docs/master/_fmp_authentication_lib_pkcs7_8c_source.html

#include <Uefi.h>


#include <Guid/SystemResourceTable.h>

#include <Guid/FirmwareContentsSigned.h>

#include <Guid/WinCertificate.h>


#include <Library/BaseLib.h>

#include <Library/BaseMemoryLib.h>

#include <Library/DebugLib.h>

#include <Library/MemoryAllocationLib.h>

#include <Library/BaseCryptLib.h>

#include <Library/FmpAuthenticationLib.h>

#include <Library/PcdLib.h>

#include <Protocol/FirmwareManagement.h>

#include <Guid/SystemResourceTable.h>


RETURN_STATUS

FmpAuthenticatedHandlerPkcs7 (

  IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,

  IN UINTN                              ImageSize,

  IN CONST UINT8                        *PublicKeyData,

  IN UINTN                              PublicKeyDataLength

  )

{

  RETURN_STATUS  Status;

  BOOLEAN        CryptoStatus;

  VOID           *P7Data;

  UINTN          P7Length;

  VOID           *TempBuffer;


  DEBUG ((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7 - Image: 0x%08x - 0x%08x\n", (UINTN)Image, (UINTN)ImageSize));


  P7Length = Image->AuthInfo.Hdr.dwLength - (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));

  P7Data   = Image->AuthInfo.CertData;


  // It is a signature across the variable data and the Monotonic Count value.

  TempBuffer = AllocatePool (ImageSize - Image->AuthInfo.Hdr.dwLength);

  if (TempBuffer == NULL) {

    DEBUG ((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: TempBuffer == NULL\n"));

    Status = RETURN_OUT_OF_RESOURCES;

    goto Done;

  }


  CopyMem (

    TempBuffer,

    (UINT8 *)Image + sizeof (Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength,

    ImageSize - sizeof (Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength

    );

  CopyMem (

    (UINT8 *)TempBuffer + ImageSize - sizeof (Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength,

    &Image->MonotonicCount,

    sizeof (Image->MonotonicCount)

    );

  CryptoStatus = Pkcs7Verify (

                   P7Data,

                   P7Length,

                   PublicKeyData,

                   PublicKeyDataLength,

                   (UINT8 *)TempBuffer,

                   ImageSize - Image->AuthInfo.Hdr.dwLength

                   );

  FreePool (TempBuffer);

  if (!CryptoStatus) {

    //

    // If PKCS7 signature verification fails, AUTH tested failed bit is set.

    //

    DEBUG ((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: Pkcs7Verify() failed\n"));

    Status = RETURN_SECURITY_VIOLATION;

    goto Done;

  }


  DEBUG ((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7: PASS verification\n"));


  Status = RETURN_SUCCESS;


Done:

  return Status;

}


RETURN_STATUS

EFIAPI

AuthenticateFmpImage (

  IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,

  IN UINTN                              ImageSize,

  IN CONST UINT8                        *PublicKeyData,

  IN UINTN                              PublicKeyDataLength

  )

{

  GUID        *CertType;

  EFI_STATUS  Status;


  if ((Image == NULL) || (ImageSize == 0)) {

    return RETURN_UNSUPPORTED;

  }


  if (ImageSize < sizeof (EFI_FIRMWARE_IMAGE_AUTHENTICATION)) {

    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));

    return RETURN_INVALID_PARAMETER;

  }


  if (Image->AuthInfo.Hdr.dwLength <= OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) {

    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too small\n"));

    return RETURN_INVALID_PARAMETER;

  }


  if ((UINTN)Image->AuthInfo.Hdr.dwLength > MAX_UINTN - sizeof (UINT64)) {

    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too big\n"));

    return RETURN_INVALID_PARAMETER;

  }


  if (ImageSize <= sizeof (Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength) {

    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));

    return RETURN_INVALID_PARAMETER;

  }


  if (Image->AuthInfo.Hdr.wRevision != 0x0200) {

    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - wRevision: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wRevision, (UINTN)0x0200));

    return RETURN_INVALID_PARAMETER;

  }


  if (Image->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {

    DEBUG ((DEBUG_ERROR, "AuthenticateFmpImage - wCertificateType: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wCertificateType, (UINTN)WIN_CERT_TYPE_EFI_GUID));

    return RETURN_INVALID_PARAMETER;

  }


  CertType = &Image->AuthInfo.CertType;

  DEBUG ((DEBUG_INFO, "AuthenticateFmpImage - CertType: %g\n", CertType));


  if (CompareGuid (&gEfiCertPkcs7Guid, CertType)) {

    //

    // Call the match handler to extract raw data for the input section data.

