[mirror_edk2.git] / SecurityPkg / Library / PeiRsa2048Sha256GuidedSectionExtractLib / PeiRsa2048Sha256GuidedSectionExtractLib.c

/** @file\r
\r
  This library registers RSA 2048 SHA 256 guided section handler\r
  to parse RSA 2048 SHA 256 encapsulation section and extract raw data.\r
  It uses the BaseCrypyLib based on OpenSSL to authenticate the signature.\r
\r
Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include <PiPei.h>\r
#include <Protocol/Hash.h>\r
#include <Library/ExtractGuidedSectionLib.h>\r
#include <Library/DebugLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include <Library/MemoryAllocationLib.h>\r
#include <Library/PcdLib.h>\r
#include <Guid/WinCertificate.h>\r
#include <Library/BaseCryptLib.h>\r
#include <Library/PerformanceLib.h>\r
#include <Guid/SecurityPkgTokenSpace.h>\r
\r
///\r
/// RSA 2048 SHA 256 Guided Section header\r
///\r
typedef struct {\r
  EFI_GUID_DEFINED_SECTION        GuidedSectionHeader;     ///< EFI guided section header\r
  EFI_CERT_BLOCK_RSA_2048_SHA256  CertBlockRsa2048Sha256;  ///< RSA 2048-bit Signature\r
} RSA_2048_SHA_256_SECTION_HEADER;\r
\r
typedef struct {\r
  EFI_GUID_DEFINED_SECTION2       GuidedSectionHeader;     ///< EFI guided section header\r
  EFI_CERT_BLOCK_RSA_2048_SHA256  CertBlockRsa2048Sha256;  ///< RSA 2048-bit Signature\r
} RSA_2048_SHA_256_SECTION2_HEADER;\r
\r
///\r
/// Public Exponent of RSA Key.\r
///\r
CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };\r
\r
/**\r
\r
  GetInfo gets raw data size and attribute of the input guided section.\r
  It first checks whether the input guid section is supported.\r
  If not, EFI_INVALID_PARAMETER will return.\r
\r
  @param InputSection       Buffer containing the input GUIDed section to be processed.\r
  @param OutputBufferSize   The size of OutputBuffer.\r
  @param ScratchBufferSize  The size of ScratchBuffer.\r
  @param SectionAttribute   The attribute of the input guided section.\r
\r
  @retval EFI_SUCCESS            The size of destination buffer, the size of scratch buffer and\r
                                 the attribute of the input section are successfully retrieved.\r
  @retval EFI_INVALID_PARAMETER  The GUID in InputSection does not match this instance guid.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
Rsa2048Sha256GuidedSectionGetInfo (\r
  IN  CONST VOID  *InputSection,\r
  OUT UINT32      *OutputBufferSize,\r
  OUT UINT32      *ScratchBufferSize,\r
  OUT UINT16      *SectionAttribute\r
  )\r
{\r
  if (IS_SECTION2 (InputSection)) {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
        &gEfiCertTypeRsa2048Sha256Guid,\r
        &(((EFI_GUID_DEFINED_SECTION2 *) InputSection)->SectionDefinitionGuid))) {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
    //\r
    // Retrieve the size and attribute of the input section data.\r
    //\r
    *SectionAttribute  = ((EFI_GUID_DEFINED_SECTION2 *) InputSection)->Attributes;\r
    *ScratchBufferSize = 0;\r
    *OutputBufferSize  = SECTION2_SIZE (InputSection) - sizeof(RSA_2048_SHA_256_SECTION2_HEADER);\r
  } else {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
        &gEfiCertTypeRsa2048Sha256Guid,\r
        &(((EFI_GUID_DEFINED_SECTION *) InputSection)->SectionDefinitionGuid))) {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
    //\r
    // Retrieve the size and attribute of the input section data.\r
    //\r
    *SectionAttribute  = ((EFI_GUID_DEFINED_SECTION *) InputSection)->Attributes;\r
    *ScratchBufferSize = 0;\r
    *OutputBufferSize  = SECTION_SIZE (InputSection) - sizeof(RSA_2048_SHA_256_SECTION_HEADER);\r
  }\r
\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
\r
  Extraction handler tries to extract raw data from the input guided section.\r
  It also does authentication check for RSA 2048 SHA 256 signature in the input guided section.\r
  It first checks whether the input guid section is supported.\r
  If not, EFI_INVALID_PARAMETER will return.\r
\r
