[mirror_edk2.git] / SecurityPkg / Library / PeiRsa2048Sha256GuidedSectionExtractLib / PeiRsa2048Sha256GuidedSectionExtractLib.c

/** @file\r
\r
  This library registers RSA 2048 SHA 256 guided section handler\r
  to parse RSA 2048 SHA 256 encapsulation section and extract raw data.\r
  It uses the BaseCryptLib based on OpenSSL to authenticate the signature.\r
\r
Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include <PiPei.h>\r
#include <Protocol/Hash.h>\r
#include <Library/ExtractGuidedSectionLib.h>\r
#include <Library/DebugLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include <Library/MemoryAllocationLib.h>\r
#include <Library/PcdLib.h>\r
#include <Guid/WinCertificate.h>\r
#include <Library/BaseCryptLib.h>\r
#include <Library/PerformanceLib.h>\r
#include <Guid/SecurityPkgTokenSpace.h>\r
\r
///\r
/// RSA 2048 SHA 256 Guided Section header\r
///\r
typedef struct {\r
  EFI_GUID_DEFINED_SECTION          GuidedSectionHeader;    ///< EFI guided section header\r
  EFI_CERT_BLOCK_RSA_2048_SHA256    CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
} RSA_2048_SHA_256_SECTION_HEADER;\r
\r
typedef struct {\r
  EFI_GUID_DEFINED_SECTION2         GuidedSectionHeader;    ///< EFI guided section header\r
  EFI_CERT_BLOCK_RSA_2048_SHA256    CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
} RSA_2048_SHA_256_SECTION2_HEADER;\r
\r
///\r
/// Public Exponent of RSA Key.\r
///\r
CONST UINT8  mRsaE[] = { 0x01, 0x00, 0x01 };\r
\r
/**\r
\r
  GetInfo gets raw data size and attribute of the input guided section.\r
  It first checks whether the input guid section is supported.\r
  If not, EFI_INVALID_PARAMETER will return.\r
\r
  @param InputSection       Buffer containing the input GUIDed section to be processed.\r
  @param OutputBufferSize   The size of OutputBuffer.\r
  @param ScratchBufferSize  The size of ScratchBuffer.\r
  @param SectionAttribute   The attribute of the input guided section.\r
\r
  @retval EFI_SUCCESS            The size of destination buffer, the size of scratch buffer and\r
                                 the attribute of the input section are successfully retrieved.\r
  @retval EFI_INVALID_PARAMETER  The GUID in InputSection does not match this instance guid.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
Rsa2048Sha256GuidedSectionGetInfo (\r
  IN  CONST VOID  *InputSection,\r
  OUT UINT32      *OutputBufferSize,\r
  OUT UINT32      *ScratchBufferSize,\r
  OUT UINT16      *SectionAttribute\r
  )\r
{\r
  if (IS_SECTION2 (InputSection)) {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           &(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)\r
           ))\r
    {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Retrieve the size and attribute of the input section data.\r
    //\r
    *SectionAttribute  = ((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes;\r
    *ScratchBufferSize = 0;\r
    *OutputBufferSize  = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
  } else {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           &(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)\r
           ))\r
    {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Retrieve the size and attribute of the input section data.\r
    //\r
    *SectionAttribute  = ((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes;\r
    *ScratchBufferSize = 0;\r
    *OutputBufferSize  = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
  }\r
\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
\r
  Extraction handler tries to extract raw data from the input guided section.\r
  It also does authentication check for RSA 2048 SHA 256 signature in the input guided section.\r
  It first checks whether the input guid section is supported.\r
  If not, EFI_INVALID_PARAMETER will return.\r
\r
  @param InputSection    Buffer containing the input GUIDed section to be processed.\r
  @param OutputBuffer    Buffer to contain the output raw data allocated by the caller.\r
