Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14661
6f19259b-4bc3-4df7-8a09-
765794883524
\r
if (AuthVarType == AuthVarTypePk) {\r
//\r
\r
if (AuthVarType == AuthVarTypePk) {\r
//\r
- // Get platform key from variable.\r
+ // Verify that the signature has been made with the current Platform Key (no chaining for PK).\r
+ // First, get signer's certificates from SignedData.\r
+ //\r
+ VerifyStatus = Pkcs7GetSigners (\r
+ SigData,\r
+ SigDataSize,\r
+ &SignerCerts,\r
+ &CertStackSize,\r
+ &RootCert,\r
+ &RootCertSize\r
+ );\r
+ if (!VerifyStatus) {\r
+ goto Exit;\r
+ }\r
+\r
+ //\r
+ // Second, get the current platform key from variable. Check whether it's identical with signer's certificates\r
+ // in SignedData. If not, return error immediately.\r
//\r
Status = FindVariable (\r
EFI_PLATFORM_KEY_NAME,\r
//\r
Status = FindVariable (\r
EFI_PLATFORM_KEY_NAME,\r
FALSE\r
);\r
if (EFI_ERROR (Status)) {\r
FALSE\r
);\r
if (EFI_ERROR (Status)) {\r
+ VerifyStatus = FALSE;\r
+ goto Exit;\r
CertList = (EFI_SIGNATURE_LIST *) GetVariableDataPtr (PkVariable.CurrPtr);\r
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);\r
CertList = (EFI_SIGNATURE_LIST *) GetVariableDataPtr (PkVariable.CurrPtr);\r
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);\r
- RootCert = Cert->SignatureData;\r
- RootCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);\r
-\r
+ if ((RootCertSize != (CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1))) ||\r
+ (CompareMem (Cert->SignatureData, RootCert, RootCertSize) != 0)) {\r
+ VerifyStatus = FALSE;\r
+ goto Exit;\r
+ }\r
\r
//\r
// Verify Pkcs7 SignedData via Pkcs7Verify library.\r
\r
//\r
// Verify Pkcs7 SignedData via Pkcs7Verify library.\r
- if (AuthVarType == AuthVarTypePriv) {\r
+ if (AuthVarType == AuthVarTypePk || AuthVarType == AuthVarTypePriv) {\r
Pkcs7FreeSigners (RootCert);\r
Pkcs7FreeSigners (SignerCerts);\r
}\r
Pkcs7FreeSigners (RootCert);\r
Pkcs7FreeSigners (SignerCerts);\r
}\r