OvmfPkg: PlatformBdsLib: Platform dependent PCI/IRQ initialization
[mirror_edk2.git] / SecurityPkg / Library / DxeImageVerificationLib / DxeImageVerificationLib.c
CommitLineData
0c18794e 1/** @file\r
2 Implement image verification services for secure boot service in UEFI2.3.1.\r
3\r
dc204d5a
JY
4 Caution: This file requires additional review when modified.\r
5 This library will have external input - PE/COFF image.\r
6 This external input must be validated carefully to avoid security issue like\r
7 buffer overflow, integer overflow.\r
8\r
9 DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content\r
10 read is within the image buffer.\r
11\r
12 DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept\r
13 untrusted PE/COFF image and validate its data structure within this image buffer before use.\r
14\r
ffccb935 15Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>\r
45bf2c47 16This program and the accompanying materials\r
17are licensed and made available under the terms and conditions of the BSD License\r
18which accompanies this distribution. The full text of the license may be found at\r
0c18794e 19http://opensource.org/licenses/bsd-license.php\r
20\r
45bf2c47 21THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
0c18794e 22WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
23\r
24**/\r
25\r
26#include "DxeImageVerificationLib.h"\r
27\r
dc204d5a
JY
28//\r
29// Caution: This is used by a function which may receive untrusted input.\r
30// These global variables hold PE/COFF image data, and they should be validated before use.\r
31//\r
0c18794e 32EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION mNtHeader;\r
45bf2c47 33UINT32 mPeCoffHeaderOffset;\r
0c18794e 34EFI_GUID mCertType;\r
35\r
dc204d5a
JY
36//\r
37// Information on current PE/COFF image\r
38//\r
39UINTN mImageSize;\r
40UINT8 *mImageBase = NULL;\r
41UINT8 mImageDigest[MAX_DIGEST_SIZE];\r
42UINTN mImageDigestSize;\r
43\r
0c18794e 44//\r
45// Notify string for authorization UI.\r
46//\r
47CHAR16 mNotifyString1[MAX_NOTIFY_STRING_LEN] = L"Image verification pass but not found in authorized database!";\r
48CHAR16 mNotifyString2[MAX_NOTIFY_STRING_LEN] = L"Launch this image anyway? (Yes/Defer/No)";\r
49//\r
50// Public Exponent of RSA Key.\r
51//\r
52CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };\r
53\r
54\r
55//\r
56// OID ASN.1 Value for Hash Algorithms\r
57//\r
58UINT8 mHashOidValue[] = {\r
0c18794e 59 0x2B, 0x0E, 0x03, 0x02, 0x1A, // OBJ_sha1\r
60 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, // OBJ_sha224\r
61 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, // OBJ_sha256\r
62 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, // OBJ_sha384\r
63 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, // OBJ_sha512\r
64 };\r
65\r
66HASH_TABLE mHash[] = {\r
64470c17 67 { L"SHA1", 20, &mHashOidValue[0], 5, Sha1GetContextSize, Sha1Init, Sha1Update, Sha1Final },\r
68 { L"SHA224", 28, &mHashOidValue[5], 9, NULL, NULL, NULL, NULL },\r
69 { L"SHA256", 32, &mHashOidValue[14], 9, Sha256GetContextSize,Sha256Init, Sha256Update, Sha256Final},\r
70 { L"SHA384", 48, &mHashOidValue[23], 9, NULL, NULL, NULL, NULL },\r
71 { L"SHA512", 64, &mHashOidValue[32], 9, NULL, NULL, NULL, NULL }\r
0c18794e 72};\r
73\r
c1d93242
JY
74/**\r
75 SecureBoot Hook for processing image verification.\r
76\r
77 @param[in] VariableName Name of Variable to be found.\r
78 @param[in] VendorGuid Variable vendor GUID.\r
79 @param[in] DataSize Size of Data found. If size is less than the\r
80 data, this value contains the required size.\r
81 @param[in] Data Data pointer.\r
82\r
83**/\r
84VOID\r
85EFIAPI\r
86SecureBootHook (\r
87 IN CHAR16 *VariableName,\r
88 IN EFI_GUID *VendorGuid,\r
89 IN UINTN DataSize,\r
90 IN VOID *Data\r
91 );\r
92\r
28186d45
ED
93/**\r
94 Reads contents of a PE/COFF image in memory buffer.\r
95\r
dc204d5a
JY
96 Caution: This function may receive untrusted input.\r
97 PE/COFF image is external input, so this function will make sure the PE/COFF image content\r
98 read is within the image buffer.\r
99\r
28186d45
ED
100 @param FileHandle Pointer to the file handle to read the PE/COFF image.\r
101 @param FileOffset Offset into the PE/COFF image to begin the read operation.\r
102 @param ReadSize On input, the size in bytes of the requested read operation. \r
103 On output, the number of bytes actually read.\r
104 @param Buffer Output buffer that contains the data read from the PE/COFF image.\r
105 \r
106 @retval EFI_SUCCESS The specified portion of the PE/COFF image was read and the size \r
107**/\r
108EFI_STATUS\r
109EFIAPI\r
e0192326 110DxeImageVerificationLibImageRead (\r
28186d45
ED
111 IN VOID *FileHandle,\r
112 IN UINTN FileOffset,\r
113 IN OUT UINTN *ReadSize,\r
114 OUT VOID *Buffer\r
115 )\r
116{\r
117 UINTN EndPosition;\r
118\r
119 if (FileHandle == NULL || ReadSize == NULL || Buffer == NULL) {\r
120 return EFI_INVALID_PARAMETER; \r
121 }\r
122\r
123 if (MAX_ADDRESS - FileOffset < *ReadSize) {\r
124 return EFI_INVALID_PARAMETER;\r
125 }\r
126\r
127 EndPosition = FileOffset + *ReadSize;\r
128 if (EndPosition > mImageSize) {\r
129 *ReadSize = (UINT32)(mImageSize - FileOffset);\r
130 }\r
131\r
132 if (FileOffset >= mImageSize) {\r
133 *ReadSize = 0;\r
134 }\r
135\r
136 CopyMem (Buffer, (UINT8 *)((UINTN) FileHandle + FileOffset), *ReadSize);\r
137\r
138 return EFI_SUCCESS;\r
139}\r
140\r
0c18794e 141\r
142/**\r
143 Get the image type.\r
144\r
145 @param[in] File This is a pointer to the device path of the file that is\r
45bf2c47 146 being dispatched.\r
0c18794e 147\r
45bf2c47 148 @return UINT32 Image Type\r
0c18794e 149\r
150**/\r
151UINT32\r
152GetImageType (\r
153 IN CONST EFI_DEVICE_PATH_PROTOCOL *File\r
154 )\r
155{\r
156 EFI_STATUS Status;\r
45bf2c47 157 EFI_HANDLE DeviceHandle;\r
0c18794e 158 EFI_DEVICE_PATH_PROTOCOL *TempDevicePath;\r
159 EFI_BLOCK_IO_PROTOCOL *BlockIo;\r
160\r
5db28a67
LG
161 if (File == NULL) {\r
162 return IMAGE_UNKNOWN;\r
163 }\r
164\r
0c18794e 165 //\r
166 // First check to see if File is from a Firmware Volume\r
167 //\r
168 DeviceHandle = NULL;\r
45bf2c47 169 TempDevicePath = (EFI_DEVICE_PATH_PROTOCOL *) File;\r
0c18794e 170 Status = gBS->LocateDevicePath (\r
171 &gEfiFirmwareVolume2ProtocolGuid,\r
172 &TempDevicePath,\r
173 &DeviceHandle\r
174 );\r
175 if (!EFI_ERROR (Status)) {\r
176 Status = gBS->OpenProtocol (\r
177 DeviceHandle,\r
178 &gEfiFirmwareVolume2ProtocolGuid,\r
179 NULL,\r
180 NULL,\r
181 NULL,\r
182 EFI_OPEN_PROTOCOL_TEST_PROTOCOL\r
183 );\r
