[mirror_edk2.git] / SecurityPkg / Library / FmpAuthenticationLibPkcs7 / FmpAuthenticationLibPkcs7.c

/** @file\r
  FMP Authentication PKCS7 handler.\r
  Provide generic FMP authentication functions for DXE/PEI post memory phase.\r
\r
  Caution: This module requires additional review when modified.\r
  This module will have external input - capsule image.\r
  This external input must be validated carefully to avoid security issue like\r
  buffer overflow, integer overflow.\r
\r
  FmpAuthenticatedHandlerPkcs7(), AuthenticateFmpImage() will receive\r
  untrusted input and do basic validation.\r
\r
  Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include <Uefi.h>\r
\r
#include <Guid/SystemResourceTable.h>\r
#include <Guid/FirmwareContentsSigned.h>\r
#include <Guid/WinCertificate.h>\r
\r
#include <Library/BaseLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include <Library/DebugLib.h>\r
#include <Library/MemoryAllocationLib.h>\r
#include <Library/BaseCryptLib.h>\r
#include <Library/FmpAuthenticationLib.h>\r
#include <Library/PcdLib.h>\r
#include <Protocol/FirmwareManagement.h>\r
#include <Guid/SystemResourceTable.h>\r
\r
/**\r
  The handler is used to do the authentication for FMP capsule based upon\r
  EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
\r
  Caution: This function may receive untrusted input.\r
\r
  This function assumes the caller AuthenticateFmpImage()\r
  already did basic validation for EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
\r
  @param[in]  Image                   Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
  @param[in]  ImageSize               Size of the authentication image in bytes.\r
  @param[in]  PublicKeyData           The public key data used to validate the signature.\r
  @param[in]  PublicKeyDataLength     The length of the public key data.\r
\r
  @retval RETURN_SUCCESS            Authentication pass.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.\r
  @retval RETURN_SECURITY_VIOLATION Authentication fail.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.\r
  @retval RETURN_INVALID_PARAMETER  The image is in an invalid format.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
  @retval RETURN_OUT_OF_RESOURCES   No Authentication handler associated with CertType.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.\r
**/\r
RETURN_STATUS\r
FmpAuthenticatedHandlerPkcs7 (\r
  IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,\r
  IN UINTN                              ImageSize,\r
  IN CONST UINT8                        *PublicKeyData,\r
  IN UINTN                              PublicKeyDataLength\r
  )\r
{\r
  RETURN_STATUS                             Status;\r
  BOOLEAN                                   CryptoStatus;\r
  VOID                                      *P7Data;\r
  UINTN                                     P7Length;\r
  VOID                                      *TempBuffer;\r
\r
  DEBUG((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7 - Image: 0x%08x - 0x%08x\n", (UINTN)Image, (UINTN)ImageSize));\r
\r
  P7Length = Image->AuthInfo.Hdr.dwLength - (OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData));\r
  P7Data = Image->AuthInfo.CertData;\r
\r
  // It is a signature across the variable data and the Monotonic Count value.\r
  TempBuffer = AllocatePool(ImageSize - Image->AuthInfo.Hdr.dwLength);\r
  if (TempBuffer == NULL) {\r
    DEBUG((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: TempBuffer == NULL\n"));\r
    Status = RETURN_OUT_OF_RESOURCES;\r
    goto Done;\r
  }\r
\r
  CopyMem(\r
    TempBuffer,\r
    (UINT8 *)Image + sizeof(Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength,\r
    ImageSize - sizeof(Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength\r
    );\r
  CopyMem(\r
    (UINT8 *)TempBuffer + ImageSize - sizeof(Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength,\r
    &Image->MonotonicCount,\r
    sizeof(Image->MonotonicCount)\r
    );\r
  CryptoStatus = Pkcs7Verify(\r
                   P7Data,\r
                   P7Length,\r
                   PublicKeyData,\r
                   PublicKeyDataLength,\r
                   (UINT8 *)TempBuffer,\r
                   ImageSize - Image->AuthInfo.Hdr.dwLength\r
                   );\r
  FreePool(TempBuffer);\r
  if (!CryptoStatus) {\r
    //\r
    // If PKCS7 signature verification fails, AUTH tested failed bit is set.\r
    //\r
    DEBUG((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: Pkcs7Verify() failed\n"));\r
