SecurityPkg/Library/FmpAuthenticationLibPkcs7/FmpAuthenticationLibPkcs7.c

   1 /** @file
   2   FMP Authentication PKCS7 handler.
   3   Provide generic FMP authentication functions for DXE/PEI post memory phase.
   4
   5   Caution: This module requires additional review when modified.
   6   This module will have external input - capsule image.
   7   This external input must be validated carefully to avoid security issue like
   8   buffer overflow, integer overflow.
   9
  10   FmpAuthenticatedHandlerPkcs7(), AuthenticateFmpImage() will receive
  11   untrusted input and do basic validation.
  12
  13   Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
  14   SPDX-License-Identifier: BSD-2-Clause-Patent
  15
  16 **/
  17
  18 #include <Uefi.h>
  19
  20 #include <Guid/SystemResourceTable.h>
  21 #include <Guid/FirmwareContentsSigned.h>
  22 #include <Guid/WinCertificate.h>
  23
  24 #include <Library/BaseLib.h>
  25 #include <Library/BaseMemoryLib.h>
  26 #include <Library/DebugLib.h>
  27 #include <Library/MemoryAllocationLib.h>
  28 #include <Library/BaseCryptLib.h>
  29 #include <Library/FmpAuthenticationLib.h>
  30 #include <Library/PcdLib.h>
  31 #include <Protocol/FirmwareManagement.h>
  32 #include <Guid/SystemResourceTable.h>
  33
  34 /**
  35   The handler is used to do the authentication for FMP capsule based upon
  36   EFI_FIRMWARE_IMAGE_AUTHENTICATION.
  37
  38   Caution: This function may receive untrusted input.
  39
  40   This function assumes the caller AuthenticateFmpImage()
  41   already did basic validation for EFI_FIRMWARE_IMAGE_AUTHENTICATION.
  42
  43   @param[in]  Image                   Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.
  44   @param[in]  ImageSize               Size of the authentication image in bytes.
  45   @param[in]  PublicKeyData           The public key data used to validate the signature.
  46   @param[in]  PublicKeyDataLength     The length of the public key data.
  47
  48   @retval RETURN_SUCCESS            Authentication pass.
  49                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.
  50   @retval RETURN_SECURITY_VIOLATION Authentication fail.
  51                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.
  52   @retval RETURN_INVALID_PARAMETER  The image is in an invalid format.
  53                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
  54   @retval RETURN_OUT_OF_RESOURCES   No Authentication handler associated with CertType.
  55                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.
  56 **/
  57 RETURN_STATUS
  58 FmpAuthenticatedHandlerPkcs7 (
  59   IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,
  60   IN UINTN                              ImageSize,
  61   IN CONST UINT8                        *PublicKeyData,
  62   IN UINTN                              PublicKeyDataLength
  63   )
  64 {
  65   RETURN_STATUS                             Status;
  66   BOOLEAN                                   CryptoStatus;
  67   VOID                                      *P7Data;
  68   UINTN                                     P7Length;
  69   VOID                                      *TempBuffer;
  70
  71   DEBUG((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7 - Image: 0x%08x - 0x%08x\n", (UINTN)Image, (UINTN)ImageSize));
  72
  73   P7Length = Image->AuthInfo.Hdr.dwLength - (OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData));
  74   P7Data = Image->AuthInfo.CertData;
  75
  76   // It is a signature across the variable data and the Monotonic Count value.
  77   TempBuffer = AllocatePool(ImageSize - Image->AuthInfo.Hdr.dwLength);
  78   if (TempBuffer == NULL) {
  79     DEBUG((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: TempBuffer == NULL\n"));
  80     Status = RETURN_OUT_OF_RESOURCES;
  81     goto Done;
  82   }
  83
  84   CopyMem(
  85     TempBuffer,
  86     (UINT8 *)Image + sizeof(Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength,
  87     ImageSize - sizeof(Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength
  88     );
  89   CopyMem(
  90     (UINT8 *)TempBuffer + ImageSize - sizeof(Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength,
  91     &Image->MonotonicCount,
  92     sizeof(Image->MonotonicCount)
  93     );
  94   CryptoStatus = Pkcs7Verify(
  95                    P7Data,
  96                    P7Length,
  97                    PublicKeyData,
  98                    PublicKeyDataLength,
  99                    (UINT8 *)TempBuffer,
 100                    ImageSize - Image->AuthInfo.Hdr.dwLength
 101                    );
 102   FreePool(TempBuffer);
 103   if (!CryptoStatus) {
 104     //
 105     // If PKCS7 signature verification fails, AUTH tested failed bit is set.
