/** @file
  FMP Authentication PKCS7 handler.
  Provide generic FMP authentication functions for the DXE/PEI post-memory phase.

  Caution: This module requires additional review when modified.
  This module will have external input - the capsule image.
  This external input must be validated carefully to avoid security issues such as
  buffer overflow and integer overflow.

  FmpAuthenticatedHandlerPkcs7() and AuthenticateFmpImage() will receive
  untrusted input and do basic validation.

  Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
  SPDX-License-Identifier: BSD-2-Clause-Patent

**/
#include <Uefi.h>

#include <Guid/SystemResourceTable.h>
#include <Guid/FirmwareContentsSigned.h>
#include <Guid/WinCertificate.h>

#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/BaseCryptLib.h>
#include <Library/FmpAuthenticationLib.h>
#include <Library/PcdLib.h>
#include <Protocol/FirmwareManagement.h>
//
// NOTE(review): Guid/SystemResourceTable.h is already included above; this second
// include looks redundant - confirm nothing depends on it and drop it.
//
#include <Guid/SystemResourceTable.h>
/**
  Verify the PKCS7 signature carried by an FMP capsule image whose header is
  an EFI_FIRMWARE_IMAGE_AUTHENTICATION structure.

  Caution: This function may receive untrusted input.

  This handler does not re-validate the EFI_FIRMWARE_IMAGE_AUTHENTICATION
  header. It relies on AuthenticateFmpImage() having already confirmed that
  ImageSize covers the header, that AuthInfo.Hdr.dwLength is larger than the
  offset of CertData, that dwLength + sizeof (MonotonicCount) cannot wrap, and
  that ImageSize is larger than sizeof (MonotonicCount) + dwLength. Any other
  caller must perform the same checks before invoking this function.

  The signed content is reconstructed in a temporary buffer as the payload
  that follows the certificate, with the MonotonicCount value appended, and
  the embedded PKCS7 blob (AuthInfo.CertData) is verified against it using
  the supplied public key.

  @param[in]  Image                Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.
  @param[in]  ImageSize            Size of the authentication image in bytes.
  @param[in]  PublicKeyData        The public key data used to validate the signature.
  @param[in]  PublicKeyDataLength  The length of the public key data.

  @retval RETURN_SUCCESS            Authentication pass.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.
  @retval RETURN_SECURITY_VIOLATION Authentication fail.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.
  @retval RETURN_INVALID_PARAMETER  The image is in an invalid format.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
  @retval RETURN_OUT_OF_RESOURCES   The temporary buffer holding the signed content could not be allocated.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.
**/
RETURN_STATUS
FmpAuthenticatedHandlerPkcs7 (
  IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,
  IN UINTN                              ImageSize,
  IN CONST UINT8                        *PublicKeyData,
  IN UINTN                              PublicKeyDataLength
  )
{
  BOOLEAN  Verified;
  UINTN    CertLength;
  UINTN    PayloadSize;
  UINTN    SignedSize;
  UINT8    *SignedContent;

  DEBUG ((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7 - Image: 0x%08x - 0x%08x\n", (UINTN)Image, (UINTN)ImageSize));

  //
  // Image layout (bounds already validated by the caller):
  //   MonotonicCount | WIN_CERTIFICATE_UEFI_GUID (dwLength bytes) | payload up to ImageSize
  //
  CertLength  = Image->AuthInfo.Hdr.dwLength;
  PayloadSize = ImageSize - sizeof (Image->MonotonicCount) - CertLength;
  SignedSize  = PayloadSize + sizeof (Image->MonotonicCount);

  //
  // The signature covers the payload followed by the Monotonic Count value,
  // so that exact byte sequence is rebuilt in a scratch buffer.
  //
  SignedContent = AllocatePool (SignedSize);
  if (SignedContent == NULL) {
    DEBUG ((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: TempBuffer == NULL\n"));
    return RETURN_OUT_OF_RESOURCES;
  }

  CopyMem (SignedContent, (UINT8 *)Image + sizeof (Image->MonotonicCount) + CertLength, PayloadSize);
  CopyMem (SignedContent + PayloadSize, &Image->MonotonicCount, sizeof (Image->MonotonicCount));

  //
  // The PKCS7 blob is the part of the certificate that follows the fixed
  // WIN_CERTIFICATE_UEFI_GUID fields.
  //
  Verified = Pkcs7Verify (
               Image->AuthInfo.CertData,
               CertLength - OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData),
               PublicKeyData,
               PublicKeyDataLength,
               SignedContent,
               SignedSize
               );
  FreePool (SignedContent);

  if (!Verified) {
    DEBUG ((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: Pkcs7Verify() failed\n"));
    return RETURN_SECURITY_VIOLATION;
  }

  DEBUG ((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7: PASS verification\n"));
  return RETURN_SUCCESS;
}
/**
  Authenticate an FMP capsule image that begins with an
  EFI_FIRMWARE_IMAGE_AUTHENTICATION structure followed by the payload.