    Status = RETURN_SECURITY_VIOLATION;\r
    goto Done;\r
  }\r
  DEBUG((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7: PASS verification\n"));\r
\r
  Status = RETURN_SUCCESS;\r
\r
Done:\r
  return Status;\r
}\r
\r
/**\r
  The function is used to do the authentication for FMP capsule based upon\r
  EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
\r
  The FMP capsule image should start with EFI_FIRMWARE_IMAGE_AUTHENTICATION,\r
  followed by the payload.\r
\r
  If the return status is RETURN_SUCCESS, the caller may continue the rest\r
  FMP update process.\r
  If the return status is NOT RETURN_SUCCESS, the caller should stop the FMP\r
  update process and convert the return status to LastAttemptStatus\r
  to indicate that FMP update fails.\r
  The LastAttemptStatus can be got from ESRT table or via\r
  EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo().\r
\r
  Caution: This function may receive untrusted input.\r
\r
  @param[in]  Image                   Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
  @param[in]  ImageSize               Size of the authentication image in bytes.\r
  @param[in]  PublicKeyData           The public key data used to validate the signature.\r
  @param[in]  PublicKeyDataLength     The length of the public key data.\r
\r
  @retval RETURN_SUCCESS            Authentication pass.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.\r
  @retval RETURN_SECURITY_VIOLATION Authentication fail.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.\r
  @retval RETURN_INVALID_PARAMETER  The image is in an invalid format.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
  @retval RETURN_UNSUPPORTED        No Authentication handler associated with CertType.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
  @retval RETURN_UNSUPPORTED        Image or ImageSize is invalid.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
  @retval RETURN_OUT_OF_RESOURCES   No Authentication handler associated with CertType.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.\r
**/\r
RETURN_STATUS\r
EFIAPI\r
AuthenticateFmpImage (\r
  IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,\r
  IN UINTN                              ImageSize,\r
  IN CONST UINT8                        *PublicKeyData,\r
  IN UINTN                              PublicKeyDataLength\r
  )\r
{\r
  GUID                                      *CertType;\r
  EFI_STATUS                                Status;\r
\r
  if ((Image == NULL) || (ImageSize == 0)) {\r
    return RETURN_UNSUPPORTED;\r
  }\r
\r
  if (ImageSize < sizeof(EFI_FIRMWARE_IMAGE_AUTHENTICATION)) {\r
    DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));\r
    return RETURN_INVALID_PARAMETER;\r
  }\r
  if (Image->AuthInfo.Hdr.dwLength <= OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData)) {\r
    DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too small\n"));\r
    return RETURN_INVALID_PARAMETER;\r
  }\r
  if ((UINTN) Image->AuthInfo.Hdr.dwLength > MAX_UINTN - sizeof(UINT64)) {\r
    DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too big\n"));\r
    return RETURN_INVALID_PARAMETER;\r
  }\r
  if (ImageSize <= sizeof(Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength) {\r
    DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));\r
    return RETURN_INVALID_PARAMETER;\r
  }\r
  if (Image->AuthInfo.Hdr.wRevision != 0x0200) {\r
    DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - wRevision: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wRevision, (UINTN)0x0200));\r
    return RETURN_INVALID_PARAMETER;\r
  }\r
  if (Image->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {\r
    DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - wCertificateType: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wCertificateType, (UINTN)WIN_CERT_TYPE_EFI_GUID));\r
    return RETURN_INVALID_PARAMETER;\r
  }\r
\r
  CertType = &Image->AuthInfo.CertType;\r
  DEBUG((DEBUG_INFO, "AuthenticateFmpImage - CertType: %g\n", CertType));\r
\r
  if (CompareGuid (&gEfiCertPkcs7Guid, CertType)) {\r
    //\r
    // Call the match handler to extract raw data for the input section data.\r
    //\r
    Status = FmpAuthenticatedHandlerPkcs7 (\r
               Image,\r
               ImageSize,\r
               PublicKeyData,\r
               PublicKeyDataLength\r
               );\r
    return Status;\r
  }\r
\r
  //\r
