blob: c7ec2754147f713dd571a5b5f1522a53c8054d42 [file] [log] [blame]
AKASHI Takahiro1faaca42020-04-14 11:51:39 +09001// SPDX-License-Identifier: GPL-2.0+
2/*
3 * Copyright (c) 2018 Patrick Wildt <patrick@blueri.se>
4 * Copyright (c) 2019 Linaro Limited, Author: AKASHI Takahiro
5 */
6
7#include <common.h>
8#include <charset.h>
9#include <efi_loader.h>
10#include <image.h>
11#include <hexdump.h>
12#include <malloc.h>
AKASHI Takahiro14afd062020-07-21 19:35:22 +090013#include <crypto/pkcs7.h>
AKASHI Takahiro6ec67672020-04-21 09:38:17 +090014#include <crypto/pkcs7_parser.h>
AKASHI Takahiro14afd062020-07-21 19:35:22 +090015#include <crypto/public_key.h>
AKASHI Takahiro1faaca42020-04-14 11:51:39 +090016#include <linux/compat.h>
17#include <linux/oid_registry.h>
18#include <u-boot/rsa.h>
19#include <u-boot/sha256.h>
AKASHI Takahiro1faaca42020-04-14 11:51:39 +090020
21const efi_guid_t efi_guid_image_security_database =
22 EFI_IMAGE_SECURITY_DATABASE_GUID;
23const efi_guid_t efi_guid_sha256 = EFI_CERT_SHA256_GUID;
24const efi_guid_t efi_guid_cert_rsa2048 = EFI_CERT_RSA2048_GUID;
25const efi_guid_t efi_guid_cert_x509 = EFI_CERT_X509_GUID;
26const efi_guid_t efi_guid_cert_x509_sha256 = EFI_CERT_X509_SHA256_GUID;
AKASHI Takahiro5ed9ada2020-05-29 15:41:18 +090027const efi_guid_t efi_guid_cert_type_pkcs7 = EFI_CERT_TYPE_PKCS7_GUID;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +090028
Sughosh Ganu586bb982020-12-30 19:27:09 +053029#if defined(CONFIG_EFI_SECURE_BOOT) || defined(CONFIG_EFI_CAPSULE_AUTHENTICATE)
Sughosh Ganuea350082020-12-30 19:27:07 +053030static u8 pkcs7_hdr[] = {
31 /* SEQUENCE */
32 0x30, 0x82, 0x05, 0xc7,
33 /* OID: pkcs7-signedData */
34 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02,
35 /* Context Structured? */
36 0xa0, 0x82, 0x05, 0xb8,
37};
38
39/**
40 * efi_parse_pkcs7_header - parse a signature in payload
41 * @buf: Pointer to payload's value
42 * @buflen: Length of @buf
43 * @tmpbuf: Pointer to temporary buffer
44 *
45 * Parse a signature embedded in payload's value and instantiate
46 * a pkcs7_message structure. Since pkcs7_parse_message() accepts only
47 * pkcs7's signedData, some header needed be prepended for correctly
48 * parsing authentication data
49 * A temporary buffer will be allocated if needed, and it should be
50 * kept valid during the authentication because some data in the buffer
51 * will be referenced by efi_signature_verify().
52 *
53 * Return: Pointer to pkcs7_message structure on success, NULL on error
54 */
55struct pkcs7_message *efi_parse_pkcs7_header(const void *buf,
56 size_t buflen,
57 u8 **tmpbuf)
58{
59 u8 *ebuf;
60 size_t ebuflen, len;
61 struct pkcs7_message *msg;
62
63 /*
64 * This is the best assumption to check if the binary is
65 * already in a form of pkcs7's signedData.
66 */
67 if (buflen > sizeof(pkcs7_hdr) &&
68 !memcmp(&((u8 *)buf)[4], &pkcs7_hdr[4], 11)) {
69 msg = pkcs7_parse_message(buf, buflen);
70 if (IS_ERR(msg))
71 return NULL;
72 return msg;
73 }
74
75 /*
76 * Otherwise, we should add a dummy prefix sequence for pkcs7
77 * message parser to be able to process.
78 * NOTE: EDK2 also uses similar hack in WrapPkcs7Data()
79 * in CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c
80 * TODO:
81 * The header should be composed in a more refined manner.
