[mirror_edk2.git] / SecurityPkg / Library / PeiRsa2048Sha256GuidedSectionExtractLib / PeiRsa2048Sha256GuidedSectionExtractLib.c

/** @file\r
\r
  This library registers RSA 2048 SHA 256 guided section handler\r
  to parse RSA 2048 SHA 256 encapsulation section and extract raw data.\r
  It uses the BaseCryptLib based on OpenSSL to authenticate the signature.\r
\r
Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include <PiPei.h>\r
#include <Protocol/Hash.h>\r
#include <Library/ExtractGuidedSectionLib.h>\r
#include <Library/DebugLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include <Library/MemoryAllocationLib.h>\r
#include <Library/PcdLib.h>\r
#include <Guid/WinCertificate.h>\r
#include <Library/BaseCryptLib.h>\r
#include <Library/PerformanceLib.h>\r
#include <Guid/SecurityPkgTokenSpace.h>\r
\r
///\r
/// RSA 2048 SHA 256 Guided Section header\r
///\r
typedef struct {\r
  EFI_GUID_DEFINED_SECTION          GuidedSectionHeader;    ///< EFI guided section header\r
  EFI_CERT_BLOCK_RSA_2048_SHA256    CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
} RSA_2048_SHA_256_SECTION_HEADER;\r
\r
typedef struct {\r
  EFI_GUID_DEFINED_SECTION2         GuidedSectionHeader;    ///< EFI guided section header\r
  EFI_CERT_BLOCK_RSA_2048_SHA256    CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
} RSA_2048_SHA_256_SECTION2_HEADER;\r
\r
///\r
/// Public Exponent of RSA Key.\r
///\r
CONST UINT8  mRsaE[] = { 0x01, 0x00, 0x01 };\r
\r
/**\r
\r
  GetInfo gets raw data size and attribute of the input guided section.\r
  It first checks whether the input guid section is supported.\r
  If not, EFI_INVALID_PARAMETER will return.\r
\r
  @param InputSection       Buffer containing the input GUIDed section to be processed.\r
  @param OutputBufferSize   The size of OutputBuffer.\r
  @param ScratchBufferSize  The size of ScratchBuffer.\r
  @param SectionAttribute   The attribute of the input guided section.\r
\r
  @retval EFI_SUCCESS            The size of destination buffer, the size of scratch buffer and\r
                                 the attribute of the input section are successfully retrieved.\r
  @retval EFI_INVALID_PARAMETER  The GUID in InputSection does not match this instance guid.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
Rsa2048Sha256GuidedSectionGetInfo (\r
  IN  CONST VOID  *InputSection,\r
  OUT UINT32      *OutputBufferSize,\r
  OUT UINT32      *ScratchBufferSize,\r
  OUT UINT16      *SectionAttribute\r
  )\r
{\r
  if (IS_SECTION2 (InputSection)) {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           &(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)\r
           ))\r
    {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Retrieve the size and attribute of the input section data.\r
    //\r
    *SectionAttribute  = ((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes;\r
    *ScratchBufferSize = 0;\r
    *OutputBufferSize  = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
  } else {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           &(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)\r
           ))\r
    {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Retrieve the size and attribute of the input section data.\r
    //\r
    *SectionAttribute  = ((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes;\r
    *ScratchBufferSize = 0;\r
    *OutputBufferSize  = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
  }\r
\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
\r
  Extraction handler tries to extract raw data from the input guided section.\r
  It also does authentication check for RSA 2048 SHA 256 signature in the input guided section.\r
  It first checks whether the input guid section is supported.\r
  If not, EFI_INVALID_PARAMETER will return.\r
\r
  @param InputSection    Buffer containing the input GUIDed section to be processed.\r
