[PATCH v2 04/11] SecurityPkg: SecureBootVariableLib: Updated signature list creator


Kun Qin
 

From: kuqin <kuqin@...>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910

This change removes the interface of SecureBootFetchData, and replaced
it with `SecureBootCreateDataFromInput`, which will require caller to
prepare available certificates in defined structures.

This improvement will eliminate the dependency of reading from FV,
extending the availability of this library instance.

Cc: Jiewen Yao <jiewen.yao@...>
Cc: Jian J Wang <jian.j.wang@...>
Cc: Min Xu <min.m.xu@...>

Signed-off-by: Kun Qin <kun.qin@...>
---
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 69 +++++++++++---------
SecurityPkg/Include/Library/SecureBootVariableLib.h | 25 ++++---
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 3 -
3 files changed, 53 insertions(+), 44 deletions(-)

diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
index 3b33a356aba3..f56f0322e943 100644
--- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
@@ -10,10 +10,10 @@
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Uefi.h>
+#include <UefiSecureBoot.h>
#include <Guid/GlobalVariable.h>
#include <Guid/AuthenticatedVariableFormat.h>
#include <Guid/ImageAuthentication.h>
-#include <Library/BaseCryptLib.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
@@ -21,7 +21,6 @@
#include <Library/MemoryAllocationLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/SecureBootVariableLib.h>
-#include "Library/DxeServicesLib.h"

// This time can be used when deleting variables, as it should be greater than any variable time.
EFI_TIME mMaxTimestamp = {
@@ -130,24 +129,29 @@ ConcatenateSigList (
}

/**
- Create a EFI Signature List with data fetched from section specified as a argument.
- Found keys are verified using RsaGetPublicKeyFromX509().
+ Create a EFI Signature List with data supplied from input argument.
+ The input certificates from KeyInfo parameter should be DER-encoded
+ format.

- @param[in] KeyFileGuid A pointer to to the FFS filename GUID
@param[out] SigListsSize A pointer to size of signature list
- @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists
+ @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists
+ @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo.
+ @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded,
+ to be concatenated into signature lists.

- @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_SUCCESS Created signature list from payload successfully.
@retval EFI_NOT_FOUND Section with key has not been found.
- @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL.
@retval Others Unexpected error happens.

**/
EFI_STATUS
-SecureBootFetchData (
- IN EFI_GUID *KeyFileGuid,
- OUT UINTN *SigListsSize,
- OUT EFI_SIGNATURE_LIST **SigListOut
+EFIAPI
+SecureBootCreateDataFromInput (
+ OUT UINTN *SigListsSize,
+ OUT EFI_SIGNATURE_LIST **SigListOut,
+ IN UINTN KeyInfoCount,
+ IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo
)
{
EFI_SIGNATURE_LIST *EfiSig;
@@ -155,36 +159,41 @@ SecureBootFetchData (
EFI_SIGNATURE_LIST *TmpEfiSig2;
EFI_STATUS Status;
VOID *Buffer;
- VOID *RsaPubKey;
UINTN Size;
+ UINTN InputIndex;
UINTN KeyIndex;

+ if ((SigListOut == NULL) || (SigListsSize == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if ((KeyInfoCount == 0) || (KeyInfo == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ InputIndex = 0;
KeyIndex = 0;
EfiSig = NULL;
*SigListsSize = 0;
- while (1) {
- Status = GetSectionFromAnyFv (
- KeyFileGuid,
- EFI_SECTION_RAW,
- KeyIndex,
- &Buffer,
- &Size
- );
-
- if (Status == EFI_SUCCESS) {
- RsaPubKey = NULL;
- if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
- DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+ while (InputIndex < KeyInfoCount) {
+ if (KeyInfo[InputIndex].Data != NULL) {
+ Size = KeyInfo[InputIndex].DataSize;
+ Buffer = AllocateCopyPool (Size, KeyInfo[InputIndex].Data);
+ if (Buffer == NULL) {
if (EfiSig != NULL) {
FreePool (EfiSig);
}

- FreePool (Buffer);
- return EFI_INVALID_PARAMETER;
+ return EFI_OUT_OF_RESOURCES;
}

Status = CreateSigList (Buffer, Size, &TmpEfiSig);

+ if (EFI_ERROR (Status)) {
+ FreePool (Buffer);
+ break;
+ }
+
//
// Concatenate lists if more than one section found
//
@@ -202,9 +211,7 @@ SecureBootFetchData (
FreePool (Buffer);
}

- if (Status == EFI_NOT_FOUND) {
- break;
- }
+ InputIndex++;
}

if (KeyIndex == 0) {
diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h
index 9f2d41220b70..24ff0df067fa 100644
--- a/SecurityPkg/Include/Library/SecureBootVariableLib.h
+++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h
@@ -44,24 +44,29 @@ GetSetupMode (
);

/**
- Create a EFI Signature List with data fetched from section specified as a argument.
- Found keys are verified using RsaGetPublicKeyFromX509().
+ Create a EFI Signature List with data supplied from input argument.
+ The input certificates from KeyInfo parameter should be DER-encoded
+ format.

- @param[in] KeyFileGuid A pointer to to the FFS filename GUID
@param[out] SigListsSize A pointer to size of signature list
- @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists
+ @param[out] SigListOut A pointer to a callee-allocated buffer with signature lists
+ @param[in] KeyInfoCount The number of certificate pointer and size pairs inside KeyInfo.
+ @param[in] KeyInfo A pointer to all certificates, in the format of DER-encoded,
+ to be concatenated into signature lists.

- @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_SUCCESS Created signature list from payload successfully.
@retval EFI_NOT_FOUND Section with key has not been found.
- @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or input pointers are NULL.
@retval Others Unexpected error happens.

--*/
EFI_STATUS
-SecureBootFetchData (
- IN EFI_GUID *KeyFileGuid,
- OUT UINTN *SigListsSize,
- OUT EFI_SIGNATURE_LIST **SigListOut
+EFIAPI
+SecureBootCreateDataFromInput (
+ OUT UINTN *SigListsSize,
+ OUT EFI_SIGNATURE_LIST **SigListOut,
+ IN UINTN KeyInfoCount,
+ IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo
);

/**
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
index 87db5a258021..3d4b77cfb073 100644
--- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
@@ -32,15 +32,12 @@ [Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec
- CryptoPkg/CryptoPkg.dec

[LibraryClasses]
BaseLib
BaseMemoryLib
DebugLib
MemoryAllocationLib
- BaseCryptLib
- DxeServicesLib

[Guids]
## CONSUMES ## Variable:L"SetupMode"
--
2.35.1.windows.2

Join devel@edk2.groups.io to automatically receive all group messages.