From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH 02/13] efi_loader: image_loader: add a check against certificate type of authenticode
Date: Tue, 2 Jun 2020 11:22:21 +0900 [thread overview]
Message-ID: <20200602022221.GA20446@laputa> (raw)
In-Reply-To: <491f48a1-27a5-9c24-74ba-ac1989c398a7@gmx.de>
Heinrich,
On Fri, May 29, 2020 at 12:37:26PM +0200, Heinrich Schuchardt wrote:
> On 5/29/20 8:41 AM, AKASHI Takahiro wrote:
> > UEFI specification requires that we shall support three type of
> > certificates of authenticode in PE image:
> > WIN_CERT_TYPE_EFI_GUID with the guid, EFI_CERT_TYPE_PCKS7_GUID
> > WIN_CERT_TYPE_PKCS_SIGNED_DATA
> > WIN_CERT_TYPE_EFI_PKCS1_15
> >
> > As EDK2 does, we will support the first two that are pkcs7 SignedData.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> > lib/efi_loader/efi_image_loader.c | 55 ++++++++++++++++++++++++-------
> > 1 file changed, 43 insertions(+), 12 deletions(-)
> >
> > diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
> > index 7f35b1e58fe5..a13ba3692ec2 100644
> > --- a/lib/efi_loader/efi_image_loader.c
> > +++ b/lib/efi_loader/efi_image_loader.c
> > @@ -375,7 +375,7 @@ bool efi_image_parse(void *efi, size_t len, struct efi_image_regions **regp,
> > }
> >
> > /* Return Certificates Table */
> > - if (authsz) {
> > + if (authsz > 0) {
>
> authsz is unsigned. We should avoid superfluous comparisons with 0.
Okay. I was a bit confused here.
> > if (len < authoff + authsz) {
> > debug("%s: Size for auth too large: %u >= %zu\n",
> > __func__, authsz, len - authoff);
> > @@ -480,8 +480,8 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
> > struct pkcs7_message *msg = NULL;
> > struct efi_signature_store *db = NULL, *dbx = NULL;
> > struct x509_certificate *cert = NULL;
> > - void *new_efi = NULL;
> > - size_t new_efi_size;
> > + void *new_efi = NULL, *auth, *wincerts_end;
> > + size_t new_efi_size, auth_size;
> > bool ret = false;
> >
> > if (!efi_secure_boot_enabled())
> > @@ -530,20 +530,51 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
> > }
> >
> > /* go through WIN_CERTIFICATE list */
> > - for (wincert = wincerts;
> > - (void *)wincert < (void *)wincerts + wincerts_len;
> > + for (wincert = wincerts, wincerts_end = (void *)wincerts + wincerts_len;
> > + (void *)wincert < wincerts_end;
>
> Adding to (void *) is not defined in the C spec (though gcc treats it
> according to your intention). Please, use (u8 *) if you want to add byte
> lengths.
Okay.
> > wincert = (void *)wincert + ALIGN(wincert->dwLength, 8)) {
> > - if (wincert->dwLength < sizeof(*wincert)) {
> > - debug("%s: dwLength too small: %u < %zu\n",
> > - __func__, wincert->dwLength, sizeof(*wincert));
> > - goto err;
> > + if ((void *)wincert + sizeof(*wincert) >= wincerts_end)
> > + break;
> > +
> > + if (wincert->dwLength <= sizeof(*wincert)) {
> > + debug("dwLength too small: %u < %zu\n",
> > + wincert->dwLength, sizeof(*wincert));
> > + continue;
> > }
> > - msg = pkcs7_parse_message((void *)wincert + sizeof(*wincert),
> > - wincert->dwLength - sizeof(*wincert));
> > +
> > + debug("WIN_CERTIFICATE_TYPE: 0x%x\n",
> > + wincert->wCertificateType);
>
> Should this EFI_PRINT()?
Okay, I will replace all.