82 */
83 EFI_PRINT("Makeshift prefix added to authentication data\n");
84 ebuflen = sizeof(pkcs7_hdr) + buflen;
85 if (ebuflen <= 0x7f) {
86 EFI_PRINT("Data is too short\n");
87 return NULL;
88 }
89
90 ebuf = malloc(ebuflen);
91 if (!ebuf) {
92 EFI_PRINT("Out of memory\n");
93 return NULL;
94 }
95
96 memcpy(ebuf, pkcs7_hdr, sizeof(pkcs7_hdr));
97 memcpy(ebuf + sizeof(pkcs7_hdr), buf, buflen);
98 len = ebuflen - 4;
99 ebuf[2] = (len >> 8) & 0xff;
100 ebuf[3] = len & 0xff;
101 len = ebuflen - 0x13;
102 ebuf[0x11] = (len >> 8) & 0xff;
103 ebuf[0x12] = len & 0xff;
104
105 msg = pkcs7_parse_message(ebuf, ebuflen);
106
107 if (IS_ERR(msg)) {
108 free(ebuf);
109 return NULL;
110 }
111
112 *tmpbuf = ebuf;
113 return msg;
114}
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900115
116/**
117 * efi_hash_regions - calculate a hash value
AKASHI Takahiroddbfa612020-07-08 14:01:55 +0900118 * @regs: Array of regions
119 * @count: Number of regions
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900120 * @hash: Pointer to a pointer to buffer holding a hash value
121 * @size: Size of buffer to be returned
122 *
123 * Calculate a sha256 value of @regs and return a value in @hash.
124 *
125 * Return: true on success, false on error
126 */
AKASHI Takahiroddbfa612020-07-08 14:01:55 +0900127static bool efi_hash_regions(struct image_region *regs, int count,
128 void **hash, size_t *size)
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900129{
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900130 if (!*hash) {
AKASHI Takahiroddbfa612020-07-08 14:01:55 +0900131 *hash = calloc(1, SHA256_SUM_LEN);
132 if (!*hash) {
133 EFI_PRINT("Out of memory\n");
134 return false;
135 }
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900136 }
AKASHI Takahiroddbfa612020-07-08 14:01:55 +0900137 if (size)
138 *size = SHA256_SUM_LEN;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900139
AKASHI Takahiroddbfa612020-07-08 14:01:55 +0900140 hash_calculate("sha256", regs, count, *hash);
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900141#ifdef DEBUG
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900142 EFI_PRINT("hash calculated:\n");
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900143 print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1,
144 *hash, SHA256_SUM_LEN, false);
145#endif
146
147 return true;
148}
149
150/**
AKASHI Takahirode924072020-07-08 14:01:57 +0900151 * efi_signature_lookup_digest - search for an image's digest in sigdb
152 * @regs: List of regions to be authenticated
153 * @db: Signature database for trusted certificates
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900154 *
AKASHI Takahirode924072020-07-08 14:01:57 +0900155 * A message digest of image pointed to by @regs is calculated and
156 * its hash value is compared to entries in signature database pointed
157 * to by @db.
