2 FMP Authentication PKCS7 handler.
3 Provide generic FMP authentication functions for DXE/PEI post memory phase.
5 Caution: This module requires additional review when modified.
6 This module will have external input - capsule image.
7 This external input must be validated carefully to avoid security issue like
8 buffer overflow, integer overflow.
10 FmpAuthenticatedHandlerPkcs7(), AuthenticateFmpImage() will receive
11 untrusted input and do basic validation.
13 Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
14 This program and the accompanying materials
15 are licensed and made available under the terms and conditions of the BSD License
16 which accompanies this distribution. The full text of the license may be found at
17 http://opensource.org/licenses/bsd-license.php
19 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
20 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
26 #include <Guid/SystemResourceTable.h>
27 #include <Guid/FirmwareContentsSigned.h>
28 #include <Guid/WinCertificate.h>
30 #include <Library/BaseLib.h>
31 #include <Library/BaseMemoryLib.h>
32 #include <Library/DebugLib.h>
33 #include <Library/MemoryAllocationLib.h>
34 #include <Library/BaseCryptLib.h>
35 #include <Library/FmpAuthenticationLib.h>
36 #include <Library/PcdLib.h>
37 #include <Protocol/FirmwareManagement.h>
38 #include <Guid/SystemResourceTable.h>
41 The handler is used to do the authentication for FMP capsule based upon
42 EFI_FIRMWARE_IMAGE_AUTHENTICATION.
44 Caution: This function may receive untrusted input.
46 This function assumes the caller AuthenticateFmpImage()
47 already did basic validation for EFI_FIRMWARE_IMAGE_AUTHENTICATION.
49 @param[in] Image Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.
50 @param[in] ImageSize Size of the authentication image in bytes.
51 @param[in] PublicKeyData The public key data used to validate the signature.
52 @param[in] PublicKeyDataLength The length of the public key data.
54 @retval RETURN_SUCCESS Authentication pass.
55 The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.
56 @retval RETURN_SECURITY_VIOLATION Authentication fail.
57 The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.
58 @retval RETURN_INVALID_PARAMETER The image is in an invalid format.
59 The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
60 @retval RETURN_OUT_OF_RESOURCES No Authentication handler associated with CertType.
61 The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.
64 FmpAuthenticatedHandlerPkcs7 (
65 IN EFI_FIRMWARE_IMAGE_AUTHENTICATION
*Image
,
67 IN CONST UINT8
*PublicKeyData
,
68 IN UINTN PublicKeyDataLength
77 DEBUG((DEBUG_INFO
, "FmpAuthenticatedHandlerPkcs7 - Image: 0x%08x - 0x%08x\n", (UINTN
)Image
, (UINTN
)ImageSize
));
79 P7Length
= Image
->AuthInfo
.Hdr
.dwLength
- (OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID
, CertData
));
80 P7Data
= Image
->AuthInfo
.CertData
;
82 // It is a signature across the variable data and the Monotonic Count value.
83 TempBuffer
= AllocatePool(ImageSize
- Image
->AuthInfo
.Hdr
.dwLength
);
84 if (TempBuffer
== NULL
) {
85 DEBUG((DEBUG_ERROR
, "FmpAuthenticatedHandlerPkcs7: TempBuffer == NULL\n"));
86 Status
= RETURN_OUT_OF_RESOURCES
;
92 (UINT8
*)Image
+ sizeof(Image
->MonotonicCount
) + Image
->AuthInfo
.Hdr
.dwLength
,
93 ImageSize
- sizeof(Image
->MonotonicCount
) - Image
->AuthInfo
.Hdr
.dwLength
96 (UINT8
*)TempBuffer
+ ImageSize
- sizeof(Image
->MonotonicCount
) - Image
->AuthInfo
.Hdr
.dwLength
,
97 &Image
->MonotonicCount
,
98 sizeof(Image
->MonotonicCount
)
100 CryptoStatus
= Pkcs7Verify(
106 ImageSize
- Image
->AuthInfo
.Hdr
.dwLength
108 FreePool(TempBuffer
);
111 // If PKCS7 signature verification fails, AUTH tested failed bit is set.