  // Not found, the input guided section is not supported.\r
  //\r
  return RETURN_UNSUPPORTED;\r
}\r
\r
Commit	Line	Data
fef2ae63 JY	1	/** @file\r
	2	FMP Authentication PKCS7 handler.\r
	3	Provide generic FMP authentication functions for DXE/PEI post memory phase.\r
	4	\r
	5	Caution: This module requires additional review when modified.\r
	6	This module will have external input - capsule image.\r
	7	This external input must be validated carefully to avoid security issue like\r
	8	buffer overflow, integer overflow.\r
	9	\r
	10	FmpAuthenticatedHandlerPkcs7(), AuthenticateFmpImage() will receive\r
	11	untrusted input and do basic validation.\r
	12	\r
ba47ae93	13	Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
289b714b	14	SPDX-License-Identifier: BSD-2-Clause-Patent\r
fef2ae63 JY	15	\r
	16	**/\r
	17	\r
	18	#include <Uefi.h>\r
	19	\r
	20	#include <Guid/SystemResourceTable.h>\r
	21	#include <Guid/FirmwareContentsSigned.h>\r
	22	#include <Guid/WinCertificate.h>\r
	23	\r
	24	#include <Library/BaseLib.h>\r
	25	#include <Library/BaseMemoryLib.h>\r
	26	#include <Library/DebugLib.h>\r
	27	#include <Library/MemoryAllocationLib.h>\r
	28	#include <Library/BaseCryptLib.h>\r
	29	#include <Library/FmpAuthenticationLib.h>\r
	30	#include <Library/PcdLib.h>\r
	31	#include <Protocol/FirmwareManagement.h>\r
	32	#include <Guid/SystemResourceTable.h>\r
	33	\r
	34	/**\r
	35	The handler is used to do the authentication for FMP capsule based upon\r
	36	EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
	37	\r
	38	Caution: This function may receive untrusted input.\r
	39	\r
	40	This function assumes the caller AuthenticateFmpImage()\r
	41	already did basic validation for EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
	42	\r
	43	@param[in] Image Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
	44	@param[in] ImageSize Size of the authentication image in bytes.\r
	45	@param[in] PublicKeyData The public key data used to validate the signature.\r
	46	@param[in] PublicKeyDataLength The length of the public key data.\r
	47	\r
	48	@retval RETURN_SUCCESS Authentication pass.\r
	49	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.\r
	50	@retval RETURN_SECURITY_VIOLATION Authentication fail.\r
	51	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.\r
	52	@retval RETURN_INVALID_PARAMETER The image is in an invalid format.\r
	53	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
	54	@retval RETURN_OUT_OF_RESOURCES No Authentication handler associated with CertType.\r
	55	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.\r
	56	**/\r
	57	RETURN_STATUS\r
	58	FmpAuthenticatedHandlerPkcs7 (\r
	59	IN EFI_FIRMWARE_IMAGE_AUTHENTICATION *Image,\r
	60	IN UINTN ImageSize,\r
	61	IN CONST UINT8 *PublicKeyData,\r
	62	IN UINTN PublicKeyDataLength\r
	63	)\r
	64	{\r
	65	RETURN_STATUS Status;\r
	66	BOOLEAN CryptoStatus;\r
	67	VOID *P7Data;\r
	68	UINTN P7Length;\r
	69	VOID *TempBuffer;\r
	70	\r
	71	DEBUG((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7 - Image: 0x%08x - 0x%08x\n", (UINTN)Image, (UINTN)ImageSize));\r
	72	\r
	73	P7Length = Image->AuthInfo.Hdr.dwLength - (OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData));\r
	74	P7Data = Image->AuthInfo.CertData;\r
	75	\r
	76	// It is a signature across the variable data and the Monotonic Count value.\r
	77	TempBuffer = AllocatePool(ImageSize - Image->AuthInfo.Hdr.dwLength);\r
	78	if (TempBuffer == NULL) {\r
79	DEBUG((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: TempBuffer == NULL\n"));\r
80	Status = RETURN_OUT_OF_RESOURCES;\r
81	goto Done;\r
82	}\r
83	\r
84	CopyMem(\r
85	TempBuffer,\r
86	(UINT8 *)Image + sizeof(Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength,\r
87	ImageSize - sizeof(Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength\r
88	);\r
89	CopyMem(\r
90	(UINT8 *)TempBuffer + ImageSize - sizeof(Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength,\r
91	&Image->MonotonicCount,\r
92	sizeof(Image->MonotonicCount)\r
93	);\r
94	CryptoStatus = Pkcs7Verify(\r
95	P7Data,\r
96	P7Length,\r
97	PublicKeyData,\r
98	PublicKeyDataLength,\r
99	(UINT8 *)TempBuffer,\r
100	ImageSize - Image->AuthInfo.Hdr.dwLength\r
101	);\r
102	FreePool(TempBuffer);\r
103	if (!CryptoStatus) {\r
104	//\r
105	// If PKCS7 signature verification fails, AUTH tested failed bit is set.\r
106	//\r
107	DEBUG((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: Pkcs7Verify() failed\n"));\r
108	Status = RETURN_SECURITY_VIOLATION;\r
109	goto Done;\r