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900158 *
AKASHI Takahirode924072020-07-08 14:01:57 +0900159 * Return: true if found, false if not
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900160 */
AKASHI Takahirode924072020-07-08 14:01:57 +0900161bool efi_signature_lookup_digest(struct efi_image_regions *regs,
162 struct efi_signature_store *db)
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900163{
AKASHI Takahirode924072020-07-08 14:01:57 +0900164 struct efi_signature_store *siglist;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900165 struct efi_sig_data *sig_data;
AKASHI Takahirode924072020-07-08 14:01:57 +0900166 void *hash = NULL;
167 size_t size = 0;
168 bool found = false;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900169
AKASHI Takahirode924072020-07-08 14:01:57 +0900170 EFI_PRINT("%s: Enter, %p, %p\n", __func__, regs, db);
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900171
AKASHI Takahirode924072020-07-08 14:01:57 +0900172 if (!regs || !db || !db->sig_data_list)
173 goto out;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900174
AKASHI Takahirode924072020-07-08 14:01:57 +0900175 for (siglist = db; siglist; siglist = siglist->next) {
176 /* TODO: support other hash algorithms */
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900177 if (guidcmp(&siglist->sig_type, &efi_guid_sha256)) {
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900178 EFI_PRINT("Digest algorithm is not supported: %pUl\n",
179 &siglist->sig_type);
AKASHI Takahirode924072020-07-08 14:01:57 +0900180 break;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900181 }
182
AKASHI Takahiroddbfa612020-07-08 14:01:55 +0900183 if (!efi_hash_regions(regs->reg, regs->num, &hash, &size)) {
AKASHI Takahirode924072020-07-08 14:01:57 +0900184 EFI_PRINT("Digesting an image failed\n");
185 break;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900186 }
187
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900188 for (sig_data = siglist->sig_data_list; sig_data;
189 sig_data = sig_data->next) {
190#ifdef DEBUG
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900191 EFI_PRINT("Msg digest in database:\n");
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900192 print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1,
193 sig_data->data, sig_data->size, false);
194#endif
AKASHI Takahirode924072020-07-08 14:01:57 +0900195 if (sig_data->size == size &&
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900196 !memcmp(sig_data->data, hash, size)) {
AKASHI Takahirode924072020-07-08 14:01:57 +0900197 found = true;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900198 free(hash);
199 goto out;
200 }
201 }
AKASHI Takahirode924072020-07-08 14:01:57 +0900202
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900203 free(hash);
AKASHI Takahirode924072020-07-08 14:01:57 +0900204 hash = NULL;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900205 }
206
AKASHI Takahirode924072020-07-08 14:01:57 +0900207out:
208 EFI_PRINT("%s: Exit, found: %d\n", __func__, found);
209 return found;
210}
211
212/**
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900213 * efi_lookup_certificate - find a certificate within db
214 * @msg: Signature
215 * @db: Signature database
AKASHI Takahirode924072020-07-08 14:01:57 +0900216 *
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900217 * Search signature database pointed to by @db and find a certificate
218 * pointed to by @cert.
AKASHI Takahirode924072020-07-08 14:01:57 +0900219 *
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900220 * Return: true if found, false otherwise.
AKASHI Takahirode924072020-07-08 14:01:57 +0900221 */
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900222static bool efi_lookup_certificate(struct x509_certificate *cert,
223 struct efi_signature_store *db)
AKASHI Takahirode924072020-07-08 14:01:57 +0900224{
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900225 struct efi_signature_store *siglist;
AKASHI Takahirode924072020-07-08 14:01:57 +0900226 struct efi_sig_data *sig_data;
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900227 struct image_region reg[1];
228 void *hash = NULL, *hash_tmp = NULL;
229 size_t size = 0;
230 bool found = false;
AKASHI Takahirode924072020-07-08 14:01:57 +0900231
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900232 EFI_PRINT("%s: Enter, %p, %p\n", __func__, cert, db);
AKASHI Takahirode924072020-07-08 14:01:57 +0900233
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900234 if (!cert || !db || !db->sig_data_list)
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900235 goto out;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900236
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900237 /*
238 * TODO: identify a certificate using sha256 digest
239 * Is there any better way?
240 */
241 /* calculate hash of TBSCertificate */
242 reg[0].data = cert->tbs;
243 reg[0].size = cert->tbs_size;
244 if (!efi_hash_regions(reg, 1, &hash, &size))
245 goto out;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900246
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900247 EFI_PRINT("%s: searching for %s\n", __func__, cert->subject);
248 for (siglist = db; siglist; siglist = siglist->next) {
249 /* only with x509 certificate */
250 if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509))
251 continue;
252
253 for (sig_data = siglist->sig_data_list; sig_data;
254 sig_data = sig_data->next) {
255 struct x509_certificate *cert_tmp;
256
257 cert_tmp = x509_cert_parse(sig_data->data,
258 sig_data->size);
259 if (IS_ERR_OR_NULL(cert_tmp))
260 continue;
261
AKASHI Takahiro16411802020-08-14 14:39:23 +0900262 EFI_PRINT("%s: against %s\n", __func__,
263 cert_tmp->subject);
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900264 reg[0].data = cert_tmp->tbs;
265 reg[0].size = cert_tmp->tbs_size;
266 if (!efi_hash_regions(reg, 1, &hash_tmp, NULL))
267 goto out;
268
269 x509_free_certificate(cert_tmp);
270
271 if (!memcmp(hash, hash_tmp, size)) {
272 found = true;
273 goto out;
274 }
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900275 }
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900276 }
277out:
278 free(hash);
279 free(hash_tmp);
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900280
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900281 EFI_PRINT("%s: Exit, found: %d\n", __func__, found);
282 return found;
283}
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900284
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900285/**
286 * efi_verify_certificate - verify certificate's signature with database
287 * @signer: Certificate
288 * @db: Signature database
289 * @root: Certificate to verify @signer
290 *
291 * Determine if certificate pointed to by @signer may be verified
292 * by one of certificates in signature database pointed to by @db.