184 if (!EFI_ERROR (Status)) {\r
185 return IMAGE_FROM_FV;\r
186 }\r
187 }\r
188\r
189 //\r
190 // Next check to see if File is from a Block I/O device\r
191 //\r
192 DeviceHandle = NULL;\r
45bf2c47 193 TempDevicePath = (EFI_DEVICE_PATH_PROTOCOL *) File;\r
0c18794e 194 Status = gBS->LocateDevicePath (\r
195 &gEfiBlockIoProtocolGuid,\r
196 &TempDevicePath,\r
197 &DeviceHandle\r
198 );\r
199 if (!EFI_ERROR (Status)) {\r
200 BlockIo = NULL;\r
201 Status = gBS->OpenProtocol (\r
202 DeviceHandle,\r
203 &gEfiBlockIoProtocolGuid,\r
204 (VOID **) &BlockIo,\r
205 NULL,\r
206 NULL,\r
207 EFI_OPEN_PROTOCOL_GET_PROTOCOL\r
208 );\r
209 if (!EFI_ERROR (Status) && BlockIo != NULL) {\r
210 if (BlockIo->Media != NULL) {\r
211 if (BlockIo->Media->RemovableMedia) {\r
212 //\r
213 // Block I/O is present and specifies the media is removable\r
214 //\r
215 return IMAGE_FROM_REMOVABLE_MEDIA;\r
216 } else {\r
217 //\r
218 // Block I/O is present and specifies the media is not removable\r
219 //\r
220 return IMAGE_FROM_FIXED_MEDIA;\r
221 }\r
222 }\r
223 }\r
224 }\r
225\r
226 //\r
45bf2c47 227 // File is not in a Firmware Volume or on a Block I/O device, so check to see if\r
0c18794e 228 // the device path supports the Simple File System Protocol.\r
229 //\r
230 DeviceHandle = NULL;\r
45bf2c47 231 TempDevicePath = (EFI_DEVICE_PATH_PROTOCOL *) File;\r
0c18794e 232 Status = gBS->LocateDevicePath (\r
233 &gEfiSimpleFileSystemProtocolGuid,\r
234 &TempDevicePath,\r
235 &DeviceHandle\r
236 );\r
237 if (!EFI_ERROR (Status)) {\r
238 //\r
239 // Simple File System is present without Block I/O, so assume media is fixed.\r
240 //\r
241 return IMAGE_FROM_FIXED_MEDIA;\r
242 }\r
243\r
244 //\r
245 // File is not from an FV, Block I/O or Simple File System, so the only options\r
45bf2c47 246 // left are a PCI Option ROM and a Load File Protocol such as a PXE Boot from a NIC.\r
0c18794e 247 //\r
45bf2c47 248 TempDevicePath = (EFI_DEVICE_PATH_PROTOCOL *) File;\r
0c18794e 249 while (!IsDevicePathEndType (TempDevicePath)) {\r
250 switch (DevicePathType (TempDevicePath)) {\r
45bf2c47 251\r
0c18794e 252 case MEDIA_DEVICE_PATH:\r
253 if (DevicePathSubType (TempDevicePath) == MEDIA_RELATIVE_OFFSET_RANGE_DP) {\r
254 return IMAGE_FROM_OPTION_ROM;\r
255 }\r
256 break;\r
257\r
258 case MESSAGING_DEVICE_PATH:\r
259 if (DevicePathSubType(TempDevicePath) == MSG_MAC_ADDR_DP) {\r
260 return IMAGE_FROM_REMOVABLE_MEDIA;\r
45bf2c47 261 }\r
0c18794e 262 break;\r
263\r
264 default:\r
265 break;\r
266 }\r
267 TempDevicePath = NextDevicePathNode (TempDevicePath);\r
268 }\r
45bf2c47 269 return IMAGE_UNKNOWN;\r
0c18794e 270}\r
271\r
272/**\r
273 Caculate hash of Pe/Coff image based on the authenticode image hashing in\r
274 PE/COFF Specification 8.0 Appendix A\r
275\r
dc204d5a
JY
276 Caution: This function may receive untrusted input.\r
277 PE/COFF image is external input, so this function will validate its data structure\r
278 within this image buffer before use.\r
279\r
0c18794e 280 @param[in] HashAlg Hash algorithm type.\r
45bf2c47 281\r
0c18794e 282 @retval TRUE Successfully hash image.\r
283 @retval FALSE Fail in hash image.\r
284\r
285**/\r
45bf2c47 286BOOLEAN\r
0c18794e 287HashPeImage (\r
288 IN UINT32 HashAlg\r
289 )\r
290{\r
291 BOOLEAN Status;\r
292 UINT16 Magic;\r
293 EFI_IMAGE_SECTION_HEADER *Section;\r
294 VOID *HashCtx;\r
295 UINTN CtxSize;\r
296 UINT8 *HashBase;\r
297 UINTN HashSize;\r
298 UINTN SumOfBytesHashed;\r
299 EFI_IMAGE_SECTION_HEADER *SectionHeader;\r
300 UINTN Index;\r
301 UINTN Pos;\r
551d8081 302 UINT32 CertSize;\r
303 UINT32 NumberOfRvaAndSizes;\r
45bf2c47 304\r
0c18794e 305 HashCtx = NULL;\r
306 SectionHeader = NULL;\r
307 Status = FALSE;\r
308\r
309 if ((HashAlg != HASHALG_SHA1) && (HashAlg != HASHALG_SHA256)) {\r
310 return FALSE;\r
311 }\r
45bf2c47 312\r
0c18794e 313 //\r
314 // Initialize context of hash.\r
315 //\r
316 ZeroMem (mImageDigest, MAX_DIGEST_SIZE);\r
317\r
318 if (HashAlg == HASHALG_SHA1) {\r
319 mImageDigestSize = SHA1_DIGEST_SIZE;\r
320 mCertType = gEfiCertSha1Guid;\r
321 } else if (HashAlg == HASHALG_SHA256) {\r
322 mImageDigestSize = SHA256_DIGEST_SIZE;\r
323 mCertType = gEfiCertSha256Guid;\r
324 } else {\r
325 return FALSE;\r
326 }\r
327\r
328 CtxSize = mHash[HashAlg].GetContextSize();\r
45bf2c47 329\r
0c18794e 330 HashCtx = AllocatePool (CtxSize);\r
570b3d1a 331 if (HashCtx == NULL) {\r
332 return FALSE;\r
333 }\r
0c18794e 334\r
335 // 1. Load the image header into memory.\r
336\r
337 // 2. Initialize a SHA hash context.\r
338 Status = mHash[HashAlg].HashInit(HashCtx);\r
45bf2c47 339\r
0c18794e 340 if (!Status) {\r
341 goto Done;\r
342 }\r
551d8081 343\r
0c18794e 344 //\r
345 // Measuring PE/COFF Image Header;\r
346 // But CheckSum field and SECURITY data directory (certificate) are excluded\r
347 //\r
de2447dd 348 if (mNtHeader.Pe32->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 && mNtHeader.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {\r
349 //\r
350 // NOTE: Some versions of Linux ELILO for Itanium have an incorrect magic value \r
351 // in the PE/COFF Header. If the MachineType is Itanium(IA64) and the \r
352 // Magic value in the OptionalHeader is EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC\r
353 // then override the magic value to EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC\r
354 //\r
355 Magic = EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC;\r
356 } else {\r
357 //\r
358 // Get the magic value from the PE/COFF Optional Header\r
359 //\r
360 Magic = mNtHeader.Pe32->OptionalHeader.Magic;\r
361 }\r
362 \r
0c18794e 363 //\r
364 // 3. Calculate the distance from the base of the image header to the image checksum address.\r
365 // 4. Hash the image header from its base to beginning of the image checksum.\r
366 //\r
367 HashBase = mImageBase;\r
368 if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {\r
369 //\r
370 // Use PE32 offset.\r
371 //\r
372 HashSize = (UINTN) ((UINT8 *) (&mNtHeader.Pe32->OptionalHeader.CheckSum) - HashBase);\r
551d8081 373 NumberOfRvaAndSizes = mNtHeader.Pe32->OptionalHeader.NumberOfRvaAndSizes;\r
570b3d1a 374 } else if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC) {\r
0c18794e 375 //\r
376 // Use PE32+ offset.\r
377 //\r
378 HashSize = (UINTN) ((UINT8 *) (&mNtHeader.Pe32Plus->OptionalHeader.CheckSum) - HashBase);\r
551d8081 379 NumberOfRvaAndSizes = mNtHeader.Pe32Plus->OptionalHeader.NumberOfRvaAndSizes;\r
570b3d1a 380 } else {\r
381 //\r
382 // Invalid header magic number.\r
383 //\r
384 Status = FALSE;\r
385 goto Done;\r