  @param OutputBuffer    Buffer to contain the output raw data allocated by the caller.\r
  @param ScratchBuffer   A pointer to a caller-allocated buffer for function internal use.\r
  @param AuthenticationStatus A pointer to a caller-allocated UINT32 that indicates the\r
                              authentication status of the output buffer.\r
\r
  @retval EFI_SUCCESS            Section Data and Auth Status is extracted successfully.\r
  @retval EFI_INVALID_PARAMETER  The GUID in InputSection does not match this instance guid.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
Rsa2048Sha256GuidedSectionHandler (\r
  IN CONST  VOID    *InputSection,\r
  OUT       VOID    **OutputBuffer,\r
  IN        VOID    *ScratchBuffer         OPTIONAL,\r
  OUT       UINT32  *AuthenticationStatus\r
  )\r
{\r
  EFI_STATUS                      Status;\r
  UINT32                          OutputBufferSize;\r
  EFI_CERT_BLOCK_RSA_2048_SHA256  *CertBlockRsa2048Sha256;\r
  BOOLEAN                         CryptoStatus;\r
  UINT8                           Digest[SHA256_DIGEST_SIZE];\r
  UINT8                           *PublicKey;\r
  UINTN                           PublicKeyBufferSize;\r
  VOID                            *HashContext;\r
  VOID                            *Rsa;\r
\r
  HashContext = NULL;\r
  Rsa         = NULL;\r
\r
  if (IS_SECTION2 (InputSection)) {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           &(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)\r
           ))\r
    {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Get the RSA 2048 SHA 256 information.\r
    //\r
    CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION2_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
    OutputBufferSize       = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
    if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
      PERF_INMODULE_BEGIN ("PeiRsaCopy");\r
      CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER), OutputBufferSize);\r
      PERF_INMODULE_END ("PeiRsaCopy");\r
    } else {\r
      *OutputBuffer = (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
    }\r
\r
    //\r
    // Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
    //\r
    ASSERT ((((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
    *AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
  } else {\r
    //\r
    // Check whether the input guid section is recognized.\r
    //\r
    if (!CompareGuid (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           &(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)\r
           ))\r
    {\r
      return EFI_INVALID_PARAMETER;\r
    }\r
\r
    //\r
    // Get the RSA 2048 SHA 256 information.\r
    //\r
    CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
    OutputBufferSize       = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
    if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
      PERF_INMODULE_BEGIN ("PeiRsaCopy");\r
      CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER), OutputBufferSize);\r
      PERF_INMODULE_END ("PeiRsaCopy");\r
    } else {\r
      *OutputBuffer = (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
    }\r
\r
    //\r
    // Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
    //\r
    ASSERT ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
    *AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
  }\r
\r
  //\r
  // All paths from here return EFI_SUCCESS and result is returned in AuthenticationStatus\r
  //\r
  Status = EFI_SUCCESS;\r
\r
  //\r
  // Fail if the HashType is not SHA 256\r
  //\r
  if (!CompareGuid (&gEfiHashAlgorithmSha256Guid, &CertBlockRsa2048Sha256->HashType)) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: HASH type of section is not supported\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Allocate hash context buffer required for SHA 256\r