  @param ScratchBuffer   A pointer to a caller-allocated buffer for function internal use.\r
  @param AuthenticationStatus A pointer to a caller-allocated UINT32 that indicates the\r
                              authentication status of the output buffer.\r
\r
  @retval EFI_SUCCESS            Section Data and Auth Status is extracted successfully.\r
  @retval EFI_INVALID_PARAMETER  The GUID in InputSection does not match this instance guid.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
Rsa2048Sha256GuidedSectionHandler (\r
  IN CONST  VOID    *InputSection,\r
  OUT       VOID    **OutputBuffer,\r
  IN        VOID    *ScratchBuffer         OPTIONAL,\r
  OUT       UINT32  *AuthenticationStatus\r
  )\r
{\r
  EFI_STATUS                      Status;\r
  UINT32                          OutputBufferSize;\r
  EFI_CERT_BLOCK_RSA_2048_SHA256  *CertBlockRsa2048Sha256;\r
  BOOLEAN                         CryptoStatus;\r
  UINT8                           Digest[SHA256_DIGEST_SIZE];\r
  UINT8                           *PublicKey;\r
  UINTN                           PublicKeyBufferSize;\r
  VOID                            *HashContext;\r
  VOID                            *Rsa;\r
\r
  HashContext = NULL;\r
  Rsa         = NULL;\r
\r
  if (IS_SECTION2 (InputSection)) {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           &(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)\r
           ))\r
    {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Get the RSA 2048 SHA 256 information.\r
    //\r
    CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION2_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
    OutputBufferSize       = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
    if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
      PERF_INMODULE_BEGIN ("PeiRsaCopy");\r
      CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER), OutputBufferSize);\r
      PERF_INMODULE_END ("PeiRsaCopy");\r
    } else {\r
      *OutputBuffer = (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
    }\r
\r
    //\r
    // Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
    //\r
    ASSERT ((((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
    *AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
  } else {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           &(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)\r
           ))\r
    {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Get the RSA 2048 SHA 256 information.\r
    //\r
    CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
    OutputBufferSize       = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
    if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
      PERF_INMODULE_BEGIN ("PeiRsaCopy");\r
      CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER), OutputBufferSize);\r
      PERF_INMODULE_END ("PeiRsaCopy");\r
    } else {\r
      *OutputBuffer = (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
    }\r
\r
    //\r
    // Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
    //\r
    ASSERT ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
    *AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
  }\r
\r
  //\r
  // All paths from here return EFI_SUCCESS and result is returned in AuthenticationStatus\r
  //\r
  Status = EFI_SUCCESS;\r
\r
  //\r
  // Fail if the HashType is not SHA 256\r
  //\r
  if (!CompareGuid (&gEfiHashAlgorithmSha256Guid, &CertBlockRsa2048Sha256->HashType)) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: HASH type of section is not supported\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Allocate hash context buffer required for SHA 256\r
  //\r
  HashContext = AllocatePool (Sha256GetContextSize ());\r
  if (HashContext == NULL) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Can not allocate hash context\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Hash public key from data payload with SHA256.\r
  //\r
  ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