0c18794e 386 }\r
387\r
388 Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);\r
389 if (!Status) {\r
390 goto Done;\r
391 }\r
551d8081 392\r
0c18794e 393 //\r
394 // 5. Skip over the image checksum (it occupies a single ULONG).\r
0c18794e 395 //\r
551d8081 396 if (NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_SECURITY) {\r
0c18794e 397 //\r
551d8081 398 // 6. Since there is no Cert Directory in optional header, hash everything\r
399 // from the end of the checksum to the end of image header.\r
0c18794e 400 //\r
551d8081 401 if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {\r
402 //\r
403 // Use PE32 offset.\r
404 //\r
405 HashBase = (UINT8 *) &mNtHeader.Pe32->OptionalHeader.CheckSum + sizeof (UINT32);\r
406 HashSize = mNtHeader.Pe32->OptionalHeader.SizeOfHeaders - (UINTN) (HashBase - mImageBase);\r
407 } else {\r
408 //\r
409 // Use PE32+ offset.\r
410 //\r
411 HashBase = (UINT8 *) &mNtHeader.Pe32Plus->OptionalHeader.CheckSum + sizeof (UINT32);\r
412 HashSize = mNtHeader.Pe32Plus->OptionalHeader.SizeOfHeaders - (UINTN) (HashBase - mImageBase);\r
413 }\r
414\r
415 if (HashSize != 0) {\r
416 Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);\r
417 if (!Status) {\r
418 goto Done;\r
419 }\r
420 }\r
0c18794e 421 } else {\r
422 //\r
551d8081 423 // 7. Hash everything from the end of the checksum to the start of the Cert Directory.\r
45bf2c47 424 //\r
551d8081 425 if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {\r
426 //\r
427 // Use PE32 offset.\r
428 //\r
429 HashBase = (UINT8 *) &mNtHeader.Pe32->OptionalHeader.CheckSum + sizeof (UINT32);\r
430 HashSize = (UINTN) ((UINT8 *) (&mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - HashBase);\r
431 } else {\r
432 //\r
433 // Use PE32+ offset.\r
434 //\r
435 HashBase = (UINT8 *) &mNtHeader.Pe32Plus->OptionalHeader.CheckSum + sizeof (UINT32);\r
436 HashSize = (UINTN) ((UINT8 *) (&mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - HashBase);\r
437 }\r
438\r
439 if (HashSize != 0) {\r
440 Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);\r
441 if (!Status) {\r
442 goto Done;\r
443 }\r
444 }\r
0c18794e 445\r
0c18794e 446 //\r
551d8081 447 // 8. Skip over the Cert Directory. (It is sizeof(IMAGE_DATA_DIRECTORY) bytes.)\r
448 // 9. Hash everything from the end of the Cert Directory to the end of image header.\r
0c18794e 449 //\r
551d8081 450 if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {\r
451 //\r
452 // Use PE32 offset\r
453 //\r
454 HashBase = (UINT8 *) &mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1];\r
455 HashSize = mNtHeader.Pe32->OptionalHeader.SizeOfHeaders - (UINTN) (HashBase - mImageBase);\r
456 } else {\r
457 //\r
458 // Use PE32+ offset.\r
459 //\r
460 HashBase = (UINT8 *) &mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1];\r
461 HashSize = mNtHeader.Pe32Plus->OptionalHeader.SizeOfHeaders - (UINTN) (HashBase - mImageBase);\r
462 }\r
0c18794e 463\r
551d8081 464 if (HashSize != 0) {\r
465 Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);\r
466 if (!Status) {\r
467 goto Done;\r
468 }\r
469 } \r
0c18794e 470 }\r
551d8081 471\r
0c18794e 472 //\r
473 // 10. Set the SUM_OF_BYTES_HASHED to the size of the header.\r
474 //\r
475 if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {\r
476 //\r
477 // Use PE32 offset.\r
478 //\r
479 SumOfBytesHashed = mNtHeader.Pe32->OptionalHeader.SizeOfHeaders;\r
480 } else {\r
481 //\r
482 // Use PE32+ offset\r
483 //\r
484 SumOfBytesHashed = mNtHeader.Pe32Plus->OptionalHeader.SizeOfHeaders;\r
485 }\r
486\r
570b3d1a 487\r
488 Section = (EFI_IMAGE_SECTION_HEADER *) (\r
489 mImageBase +\r
490 mPeCoffHeaderOffset +\r
491 sizeof (UINT32) +\r
492 sizeof (EFI_IMAGE_FILE_HEADER) +\r
493 mNtHeader.Pe32->FileHeader.SizeOfOptionalHeader\r
494 );\r
495\r
0c18794e 496 //\r
497 // 11. Build a temporary table of pointers to all the IMAGE_SECTION_HEADER\r
498 // structures in the image. The 'NumberOfSections' field of the image\r
499 // header indicates how big the table should be. Do not include any\r
500 // IMAGE_SECTION_HEADERs in the table whose 'SizeOfRawData' field is zero.\r
501 //\r
502 SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * mNtHeader.Pe32->FileHeader.NumberOfSections);\r
570b3d1a 503 if (SectionHeader == NULL) {\r
504 Status = FALSE;\r
505 goto Done;\r
506 }\r
0c18794e 507 //\r
508 // 12. Using the 'PointerToRawData' in the referenced section headers as\r
509 // a key, arrange the elements in the table in ascending order. In other\r
510 // words, sort the section headers according to the disk-file offset of\r
511 // the section.\r
512 //\r
0c18794e 513 for (Index = 0; Index < mNtHeader.Pe32->FileHeader.NumberOfSections; Index++) {\r
514 Pos = Index;\r
515 while ((Pos > 0) && (Section->PointerToRawData < SectionHeader[Pos - 1].PointerToRawData)) {\r
516 CopyMem (&SectionHeader[Pos], &SectionHeader[Pos - 1], sizeof (EFI_IMAGE_SECTION_HEADER));\r
517 Pos--;\r
518 }\r
519 CopyMem (&SectionHeader[Pos], Section, sizeof (EFI_IMAGE_SECTION_HEADER));\r
520 Section += 1;\r
521 }\r
522\r
523 //\r
524 // 13. Walk through the sorted table, bring the corresponding section\r
525 // into memory, and hash the entire section (using the 'SizeOfRawData'\r
526 // field in the section header to determine the amount of data to hash).\r
527 // 14. Add the section's 'SizeOfRawData' to SUM_OF_BYTES_HASHED .\r
528 // 15. Repeat steps 13 and 14 for all the sections in the sorted table.\r
529 //\r
530 for (Index = 0; Index < mNtHeader.Pe32->FileHeader.NumberOfSections; Index++) {\r
531 Section = &SectionHeader[Index];\r
532 if (Section->SizeOfRawData == 0) {\r
533 continue;\r
534 }\r
535 HashBase = mImageBase + Section->PointerToRawData;\r
536 HashSize = (UINTN) Section->SizeOfRawData;\r
537\r
538 Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);\r
539 if (!Status) {\r
540 goto Done;\r
541 }\r
542\r
543 SumOfBytesHashed += HashSize;\r
544 }\r
545\r
546 //\r
547 // 16. If the file size is greater than SUM_OF_BYTES_HASHED, there is extra\r
548 // data in the file that needs to be added to the hash. This data begins\r
549 // at file offset SUM_OF_BYTES_HASHED and its length is:\r
550 // FileSize - (CertDirectory->Size)\r
551 //\r
552 if (mImageSize > SumOfBytesHashed) {\r
553 HashBase = mImageBase + SumOfBytesHashed;\r
551d8081 554\r
555 if (NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_SECURITY) {\r
556 CertSize = 0;\r
0c18794e 557 } else {\r
551d8081 558 if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {\r
559 //\r
560 // Use PE32 offset.\r