  //\r
  HashContext = AllocatePool (Sha256GetContextSize ());\r
  if (HashContext == NULL) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Can not allocate hash context\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Hash public key from data payload with SHA256.\r
  //\r
  ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
  CryptoStatus = Sha256Init (HashContext);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  CryptoStatus = Sha256Update (HashContext, &CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  CryptoStatus = Sha256Final (HashContext, Digest);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Fail if the PublicKey is not one of the public keys in PcdRsa2048Sha256PublicKeyBuffer\r
  //\r
  PublicKey = (UINT8 *)PcdGetPtr (PcdRsa2048Sha256PublicKeyBuffer);\r
  DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer = %p\n", PublicKey));\r
  ASSERT (PublicKey != NULL);\r
  DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Token = %08x\n", PcdToken (PcdRsa2048Sha256PublicKeyBuffer)));\r
  PublicKeyBufferSize = PcdGetSize (PcdRsa2048Sha256PublicKeyBuffer);\r
  DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Size = %08x\n", PublicKeyBufferSize));\r
  ASSERT ((PublicKeyBufferSize % SHA256_DIGEST_SIZE) == 0);\r
  CryptoStatus = FALSE;\r
  while (PublicKeyBufferSize != 0) {\r
    if (CompareMem (Digest, PublicKey, SHA256_DIGEST_SIZE) == 0) {\r
      CryptoStatus = TRUE;\r
      break;\r
    }\r
\r
    PublicKey           = PublicKey + SHA256_DIGEST_SIZE;\r
    PublicKeyBufferSize = PublicKeyBufferSize - SHA256_DIGEST_SIZE;\r
  }\r
\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Public key in section is not supported\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Generate & Initialize RSA Context.\r
  //\r
  Rsa = RsaNew ();\r
  if (Rsa == NULL) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaNew() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Set RSA Key Components.\r
  // NOTE: Only N and E are needed to be set as RSA public key for signature verification.\r
  //\r
  CryptoStatus = RsaSetKey (Rsa, RsaKeyN, CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyN) failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  CryptoStatus = RsaSetKey (Rsa, RsaKeyE, mRsaE, sizeof (mRsaE));\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyE) failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Hash data payload with SHA256.\r
  //\r
  ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
  CryptoStatus = Sha256Init (HashContext);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  PERF_INMODULE_BEGIN ("PeiRsaShaData");\r
  CryptoStatus = Sha256Update (HashContext, *OutputBuffer, OutputBufferSize);\r
  PERF_INMODULE_END ("PeiRsaShaData");\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  CryptoStatus = Sha256Final (HashContext, Digest);\r
  if (!CryptoStatus) {\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
    goto Done;\r
  }\r
\r
  //\r
  // Verify the RSA 2048 SHA 256 signature.\r
  //\r
  PERF_INMODULE_BEGIN ("PeiRsaVerify");\r
  CryptoStatus = RsaPkcs1Verify (\r
                   Rsa,\r
                   Digest,\r
                   SHA256_DIGEST_SIZE,\r
                   CertBlockRsa2048Sha256->Signature,\r
                   sizeof (CertBlockRsa2048Sha256->Signature)\r
                   );\r
  PERF_INMODULE_END ("PeiRsaVerify");\r
  if (!CryptoStatus) {\r
    //\r
    // If RSA 2048 SHA 256 signature verification fails, AUTH tested failed bit is set.\r
    //\r
    DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaPkcs1Verify() failed\n"));\r
    *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;\r
  }\r
\r
Done:\r
  //\r
  // Free allocated resources used to perform RSA 2048 SHA 256 signature verification\r
  //\r
  if (Rsa != NULL) {\r
    RsaFree (Rsa);\r
