From: Fu Siyuan Date: Thu, 12 Sep 2013 05:26:15 +0000 (+0000) Subject: Update the chaining requirements with regards to the Platform Key. X-Git-Tag: edk2-stable201903~12265 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=74b5fd7a112746e9166ff204db4331f0eeb2ba4c Update the chaining requirements with regards to the Platform Key. Signed-off-by: Fu Siyuan Reviewed-by: Ye Ting Reviewed-by: Dong Guo git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14661 6f19259b-4bc3-4df7-8a09-765794883524 --- diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c index 909de960b7..1f930e8a11 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c @@ -2195,7 +2195,24 @@ VerifyTimeBasedPayload ( if (AuthVarType == AuthVarTypePk) { // - // Get platform key from variable. + // Verify that the signature has been made with the current Platform Key (no chaining for PK). + // First, get signer's certificates from SignedData. + // + VerifyStatus = Pkcs7GetSigners ( + SigData, + SigDataSize, + &SignerCerts, + &CertStackSize, + &RootCert, + &RootCertSize + ); + if (!VerifyStatus) { + goto Exit; + } + + // + // Second, get the current platform key from variable. Check whether it's identical with signer's certificates + // in SignedData. If not, return error immediately. // Status = FindVariable ( EFI_PLATFORM_KEY_NAME, 
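Review bot: The new `goto Exit` after a failed `Pkcs7GetSigners` call is only safe if `SignerCerts` and `RootCert` are NULL at that point, because the last hunk of this commit makes the Exit label call `Pkcs7FreeSigners` on both for the PK type. Their initialisation is outside this hunk (VerifyTimeBasedPayload starts and ends outside it), so please confirm that the function sets `SignerCerts = NULL;` and `RootCert = NULL;` before the `AuthVarType` branches, or that Pkcs7GetSigners is guaranteed to leave its outputs NULL on failure. If neither holds, a malformed SignedData blob in a PK update request could lead to freeing indeterminate pointers.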
@@ -2205,14 +2222,16 @@ VerifyTimeBasedPayload ( FALSE ); if (EFI_ERROR (Status)) { - return Status; + VerifyStatus = FALSE; + goto Exit; } - CertList = (EFI_SIGNATURE_LIST *) GetVariableDataPtr (PkVariable.CurrPtr); Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); - RootCert = Cert->SignatureData; - RootCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1); - + if ((RootCertSize != (CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1))) || + (CompareMem (Cert->SignatureData, RootCert, RootCertSize) != 0)) { + VerifyStatus = FALSE; + goto Exit; + } // // Verify Pkcs7 SignedData via Pkcs7Verify library. @@ -2368,7 +2387,7 @@ VerifyTimeBasedPayload ( Exit: - if (AuthVarType == AuthVarTypePriv) { + if (AuthVarType == AuthVarTypePk || AuthVarType == AuthVarTypePriv) { Pkcs7FreeSigners (RootCert); Pkcs7FreeSigners (SignerCerts); }
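Review bot: The comparison takes `CertList->SignatureHeaderSize` and `CertList->SignatureSize` straight from the stored PK variable and never bounds them against the variable's data size, so `CompareMem` reads `RootCertSize` bytes from an offset and length that are not checked here. The size test does fail closed if the subtraction wraps, and the PK contents were presumably format-checked when they were enrolled, but that check is not visible in this diff. I would either validate the signature list against the variable's data length before computing `Cert`, or state the assumption in a comment such as `// PK was format-checked at enrollment; the -1 drops the SignatureData[1] placeholder counted by sizeof (EFI_SIGNATURE_DATA)`. The enclosing `if (AuthVarType == AuthVarTypePk)` block begins in the previous hunk.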
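Review bot: Ownership of `RootCert` is now decided by `AuthVarType` at the Exit label, which is fragile. The removed lines in the previous hunk show that `RootCert` used to point into the PK variable's data, and any branch that still assigns such a borrowed pointer must never reach these `Pkcs7FreeSigners` calls. The other branches are outside this diff, so this is a documentation request rather than a confirmed defect. If it holds for the remaining types, a comment above the condition would make the contract explicit, for example `// RootCert and SignerCerts are heap buffers from Pkcs7GetSigners() only for the PK and private types; for other types RootCert is not owned here and must not be freed.`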