key. For each key in PcdFmpDevicePkcs7CertBufferXdr, compute the\r |
| | 16 | SHA256 hash and compare it to PcdFmpDeviceTestKeySha256Digest. If the\r |
| | 17 | SHA256 hash matches or there is then error computing the SHA256 hash, then\r |
| | 18 | set PcdTestKeyUsed to TRUE. Skip this check if PcdTestKeyUsed is already\r |
| | 19 | TRUE or PcdFmpDeviceTestKeySha256Digest is not exactly SHA256_DIGEST_SIZE\r |
| | 20 | bytes.\r |
| | 21 | **/\r |
| | 22 | VOID\r |
| | 23 | DetectTestKey (\r |
| | 24 | VOID\r |
| | 25 | )\r |
| | 26 | {\r |
| | 27 | BOOLEAN TestKeyUsed;\r |
| | 28 | UINTN PublicKeyDataLength;\r |
| | 29 | UINT8 *PublicKeyDataXdr;\r |
| | 30 | UINT8 *PublicKeyDataXdrEnd;\r |
| | 31 | VOID *HashContext;\r |
| | 32 | UINT8 Digest[SHA256_DIGEST_SIZE];\r |
| | 33 | UINTN TestKeyDigestSize;\r |
| | 34 | \r |
| | 35 | //\r |
| | 36 | // If PcdFmpDeviceTestKeySha256Digest is not exactly SHA256_DIGEST_SIZE bytes,\r |
| | 37 | // then skip the test key detection.\r |
| | 38 | //\r |
| | 39 | TestKeyDigestSize = PcdGetSize (PcdFmpDeviceTestKeySha256Digest);\r |
| | 40 | if (TestKeyDigestSize != SHA256_DIGEST_SIZE) {\r |
| | 41 | return;\r |
| | 42 | }\r |
| | 43 | \r |
| | 44 | //\r |
| | 45 | // If PcdTestKeyUsed is already TRUE, then skip test key detection\r |
| | 46 | //\r |
| | 47 | TestKeyUsed = PcdGetBool (PcdTestKeyUsed);\r |
| | 48 | if (TestKeyUsed) {\r |
| | 49 | return;\r |
| | 50 | }\r |
| | 51 | \r |
| | 52 | //\r |
| | 53 | // If PcdFmpDevicePkcs7CertBufferXdr is invalid, then skip test key detection\r |
| | 54 | //\r |
| | 55 | PublicKeyDataXdr = PcdGetPtr (PcdFmpDevicePkcs7CertBufferXdr);\r |
| | 56 | PublicKeyDataXdrEnd = PublicKeyDataXdr + PcdGetSize (PcdFmpDevicePkcs7CertBufferXdr);\r |
| | 57 | if ((PublicKeyDataXdr == NULL) || (PublicKeyDataXdr == PublicKeyDataXdrEnd)) {\r |
| | 58 | return;\r |
| | 59 | }\r |
| | 60 | \r |
| | 61 | //\r |
| | 62 | // Allocate hash context buffer required for SHA 256\r |
| | 63 | //\r |
| | 64 | HashContext = AllocatePool (Sha256GetContextSize ());\r |
| | 65 | if (HashContext == NULL) {\r |
| | 66 | TestKeyUsed = TRUE;\r |
| | 67 | }\r |
| | 68 | \r |
| | 69 | //\r |
| | 70 | // Loop through all keys in PcdFmpDevicePkcs7CertBufferXdr\r |
| | 71 | //\r |
| | 72 | while (!TestKeyUsed && PublicKeyDataXdr < PublicKeyDataXdrEnd) {\r |
| | 73 | if (PublicKeyDataXdr + sizeof (UINT32) > PublicKeyDataXdrEnd) {\r |
| | 74 | //\r |
| | 75 | // Key data extends beyond end of PCD\r |
| | 76 | //\r |
| | 77 | break;\r |
| | 78 | }\r |
| | 79 | \r |
| | 80 | //\r |
