X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=blobdiff_plain;f=SecurityPkg%2FVariableAuthenticated%2FRuntimeDxe%2FAuthService.c;h=07a41b06f8ad01a52d5e232d63cc4357d0986d66;hp=7da0d63aba90dc86448cd9b46b4e8512afd386af;hb=e3ff137e3652a85944ba1ba91ad61f09ef1ff248;hpb=0ba17ade477cda3cac9419f6b00996b3b45135c5
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 7da0d63aba..07a41b06f8 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -15,7 +15,7 @@
They will do basic validation for authentication data structure, then call crypto library
to verify the signature.
-Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
+Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -36,6 +36,8 @@ UINT8 mPubKeyStore[MAX_KEYDB_SIZE];
UINT32 mPubKeyNumber;
UINT8 mCertDbStore[MAX_CERTDB_SIZE];
UINT32 mPlatformMode;
+UINT8 mVendorKeyState;
+
EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
//
// Public Exponent of RSA Key.
@@ -46,14 +48,6 @@ CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
//
VOID *mHashCtx = NULL;
-//
-// Pointer to runtime buffer.
-// For "Append" operation to an existing variable, a read/modify/write operation
-// is supported by firmware internally. Reserve runtime buffer to cache previous
-// variable data in runtime phase because memory allocation is forbidden in virtual mode.
-//
-VOID *mStorageArea = NULL;
-
//
// The serialization of the values of the VariableName, VendorGuid and Attributes
// parameters of the SetVariable() call and the TimeStamp component of the
@@ -189,14 +183,6 @@ AutenticatedVariableServiceInitialize (
return EFI_OUT_OF_RESOURCES;
}
- //
- // Reserved runtime buffer for "Append" operation in virtual mode.
- //
- mStorageArea = AllocateRuntimePool (MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)));
- if (mStorageArea == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
//
// Prepare runtime buffer for serialized data of time-based authenticated
// Variable, i.e. (VariableName, VendorGuid, Attributes, TimeStamp, Data).
@@ -255,7 +241,7 @@ AutenticatedVariableServiceInitialize (
}
//
- // Create "SetupMode" varable with BS+RT attribute set.
+ // Create "SetupMode" variable with BS+RT attribute set.
//
FindVariable (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
if (PkVariable.CurrPtr == NULL) {
@@ -279,7 +265,7 @@ AutenticatedVariableServiceInitialize (
}
//
- // Create "SignatureSupport" varable with BS+RT attribute set.
+ // Create "SignatureSupport" variable with BS+RT attribute set.
//
FindVariable (EFI_SIGNATURE_SUPPORT_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
Status = UpdateVariable (
@@ -328,7 +314,7 @@ AutenticatedVariableServiceInitialize (
}
//
- // Create "SecureBoot" varable with BS+RT attribute set.
+ // Create "SecureBoot" variable with BS+RT attribute set.
//
if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
SecureBootMode = SECURE_BOOT_MODE_ENABLE;
@@ -409,6 +395,54 @@ AutenticatedVariableServiceInitialize (
}
}
+ //
+ // Check "VendorKeysNv" variable's existence and create "VendorKeys" variable accordingly.
+ //
+ FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+ if (Variable.CurrPtr != NULL) {
+ mVendorKeyState = *(GetVariableDataPtr (Variable.CurrPtr));
+ } else {
+ //
+ // "VendorKeysNv" not exist, initialize it in VENDOR_KEYS_VALID state.
+ //
+ mVendorKeyState = VENDOR_KEYS_VALID;
+ Status = UpdateVariable (
+ EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
+ &gEfiVendorKeysNvGuid,
+ &mVendorKeyState,
+ sizeof (UINT8),
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ //
+ // Create "VendorKeys" variable with BS+RT attribute set.
+ //
+ FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+ Status = UpdateVariable (
+ EFI_VENDOR_KEYS_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ &mVendorKeyState,
+ sizeof (UINT8),
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_VENDOR_KEYS_VARIABLE_NAME, mVendorKeyState));
+
return Status;
}
@@ -416,22 +450,26 @@ AutenticatedVariableServiceInitialize (
Add public key in store and return its index.