  }\r
\r
  if (HashContext != NULL) {\r
    FreePool (HashContext);\r
  }\r
\r
  DEBUG ((DEBUG_VERBOSE, "PeiRsa2048Sha256: Status = %r  AuthenticationStatus = %08x\n", Status, *AuthenticationStatus));\r
\r
  return Status;\r
}\r
\r
/**\r
  Register the handler to extract RSA 2048 SHA 256 guided section.\r
\r
  @param  FileHandle   The handle of FFS header the loaded driver.\r
  @param  PeiServices  The pointer to the PEI services.\r
\r
  @retval  EFI_SUCCESS           Register successfully.\r
  @retval  EFI_OUT_OF_RESOURCES  Not enough memory to register this handler.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
PeiRsa2048Sha256GuidedSectionExtractLibConstructor (\r
  IN EFI_PEI_FILE_HANDLE     FileHandle,\r
  IN CONST EFI_PEI_SERVICES  **PeiServices\r
  )\r
{\r
  return ExtractGuidedSectionRegisterHandlers (\r
           &gEfiCertTypeRsa2048Sha256Guid,\r
           Rsa2048Sha256GuidedSectionGetInfo,\r
           Rsa2048Sha256GuidedSectionHandler\r
           );\r
}\r
Commit	Line	Data
	1	/** @file\r
	2	\r
	3	This library registers RSA 2048 SHA 256 guided section handler\r
	4	to parse RSA 2048 SHA 256 encapsulation section and extract raw data.\r
	5	It uses the BaseCryptLib based on OpenSSL to authenticate the signature.\r
	6	\r
	7	Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
	8	SPDX-License-Identifier: BSD-2-Clause-Patent\r
	9	\r
	10	**/\r
	11	\r
	12	#include <PiPei.h>\r
	13	#include <Protocol/Hash.h>\r
	14	#include <Library/ExtractGuidedSectionLib.h>\r
	15	#include <Library/DebugLib.h>\r
	16	#include <Library/BaseMemoryLib.h>\r
	17	#include <Library/MemoryAllocationLib.h>\r
	18	#include <Library/PcdLib.h>\r
	19	#include <Guid/WinCertificate.h>\r
	20	#include <Library/BaseCryptLib.h>\r
	21	#include <Library/PerformanceLib.h>\r
	22	#include <Guid/SecurityPkgTokenSpace.h>\r
	23	\r
	24	///\r
	25	/// RSA 2048 SHA 256 Guided Section header\r
	26	///\r
	27	typedef struct {\r
	28	EFI_GUID_DEFINED_SECTION GuidedSectionHeader; ///< EFI guided section header\r
	29	EFI_CERT_BLOCK_RSA_2048_SHA256 CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
	30	} RSA_2048_SHA_256_SECTION_HEADER;\r
	31	\r
	32	typedef struct {\r
	33	EFI_GUID_DEFINED_SECTION2 GuidedSectionHeader; ///< EFI guided section header\r
	34	EFI_CERT_BLOCK_RSA_2048_SHA256 CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature\r
	35	} RSA_2048_SHA_256_SECTION2_HEADER;\r
	36	\r
	37	///\r
	38	/// Public Exponent of RSA Key.\r
	39	///\r
	40	CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };\r
	41	\r
	42	/**\r
	43	\r
	44	GetInfo gets raw data size and attribute of the input guided section.\r
	45	It first checks whether the input guid section is supported.\r
	46	If not, EFI_INVALID_PARAMETER will return.\r
	47	\r
	48	@param InputSection Buffer containing the input GUIDed section to be processed.\r
	49	@param OutputBufferSize The size of OutputBuffer.\r
	50	@param ScratchBufferSize The size of ScratchBuffer.\r
	51	@param SectionAttribute The attribute of the input guided section.\r
	52	\r
	53	@retval EFI_SUCCESS The size of destination buffer, the size of scratch buffer and\r
	54	the attribute of the input section are successfully retrieved.\r
	55	@retval EFI_INVALID_PARAMETER The GUID in InputSection does not match this instance guid.\r
	56	\r
	57	**/\r
	58	EFI_STATUS\r
	59	EFIAPI\r
	60	Rsa2048Sha256GuidedSectionGetInfo (\r
	61	IN CONST VOID *InputSection,\r
	62	OUT UINT32 *OutputBufferSize,\r
	63	OUT UINT32 *ScratchBufferSize,\r
	64	OUT UINT16 *SectionAttribute\r
	65	)\r
	66	{\r
	67	if (IS_SECTION2 (InputSection)) {\r
	68	//\r
	69	// Check whether the input guid section is recognized.\r
	70	//\r
	71	if (!CompareGuid (\r
	72	&gEfiCertTypeRsa2048Sha256Guid,\r
	73	&(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)\r
	74	))\r
	75	{\r
	76	return EFI_INVALID_PARAMETER;\r
	77	}\r
	78	\r
	79	//\r
