]> git.proxmox.com Git - mirror_edk2.git/blob - SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.c
projects / mirror_edk2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SecurityPkg: Apply uncrustify changes
[mirror_edk2.git] / SecurityPkg / Library / PeiRsa2048Sha256GuidedSectionExtractLib / PeiRsa2048Sha256GuidedSectionExtractLib.c
1 /** @file
2
3 This library registers RSA 2048 SHA 256 guided section handler
4 to parse RSA 2048 SHA 256 encapsulation section and extract raw data.
5 It uses the BaseCryptLib based on OpenSSL to authenticate the signature.
6
7 Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
8 SPDX-License-Identifier: BSD-2-Clause-Patent
9
10 **/
11
12 #include <PiPei.h>
13 #include <Protocol/Hash.h>
14 #include <Library/ExtractGuidedSectionLib.h>
15 #include <Library/DebugLib.h>
16 #include <Library/BaseMemoryLib.h>
17 #include <Library/MemoryAllocationLib.h>
18 #include <Library/PcdLib.h>
19 #include <Guid/WinCertificate.h>
20 #include <Library/BaseCryptLib.h>
21 #include <Library/PerformanceLib.h>
22 #include <Guid/SecurityPkgTokenSpace.h>
23
24 ///
25 /// RSA 2048 SHA 256 Guided Section header
26 ///
27 typedef struct {
28 EFI_GUID_DEFINED_SECTION GuidedSectionHeader; ///< EFI guided section header
29 EFI_CERT_BLOCK_RSA_2048_SHA256 CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature
30 } RSA_2048_SHA_256_SECTION_HEADER;
31
32 typedef struct {
33 EFI_GUID_DEFINED_SECTION2 GuidedSectionHeader; ///< EFI guided section header
34 EFI_CERT_BLOCK_RSA_2048_SHA256 CertBlockRsa2048Sha256; ///< RSA 2048-bit Signature
35 } RSA_2048_SHA_256_SECTION2_HEADER;
36
37 ///
38 /// Public Exponent of RSA Key.
39 ///
40 CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
41
42 /**
43
44 GetInfo gets raw data size and attribute of the input guided section.
45 It first checks whether the input guid section is supported.
46 If not, EFI_INVALID_PARAMETER will return.
47
48 @param InputSection Buffer containing the input GUIDed section to be processed.
49 @param OutputBufferSize The size of OutputBuffer.
50 @param ScratchBufferSize The size of ScratchBuffer.
51 @param SectionAttribute The attribute of the input guided section.
52
53 @retval EFI_SUCCESS The size of destination buffer, the size of scratch buffer and
54 the attribute of the input section are successfully retrieved.
55 @retval EFI_INVALID_PARAMETER The GUID in InputSection does not match this instance guid.
56
57 **/
58 EFI_STATUS
59 EFIAPI
60 Rsa2048Sha256GuidedSectionGetInfo (
61 IN CONST VOID *InputSection,
62 OUT UINT32 *OutputBufferSize,
63 OUT UINT32 *ScratchBufferSize,
64 OUT UINT16 *SectionAttribute
65 )
66 {
67 if (IS_SECTION2 (InputSection)) {
68 //
69 // Check whether the input guid section is recognized.
70 //
71 if (!CompareGuid (
72 &gEfiCertTypeRsa2048Sha256Guid,
73 &(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)
74 ))
75 {
76 return EFI_INVALID_PARAMETER;
77 }
78
79 //
80 // Retrieve the size and attribute of the input section data.
81 //
82 *SectionAttribute = ((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes;
83 *ScratchBufferSize = 0;
84 *OutputBufferSize = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);
85 } else {
86 //
87 // Check whether the input guid section is recognized.
88 //
89 if (!CompareGuid (
90 &gEfiCertTypeRsa2048Sha256Guid,
91 &(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)
92 ))
93 {
94 return EFI_INVALID_PARAMETER;
95 }
96
97 //
98 // Retrieve the size and attribute of the input section data.
99 //
100 *SectionAttribute = ((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes;
101 *ScratchBufferSize = 0;
102 *OutputBufferSize = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);
103 }
104
105 return EFI_SUCCESS;
106 }
107
108 /**
109
110 Extraction handler tries to extract raw data from the input guided section.
111 It also does authentication check for RSA 2048 SHA 256 signature in the input guided section.
112 It first checks whether the input guid section is supported.
113 If not, EFI_INVALID_PARAMETER will return.
114
115 @param InputSection Buffer containing the input GUIDed section to be processed.
116 @param OutputBuffer Buffer to contain the output raw data allocated by the caller.
117 @param ScratchBuffer A pointer to a caller-allocated buffer for function internal use.
118 @param AuthenticationStatus A pointer to a caller-allocated UINT32 that indicates the
119 authentication status of the output buffer.