  CryptoStatus = Sha256Init (HashContext);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  CryptoStatus = Sha256Update (HashContext, &CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  CryptoStatus = Sha256Final (HashContext, Digest);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Fail if the PublicKey is not one of the public keys in PcdRsa2048Sha256PublicKeyBuffer\r
  //\r
  PublicKey = (UINT8 *)PcdGetPtr (PcdRsa2048Sha256PublicKeyBuffer);\r
  DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer = %p\n", PublicKey));\r
  ASSERT (PublicKey != NULL);\r
  DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Token = %08x\n", PcdToken (PcdRsa2048Sha256PublicKeyBuffer)));\r
  PublicKeyBufferSize = PcdGetSize (PcdRsa2048Sha256PublicKeyBuffer);\r
  DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Size = %08x\n", PublicKeyBufferSize));\r
  ASSERT ((PublicKeyBufferSize % SHA256_DIGEST_SIZE) == 0);\r
  CryptoStatus = FALSE;\r
  while (PublicKeyBufferSize != 0) {\r
    if (CompareMem (Digest, PublicKey, SHA256_DIGEST_SIZE) == 0) {\r
      CryptoStatus = TRUE;\r
      break;\r
    }\r
\r
    PublicKey           = PublicKey + SHA256_DIGEST_SIZE;\r
    PublicKeyBufferSize = PublicKeyBufferSize - SHA256_DIGEST_SIZE;\r
  }\r
\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Public key in section is not supported\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Generate & Initialize RSA Context.\r
  //\r
  Rsa = RsaNew ();\r
  if (Rsa == NULL) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaNew() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Set RSA Key Components.\r
  // NOTE: Only N and E are needed to be set as RSA public key for signature verification.\r
  //\r
  CryptoStatus = RsaSetKey (Rsa, RsaKeyN, CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyN) failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  CryptoStatus = RsaSetKey (Rsa, RsaKeyE, mRsaE, sizeof (mRsaE));\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyE) failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Hash data payload with SHA256.\r
  //\r
  ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
  CryptoStatus = Sha256Init (HashContext);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  PERF_INMODULE_BEGIN ("PeiRsaShaData");\r
  CryptoStatus = Sha256Update (HashContext, *OutputBuffer, OutputBufferSize);\r
  PERF_INMODULE_END ("PeiRsaShaData");\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  CryptoStatus = Sha256Final (HashContext, Digest);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Verify the RSA 2048 SHA 256 signature.\r
  //\r
  PERF_INMODULE_BEGIN ("PeiRsaVerify");\r
  CryptoStatus = RsaPkcs1Verify (\r
                   Rsa,\r
                   Digest,\r
                   SHA256_DIGEST_SIZE,\r
                   CertBlockRsa2048Sha256->Signature,\r
                   sizeof (CertBlockRsa2048Sha256->Signature)\r
                   );\r
  PERF_INMODULE_END ("PeiRsaVerify");\r
  if (!CryptoStatus) {\r
    //\r
    // If RSA 2048 SHA 256 signature verification fails, AUTH tested failed bit is set.\r
    //\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaPkcs1Verify() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
  }\r
\r
Done:\r
  //\r
  // Free allocated resources used to perform RSA 2048 SHA 256 signature verification\r
  //\r
  if (Rsa != NULL) {\r
    RsaFree (Rsa);\r
  }\r
\r
  if (HashContext != NULL) {\r
    FreePool (HashContext);\r
  }\r
\r
  DEBUG ((DEBUG_VERBOSE, "PeiRsa2048Sha256: Status = %r  AuthenticationStatus = %08x\n", Status, *AuthenticationStatus));\r
\r
  return Status;\r
}\r
\r
/**\r
  Register the handler to extract RSA 2048 SHA 256 guided section.\r
\r
  @param  FileHandle   The handle of FFS header the loaded driver.\r
  @param  PeiServices  The pointer to the PEI services.\r
\r
  @retval  EFI_SUCCESS           Register successfully.\r
  @retval  EFI_OUT_OF_RESOURCES  Not enough memory to register this handler.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
