[mirror_edk2.git] / SecurityPkg / Library / DxeRsa2048Sha256GuidedSectionExtractLib / DxeRsa2048Sha256GuidedSectionExtractLib.c

/** @file\r
\r
  This library registers RSA 2048 SHA 256 guided section handler\r
  to parse RSA 2048 SHA 256 encapsulation section and extract raw data.\r
  It uses the BaseCryptLib based on OpenSSL to authenticate the signature.\r
\r
Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include <PiDxe.h>\r
#include <Protocol/Hash.h>\r
#include <Protocol/SecurityPolicy.h>\r
#include <Library/ExtractGuidedSectionLib.h>\r
#include <Library/DebugLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include <Library/MemoryAllocationLib.h>\r
#include <Library/UefiBootServicesTableLib.h>\r
#include <Library/PcdLib.h>\r
#include <Guid/WinCertificate.h>\r
#include <Library/BaseCryptLib.h>\r
#include <Library/PerformanceLib.h>\r
#include <Guid/SecurityPkgTokenSpace.h>\r
\r
///\r
/// RSA 2048 SHA 256 Guided Section header\r
///\r
typedef struct {\r
  EFI_GUID_DEFINED_SECTION          GuidedSectionHeader;    ///< EFI guided section header\r
  EFI_CERT_BLOCK_RSA_2048_SHA256    CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
} RSA_2048_SHA_256_SECTION_HEADER;\r
\r
typedef struct {\r
  EFI_GUID_DEFINED_SECTION2         GuidedSectionHeader;    ///< EFI guided section header\r
  EFI_CERT_BLOCK_RSA_2048_SHA256    CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
} RSA_2048_SHA_256_SECTION2_HEADER;\r
\r
///\r
/// Public Exponent of RSA Key.\r
///\r
CONST UINT8  mRsaE[] = { 0x01, 0x00, 0x01 };\r
\r
/**\r
\r
  GetInfo gets raw data size and attribute of the input guided section.\r
  It first checks whether the input guid section is supported.\r
  If not, EFI_INVALID_PARAMETER will return.\r
\r
  @param InputSection       Buffer containing the input GUIDed section to be processed.\r
  @param OutputBufferSize   The size of OutputBuffer.\r
  @param ScratchBufferSize  The size of ScratchBuffer.\r
  @param SectionAttribute   The attribute of the input guided section.\r
\r
  @retval EFI_SUCCESS            The size of destination buffer, the size of scratch buffer and\r
                                 the attribute of the input section are successfully retrieved.\r
  @retval EFI_INVALID_PARAMETER  The GUID in InputSection does not match this instance guid.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
Rsa2048Sha256GuidedSectionGetInfo (\r
  IN  CONST VOID  *InputSection,\r
  OUT UINT32      *OutputBufferSize,\r
  OUT UINT32      *ScratchBufferSize,\r
  OUT UINT16      *SectionAttribute\r
  )\r
{\r
  if (IS_SECTION2 (InputSection)) {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           &(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)\r
           ))\r
    {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Retrieve the size and attribute of the input section data.\r
    //\r
    *SectionAttribute  = ((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes;\r
    *ScratchBufferSize = 0;\r
    *OutputBufferSize  = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
  } else {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           &(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)\r
           ))\r
    {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Retrieve the size and attribute of the input section data.\r
    //\r
    *SectionAttribute  = ((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes;\r
    *ScratchBufferSize = 0;\r
    *OutputBufferSize  = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
  }\r
\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
\r
  Extraction handler tries to extract raw data from the input guided section.\r
