[PATCH v3 04/11] SecurityPkg: SecureBootVariableLib: Updated signature list creator


Kun Qin
 

From: kuqin <kuqin@...>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3910

This change removes the interface of SecureBootFetchData and replaces
it with `SecureBootCreateDataFromInput`, which requires the caller to
prepare the available certificates in defined structures.

This improvement will eliminate the dependency of reading from FV,
extending the availability of this library instance.

Cc: Jiewen Yao <jiewen.yao@...>
Cc: Jian J Wang <jian.j.wang@...>
Cc: Min Xu <min.m.xu@...>

Signed-off-by: Kun Qin <kun.qin@...>
Reviewed-by: Jiewen Yao <Jiewen.yao@...>
Acked-by: Michael Kubacki <michael.kubacki@...>
---

Notes:
v3:
- Added reviewed-by tag [Jiewen]
- Added acked-by tag [Michael Kubacki]

SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 69 +=
++++++++++---------
SecurityPkg/Include/Library/SecureBootVariableLib.h | 25 +=
+++---
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 3 -
3 files changed, 53 insertions(+), 44 deletions(-)

diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi=
b.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
index 3b33a356aba3..f56f0322e943 100644
--- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
@@ -10,10 +10,10 @@
SPDX-License-Identifier: BSD-2-Clause-Patent=0D
**/=0D
#include <Uefi.h>=0D
+#include <UefiSecureBoot.h>=0D
#include <Guid/GlobalVariable.h>=0D
#include <Guid/AuthenticatedVariableFormat.h>=0D
#include <Guid/ImageAuthentication.h>=0D
-#include <Library/BaseCryptLib.h>=0D
#include <Library/BaseLib.h>=0D
#include <Library/BaseMemoryLib.h>=0D
#include <Library/DebugLib.h>=0D
@@ -21,7 +21,6 @@
#include <Library/MemoryAllocationLib.h>=0D
#include <Library/UefiRuntimeServicesTableLib.h>=0D
#include <Library/SecureBootVariableLib.h>=0D
-#include "Library/DxeServicesLib.h"=0D
=0D
// This time can be used when deleting variables, as it should be greater =
than any variable time.=0D
EFI_TIME mMaxTimestamp =3D {=0D
@@ -130,24 +129,29 @@ ConcatenateSigList (
}=0D
=0D
/**=0D
- Create a EFI Signature List with data fetched from section specified as =
a argument.=0D
- Found keys are verified using RsaGetPublicKeyFromX509().=0D
+ Create a EFI Signature List with data supplied from input argument.=0D
+ The input certificates from KeyInfo parameter should be DER-encoded=0D
+ format.=0D
=0D
- @param[in] KeyFileGuid A pointer to to the FFS filename GUID=0D
@param[out] SigListsSize A pointer to size of signature list=0D
- @param[out] SigListsOut a pointer to a callee-allocated buffer =
with signature lists=0D
+ @param[out] SigListOut A pointer to a callee-allocated buffer =
with signature lists=0D
+ @param[in] KeyInfoCount The number of certificate pointer and s=
ize pairs inside KeyInfo.=0D
+ @param[in] KeyInfo A pointer to all certificates, in the f=
ormat of DER-encoded,=0D
+ to be concatenated into signature lists=
.=0D
=0D
- @retval EFI_SUCCESS Create time based payload successfully.=
=0D
+ @retval EFI_SUCCESS Created signature list from payload suc=
cessfully.=0D
@retval EFI_NOT_FOUND Section with key has not been found.=0D
- @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.=0D
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or inpu=
t pointers are NULL.=0D
@retval Others Unexpected error happens.=0D
=0D
**/=0D
EFI_STATUS=0D
-SecureBootFetchData (=0D
- IN EFI_GUID *KeyFileGuid,=0D
- OUT UINTN *SigListsSize,=0D
- OUT EFI_SIGNATURE_LIST **SigListOut=0D
+EFIAPI=0D
+SecureBootCreateDataFromInput (=0D
+ OUT UINTN *SigListsSize,=0D
+ OUT EFI_SIGNATURE_LIST **SigListOut,=0D
+ IN UINTN KeyInfoCount,=0D
+ IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo=0D
)=0D
{=0D
EFI_SIGNATURE_LIST *EfiSig;=0D
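Review bot: The updated header comment drops the line about RsaGetPublicKeyFromX509() verification but still lists `EFI_INVALID_PARAMETER Embedded key has a wrong format`, which suggests to callers that the certificate bytes are still checked. The visible new code only rejects NULL pointers and a zero count, so the comment should say explicitly that the buffers are not parsed and that the caller must validate each DER certificate before it is put into a Secure Boot signature list. The `EFI_NOT_FOUND` text still refers to an FV section, where something like `No non-NULL certificate was supplied in KeyInfo.` would match the new input. The new `EFI_OUT_OF_RESOURCES` return has no `@retval` line. The same comment is duplicated in the SecureBootVariableLib.h hunk and needs the same edits.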
@@ -155,36 +159,41 @@ SecureBootFetchData (
EFI_SIGNATURE_LIST *TmpEfiSig2;=0D
EFI_STATUS Status;=0D
VOID *Buffer;=0D
- VOID *RsaPubKey;=0D
UINTN Size;=0D
+ UINTN InputIndex;=0D
UINTN KeyIndex;=0D
=0D
+ if ((SigListOut =3D=3D NULL) || (SigListsSize =3D=3D NULL)) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ if ((KeyInfoCount =3D=3D 0) || (KeyInfo =3D=3D NULL)) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ InputIndex =3D 0;=0D
KeyIndex =3D 0;=0D
EfiSig =3D NULL;=0D
*SigListsSize =3D 0;=0D
- while (1) {=0D
- Status =3D GetSectionFromAnyFv (=0D
- KeyFileGuid,=0D
- EFI_SECTION_RAW,=0D
- KeyIndex,=0D
- &Buffer,=0D
- &Size=0D
- );=0D
-=0D
- if (Status =3D=3D EFI_SUCCESS) {=0D
- RsaPubKey =3D NULL;=0D
- if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FALSE)=
{=0D
- DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__,=
KeyIndex));=0D
+ while (InputIndex < KeyInfoCount) {=0D
+ if (KeyInfo[InputIndex].Data !=3D NULL) {=0D
+ Size =3D KeyInfo[InputIndex].DataSize;=0D
+ Buffer =3D AllocateCopyPool (Size, KeyInfo[InputIndex].Data);=0D
+ if (Buffer =3D=3D NULL) {=0D
if (EfiSig !=3D NULL) {=0D
FreePool (EfiSig);=0D
}=0D
=0D
- FreePool (Buffer);=0D
- return EFI_INVALID_PARAMETER;=0D
+ return EFI_OUT_OF_RESOURCES;=0D
}=0D
=0D
Status =3D CreateSigList (Buffer, Size, &TmpEfiSig);=0D
=0D
+ if (EFI_ERROR (Status)) {=0D
+ FreePool (Buffer);=0D
+ break;=0D
+ }=0D
+=0D
//=0D
// Concatenate lists if more than one section found=0D
//=0D
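Review bot: The new `if (EFI_ERROR (Status)) { FreePool (Buffer); break; }` after CreateSigList leaves the loop without freeing `EfiSig` or returning `Status`, unlike the allocation-failure path just above it. The rest of the function is outside this hunk, but the only post-loop check visible in the next hunk is `if (KeyIndex == 0)`. If that is the only check, a failure on a later certificate would probably hand back a truncated signature list as success, and a silently incomplete PK/KEK/db payload is worth failing hard on. I would replace the `break;` with `if (EfiSig != NULL) { FreePool (EfiSig); }` followed by `return Status;`. Entries with a NULL `Data` are skipped silently and `DataSize == 0` is not rejected, so consider treating both as `EFI_INVALID_PARAMETER`.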
@@ -202,9 +211,7 @@ SecureBootFetchData (
FreePool (Buffer);=0D
}=0D
=0D
- if (Status =3D=3D EFI_NOT_FOUND) {=0D
- break;=0D
- }=0D
+ InputIndex++;=0D
}=0D
=0D
if (KeyIndex =3D=3D 0) {=0D
diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/Security=
Pkg/Include/Library/SecureBootVariableLib.h
index 9f2d41220b70..24ff0df067fa 100644
--- a/SecurityPkg/Include/Library/SecureBootVariableLib.h
+++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h
@@ -44,24 +44,29 @@ GetSetupMode (
);=0D
=0D
/**=0D
- Create a EFI Signature List with data fetched from section specified as =
a argument.=0D
- Found keys are verified using RsaGetPublicKeyFromX509().=0D
+ Create a EFI Signature List with data supplied from input argument.=0D
+ The input certificates from KeyInfo parameter should be DER-encoded=0D
+ format.=0D
=0D
- @param[in] KeyFileGuid A pointer to to the FFS filename GUID=0D
@param[out] SigListsSize A pointer to size of signature list=0D
- @param[out] SigListsOut a pointer to a callee-allocated buffer =
with signature lists=0D
+ @param[out] SigListOut A pointer to a callee-allocated buffer =
with signature lists=0D
+ @param[in] KeyInfoCount The number of certificate pointer and s=
ize pairs inside KeyInfo.=0D
+ @param[in] KeyInfo A pointer to all certificates, in the f=
ormat of DER-encoded,=0D
+ to be concatenated into signature lists=
.=0D
=0D
- @retval EFI_SUCCESS Create time based payload successfully.=
=0D
+ @retval EFI_SUCCESS Created signature list from payload suc=
cessfully.=0D
@retval EFI_NOT_FOUND Section with key has not been found.=0D
- @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.=0D
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or inpu=
t pointers are NULL.=0D
@retval Others Unexpected error happens.=0D
=0D
--*/=0D
EFI_STATUS=0D
-SecureBootFetchData (=0D
- IN EFI_GUID *KeyFileGuid,=0D
- OUT UINTN *SigListsSize,=0D
- OUT EFI_SIGNATURE_LIST **SigListOut=0D
+EFIAPI=0D
+SecureBootCreateDataFromInput (=0D
+ OUT UINTN *SigListsSize,=0D
+ OUT EFI_SIGNATURE_LIST **SigListOut,=0D
+ IN UINTN KeyInfoCount,=0D
+ IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo=0D
);=0D
=0D
/**=0D
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi=
b.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
index 87db5a258021..3d4b77cfb073 100644
--- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
@@ -32,15 +32,12 @@ [Packages]
MdePkg/MdePkg.dec=0D
MdeModulePkg/MdeModulePkg.dec=0D
SecurityPkg/SecurityPkg.dec=0D
- CryptoPkg/CryptoPkg.dec=0D
=0D
[LibraryClasses]=0D
BaseLib=0D
BaseMemoryLib=0D
DebugLib=0D
MemoryAllocationLib=0D
- BaseCryptLib=0D
- DxeServicesLib=0D
=0D
[Guids]=0D
## CONSUMES ## Variable:L"SetupMode"=0D
--=20
2.36.0.windows.1