PeiRsa2048Sha256GuidedSectionExtractLibConstructor (\r
  IN EFI_PEI_FILE_HANDLE     FileHandle,\r
  IN CONST EFI_PEI_SERVICES  **PeiServices\r
  )\r
{\r
  return ExtractGuidedSectionRegisterHandlers (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           Rsa2048Sha256GuidedSectionGetInfo,\r
           Rsa2048Sha256GuidedSectionHandler\r
           );\r
}\r
Commit	Line	Data
1a53a034 MK	1	/** @file\r
1a53a034 MK	2	\r
b3548d32	3	This library registers RSA 2048 SHA 256 guided section handler\r
1a53a034	4	to parse RSA 2048 SHA 256 encapsulation section and extract raw data.\r
d6b926e7	5	It uses the BaseCryptLib based on OpenSSL to authenticate the signature.\r
1a53a034	6	\r
b3548d32	7	Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
289b714b	8	SPDX-License-Identifier: BSD-2-Clause-Patent\r
1a53a034 MK	9	\r
	10	**/\r
	11	\r
	12	#include <PiPei.h>\r
	13	#include <Protocol/Hash.h>\r
	14	#include <Library/ExtractGuidedSectionLib.h>\r
	15	#include <Library/DebugLib.h>\r
	16	#include <Library/BaseMemoryLib.h>\r
	17	#include <Library/MemoryAllocationLib.h>\r
	18	#include <Library/PcdLib.h>\r
	19	#include <Guid/WinCertificate.h>\r
	20	#include <Library/BaseCryptLib.h>\r
	21	#include <Library/PerformanceLib.h>\r
	22	#include <Guid/SecurityPkgTokenSpace.h>\r
	23	\r
	24	///\r
	25	/// RSA 2048 SHA 256 Guided Section header\r
	26	///\r
	27	typedef struct {\r
c411b485 MK	28	EFI_GUID_DEFINED_SECTION GuidedSectionHeader; ///< EFI guided section header\r
c411b485 MK	29	EFI_CERT_BLOCK_RSA_2048_SHA256 CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
1a53a034 MK	30	} RSA_2048_SHA_256_SECTION_HEADER;\r
	31	\r
	32	typedef struct {\r
c411b485 MK	33	EFI_GUID_DEFINED_SECTION2 GuidedSectionHeader; ///< EFI guided section header\r
c411b485 MK	34	EFI_CERT_BLOCK_RSA_2048_SHA256 CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
1a53a034 MK	35	} RSA_2048_SHA_256_SECTION2_HEADER;\r
	36	\r
	37	///\r
	38	/// Public Exponent of RSA Key.\r
	39	///\r
c411b485	40	CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };\r
1a53a034 MK	41	\r
	42	/**\r
	43	\r
	44	GetInfo gets raw data size and attribute of the input guided section.\r
b3548d32	45	It first checks whether the input guid section is supported.\r
1a53a034 MK	46	If not, EFI_INVALID_PARAMETER will return.\r
	47	\r
	48	@param InputSection Buffer containing the input GUIDed section to be processed.\r
	49	@param OutputBufferSize The size of OutputBuffer.\r
	50	@param ScratchBufferSize The size of ScratchBuffer.\r
	51	@param SectionAttribute The attribute of the input guided section.\r
	52	\r
b3548d32	53	@retval EFI_SUCCESS The size of destination buffer, the size of scratch buffer and\r
0ab475c9	54	the attribute of the input section are successfully retrieved.\r
1a53a034 MK	55	@retval EFI_INVALID_PARAMETER The GUID in InputSection does not match this instance guid.\r
	56	\r
	57	**/\r
	58	EFI_STATUS\r
	59	EFIAPI\r
	60	Rsa2048Sha256GuidedSectionGetInfo (\r
	61	IN CONST VOID *InputSection,\r
	62	OUT UINT32 *OutputBufferSize,\r
	63	OUT UINT32 *ScratchBufferSize,\r
	64	OUT UINT16 *SectionAttribute\r
	65	)\r
	66	{\r
	67	if (IS_SECTION2 (InputSection)) {\r
	68	//\r
	69	// Check whether the input guid section is recognized.\r
	70	//\r
	71	if (!CompareGuid (\r
c411b485 MK	72	&gEfiCertTypeRsa2048Sha256Guid,\r
	73	&(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)\r
	74	))\r
	75	{\r
1a53a034 MK	76	return EFI_INVALID_PARAMETER;\r
1a53a034 MK	77	}\r
c411b485	78	\r
1a53a034 MK	79	//\r
	80	// Retrieve the size and attribute of the input section data.\r
	81	//\r
c411b485	82	SectionAttribute = ((EFI_GUID_DEFINED_SECTION2 )InputSection)->Attributes;\r
1a53a034	83	*ScratchBufferSize = 0;\r
c411b485	84	*OutputBufferSize = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
1a53a034 MK	85	} else {\r
	86	//\r
	87	// Check whether the input guid section is recognized.\r
	88	//\r
	89	if (!CompareGuid (\r
c411b485 MK	90	&gEfiCertTypeRsa2048Sha256Guid,\r