  It also does authentication check for RSA 2048 SHA 256 signature in the input guided section.\r
  It first checks whether the input guid section is supported.\r
  If not, EFI_INVALID_PARAMETER will return.\r
\r
  @param InputSection    Buffer containing the input GUIDed section to be processed.\r
  @param OutputBuffer    Buffer to contain the output raw data allocated by the caller.\r
  @param ScratchBuffer   A pointer to a caller-allocated buffer for function internal use.\r
  @param AuthenticationStatus A pointer to a caller-allocated UINT32 that indicates the\r
                              authentication status of the output buffer.\r
\r
  @retval EFI_SUCCESS            Section Data and Auth Status is extracted successfully.\r
  @retval EFI_INVALID_PARAMETER  The GUID in InputSection does not match this instance guid.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
Rsa2048Sha256GuidedSectionHandler (\r
  IN CONST  VOID    *InputSection,\r
  OUT       VOID    **OutputBuffer,\r
  IN        VOID    *ScratchBuffer         OPTIONAL,\r
  OUT       UINT32  *AuthenticationStatus\r
  )\r
{\r
  EFI_STATUS                      Status;\r
  UINT32                          OutputBufferSize;\r
  VOID                            *DummyInterface;\r
  EFI_CERT_BLOCK_RSA_2048_SHA256  *CertBlockRsa2048Sha256;\r
  BOOLEAN                         CryptoStatus;\r
  UINT8                           Digest[SHA256_DIGEST_SIZE];\r
  UINT8                           *PublicKey;\r
  UINTN                           PublicKeyBufferSize;\r
  VOID                            *HashContext;\r
  VOID                            *Rsa;\r
\r
  HashContext = NULL;\r
  Rsa         = NULL;\r
\r
  if (IS_SECTION2 (InputSection)) {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           &(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)\r
           ))\r
    {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Get the RSA 2048 SHA 256 information.\r
    //\r
    CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION2_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
    OutputBufferSize       = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
    if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
      PERF_INMODULE_BEGIN ("DxeRsaCopy");\r
      CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER), OutputBufferSize);\r
      PERF_INMODULE_END ("DxeRsaCopy");\r
    } else {\r
      *OutputBuffer = (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
    }\r
\r
    //\r
    // Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
    //\r
    ASSERT ((((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
    *AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
  } else {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           &(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)\r
           ))\r
    {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Get the RSA 2048 SHA 256 information.\r
    //\r
    CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
    OutputBufferSize       = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
    if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
      PERF_INMODULE_BEGIN ("DxeRsaCopy");\r
      CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER), OutputBufferSize);\r
      PERF_INMODULE_END ("DxeRsaCopy");\r
    } else {\r
      *OutputBuffer = (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
    }\r
\r
    //\r
    // Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
    //\r
    ASSERT ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
    *AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
  }\r
\r
  //\r
  // Check whether there exists EFI_SECURITY_POLICY_PROTOCOL_GUID.\r
