GitHub-Mirror/u-boot
2
0
Fork 0
mirror of https://github.com/Fishwaldo/u-boot.git synced 2025-03-17 12:41:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

efi_loader: image_loader: add a check against certificate type of authenticode

Browse source 
UEFI specification requires that we shall support three type of
certificates of authenticode in PE image:
  WIN_CERT_TYPE_EFI_GUID with the guid, EFI_CERT_TYPE_PCKS7_GUID
  WIN_CERT_TYPE_PKCS_SIGNED_DATA
  WIN_CERT_TYPE_EFI_PKCS1_15

As EDK2 does, we will support the first two that are pkcs7 SignedData.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
This commit is contained in:
AKASHI Takahiro 2020-07-08 14:01:52 +09:00 committed by Heinrich Schuchardt
parent b9f217a4cb
commit 1a44b7059c
1 changed files with 44 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
lib/efi_loader/efi_image_loader.c
View file

@ -483,7 +483,8 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
struct efi_signature_store *db = NULL, *dbx = NULL;
struct x509_certificate *cert = NULL;
void *new_efi = NULL;
size_t new_efi_size;
u8 *auth, *wincerts_end;
size_t new_efi_size, auth_size;
bool ret = false;
if (!efi_secure_boot_enabled())
@ -532,21 +533,52 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
}
/* go through WIN_CERTIFICATE list */
for (wincert = wincerts;
(void *)wincert < (void *)wincerts + wincerts_len;
wincert = (void *)wincert + ALIGN(wincert->dwLength, 8)) {
if (wincert->dwLength < sizeof(*wincert)) {
EFI_PRINT("%s: dwLength too small: %u < %zu\n",
__func__, wincert->dwLength,
sizeof(*wincert));
goto err;
for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len;
(u8 *)wincert < wincerts_end;
wincert = (WIN_CERTIFICATE *)
((u8 *)wincert + ALIGN(wincert->dwLength, 8))) {
if ((u8 *)wincert + sizeof(*wincert) >= wincerts_end)
break;
if (wincert->dwLength <= sizeof(*wincert)) {
EFI_PRINT("dwLength too small: %u < %zu\n",
wincert->dwLength, sizeof(*wincert));
continue;
}
msg = pkcs7_parse_message((void *)wincert + sizeof(*wincert),
wincert->dwLength - sizeof(*wincert));
EFI_PRINT("WIN_CERTIFICATE_TYPE: 0x%x\n",
wincert->wCertificateType);
auth = (u8 *)wincert + sizeof(*wincert);
auth_size = wincert->dwLength - sizeof(*wincert);
if (wincert->wCertificateType == WIN_CERT_TYPE_EFI_GUID) {
if (auth + sizeof(efi_guid_t) >= wincerts_end)
break;
if (auth_size <= sizeof(efi_guid_t)) {
EFI_PRINT("dwLength too small: %u < %zu\n",
wincert->dwLength, sizeof(*wincert));
continue;
}
if (guidcmp(auth, &efi_guid_cert_type_pkcs7)) {
EFI_PRINT("Certificate type not supported: %pUl\n",
auth);
continue;
}
auth += sizeof(efi_guid_t);
auth_size -= sizeof(efi_guid_t);
} else if (wincert->wCertificateType
!= WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
EFI_PRINT("Certificate type not supported\n");
continue;
}
msg = pkcs7_parse_message(auth, auth_size);
if (IS_ERR(msg)) {
EFI_PRINT("Parsing image's signature failed\n");
msg = NULL;
goto err;
continue;
}
/* try black-list first */