From: AKASHI Takahiro Date: Wed, 8 Jul 2020 05:01:52 +0000 (+0900) Subject: efi_loader: image_loader: add a check against certificate type of authenticode X-Git-Url: http://git.dujemihanovic.xyz/?a=commitdiff_plain;h=1a44b7059c183a227f2fc4519df24da09d403cba;p=u-boot.git efi_loader: image_loader: add a check against certificate type of authenticode UEFI specification requires that we shall support three type of certificates of authenticode in PE image: WIN_CERT_TYPE_EFI_GUID with the guid, EFI_CERT_TYPE_PCKS7_GUID WIN_CERT_TYPE_PKCS_SIGNED_DATA WIN_CERT_TYPE_EFI_PKCS1_15 As EDK2 does, we will support the first two that are pkcs7 SignedData. Signed-off-by: AKASHI Takahiro --- diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c index 06a2ebdb90..9b01e1ec90 100644 --- a/lib/efi_loader/efi_image_loader.c +++ b/lib/efi_loader/efi_image_loader.c @@ -483,7 +483,8 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) struct efi_signature_store *db = NULL, *dbx = NULL; struct x509_certificate *cert = NULL; void *new_efi = NULL; - size_t new_efi_size; + u8 *auth, *wincerts_end; + size_t new_efi_size, auth_size; bool ret = false; if (!efi_secure_boot_enabled()) @@ -532,21 +533,52 @@ static bool efi_image_authenticate(void *efi, size_t efi_size) } /* go through WIN_CERTIFICATE list */ - for (wincert = wincerts; - (void *)wincert < (void *)wincerts + wincerts_len; - wincert = (void *)wincert + ALIGN(wincert->dwLength, 8)) { - if (wincert->dwLength < sizeof(*wincert)) { - EFI_PRINT("%s: dwLength too small: %u < %zu\n", - __func__, wincert->dwLength, - sizeof(*wincert)); - goto err; + for (wincert = wincerts, wincerts_end = (u8 *)wincerts + wincerts_len; + (u8 *)wincert < wincerts_end; + wincert = (WIN_CERTIFICATE *) + ((u8 *)wincert + ALIGN(wincert->dwLength, 8))) { + if ((u8 *)wincert + sizeof(*wincert) >= wincerts_end) + break; + + if (wincert->dwLength <= sizeof(*wincert)) { + EFI_PRINT("dwLength too small: %u < %zu\n", + wincert->dwLength, sizeof(*wincert)); + continue; + } + + EFI_PRINT("WIN_CERTIFICATE_TYPE: 0x%x\n", + wincert->wCertificateType); + + auth = (u8 *)wincert + sizeof(*wincert); + auth_size = wincert->dwLength - sizeof(*wincert); + if (wincert->wCertificateType == WIN_CERT_TYPE_EFI_GUID) { + if (auth + sizeof(efi_guid_t) >= wincerts_end) + break; + + if (auth_size <= sizeof(efi_guid_t)) { + EFI_PRINT("dwLength too small: %u < %zu\n", + wincert->dwLength, sizeof(*wincert)); + continue; + } + if (guidcmp(auth, &efi_guid_cert_type_pkcs7)) { + EFI_PRINT("Certificate type not supported: %pUl\n", + auth); + continue; + } + + auth += sizeof(efi_guid_t); + auth_size -= sizeof(efi_guid_t); + } else if (wincert->wCertificateType + != WIN_CERT_TYPE_PKCS_SIGNED_DATA) { + EFI_PRINT("Certificate type not supported\n"); + continue; } - msg = pkcs7_parse_message((void *)wincert + sizeof(*wincert), - wincert->dwLength - sizeof(*wincert)); + + msg = pkcs7_parse_message(auth, auth_size); if (IS_ERR(msg)) { EFI_PRINT("Parsing image's signature failed\n"); msg = NULL; - goto err; + continue; } /* try black-list first */