Update the chaining requirements with regards to the Platform Key.

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14661 6f19259b-4bc3-4df7-8a09-765794883524

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 909de960b723ddf9f9cfe71526cf9d6525f05a74..1f930e8a11e820d1dbe83025bf6c126c22675f21 100644 (file)
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -2195,7 +2195,24 @@ VerifyTimeBasedPayload (
 \r
   if (AuthVarType == AuthVarTypePk) {\r
     //\r
-    // Get platform key from variable.\r
+    // Verify that the signature has been made with the current Platform Key (no chaining for PK).\r
+    // First, get signer's certificates from SignedData.\r
+    //\r
+    VerifyStatus = Pkcs7GetSigners (\r
+                     SigData,\r
+                     SigDataSize,\r
+                     &SignerCerts,\r
+                     &CertStackSize,\r
+                     &RootCert,\r
+                     &RootCertSize\r
+                     );\r
+    if (!VerifyStatus) {\r
+      goto Exit;\r
+    }\r
+\r
+    //\r
+    // Second, get the current platform key from variable. Check whether it's identical with signer's certificates\r
+    // in SignedData. If not, return error immediately.\r
     //\r
     Status = FindVariable (\r
                EFI_PLATFORM_KEY_NAME,\r
@@ -2205,14 +2222,16 @@ VerifyTimeBasedPayload (
                FALSE\r
                );\r
     if (EFI_ERROR (Status)) {\r
-      return Status;\r
+      VerifyStatus = FALSE;\r
+      goto Exit;\r
     }\r
-\r
     CertList = (EFI_SIGNATURE_LIST *) GetVariableDataPtr (PkVariable.CurrPtr);\r
     Cert     = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);\r
-    RootCert      = Cert->SignatureData;\r
-    RootCertSize  = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);\r
-\r
+    if ((RootCertSize != (CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1))) ||\r
+        (CompareMem (Cert->SignatureData, RootCert, RootCertSize) != 0)) {\r
+      VerifyStatus = FALSE;\r
+      goto Exit;\r
+    }\r
 \r
     //\r
     // Verify Pkcs7 SignedData via Pkcs7Verify library.\r
@@ -2368,7 +2387,7 @@ VerifyTimeBasedPayload (
 \r
 Exit:\r
 \r
-  if (AuthVarType == AuthVarTypePriv) {\r
+  if (AuthVarType == AuthVarTypePk || AuthVarType == AuthVarTypePriv) {\r
     Pkcs7FreeSigners (RootCert);\r
     Pkcs7FreeSigners (SignerCerts);\r
   }\r