@param[in] PubKey Input pointer to Public Key data
+ @param[in] VariableDataEntry The variable data entry
@return Index of new added item
**/
UINT32
AddPubKeyInStore (
- IN UINT8 *PubKey
+ IN UINT8 *PubKey,
+ IN VARIABLE_ENTRY_CONSISTENCY *VariableDataEntry
)
{
- EFI_STATUS Status;
- BOOLEAN IsFound;
- UINT32 Index;
- VARIABLE_POINTER_TRACK Variable;
- UINT8 *Ptr;
- UINT8 *Data;
- UINTN DataSize;
+ EFI_STATUS Status;
+ BOOLEAN IsFound;
+ UINT32 Index;
+ VARIABLE_POINTER_TRACK Variable;
+ UINT8 *Ptr;
+ UINT8 *Data;
+ UINTN DataSize;
+ VARIABLE_ENTRY_CONSISTENCY PublicKeyEntry;
+ UINT32 Attributes;
if (PubKey == NULL) {
return 0;
@@ -444,8 +482,8 @@ AddPubKeyInStore (
&mVariableModuleGlobal->VariableGlobal,
FALSE
);
- ASSERT_EFI_ERROR (Status);
if (EFI_ERROR (Status)) {
+ DEBUG ((EFI_D_ERROR, "Get public key database variable failure, Status = %r\n", Status));
return 0;
}
@@ -481,7 +519,8 @@ AddPubKeyInStore (
&mVariableModuleGlobal->NonVolatileLastVariableOffset,
FALSE,
NULL,
- TRUE,
+ NULL,
+ 0,
TRUE
);
if (EFI_ERROR (Status)) {
@@ -495,8 +534,8 @@ AddPubKeyInStore (
&mVariableModuleGlobal->VariableGlobal,
FALSE
);
- ASSERT_EFI_ERROR (Status);
if (EFI_ERROR (Status)) {
+ DEBUG ((EFI_D_ERROR, "Get public key database variable failure, Status = %r\n", Status));
return 0;
}
@@ -511,6 +550,21 @@ AddPubKeyInStore (
}
}
+ //
+ // Check the variable space for both public key and variable data.
+ //
+ PublicKeyEntry.VariableSize = (mPubKeyNumber + 1) * EFI_CERT_TYPE_RSA2048_SIZE;
+ PublicKeyEntry.Guid = &gEfiAuthenticatedVariableGuid;
+ PublicKeyEntry.Name = AUTHVAR_KEYDB_NAME;
+ Attributes = VARIABLE_ATTRIBUTE_NV_BS_RT | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
+
+ if (!CheckRemainingSpaceForConsistency (Attributes, &PublicKeyEntry, VariableDataEntry, NULL)) {
+ //
+ // No enough variable space.
+ //
+ return 0;
+ }
+
CopyMem (mPubKeyStore + mPubKeyNumber * EFI_CERT_TYPE_RSA2048_SIZE, PubKey, EFI_CERT_TYPE_RSA2048_SIZE);
Index = ++mPubKeyNumber;
//
@@ -521,13 +575,16 @@ AddPubKeyInStore (
&gEfiAuthenticatedVariableGuid,
mPubKeyStore,
mPubKeyNumber * EFI_CERT_TYPE_RSA2048_SIZE,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS,
+ Attributes,
0,
0,
&Variable,
NULL
);
- ASSERT_EFI_ERROR (Status);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((EFI_D_ERROR, "Update public key database variable failure, Status = %r\n", Status));
+ return 0;
+ }
}
return Index;
@@ -911,6 +968,56 @@ CheckSignatureListFormat(
return EFI_SUCCESS;
}
+/**
+ Update "VendorKeys" variable to record the out of band secure boot key modification.
+
+ @return EFI_SUCCESS Variable is updated successfully.
+ @return Others Failed to update variable.
