SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (2) (CVE-2019...

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1608

To avoid false-negative issue in check hash against dbx, both error
condition (as return value) and check result (as out parameter) of
IsSignatureFoundInDatabase() are added. So the caller of this function
will know exactly if a failure is caused by a black list hit or
other error happening, and enforce a more secure operation to prevent
secure boot from being bypassed. For a white list check (db), there's
no such necessity.

All intermediate results inside this function will be checked and
returned immediately upon any failure or error, like out-of-resource,
hash calculation error or certificate retrieval failure.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index f20640af68b6966fcb503a78069491f690ea4470..0e1587bc3c3c3ca8c0b5f7860e33aaeaa73687e7 100644 (file)
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -955,17 +955,19 @@ Done:
   @param[in]  Signature           Pointer to signature that is searched for.\r
   @param[in]  CertType            Pointer to hash algorithm.\r
   @param[in]  SignatureSize       Size of Signature.\r
   @param[in]  Signature           Pointer to signature that is searched for.\r
   @param[in]  CertType            Pointer to hash algorithm.\r
   @param[in]  SignatureSize       Size of Signature.\r

+  @param[out] IsFound             Search result. Only valid if EFI_SUCCESS returned\r

 \r
 \r

-  @return TRUE                    Found the signature in the variable database.\r
-  @return FALSE                   Not found the signature in the variable database.\r
+  @retval EFI_SUCCESS             Finished the search without any error.\r
+  @retval Others                  Error occurred in the search of database.\r

 \r
 **/\r
 \r
 **/\r

-BOOLEAN\r
+EFI_STATUS\r

 IsSignatureFoundInDatabase (\r
 IsSignatureFoundInDatabase (\r

-  IN CHAR16             *VariableName,\r
-  IN UINT8              *Signature,\r
-  IN EFI_GUID           *CertType,\r
-  IN UINTN              SignatureSize\r
+  IN  CHAR16            *VariableName,\r
+  IN  UINT8             *Signature,\r
+  IN  EFI_GUID          *CertType,\r
+  IN  UINTN             SignatureSize,\r
+  OUT BOOLEAN           *IsFound\r

   )\r
 {\r
   EFI_STATUS          Status;\r
   )\r
 {\r
   EFI_STATUS          Status;\r


@@ -975,22 +977,28 @@ IsSignatureFoundInDatabase (
   UINT8               *Data;\r
   UINTN               Index;\r
   UINTN               CertCount;\r
   UINT8               *Data;\r
   UINTN               Index;\r
   UINTN               CertCount;\r

-  BOOLEAN             IsFound;\r

 \r
   //\r
   // Read signature database variable.\r
   //\r
 \r
   //\r
   // Read signature database variable.\r
   //\r

-  IsFound   = FALSE;\r
+  *IsFound  = FALSE;\r

   Data      = NULL;\r
   DataSize  = 0;\r
   Status    = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);\r
   if (Status != EFI_BUFFER_TOO_SMALL) {\r
   Data      = NULL;\r
   DataSize  = 0;\r
   Status    = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);\r
   if (Status != EFI_BUFFER_TOO_SMALL) {\r

-    return FALSE;\r
+    if (Status == EFI_NOT_FOUND) {\r
+      //\r
+      // No database, no need to search.\r
+      //\r
+      Status = EFI_SUCCESS;\r
+    }\r
+\r
+    return Status;\r

   }\r
 \r
   Data = (UINT8 *) AllocateZeroPool (DataSize);\r
   if (Data == NULL) {\r
   }\r
 \r
   Data = (UINT8 *) AllocateZeroPool (DataSize);\r
   if (Data == NULL) {\r

-    return FALSE;\r
+    return EFI_OUT_OF_RESOURCES;\r

   }\r
 \r
   Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data);\r
   }\r
 \r
   Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data);\r


@@ -1010,7 +1018,7 @@ IsSignatureFoundInDatabase (
           //\r
           // Find the signature in database.\r
           //\r
           //\r
           // Find the signature in database.\r
           //\r

-          IsFound = TRUE;\r
+          *IsFound = TRUE;\r

           //\r
           // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to validate image should be measured\r
           //\r
           //\r
           // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to validate image should be measured\r
           //\r


@@ -1023,7 +1031,7 @@ IsSignatureFoundInDatabase (
         Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);\r
       }\r
 \r
         Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);\r
       }\r
 \r