 106     //
 107     DEBUG((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: Pkcs7Verify() failed\n"));
 108     Status = RETURN_SECURITY_VIOLATION;
 109     goto Done;
 110   }
 111   DEBUG((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7: PASS verification\n"));
 112
 113   Status = RETURN_SUCCESS;
 114
 115 Done:
 116   return Status;
 117 }
 118
 119 /**
 120   The function is used to do the authentication for FMP capsule based upon
 121   EFI_FIRMWARE_IMAGE_AUTHENTICATION.
 122
 123   The FMP capsule image should start with EFI_FIRMWARE_IMAGE_AUTHENTICATION,
 124   followed by the payload.
 125
 126   If the return status is RETURN_SUCCESS, the caller may continue the rest
 127   FMP update process.
 128   If the return status is NOT RETURN_SUCCESS, the caller should stop the FMP
 129   update process and convert the return status to LastAttemptStatus
 130   to indicate that FMP update fails.
 131   The LastAttemptStatus can be got from ESRT table or via
 132   EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo().
 133
 134   Caution: This function may receive untrusted input.
 135
 136   @param[in]  Image                   Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.
 137   @param[in]  ImageSize               Size of the authentication image in bytes.
 138   @param[in]  PublicKeyData           The public key data used to validate the signature.
 139   @param[in]  PublicKeyDataLength     The length of the public key data.
 140
 141   @retval RETURN_SUCCESS            Authentication pass.
 142                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.
 143   @retval RETURN_SECURITY_VIOLATION Authentication fail.
 144                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.
 145   @retval RETURN_INVALID_PARAMETER  The image is in an invalid format.
 146                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
 147   @retval RETURN_UNSUPPORTED        No Authentication handler associated with CertType.
 148                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
 149   @retval RETURN_UNSUPPORTED        Image or ImageSize is invalid.
 150                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
 151   @retval RETURN_OUT_OF_RESOURCES   No Authentication handler associated with CertType.
 152                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.
 153 **/
 154 RETURN_STATUS
 155 EFIAPI
 156 AuthenticateFmpImage (
 157   IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,
 158   IN UINTN                              ImageSize,
 159   IN CONST UINT8                        *PublicKeyData,
 160   IN UINTN                              PublicKeyDataLength
 161   )
 162 {
 163   GUID                                      *CertType;
 164   EFI_STATUS                                Status;
 165
 166   if ((Image == NULL) || (ImageSize == 0)) {
 167     return RETURN_UNSUPPORTED;
 168   }
 169
 170   if (ImageSize < sizeof(EFI_FIRMWARE_IMAGE_AUTHENTICATION)) {
 171     DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));
 172     return RETURN_INVALID_PARAMETER;
 173   }
 174   if (Image->AuthInfo.Hdr.dwLength <= OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData)) {
 175     DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too small\n"));
 176     return RETURN_INVALID_PARAMETER;
 177   }
 178   if ((UINTN) Image->AuthInfo.Hdr.dwLength > MAX_UINTN - sizeof(UINT64)) {
 179     DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too big\n"));
 180     return RETURN_INVALID_PARAMETER;
 181   }
 182   if (ImageSize <= sizeof(Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength) {
 183     DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));
 184     return RETURN_INVALID_PARAMETER;
 185   }
 186   if (Image->AuthInfo.Hdr.wRevision != 0x0200) {
 187     DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - wRevision: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wRevision, (UINTN)0x0200));
 188     return RETURN_INVALID_PARAMETER;
 189   }
 190   if (Image->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {
 191     DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - wCertificateType: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wCertificateType, (UINTN)WIN_CERT_TYPE_EFI_GUID));
 192     return RETURN_INVALID_PARAMETER;
 193   }
 194
 195   CertType = &Image->AuthInfo.CertType;
 196   DEBUG((DEBUG_INFO, "AuthenticateFmpImage - CertType: %g\n", CertType));
 197
 198   if (CompareGuid (&gEfiCertPkcs7Guid, CertType)) {
 199     //
 200     // Call the match handler to extract raw data for the input section data.
 201     //
 202     Status = FmpAuthenticatedHandlerPkcs7 (
 203                Image,
 204                ImageSize,
 205                PublicKeyData,
 206                PublicKeyDataLength
 207                );
 208     return Status;
 209   }
 210
 211   //
 212   // Not found, the input guided section is not supported.
 213   //
 214   return RETURN_UNSUPPORTED;
 215 }
 216