	80	// Retrieve the size and attribute of the input section data.\r
	81	//\r
	82	SectionAttribute = ((EFI_GUID_DEFINED_SECTION2 )InputSection)->Attributes;\r
	83	*ScratchBufferSize = 0;\r
	84	*OutputBufferSize = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
	85	} else {\r
	86	//\r
	87	// Check whether the input guid section is recognized.\r
	88	//\r
	89	if (!CompareGuid (\r
	90	&gEfiCertTypeRsa2048Sha256Guid,\r
	91	&(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)\r
	92	))\r
	93	{\r
	94	return EFI_INVALID_PARAMETER;\r
	95	}\r
	96	\r
	97	//\r
	98	// Retrieve the size and attribute of the input section data.\r
	99	//\r
	100	SectionAttribute = ((EFI_GUID_DEFINED_SECTION )InputSection)->Attributes;\r
	101	*ScratchBufferSize = 0;\r
	102	*OutputBufferSize = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
	103	}\r
	104	\r
	105	return EFI_SUCCESS;\r
	106	}\r
	107	\r
	108	/**\r
	109	\r
	110	Extraction handler tries to extract raw data from the input guided section.\r
	111	It also does authentication check for RSA 2048 SHA 256 signature in the input guided section.\r
	112	It first checks whether the input guid section is supported.\r
	113	If not, EFI_INVALID_PARAMETER will return.\r
	114	\r
	115	@param InputSection Buffer containing the input GUIDed section to be processed.\r
	116	@param OutputBuffer Buffer to contain the output raw data allocated by the caller.\r
	117	@param ScratchBuffer A pointer to a caller-allocated buffer for function internal use.\r
	118	@param AuthenticationStatus A pointer to a caller-allocated UINT32 that indicates the\r
	119	authentication status of the output buffer.\r
	120	\r
	121	@retval EFI_SUCCESS Section Data and Auth Status is extracted successfully.\r
	122	@retval EFI_INVALID_PARAMETER The GUID in InputSection does not match this instance guid.\r
	123	\r
	124	**/\r
	125	EFI_STATUS\r
	126	EFIAPI\r
	127	Rsa2048Sha256GuidedSectionHandler (\r
	128	IN CONST VOID *InputSection,\r
	129	OUT VOID **OutputBuffer,\r
	130	IN VOID *ScratchBuffer OPTIONAL,\r
	131	OUT UINT32 *AuthenticationStatus\r
	132	)\r
	133	{\r
	134	EFI_STATUS Status;\r
	135	UINT32 OutputBufferSize;\r
	136	EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlockRsa2048Sha256;\r
	137	BOOLEAN CryptoStatus;\r
	138	UINT8 Digest[SHA256_DIGEST_SIZE];\r
	139	UINT8 *PublicKey;\r
	140	UINTN PublicKeyBufferSize;\r
	141	VOID *HashContext;\r
	142	VOID *Rsa;\r
	143	\r
	144	HashContext = NULL;\r
	145	Rsa = NULL;\r
	146	\r
	147	if (IS_SECTION2 (InputSection)) {\r
	148	//\r
	149	// Check whether the input guid section is recognized.\r
	150	//\r
	151	if (!CompareGuid (\r
	152	&gEfiCertTypeRsa2048Sha256Guid,\r
	153	&(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)\r
	154	))\r
	155	{\r
	156	return EFI_INVALID_PARAMETER;\r
	157	}\r
	158	\r
	159	//\r
	160	// Get the RSA 2048 SHA 256 information.\r
	161	//\r
	162	CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION2_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
	163	OutputBufferSize = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
	164	if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
	165	PERF_INMODULE_BEGIN ("PeiRsaCopy");\r
	166	CopyMem (OutputBuffer, (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER), OutputBufferSize);\r
	167	PERF_INMODULE_END ("PeiRsaCopy");\r
	168	} else {\r
	169	OutputBuffer = (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER);\r
	170	}\r
	171	\r
	172	//\r
	173	// Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
	174	//\r
	175	ASSERT ((((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
	176	*AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
	177	} else {\r
	178	//\r
	179	// Check whether the input guid section is recognized.\r
	180	//\r
	181	if (!CompareGuid (\r
	182	&gEfiCertTypeRsa2048Sha256Guid,\r
	183	&(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)\r
	184	))\r
	185	{\r
	186	return EFI_INVALID_PARAMETER;\r