561 //\r
562 CertSize = mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size;\r
563 } else {\r
564 //\r
565 // Use PE32+ offset.\r
566 //\r
567 CertSize = mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size;\r
28186d45 568 }\r
0c18794e 569 }\r
570\r
551d8081 571 if (mImageSize > CertSize + SumOfBytesHashed) {\r
572 HashSize = (UINTN) (mImageSize - CertSize - SumOfBytesHashed);\r
573\r
574 Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);\r
575 if (!Status) {\r
576 goto Done;\r
577 }\r
578 } else if (mImageSize < CertSize + SumOfBytesHashed) {\r
579 Status = FALSE;\r
0c18794e 580 goto Done;\r
581 }\r
582 }\r
551d8081 583\r
0c18794e 584 Status = mHash[HashAlg].HashFinal(HashCtx, mImageDigest);\r
585\r
586Done:\r
587 if (HashCtx != NULL) {\r
588 FreePool (HashCtx);\r
589 }\r
590 if (SectionHeader != NULL) {\r
591 FreePool (SectionHeader);\r
592 }\r
593 return Status;\r
594}\r
595\r
596/**\r
45bf2c47 597 Recognize the Hash algorithm in PE/COFF Authenticode and caculate hash of\r
598 Pe/Coff image based on the authenticode image hashing in PE/COFF Specification\r
0c18794e 599 8.0 Appendix A\r
600\r
dc204d5a
JY
601 Caution: This function may receive untrusted input.\r
602 PE/COFF image is external input, so this function will validate its data structure\r
603 within this image buffer before use.\r
604\r
f6f9031f 605 @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed image.\r
606 @param[in] AuthDataSize Size of the Authenticode Signature in bytes.\r
607 \r
0c18794e 608 @retval EFI_UNSUPPORTED Hash algorithm is not supported.\r
609 @retval EFI_SUCCESS Hash successfully.\r
610\r
611**/\r
45bf2c47 612EFI_STATUS\r
0c18794e 613HashPeImageByType (\r
f6f9031f 614 IN UINT8 *AuthData,\r
615 IN UINTN AuthDataSize\r
0c18794e 616 )\r
617{\r
618 UINT8 Index;\r
badd40f9 619\r
45bf2c47 620 for (Index = 0; Index < HASHALG_MAX; Index++) {\r
0c18794e 621 //\r
622 // Check the Hash algorithm in PE/COFF Authenticode.\r
45bf2c47 623 // According to PKCS#7 Definition:\r
0c18794e 624 // SignedData ::= SEQUENCE {\r
625 // version Version,\r
626 // digestAlgorithms DigestAlgorithmIdentifiers,\r
627 // contentInfo ContentInfo,\r
628 // .... }\r
629 // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing\r
630 // This field has the fixed offset (+32) in final Authenticode ASN.1 data.\r
bd0de396 631 // Fixed offset (+32) is calculated based on two bytes of length encoding.\r
45bf2c47 632 //\r
f6f9031f 633 if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {\r
bd0de396 634 //\r
635 // Only support two bytes of Long Form of Length Encoding.\r
636 //\r
637 continue;\r
638 }\r
639\r
f6f9031f 640 if (AuthDataSize < 32 + mHash[Index].OidLength) {\r
badd40f9 641 return EFI_UNSUPPORTED;\r
642 }\r
643\r
f6f9031f 644 if (CompareMem (AuthData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {\r
0c18794e 645 break;\r
646 }\r
647 }\r
648\r
649 if (Index == HASHALG_MAX) {\r
650 return EFI_UNSUPPORTED;\r
651 }\r
652\r
653 //\r
654 // HASH PE Image based on Hash algorithm in PE/COFF Authenticode.\r
655 //\r
656 if (!HashPeImage(Index)) {\r
657 return EFI_UNSUPPORTED;\r
658 }\r
659\r
660 return EFI_SUCCESS;\r
661}\r
662\r
663\r
664/**\r
665 Returns the size of a given image execution info table in bytes.\r
666\r
667 This function returns the size, in bytes, of the image execution info table specified by\r
668 ImageExeInfoTable. If ImageExeInfoTable is NULL, then 0 is returned.\r
669\r
670 @param ImageExeInfoTable A pointer to a image execution info table structure.\r
45bf2c47 671\r
0c18794e 672 @retval 0 If ImageExeInfoTable is NULL.\r
673 @retval Others The size of a image execution info table in bytes.\r
674\r
675**/\r
676UINTN\r
677GetImageExeInfoTableSize (\r
678 EFI_IMAGE_EXECUTION_INFO_TABLE *ImageExeInfoTable\r
679 )\r
680{\r
681 UINTN Index;\r
682 EFI_IMAGE_EXECUTION_INFO *ImageExeInfoItem;\r
683 UINTN TotalSize;\r
684\r
685 if (ImageExeInfoTable == NULL) {\r
686 return 0;\r
687 }\r
688\r
689 ImageExeInfoItem = (EFI_IMAGE_EXECUTION_INFO *) ((UINT8 *) ImageExeInfoTable + sizeof (EFI_IMAGE_EXECUTION_INFO_TABLE));\r
690 TotalSize = sizeof (EFI_IMAGE_EXECUTION_INFO_TABLE);\r
691 for (Index = 0; Index < ImageExeInfoTable->NumberOfImages; Index++) {\r
692 TotalSize += ReadUnaligned32 ((UINT32 *) &ImageExeInfoItem->InfoSize);\r
693 ImageExeInfoItem = (EFI_IMAGE_EXECUTION_INFO *) ((UINT8 *) ImageExeInfoItem + ReadUnaligned32 ((UINT32 *) &ImageExeInfoItem->InfoSize));\r
694 }\r
695\r
696 return TotalSize;\r
697}\r
698\r
699/**\r
700 Create an Image Execution Information Table entry and add it to system configuration table.\r
701\r
702 @param[in] Action Describes the action taken by the firmware regarding this image.\r
703 @param[in] Name Input a null-terminated, user-friendly name.\r
704 @param[in] DevicePath Input device path pointer.\r
705 @param[in] Signature Input signature info in EFI_SIGNATURE_LIST data structure.\r
706 @param[in] SignatureSize Size of signature.\r
45bf2c47 707\r
0c18794e 708**/\r
709VOID\r
710AddImageExeInfo (\r
45bf2c47 711 IN EFI_IMAGE_EXECUTION_ACTION Action,\r
712 IN CHAR16 *Name OPTIONAL,\r
0c18794e 713 IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath,\r
714 IN EFI_SIGNATURE_LIST *Signature OPTIONAL,\r
715 IN UINTN SignatureSize\r
716 )\r
717{\r
0c18794e 718 EFI_IMAGE_EXECUTION_INFO_TABLE *ImageExeInfoTable;\r
719 EFI_IMAGE_EXECUTION_INFO_TABLE *NewImageExeInfoTable;\r
720 EFI_IMAGE_EXECUTION_INFO *ImageExeInfoEntry;\r
721 UINTN ImageExeInfoTableSize;\r
722 UINTN NewImageExeInfoEntrySize;\r
723 UINTN NameStringLen;\r
724 UINTN DevicePathSize;\r
725\r
0c18794e 726 ImageExeInfoTable = NULL;\r
727 NewImageExeInfoTable = NULL;\r
728 ImageExeInfoEntry = NULL;\r
729 NameStringLen = 0;\r
730\r
570b3d1a 731 if (DevicePath == NULL) {\r
732 return ;\r
733 }\r
45bf2c47 734\r
0c18794e 735 if (Name != NULL) {\r
736 NameStringLen = StrSize (Name);\r
b3d42170 737 } else {\r
738 NameStringLen = sizeof (CHAR16);\r
0c18794e 739 }\r
740\r
45bf2c47 741 EfiGetSystemConfigurationTable (&gEfiImageSecurityDatabaseGuid, (VOID **) &ImageExeInfoTable);\r
0c18794e 742 if (ImageExeInfoTable != NULL) {\r
743 //\r
744 // The table has been found!\r
b3d42170 745 // We must enlarge the table to accomodate the new exe info entry.\r
0c18794e 746 //\r
747 ImageExeInfoTableSize = GetImageExeInfoTableSize (ImageExeInfoTable);\r
748 } else {\r
749 //\r
750 // Not Found!\r
751 // We should create a new table to append to the configuration table.\r
752 //\r
753 ImageExeInfoTableSize = sizeof (EFI_IMAGE_EXECUTION_INFO_TABLE);\r