110	}\r
111	DEBUG((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7: PASS verification\n"));\r
112	\r
113	Status = RETURN_SUCCESS;\r
114	\r
115	Done:\r
116	return Status;\r
117	}\r
118	\r
119	/**\r
120	The function is used to do the authentication for FMP capsule based upon\r
121	EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
122	\r
123	The FMP capsule image should start with EFI_FIRMWARE_IMAGE_AUTHENTICATION,\r
124	followed by the payload.\r
125	\r
126	If the return status is RETURN_SUCCESS, the caller may continue the rest\r
127	FMP update process.\r
128	If the return status is NOT RETURN_SUCCESS, the caller should stop the FMP\r
129	update process and convert the return status to LastAttemptStatus\r
130	to indicate that FMP update fails.\r
131	The LastAttemptStatus can be got from ESRT table or via\r
132	EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo().\r
133	\r
134	Caution: This function may receive untrusted input.\r
135	\r
136	@param[in] Image Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
137	@param[in] ImageSize Size of the authentication image in bytes.\r
138	@param[in] PublicKeyData The public key data used to validate the signature.\r
139	@param[in] PublicKeyDataLength The length of the public key data.\r
140	\r
141	@retval RETURN_SUCCESS Authentication pass.\r
142	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.\r
143	@retval RETURN_SECURITY_VIOLATION Authentication fail.\r
144	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.\r
145	@retval RETURN_INVALID_PARAMETER The image is in an invalid format.\r
146	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
147	@retval RETURN_UNSUPPORTED No Authentication handler associated with CertType.\r
148	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
149	@retval RETURN_UNSUPPORTED Image or ImageSize is invalid.\r
150	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
151	@retval RETURN_OUT_OF_RESOURCES No Authentication handler associated with CertType.\r
152	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.\r
153	**/\r
154	RETURN_STATUS\r
155	EFIAPI\r
156	AuthenticateFmpImage (\r
157	IN EFI_FIRMWARE_IMAGE_AUTHENTICATION *Image,\r
158	IN UINTN ImageSize,\r
159	IN CONST UINT8 *PublicKeyData,\r
160	IN UINTN PublicKeyDataLength\r
161	)\r
162	{\r
163	GUID *CertType;\r
164	EFI_STATUS Status;\r
165	\r
166	if ((Image == NULL) \|\| (ImageSize == 0)) {\r
167	return RETURN_UNSUPPORTED;\r
168	}\r
169	\r
170	if (ImageSize < sizeof(EFI_FIRMWARE_IMAGE_AUTHENTICATION)) {\r
171	DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));\r
172	return RETURN_INVALID_PARAMETER;\r
173	}\r
174	if (Image->AuthInfo.Hdr.dwLength <= OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData)) {\r
175	DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too small\n"));\r
176	return RETURN_INVALID_PARAMETER;\r
177	}\r
ba47ae93	178	if ((UINTN) Image->AuthInfo.Hdr.dwLength > MAX_UINTN - sizeof(UINT64)) {\r
fef2ae63 JY	179	DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too big\n"));\r
	180	return RETURN_INVALID_PARAMETER;\r
	181	}\r
	182	if (ImageSize <= sizeof(Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength) {\r
	183	DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));\r
	184	return RETURN_INVALID_PARAMETER;\r
	185	}\r
	186	if (Image->AuthInfo.Hdr.wRevision != 0x0200) {\r
	187	DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - wRevision: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wRevision, (UINTN)0x0200));\r
	188	return RETURN_INVALID_PARAMETER;\r
	189	}\r
	190	if (Image->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {\r
	191	DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - wCertificateType: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wCertificateType, (UINTN)WIN_CERT_TYPE_EFI_GUID));\r
	192	return RETURN_INVALID_PARAMETER;\r
	193	}\r
	194	\r
	195	CertType = &Image->AuthInfo.CertType;\r
	196	DEBUG((DEBUG_INFO, "AuthenticateFmpImage - CertType: %g\n", CertType));\r
	197	\r
	198	if (CompareGuid (&gEfiCertPkcs7Guid, CertType)) {\r
	199	//\r
	200	// Call the match handler to extract raw data for the input section data.\r
	201	//\r
	202	Status = FmpAuthenticatedHandlerPkcs7 (\r
	203	Image,\r
	204	ImageSize,\r
	205	PublicKeyData,\r
	206	PublicKeyDataLength\r
	207	);\r
	208	return Status;\r
	209	}\r
	210	\r
	211	//\r
	212	// Not found, the input guided section is not supported.\r
	213	//\r
	214	return RETURN_UNSUPPORTED;\r
	215	}\r
	216	\r