  //\r
  Status = gBS->LocateProtocol (&gEfiSecurityPolicyProtocolGuid, NULL, &DummyInterface);\r
  if (!EFI_ERROR (Status)) {\r
    //\r
    // If SecurityPolicy Protocol exist, AUTH platform override bit is set.\r
    //\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_PLATFORM_OVERRIDE;\r
\r
    return EFI_SUCCESS;\r
  }\r
\r
  //\r
  // All paths from here return EFI_SUCCESS and result is returned in AuthenticationStatus\r
  //\r
  Status = EFI_SUCCESS;\r
\r
  //\r
  // Fail if the HashType is not SHA 256\r
  //\r
  if (!CompareGuid (&gEfiHashAlgorithmSha256Guid, &CertBlockRsa2048Sha256->HashType)) {\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: HASH type of section is not supported\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Allocate hash context buffer required for SHA 256\r
  //\r
  HashContext = AllocatePool (Sha256GetContextSize ());\r
  if (HashContext == NULL) {\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Can not allocate hash context\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Hash public key from data payload with SHA256.\r
  //\r
  ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
  CryptoStatus = Sha256Init (HashContext);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Init() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  CryptoStatus = Sha256Update (HashContext, &CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Update() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  CryptoStatus = Sha256Final (HashContext, Digest);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Final() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Fail if the PublicKey is not one of the public keys in PcdRsa2048Sha256PublicKeyBuffer\r
  //\r
  PublicKey = (UINT8 *)PcdGetPtr (PcdRsa2048Sha256PublicKeyBuffer);\r
  DEBUG ((DEBUG_VERBOSE, "DxePcdRsa2048Sha256: PublicKeyBuffer = %p\n", PublicKey));\r
  ASSERT (PublicKey != NULL);\r
  DEBUG ((DEBUG_VERBOSE, "DxePcdRsa2048Sha256: PublicKeyBuffer Token = %08x\n", PcdToken (PcdRsa2048Sha256PublicKeyBuffer)));\r
  PublicKeyBufferSize = PcdGetSize (PcdRsa2048Sha256PublicKeyBuffer);\r
  DEBUG ((DEBUG_VERBOSE, "DxePcdRsa2048Sha256: PublicKeyBuffer Size = %08x\n", PublicKeyBufferSize));\r
  ASSERT ((PublicKeyBufferSize % SHA256_DIGEST_SIZE) == 0);\r
  CryptoStatus = FALSE;\r
  while (PublicKeyBufferSize != 0) {\r
    if (CompareMem (Digest, PublicKey, SHA256_DIGEST_SIZE) == 0) {\r
      CryptoStatus = TRUE;\r
      break;\r
    }\r
\r
    PublicKey           = PublicKey + SHA256_DIGEST_SIZE;\r
    PublicKeyBufferSize = PublicKeyBufferSize - SHA256_DIGEST_SIZE;\r
  }\r
\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Public key in section is not supported\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Generate & Initialize RSA Context.\r
  //\r
  Rsa = RsaNew ();\r
  if (Rsa == NULL) {\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaNew() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Set RSA Key Components.\r
  // NOTE: Only N and E are needed to be set as RSA public key for signature verification.\r
  //\r
  CryptoStatus = RsaSetKey (Rsa, RsaKeyN, CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaSetKey(RsaKeyN) failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  CryptoStatus = RsaSetKey (Rsa, RsaKeyE, mRsaE, sizeof (mRsaE));\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaSetKey(RsaKeyE) failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Hash data payload with SHA256.\r
  //\r
  ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
  CryptoStatus = Sha256Init (HashContext);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Init() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  PERF_INMODULE_BEGIN ("DxeRsaShaData");\r