	91	&(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)\r
	92	))\r
	93	{\r
1a53a034 MK	94	return EFI_INVALID_PARAMETER;\r
1a53a034 MK	95	}\r
c411b485	96	\r
1a53a034 MK	97	//\r
	98	// Retrieve the size and attribute of the input section data.\r
	99	//\r
c411b485	100	SectionAttribute = ((EFI_GUID_DEFINED_SECTION )InputSection)->Attributes;\r
1a53a034	101	*ScratchBufferSize = 0;\r
c411b485	102	*OutputBufferSize = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
1a53a034 MK	103	}\r
	104	\r
	105	return EFI_SUCCESS;\r
	106	}\r
	107	\r
	108	/**\r
	109	\r
	110	Extraction handler tries to extract raw data from the input guided section.\r
	111	It also does authentication check for RSA 2048 SHA 256 signature in the input guided section.\r
b3548d32	112	It first checks whether the input guid section is supported.\r
1a53a034 MK	113	If not, EFI_INVALID_PARAMETER will return.\r
	114	\r
	115	@param InputSection Buffer containing the input GUIDed section to be processed.\r
	116	@param OutputBuffer Buffer to contain the output raw data allocated by the caller.\r
	117	@param ScratchBuffer A pointer to a caller-allocated buffer for function internal use.\r
	118	@param AuthenticationStatus A pointer to a caller-allocated UINT32 that indicates the\r
	119	authentication status of the output buffer.\r
	120	\r
	121	@retval EFI_SUCCESS Section Data and Auth Status is extracted successfully.\r
	122	@retval EFI_INVALID_PARAMETER The GUID in InputSection does not match this instance guid.\r
	123	\r
	124	**/\r
	125	EFI_STATUS\r
	126	EFIAPI\r
	127	Rsa2048Sha256GuidedSectionHandler (\r
	128	IN CONST VOID *InputSection,\r
	129	OUT VOID **OutputBuffer,\r
12710fe9	130	IN VOID *ScratchBuffer OPTIONAL,\r
1a53a034 MK	131	OUT UINT32 *AuthenticationStatus\r
	132	)\r
	133	{\r
	134	EFI_STATUS Status;\r
	135	UINT32 OutputBufferSize;\r
	136	EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlockRsa2048Sha256;\r
	137	BOOLEAN CryptoStatus;\r
	138	UINT8 Digest[SHA256_DIGEST_SIZE];\r
	139	UINT8 *PublicKey;\r
	140	UINTN PublicKeyBufferSize;\r
	141	VOID *HashContext;\r
	142	VOID *Rsa;\r
b3548d32	143	\r
1a53a034 MK	144	HashContext = NULL;\r
1a53a034 MK	145	Rsa = NULL;\r
b3548d32	146	\r
1a53a034 MK	147	if (IS_SECTION2 (InputSection)) {\r
	148	//\r
	149	// Check whether the input guid section is recognized.\r
	150	//\r
	151	if (!CompareGuid (\r
c411b485 MK	152	&gEfiCertTypeRsa2048Sha256Guid,\r
	153	&(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)\r
	154	))\r
	155	{\r
1a53a034 MK	156	return EFI_INVALID_PARAMETER;\r
1a53a034 MK	157	}\r
b3548d32	158	\r
1a53a034 MK	159	//\r
	160	// Get the RSA 2048 SHA 256 information.\r
	161	//\r
c411b485	162	CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION2_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
1a53a034 MK	163	OutputBufferSize = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
1a53a034 MK	164	if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
e1dea56b	165	PERF_INMODULE_BEGIN ("PeiRsaCopy");\r
1a53a034	166	CopyMem (OutputBuffer, (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER), OutputBufferSize);\r
e1dea56b	167	PERF_INMODULE_END ("PeiRsaCopy");\r
1a53a034 MK	168	} else {\r
	169	OutputBuffer = (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
	170	}\r
	171	\r
	172	//\r
	173	// Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
	174	//\r
	175	ASSERT ((((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
	176	*AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
	177	} else {\r
	178	//\r
	179	// Check whether the input guid section is recognized.\r
	180	//\r
	181	if (!CompareGuid (\r
c411b485 MK	182	&gEfiCertTypeRsa2048Sha256Guid,\r
	183	&(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)\r
	184	))\r
	185	{\r
1a53a034 MK	186	return EFI_INVALID_PARAMETER;\r
1a53a034 MK	187	}\r
b3548d32	188	\r
1a53a034 MK	189	//\r
	190	// Get the RSA 2048 SHA 256 information.\r
	191	//\r
	192	CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
	193	OutputBufferSize = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
