Home | History | Annotate | Download | only in FmpAuthenticationLibPkcs7 
      1 /** @file
      2   FMP Authentication PKCS7 handler.
      3   Provide generic FMP authentication functions for DXE/PEI post memory phase.
      4 
      5   Caution: This module requires additional review when modified.
      6   This module will have external input - capsule image.
      7   This external input must be validated carefully to avoid security issue like
      8   buffer overflow, integer overflow.
      9 
     10   FmpAuthenticatedHandlerPkcs7(), AuthenticateFmpImage() will receive
     11   untrusted input and do basic validation.
     12 
     13   Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
     14   This program and the accompanying materials
     15   are licensed and made available under the terms and conditions of the BSD License
     16   which accompanies this distribution.  The full text of the license may be found at
     17   http://opensource.org/licenses/bsd-license.php
     18 
     19   THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
     20   WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
     21 
     22 **/
     23 
     24 #include <Uefi.h>
     25 
     26 #include <Guid/SystemResourceTable.h>
     27 #include <Guid/FirmwareContentsSigned.h>
     28 #include <Guid/WinCertificate.h>
     29 
     30 #include <Library/BaseLib.h>
     31 #include <Library/BaseMemoryLib.h>
     32 #include <Library/DebugLib.h>
     33 #include <Library/MemoryAllocationLib.h>
     34 #include <Library/BaseCryptLib.h>
     35 #include <Library/FmpAuthenticationLib.h>
     36 #include <Library/PcdLib.h>
     37 #include <Protocol/FirmwareManagement.h>
     38 #include <Guid/SystemResourceTable.h>
     39 
     40 /**
     41   The handler is used to do the authentication for FMP capsule based upon
     42   EFI_FIRMWARE_IMAGE_AUTHENTICATION.
     43 
     44   Caution: This function may receive untrusted input.
     45 
     46   This function assumes the caller AuthenticateFmpImage()
     47   already did basic validation for EFI_FIRMWARE_IMAGE_AUTHENTICATION.
     48 
     49   @param[in]  Image                   Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.
     50   @param[in]  ImageSize               Size of the authentication image in bytes.
     51   @param[in]  PublicKeyData           The public key data used to validate the signature.
     52   @param[in]  PublicKeyDataLength     The length of the public key data.
     53 
     54   @retval RETURN_SUCCESS            Authentication pass.
     55                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.
     56   @retval RETURN_SECURITY_VIOLATION Authentication fail.
     57                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.
     58   @retval RETURN_INVALID_PARAMETER  The image is in an invalid format.
     59                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
     60   @retval RETURN_OUT_OF_RESOURCES   No Authentication handler associated with CertType.
     61                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.
     62 **/
     63 RETURN_STATUS
     64 FmpAuthenticatedHandlerPkcs7 (
     65   IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,
     66   IN UINTN                              ImageSize,
     67   IN CONST UINT8                        *PublicKeyData,
     68   IN UINTN                              PublicKeyDataLength
     69   )
     70 {
     71   RETURN_STATUS                             Status;
     72   BOOLEAN                                   CryptoStatus;
     73   VOID                                      *P7Data;
     74   UINTN                                     P7Length;
     75   VOID                                      *TempBuffer;
     76 
     77   DEBUG((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7 - Image: 0x%08x - 0x%08x\n", (UINTN)Image, (UINTN)ImageSize));
     78 
     79   P7Length = Image->AuthInfo.Hdr.dwLength - (OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData));
     80   P7Data = Image->AuthInfo.CertData;
     81 
     82   // It is a signature across the variable data and the Monotonic Count value.
     83   TempBuffer = AllocatePool(ImageSize - Image->AuthInfo.Hdr.dwLength);
     84   if (TempBuffer == NULL) {
     85     DEBUG((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: TempBuffer == NULL\n"));
     86     Status = RETURN_OUT_OF_RESOURCES;
     87     goto Done;
     88   }
     89 
     90   CopyMem(
     91     TempBuffer,
     92     (UINT8 *)Image + sizeof(Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength,
     93     ImageSize - sizeof(Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength
     94     );
     95   CopyMem(
     96     (UINT8 *)TempBuffer + ImageSize - sizeof(Image->MonotonicCount) - Image->AuthInfo.Hdr.dwLength,
     97     &Image->MonotonicCount,
     98     sizeof(Image->MonotonicCount)
     99     );
    100   CryptoStatus = Pkcs7Verify(
    101                    P7Data,
    102                    P7Length,
    103                    PublicKeyData,
    104                    PublicKeyDataLength,
    105                    (UINT8 *)TempBuffer,
    106                    ImageSize - Image->AuthInfo.Hdr.dwLength
    107                    );
    108   FreePool(TempBuffer);
    109   if (!CryptoStatus) {
    110     //
    111     // If PKCS7 signature verification fails, AUTH tested failed bit is set.