293 *
294 * Return: true if certificate is verified, false otherwise.
295 */
296static bool efi_verify_certificate(struct x509_certificate *signer,
297 struct efi_signature_store *db,
298 struct x509_certificate **root)
299{
300 struct efi_signature_store *siglist;
301 struct efi_sig_data *sig_data;
302 struct x509_certificate *cert;
303 bool verified = false;
304 int ret;
305
306 EFI_PRINT("%s: Enter, %p, %p\n", __func__, signer, db);
307
308 if (!signer || !db || !db->sig_data_list)
309 goto out;
310
311 for (siglist = db; siglist; siglist = siglist->next) {
312 /* only with x509 certificate */
313 if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509))
314 continue;
315
316 for (sig_data = siglist->sig_data_list; sig_data;
317 sig_data = sig_data->next) {
318 cert = x509_cert_parse(sig_data->data, sig_data->size);
319 if (IS_ERR_OR_NULL(cert)) {
320 EFI_PRINT("Cannot parse x509 certificate\n");
321 continue;
322 }
323
324 ret = public_key_verify_signature(cert->pub,
325 signer->sig);
326 if (!ret) {
327 verified = true;
328 if (root)
329 *root = cert;
330 else
331 x509_free_certificate(cert);
332 goto out;
333 }
334 x509_free_certificate(cert);
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900335 }
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900336 }
337
338out:
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900339 EFI_PRINT("%s: Exit, verified: %d\n", __func__, verified);
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900340 return verified;
341}
342
343/**
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900344 * efi_signature_check_revocation - check revocation with dbx
345 * @sinfo: Signer's info
346 * @cert: x509 certificate
347 * @dbx: Revocation signature database
348 *
349 * Search revocation signature database pointed to by @dbx and find
350 * an entry matching to certificate pointed to by @cert.
351 *
352 * While this entry contains revocation time, we don't support timestamp
353 * protocol at this time and any image will be unconditionally revoked
354 * when this match occurs.
355 *
AKASHI Takahiro16411802020-08-14 14:39:23 +0900356 * Return: true if check passed (not found), false otherwise.
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900357 */
358static bool efi_signature_check_revocation(struct pkcs7_signed_info *sinfo,
359 struct x509_certificate *cert,
360 struct efi_signature_store *dbx)
361{
362 struct efi_signature_store *siglist;
363 struct efi_sig_data *sig_data;
364 struct image_region reg[1];
365 void *hash = NULL;
366 size_t size = 0;
367 time64_t revoc_time;
368 bool revoked = false;
369
370 EFI_PRINT("%s: Enter, %p, %p, %p\n", __func__, sinfo, cert, dbx);
371
372 if (!sinfo || !cert || !dbx || !dbx->sig_data_list)
373 goto out;
374
375 EFI_PRINT("Checking revocation against %s\n", cert->subject);
376 for (siglist = dbx; siglist; siglist = siglist->next) {
377 if (guidcmp(&siglist->sig_type, &efi_guid_cert_x509_sha256))
378 continue;
379
380 /* calculate hash of TBSCertificate */
381 reg[0].data = cert->tbs;
382 reg[0].size = cert->tbs_size;
383 if (!efi_hash_regions(reg, 1, &hash, &size))
384 goto out;
385
386 for (sig_data = siglist->sig_data_list; sig_data;
387 sig_data = sig_data->next) {
388 /*
389 * struct efi_cert_x509_sha256 {
390 * u8 tbs_hash[256/8];
391 * time64_t revocation_time;
392 * };
393 */
394#ifdef DEBUG
395 if (sig_data->size >= size) {
396 EFI_PRINT("hash in db:\n");
397 print_hex_dump(" ", DUMP_PREFIX_OFFSET,
398 16, 1,
399 sig_data->data, size, false);
400 }
401#endif
402 if ((sig_data->size < size + sizeof(time64_t)) ||
403 memcmp(sig_data->data, hash, size))
404 continue;
405
406 memcpy(&revoc_time, sig_data->data + size,
407 sizeof(revoc_time));
408 EFI_PRINT("revocation time: 0x%llx\n", revoc_time);
409 /*
410 * TODO: compare signing timestamp in sinfo
411 * with revocation time
412 */
413
414 revoked = true;
415 free(hash);
416 goto out;
417 }
418 free(hash);
419 hash = NULL;
420 }
421out:
422 EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked);
423 return !revoked;
424}
425
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900426/*
427 * efi_signature_verify - verify signatures with db and dbx
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900428 * @regs: List of regions to be authenticated
429 * @msg: Signature
430 * @db: Signature database for trusted certificates