754 }\r
755\r
756 DevicePathSize = GetDevicePathSize (DevicePath);\r
757 NewImageExeInfoEntrySize = sizeof (EFI_IMAGE_EXECUTION_INFO) + NameStringLen + DevicePathSize + SignatureSize;\r
758 NewImageExeInfoTable = (EFI_IMAGE_EXECUTION_INFO_TABLE *) AllocateRuntimePool (ImageExeInfoTableSize + NewImageExeInfoEntrySize);\r
570b3d1a 759 if (NewImageExeInfoTable == NULL) {\r
760 return ;\r
761 }\r
0c18794e 762\r
763 if (ImageExeInfoTable != NULL) {\r
764 CopyMem (NewImageExeInfoTable, ImageExeInfoTable, ImageExeInfoTableSize);\r
765 } else {\r
766 NewImageExeInfoTable->NumberOfImages = 0;\r
767 }\r
768 NewImageExeInfoTable->NumberOfImages++;\r
769 ImageExeInfoEntry = (EFI_IMAGE_EXECUTION_INFO *) ((UINT8 *) NewImageExeInfoTable + ImageExeInfoTableSize);\r
770 //\r
ffccb935 771 // Update new item's information.\r
0c18794e 772 //\r
1fee5304
ED
773 WriteUnaligned32 ((UINT32 *) ImageExeInfoEntry, Action);\r
774 WriteUnaligned32 ((UINT32 *) ((UINT8 *) ImageExeInfoEntry + sizeof (EFI_IMAGE_EXECUTION_ACTION)), (UINT32) NewImageExeInfoEntrySize);\r
0c18794e 775\r
776 if (Name != NULL) {\r
1fee5304 777 CopyMem ((UINT8 *) ImageExeInfoEntry + sizeof (EFI_IMAGE_EXECUTION_ACTION) + sizeof (UINT32), Name, NameStringLen);\r
b3d42170 778 } else {\r
1fee5304 779 ZeroMem ((UINT8 *) ImageExeInfoEntry + sizeof (EFI_IMAGE_EXECUTION_ACTION) + sizeof (UINT32), sizeof (CHAR16));\r
0c18794e 780 }\r
781 CopyMem (\r
1fee5304 782 (UINT8 *) ImageExeInfoEntry + sizeof (EFI_IMAGE_EXECUTION_ACTION) + sizeof (UINT32) + NameStringLen,\r
0c18794e 783 DevicePath,\r
784 DevicePathSize\r
785 );\r
786 if (Signature != NULL) {\r
787 CopyMem (\r
1fee5304 788 (UINT8 *) ImageExeInfoEntry + sizeof (EFI_IMAGE_EXECUTION_ACTION) + sizeof (UINT32) + NameStringLen + DevicePathSize,\r
0c18794e 789 Signature,\r
790 SignatureSize\r
791 );\r
792 }\r
793 //\r
794 // Update/replace the image execution table.\r
795 //\r
570b3d1a 796 gBS->InstallConfigurationTable (&gEfiImageSecurityDatabaseGuid, (VOID *) NewImageExeInfoTable);\r
45bf2c47 797\r
0c18794e 798 //\r
799 // Free Old table data!\r
800 //\r
801 if (ImageExeInfoTable != NULL) {\r
802 FreePool (ImageExeInfoTable);\r
803 }\r
804}\r
805\r
0c18794e 806/**\r
807 Check whether signature is in specified database.\r
808\r
809 @param[in] VariableName Name of database variable that is searched in.\r
810 @param[in] Signature Pointer to signature that is searched for.\r
811 @param[in] CertType Pointer to hash algrithom.\r
812 @param[in] SignatureSize Size of Signature.\r
813\r
814 @return TRUE Found the signature in the variable database.\r
815 @return FALSE Not found the signature in the variable database.\r
816\r
817**/\r
818BOOLEAN\r
819IsSignatureFoundInDatabase (\r
820 IN CHAR16 *VariableName,\r
45bf2c47 821 IN UINT8 *Signature,\r
0c18794e 822 IN EFI_GUID *CertType,\r
823 IN UINTN SignatureSize\r
824 )\r
825{\r
826 EFI_STATUS Status;\r
827 EFI_SIGNATURE_LIST *CertList;\r
828 EFI_SIGNATURE_DATA *Cert;\r
829 UINTN DataSize;\r
830 UINT8 *Data;\r
831 UINTN Index;\r
832 UINTN CertCount;\r
833 BOOLEAN IsFound;\r
834 //\r
835 // Read signature database variable.\r
836 //\r
837 IsFound = FALSE;\r
838 Data = NULL;\r
839 DataSize = 0;\r
840 Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);\r
841 if (Status != EFI_BUFFER_TOO_SMALL) {\r
842 return FALSE;\r
843 }\r
844\r
845 Data = (UINT8 *) AllocateZeroPool (DataSize);\r
570b3d1a 846 if (Data == NULL) {\r
847 return FALSE;\r
848 }\r
0c18794e 849\r
850 Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data);\r
851 if (EFI_ERROR (Status)) {\r
852 goto Done;\r
853 }\r
854 //\r
855 // Enumerate all signature data in SigDB to check if executable's signature exists.\r
856 //\r
857 CertList = (EFI_SIGNATURE_LIST *) Data;\r
858 while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) {\r
7403ff5b 859 CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;\r
0c18794e 860 Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);\r
861 if ((CertList->SignatureSize == sizeof(EFI_SIGNATURE_DATA) - 1 + SignatureSize) && (CompareGuid(&CertList->SignatureType, CertType))) {\r
862 for (Index = 0; Index < CertCount; Index++) {\r
863 if (CompareMem (Cert->SignatureData, Signature, SignatureSize) == 0) {\r
864 //\r
865 // Find the signature in database.\r
866 //\r
867 IsFound = TRUE;\r
c1d93242 868 SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert);\r
0c18794e 869 break;\r
870 }\r
871\r
872 Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);\r
873 }\r
874\r
875 if (IsFound) {\r
876 break;\r
877 }\r
878 }\r
879\r
880 DataSize -= CertList->SignatureListSize;\r
881 CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);\r
882 }\r
883\r
884Done:\r
885 if (Data != NULL) {\r
886 FreePool (Data);\r
887 }\r
888\r
889 return IsFound;\r
890}\r
891\r
892/**\r
45bf2c47 893 Verify PKCS#7 SignedData using certificate found in Variable which formatted\r
894 as EFI_SIGNATURE_LIST. The Variable may be PK, KEK, DB or DBX.\r
0c18794e 895\r
f6f9031f 896 @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed image.\r
897 @param[in] AuthDataSize Size of the Authenticode Signature in bytes.\r
898 @param[in] VariableName Name of Variable to search for Certificate.\r
899 @param[in] VendorGuid Variable vendor GUID.\r
45bf2c47 900\r
901 @retval TRUE Image pass verification.\r
902 @retval FALSE Image fail verification.\r
0c18794e 903\r
904**/\r
45bf2c47 905BOOLEAN\r
906IsPkcsSignedDataVerifiedBySignatureList (\r
f6f9031f 907 IN UINT8 *AuthData,\r
908 IN UINTN AuthDataSize,\r
45bf2c47 909 IN CHAR16 *VariableName,\r
910 IN EFI_GUID *VendorGuid\r
0c18794e 911 )\r
912{\r
913 EFI_STATUS Status;\r
914 BOOLEAN VerifyStatus;\r
0c18794e 915 EFI_SIGNATURE_LIST *CertList;\r
916 EFI_SIGNATURE_DATA *Cert;\r
917 UINTN DataSize;\r
45bf2c47 918 UINT8 *Data;\r
0c18794e 919 UINT8 *RootCert;\r
920 UINTN RootCertSize;\r
921 UINTN Index;\r
922 UINTN CertCount;\r
923\r
45bf2c47 924 Data = NULL;\r
925 CertList = NULL;\r
926 Cert = NULL;\r
927 RootCert = NULL;\r
928 RootCertSize = 0;\r
929 VerifyStatus = FALSE;\r
0c18794e 930\r
0c18794e 931 DataSize = 0;\r
45bf2c47 932 Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &DataSize, NULL);\r
0c18794e 933 if (Status == EFI_BUFFER_TOO_SMALL) {\r
45bf2c47 934 Data = (UINT8 *) AllocateZeroPool (DataSize);\r
935 if (Data == NULL) {\r
936 return VerifyStatus;\r
570b3d1a 937 }\r
0c18794e 938\r
45bf2c47 939 Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &DataSize, (VOID *) Data);\r
0c18794e 940 if (EFI_ERROR (Status)) {\r