113 DEBUG((DEBUG_ERROR
, "FmpAuthenticatedHandlerPkcs7: Pkcs7Verify() failed\n"));
114 Status
= RETURN_SECURITY_VIOLATION
;
117 DEBUG((DEBUG_INFO
, "FmpAuthenticatedHandlerPkcs7: PASS verification\n"));
119 Status
= RETURN_SUCCESS
;
126 The function is used to do the authentication for FMP capsule based upon
127 EFI_FIRMWARE_IMAGE_AUTHENTICATION.
129 The FMP capsule image should start with EFI_FIRMWARE_IMAGE_AUTHENTICATION,
130 followed by the payload.
132 If the return status is RETURN_SUCCESS, the caller may continue the rest
134 If the return status is NOT RETURN_SUCCESS, the caller should stop the FMP
135 update process and convert the return status to LastAttemptStatus
136 to indicate that FMP update fails.
137 The LastAttemptStatus can be got from ESRT table or via
138 EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo().
140 Caution: This function may receive untrusted input.
142 @param[in] Image Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.
143 @param[in] ImageSize Size of the authentication image in bytes.
144 @param[in] PublicKeyData The public key data used to validate the signature.
145 @param[in] PublicKeyDataLength The length of the public key data.
147 @retval RETURN_SUCCESS Authentication pass.
148 The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.
149 @retval RETURN_SECURITY_VIOLATION Authentication fail.
150 The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.
151 @retval RETURN_INVALID_PARAMETER The image is in an invalid format.
152 The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
153 @retval RETURN_UNSUPPORTED No Authentication handler associated with CertType.
154 The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
155 @retval RETURN_UNSUPPORTED Image or ImageSize is invalid.
156 The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
157 @retval RETURN_OUT_OF_RESOURCES No Authentication handler associated with CertType.
158 The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.
162 AuthenticateFmpImage (
163 IN EFI_FIRMWARE_IMAGE_AUTHENTICATION
*Image
,
165 IN CONST UINT8
*PublicKeyData
,
166 IN UINTN PublicKeyDataLength
172 if ((Image
== NULL
) || (ImageSize
== 0)) {
173 return RETURN_UNSUPPORTED
;
176 if (ImageSize
< sizeof(EFI_FIRMWARE_IMAGE_AUTHENTICATION
)) {
177 DEBUG((DEBUG_ERROR
, "AuthenticateFmpImage - ImageSize too small\n"));
178 return RETURN_INVALID_PARAMETER
;
180 if (Image
->AuthInfo
.Hdr
.dwLength
<= OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID
, CertData
)) {
181 DEBUG((DEBUG_ERROR
, "AuthenticateFmpImage - dwLength too small\n"));
182 return RETURN_INVALID_PARAMETER
;
184 if ((UINTN
) Image
->AuthInfo
.Hdr
.dwLength
> MAX_UINTN
- sizeof(UINT64
)) {
185 DEBUG((DEBUG_ERROR
, "AuthenticateFmpImage - dwLength too big\n"));
186 return RETURN_INVALID_PARAMETER
;
188 if (ImageSize
<= sizeof(Image
->MonotonicCount
) + Image
->AuthInfo
.Hdr
.dwLength
) {
189 DEBUG((DEBUG_ERROR
, "AuthenticateFmpImage - ImageSize too small\n"));
190 return RETURN_INVALID_PARAMETER
;
192 if (Image
->AuthInfo
.Hdr
.wRevision
!= 0x0200) {
193 DEBUG((DEBUG_ERROR
, "AuthenticateFmpImage - wRevision: 0x%02x, expect - 0x%02x\n", (UINTN
)Image
->AuthInfo
.Hdr
.wRevision
, (UINTN
)0x0200));
194 return RETURN_INVALID_PARAMETER
;
196 if (Image
->AuthInfo
.Hdr
.wCertificateType
!= WIN_CERT_TYPE_EFI_GUID
) {
197 DEBUG((DEBUG_ERROR
, "AuthenticateFmpImage - wCertificateType: 0x%02x, expect - 0x%02x\n", (UINTN
)Image
->AuthInfo
.Hdr
.wCertificateType
, (UINTN
)WIN_CERT_TYPE_EFI_GUID
));
198 return RETURN_INVALID_PARAMETER
;
201 CertType
= &Image
->AuthInfo
.CertType
;
202 DEBUG((DEBUG_INFO
, "AuthenticateFmpImage - CertType: %g\n", CertType
));
204 if (CompareGuid (&gEfiCertPkcs7Guid
, CertType
)) {
206 // Call the match handler to extract raw data for the input section data.
208 Status
= FmpAuthenticatedHandlerPkcs7 (
218 // Not found, the input guided section is not supported.
220 return RETURN_UNSUPPORTED
;