  @param InputSection    Buffer containing the input GUIDed section to be processed.\r
  @param OutputBuffer    Buffer to contain the output raw data allocated by the caller.\r
  @param ScratchBuffer   A pointer to a caller-allocated buffer for function internal use.\r
  @param AuthenticationStatus A pointer to a caller-allocated UINT32 that indicates the\r
                              authentication status of the output buffer.\r
\r
  @retval EFI_SUCCESS            Section Data and Auth Status is extracted successfully.\r
  @retval EFI_INVALID_PARAMETER  The GUID in InputSection does not match this instance guid.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
Rsa2048Sha256GuidedSectionHandler (\r
  IN CONST  VOID    *InputSection,\r
  OUT       VOID    **OutputBuffer,\r
  IN        VOID    *ScratchBuffer,        OPTIONAL\r
  OUT       UINT32  *AuthenticationStatus\r
  )\r
{\r
  EFI_STATUS                      Status;\r
  UINT32                          OutputBufferSize;\r
  EFI_CERT_BLOCK_RSA_2048_SHA256  *CertBlockRsa2048Sha256;\r
  BOOLEAN                         CryptoStatus;\r
  UINT8                           Digest[SHA256_DIGEST_SIZE];\r
  UINT8                           *PublicKey;\r
  UINTN                           PublicKeyBufferSize;\r
  VOID                            *HashContext;\r
  VOID                            *Rsa;\r
\r
  HashContext = NULL;\r
  Rsa         = NULL;\r
\r
  if (IS_SECTION2 (InputSection)) {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
        &gEfiCertTypeRsa2048Sha256Guid,\r
        &(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid))) {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Get the RSA 2048 SHA 256 information.\r
    //\r
    CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION2_HEADER *) InputSection)->CertBlockRsa2048Sha256;\r
    OutputBufferSize       = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
    if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
      PERF_INMODULE_BEGIN ("PeiRsaCopy");\r
      CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER), OutputBufferSize);\r
      PERF_INMODULE_END ("PeiRsaCopy");\r
    } else {\r
      *OutputBuffer = (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
    }\r
\r
    //\r
    // Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
    //\r
    ASSERT ((((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
    *AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
  } else {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
        &gEfiCertTypeRsa2048Sha256Guid,\r
        &(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid))) {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Get the RSA 2048 SHA 256 information.\r
    //\r
    CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
    OutputBufferSize       = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
    if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
      PERF_INMODULE_BEGIN ("PeiRsaCopy");\r
      CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER), OutputBufferSize);\r
      PERF_INMODULE_END ("PeiRsaCopy");\r
    } else {\r
      *OutputBuffer = (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
    }\r
\r
    //\r
    // Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
    //\r
    ASSERT ((((EFI_GUID_DEFINED_SECTION *) InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
    *AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
  }\r
\r
  //\r
  // All paths from here return EFI_SUCESS and result is returned in AuthenticationStatus\r
  //\r
  Status = EFI_SUCCESS;\r
\r
  //\r
  // Fail if the HashType is not SHA 256\r
  //\r
  if (!CompareGuid (&gEfiHashAlgorithmSha256Guid, &CertBlockRsa2048Sha256->HashType)) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: HASH type of section is not supported\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Allocate hash context buffer required for SHA 256\r
  //\r
