From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH v2 06/17] efi_loader: image_loader: add a check against certificate type of authenticode
Date: Wed, 8 Jul 2020 10:08:21 +0900 [thread overview]
Message-ID: <20200708010821.GA16014@laputa> (raw)
In-Reply-To: <d25f775d-cc51-5f8f-a87b-f2070ba522e3@gmx.de>
Heinrich,
On Fri, Jul 03, 2020 at 12:56:55PM +0200, Heinrich Schuchardt wrote:
> On 09.06.20 07:09, AKASHI Takahiro wrote:
> > UEFI specification requires that we shall support three type of
> > certificates of authenticode in PE image:
> > WIN_CERT_TYPE_EFI_GUID with the guid, EFI_CERT_TYPE_PCKS7_GUID
> > WIN_CERT_TYPE_PKCS_SIGNED_DATA
> > WIN_CERT_TYPE_EFI_PKCS1_15
> >
> > As EDK2 does, we will support the first two that are pkcs7 SignedData.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> > lib/efi_loader/efi_image_loader.c | 56 ++++++++++++++++++++++++-------
> > 1 file changed, 44 insertions(+), 12 deletions(-)
> >
> > diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
> > index 5b00fea2f113..38b2c24ab1d6 100644
> > --- a/lib/efi_loader/efi_image_loader.c
> > +++ b/lib/efi_loader/efi_image_loader.c
> > @@ -484,7 +484,8 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
> > struct efi_signature_store *db = NULL, *dbx = NULL;
> > struct x509_certificate *cert = NULL;
> > void *new_efi = NULL;
> > - size_t new_efi_size;
> > + u8 *auth, *wincerts_end;
> > + size_t new_efi_size, auth_size;
> > bool ret = false;
> >
> > if (!efi_secure_boot_enabled())
> > @@ -533,21 +534,52 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
> > }
> >
> > /* go through WIN_CERTIFICATE list */
> > - for (wincert = wincerts;
> > - (void *)wincert < (void *)wincerts + wincerts_len;
> > - wincert = (void *)wincert + ALIGN(wincert->dwLength, 8)) {
> > - if (wincert->dwLength < sizeof(*wincert)) {
> > - EFI_PRINT("%s: dwLength too small: %u < %zu\n",
> > - __func__, wincert->dwLength,
> > - sizeof(*wincert));
> > - goto err;
> > + for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len;
> > + (u8 *)wincert < wincerts_end;
>
> Shouldn't you compare the end of the current certificate to wincerts_end?
No.
> ((u8 *)wincert + ALIGN(wincert->dwLength, 8))) <= wincerts_end
>
> But you doing such a comparison anyway two lines below. So there is no
> need to duplicate the test here.
>
> > + wincert = (WIN_CERTIFICATE *)
> > + ((u8 *)wincert + ALIGN(wincert->dwLength, 8))) {
> > + if ((u8 *)wincert + sizeof(*wincert) >= wincerts_end)
> > + break;
Is this the line that you mentioned as "two lines below"?
If so, the check is not the exact same.
As an image is provided by a *user*, we have to be as careful
as possible in handling data in an image.
In this case, the value of size in a header may not always be
correct (or at least, can be corrupted). So we will make sure
that we have enough data for accessing a header at the beginning.
> Why is this >= and not >?
Because "<start> + <size>" would be exclusive.
So I will keep my code unchanged.