120
121 @retval EFI_SUCCESS Section Data and Auth Status is extracted successfully.
122 @retval EFI_INVALID_PARAMETER The GUID in InputSection does not match this instance guid.
123
124 **/
125 EFI_STATUS
126 EFIAPI
127 Rsa2048Sha256GuidedSectionHandler (
128 IN CONST VOID *InputSection,
129 OUT VOID **OutputBuffer,
130 IN VOID *ScratchBuffer OPTIONAL,
131 OUT UINT32 *AuthenticationStatus
132 )
133 {
134 EFI_STATUS Status;
135 UINT32 OutputBufferSize;
136 EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlockRsa2048Sha256;
137 BOOLEAN CryptoStatus;
138 UINT8 Digest[SHA256_DIGEST_SIZE];
139 UINT8 *PublicKey;
140 UINTN PublicKeyBufferSize;
141 VOID *HashContext;
142 VOID *Rsa;
143
144 HashContext = NULL;
145 Rsa = NULL;
146
147 if (IS_SECTION2 (InputSection)) {
148 //
149 // Check whether the input guid section is recognized.
150 //
151 if (!CompareGuid (
152 &gEfiCertTypeRsa2048Sha256Guid,
153 &(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid)
154 ))
155 {
156 return EFI_INVALID_PARAMETER;
157 }
158
159 //
160 // Get the RSA 2048 SHA 256 information.
161 //
162 CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION2_HEADER *)InputSection)->CertBlockRsa2048Sha256;
163 OutputBufferSize = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);
164 if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {
165 PERF_INMODULE_BEGIN ("PeiRsaCopy");
166 CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER), OutputBufferSize);
167 PERF_INMODULE_END ("PeiRsaCopy");
168 } else {
169 *OutputBuffer = (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER);
170 }
171
172 //
173 // Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set
174 //
175 ASSERT ((((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);
176 *AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;
177 } else {
178 //
179 // Check whether the input guid section is recognized.
180 //
181 if (!CompareGuid (
182 &gEfiCertTypeRsa2048Sha256Guid,
183 &(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid)
184 ))
185 {
186 return EFI_INVALID_PARAMETER;
187 }
188
189 //
190 // Get the RSA 2048 SHA 256 information.
191 //
192 CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION_HEADER *)InputSection)->CertBlockRsa2048Sha256;
193 OutputBufferSize = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);
194 if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {
195 PERF_INMODULE_BEGIN ("PeiRsaCopy");
196 CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER), OutputBufferSize);
197 PERF_INMODULE_END ("PeiRsaCopy");
198 } else {
199 *OutputBuffer = (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER);
200 }
201
202 //
203 // Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set
204 //
205 ASSERT ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);
206 *AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;
207 }
208
209 //
210 // All paths from here return EFI_SUCCESS and result is returned in AuthenticationStatus
211 //
212 Status = EFI_SUCCESS;
213
214 //
215 // Fail if the HashType is not SHA 256
216 //
217 if (!CompareGuid (&gEfiHashAlgorithmSha256Guid, &CertBlockRsa2048Sha256->HashType)) {
218 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: HASH type of section is not supported\n"));
219 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
220 goto Done;
221 }
222
223 //
224 // Allocate hash context buffer required for SHA 256
225 //
226 HashContext = AllocatePool (Sha256GetContextSize ());
227 if (HashContext == NULL) {
228 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Can not allocate hash context\n"));
229 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
230 goto Done;
231 }
232
233 //
234 // Hash public key from data payload with SHA256.
235 //
236 ZeroMem (Digest, SHA256_DIGEST_SIZE);
237 CryptoStatus = Sha256Init (HashContext);
238 if (!CryptoStatus) {
239 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));
240 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
241 goto Done;
242 }
243
244 CryptoStatus = Sha256Update (HashContext, &CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));
245 if (!CryptoStatus) {
246 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));
247 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
248 goto Done;
249 }
250
251 CryptoStatus = Sha256Final (HashContext, Digest);
252 if (!CryptoStatus) {
253 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));
254 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
255 goto Done;
256 }
257
258 //
259 // Fail if the PublicKey is not one of the public keys in PcdRsa2048Sha256PublicKeyBuffer
260 //
261 PublicKey = (UINT8 *)PcdGetPtr (PcdRsa2048Sha256PublicKeyBuffer);
262 DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer = %p\n", PublicKey));
263 ASSERT (PublicKey != NULL);
264 DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Token = %08x\n", PcdToken (PcdRsa2048Sha256PublicKeyBuffer)));
265 PublicKeyBufferSize = PcdGetSize (PcdRsa2048Sha256PublicKeyBuffer);
266 DEBUG ((DEBUG_VERBOSE, "PeiPcdRsa2048Sha256: PublicKeyBuffer Size = %08x\n", PublicKeyBufferSize));
267 ASSERT ((PublicKeyBufferSize % SHA256_DIGEST_SIZE) == 0);
268 CryptoStatus = FALSE;
269 while (PublicKeyBufferSize != 0) {
270 if (CompareMem (Digest, PublicKey, SHA256_DIGEST_SIZE) == 0) {
271 CryptoStatus = TRUE;
272 break;
273 }
274
275 PublicKey = PublicKey + SHA256_DIGEST_SIZE;
276 PublicKeyBufferSize = PublicKeyBufferSize - SHA256_DIGEST_SIZE;
277 }
278
279 if (!CryptoStatus) {
280 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Public key in section is not supported\n"));
281 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
282 goto Done;
283 }
284
285 //
286 // Generate & Initialize RSA Context.