  HashContext = AllocatePool (Sha256GetContextSize ());\r
  if (HashContext == NULL) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Can not allocate hash context\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Hash public key from data payload with SHA256.\r
  //\r
  ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
  CryptoStatus = Sha256Init (HashContext);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
  CryptoStatus = Sha256Update (HashContext, &CertBlockRsa2048Sha256->PublicKey, sizeof(CertBlockRsa2048Sha256->PublicKey));\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
  CryptoStatus  = Sha256Final (HashContext, Digest);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Fail if the PublicKey is not one of the public keys in PcdRsa2048Sha256PublicKeyBuffer\r
  //\r
  PublicKey = (UINT8 *)PcdGetPtr (PcdRsa2048Sha256PublicKeyBuffer);\r
  DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer = %p\n", PublicKey));\r
  ASSERT (PublicKey != NULL);\r
  DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Token = %08x\n", PcdToken (PcdRsa2048Sha256PublicKeyBuffer)));\r
  PublicKeyBufferSize = PcdGetSize (PcdRsa2048Sha256PublicKeyBuffer);\r
  DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Size = %08x\n", PublicKeyBufferSize));\r
  ASSERT ((PublicKeyBufferSize % SHA256_DIGEST_SIZE) == 0);\r
  CryptoStatus = FALSE;\r
  while (PublicKeyBufferSize != 0) {\r
    if (CompareMem (Digest, PublicKey, SHA256_DIGEST_SIZE) == 0) {\r
      CryptoStatus = TRUE;\r
      break;\r
    }\r
    PublicKey = PublicKey + SHA256_DIGEST_SIZE;\r
    PublicKeyBufferSize = PublicKeyBufferSize - SHA256_DIGEST_SIZE;\r
  }\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Public key in section is not supported\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Generate & Initialize RSA Context.\r
  //\r
  Rsa = RsaNew ();\r
  if (Rsa == NULL) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaNew() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Set RSA Key Components.\r
  // NOTE: Only N and E are needed to be set as RSA public key for signature verification.\r
  //\r
  CryptoStatus = RsaSetKey (Rsa, RsaKeyN, CertBlockRsa2048Sha256->PublicKey, sizeof(CertBlockRsa2048Sha256->PublicKey));\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyN) failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
  CryptoStatus = RsaSetKey (Rsa, RsaKeyE, mRsaE, sizeof (mRsaE));\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyE) failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Hash data payload with SHA256.\r
  //\r
  ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
  CryptoStatus = Sha256Init (HashContext);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
  PERF_INMODULE_BEGIN ("PeiRsaShaData");\r
  CryptoStatus = Sha256Update (HashContext, *OutputBuffer, OutputBufferSize);\r
  PERF_INMODULE_END ("PeiRsaShaData");\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
  CryptoStatus  = Sha256Final (HashContext, Digest);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Verify the RSA 2048 SHA 256 signature.\r
  //\r
  PERF_INMODULE_BEGIN ("PeiRsaVerify");\r
  CryptoStatus = RsaPkcs1Verify (\r
                   Rsa,\r
                   Digest,\r
                   SHA256_DIGEST_SIZE,\r
                   CertBlockRsa2048Sha256->Signature,\r
                   sizeof (CertBlockRsa2048Sha256->Signature)\r
                   );\r
  PERF_INMODULE_END ("PeiRsaVerify");\r
  if (!CryptoStatus) {\r
    //\r
    // If RSA 2048 SHA 256 signature verification fails, AUTH tested failed bit is set.\r
    //\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaPkcs1Verify() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
  }\r
\r
Done:\r
  //\r
  // Free allocated resources used to perform RSA 2048 SHA 256 signature verification\r
  //\r
  if (Rsa != NULL) {\r
    RsaFree (Rsa);\r
  }\r
  if (HashContext != NULL) {\r
    FreePool (HashContext);\r
  }\r
\r