    112     //
    113     DEBUG((DEBUG_ERROR, "FmpAuthenticatedHandlerPkcs7: Pkcs7Verify() failed\n"));
    114     Status = RETURN_SECURITY_VIOLATION;
    115     goto Done;
    116   }
    117   DEBUG((DEBUG_INFO, "FmpAuthenticatedHandlerPkcs7: PASS verification\n"));
    118 
    119   Status = RETURN_SUCCESS;
    120 
    121 Done:
    122   return Status;
    123 }
    124 
    125 /**
    126   The function is used to do the authentication for FMP capsule based upon
    127   EFI_FIRMWARE_IMAGE_AUTHENTICATION.
    128 
    129   The FMP capsule image should start with EFI_FIRMWARE_IMAGE_AUTHENTICATION,
    130   followed by the payload.
    131 
    132   If the return status is RETURN_SUCCESS, the caller may continue the rest
    133   FMP update process.
    134   If the return status is NOT RETURN_SUCCESS, the caller should stop the FMP
    135   update process and convert the return status to LastAttemptStatus
    136   to indicate that FMP update fails.
    137   The LastAttemptStatus can be got from ESRT table or via
    138   EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo().
    139 
    140   Caution: This function may receive untrusted input.
    141 
    142   @param[in]  Image                   Points to an FMP authentication image, started from EFI_FIRMWARE_IMAGE_AUTHENTICATION.
    143   @param[in]  ImageSize               Size of the authentication image in bytes.
    144   @param[in]  PublicKeyData           The public key data used to validate the signature.
    145   @param[in]  PublicKeyDataLength     The length of the public key data.
    146 
    147   @retval RETURN_SUCCESS            Authentication pass.
    148                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_SUCCESS.
    149   @retval RETURN_SECURITY_VIOLATION Authentication fail.
    150                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_AUTH_ERROR.
    151   @retval RETURN_INVALID_PARAMETER  The image is in an invalid format.
    152                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
    153   @retval RETURN_UNSUPPORTED        No Authentication handler associated with CertType.
    154                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
    155   @retval RETURN_UNSUPPORTED        Image or ImageSize is invalid.
    156                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT.
    157   @retval RETURN_OUT_OF_RESOURCES   No Authentication handler associated with CertType.
    158                                     The LastAttemptStatus should be LAST_ATTEMPT_STATUS_ERROR_INSUFFICIENT_RESOURCES.
    159 **/
    160 RETURN_STATUS
    161 EFIAPI
    162 AuthenticateFmpImage (
    163   IN EFI_FIRMWARE_IMAGE_AUTHENTICATION  *Image,
    164   IN UINTN                              ImageSize,
    165   IN CONST UINT8                        *PublicKeyData,
    166   IN UINTN                              PublicKeyDataLength
    167   )
    168 {
    169   GUID                                      *CertType;
    170   EFI_STATUS                                Status;
    171 
    172   if ((Image == NULL) || (ImageSize == 0)) {
    173     return RETURN_UNSUPPORTED;
    174   }
    175 
    176   if (ImageSize < sizeof(EFI_FIRMWARE_IMAGE_AUTHENTICATION)) {
    177     DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));
    178     return RETURN_INVALID_PARAMETER;
    179   }
    180   if (Image->AuthInfo.Hdr.dwLength <= OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData)) {
    181     DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too small\n"));
    182     return RETURN_INVALID_PARAMETER;
    183   }
    184   if (Image->AuthInfo.Hdr.dwLength > MAX_UINTN - sizeof(UINT64)) {
    185     DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - dwLength too big\n"));
    186     return RETURN_INVALID_PARAMETER;
    187   }
    188   if (ImageSize <= sizeof(Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength) {
    189     DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - ImageSize too small\n"));
    190     return RETURN_INVALID_PARAMETER;
    191   }
    192   if (Image->AuthInfo.Hdr.wRevision != 0x0200) {
    193     DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - wRevision: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wRevision, (UINTN)0x0200));
    194     return RETURN_INVALID_PARAMETER;
    195   }
    196   if (Image->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {
    197     DEBUG((DEBUG_ERROR, "AuthenticateFmpImage - wCertificateType: 0x%02x, expect - 0x%02x\n", (UINTN)Image->AuthInfo.Hdr.wCertificateType, (UINTN)WIN_CERT_TYPE_EFI_GUID));
    198     return RETURN_INVALID_PARAMETER;
    199   }
    200 
    201   CertType = &Image->AuthInfo.CertType;
    202   DEBUG((DEBUG_INFO, "AuthenticateFmpImage - CertType: %g\n", CertType));
    203 
    204   if (CompareGuid (&gEfiCertPkcs7Guid, CertType)) {
    205     //
    206     // Call the match handler to extract raw data for the input section data.
    207     //
    208     Status = FmpAuthenticatedHandlerPkcs7 (
    209                Image,
    210                ImageSize,
    211                PublicKeyData,
    212                PublicKeyDataLength
    213                );
    214     return Status;
    215   }
    216 
    217   //
    218   // Not found, the input guided section is not supported.
    219   //
    220   return RETURN_UNSUPPORTED;
    221 }
    222 
    223