| | 81 | // Read key length stored in big endian format\r |
| | 82 | //\r |
| | 83 | PublicKeyDataLength = SwapBytes32 (*(UINT32 *)(PublicKeyDataXdr));\r |
| | 84 | //\r |
| | 85 | // Point to the start of the key data\r |
| | 86 | //\r |
| | 87 | PublicKeyDataXdr += sizeof (UINT32);\r |
| | 88 | if (PublicKeyDataXdr + PublicKeyDataLength > PublicKeyDataXdrEnd) {\r |
| | 89 | //\r |
| | 90 | // Key data extends beyond end of PCD\r |
| | 91 | //\r |
| | 92 | break;\r |
| | 93 | }\r |
| | 94 | \r |
| | 95 | //\r |
| | 96 | // Hash public key from PcdFmpDevicePkcs7CertBufferXdr using SHA256.\r |
| | 97 | // If error occurs computing SHA256, then assume test key is in use.\r |
| | 98 | //\r |
| | 99 | ZeroMem (Digest, SHA256_DIGEST_SIZE);\r |
| | 100 | if (!Sha256Init (HashContext)) {\r |
| | 101 | TestKeyUsed = TRUE;\r |
| | 102 | break;\r |
| | 103 | }\r |
| | 104 | \r |
| | 105 | if (!Sha256Update (HashContext, PublicKeyDataXdr, PublicKeyDataLength)) {\r |
| | 106 | TestKeyUsed = TRUE;\r |
| | 107 | break;\r |
| | 108 | }\r |
| | 109 | \r |
| | 110 | if (!Sha256Final (HashContext, Digest)) {\r |
| | 111 | TestKeyUsed = TRUE;\r |
| | 112 | break;\r |
| | 113 | }\r |
| | 114 | \r |
| | 115 | //\r |
| | 116 | // Check if SHA256 hash of public key matches SHA256 hash of test key\r |
| | 117 | //\r |
| | 118 | if (CompareMem (Digest, PcdGetPtr (PcdFmpDeviceTestKeySha256Digest), SHA256_DIGEST_SIZE) == 0) {\r |
| | 119 | TestKeyUsed = TRUE;\r |
| | 120 | break;\r |
| | 121 | }\r |
| | 122 | \r |
| | 123 | //\r |
| | 124 | // Point to start of next key\r |
| | 125 | //\r |
| | 126 | PublicKeyDataXdr += PublicKeyDataLength;\r |
| | 127 | PublicKeyDataXdr = (UINT8 *)ALIGN_POINTER (PublicKeyDataXdr, sizeof (UINT32));\r |
| | 128 | }\r |
| | 129 | \r |
| | 130 | //\r |
| | 131 | // Free hash context buffer required for SHA 256\r |
| | 132 | //\r |
| | 133 | if (HashContext != NULL) {\r |
| | 134 | FreePool (HashContext);\r |
| | 135 | HashContext = NULL;\r |
| | 136 | }\r |
| | 137 | \r |
| | 138 | //\r |
| | 139 | // If test key detected or an error occurred checking for the test key, then\r |
| | 140 | // set PcdTestKeyUsed to TRUE.\r |
| | 141 | //\r |
| | 142 | if (TestKeyUsed) {\r |
| | 143 | DEBUG ((DEBUG_INFO, "FmpDxe(%s): Test key detected in PcdFmpDevicePkcs7CertBufferXdr.\n", mImageIdName));\r |
| | 144 | PcdSetBoolS (PcdTestKeyUsed, TRUE);\r |
| | 145 | } else {\r |
| | 146 | DEBUG ((DEBUG_INFO, "FmpDxe(%s): No test key detected in PcdFmpDevicePkcs7CertBufferXdr.\n", mImageIdName));\r |
| | 147 | }\r |
| | 148 | }\r |
projects / mirror_edk2.git / blame_incremental