Revision: 13957
http://edk2.svn.sourceforge.net/edk2/?rev=13957&view=rev
Author: sfu5
Date: 2012-11-21 08:06:02 +0000 (Wed, 21 Nov 2012)
Log Message:
-----------
1. Correct the counter-based hash algorithm according to UEFI spec.
2. Check the reserved bits in the variable attributes.
3. Return EFI_OUT_OF_RESOURCES instead of EFI_SECURITY_VIOLATION if there is not
enough space to store the public key.
4. Fix a bug where, when deleting a non-existent time-based auth variable, we stored
the certificate into the cert DB incorrectly.
5. Fix a bug where a time-based auth variable can't be updated again after an
append operation.
Signed-off-by: Fu Siyuan <[email protected]>
Reviewed-by: Ye Ting <[email protected]>
Reviewed-by: Dong Guo <[email protected]>
Modified Paths:
--------------
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h
Modified: trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
===================================================================
--- trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
2012-11-21 03:03:32 UTC (rev 13956)
+++ trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
2012-11-21 08:06:02 UTC (rev 13957)
@@ -526,7 +526,9 @@
EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlock;
UINT8 Digest[SHA256_DIGEST_SIZE];
VOID *Rsa;
-
+ UINTN PayloadSize;
+
+ PayloadSize = DataSize - AUTHINFO_SIZE;
Rsa = NULL;
CertData = NULL;
CertBlock = NULL;
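Review bot: `PayloadSize = DataSize - AUTHINFO_SIZE;` is an unsigned subtraction, and nothing visible in this hunk guarantees `DataSize >= AUTHINFO_SIZE` before it runs. If this point can be reached with a shorter buffer, PayloadSize wraps to a very large value that is later passed to Sha256Update as a length, so the hash would read past the end of Data. The function starts and ends outside the hunk, so the bound may already be enforced earlier. If it is not, add `if (DataSize < AUTHINFO_SIZE) { return EFI_SECURITY_VIOLATION; }` before the assignment, or at least a comment naming where the bound is checked.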
@@ -558,11 +560,18 @@
if (!Status) {
goto Done;
}
- Status = Sha256Update (mHashCtx, Data + AUTHINFO_SIZE, (UINTN) (DataSize -
AUTHINFO_SIZE));
+ Status = Sha256Update (mHashCtx, Data + AUTHINFO_SIZE, PayloadSize);
if (!Status) {
goto Done;
}
//
+ // Hash Size.
+ //
+ Status = Sha256Update (mHashCtx, &PayloadSize, sizeof (UINTN));
+ if (!Status) {
+ goto Done;
+ }
+ //
// Hash Monotonic Count.
//
Status = Sha256Update (mHashCtx, &CertData->MonotonicCount, sizeof
(UINT64));
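Review bot: The new size field is hashed as `sizeof (UINTN)` bytes of a native UINTN, so the digest input is 4 bytes on a 32-bit build and 8 bytes on a 64-bit build, in the platform's byte order, and the comment `// Hash Size.` says none of this. Whoever produces the signature has to serialize the size the same way, otherwise a correctly signed payload fails verification on a build with a different width. I would expand the comment to something like `// Hash Size: PayloadSize as a native-width UINTN; the signer must hash the same width and byte order.` The enclosing function continues outside the hunk.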
@@ -1099,6 +1108,7 @@
@return EFI_INVALID_PARAMETER Invalid parameter.
@return EFI_WRITE_PROTECTED Variable is write-protected and
needs authentication with
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
+ @return EFI_OUT_OF_RESOURCES The Database to save the public key
is full.
@return EFI_SECURITY_VIOLATION The variable is with
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
set, but the AuthInfo does NOT pass
the validation
check carried out by the firmware.
@@ -1253,7 +1263,7 @@
//
KeyIndex = AddPubKeyInStore (PubKey);
if (KeyIndex == 0) {
- return EFI_SECURITY_VIOLATION;
+ return EFI_OUT_OF_RESOURCES;
}
}
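Review bot: Every zero return from AddPubKeyInStore is now reported as EFI_OUT_OF_RESOURCES, but the hunk does not show that a full store is the only reason it returns 0. AddPubKeyInStore is defined outside this hunk; if it also returns 0 for other failures (for example a bad argument or a failed write of the key database), callers will be told the store is full when it is not. Either record the contract in a comment here, e.g. `// AddPubKeyInStore returns 0 only when the key store is full.`, or have the helper report the cause so the matching status can be returned.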
@@ -2155,13 +2165,13 @@
//
// Delete signer's certificates when delete the common authenticated
variable.
//
- if ((PayloadSize == 0) && (Variable->CurrPtr != NULL)) {
+ if ((PayloadSize == 0) && (Variable->CurrPtr != NULL) && ((Attributes &
EFI_VARIABLE_APPEND_WRITE) == 0)) {
Status = DeleteCertsFromDb (VariableName, VendorGuid);
if (EFI_ERROR (Status)) {
VerifyStatus = FALSE;
goto Exit;
}
- } else if (Variable->CurrPtr == NULL) {
+ } else if (Variable->CurrPtr == NULL && PayloadSize != 0) {
//
// Insert signer's certificates when adding a new common authenticated
variable.
//
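Review bot: The comment above the first branch still only says the certificates are deleted when the variable is deleted, but the condition now also requires EFI_VARIABLE_APPEND_WRITE to be clear, and the insert branch now skips the zero-payload case; neither rule is explained. These conditions decide when a signer certificate is bound to or removed from a variable, so I would state them, e.g. `// An append with an empty payload is not a delete: keep the signer's certificates.` and `// Deleting a non-existent variable must not register a certificate.` As a style point, the new `else if` drops the per-comparison parentheses used on the line above; `} else if ((Variable->CurrPtr == NULL) && (PayloadSize != 0)) {` would match. The enclosing block starts and ends outside the hunk.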
Modified: trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
===================================================================
--- trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
2012-11-21 03:03:32 UTC (rev 13956)
+++ trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
2012-11-21 08:06:02 UTC (rev 13957)
@@ -2281,6 +2281,13 @@
}
//
+ // Check for reserverd bit in variable attribute.
+ //
+ if ((Attributes & (~EFI_VARIABLE_ATTRIBUTES_MASK)) != 0) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
// Make sure if runtime bit is set, boot service bit is set also.
//
if ((Attributes & (EFI_VARIABLE_RUNTIME_ACCESS |
EFI_VARIABLE_BOOTSERVICE_ACCESS)) == EFI_VARIABLE_RUNTIME_ACCESS) {
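Review bot: The new comment misspells "reserved" and does not say which bits count as reserved; `// Reject any attribute bit outside EFI_VARIABLE_ATTRIBUTES_MASK (reserved bits).` would be clearer. Running this check ahead of the other attribute tests means unknown bits are refused before they can influence later processing, and that reasoning deserves a few words in the comment. The enclosing function starts and ends outside the hunk.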
Modified: trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h
===================================================================
--- trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h
2012-11-21 03:03:32 UTC (rev 13956)
+++ trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h
2012-11-21 08:06:02 UTC (rev 13957)
@@ -43,6 +43,13 @@
#include <Guid/HardwareErrorVariable.h>
#define VARIABLE_RECLAIM_THRESHOLD (1024)
+#define EFI_VARIABLE_ATTRIBUTES_MASK (EFI_VARIABLE_NON_VOLATILE | \
+ EFI_VARIABLE_BOOTSERVICE_ACCESS | \
+ EFI_VARIABLE_RUNTIME_ACCESS | \
+ EFI_VARIABLE_HARDWARE_ERROR_RECORD | \
+ EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
| \
+
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS | \
+ EFI_VARIABLE_APPEND_WRITE)
///
/// The size of a 3 character ISO639 language code.
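Review bot: EFI_VARIABLE_ATTRIBUTES_MASK is added without a doc comment, although the declaration right below it uses `///` comments. Because the new check in Variable.c rejects every bit that is not in this mask, the list has to track exactly the attribute bits the implementation supports, and a bit added to the headers but not to the mask would be refused without any obvious reason. Say so at the definition, e.g. `/// All attribute bits accepted by SetVariable(); any other bit is treated as reserved and rejected.`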