-Takahiro Akashi
> Best regards
>
> Heinrich
>
> > +
> > + if (wincert->dwLength <= sizeof(*wincert)) {
> > + EFI_PRINT("dwLength too small: %u < %zu\n",
> > + wincert->dwLength, sizeof(*wincert));
> > + continue;
> > + }
> > +
> > + EFI_PRINT("WIN_CERTIFICATE_TYPE: 0x%x\n",
> > + wincert->wCertificateType);
> > +
> > + auth = (u8 *)wincert + sizeof(*wincert);
> > + auth_size = wincert->dwLength - sizeof(*wincert);
> > + if (wincert->wCertificateType == WIN_CERT_TYPE_EFI_GUID) {
> > + if (auth + sizeof(efi_guid_t) >= wincerts_end)
> > + break;
> > +
> > + if (auth_size <= sizeof(efi_guid_t)) {
> > + EFI_PRINT("dwLength too small: %u < %zu\n",
> > + wincert->dwLength, sizeof(*wincert));
> > + continue;
> > + }
> > + if (guidcmp(auth, &efi_guid_cert_type_pkcs7)) {
> > + EFI_PRINT("Certificate type not supported: %pUl\n",
> > + auth);
> > + continue;
> > + }
> > +
> > + auth += sizeof(efi_guid_t);
> > + auth_size -= sizeof(efi_guid_t);
> > + } else if (wincert->wCertificateType
> > + != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
> > + EFI_PRINT("Certificate type not supported\n");
> > + continue;
> > }
> > - msg = pkcs7_parse_message((void *)wincert + sizeof(*wincert),
> > - wincert->dwLength - sizeof(*wincert));
> > +
> > + msg = pkcs7_parse_message(auth, auth_size);
> > if (IS_ERR(msg)) {
> > EFI_PRINT("Parsing image's signature failed\n");
> > msg = NULL;
> > - goto err;
> > + continue;
> > }
> >
> > /* try black-list first */
> >
>
next prev parent reply other threads:[~2020-07-08 1:08 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-09 5:09 [PATCH v2 00/17] efi_loader: rework/improve UEFI secure boot code AKASHI Takahiro
2020-06-09 5:09 ` [PATCH v2 01/17] efi_loader: change efi objects initialization order AKASHI Takahiro
2020-07-03 10:29 ` Heinrich Schuchardt
2020-06-09 5:09 ` [PATCH v2 02/17] Revert "test: stabilize test_efi_secboot" AKASHI Takahiro
2020-07-03 10:30 ` Heinrich Schuchardt
2020-06-09 5:09 ` [PATCH v2 03/17] efi_loader: signature: replace debug to EFI_PRINT AKASHI Takahiro
2020-07-03 10:30 ` Heinrich Schuchardt
2020-06-09 5:09 ` [PATCH v2 04/17] efi_loader: variable: " AKASHI Takahiro
2020-06-09 5:09 ` [PATCH v2 05/17] efi_loader: image_loader: " AKASHI Takahiro
2020-07-03 10:38 ` Heinrich Schuchardt
2020-06-09 5:09 ` [PATCH v2 06/17] efi_loader: image_loader: add a check against certificate type of authenticode AKASHI Takahiro
2020-07-03 10:56 ` Heinrich Schuchardt
2020-07-08 1:08 ` AKASHI Takahiro [this message]
2020-06-09 5:09 ` [PATCH v2 07/17] efi_loader: image_loader: retrieve authenticode only if it exists AKASHI Takahiro
2020-06-09 5:09 ` [PATCH v2 08/17] efi_loader: signature: fix a size check against revocation list AKASHI Takahiro
2020-07-03 11:00 ` Heinrich Schuchardt
2020-07-08 1:12 ` AKASHI Takahiro
2020-07-08 1:30 ` AKASHI Takahiro
2020-06-09 5:09 ` [PATCH v2 09/17] efi_loader: signature: make efi_hash_regions more generic AKASHI Takahiro
2020-07-03 11:08 ` Heinrich Schuchardt
2020-07-08 1:22 ` AKASHI Takahiro
2020-06-09 5:09 ` [PATCH v2 10/17] efi_loader: image_loader: verification for all signatures should pass AKASHI Takahiro
2020-06-09 7:14 ` Heinrich Schuchardt
2020-06-09 5:09 ` [PATCH v2 11/17] efi_loader: image_loader: add digest-based verification for signed image AKASHI Takahiro
2020-06-09 5:09 ` [PATCH v2 12/17] test/py: efi_secboot: remove all "re.search" AKASHI Takahiro
2020-07-03 15:52 ` Heinrich Schuchardt
2020-06-09 5:09 ` [PATCH v2 13/17] test/py: efi_secboot: fix test case 1g of test_authvar AKASHI Takahiro
2020-07-03 16:08 ` Heinrich Schuchardt
2020-06-09 5:09 ` [PATCH v2 14/17] test/py: efi_secboot: split "signed image" test case-1 into two cases AKASHI Takahiro
2020-07-03 16:14 ` Heinrich Schuchardt
2020-06-09 5:09 ` [PATCH v2 15/17] test/py: efi_secboot: add a test against certificate revocation AKASHI Takahiro
2020-06-09 5:09 ` [PATCH v2 16/17] test/py: efi_secboot: add a test for multiple signatures AKASHI Takahiro
2020-06-09 5:09 ` [PATCH v2 17/17] test/py: efi_secboot: add a test for verifying with digest of signed image AKASHI Takahiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200708010821.GA16014@laputa \
--to=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox