[mirror_edk2.git] / SecurityPkg / Library / FmpAuthenticationLibPkcs7 / FmpAuthenticationLibPkcs7.c

/** @file\r
  FMP Authentication PKCS7 handler.\r
  Provide generic FMP authentication functions for DXE/PEI post memory phase.\r
\r
  Caution: This module requires additional review when modified.\r
  This module will have external input - capsule image.\r
  This external input must be validated carefully to avoid security issue like\r
  buffer overflow, integer overflow.\r
\r
  FmpAuthenticatedHandlerPkcs7(), AuthenticateFmpImage() will receive\r
  untrusted input and do basic validation.\r
\r
  Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include <Uefi.h>\r
\r
#include <Guid/SystemResourceTable.h>\r
#include <Guid/FirmwareContentsSigned.h>\r
#include <Guid/WinCertificate.h>\r
\r
#include <Library/BaseLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include <Library/DebugLib.h>\r
#include <Library/MemoryAllocationLib.h>\r
#include <Library/BaseCryptLib.h>\r
#include <Library/FmpAuthenticationLib.h>\r
#include <Library/PcdLib.h>\r
#include <Protocol/FirmwareManagement.h>\r
#include <Guid/SystemResourceTable.h>\r
\r
/**\r
  The handler is used to do the authentication for FMP capsule based upon\r
  EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
\r
  Caution: This function may receive untrusted input.\r
\r
  This function assumes the caller AuthenticateFmpImage()\r
  already did basic validation for EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
\r
  @param[in]  Image                   Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
  @param[in]  ImageSize               Size of the authentication image in bytes.\r
  @param[in]  PublicKeyData           The public key data used to validate the signature.\r
  @param[in]  PublicKeyDataLength     The length of the public key data.\r
\r
  @retval RETURN_SUCCESS            Authentication pass.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.\r
  @retval RETURN_SECURITY_VIOLATION Authentication fail.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.\r
  @retval RETURN_INVALID_PARAMETER  The image is in an invalid format.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
  @retval RETURN_OUT_OF_RESOURCES   No Authentication handler associated with CertType.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.\r
**/\r
RETURN_STATUS\r
FmpAuthenticatedHandlerPkcs7 (\r
  IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,\r
  IN UINTN                              ImageSize,\r
  IN CONST UINT8                        *PublicKeyData,\r
  IN UINTN                              PublicKeyDataLength\r
  )\r
{\r
  RETURN_STATUS  Status;\r
  BOOLEAN        CryptoStatus;\r
  VOID           *P7Data;\r
  UINTN          P7Length;\r
  VOID           *TempBuffer;\r
\r
  DEBUG ((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7 - Image: 0x%08x - 0x%08x\n", (UINTN)Image, (UINTN)ImageSize));\r
\r
  P7Length = Image->AuthInfo.Hdr.dwLength - (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));\r
  P7Data   = Image->AuthInfo.CertData;\r
\r
  // It is a signature across the variable data and the Monotonic Count value.\r
  TempBuffer = AllocatePool (ImageSize - Image->AuthInfo.Hdr.dwLength);\r
  if (TempBuffer == NULL) {\r
    DEBUG ((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: TempBuffer == NULL\n"));\r
    Status = RETURN_OUT_OF_RESOURCES;\r
    goto Done;\r
  }\r
\r
  CopyMem (\r
    TempBuffer,\r
    (UINT8 *)Image + sizeof (Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength,\r
    ImageSize - sizeof (Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength\r
    );\r
  CopyMem (\r
    (UINT8 *)TempBuffer + ImageSize - sizeof (Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength,\r
    &Image->MonotonicCount,\r
    sizeof (Image->MonotonicCount)\r
    );\r
  CryptoStatus = Pkcs7Verify (\r
                   P7Data,\r
                   P7Length,\r
                   PublicKeyData,\r
                   PublicKeyDataLength,\r
                   (UINT8 *)TempBuffer,\r
                   ImageSize - Image->AuthInfo.Hdr.dwLength\r
                   );\r
  FreePool (TempBuffer);\r
  if (!CryptoStatus) {\r
    //\r
    // If PKCS7 signature verification fails, AUTH tested failed bit is set.\r
    //\r
    DEBUG ((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: Pkcs7Verify() failed\n"));\r
    Status = RETURN_SECURITY_VIOLATION;\r
    goto Done;\r
  }\r
\r
  DEBUG ((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7: PASS verification\n"));\r
\r
  Status = RETURN_SUCCESS;\r
\r
Done:\r
  return Status;\r
}\r
\r
/**\r
  The function is used to do the authentication for FMP capsule based upon\r
  EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
\r
  The FMP capsule image should start with EFI_FIRMWARE_IMAGE_AUTHENTICATION,\r
  followed by the payload.\r
\r
  If the return status is RETURN_SUCCESS, the caller may continue the rest\r
  FMP update process.\r
  If the return status is NOT RETURN_SUCCESS, the caller should stop the FMP\r
  update process and convert the return status to LastAttemptStatus\r
  to indicate that FMP update fails.\r
  The LastAttemptStatus can be got from ESRT table or via\r
  EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo().\r
\r
  Caution: This function may receive untrusted input.\r
\r
  @param[in]  Image                   Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
  @param[in]  ImageSize               Size of the authentication image in bytes.\r
  @param[in]  PublicKeyData           The public key data used to validate the signature.\r
  @param[in]  PublicKeyDataLength     The length of the public key data.\r
\r
  @retval RETURN_SUCCESS            Authentication pass.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.\r
  @retval RETURN_SECURITY_VIOLATION Authentication fail.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.\r
  @retval RETURN_INVALID_PARAMETER  The image is in an invalid format.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
  @retval RETURN_UNSUPPORTED        No Authentication handler associated with CertType.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
  @retval RETURN_UNSUPPORTED        Image or ImageSize is invalid.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
  @retval RETURN_OUT_OF_RESOURCES   No Authentication handler associated with CertType.\r
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.\r
**/\r
RETURN_STATUS\r
EFIAPI\r
AuthenticateFmpImage (\r
  IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,\r
  IN UINTN                              ImageSize,\r
  IN CONST UINT8                        *PublicKeyData,\r
  IN UINTN                              PublicKeyDataLength\r
  )\r
{\r
  GUID        *CertType;\r
  EFI_STATUS  Status;\r
\r
  if ((Image == NULL) || (ImageSize == 0)) {\r
    return RETURN_UNSUPPORTED;\r
  }\r
\r
  if (ImageSize < sizeof (EFI_FIRMWARE_IMAGE_AUTHENTICATION)) {\r
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));\r
    return RETURN_INVALID_PARAMETER;\r
  }\r
\r
  if (Image->AuthInfo.Hdr.dwLength <= OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) {\r
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too small\n"));\r
    return RETURN_INVALID_PARAMETER;\r
  }\r
\r
  if ((UINTN)Image->AuthInfo.Hdr.dwLength > MAX_UINTN - sizeof (UINT64)) {\r
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too big\n"));\r
    return RETURN_INVALID_PARAMETER;\r
  }\r
\r
  if (ImageSize <= sizeof (Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength) {\r
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));\r
    return RETURN_INVALID_PARAMETER;\r
  }\r
\r
  if (Image->AuthInfo.Hdr.wRevision != 0x0200) {\r
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - wRevision: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wRevision, (UINTN)0x0200));\r
    return RETURN_INVALID_PARAMETER;\r
  }\r
\r
  if (Image->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {\r
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - wCertificateType: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wCertificateType, (UINTN)WIN_CERT_TYPE_EFI_GUID));\r
    return RETURN_INVALID_PARAMETER;\r
  }\r
\r
  CertType = &Image->AuthInfo.CertType;\r
  DEBUG ((DEBUG_INFO, "AuthenticateFmpImage - CertType: %g\n", CertType));\r
\r
  if (CompareGuid (&gEfiCertPkcs7Guid, CertType)) {\r
    //\r
    // Call the match handler to extract raw data for the input section data.\r
    //\r
    Status = FmpAuthenticatedHandlerPkcs7 (\r
               Image,\r
               ImageSize,\r
               PublicKeyData,\r
               PublicKeyDataLength\r
               );\r
    return Status;\r
  }\r
\r
  //\r
  // Not found, the input guided section is not supported.\r
  //\r
  return RETURN_UNSUPPORTED;\r
}\r
Commit	Line	Data
fef2ae63 JY	1	/** @file\r
	2	FMP Authentication PKCS7 handler.\r
	3	Provide generic FMP authentication functions for DXE/PEI post memory phase.\r
	4	\r
	5	Caution: This module requires additional review when modified.\r
	6	This module will have external input - capsule image.\r
	7	This external input must be validated carefully to avoid security issue like\r
	8	buffer overflow, integer overflow.\r
	9	\r
	10	FmpAuthenticatedHandlerPkcs7(), AuthenticateFmpImage() will receive\r
	11	untrusted input and do basic validation.\r
	12	\r
ba47ae93	13	Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>\r
289b714b	14	SPDX-License-Identifier: BSD-2-Clause-Patent\r
fef2ae63 JY	15	\r
	16	**/\r
	17	\r
	18	#include <Uefi.h>\r
	19	\r
	20	#include <Guid/SystemResourceTable.h>\r
	21	#include <Guid/FirmwareContentsSigned.h>\r
	22	#include <Guid/WinCertificate.h>\r
	23	\r
	24	#include <Library/BaseLib.h>\r
	25	#include <Library/BaseMemoryLib.h>\r
	26	#include <Library/DebugLib.h>\r
	27	#include <Library/MemoryAllocationLib.h>\r
	28	#include <Library/BaseCryptLib.h>\r
	29	#include <Library/FmpAuthenticationLib.h>\r
	30	#include <Library/PcdLib.h>\r
	31	#include <Protocol/FirmwareManagement.h>\r
	32	#include <Guid/SystemResourceTable.h>\r
	33	\r
	34	/**\r
	35	The handler is used to do the authentication for FMP capsule based upon\r
	36	EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
	37	\r
	38	Caution: This function may receive untrusted input.\r
	39	\r
	40	This function assumes the caller AuthenticateFmpImage()\r
	41	already did basic validation for EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
	42	\r
	43	@param[in] Image Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
	44	@param[in] ImageSize Size of the authentication image in bytes.\r
	45	@param[in] PublicKeyData The public key data used to validate the signature.\r
	46	@param[in] PublicKeyDataLength The length of the public key data.\r
	47	\r
	48	@retval RETURN_SUCCESS Authentication pass.\r
	49	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.\r
	50	@retval RETURN_SECURITY_VIOLATION Authentication fail.\r
	51	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.\r
	52	@retval RETURN_INVALID_PARAMETER The image is in an invalid format.\r
	53	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
	54	@retval RETURN_OUT_OF_RESOURCES No Authentication handler associated with CertType.\r
	55	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.\r
	56	**/\r
	57	RETURN_STATUS\r
	58	FmpAuthenticatedHandlerPkcs7 (\r
	59	IN EFI_FIRMWARE_IMAGE_AUTHENTICATION *Image,\r
	60	IN UINTN ImageSize,\r
	61	IN CONST UINT8 *PublicKeyData,\r
	62	IN UINTN PublicKeyDataLength\r
	63	)\r
	64	{\r
c411b485 MK	65	RETURN_STATUS Status;\r
	66	BOOLEAN CryptoStatus;\r
	67	VOID *P7Data;\r
	68	UINTN P7Length;\r
	69	VOID *TempBuffer;\r
fef2ae63	70	\r
c411b485	71	DEBUG ((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7 - Image: 0x%08x - 0x%08x\n", (UINTN)Image, (UINTN)ImageSize));\r
fef2ae63	72	\r
c411b485 MK	73	P7Length = Image->AuthInfo.Hdr.dwLength - (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));\r
c411b485 MK	74	P7Data = Image->AuthInfo.CertData;\r
fef2ae63 JY	75	\r
fef2ae63 JY	76	// It is a signature across the variable data and the Monotonic Count value.\r
c411b485	77	TempBuffer = AllocatePool (ImageSize - Image->AuthInfo.Hdr.dwLength);\r
fef2ae63	78	if (TempBuffer == NULL) {\r
c411b485	79	DEBUG ((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: TempBuffer == NULL\n"));\r
fef2ae63 JY	80	Status = RETURN_OUT_OF_RESOURCES;\r
	81	goto Done;\r
	82	}\r
	83	\r
c411b485	84	CopyMem (\r
fef2ae63	85	TempBuffer,\r
c411b485 MK	86	(UINT8 *)Image + sizeof (Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength,\r
c411b485 MK	87	ImageSize - sizeof (Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength\r
fef2ae63	88	);\r
c411b485 MK	89	CopyMem (\r
c411b485 MK	90	(UINT8 *)TempBuffer + ImageSize - sizeof (Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength,\r
fef2ae63	91	&Image->MonotonicCount,\r
c411b485	92	sizeof (Image->MonotonicCount)\r
fef2ae63	93	);\r
c411b485	94	CryptoStatus = Pkcs7Verify (\r
fef2ae63 JY	95	P7Data,\r
	96	P7Length,\r
	97	PublicKeyData,\r
	98	PublicKeyDataLength,\r
	99	(UINT8 *)TempBuffer,\r
	100	ImageSize - Image->AuthInfo.Hdr.dwLength\r
	101	);\r
c411b485	102	FreePool (TempBuffer);\r
fef2ae63 JY	103	if (!CryptoStatus) {\r
	104	//\r
	105	// If PKCS7 signature verification fails, AUTH tested failed bit is set.\r
	106	//\r
c411b485	107	DEBUG ((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: Pkcs7Verify() failed\n"));\r
fef2ae63 JY	108	Status = RETURN_SECURITY_VIOLATION;\r
	109	goto Done;\r
	110	}\r
c411b485 MK	111	\r
c411b485 MK	112	DEBUG ((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7: PASS verification\n"));\r
fef2ae63 JY	113	\r
	114	Status = RETURN_SUCCESS;\r
	115	\r
	116	Done:\r
	117	return Status;\r
	118	}\r
	119	\r
	120	/**\r
	121	The function is used to do the authentication for FMP capsule based upon\r
	122	EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
	123	\r
	124	The FMP capsule image should start with EFI_FIRMWARE_IMAGE_AUTHENTICATION,\r
	125	followed by the payload.\r
	126	\r
	127	If the return status is RETURN_SUCCESS, the caller may continue the rest\r
	128	FMP update process.\r
	129	If the return status is NOT RETURN_SUCCESS, the caller should stop the FMP\r
	130	update process and convert the return status to LastAttemptStatus\r
	131	to indicate that FMP update fails.\r
	132	The LastAttemptStatus can be got from ESRT table or via\r
	133	EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo().\r
	134	\r
	135	Caution: This function may receive untrusted input.\r
	136	\r
	137	@param[in] Image Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.\r
	138	@param[in] ImageSize Size of the authentication image in bytes.\r