941 goto Done;\r
942 }\r
45bf2c47 943\r
944 //\r
945 // Find X509 certificate in Signature List to verify the signature in pkcs7 signed data.\r
0c18794e 946 //\r
45bf2c47 947 CertList = (EFI_SIGNATURE_LIST *) Data;\r
0c18794e 948 while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) {\r
949 if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {\r
950 Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);\r
951 CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;\r
952 for (Index = 0; Index < CertCount; Index++) {\r
953 //\r
45bf2c47 954 // Iterate each Signature Data Node within this CertList for verify.\r
955 //\r
0c18794e 956 RootCert = Cert->SignatureData;\r
3277a4e5 957 RootCertSize = CertList->SignatureSize - sizeof (EFI_GUID);\r
45bf2c47 958\r
0c18794e 959 //\r
45bf2c47 960 // Call AuthenticodeVerify library to Verify Authenticode struct.\r
0c18794e 961 //\r
962 VerifyStatus = AuthenticodeVerify (\r
f6f9031f 963 AuthData,\r
964 AuthDataSize,\r
0c18794e 965 RootCert,\r
966 RootCertSize,\r
967 mImageDigest,\r
968 mImageDigestSize\r
969 );\r
0c18794e 970 if (VerifyStatus) {\r
c1d93242 971 SecureBootHook (VariableName, VendorGuid, CertList->SignatureSize, Cert);\r
0c18794e 972 goto Done;\r
973 }\r
974 Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);\r
45bf2c47 975 }\r
0c18794e 976 }\r
977 DataSize -= CertList->SignatureListSize;\r
978 CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);\r
979 }\r
980 }\r
981\r
45bf2c47 982Done:\r
983 if (Data != NULL) {\r
984 FreePool (Data);\r
985 }\r
0c18794e 986\r
45bf2c47 987 return VerifyStatus;\r
988}\r
0c18794e 989\r
0c18794e 990/**\r
991 Provide verification service for signed images, which include both signature validation\r
45bf2c47 992 and platform policy control. For signature types, both UEFI WIN_CERTIFICATE_UEFI_GUID and\r
0c18794e 993 MSFT Authenticode type signatures are supported.\r
0c18794e 994\r
45bf2c47 995 In this implementation, only verify external executables when in USER MODE.\r
996 Executables from FV is bypass, so pass in AuthenticationStatus is ignored.\r
997\r
6de4c35f 998 The image verification policy is:\r
50fe73a1 999 If the image is signed,\r
6de4c35f 1000 At least one valid signature or at least one hash value of the image must match a record\r
1001 in the security database "db", and no valid signature nor any hash value of the image may\r
1002 be reflected in the security database "dbx".\r
50fe73a1 1003 Otherwise, the image is not signed,\r
6de4c35f 1004 The SHA256 hash value of the image must match a record in the security database "db", and\r
1005 not be reflected in the security data base "dbx".\r
45bf2c47 1006\r
dc204d5a
JY
1007 Caution: This function may receive untrusted input.\r
1008 PE/COFF image is external input, so this function will validate its data structure\r
1009 within this image buffer before use.\r
1010\r
45bf2c47 1011 @param[in] AuthenticationStatus\r
0c18794e 1012 This is the authentication status returned from the security\r
1013 measurement services for the input file.\r
1014 @param[in] File This is a pointer to the device path of the file that is\r
1015 being dispatched. This will optionally be used for logging.\r
1016 @param[in] FileBuffer File buffer matches the input file device path.\r
1017 @param[in] FileSize Size of File buffer matches the input file device path.\r
5db28a67
LG
1018 @param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.\r
1019\r
1020 @retval EFI_SUCCESS The file specified by DevicePath and non-NULL\r
1021 FileBuffer did authenticate, and the platform policy dictates\r
1022 that the DXE Foundation may use the file.\r
1023 @retval EFI_SUCCESS The device path specified by NULL device path DevicePath\r
1024 and non-NULL FileBuffer did authenticate, and the platform\r
1025 policy dictates that the DXE Foundation may execute the image in\r
1026 FileBuffer.\r
570b3d1a 1027 @retval EFI_OUT_RESOURCE Fail to allocate memory.\r
0c18794e 1028 @retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and\r
1029 the platform policy dictates that File should be placed\r
5db28a67
LG
1030 in the untrusted state. The image has been added to the file\r
1031 execution table.\r
1032 @retval EFI_ACCESS_DENIED The file specified by File and FileBuffer did not\r
1033 authenticate, and the platform policy dictates that the DXE\r
1034 Foundation many not use File.\r
0c18794e 1035\r
1036**/\r
1037EFI_STATUS\r
1038EFIAPI\r
1039DxeImageVerificationHandler (\r
1040 IN UINT32 AuthenticationStatus,\r
1041 IN CONST EFI_DEVICE_PATH_PROTOCOL *File,\r
1042 IN VOID *FileBuffer,\r
5db28a67
LG
1043 IN UINTN FileSize,\r
1044 IN BOOLEAN BootPolicy\r
0c18794e 1045 )\r
0c18794e 1046{\r
551d8081 1047 EFI_STATUS Status;\r
1048 UINT16 Magic;\r
1049 EFI_IMAGE_DOS_HEADER *DosHdr;\r
1050 EFI_STATUS VerifyStatus;\r
551d8081 1051 EFI_SIGNATURE_LIST *SignatureList;\r
1052 UINTN SignatureListSize;\r
1053 EFI_SIGNATURE_DATA *Signature;\r
1054 EFI_IMAGE_EXECUTION_ACTION Action;\r
1055 WIN_CERTIFICATE *WinCertificate;\r
1056 UINT32 Policy;\r
8f8ca22e 1057 UINT8 *SecureBoot;\r
551d8081 1058 PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;\r
1059 UINT32 NumberOfRvaAndSizes;\r
f6f9031f 1060 WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;\r
1061 WIN_CERTIFICATE_UEFI_GUID *WinCertUefiGuid;\r
1062 UINT8 *AuthData;\r
1063 UINTN AuthDataSize;\r
1064 EFI_IMAGE_DATA_DIRECTORY *SecDataDir;\r
6de4c35f 1065 UINT32 OffSet;\r
0c18794e 1066\r
0c18794e 1067 SignatureList = NULL;\r
1068 SignatureListSize = 0;\r
1069 WinCertificate = NULL;\r
f6f9031f 1070 SecDataDir = NULL;\r
1071 PkcsCertData = NULL;\r
0c18794e 1072 Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;\r
1073 Status = EFI_ACCESS_DENIED;\r
6de4c35f 1074 VerifyStatus = EFI_ACCESS_DENIED;\r
1075\r
0c18794e 1076 //\r
1077 // Check the image type and get policy setting.\r
1078 //\r
1079 switch (GetImageType (File)) {\r
45bf2c47 1080\r
0c18794e 1081 case IMAGE_FROM_FV:\r
1082 Policy = ALWAYS_EXECUTE;\r
1083 break;\r
1084\r
1085 case IMAGE_FROM_OPTION_ROM:\r
1086 Policy = PcdGet32 (PcdOptionRomImageVerificationPolicy);\r
1087 break;\r
1088\r
1089 case IMAGE_FROM_REMOVABLE_MEDIA:\r
1090 Policy = PcdGet32 (PcdRemovableMediaImageVerificationPolicy);\r
1091 break;\r
1092\r
1093 case IMAGE_FROM_FIXED_MEDIA:\r
1094 Policy = PcdGet32 (PcdFixedMediaImageVerificationPolicy);\r
1095 break;\r
1096\r
1097 default:\r
45bf2c47 1098 Policy = DENY_EXECUTE_ON_SECURITY_VIOLATION;\r
0c18794e 1099 break;\r
1100 }\r
1101 //\r
1102 // If policy is always/never execute, return directly.\r