  DEBUG ((DEBUG_VERBOSE, "PeiRsa2048Sha256: Status = %r  AuthenticationStatus = %08x\n", Status, *AuthenticationStatus));\r
\r
  return Status;\r
}\r
\r
/**\r
  Register the handler to extract RSA 2048 SHA 256 guided section.\r
\r
  @param  FileHandle   The handle of FFS header the loaded driver.\r
  @param  PeiServices  The pointer to the PEI services.\r
\r
  @retval  EFI_SUCCESS           Register successfully.\r
  @retval  EFI_OUT_OF_RESOURCES  Not enough memory to register this handler.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
PeiRsa2048Sha256GuidedSectionExtractLibConstructor (\r
  IN EFI_PEI_FILE_HANDLE        FileHandle,\r
  IN CONST EFI_PEI_SERVICES     **PeiServices\r
  )\r
{\r
  return ExtractGuidedSectionRegisterHandlers (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           Rsa2048Sha256GuidedSectionGetInfo,\r
           Rsa2048Sha256GuidedSectionHandler\r
           );\r
}\r
Commit	Line	Data
1a53a034 MK	1	/** @file\r
1a53a034 MK	2	\r
b3548d32	3	This library registers RSA 2048 SHA 256 guided section handler\r
1a53a034 MK	4	to parse RSA 2048 SHA 256 encapsulation section and extract raw data.\r
	5	It uses the BaseCrypyLib based on OpenSSL to authenticate the signature.\r
	6	\r
b3548d32	7	Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
289b714b	8	SPDX-License-Identifier: BSD-2-Clause-Patent\r
1a53a034 MK	9	\r
	10	**/\r
	11	\r
	12	#include <PiPei.h>\r
	13	#include <Protocol/Hash.h>\r
	14	#include <Library/ExtractGuidedSectionLib.h>\r
	15	#include <Library/DebugLib.h>\r
	16	#include <Library/BaseMemoryLib.h>\r
	17	#include <Library/MemoryAllocationLib.h>\r
	18	#include <Library/PcdLib.h>\r
	19	#include <Guid/WinCertificate.h>\r
	20	#include <Library/BaseCryptLib.h>\r
	21	#include <Library/PerformanceLib.h>\r
	22	#include <Guid/SecurityPkgTokenSpace.h>\r
	23	\r
	24	///\r
	25	/// RSA 2048 SHA 256 Guided Section header\r
	26	///\r
	27	typedef struct {\r
	28	EFI_GUID_DEFINED_SECTION GuidedSectionHeader; ///< EFI guided section header\r
	29	EFI_CERT_BLOCK_RSA_2048_SHA256 CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
	30	} RSA_2048_SHA_256_SECTION_HEADER;\r
	31	\r
	32	typedef struct {\r
	33	EFI_GUID_DEFINED_SECTION2 GuidedSectionHeader; ///< EFI guided section header\r
	34	EFI_CERT_BLOCK_RSA_2048_SHA256 CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
	35	} RSA_2048_SHA_256_SECTION2_HEADER;\r
	36	\r
	37	///\r
	38	/// Public Exponent of RSA Key.\r
	39	///\r
	40	CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };\r
	41	\r
	42	/**\r
	43	\r
	44	GetInfo gets raw data size and attribute of the input guided section.\r
b3548d32	45	It first checks whether the input guid section is supported.\r
1a53a034 MK	46	If not, EFI_INVALID_PARAMETER will return.\r
	47	\r
	48	@param InputSection Buffer containing the input GUIDed section to be processed.\r
	49	@param OutputBufferSize The size of OutputBuffer.\r
	50	@param ScratchBufferSize The size of ScratchBuffer.\r
	51	@param SectionAttribute The attribute of the input guided section.\r
	52	\r
b3548d32	53	@retval EFI_SUCCESS The size of destination buffer, the size of scratch buffer and\r
0ab475c9	54	the attribute of the input section are successfully retrieved.\r
1a53a034 MK	55	@retval EFI_INVALID_PARAMETER The GUID in InputSection does not match this instance guid.\r
	56	\r
	57	**/\r
	58	EFI_STATUS\r
	59	EFIAPI\r
	60	Rsa2048Sha256GuidedSectionGetInfo (\r
	61	IN CONST VOID *InputSection,\r
	62	OUT UINT32 *OutputBufferSize,\r
	63	OUT UINT32 *ScratchBufferSize,\r
	64	OUT UINT16 *SectionAttribute\r
	65	)\r
	66	{\r
	67	if (IS_SECTION2 (InputSection)) {\r
	68	//\r
	69	// Check whether the input guid section is recognized.\r
	70	//\r
	71	if (!CompareGuid (\r
	72	&gEfiCertTypeRsa2048Sha256Guid,\r
	73	&(((EFI_GUID_DEFINED_SECTION2 *) InputSection)->SectionDefinitionGuid))) {\r
	74	return EFI_INVALID_PARAMETER;\r
	75	}\r
	76	//\r
	77	// Retrieve the size and attribute of the input section data.\r
	78	//\r