	187	}\r
	188	\r
	189	//\r
	190	// Get the RSA 2048 SHA 256 information.\r
	191	//\r
	192	CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION_HEADER *)InputSection)->CertBlockRsa2048Sha256;\r
	193	OutputBufferSize = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
	194	if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {\r
	195	PERF_INMODULE_BEGIN ("PeiRsaCopy");\r
	196	CopyMem (OutputBuffer, (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER), OutputBufferSize);\r
	197	PERF_INMODULE_END ("PeiRsaCopy");\r
	198	} else {\r
	199	OutputBuffer = (UINT8 )InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER);\r
	200	}\r
	201	\r
	202	//\r
	203	// Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set\r
	204	//\r
	205	ASSERT ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);\r
	206	*AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;\r
	207	}\r
	208	\r
	209	//\r
	210	// All paths from here return EFI_SUCCESS and result is returned in AuthenticationStatus\r
	211	//\r
	212	Status = EFI_SUCCESS;\r
	213	\r
	214	//\r
	215	// Fail if the HashType is not SHA 256\r
	216	//\r
	217	if (!CompareGuid (&gEfiHashAlgorithmSha256Guid, &CertBlockRsa2048Sha256->HashType)) {\r
	218	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: HASH type of section is not supported\n"));\r
	219	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	220	goto Done;\r
	221	}\r
	222	\r
	223	//\r
	224	// Allocate hash context buffer required for SHA 256\r
	225	//\r
	226	HashContext = AllocatePool (Sha256GetContextSize ());\r
	227	if (HashContext == NULL) {\r
	228	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Can not allocate hash context\n"));\r
	229	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	230	goto Done;\r
	231	}\r
	232	\r
	233	//\r
	234	// Hash public key from data payload with SHA256.\r
	235	//\r
	236	ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
	237	CryptoStatus = Sha256Init (HashContext);\r
	238	if (!CryptoStatus) {\r
	239	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));\r
	240	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	241	goto Done;\r
	242	}\r
	243	\r
	244	CryptoStatus = Sha256Update (HashContext, &CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));\r
	245	if (!CryptoStatus) {\r
	246	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));\r
	247	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	248	goto Done;\r
	249	}\r
	250	\r
	251	CryptoStatus = Sha256Final (HashContext, Digest);\r
	252	if (!CryptoStatus) {\r
	253	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));\r
	254	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	255	goto Done;\r
	256	}\r
	257	\r
	258	//\r
	259	// Fail if the PublicKey is not one of the public keys in PcdRsa2048Sha256PublicKeyBuffer\r
	260	//\r
	261	PublicKey = (UINT8 *)PcdGetPtr (PcdRsa2048Sha256PublicKeyBuffer);\r
	262	DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer = %p\n", PublicKey));\r
	263	ASSERT (PublicKey != NULL);\r
	264	DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Token = %08x\n", PcdToken (PcdRsa2048Sha256PublicKeyBuffer)));\r
	265	PublicKeyBufferSize = PcdGetSize (PcdRsa2048Sha256PublicKeyBuffer);\r
	266	DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Size = %08x\n", PublicKeyBufferSize));\r
	267	ASSERT ((PublicKeyBufferSize % SHA256_DIGEST_SIZE) == 0);\r
	268	CryptoStatus = FALSE;\r
	269	while (PublicKeyBufferSize != 0) {\r
	270	if (CompareMem (Digest, PublicKey, SHA256_DIGEST_SIZE) == 0) {\r
	271	CryptoStatus = TRUE;\r
	272	break;\r
	273	}\r
	274	\r
	275	PublicKey = PublicKey + SHA256_DIGEST_SIZE;\r
	276	PublicKeyBufferSize = PublicKeyBufferSize - SHA256_DIGEST_SIZE;\r
	277	}\r
	278	\r
	279	if (!CryptoStatus) {\r
	280	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Public key in section is not supported\n"));\r
	281	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	282	goto Done;\r