1103 //\r
1104 if (Policy == ALWAYS_EXECUTE) {\r
1105 return EFI_SUCCESS;\r
1106 } else if (Policy == NEVER_EXECUTE) {\r
1107 return EFI_ACCESS_DENIED;\r
1108 }\r
beda2356 1109\r
db44ea6c 1110 //\r
68fc0c73
FS
1111 // The policy QUERY_USER_ON_SECURITY_VIOLATION and ALLOW_EXECUTE_ON_SECURITY_VIOLATION \r
1112 // violates the UEFI spec and has been removed.\r
db44ea6c 1113 //\r
68fc0c73
FS
1114 ASSERT (Policy != QUERY_USER_ON_SECURITY_VIOLATION && Policy != ALLOW_EXECUTE_ON_SECURITY_VIOLATION);\r
1115 if (Policy == QUERY_USER_ON_SECURITY_VIOLATION || Policy == ALLOW_EXECUTE_ON_SECURITY_VIOLATION) {\r
db44ea6c
FS
1116 CpuDeadLoop ();\r
1117 }\r
1118\r
8f8ca22e 1119 GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);\r
beda2356 1120 //\r
8f8ca22e 1121 // Skip verification if SecureBoot variable doesn't exist.\r
beda2356 1122 //\r
8f8ca22e 1123 if (SecureBoot == NULL) {\r
beda2356 1124 return EFI_SUCCESS;\r
1125 }\r
1126\r
1127 //\r
8f8ca22e 1128 // Skip verification if SecureBoot is disabled.\r
beda2356 1129 //\r
8f8ca22e 1130 if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {\r
1131 FreePool (SecureBoot);\r
beda2356 1132 return EFI_SUCCESS;\r
45bf2c47 1133 }\r
8f8ca22e 1134 FreePool (SecureBoot);\r
551d8081 1135\r
0c18794e 1136 //\r
1137 // Read the Dos header.\r
1138 //\r
570b3d1a 1139 if (FileBuffer == NULL) {\r
570b3d1a 1140 return EFI_INVALID_PARAMETER;\r
1141 }\r
551d8081 1142\r
0c18794e 1143 mImageBase = (UINT8 *) FileBuffer;\r
1144 mImageSize = FileSize;\r
28186d45
ED
1145\r
1146 ZeroMem (&ImageContext, sizeof (ImageContext));\r
1147 ImageContext.Handle = (VOID *) FileBuffer;\r
e0192326 1148 ImageContext.ImageRead = (PE_COFF_LOADER_READ_FILE) DxeImageVerificationLibImageRead;\r
28186d45
ED
1149\r
1150 //\r
1151 // Get information about the image being loaded\r
1152 //\r
1153 Status = PeCoffLoaderGetImageInfo (&ImageContext);\r
1154 if (EFI_ERROR (Status)) {\r
1155 //\r
1156 // The information can't be got from the invalid PeImage\r
1157 //\r
1158 goto Done;\r
1159 }\r
1160\r
badd40f9 1161 Status = EFI_ACCESS_DENIED;\r
1162\r
1163 DosHdr = (EFI_IMAGE_DOS_HEADER *) mImageBase;\r
0c18794e 1164 if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) {\r
1165 //\r
45bf2c47 1166 // DOS image header is present,\r
0c18794e 1167 // so read the PE header after the DOS image header.\r
1168 //\r
1169 mPeCoffHeaderOffset = DosHdr->e_lfanew;\r
1170 } else {\r
1171 mPeCoffHeaderOffset = 0;\r
1172 }\r
1173 //\r
1174 // Check PE/COFF image.\r
1175 //\r
1176 mNtHeader.Pe32 = (EFI_IMAGE_NT_HEADERS32 *) (mImageBase + mPeCoffHeaderOffset);\r
1177 if (mNtHeader.Pe32->Signature != EFI_IMAGE_NT_SIGNATURE) {\r
1178 //\r
1179 // It is not a valid Pe/Coff file.\r
1180 //\r
551d8081 1181 goto Done;\r
0c18794e 1182 }\r
1183\r
de2447dd 1184 if (mNtHeader.Pe32->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 && mNtHeader.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {\r
1185 //\r
1186 // NOTE: Some versions of Linux ELILO for Itanium have an incorrect magic value \r
1187 // in the PE/COFF Header. If the MachineType is Itanium(IA64) and the \r
1188 // Magic value in the OptionalHeader is EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC\r
1189 // then override the magic value to EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC\r
1190 //\r
1191 Magic = EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC;\r
1192 } else {\r
1193 //\r
1194 // Get the magic value from the PE/COFF Optional Header\r
1195 //\r
1196 Magic = mNtHeader.Pe32->OptionalHeader.Magic;\r
1197 }\r
1198 \r
0c18794e 1199 if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {\r
1200 //\r
1201 // Use PE32 offset.\r
1202 //\r
551d8081 1203 NumberOfRvaAndSizes = mNtHeader.Pe32->OptionalHeader.NumberOfRvaAndSizes;\r
1204 if (NumberOfRvaAndSizes > EFI_IMAGE_DIRECTORY_ENTRY_SECURITY) {\r
f6f9031f 1205 SecDataDir = (EFI_IMAGE_DATA_DIRECTORY *) &mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];\r
551d8081 1206 } \r
570b3d1a 1207 } else {\r
1208 //\r
551d8081 1209 // Use PE32+ offset.\r
570b3d1a 1210 //\r
551d8081 1211 NumberOfRvaAndSizes = mNtHeader.Pe32Plus->OptionalHeader.NumberOfRvaAndSizes;\r
1212 if (NumberOfRvaAndSizes > EFI_IMAGE_DIRECTORY_ENTRY_SECURITY) {\r
f6f9031f 1213 SecDataDir = (EFI_IMAGE_DATA_DIRECTORY *) &mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];\r
551d8081 1214 }\r
0c18794e 1215 }\r
1216\r
6de4c35f 1217 //\r
1218 // Start Image Validation.\r
1219 //\r
1220 if (SecDataDir == NULL || SecDataDir->Size == 0) {\r
0c18794e 1221 //\r
6de4c35f 1222 // This image is not signed. The SHA256 hash value of the image must match a record in the security database "db", \r
1223 // and not be reflected in the security data base "dbx".\r
0c18794e 1224 //\r
45bf2c47 1225 if (!HashPeImage (HASHALG_SHA256)) {\r
1226 goto Done;\r
1227 }\r
1228\r
1229 if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {\r
1230 //\r
1231 // Image Hash is in forbidden database (DBX).\r
1232 //\r
45bf2c47 1233 goto Done;\r
1234 }\r
1235\r
1236 if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {\r
1237 //\r
1238 // Image Hash is in allowed database (DB).\r
1239 //\r
1240 return EFI_SUCCESS;\r
1241 }\r
1242\r
1243 //\r
1244 // Image Hash is not found in both forbidden and allowed database.\r
1245 //\r
45bf2c47 1246 goto Done;\r
0c18794e 1247 }\r
45bf2c47 1248\r
0c18794e 1249 //\r
6de4c35f 1250 // Verify the signature of the image, multiple signatures are allowed as per PE/COFF Section 4.7 \r
1251 // "Attribute Certificate Table".\r
1252 // The first certificate starts at offset (SecDataDir->VirtualAddress) from the start of the file.\r
0c18794e 1253 //\r
6de4c35f 1254 for (OffSet = SecDataDir->VirtualAddress;\r
1255 OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);\r
1256 OffSet += WinCertificate->dwLength, OffSet += ALIGN_SIZE (OffSet)) {\r
1257 WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);\r
1258 if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof (WIN_CERTIFICATE) ||\r
1259 (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate->dwLength) {\r
1260 break;\r
1261 }\r
1262 \r
0c18794e 1263 //\r
6de4c35f 1264 // Verify the image's Authenticode signature, only DER-encoded PKCS#7 signed data is supported.\r
0c18794e 1265 //\r
6de4c35f 1266 if (WinCertificate->wCertificateType == WIN_CERT_TYPE_PKCS_SIGNED_DATA) {\r
1267 //\r
1268 // The certificate is formatted as WIN_CERTIFICATE_EFI_PKCS which is described in the \r
1269 // Authenticode specification.\r
1270 //\r