Thanks,
-Takahiro Akashi
> Best regards
>
> Heinrich
>
> > +
> > + auth = (void *)wincert + sizeof(*wincert);
> > + auth_size = wincert->dwLength - sizeof(*wincert);
> > + if (wincert->wCertificateType == WIN_CERT_TYPE_EFI_GUID) {
> > + if (auth + sizeof(efi_guid_t) >= wincerts_end)
> > + break;
> > +
> > + if (auth_size <= sizeof(efi_guid_t)) {
> > + debug("dwLength too small: %u < %zu\n",
> > + wincert->dwLength, sizeof(*wincert));
> > + continue;
> > + }
> > + if (guidcmp(auth, &efi_guid_cert_type_pkcs7)) {
> > + debug("Certificate type not supported: %pUl\n",
> > + auth);
> > + continue;
> > + }
> > +
> > + auth += sizeof(efi_guid_t);
> > + auth_size -= sizeof(efi_guid_t);
> > + } else if (wincert->wCertificateType
> > + != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
> > + debug("Certificate type not supported\n");
> > + continue;
> > + }
> > +
> > + msg = pkcs7_parse_message(auth, auth_size);
> > if (IS_ERR(msg)) {
> > debug("Parsing image's signature failed\n");
> > msg = NULL;
> > - goto err;
> > + continue;
> > }
> >
> > /* try black-list first */
> >
>
next prev parent reply other threads:[~2020-06-02 2:22 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-29 6:41 [PATCH 00/13] efi_loader: rework/improve UEFI secure boot code AKASHI Takahiro
2020-05-29 6:41 ` [PATCH 01/13] efi_loader: signature: move efi_guid_cert_type_pkcs7 to efi_signature.c AKASHI Takahiro
2020-05-29 10:27 ` Heinrich Schuchardt
2020-05-29 6:41 ` [PATCH 02/13] efi_loader: image_loader: add a check against certificate type of authenticode AKASHI Takahiro
2020-05-29 10:37 ` Heinrich Schuchardt
2020-06-02 2:22 ` AKASHI Takahiro [this message]
2020-05-29 6:41 ` [PATCH 03/13] efi_loader: image_loader: retrieve authenticode only if it exists AKASHI Takahiro
2020-05-30 6:02 ` Heinrich Schuchardt
2020-05-29 6:41 ` [PATCH 04/13] efi_loader: signature: fix a size check against revocation list AKASHI Takahiro
2020-05-30 6:42 ` Heinrich Schuchardt
2020-05-29 6:41 ` [PATCH 05/13] efi_loader: signature: make efi_hash_regions more generic AKASHI Takahiro
2020-05-30 6:58 ` Heinrich Schuchardt
2020-06-02 5:05 ` AKASHI Takahiro
2020-05-29 6:41 ` [PATCH 06/13] efi_loader: image_loader: verification for all signatures should pass AKASHI Takahiro
2020-05-30 7:01 ` Heinrich Schuchardt
2020-06-02 5:22 ` AKASHI Takahiro
2020-05-29 6:41 ` [PATCH 07/13] efi_loader: image_loader: add digest-based verification for signed image AKASHI Takahiro
2020-05-30 7:09 ` Heinrich Schuchardt
2020-06-02 5:31 ` AKASHI Takahiro
2020-05-29 6:41 ` [PATCH 08/13] test/py: efi_secboot: remove all "re.search" AKASHI Takahiro
2020-05-30 7:04 ` Heinrich Schuchardt
2020-06-02 5:58 ` AKASHI Takahiro
2020-06-02 8:27 ` Heinrich Schuchardt
2020-07-02 16:21 ` Heinrich Schuchardt
2020-05-29 6:41 ` [PATCH 09/13] test/py: efi_secboot: fix test case 1g of test_authvar AKASHI Takahiro
2020-07-02 16:28 ` Heinrich Schuchardt
2020-05-29 6:41 ` [PATCH 10/13] test/py: efi_secboot: split "signed image" test case-1 into two cases AKASHI Takahiro
2020-05-29 6:41 ` [PATCH 11/13] test/py: efi_secboot: add a test against certificate revocation AKASHI Takahiro
2020-05-29 6:41 ` [PATCH 12/13] test/py: efi_secboot: add a test for multiple signatures AKASHI Takahiro
2020-05-29 6:41 ` [PATCH 13/13] test/py: efi_secboot: add a test for verifying with digest of signed image AKASHI Takahiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200602022221.GA20446@laputa \
--to=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.