+
+**/
+EFI_STATUS
+VendorKeyIsModified (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ VARIABLE_POINTER_TRACK Variable;
+
+ if (mVendorKeyState == VENDOR_KEYS_MODIFIED) {
+ return EFI_SUCCESS;
+ }
+ mVendorKeyState = VENDOR_KEYS_MODIFIED;
+
+ FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+ Status = UpdateVariable (
+ EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
+ &gEfiVendorKeysNvGuid,
+ &mVendorKeyState,
+ sizeof (UINT8),
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+ return UpdateVariable (
+ EFI_VENDOR_KEYS_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ &mVendorKeyState,
+ sizeof (UINT8),
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+}
+
/**
Process variable with platform key for verification.
@@ -985,6 +1092,13 @@ ProcessVarWithPk (
Variable,
&((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
);
+ if (EFI_ERROR(Status)) {
+ return Status;
+ }
+
+ if ((mPlatformMode != SETUP_MODE) || IsPk) {
+ Status = VendorKeyIsModified ();
+ }
} else if (mPlatformMode == USER_MODE) {
//
// Verify against X509 Cert in PK database.
@@ -1117,6 +1231,13 @@ ProcessVarWithKek (
Variable,
&((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ if (mPlatformMode != SETUP_MODE) {
+ Status = VendorKeyIsModified ();
+ }
}
return Status;
@@ -1169,6 +1290,7 @@ ProcessVariable (
EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlock;
UINT32 KeyIndex;
UINT64 MonotonicCount;
+ VARIABLE_ENTRY_CONSISTENCY VariableDataEntry;
KeyIndex = 0;
CertData = NULL;
@@ -1294,10 +1416,14 @@ ProcessVariable (
// Now, the signature has been verified!
//
if (IsFirstTime && !IsDeletion) {
+ VariableDataEntry.VariableSize = DataSize - AUTHINFO_SIZE;
+ VariableDataEntry.Guid = VendorGuid;
+ VariableDataEntry.Name = VariableName;
+
//
// Update public key database variable if need.
//
- KeyIndex = AddPubKeyInStore (PubKey);
+ KeyIndex = AddPubKeyInStore (PubKey, &VariableDataEntry);
if (KeyIndex == 0) {
return EFI_OUT_OF_RESOURCES;
}
@@ -2081,7 +2207,24 @@ VerifyTimeBasedPayload (
if (AuthVarType == AuthVarTypePk) {
//
- // Get platform key from variable.
+ // Verify that the signature has been made with the current Platform Key (no chaining for PK).
+ // First, get signer's certificates from SignedData.
+ //
+ VerifyStatus = Pkcs7GetSigners (
+ SigData,
+ SigDataSize,
+ &SignerCerts,
+ &CertStackSize,
+ &RootCert,
+ &RootCertSize
+ );
+ if (!VerifyStatus) {
+ goto Exit;
+ }
+
+ //
+ // Second, get the current platform key from variable. Check whether it's identical with signer's certificates
+ // in SignedData. If not, return error immediately.
//
Status = FindVariable (
EFI_PLATFORM_KEY_NAME,
@@ -2091,14 +2234,16 @@ VerifyTimeBasedPayload (
FALSE
);
if (EFI_ERROR (Status)) {
- return Status;
+ VerifyStatus = FALSE;
+ goto Exit;
}
-
CertList = (EFI_SIGNATURE_LIST *) GetVariableDataPtr (PkVariable.CurrPtr);
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- RootCert = Cert->SignatureData;
- RootCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);
-
+ if ((RootCertSize != (CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1))) ||
+ (CompareMem (Cert->SignatureData, RootCert, RootCertSize) != 0)) {
+ VerifyStatus = FALSE;
+ goto Exit;
+ }
//
// Verify Pkcs7 SignedData via Pkcs7Verify library.
@@ -2254,7 +2399,7 @@ VerifyTimeBasedPayload (
Exit:
- if (AuthVarType == AuthVarTypePriv) {
+ if (AuthVarType == AuthVarTypePk || AuthVarType == AuthVarTypePriv) {
Pkcs7FreeSigners (RootCert);
Pkcs7FreeSigners (SignerCerts);
}