James,

Yes, I agree with you. The padding issue may lead to un-matched result against 
signed and unsigned image. 
The current implementation try to follow the steps described in "Calculating 
the PE Image Hash" section of Authenticode specification, where no clear 
padding clarification. 
There are also some similar cases we need to concern in measured boot (e.g. 
TcgMeasurePeImage in DxeTpmMeasureBootLib.c, and MeasurePeImageAndExtend in 
MeasureBootPeCoff.c). 

I can't recall how MSFT SignTool calculate the PE/COFF hash (before or after 
the zero padding) when appending the result Authenticode signature. So need 
some time to double-check this. 


Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: James Bottomley [mailto:[email protected]] 
Sent: Friday, January 23, 2015 10:19 AM
To: [email protected]
Subject: Re: [edk2] [PATCH 1/1] DxeImageVerificationLib: Fix bug in padding 
leading to wrong hashes

On Thu, 2015-01-22 at 18:12 -0800, James Bottomley wrote:
> The authenticode spec is a bit unclear on padding when it comes to 
> computing hashes.  However, it is clear that when we add the signature 
> table, we must align it and pad to the alignment.  This pad is 
> conventionally zeroes and becomes part of the hash.  This means that 
> when computing the hash of an unsigned binary you must also zero pad 
> the hash up to the aligned size otherwise the hashes of signed and unsigned 
> binaries would differ by the pad.
> 
> Fix this by adding a zero pad into the hash up to where the aligned 
> size of the binary would be

Incidentally, what's the tag for stable process?  This bug is present in both 
UDK2010 and UDK2014.

James



------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-devel

------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-devel

Reply via email to