	139	@param[in] PublicKeyData The public key data used to validate the signature.\r
	140	@param[in] PublicKeyDataLength The length of the public key data.\r
	141	\r
	142	@retval RETURN_SUCCESS Authentication pass.\r
	143	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.\r
	144	@retval RETURN_SECURITY_VIOLATION Authentication fail.\r
	145	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.\r
	146	@retval RETURN_INVALID_PARAMETER The image is in an invalid format.\r
	147	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
	148	@retval RETURN_UNSUPPORTED No Authentication handler associated with CertType.\r
	149	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
	150	@retval RETURN_UNSUPPORTED Image or ImageSize is invalid.\r
	151	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.\r
	152	@retval RETURN_OUT_OF_RESOURCES No Authentication handler associated with CertType.\r
	153	The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.\r
	154	**/\r
	155	RETURN_STATUS\r
	156	EFIAPI\r
	157	AuthenticateFmpImage (\r
	158	IN EFI_FIRMWARE_IMAGE_AUTHENTICATION *Image,\r
	159	IN UINTN ImageSize,\r
	160	IN CONST UINT8 *PublicKeyData,\r
	161	IN UINTN PublicKeyDataLength\r
	162	)\r
	163	{\r
c411b485 MK	164	GUID *CertType;\r
c411b485 MK	165	EFI_STATUS Status;\r
fef2ae63 JY	166	\r
	167	if ((Image == NULL) \|\| (ImageSize == 0)) {\r
	168	return RETURN_UNSUPPORTED;\r
	169	}\r
	170	\r
c411b485 MK	171	if (ImageSize < sizeof (EFI_FIRMWARE_IMAGE_AUTHENTICATION)) {\r
c411b485 MK	172	DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));\r
fef2ae63 JY	173	return RETURN_INVALID_PARAMETER;\r
fef2ae63 JY	174	}\r
c411b485 MK	175	\r
	176	if (Image->AuthInfo.Hdr.dwLength <= OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) {\r
	177	DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too small\n"));\r
fef2ae63 JY	178	return RETURN_INVALID_PARAMETER;\r
fef2ae63 JY	179	}\r
c411b485 MK	180	\r
	181	if ((UINTN)Image->AuthInfo.Hdr.dwLength > MAX_UINTN - sizeof (UINT64)) {\r
	182	DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too big\n"));\r
fef2ae63 JY	183	return RETURN_INVALID_PARAMETER;\r
fef2ae63 JY	184	}\r
c411b485 MK	185	\r
	186	if (ImageSize <= sizeof (Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength) {\r
	187	DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));\r
fef2ae63 JY	188	return RETURN_INVALID_PARAMETER;\r
fef2ae63 JY	189	}\r
c411b485	190	\r
fef2ae63	191	if (Image->AuthInfo.Hdr.wRevision != 0x0200) {\r
c411b485	192	DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - wRevision: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wRevision, (UINTN)0x0200));\r
fef2ae63 JY	193	return RETURN_INVALID_PARAMETER;\r
fef2ae63 JY	194	}\r
c411b485	195	\r
fef2ae63	196	if (Image->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {\r
c411b485	197	DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - wCertificateType: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wCertificateType, (UINTN)WIN_CERT_TYPE_EFI_GUID));\r
fef2ae63 JY	198	return RETURN_INVALID_PARAMETER;\r
	199	}\r
	200	\r
	201	CertType = &Image->AuthInfo.CertType;\r
c411b485	202	DEBUG ((DEBUG_INFO, "AuthenticateFmpImage - CertType: %g\n", CertType));\r
fef2ae63 JY	203	\r
	204	if (CompareGuid (&gEfiCertPkcs7Guid, CertType)) {\r
	205	//\r
	206	// Call the match handler to extract raw data for the input section data.\r
	207	//\r
	208	Status = FmpAuthenticatedHandlerPkcs7 (\r
	209	Image,\r
	210	ImageSize,\r
	211	PublicKeyData,\r
	212	PublicKeyDataLength\r
	213	);\r
	214	return Status;\r
	215	}\r
	216	\r
	217	//\r
	218	// Not found, the input guided section is not supported.\r
	219	//\r
	220	return RETURN_UNSUPPORTED;\r
	221	}\r