1271 PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *) WinCertificate;\r
1272 if (PkcsCertData->Hdr.dwLength <= sizeof (PkcsCertData->Hdr)) {\r
1273 break;\r
1274 }\r
1275 AuthData = PkcsCertData->CertData;\r
1276 AuthDataSize = PkcsCertData->Hdr.dwLength - sizeof(PkcsCertData->Hdr);\r
1277 } else if (WinCertificate->wCertificateType == WIN_CERT_TYPE_EFI_GUID) {\r
1278 //\r
1279 // The certificate is formatted as WIN_CERTIFICATE_UEFI_GUID which is described in UEFI Spec.\r
1280 //\r
1281 WinCertUefiGuid = (WIN_CERTIFICATE_UEFI_GUID *) WinCertificate;\r
1282 if (WinCertUefiGuid->Hdr.dwLength <= OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData)) {\r
1283 break;\r
1284 }\r
1285 if (!CompareGuid (&WinCertUefiGuid->CertType, &gEfiCertPkcs7Guid)) {\r
1286 continue;\r
1287 }\r
1288 AuthData = WinCertUefiGuid->CertData;\r
1289 AuthDataSize = WinCertUefiGuid->Hdr.dwLength - OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData);\r
1290 } else {\r
1291 if (WinCertificate->dwLength < sizeof (WIN_CERTIFICATE)) {\r
1292 break;\r
1293 }\r
1294 continue;\r
84bce75b 1295 }\r
6de4c35f 1296\r
f6f9031f 1297 Status = HashPeImageByType (AuthData, AuthDataSize);\r
45bf2c47 1298 if (EFI_ERROR (Status)) {\r
6de4c35f 1299 continue;\r
0c18794e 1300 }\r
6de4c35f 1301 \r
f6f9031f 1302 //\r
6de4c35f 1303 // Check the digital signature against the revoked certificate in forbidden database (dbx).\r
f6f9031f 1304 //\r
6de4c35f 1305 if (IsPkcsSignedDataVerifiedBySignatureList (AuthData, AuthDataSize, EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid)) {\r
1306 Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;\r
1307 VerifyStatus = EFI_ACCESS_DENIED;\r
1308 break;\r
f6f9031f 1309 }\r
0c18794e 1310\r
1311 //\r
6de4c35f 1312 // Check the digital signature against the valid certificate in allowed database (db).\r
0c18794e 1313 //\r
6de4c35f 1314 if (EFI_ERROR (VerifyStatus)) {\r
1315 if (IsPkcsSignedDataVerifiedBySignatureList (AuthData, AuthDataSize, EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid)) {\r
1316 VerifyStatus = EFI_SUCCESS;\r
1317 }\r
0c18794e 1318 }\r
6de4c35f 1319\r
0c18794e 1320 //\r
6de4c35f 1321 // Check the image's hash value.\r
0c18794e 1322 //\r
6de4c35f 1323 if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {\r
1324 Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;\r
1325 VerifyStatus = EFI_ACCESS_DENIED;\r
1326 break;\r
1327 } else if (EFI_ERROR (VerifyStatus)) {\r
1328 if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {\r
1329 VerifyStatus = EFI_SUCCESS;\r
1330 }\r
45bf2c47 1331 }\r
50fe73a1 1332 }\r
1333\r
6de4c35f 1334 if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size)) {\r
0c18794e 1335 //\r
6de4c35f 1336 // The Size in Certificate Table or the attribute certicate table is corrupted.\r
0c18794e 1337 //\r
6de4c35f 1338 VerifyStatus = EFI_ACCESS_DENIED;\r
1339 }\r
1340 \r
1341 if (!EFI_ERROR (VerifyStatus)) {\r
1342 return EFI_SUCCESS;\r
1343 } else {\r
1344 Status = EFI_ACCESS_DENIED;\r
1345 if (Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED || Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND) {\r
1346 //\r
1347 // Get image hash value as executable's signature.\r
1348 //\r
1349 SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + mImageDigestSize;\r
1350 SignatureList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SignatureListSize);\r
1351 if (SignatureList == NULL) {\r
1352 Status = EFI_OUT_OF_RESOURCES;\r
1353 goto Done;\r
1354 }\r
1355 SignatureList->SignatureHeaderSize = 0;\r
1356 SignatureList->SignatureListSize = (UINT32) SignatureListSize;\r
1357 SignatureList->SignatureSize = (UINT32) mImageDigestSize;\r
1358 CopyMem (&SignatureList->SignatureType, &mCertType, sizeof (EFI_GUID));\r
1359 Signature = (EFI_SIGNATURE_DATA *) ((UINT8 *) SignatureList + sizeof (EFI_SIGNATURE_LIST));\r
1360 CopyMem (Signature->SignatureData, mImageDigest, mImageDigestSize);\r
50fe73a1 1361 }\r
0c18794e 1362 }\r
1363\r
1364Done:\r
1365 if (Status != EFI_SUCCESS) {\r
1366 //\r
1367 // Policy decides to defer or reject the image; add its information in image executable information table.\r
1368 //\r
1369 AddImageExeInfo (Action, NULL, File, SignatureList, SignatureListSize);\r
5db28a67 1370 Status = EFI_SECURITY_VIOLATION;\r
0c18794e 1371 }\r
1372\r
1373 if (SignatureList != NULL) {\r
1374 FreePool (SignatureList);\r
1375 }\r
1376\r
0c18794e 1377 return Status;\r
1378}\r
1379\r
ffccb935
DG
1380/**\r
1381 On Ready To Boot Services Event notification handler.\r
1382\r
1383 Add the image execution information table if it is not in system configuration table.\r
1384\r
1385 @param[in] Event Event whose notification function is being invoked\r
1386 @param[in] Context Pointer to the notification function's context\r
1387\r
1388**/\r
1389VOID\r
1390EFIAPI\r
1391OnReadyToBoot (\r
1392 IN EFI_EVENT Event,\r
1393 IN VOID *Context\r
1394 )\r
1395{\r
1396 EFI_IMAGE_EXECUTION_INFO_TABLE *ImageExeInfoTable;\r
1397 UINTN ImageExeInfoTableSize;\r
1398\r
1399 EfiGetSystemConfigurationTable (&gEfiImageSecurityDatabaseGuid, (VOID **) &ImageExeInfoTable);\r
1400 if (ImageExeInfoTable != NULL) {\r
1401 return;\r
1402 }\r
1403\r
1404 ImageExeInfoTableSize = sizeof (EFI_IMAGE_EXECUTION_INFO_TABLE);\r
1405 ImageExeInfoTable = (EFI_IMAGE_EXECUTION_INFO_TABLE *) AllocateRuntimePool (ImageExeInfoTableSize);\r
1406 if (ImageExeInfoTable == NULL) {\r
1407 return ;\r
1408 }\r
1409\r
1410 ImageExeInfoTable->NumberOfImages = 0; \r
1411 gBS->InstallConfigurationTable (&gEfiImageSecurityDatabaseGuid, (VOID *) ImageExeInfoTable);\r
1412\r
1413}\r
1414\r
0c18794e 1415/**\r
1416 Register security measurement handler.\r
1417\r
1418 @param ImageHandle ImageHandle of the loaded driver.\r
1419 @param SystemTable Pointer to the EFI System Table.\r
1420\r
1421 @retval EFI_SUCCESS The handlers were registered successfully.\r
1422**/\r
1423EFI_STATUS\r
1424EFIAPI\r
1425DxeImageVerificationLibConstructor (\r
1426 IN EFI_HANDLE ImageHandle,\r
1427 IN EFI_SYSTEM_TABLE *SystemTable\r
1428 )\r
1429{\r
ffccb935
DG
1430 EFI_EVENT Event;\r
1431\r
1432 //\r
1433 // Register the event to publish the image execution table.\r
1434 //\r
1435 EfiCreateEventReadyToBootEx (\r
1436 TPL_CALLBACK,\r
1437 OnReadyToBoot, \r
1438 NULL, \r
1439 &Event\r
1440 ); \r
1441\r
5db28a67 1442 return RegisterSecurity2Handler (\r
0c18794e 1443 DxeImageVerificationHandler,\r
1444 EFI_AUTH_OPERATION_VERIFY_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED\r
45bf2c47 1445 );\r
0c18794e 1446}\r