    //

    Status = FmpAuthenticatedHandlerPkcs7 (

               Image,

               ImageSize,

               PublicKeyData,

               PublicKeyDataLength

               );

    return Status;

  }


  //

  // Not found, the input guided section is not supported.

  //

  return RETURN_UNSUPPORTED;

}

UINTN
UINT64 UINTN
Definition: ProcessorBind.h:112

BaseCryptLib.h

Pkcs7Verify
BOOLEAN EFIAPI Pkcs7Verify(IN CONST UINT8 *P7Data, IN UINTN P7Length, IN CONST UINT8 *TrustedCert, IN UINTN CertLength, IN CONST UINT8 *InData, IN UINTN DataLength)
Definition: CryptPkcs7VerifyCommon.c:776

BaseLib.h

BaseMemoryLib.h

CopyMem
VOID *EFIAPI CopyMem(OUT VOID *DestinationBuffer, IN CONST VOID *SourceBuffer, IN UINTN Length)
Definition: CopyMemWrapper.c:41

CompareGuid
BOOLEAN EFIAPI CompareGuid(IN CONST GUID *Guid1, IN CONST GUID *Guid2)
Definition: MemLibGuid.c:73

FreePool
VOID EFIAPI FreePool(IN VOID *Buffer)
Definition: MemoryAllocationLib.c:266

FirmwareContentsSigned.h

FirmwareManagement.h

FmpAuthenticationLib.h

AuthenticateFmpImage
RETURN_STATUS EFIAPI AuthenticateFmpImage(IN EFI_FIRMWARE_IMAGE_AUTHENTICATION *Image, IN UINTN ImageSize, IN CONST UINT8 *PublicKeyData, IN UINTN PublicKeyDataLength)
Definition: FmpAuthenticationLibPkcs7.c:157

FmpAuthenticatedHandlerPkcs7
RETURN_STATUS FmpAuthenticatedHandlerPkcs7(IN EFI_FIRMWARE_IMAGE_AUTHENTICATION *Image, IN UINTN ImageSize, IN CONST UINT8 *PublicKeyData, IN UINTN PublicKeyDataLength)
Definition: FmpAuthenticationLibPkcs7.c:58

NULL
#define NULL
Definition: Base.h:319

CONST
#define CONST
Definition: Base.h:259

RETURN_UNSUPPORTED
#define RETURN_UNSUPPORTED
Definition: Base.h:1081

RETURN_OUT_OF_RESOURCES
#define RETURN_OUT_OF_RESOURCES
Definition: Base.h:1114

RETURN_SECURITY_VIOLATION
#define RETURN_SECURITY_VIOLATION
Definition: Base.h:1203

RETURN_SUCCESS
#define RETURN_SUCCESS
Definition: Base.h:1066

IN
#define IN
Definition: Base.h:279

OFFSET_OF
#define OFFSET_OF(TYPE, Field)
Definition: Base.h:758

RETURN_INVALID_PARAMETER
#define RETURN_INVALID_PARAMETER
Definition: Base.h:1076

DebugLib.h

DEBUG
#define DEBUG(Expression)
Definition: DebugLib.h:434

MemoryAllocationLib.h

PcdLib.h

AllocatePool
VOID *EFIAPI AllocatePool(IN UINTN AllocationSize)
Definition: MemoryAllocationLib.c:195

SystemResourceTable.h

Uefi.h

EFI_STATUS
RETURN_STATUS EFI_STATUS
Definition: UefiBaseType.h:29

WinCertificate.h

EFI_FIRMWARE_IMAGE_AUTHENTICATION
Definition: FirmwareManagement.h:195

GUID
Definition: Base.h:213

WIN_CERTIFICATE_UEFI_GUID
Definition: WinCertificate.h:67