REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3461
The UEFI specification prohibits loading any UEFI image of which a matching SHA-256 hash is contained in "dbx" (UEFI 2.9, 32.5.3.3 "Authorization Process", 3.A). Currently, this is only explicitly checked when the image is unsigned and otherwise the hash algorithms of the certificates are used. Align with the UEFI specification by specifically looking up the SHA-256 hash of the image in "dbx".
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Jian J Wang <jian.j.w...@intel.com>
Cc: Min Xu <min.m...@intel.com>
Cc: Vitaly Cheptsov <vit9...@protonmail.com>
Signed-off-by: Marvin Häuser <mhaeu...@posteo.de>
---
 SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 60 ++++++++------------
 1 file changed, 24 insertions(+), 36 deletions(-)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index c48861cd6496..1f9bb33e86c3 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1803,34 +1803,36 @@ DxeImageVerificationHandler (
     }
   }
 
+  //
+  // The SHA256 hash value of the image must not be reflected in the security data base "dbx".
+  //
+  if (!HashPeImage (HASHALG_SHA256)) {
+    DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));
+    goto Failed;
+  }
+
+  DbStatus = IsSignatureFoundInDatabase (
+               EFI_IMAGE_SECURITY_DATABASE1,
+               mImageDigest,
+               &mCertType,
+               mImageDigestSize,
+               &IsFound
+               );
+  if (EFI_ERROR (DbStatus) || IsFound) {
+    //
+    // Image Hash is in forbidden database (DBX).
+    //
+    DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
+    goto Failed;
+  }
+
   //
   // Start Image Validation.
   //
   if (SecDataDir == NULL || SecDataDir->Size == 0) {
     //
-    // This image is not signed. The SHA256 hash value of the image must match a record in the security database "db",
-    // and not be reflected in the security data base "dbx".
+    // This image is not signed. The SHA256 hash value of the image must match a record in the security database "db".
     //
-    if (!HashPeImage (HASHALG_SHA256)) {
-      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));
-      goto Failed;
-    }
-
-    DbStatus = IsSignatureFoundInDatabase (
-                 EFI_IMAGE_SECURITY_DATABASE1,
-                 mImageDigest,
-                 &mCertType,
-                 mImageDigestSize,
-                 &IsFound
-                 );
-    if (EFI_ERROR (DbStatus) || IsFound) {
-      //
-      // Image Hash is in forbidden database (DBX).
-      //
-      DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
-      goto Failed;
-    }
-
     DbStatus = IsSignatureFoundInDatabase (
                  EFI_IMAGE_SECURITY_DATABASE,
                  mImageDigest,
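Review bot: The debug message kept in the hoisted dbx check still reads `Image is not signed and %s hash of image is forbidden by DBX.`, but the check now runs before the `SecDataDir` branch and therefore also fires for signed images, so the log misreports the signedness; drop that claim, e.g. `DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: %s hash of image is forbidden by DBX.\n", mHashTypeStr));`. The hoisted block also reaches `goto Failed` without assigning `Action`, whereas the signed-path check removed in the second hunk set `Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND` before failing; unless `Action` already holds that value at this point, the image-execution-info record for a signed image rejected by dbx presumably changes, which is worth confirming against the code around the `Failed` label. DxeImageVerificationHandler starts before and ends after this hunk, so the initial value of `Action` is not visible here.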
@@ -1932,20 +1934,6 @@ DxeImageVerificationHandler (
       //
       // Check the image's hash value.
       //
-      DbStatus = IsSignatureFoundInDatabase (
-                   EFI_IMAGE_SECURITY_DATABASE1,
-                   mImageDigest,
-                   &mCertType,
-                   mImageDigestSize,
-                   &IsFound
-                   );
-      if (EFI_ERROR (DbStatus) || IsFound) {
-        Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
-        DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr));
-        IsVerified = FALSE;
-        break;
-      }
-
       if (!IsVerified) {
         DbStatus = IsSignatureFoundInDatabase (
                      EFI_IMAGE_SECURITY_DATABASE,
-- 
2.31.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78889): https://edk2.groups.io/g/devel/message/78889
Mute This Topic: https://groups.io/mt/84754063/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-