	283	}\r
	284	\r
	285	//\r
	286	// Generate & Initialize RSA Context.\r
	287	//\r
	288	Rsa = RsaNew ();\r
	289	if (Rsa == NULL) {\r
	290	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaNew() failed\n"));\r
	291	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	292	goto Done;\r
	293	}\r
	294	\r
	295	//\r
	296	// Set RSA Key Components.\r
	297	// NOTE: Only N and E are needed to be set as RSA public key for signature verification.\r
	298	//\r
	299	CryptoStatus = RsaSetKey (Rsa, RsaKeyN, CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));\r
	300	if (!CryptoStatus) {\r
	301	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyN) failed\n"));\r
	302	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	303	goto Done;\r
	304	}\r
	305	\r
	306	CryptoStatus = RsaSetKey (Rsa, RsaKeyE, mRsaE, sizeof (mRsaE));\r
	307	if (!CryptoStatus) {\r
	308	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyE) failed\n"));\r
	309	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	310	goto Done;\r
	311	}\r
	312	\r
	313	//\r
	314	// Hash data payload with SHA256.\r
	315	//\r
	316	ZeroMem (Digest, SHA256_DIGEST_SIZE);\r
	317	CryptoStatus = Sha256Init (HashContext);\r
	318	if (!CryptoStatus) {\r
	319	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));\r
	320	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	321	goto Done;\r
	322	}\r
	323	\r
	324	PERF_INMODULE_BEGIN ("PeiRsaShaData");\r
	325	CryptoStatus = Sha256Update (HashContext, *OutputBuffer, OutputBufferSize);\r
	326	PERF_INMODULE_END ("PeiRsaShaData");\r
	327	if (!CryptoStatus) {\r
	328	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));\r
	329	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	330	goto Done;\r
	331	}\r
	332	\r
	333	CryptoStatus = Sha256Final (HashContext, Digest);\r
	334	if (!CryptoStatus) {\r
	335	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));\r
	336	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	337	goto Done;\r
	338	}\r
	339	\r
	340	//\r
	341	// Verify the RSA 2048 SHA 256 signature.\r
	342	//\r
	343	PERF_INMODULE_BEGIN ("PeiRsaVerify");\r
	344	CryptoStatus = RsaPkcs1Verify (\r
	345	Rsa,\r
	346	Digest,\r
	347	SHA256_DIGEST_SIZE,\r
	348	CertBlockRsa2048Sha256->Signature,\r
	349	sizeof (CertBlockRsa2048Sha256->Signature)\r
	350	);\r
	351	PERF_INMODULE_END ("PeiRsaVerify");\r
	352	if (!CryptoStatus) {\r
	353	//\r
	354	// If RSA 2048 SHA 256 signature verification fails, AUTH tested failed bit is set.\r
	355	//\r
	356	DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaPkcs1Verify() failed\n"));\r
	357	*AuthenticationStatus \|= EFI_AUTH_STATUS_TEST_FAILED;\r
	358	}\r
	359	\r
	360	Done:\r
	361	//\r
	362	// Free allocated resources used to perform RSA 2048 SHA 256 signature verification\r
	363	//\r
	364	if (Rsa != NULL) {\r
	365	RsaFree (Rsa);\r
	366	}\r
	367	\r
	368	if (HashContext != NULL) {\r
	369	FreePool (HashContext);\r
	370	}\r
	371	\r
	372	DEBUG ((DEBUG_VERBOSE, "PeiRsa2048Sha256: Status = %r AuthenticationStatus = %08x\n", Status, *AuthenticationStatus));\r
	373	\r
	374	return Status;\r
	375	}\r
	376	\r
	377	/**\r
	378	Register the handler to extract RSA 2048 SHA 256 guided section.\r
	379	\r
	380	@param FileHandle The handle of FFS header the loaded driver.\r
	381	@param PeiServices The pointer to the PEI services.\r
	382	\r
	383	@retval EFI_SUCCESS Register successfully.\r
	384	@retval EFI_OUT_OF_RESOURCES Not enough memory to register this handler.\r
	385	\r
	386	**/\r
	387	EFI_STATUS\r
	388	EFIAPI\r
	389	PeiRsa2048Sha256GuidedSectionExtractLibConstructor (\r
	390	IN EFI_PEI_FILE_HANDLE FileHandle,\r
	391	IN CONST EFI_PEI_SERVICES **PeiServices\r
	392	)\r
	393	{\r
	394	return ExtractGuidedSectionRegisterHandlers (\r
	395	&gEfiCertTypeRsa2048Sha256Guid,\r
	396	Rsa2048Sha256GuidedSectionGetInfo,\r
	397	Rsa2048Sha256GuidedSectionHandler\r
	398	);\r
	399	}\r