  CryptoStatus = Sha256Update (HashContext, *OutputBuffer, OutputBufferSize);\r
  PERF_INMODULE_END ("DxeRsaShaData");\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Update() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  CryptoStatus = Sha256Final (HashContext, Digest);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Final() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Verify the RSA 2048 SHA 256 signature.\r
  //\r
  PERF_INMODULE_BEGIN ("DxeRsaVerify");\r
  CryptoStatus = RsaPkcs1Verify (\r
                   Rsa,\r
                   Digest,\r
                   SHA256_DIGEST_SIZE,\r
                   CertBlockRsa2048Sha256->Signature,\r
                   sizeof (CertBlockRsa2048Sha256->Signature)\r
                   );\r
  PERF_INMODULE_END ("DxeRsaVerify");\r
  if (!CryptoStatus) {\r
    //\r
    // If RSA 2048 SHA 256 signature verification fails, AUTH tested failed bit is set.\r
    //\r
    DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaPkcs1Verify() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
  }\r
\r
Done:\r
  //\r
  // Free allocated resources used to perform RSA 2048 SHA 256 signature verification\r
  //\r
  if (Rsa != NULL) {\r
    RsaFree (Rsa);\r
  }\r
\r
  if (HashContext != NULL) {\r
    FreePool (HashContext);\r
  }\r
\r
  DEBUG ((DEBUG_VERBOSE, "DxeRsa2048Sha256: Status = %r  AuthenticationStatus = %08x\n", Status, *AuthenticationStatus));\r
\r
  return Status;\r
}\r
\r
/**\r
  Register the handler to extract RSA 2048 SHA 256 guided section.\r
\r
  @param  ImageHandle  ImageHandle of the loaded driver.\r
  @param  SystemTable  Pointer to the EFI System Table.\r
\r
  @retval  EFI_SUCCESS            Register successfully.\r
  @retval  EFI_OUT_OF_RESOURCES   Not enough memory to register this handler.\r
**/\r
EFI_STATUS\r
EFIAPI\r
DxeRsa2048Sha256GuidedSectionExtractLibConstructor (\r
  IN EFI_HANDLE        ImageHandle,\r
  IN EFI_SYSTEM_TABLE  *SystemTable\r
  )\r
{\r
  return ExtractGuidedSectionRegisterHandlers (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           Rsa2048Sha256GuidedSectionGetInfo,\r
           Rsa2048Sha256GuidedSectionHandler\r
           );\r
}\r
Commit	Line	Data
1a53a034 MK	1	/** @file\r
1a53a034 MK	2	\r
b3548d32	3	This library registers RSA 2048 SHA 256 guided section handler\r
1a53a034	4	to parse RSA 2048 SHA 256 encapsulation section and extract raw data.\r
d6b926e7	5	It uses the BaseCryptLib based on OpenSSL to authenticate the signature.\r
1a53a034	6	\r
b3548d32	7	Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
289b714b	8	SPDX-License-Identifier: BSD-2-Clause-Patent\r
1a53a034 MK	9	\r
	10	**/\r
	11	\r
	12	#include <PiDxe.h>\r
	13	#include <Protocol/Hash.h>\r
	14	#include <Protocol/SecurityPolicy.h>\r
	15	#include <Library/ExtractGuidedSectionLib.h>\r
	16	#include <Library/DebugLib.h>\r
	17	#include <Library/BaseMemoryLib.h>\r
	18	#include <Library/MemoryAllocationLib.h>\r
	19	#include <Library/UefiBootServicesTableLib.h>\r
	20	#include <Library/PcdLib.h>\r
	21	#include <Guid/WinCertificate.h>\r
	22	#include <Library/BaseCryptLib.h>\r
	23	#include <Library/PerformanceLib.h>\r
	24	#include <Guid/SecurityPkgTokenSpace.h>\r
	25	\r
	26	///\r
	27	/// RSA 2048 SHA 256 Guided Section header\r
	28	///\r
	29	typedef struct {\r
c411b485 MK	30	EFI_GUID_DEFINED_SECTION GuidedSectionHeader; ///< EFI guided section header\r
c411b485 MK	31	EFI_CERT_BLOCK_RSA_2048_SHA256 CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
1a53a034 MK	32	} RSA_2048_SHA_256_SECTION_HEADER;\r
	33	\r
	34	typedef struct {\r
c411b485 MK	35	EFI_GUID_DEFINED_SECTION2 GuidedSectionHeader; ///< EFI guided section header\r