	194	if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
e1dea56b	195	PERF_INMODULE_BEGIN ("PeiRsaCopy");\r
1a53a034	196	CopyMem (OutputBuffer, (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER), OutputBufferSize);\r
e1dea56b	197	PERF_INMODULE_END ("PeiRsaCopy");\r
1a53a034 MK	198	} else {\r
	199	OutputBuffer = (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
	200	}\r
	201	\r
	202	//\r
	203	// Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
	204	//\r
c411b485	205	ASSERT ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
1a53a034 MK	206	*AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
	207	}\r
	208	\r
	209	//\r
d6b926e7	210	// All paths from here return EFI_SUCCESS and result is returned in AuthenticationStatus\r
1a53a034 MK	211	//\r
1a53a034 MK	212	Status = EFI_SUCCESS;\r
b3548d32	213	\r
1a53a034 MK	214	//\r
	215	// Fail if the HashType is not SHA 256\r
	216	//\r
	217	if (!CompareGuid (&gEfiHashAlgorithmSha256Guid, &CertBlockRsa2048Sha256->HashType)) {\r
	218	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: HASH type of section is not supported\n"));\r
	219	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	220	goto Done;\r
	221	}\r
	222	\r
	223	//\r
	224	// Allocate hash context buffer required for SHA 256\r
	225	//\r
	226	HashContext = AllocatePool (Sha256GetContextSize ());\r
	227	if (HashContext == NULL) {\r
	228	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Can not allocate hash context\n"));\r
	229	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	230	goto Done;\r
	231	}\r
	232	\r
	233	//\r
	234	// Hash public key from data payload with SHA256.\r
	235	//\r
	236	ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
	237	CryptoStatus = Sha256Init (HashContext);\r
	238	if (!CryptoStatus) {\r
	239	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));\r
	240	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	241	goto Done;\r
	242	}\r
c411b485 MK	243	\r
c411b485 MK	244	CryptoStatus = Sha256Update (HashContext, &CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));\r
1a53a034 MK	245	if (!CryptoStatus) {\r
	246	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));\r
	247	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	248	goto Done;\r
	249	}\r
c411b485 MK	250	\r
c411b485 MK	251	CryptoStatus = Sha256Final (HashContext, Digest);\r
1a53a034 MK	252	if (!CryptoStatus) {\r
	253	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));\r
	254	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	255	goto Done;\r
	256	}\r
b3548d32	257	\r
1a53a034 MK	258	//\r
	259	// Fail if the PublicKey is not one of the public keys in PcdRsa2048Sha256PublicKeyBuffer\r
	260	//\r
	261	PublicKey = (UINT8 *)PcdGetPtr (PcdRsa2048Sha256PublicKeyBuffer);\r
	262	DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer = %p\n", PublicKey));\r
	263	ASSERT (PublicKey != NULL);\r
	264	DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Token = %08x\n", PcdToken (PcdRsa2048Sha256PublicKeyBuffer)));\r
6bb832b3	265	PublicKeyBufferSize = PcdGetSize (PcdRsa2048Sha256PublicKeyBuffer);\r
1a53a034 MK	266	DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Size = %08x\n", PublicKeyBufferSize));\r
	267	ASSERT ((PublicKeyBufferSize % SHA256_DIGEST_SIZE) == 0);\r
	268	CryptoStatus = FALSE;\r
	269	while (PublicKeyBufferSize != 0) {\r
	270	if (CompareMem (Digest, PublicKey, SHA256_DIGEST_SIZE) == 0) {\r
	271	CryptoStatus = TRUE;\r
	272	break;\r
	273	}\r
c411b485 MK	274	\r
c411b485 MK	275	PublicKey = PublicKey + SHA256_DIGEST_SIZE;\r
1a53a034 MK	276	PublicKeyBufferSize = PublicKeyBufferSize - SHA256_DIGEST_SIZE;\r
1a53a034 MK	277	}\r
c411b485	278	\r
1a53a034 MK	279	if (!CryptoStatus) {\r
	280	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Public key in section is not supported\n"));\r
	281	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	282	goto Done;\r
	283	}\r
	284	\r
	285	//\r
	286	// Generate & Initialize RSA Context.\r
	287	//\r
	288	Rsa = RsaNew ();\r
	289	if (Rsa == NULL) {\r
