X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=blobdiff_plain;f=SecurityPkg%2FLibrary%2FDxeTpmMeasureBootLib%2FDxeTpmMeasureBootLib.c;h=a55296098840859ed0dde205ff524a1fee1b0490;hp=bbd38b74eda74e235fb20e83cb8d321dc64c519f;hb=5db28a6753d307cdfb1cfdeb2f63739a9f959837;hpb=de2447dd4ca93ca37ff067c325e478dc586235ca
diff --git a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
index bbd38b74ed..a552960988 100644
--- a/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c
@@ -1,6 +1,20 @@
 /** @file
 The library instance provides security service of TPM measure boot.
+ Caution: This file requires additional review when modified.
+ This library will have external input - PE/COFF image and GPT partition.
+ This external input must be validated carefully to avoid security issue like
+ buffer overflow, integer overflow.
+
+ DxeTpmMeasureBootLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ TcgMeasurePeImage() function will accept untrusted PE/COFF image and validate its
+ data structure within this image buffer before use.
+
+ TcgMeasureGptTable() function will receive untrusted GPT partition table, and parse
+ partition data carefully.
+
 Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License
@@ -42,6 +56,10 @@ UINTN mImageSize;
 /**
 Reads contents of a PE/COFF image in memory buffer.
+ Caution: This function may receive untrusted input.
+ PE/COFF image is external input, so this function will make sure the PE/COFF image content
+ read is within the image buffer.
+
 @param FileHandle Pointer to the file handle to read the PE/COFF image.
 @param FileOffset Offset into the PE/COFF image to begin the read operation.
 @param ReadSize On input, the size in bytes of the requested read operation.
@@ -86,6 +104,9 @@ DxeTpmMeasureBootLibImageRead (
 /**
 Measure GPT table data into TPM log.
+ Caution: This function may receive untrusted input.
+ The GPT partition table is external input, so this function should parse partition data carefully.
+
 @param TcgProtocol Pointer to the located TCG protocol instance.
 @param GptHandle Handle that GPT partition was installed.
@@ -247,6 +268,10 @@ TcgMeasureGptTable (
 Measure PE image into TPM log based on the authenticode image hashing in PE/COFF Specification 8.0 Appendix A.
+ Caution: This function may receive untrusted input.
+ PE/COFF image is external input, so this function will validate its data structure
+ within this image buffer before use.
+
 @param[in] TcgProtocol Pointer to the located TCG protocol instance.
 @param[in] ImageAddress Start address of image buffer.
 @param[in] ImageSize Image size
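Review bot: The new Caution paragraph on DxeTpmMeasureBootLibImageRead() in the @@ -42 hunk states a security property ("read is within the image buffer") without stating the contract a caller can rely on, and the body that enforces it is outside the hunk. The existing `@param ReadSize On input, the size in bytes of the requested read operation.` line should be completed with what happens when FileOffset plus ReadSize would run past the image held in mImageSize (the global visible in the hunk context) — whether ReadSize is clamped on output or the read fails — and that the bound is checked without relying on the sum, which is exactly the integer-overflow case the new file header warns about. A wording along the lines of `On output, the number of bytes actually read; a request extending beyond mImageSize is <clamped or rejected — confirm against the body>.` would make the claim verifiable. The same applies to the TcgMeasurePeImage() paragraph in the @@ -247 hunk, which promises validation "before use" without naming which headers and fields are checked.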
@@ -669,34 +694,28 @@ Finish:
 might be possible to use it at a future time, then EFI_SECURITY_VIOLATION is returned.
- @param[in, out] AuthenticationStatus This is the authentication status returned
+ @param[in] AuthenticationStatus This is the authentication status returned
 from the securitymeasurement services for the input file.
 @param[in] File This is a pointer to the device path of the file that is being dispatched. This will optionally be used for logging.
 @param[in] FileBuffer File buffer matches the input file device path.
 @param[in] FileSize Size of File buffer matches the input file device path.
+ @param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.
- @retval EFI_SUCCESS The file specified by File did authenticate, and the
- platform policy dictates that the DXE Core may use File.
- @retval EFI_INVALID_PARAMETER File is NULL.
- @retval EFI_SECURITY_VIOLATION The file specified by File did not authenticate, and
- the platform policy dictates that File should be placed
- in the untrusted state. A file may be promoted from
- the untrusted to the trusted state at a future time
- with a call to the Trust() DXE Service.
- @retval EFI_ACCESS_DENIED The file specified by File did not authenticate, and
- the platform policy dictates that File should not be
- used for any purpose.
-
+ @retval EFI_SUCCESS The file specified by DevicePath and non-NULL
+ FileBuffer did authenticate, and the platform policy dictates
+ that the DXE Foundation may use the file.
+ @retval other error value
 **/
 EFI_STATUS
 EFIAPI
 DxeTpmMeasureBootHandler (
- IN OUT UINT32 AuthenticationStatus,
+ IN UINT32 AuthenticationStatus,
 IN CONST EFI_DEVICE_PATH_PROTOCOL *File,
- IN VOID *FileBuffer OPTIONAL,
- IN UINTN FileSize OPTIONAL
+ IN VOID *FileBuffer,
+ IN UINTN FileSize,
+ IN BOOLEAN BootPolicy
 )
 {
 EFI_TCG_PROTOCOL *TcgProtocol;
@@ -711,10 +730,6 @@ DxeTpmMeasureBootHandler (
 BOOLEAN ApplicationRequired;
 PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
- if (File == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
 Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **) &TcgProtocol);
 if (EFI_ERROR (Status)) {
 //
@@ -743,7 +758,6 @@ DxeTpmMeasureBootHandler (
 // Copy File Device Path
 //
 OrigDevicePathNode = DuplicateDevicePath (File);
- ASSERT (OrigDevicePathNode != NULL);
 //
 // 1. Check whether this device path support BlockIo protocol.
@@ -903,7 +917,9 @@ DxeTpmMeasureBootHandler (
 // Done, free the allocated resource.
 //
 Finish:
- FreePool (OrigDevicePathNode);
+ if (OrigDevicePathNode != NULL) {
+ FreePool (OrigDevicePathNode);
+ }
 return Status;
 }
@@ -924,7 +940,7 @@ DxeTpmMeasureBootLibConstructor (
 IN EFI_SYSTEM_TABLE *SystemTable
 )
 {
- return RegisterSecurityHandler (
+ return RegisterSecurity2Handler (
 DxeTpmMeasureBootHandler,
 EFI_AUTH_OPERATION_MEASURE_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED
 );
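Review bot: Dropping the `File == NULL` guard in the @@ -711 hunk makes a NULL device path a supported input, yet the only remaining use of File in view, `DuplicateDevicePath (File)` in the @@ -743 hunk, is followed by device-path walks that lie outside the diff, so whether they tolerate a NULL copy cannot be confirmed from here. At the same time FileBuffer and FileSize lose their OPTIONAL qualifier in the prototype and the new @retval text assumes a non-NULL FileBuffer, but no check on FileBuffer is added anywhere in the diff. If the body past this hunk does not already do so, reject it explicitly before the image is handed to the PE/COFF loader, for example `if (FileBuffer == NULL) { Status = EFI_SECURITY_VIOLATION; goto Finish; }` placed after OrigDevicePathNode has been assigned so the Finish cleanup stays valid. DxeTpmMeasureBootHandler's body starts before and continues after this hunk.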
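Review bot: Removing the ASSERT in the @@ -743 hunk leaves OrigDevicePathNode unchecked between `DuplicateDevicePath (File)` and the guarded FreePool at Finish in the @@ -903 hunk, so a NULL result — from a NULL File, or from an allocation failure, which as far as I know DuplicateDevicePath reports the same way — flows into the "1. Check whether this device path support BlockIo protocol" logic that follows outside the hunk. If that logic does not handle NULL itself, the GPT and firmware-volume checks should be skipped when the copy is absent, e.g. wrapping them in `if (OrigDevicePathNode != NULL) { ... }`, and an allocation failure with a non-NULL File arguably deserves an error status rather than silently measuring nothing. The conditional FreePool in the @@ -903 hunk is the right cleanup for both cases but does not distinguish them. The function body continues past each of these hunks.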