mirror of
https://github.com/u-boot/u-boot.git
synced 2024-11-24 04:34:22 +08:00
efi_loader: image_loader: add a missing digest verification for signed PE image
At the last step of PE image authentication, an image's hash value must be
compared with a message digest stored as the content (of SpcPeImageData type)
of pkcs7's contentInfo.
Fixes: commit 4540dabdca
("efi_loader: image_loader: support image authentication")
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
This commit is contained in:
parent
b72d09fa7d
commit
634f6b2fb1
@ -366,6 +366,7 @@ config EFI_SECURE_BOOT
|
||||
select X509_CERTIFICATE_PARSER
|
||||
select PKCS7_MESSAGE_PARSER
|
||||
select PKCS7_VERIFY
|
||||
select MSCODE_PARSER
|
||||
select EFI_SIGNATURE_SUPPORT
|
||||
help
|
||||
Select this option to enable EFI secure boot support.
|
||||
|
@ -16,6 +16,7 @@
|
||||
#include <malloc.h>
|
||||
#include <pe.h>
|
||||
#include <sort.h>
|
||||
#include <crypto/mscode.h>
|
||||
#include <crypto/pkcs7_parser.h>
|
||||
#include <linux/err.h>
|
||||
|
||||
@ -516,6 +517,51 @@ err:
|
||||
}
|
||||
|
||||
#ifdef CONFIG_EFI_SECURE_BOOT
|
||||
/**
|
||||
* efi_image_verify_digest - verify image's message digest
|
||||
* @regs: Array of memory regions to digest
|
||||
* @msg: Signature in pkcs7 structure
|
||||
*
|
||||
* @regs contains all the data in a PE image to digest. Calculate
|
||||
* a hash value based on @regs and compare it with a messaged digest
|
||||
* in the content (SpcPeImageData) of @msg's contentInfo.
|
||||
*
|
||||
* Return: true if verified, false if not
|
||||
*/
|
||||
static bool efi_image_verify_digest(struct efi_image_regions *regs,
|
||||
struct pkcs7_message *msg)
|
||||
{
|
||||
struct pefile_context ctx;
|
||||
void *hash;
|
||||
int hash_len, ret;
|
||||
|
||||
const void *data;
|
||||
size_t data_len;
|
||||
size_t asn1hdrlen;
|
||||
|
||||
/* get pkcs7's contentInfo */
|
||||
ret = pkcs7_get_content_data(msg, &data, &data_len, &asn1hdrlen);
|
||||
if (ret < 0 || !data)
|
||||
return false;
|
||||
|
||||
/* parse data and retrieve a message digest into ctx */
|
||||
ret = mscode_parse(&ctx, data, data_len, asn1hdrlen);
|
||||
if (ret < 0)
|
||||
return false;
|
||||
|
||||
/* calculate a hash value of PE image */
|
||||
hash = NULL;
|
||||
if (!efi_hash_regions(regs->reg, regs->num, &hash, ctx.digest_algo,
|
||||
&hash_len))
|
||||
return false;
|
||||
|
||||
/* match the digest */
|
||||
if (ctx.digest_len != hash_len || memcmp(ctx.digest, hash, hash_len))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* efi_image_authenticate() - verify a signature of signed image
|
||||
* @efi: Pointer to image
|
||||
@ -645,6 +691,9 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
|
||||
}
|
||||
|
||||
/*
|
||||
* verify signatures in pkcs7's signedInfos which are
|
||||
* to authenticate the integrity of pkcs7's contentInfo.
|
||||
*
|
||||
* NOTE:
|
||||
* UEFI specification defines two signature types possible
|
||||
* in signature database:
|
||||
@ -677,12 +726,21 @@ static bool efi_image_authenticate(void *efi, size_t efi_size)
|
||||
}
|
||||
|
||||
/* try white-list */
|
||||
if (efi_signature_verify(regs, msg, db, dbx)) {
|
||||
if (!efi_signature_verify(regs, msg, db, dbx)) {
|
||||
log_debug("Signature was not verified by \"db\"\n");
|
||||
continue;
|
||||
}
|
||||
|
||||
/*
|
||||
* now calculate an image's hash value and compare it with
|
||||
* a messaged digest embedded in pkcs7's contentInfo
|
||||
*/
|
||||
if (efi_image_verify_digest(regs, msg)) {
|
||||
ret = true;
|
||||
continue;
|
||||
}
|
||||
|
||||
log_debug("Signature was not verified by \"db\"\n");
|
||||
log_debug("Message digest doesn't match\n");
|
||||
}
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user