-      if (IsFound) {\r
+      if (*IsFound) {\r

         break;\r
       }\r
     }\r
         break;\r
       }\r
     }\r


@@ -1037,7 +1045,7 @@ Done:
     FreePool (Data);\r
   }\r
 \r
     FreePool (Data);\r
   }\r
 \r

-  return IsFound;\r
+  return Status;\r

 }\r
 \r
 /**\r
 }\r
 \r
 /**\r


@@ -1648,6 +1656,8 @@ DxeImageVerificationHandler (
   CHAR16                               *NameStr;\r
   RETURN_STATUS                        PeCoffStatus;\r
   EFI_STATUS                           HashStatus;\r
   CHAR16                               *NameStr;\r
   RETURN_STATUS                        PeCoffStatus;\r
   EFI_STATUS                           HashStatus;\r

+  EFI_STATUS                           DbStatus;\r
+  BOOLEAN                              IsFound;\r

 \r
   SignatureList     = NULL;\r
   SignatureListSize = 0;\r
 \r
   SignatureList     = NULL;\r
   SignatureListSize = 0;\r


@@ -1656,7 +1666,7 @@ DxeImageVerificationHandler (
   PkcsCertData      = NULL;\r
   Action            = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;\r
   IsVerified        = FALSE;\r
   PkcsCertData      = NULL;\r
   Action            = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;\r
   IsVerified        = FALSE;\r

-\r
+  IsFound           = FALSE;\r

 \r
   //\r
   // Check the image type and get policy setting.\r
 \r
   //\r
   // Check the image type and get policy setting.\r


@@ -1798,7 +1808,14 @@ DxeImageVerificationHandler (
       goto Failed;\r
     }\r
 \r
       goto Failed;\r
     }\r
 \r

-    if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {\r
+    DbStatus = IsSignatureFoundInDatabase (\r
+                 EFI_IMAGE_SECURITY_DATABASE1,\r
+                 mImageDigest,\r
+                 &mCertType,\r
+                 mImageDigestSize,\r
+                 &IsFound\r
+                 );\r
+    if (EFI_ERROR (DbStatus) || IsFound) {\r

       //\r
       // Image Hash is in forbidden database (DBX).\r
       //\r
       //\r
       // Image Hash is in forbidden database (DBX).\r
       //\r


@@ -1806,7 +1823,14 @@ DxeImageVerificationHandler (
       goto Failed;\r
     }\r
 \r
       goto Failed;\r
     }\r
 \r

-    if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {\r
+    DbStatus = IsSignatureFoundInDatabase (\r
+                 EFI_IMAGE_SECURITY_DATABASE,\r
+                 mImageDigest,\r
+                 &mCertType,\r
+                 mImageDigestSize,\r
+                 &IsFound\r
+                 );\r
+    if (!EFI_ERROR (DbStatus) && IsFound) {\r

       //\r
       // Image Hash is in allowed database (DB).\r
       //\r
       //\r
       // Image Hash is in allowed database (DB).\r
       //\r


@@ -1894,14 +1918,29 @@ DxeImageVerificationHandler (
     //\r
     // Check the image's hash value.\r
     //\r
     //\r
     // Check the image's hash value.\r
     //\r

-    if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {\r
+    DbStatus = IsSignatureFoundInDatabase (\r
+                 EFI_IMAGE_SECURITY_DATABASE1,\r
+                 mImageDigest,\r
+                 &mCertType,\r
+                 mImageDigestSize,\r
+                 &IsFound\r
+                 );\r
+    if (EFI_ERROR (DbStatus) || IsFound) {\r

       Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;\r
       DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr));\r
       IsVerified = FALSE;\r
       break;\r
     }\r
       Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;\r
       DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr));\r
       IsVerified = FALSE;\r
       break;\r
     }\r

+\r

     if (!IsVerified) {\r
     if (!IsVerified) {\r

-      if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {\r
+      DbStatus = IsSignatureFoundInDatabase (\r
+                   EFI_IMAGE_SECURITY_DATABASE,\r
+                   mImageDigest,\r
+                   &mCertType,\r
+                   mImageDigestSize,\r
+                   &IsFound\r
+                   );\r
+      if (!EFI_ERROR (DbStatus) && IsFound) {\r

         IsVerified = TRUE;\r
       } else {\r
         DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));\r
         IsVerified = TRUE;\r
       } else {\r
         DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));\r