The authenticode spec is a bit unclear on padding when it comes to computing
hashes.  However, it is clear that when we add the signature table, we must
align it and pad to the alignment.  This pad is conventionally zeroes and
becomes part of the hash.  This means that when computing the hash of an
unsigned binary you must also zero pad the hash up to the aligned size
otherwise the hashes of signed and unsigned binaries would differ by the pad.

Fix this by adding a zero pad into the hash up to where the aligned size of
the binary would be

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: James Bottomley <[email protected]>
---
 .../DxeImageVerificationLib/DxeImageVerificationLib.c        | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git 
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 959a9b0..5df4d27 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -590,6 +590,18 @@ HashPeImage (
       if (!Status) {
         goto Done;
       }
+      /*
+       * Problem: some unsigned PECOFF binaries don't always end on an aligned
+       * size. For this case, pad them with zeros up to the aligned size
+       */
+      if (ALIGN_SIZE(mImageSize)) {
+       UINT64 zerofill = 0;
+
+       Status  = mHash[HashAlg].HashUpdate(HashCtx, &zerofill, 
ALIGN_SIZE(mImageSize));
+       if (!Status) {
+         goto Done;
+       }
+      }
     } else if (mImageSize < CertSize + SumOfBytesHashed) {
       Status = FALSE;
       goto Done;
-- 
2.1.2




------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-devel

Reply via email to