  The header is validated here before any handler reads the certificate:
  the image must be large enough to hold the header, AuthInfo.Hdr.dwLength
  must leave room for at least one byte of CertData and for at least one
  byte of payload after the certificate, the dwLength arithmetic must not
  wrap, and the certificate must be a WIN_CERT_TYPE_EFI_GUID of revision
  0x0200. Only then is the CertType GUID dispatched to a handler.

  If the return status is RETURN_SUCCESS, the caller may continue the rest
  of the FMP update process.
  If the return status is NOT RETURN_SUCCESS, the caller should stop the FMP
  update process and convert the return status to LastAttemptStatus
  to indicate that the FMP update failed.
  The LastAttemptStatus can be obtained from the ESRT table or via
  EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo().

  Caution: This function may receive untrusted input.

  @param[in]  Image                Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.
  @param[in]  ImageSize            Size of the authentication image in bytes.
  @param[in]  PublicKeyData        The public key data used to validate the signature.
  @param[in]  PublicKeyDataLength  The length of the public key data.

  @retval RETURN_SUCCESS            Authentication pass.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.
  @retval RETURN_SECURITY_VIOLATION Authentication fail.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.
  @retval RETURN_INVALID_PARAMETER  The image is in an invalid format.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
  @retval RETURN_UNSUPPORTED        No Authentication handler associated with CertType.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
  @retval RETURN_UNSUPPORTED        Image or ImageSize is invalid.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
  @retval RETURN_OUT_OF_RESOURCES   The handler could not allocate its working buffer.
                                    The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.
**/
RETURN_STATUS
EFIAPI
AuthenticateFmpImage (
  IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,
  IN UINTN                              ImageSize,
  IN CONST UINT8                        *PublicKeyData,
  IN UINTN                              PublicKeyDataLength
  )
{
  UINTN  CertLength;

  if ((Image == NULL) || (ImageSize == 0)) {
    return RETURN_UNSUPPORTED;
  }

  //
  // No header field may be read until the whole header is known to be in bounds.
  //
  if (ImageSize < sizeof (EFI_FIRMWARE_IMAGE_AUTHENTICATION)) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));
    return RETURN_INVALID_PARAMETER;
  }

  CertLength = Image->AuthInfo.Hdr.dwLength;

  //
  // dwLength must cover the fixed WIN_CERTIFICATE_UEFI_GUID fields plus at least one CertData byte.
  //
  if (CertLength <= OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too small\n"));
    return RETURN_INVALID_PARAMETER;
  }

  //
  // Reject values that would make the addition in the next check wrap around.
  //
  if (CertLength > MAX_UINTN - sizeof (UINT64)) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too big\n"));
    return RETURN_INVALID_PARAMETER;
  }

  //
  // The certificate must end inside the image and leave at least one payload byte.
  //
  if (ImageSize <= sizeof (Image->MonotonicCount) + CertLength) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));
    return RETURN_INVALID_PARAMETER;
  }

  if (Image->AuthInfo.Hdr.wRevision != 0x0200) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - wRevision: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wRevision, (UINTN)0x0200));
    return RETURN_INVALID_PARAMETER;
  }

  if (Image->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {
    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - wCertificateType: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wCertificateType, (UINTN)WIN_CERT_TYPE_EFI_GUID));
    return RETURN_INVALID_PARAMETER;
  }

  DEBUG ((DEBUG_INFO, "AuthenticateFmpImage - CertType: %g\n", &Image->AuthInfo.CertType));

  if (!CompareGuid (&gEfiCertPkcs7Guid, &Image->AuthInfo.CertType)) {
    //
    // No handler is registered for this certificate type.
    //
    return RETURN_UNSUPPORTED;
  }

  //
  // PKCS7 is the only supported CertType; hand the already-validated image to its handler.
  //
  return FmpAuthenticatedHandlerPkcs7 (Image, ImageSize, PublicKeyData, PublicKeyDataLength);
}