	79	SectionAttribute = ((EFI_GUID_DEFINED_SECTION2 ) InputSection)->Attributes;\r
	80	*ScratchBufferSize = 0;\r
3a2e6a74	81	*OutputBufferSize = SECTION2_SIZE (InputSection) - sizeof(RSA_2048_SHA_256_SECTION2_HEADER);\r
1a53a034 MK	82	} else {\r
	83	//\r
	84	// Check whether the input guid section is recognized.\r
	85	//\r
	86	if (!CompareGuid (\r
	87	&gEfiCertTypeRsa2048Sha256Guid,\r
	88	&(((EFI_GUID_DEFINED_SECTION *) InputSection)->SectionDefinitionGuid))) {\r
	89	return EFI_INVALID_PARAMETER;\r
	90	}\r
	91	//\r
	92	// Retrieve the size and attribute of the input section data.\r
	93	//\r
	94	SectionAttribute = ((EFI_GUID_DEFINED_SECTION ) InputSection)->Attributes;\r
	95	*ScratchBufferSize = 0;\r
3a2e6a74	96	*OutputBufferSize = SECTION_SIZE (InputSection) - sizeof(RSA_2048_SHA_256_SECTION_HEADER);\r
1a53a034 MK	97	}\r
	98	\r
	99	return EFI_SUCCESS;\r
	100	}\r
	101	\r
	102	/**\r
	103	\r
	104	Extraction handler tries to extract raw data from the input guided section.\r
	105	It also does authentication check for RSA 2048 SHA 256 signature in the input guided section.\r
b3548d32	106	It first checks whether the input guid section is supported.\r
1a53a034 MK	107	If not, EFI_INVALID_PARAMETER will return.\r
	108	\r
	109	@param InputSection Buffer containing the input GUIDed section to be processed.\r
	110	@param OutputBuffer Buffer to contain the output raw data allocated by the caller.\r
	111	@param ScratchBuffer A pointer to a caller-allocated buffer for function internal use.\r
	112	@param AuthenticationStatus A pointer to a caller-allocated UINT32 that indicates the\r
	113	authentication status of the output buffer.\r
	114	\r
	115	@retval EFI_SUCCESS Section Data and Auth Status is extracted successfully.\r
	116	@retval EFI_INVALID_PARAMETER The GUID in InputSection does not match this instance guid.\r
	117	\r
	118	**/\r
	119	EFI_STATUS\r
	120	EFIAPI\r
	121	Rsa2048Sha256GuidedSectionHandler (\r
	122	IN CONST VOID *InputSection,\r
	123	OUT VOID **OutputBuffer,\r
	124	IN VOID *ScratchBuffer, OPTIONAL\r
	125	OUT UINT32 *AuthenticationStatus\r
	126	)\r
	127	{\r
	128	EFI_STATUS Status;\r
	129	UINT32 OutputBufferSize;\r
	130	EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlockRsa2048Sha256;\r
	131	BOOLEAN CryptoStatus;\r
	132	UINT8 Digest[SHA256_DIGEST_SIZE];\r
	133	UINT8 *PublicKey;\r
	134	UINTN PublicKeyBufferSize;\r
	135	VOID *HashContext;\r
	136	VOID *Rsa;\r
b3548d32	137	\r
1a53a034 MK	138	HashContext = NULL;\r
1a53a034 MK	139	Rsa = NULL;\r
b3548d32	140	\r
1a53a034 MK	141	if (IS_SECTION2 (InputSection)) {\r
	142	//\r
	143	// Check whether the input guid section is recognized.\r
	144	//\r
	145	if (!CompareGuid (\r
	146	&gEfiCertTypeRsa2048Sha256Guid,\r
	147	&(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid))) {\r
	148	return EFI_INVALID_PARAMETER;\r
	149	}\r
b3548d32	150	\r
1a53a034 MK	151	//\r
	152	// Get the RSA 2048 SHA 256 information.\r
	153	//\r
	154	CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION2_HEADER *) InputSection)->CertBlockRsa2048Sha256;\r
	155	OutputBufferSize = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
	156	if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
e1dea56b	157	PERF_INMODULE_BEGIN ("PeiRsaCopy");\r
1a53a034	158	CopyMem (OutputBuffer, (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER), OutputBufferSize);\r
e1dea56b	159	PERF_INMODULE_END ("PeiRsaCopy");\r
1a53a034 MK	160	} else {\r
	161	OutputBuffer = (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
	162	}\r
	163	\r
	164	//\r
	165	// Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
	166	//\r
	167	ASSERT ((((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
	168	*AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
	169	} else {\r
	170	//\r
	171	// Check whether the input guid section is recognized.\r
	172	//\r
	173	if (!CompareGuid (\r
	174	&gEfiCertTypeRsa2048Sha256Guid,\r
	175	&(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid))) {\r
	176	return EFI_INVALID_PARAMETER;\r
	177	}\r