c411b485 MK	36	EFI_CERT_BLOCK_RSA_2048_SHA256 CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
1a53a034 MK	37	} RSA_2048_SHA_256_SECTION2_HEADER;\r
	38	\r
	39	///\r
	40	/// Public Exponent of RSA Key.\r
	41	///\r
c411b485	42	CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };\r
1a53a034 MK	43	\r
	44	/**\r
	45	\r
	46	GetInfo gets raw data size and attribute of the input guided section.\r
b3548d32	47	It first checks whether the input guid section is supported.\r
1a53a034 MK	48	If not, EFI_INVALID_PARAMETER will return.\r
	49	\r
	50	@param InputSection Buffer containing the input GUIDed section to be processed.\r
	51	@param OutputBufferSize The size of OutputBuffer.\r
	52	@param ScratchBufferSize The size of ScratchBuffer.\r
	53	@param SectionAttribute The attribute of the input guided section.\r
	54	\r
b3548d32	55	@retval EFI_SUCCESS The size of destination buffer, the size of scratch buffer and\r
0ab475c9	56	the attribute of the input section are successfully retrieved.\r
1a53a034 MK	57	@retval EFI_INVALID_PARAMETER The GUID in InputSection does not match this instance guid.\r
	58	\r
	59	**/\r
	60	EFI_STATUS\r
	61	EFIAPI\r
	62	Rsa2048Sha256GuidedSectionGetInfo (\r
	63	IN CONST VOID *InputSection,\r
	64	OUT UINT32 *OutputBufferSize,\r
	65	OUT UINT32 *ScratchBufferSize,\r
	66	OUT UINT16 *SectionAttribute\r
	67	)\r
	68	{\r
	69	if (IS_SECTION2 (InputSection)) {\r
	70	//\r
	71	// Check whether the input guid section is recognized.\r
	72	//\r
	73	if (!CompareGuid (\r
c411b485 MK	74	&gEfiCertTypeRsa2048Sha256Guid,\r
	75	&(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)\r
	76	))\r
	77	{\r
1a53a034 MK	78	return EFI_INVALID_PARAMETER;\r
1a53a034 MK	79	}\r
c411b485	80	\r
1a53a034 MK	81	//\r
	82	// Retrieve the size and attribute of the input section data.\r
	83	//\r
c411b485	84	SectionAttribute = ((EFI_GUID_DEFINED_SECTION2 )InputSection)->Attributes;\r
1a53a034	85	*ScratchBufferSize = 0;\r
c411b485	86	*OutputBufferSize = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
1a53a034 MK	87	} else {\r
	88	//\r
	89	// Check whether the input guid section is recognized.\r
	90	//\r
	91	if (!CompareGuid (\r
c411b485 MK	92	&gEfiCertTypeRsa2048Sha256Guid,\r
	93	&(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)\r
	94	))\r
	95	{\r
1a53a034 MK	96	return EFI_INVALID_PARAMETER;\r
1a53a034 MK	97	}\r
c411b485	98	\r
1a53a034 MK	99	//\r
	100	// Retrieve the size and attribute of the input section data.\r
	101	//\r
c411b485	102	SectionAttribute = ((EFI_GUID_DEFINED_SECTION )InputSection)->Attributes;\r
1a53a034	103	*ScratchBufferSize = 0;\r
c411b485	104	*OutputBufferSize = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
1a53a034 MK	105	}\r
	106	\r
	107	return EFI_SUCCESS;\r
	108	}\r
	109	\r
	110	/**\r
	111	\r
	112	Extraction handler tries to extract raw data from the input guided section.\r
	113	It also does authentication check for RSA 2048 SHA 256 signature in the input guided section.\r
b3548d32	114	It first checks whether the input guid section is supported.\r
1a53a034 MK	115	If not, EFI_INVALID_PARAMETER will return.\r
	116	\r
	117	@param InputSection Buffer containing the input GUIDed section to be processed.\r
	118	@param OutputBuffer Buffer to contain the output raw data allocated by the caller.\r
	119	@param ScratchBuffer A pointer to a caller-allocated buffer for function internal use.\r
	120	@param AuthenticationStatus A pointer to a caller-allocated UINT32 that indicates the\r
	121	authentication status of the output buffer.\r
	122	\r
	123	@retval EFI_SUCCESS Section Data and Auth Status is extracted successfully.\r
	124	@retval EFI_INVALID_PARAMETER The GUID in InputSection does not match this instance guid.\r