287 //
288 Rsa = RsaNew ();
289 if (Rsa == NULL) {
290 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaNew() failed\n"));
291 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
292 goto Done;
293 }
294
295 //
296 // Set RSA Key Components.
297 // NOTE: Only N and E are needed to be set as RSA public key for signature verification.
298 //
299 CryptoStatus = RsaSetKey (Rsa, RsaKeyN, CertBlockRsa2048Sha256->PublicKey, sizeof (CertBlockRsa2048Sha256->PublicKey));
300 if (!CryptoStatus) {
301 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyN) failed\n"));
302 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
303 goto Done;
304 }
305
306 CryptoStatus = RsaSetKey (Rsa, RsaKeyE, mRsaE, sizeof (mRsaE));
307 if (!CryptoStatus) {
308 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaSetKey(RsaKeyE) failed\n"));
309 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
310 goto Done;
311 }
312
313 //
314 // Hash data payload with SHA256.
315 //
316 ZeroMem (Digest, SHA256_DIGEST_SIZE);
317 CryptoStatus = Sha256Init (HashContext);
318 if (!CryptoStatus) {
319 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Init() failed\n"));
320 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
321 goto Done;
322 }
323
324 PERF_INMODULE_BEGIN ("PeiRsaShaData");
325 CryptoStatus = Sha256Update (HashContext, *OutputBuffer, OutputBufferSize);
326 PERF_INMODULE_END ("PeiRsaShaData");
327 if (!CryptoStatus) {
328 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Update() failed\n"));
329 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
330 goto Done;
331 }
332
333 CryptoStatus = Sha256Final (HashContext, Digest);
334 if (!CryptoStatus) {
335 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: Sha256Final() failed\n"));
336 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
337 goto Done;
338 }
339
340 //
341 // Verify the RSA 2048 SHA 256 signature.
342 //
343 PERF_INMODULE_BEGIN ("PeiRsaVerify");
344 CryptoStatus = RsaPkcs1Verify (
345 Rsa,
346 Digest,
347 SHA256_DIGEST_SIZE,
348 CertBlockRsa2048Sha256->Signature,
349 sizeof (CertBlockRsa2048Sha256->Signature)
350 );
351 PERF_INMODULE_END ("PeiRsaVerify");
352 if (!CryptoStatus) {
353 //
354 // If RSA 2048 SHA 256 signature verification fails, AUTH tested failed bit is set.
355 //
356 DEBUG ((DEBUG_ERROR, "PeiRsa2048Sha256: RsaPkcs1Verify() failed\n"));
357 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
358 }
359
360 Done:
361 //
362 // Free allocated resources used to perform RSA 2048 SHA 256 signature verification
363 //
364 if (Rsa != NULL) {
365 RsaFree (Rsa);
366 }
367
368 if (HashContext != NULL) {
369 FreePool (HashContext);
370 }
371
372 DEBUG ((DEBUG_VERBOSE, "PeiRsa2048Sha256: Status = %r AuthenticationStatus = %08x\n", Status, *AuthenticationStatus));
373
374 return Status;
375 }
376
377 /**
378 Register the handler to extract RSA 2048 SHA 256 guided section.
379
380 @param FileHandle The handle of FFS header the loaded driver.
381 @param PeiServices The pointer to the PEI services.
382
383 @retval EFI_SUCCESS Register successfully.
384 @retval EFI_OUT_OF_RESOURCES Not enough memory to register this handler.
385
386 **/
387 EFI_STATUS
388 EFIAPI
389 PeiRsa2048Sha256GuidedSectionExtractLibConstructor (
390 IN EFI_PEI_FILE_HANDLE FileHandle,
391 IN CONST EFI_PEI_SERVICES **PeiServices
392 )
393 {
394 return ExtractGuidedSectionRegisterHandlers (
395 &gEfiCertTypeRsa2048Sha256Guid,
396 Rsa2048Sha256GuidedSectionGetInfo,
397 Rsa2048Sha256GuidedSectionHandler
398 );
399 }
EFI Development Kit II mirror for PVE