b3548d32	178	\r
1a53a034 MK	179	//\r
	180	// Get the RSA 2048 SHA 256 information.\r
	181	//\r
	182	CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
	183	OutputBufferSize = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
	184	if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
e1dea56b	185	PERF_INMODULE_BEGIN ("PeiRsaCopy");\r
1a53a034	186	CopyMem (OutputBuffer, (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER), OutputBufferSize);\r
e1dea56b	187	PERF_INMODULE_END ("PeiRsaCopy");\r
1a53a034 MK	188	} else {\r
	189	OutputBuffer = (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
	190	}\r
	191	\r
	192	//\r
	193	// Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
	194	//\r
	195	ASSERT ((((EFI_GUID_DEFINED_SECTION *) InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
	196	*AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
	197	}\r
	198	\r
	199	//\r
	200	// All paths from here return EFI_SUCESS and result is returned in AuthenticationStatus\r
	201	//\r
	202	Status = EFI_SUCCESS;\r
b3548d32	203	\r
1a53a034 MK	204	//\r
	205	// Fail if the HashType is not SHA 256\r
	206	//\r
	207	if (!CompareGuid (&gEfiHashAlgorithmSha256Guid, &CertBlockRsa2048Sha256->HashType)) {\r
	208	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: HASH type of section is not supported\n"));\r
	209	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	210	goto Done;\r
	211	}\r
	212	\r
	213	//\r
	214	// Allocate hash context buffer required for SHA 256\r
	215	//\r
	216	HashContext = AllocatePool (Sha256GetContextSize ());\r
	217	if (HashContext == NULL) {\r
	218	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Can not allocate hash context\n"));\r
	219	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	220	goto Done;\r
	221	}\r
	222	\r
	223	//\r
	224	// Hash public key from data payload with SHA256.\r
	225	//\r
	226	ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
	227	CryptoStatus = Sha256Init (HashContext);\r
	228	if (!CryptoStatus) {\r
	229	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));\r
	230	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	231	goto Done;\r
	232	}\r
	233	CryptoStatus = Sha256Update (HashContext, &CertBlockRsa2048Sha256->PublicKey, sizeof(CertBlockRsa2048Sha256->PublicKey));\r
	234	if (!CryptoStatus) {\r
	235	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));\r
	236	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	237	goto Done;\r
	238	}\r
	239	CryptoStatus = Sha256Final (HashContext, Digest);\r
	240	if (!CryptoStatus) {\r
	241	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));\r
	242	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	243	goto Done;\r
	244	}\r
b3548d32	245	\r
1a53a034 MK	246	//\r
	247	// Fail if the PublicKey is not one of the public keys in PcdRsa2048Sha256PublicKeyBuffer\r
	248	//\r
	249	PublicKey = (UINT8 *)PcdGetPtr (PcdRsa2048Sha256PublicKeyBuffer);\r
	250	DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer = %p\n", PublicKey));\r
	251	ASSERT (PublicKey != NULL);\r
	252	DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Token = %08x\n", PcdToken (PcdRsa2048Sha256PublicKeyBuffer)));\r
6bb832b3	253	PublicKeyBufferSize = PcdGetSize (PcdRsa2048Sha256PublicKeyBuffer);\r
1a53a034 MK	254	DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Size = %08x\n", PublicKeyBufferSize));\r
	255	ASSERT ((PublicKeyBufferSize % SHA256_DIGEST_SIZE) == 0);\r
	256	CryptoStatus = FALSE;\r
	257	while (PublicKeyBufferSize != 0) {\r
	258	if (CompareMem (Digest, PublicKey, SHA256_DIGEST_SIZE) == 0) {\r
	259	CryptoStatus = TRUE;\r
	260	break;\r
	261	}\r
	262	PublicKey = PublicKey + SHA256_DIGEST_SIZE;\r
	263	PublicKeyBufferSize = PublicKeyBufferSize - SHA256_DIGEST_SIZE;\r
	264	}\r
	265	if (!CryptoStatus) {\r
	266	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Public key in section is not supported\n"));\r
	267	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	268	goto Done;\r
	269	}\r
	270	\r
	271	//\r