	125	\r
	126	**/\r
	127	EFI_STATUS\r
	128	EFIAPI\r
	129	Rsa2048Sha256GuidedSectionHandler (\r
	130	IN CONST VOID *InputSection,\r
	131	OUT VOID **OutputBuffer,\r
12710fe9	132	IN VOID *ScratchBuffer OPTIONAL,\r
1a53a034 MK	133	OUT UINT32 *AuthenticationStatus\r
	134	)\r
	135	{\r
	136	EFI_STATUS Status;\r
	137	UINT32 OutputBufferSize;\r
	138	VOID *DummyInterface;\r
	139	EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlockRsa2048Sha256;\r
	140	BOOLEAN CryptoStatus;\r
	141	UINT8 Digest[SHA256_DIGEST_SIZE];\r
	142	UINT8 *PublicKey;\r
	143	UINTN PublicKeyBufferSize;\r
	144	VOID *HashContext;\r
	145	VOID *Rsa;\r
b3548d32	146	\r
1a53a034 MK	147	HashContext = NULL;\r
1a53a034 MK	148	Rsa = NULL;\r
b3548d32	149	\r
1a53a034 MK	150	if (IS_SECTION2 (InputSection)) {\r
	151	//\r
	152	// Check whether the input guid section is recognized.\r
	153	//\r
	154	if (!CompareGuid (\r
c411b485 MK	155	&gEfiCertTypeRsa2048Sha256Guid,\r
	156	&(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)\r
	157	))\r
	158	{\r
1a53a034 MK	159	return EFI_INVALID_PARAMETER;\r
1a53a034 MK	160	}\r
b3548d32	161	\r
1a53a034 MK	162	//\r
	163	// Get the RSA 2048 SHA 256 information.\r
	164	//\r
c411b485	165	CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION2_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
1a53a034 MK	166	OutputBufferSize = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
1a53a034 MK	167	if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
e1dea56b	168	PERF_INMODULE_BEGIN ("DxeRsaCopy");\r
1a53a034	169	CopyMem (OutputBuffer, (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER), OutputBufferSize);\r
e1dea56b	170	PERF_INMODULE_END ("DxeRsaCopy");\r
1a53a034 MK	171	} else {\r
	172	OutputBuffer = (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
	173	}\r
	174	\r
	175	//\r
	176	// Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
	177	//\r
	178	ASSERT ((((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
	179	*AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
	180	} else {\r
	181	//\r
	182	// Check whether the input guid section is recognized.\r
	183	//\r
	184	if (!CompareGuid (\r
c411b485 MK	185	&gEfiCertTypeRsa2048Sha256Guid,\r
	186	&(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)\r
	187	))\r
	188	{\r
1a53a034 MK	189	return EFI_INVALID_PARAMETER;\r
1a53a034 MK	190	}\r
b3548d32	191	\r
1a53a034 MK	192	//\r
	193	// Get the RSA 2048 SHA 256 information.\r
	194	//\r
	195	CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
	196	OutputBufferSize = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
	197	if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
e1dea56b	198	PERF_INMODULE_BEGIN ("DxeRsaCopy");\r
1a53a034	199	CopyMem (OutputBuffer, (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER), OutputBufferSize);\r
e1dea56b	200	PERF_INMODULE_END ("DxeRsaCopy");\r
1a53a034 MK	201	} else {\r
	202	OutputBuffer = (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
	203	}\r
	204	\r
	205	//\r
	206	// Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
	207	//\r
c411b485	208	ASSERT ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
1a53a034 MK	209	*AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
	210	}\r
	211	\r
	212	//\r
	213	// Check whether there exists EFI_SECURITY_POLICY_PROTOCOL_GUID.\r
	214	//\r
	215	Status = gBS->LocateProtocol (&gEfiSecurityPolicyProtocolGuid, NULL, &DummyInterface);\r
	216	if (!EFI_ERROR (Status)) {\r
	217	//\r
	218	// If SecurityPolicy Protocol exist, AUTH platform override bit is set.\r
	219	//\r
	220	*AuthenticationStatus \|= EFI_AUTH_STATUS_PLATFORM_OVERRIDE;\r
b3548d32	221	\r
1a53a034 MK	222	return EFI_SUCCESS;\r
	223	}\r
	224	\r
	225	//\r