	290	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaNew() failed\n"));\r
	291	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	292	goto Done;\r
	293	}\r
b3548d32 LG	294	\r
b3548d32 LG	295	//\r
1a53a034 MK	296	// Set RSA Key Components.\r
	297	// NOTE: Only N and E are needed to be set as RSA public key for signature verification.\r
	298	//\r
c411b485	299	CryptoStatus = RsaSetKey (Rsa, RsaKeyN, CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));\r
1a53a034 MK	300	if (!CryptoStatus) {\r
	301	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyN) failed\n"));\r
	302	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	303	goto Done;\r
	304	}\r
c411b485	305	\r
1a53a034 MK	306	CryptoStatus = RsaSetKey (Rsa, RsaKeyE, mRsaE, sizeof (mRsaE));\r
	307	if (!CryptoStatus) {\r
	308	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyE) failed\n"));\r
	309	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	310	goto Done;\r
	311	}\r
	312	\r
	313	//\r
	314	// Hash data payload with SHA256.\r
	315	//\r
	316	ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
	317	CryptoStatus = Sha256Init (HashContext);\r
	318	if (!CryptoStatus) {\r
	319	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));\r
	320	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	321	goto Done;\r
	322	}\r
c411b485	323	\r
e1dea56b	324	PERF_INMODULE_BEGIN ("PeiRsaShaData");\r
1a53a034	325	CryptoStatus = Sha256Update (HashContext, *OutputBuffer, OutputBufferSize);\r
e1dea56b	326	PERF_INMODULE_END ("PeiRsaShaData");\r
1a53a034 MK	327	if (!CryptoStatus) {\r
	328	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));\r
	329	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	330	goto Done;\r
	331	}\r
c411b485 MK	332	\r
c411b485 MK	333	CryptoStatus = Sha256Final (HashContext, Digest);\r
1a53a034 MK	334	if (!CryptoStatus) {\r
	335	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));\r
	336	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	337	goto Done;\r
	338	}\r
	339	\r
	340	//\r
	341	// Verify the RSA 2048 SHA 256 signature.\r
	342	//\r
e1dea56b	343	PERF_INMODULE_BEGIN ("PeiRsaVerify");\r
1a53a034	344	CryptoStatus = RsaPkcs1Verify (\r
b3548d32 LG	345	Rsa,\r
	346	Digest,\r
	347	SHA256_DIGEST_SIZE,\r
	348	CertBlockRsa2048Sha256->Signature,\r
1a53a034 MK	349	sizeof (CertBlockRsa2048Sha256->Signature)\r
1a53a034 MK	350	);\r
e1dea56b	351	PERF_INMODULE_END ("PeiRsaVerify");\r
1a53a034 MK	352	if (!CryptoStatus) {\r
	353	//\r
	354	// If RSA 2048 SHA 256 signature verification fails, AUTH tested failed bit is set.\r
	355	//\r
	356	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaPkcs1Verify() failed\n"));\r
	357	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	358	}\r
	359	\r
	360	Done:\r
	361	//\r
	362	// Free allocated resources used to perform RSA 2048 SHA 256 signature verification\r
	363	//\r
	364	if (Rsa != NULL) {\r
	365	RsaFree (Rsa);\r
	366	}\r
c411b485	367	\r
1a53a034 MK	368	if (HashContext != NULL) {\r
	369	FreePool (HashContext);\r
	370	}\r
	371	\r
1a53a034 MK	372	DEBUG ((DEBUG_VERBOSE, "PeiRsa2048Sha256: Status = %r AuthenticationStatus = %08x\n", Status, *AuthenticationStatus));\r
	373	\r
	374	return Status;\r
	375	}\r
	376	\r
	377	/**\r
	378	Register the handler to extract RSA 2048 SHA 256 guided section.\r
	379	\r
	380	@param FileHandle The handle of FFS header the loaded driver.\r
	381	@param PeiServices The pointer to the PEI services.\r
	382	\r
	383	@retval EFI_SUCCESS Register successfully.\r
	384	@retval EFI_OUT_OF_RESOURCES Not enough memory to register this handler.\r
	385	\r
	386	**/\r
	387	EFI_STATUS\r
	388	EFIAPI\r
	389	PeiRsa2048Sha256GuidedSectionExtractLibConstructor (\r
c411b485 MK	390	IN EFI_PEI_FILE_HANDLE FileHandle,\r
c411b485 MK	391	IN CONST EFI_PEI_SERVICES **PeiServices\r
1a53a034 MK	392	)\r
	393	{\r
	394	return ExtractGuidedSectionRegisterHandlers (\r
	395	&gEfiCertTypeRsa2048Sha256Guid,\r
	396	Rsa2048Sha256GuidedSectionGetInfo,\r
	397	Rsa2048Sha256GuidedSectionHandler\r
	398	);\r
	399	}\r