	272	// Generate & Initialize RSA Context.\r
	273	//\r
	274	Rsa = RsaNew ();\r
	275	if (Rsa == NULL) {\r
	276	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaNew() failed\n"));\r
	277	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	278	goto Done;\r
	279	}\r
b3548d32 LG	280	\r
b3548d32 LG	281	//\r
1a53a034 MK	282	// Set RSA Key Components.\r
	283	// NOTE: Only N and E are needed to be set as RSA public key for signature verification.\r
	284	//\r
	285	CryptoStatus = RsaSetKey (Rsa, RsaKeyN, CertBlockRsa2048Sha256->PublicKey, sizeof(CertBlockRsa2048Sha256->PublicKey));\r
	286	if (!CryptoStatus) {\r
	287	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyN) failed\n"));\r
	288	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	289	goto Done;\r
	290	}\r
	291	CryptoStatus = RsaSetKey (Rsa, RsaKeyE, mRsaE, sizeof (mRsaE));\r
	292	if (!CryptoStatus) {\r
	293	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyE) failed\n"));\r
	294	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	295	goto Done;\r
	296	}\r
	297	\r
	298	//\r
	299	// Hash data payload with SHA256.\r
	300	//\r
	301	ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
	302	CryptoStatus = Sha256Init (HashContext);\r
	303	if (!CryptoStatus) {\r
	304	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));\r
	305	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	306	goto Done;\r
	307	}\r
e1dea56b	308	PERF_INMODULE_BEGIN ("PeiRsaShaData");\r
1a53a034	309	CryptoStatus = Sha256Update (HashContext, *OutputBuffer, OutputBufferSize);\r
e1dea56b	310	PERF_INMODULE_END ("PeiRsaShaData");\r
1a53a034 MK	311	if (!CryptoStatus) {\r
	312	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));\r
	313	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	314	goto Done;\r
	315	}\r
	316	CryptoStatus = Sha256Final (HashContext, Digest);\r
	317	if (!CryptoStatus) {\r
	318	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));\r
	319	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	320	goto Done;\r
	321	}\r
	322	\r
	323	//\r
	324	// Verify the RSA 2048 SHA 256 signature.\r
	325	//\r
e1dea56b	326	PERF_INMODULE_BEGIN ("PeiRsaVerify");\r
1a53a034	327	CryptoStatus = RsaPkcs1Verify (\r
b3548d32 LG	328	Rsa,\r
	329	Digest,\r
	330	SHA256_DIGEST_SIZE,\r
	331	CertBlockRsa2048Sha256->Signature,\r
1a53a034 MK	332	sizeof (CertBlockRsa2048Sha256->Signature)\r
1a53a034 MK	333	);\r
e1dea56b	334	PERF_INMODULE_END ("PeiRsaVerify");\r
1a53a034 MK	335	if (!CryptoStatus) {\r
	336	//\r
	337	// If RSA 2048 SHA 256 signature verification fails, AUTH tested failed bit is set.\r
	338	//\r
	339	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaPkcs1Verify() failed\n"));\r
	340	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	341	}\r
	342	\r
	343	Done:\r
	344	//\r
	345	// Free allocated resources used to perform RSA 2048 SHA 256 signature verification\r
	346	//\r
	347	if (Rsa != NULL) {\r
	348	RsaFree (Rsa);\r
	349	}\r
	350	if (HashContext != NULL) {\r
	351	FreePool (HashContext);\r
	352	}\r
	353	\r
1a53a034 MK	354	DEBUG ((DEBUG_VERBOSE, "PeiRsa2048Sha256: Status = %r AuthenticationStatus = %08x\n", Status, *AuthenticationStatus));\r
	355	\r
	356	return Status;\r
	357	}\r
	358	\r
	359	/**\r
	360	Register the handler to extract RSA 2048 SHA 256 guided section.\r
	361	\r
	362	@param FileHandle The handle of FFS header the loaded driver.\r
	363	@param PeiServices The pointer to the PEI services.\r
	364	\r
	365	@retval EFI_SUCCESS Register successfully.\r
	366	@retval EFI_OUT_OF_RESOURCES Not enough memory to register this handler.\r
	367	\r
	368	**/\r
	369	EFI_STATUS\r
	370	EFIAPI\r
	371	PeiRsa2048Sha256GuidedSectionExtractLibConstructor (\r
	372	IN EFI_PEI_FILE_HANDLE FileHandle,\r
	373	IN CONST EFI_PEI_SERVICES **PeiServices\r
	374	)\r
	375	{\r
	376	return ExtractGuidedSectionRegisterHandlers (\r
	377	&gEfiCertTypeRsa2048Sha256Guid,\r
	378	Rsa2048Sha256GuidedSectionGetInfo,\r
	379	Rsa2048Sha256GuidedSectionHandler\r
	380	);\r
	381	}\r