d6b926e7	226	// All paths from here return EFI_SUCCESS and result is returned in AuthenticationStatus\r
1a53a034 MK	227	//\r
1a53a034 MK	228	Status = EFI_SUCCESS;\r
b3548d32	229	\r
1a53a034 MK	230	//\r
	231	// Fail if the HashType is not SHA 256\r
	232	//\r
	233	if (!CompareGuid (&gEfiHashAlgorithmSha256Guid, &CertBlockRsa2048Sha256->HashType)) {\r
	234	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: HASH type of section is not supported\n"));\r
	235	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	236	goto Done;\r
	237	}\r
	238	\r
	239	//\r
	240	// Allocate hash context buffer required for SHA 256\r
	241	//\r
	242	HashContext = AllocatePool (Sha256GetContextSize ());\r
	243	if (HashContext == NULL) {\r
	244	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Can not allocate hash context\n"));\r
	245	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	246	goto Done;\r
	247	}\r
	248	\r
	249	//\r
	250	// Hash public key from data payload with SHA256.\r
	251	//\r
	252	ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
	253	CryptoStatus = Sha256Init (HashContext);\r
	254	if (!CryptoStatus) {\r
	255	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Init() failed\n"));\r
	256	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	257	goto Done;\r
	258	}\r
c411b485 MK	259	\r
c411b485 MK	260	CryptoStatus = Sha256Update (HashContext, &CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));\r
1a53a034 MK	261	if (!CryptoStatus) {\r
	262	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Update() failed\n"));\r
	263	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	264	goto Done;\r
	265	}\r
c411b485 MK	266	\r
c411b485 MK	267	CryptoStatus = Sha256Final (HashContext, Digest);\r
1a53a034 MK	268	if (!CryptoStatus) {\r
	269	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Final() failed\n"));\r
	270	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	271	goto Done;\r
	272	}\r
b3548d32	273	\r
1a53a034 MK	274	//\r
	275	// Fail if the PublicKey is not one of the public keys in PcdRsa2048Sha256PublicKeyBuffer\r
	276	//\r
	277	PublicKey = (UINT8 *)PcdGetPtr (PcdRsa2048Sha256PublicKeyBuffer);\r
	278	DEBUG ((DEBUG_VERBOSE, "DxePcdRsa2048Sha256: PublicKeyBuffer = %p\n", PublicKey));\r
	279	ASSERT (PublicKey != NULL);\r
	280	DEBUG ((DEBUG_VERBOSE, "DxePcdRsa2048Sha256: PublicKeyBuffer Token = %08x\n", PcdToken (PcdRsa2048Sha256PublicKeyBuffer)));\r
6bb832b3	281	PublicKeyBufferSize = PcdGetSize (PcdRsa2048Sha256PublicKeyBuffer);\r
1a53a034 MK	282	DEBUG ((DEBUG_VERBOSE, "DxePcdRsa2048Sha256: PublicKeyBuffer Size = %08x\n", PublicKeyBufferSize));\r
	283	ASSERT ((PublicKeyBufferSize % SHA256_DIGEST_SIZE) == 0);\r
	284	CryptoStatus = FALSE;\r
	285	while (PublicKeyBufferSize != 0) {\r
	286	if (CompareMem (Digest, PublicKey, SHA256_DIGEST_SIZE) == 0) {\r
	287	CryptoStatus = TRUE;\r
	288	break;\r
	289	}\r
c411b485 MK	290	\r
c411b485 MK	291	PublicKey = PublicKey + SHA256_DIGEST_SIZE;\r
1a53a034 MK	292	PublicKeyBufferSize = PublicKeyBufferSize - SHA256_DIGEST_SIZE;\r
1a53a034 MK	293	}\r
c411b485	294	\r
1a53a034 MK	295	if (!CryptoStatus) {\r
	296	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Public key in section is not supported\n"));\r
	297	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	298	goto Done;\r
	299	}\r
	300	\r
	301	//\r
	302	// Generate & Initialize RSA Context.\r
	303	//\r
	304	Rsa = RsaNew ();\r
	305	if (Rsa == NULL) {\r
	306	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaNew() failed\n"));\r
	307	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	308	goto Done;\r
	309	}\r
b3548d32 LG	310	\r
b3548d32 LG	311	//\r
1a53a034 MK	312	// Set RSA Key Components.\r
	313	// NOTE: Only N and E are needed to be set as RSA public key for signature verification.\r
	314	//\r
c411b485	315	CryptoStatus = RsaSetKey (Rsa, RsaKeyN, CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));\r
1a53a034 MK	316	if (!CryptoStatus) {\r
	317	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaSetKey(RsaKeyN) failed\n"));\r
	318	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	319	goto Done;\r
	320	}\r
c411b485	321	\r
1a53a034 MK	322	CryptoStatus = RsaSetKey (Rsa, RsaKeyE, mRsaE, sizeof (mRsaE));\r
	323	if (!CryptoStatus) {\r
	324	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaSetKey(RsaKeyE) failed\n"));\r
	325	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	326	goto Done;\r
	327	}\r
	328	\r
	329	//\r
	330	// Hash data payload with SHA256.\r
	331	//\r
	332	ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
	333	CryptoStatus = Sha256Init (HashContext);\r
	334	if (!CryptoStatus) {\r
	335	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Init() failed\n"));\r
	336	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	337	goto Done;\r
	338	}\r
c411b485	339	\r
e1dea56b	340	PERF_INMODULE_BEGIN ("DxeRsaShaData");\r
1a53a034	341	CryptoStatus = Sha256Update (HashContext, *OutputBuffer, OutputBufferSize);\r
e1dea56b	342	PERF_INMODULE_END ("DxeRsaShaData");\r
1a53a034 MK	343	if (!CryptoStatus) {\r
	344	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Update() failed\n"));\r
	345	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	346	goto Done;\r
	347	}\r
c411b485 MK	348	\r
c411b485 MK	349	CryptoStatus = Sha256Final (HashContext, Digest);\r
1a53a034 MK	350	if (!CryptoStatus) {\r
	351	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Final() failed\n"));\r
	352	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	353	goto Done;\r
	354	}\r
	355	\r
	356	//\r
	357	// Verify the RSA 2048 SHA 256 signature.\r
	358	//\r
e1dea56b	359	PERF_INMODULE_BEGIN ("DxeRsaVerify");\r
1a53a034	360	CryptoStatus = RsaPkcs1Verify (\r
b3548d32 LG	361	Rsa,\r
	362	Digest,\r
	363	SHA256_DIGEST_SIZE,\r
	364	CertBlockRsa2048Sha256->Signature,\r
1a53a034 MK	365	sizeof (CertBlockRsa2048Sha256->Signature)\r
1a53a034 MK	366	);\r
e1dea56b	367	PERF_INMODULE_END ("DxeRsaVerify");\r
1a53a034 MK	368	if (!CryptoStatus) {\r
	369	//\r
	370	// If RSA 2048 SHA 256 signature verification fails, AUTH tested failed bit is set.\r
	371	//\r
	372	DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaPkcs1Verify() failed\n"));\r
	373	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	374	}\r
	375	\r
	376	Done:\r
	377	//\r
	378	// Free allocated resources used to perform RSA 2048 SHA 256 signature verification\r
	379	//\r
	380	if (Rsa != NULL) {\r
	381	RsaFree (Rsa);\r
	382	}\r
c411b485	383	\r
1a53a034 MK	384	if (HashContext != NULL) {\r
	385	FreePool (HashContext);\r
	386	}\r
	387	\r
	388	DEBUG ((DEBUG_VERBOSE, "DxeRsa2048Sha256: Status = %r AuthenticationStatus = %08x\n", Status, *AuthenticationStatus));\r
	389	\r
	390	return Status;\r
	391	}\r
	392	\r
	393	/**\r
	394	Register the handler to extract RSA 2048 SHA 256 guided section.\r
	395	\r
	396	@param ImageHandle ImageHandle of the loaded driver.\r
	397	@param SystemTable Pointer to the EFI System Table.\r
	398	\r
	399	@retval EFI_SUCCESS Register successfully.\r
	400	@retval EFI_OUT_OF_RESOURCES Not enough memory to register this handler.\r
	401	**/\r
	402	EFI_STATUS\r
	403	EFIAPI\r
	404	DxeRsa2048Sha256GuidedSectionExtractLibConstructor (\r
	405	IN EFI_HANDLE ImageHandle,\r
	406	IN EFI_SYSTEM_TABLE *SystemTable\r
	407	)\r
	408	{\r
	409	return ExtractGuidedSectionRegisterHandlers (\r
	410	&gEfiCertTypeRsa2048Sha256Guid,\r
	411	Rsa2048Sha256GuidedSectionGetInfo,\r
	412	Rsa2048Sha256GuidedSectionHandler\r
	413	);\r
	414	}\r