431 * @dbx: Revocation signature database
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900432 *
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900433 * All the signature pointed to by @msg against image pointed to by @regs
434 * will be verified by signature database pointed to by @db and @dbx.
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900435 *
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900436 * Return: true if verification for all signatures passed, false otherwise
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900437 */
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900438bool efi_signature_verify(struct efi_image_regions *regs,
439 struct pkcs7_message *msg,
440 struct efi_signature_store *db,
441 struct efi_signature_store *dbx)
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900442{
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900443 struct pkcs7_signed_info *sinfo;
444 struct x509_certificate *signer, *root;
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900445 bool verified = false;
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900446 int ret;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900447
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900448 EFI_PRINT("%s: Enter, %p, %p, %p, %p\n", __func__, regs, msg, db, dbx);
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900449
AKASHI Takahirode924072020-07-08 14:01:57 +0900450 if (!regs || !msg || !db || !db->sig_data_list)
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900451 goto out;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900452
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900453 for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) {
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900454 EFI_PRINT("Signed Info: digest algo: %s, pkey algo: %s\n",
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900455 sinfo->sig->hash_algo, sinfo->sig->pkey_algo);
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900456
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900457 /*
458 * only for authenticated variable.
459 *
460 * If this function is called for image,
461 * hash calculation will be done in
462 * pkcs7_verify_one().
463 */
464 if (!msg->data &&
465 !efi_hash_regions(regs->reg, regs->num,
466 (void **)&sinfo->sig->digest, NULL)) {
467 EFI_PRINT("Digesting an image failed\n");
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900468 goto out;
469 }
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900470
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900471 EFI_PRINT("Verifying certificate chain\n");
472 signer = NULL;
473 ret = pkcs7_verify_one(msg, sinfo, &signer);
474 if (ret == -ENOPKG)
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900475 continue;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900476
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900477 if (ret < 0 || !signer)
478 goto out;
479
480 if (sinfo->blacklisted)
481 goto out;
482
483 EFI_PRINT("Verifying last certificate in chain\n");
484 if (signer->self_signed) {
485 if (efi_lookup_certificate(signer, db))
486 if (efi_signature_check_revocation(sinfo,
487 signer, dbx))
AKASHI Takahiro16411802020-08-14 14:39:23 +0900488 break;
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900489 } else if (efi_verify_certificate(signer, db, &root)) {
490 bool check;
491
492 check = efi_signature_check_revocation(sinfo, root,
493 dbx);
494 x509_free_certificate(root);
495 if (check)
AKASHI Takahiro16411802020-08-14 14:39:23 +0900496 break;
AKASHI Takahiro14afd062020-07-21 19:35:22 +0900497 }
498
499 EFI_PRINT("Certificate chain didn't reach trusted CA\n");
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900500 }
AKASHI Takahiro16411802020-08-14 14:39:23 +0900501 if (sinfo)
502 verified = true;
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900503out:
504 EFI_PRINT("%s: Exit, verified: %d\n", __func__, verified);
505 return verified;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900506}
507
508/**
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900509 * efi_signature_check_signers - check revocation against all signers with dbx
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900510 * @msg: Signature
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900511 * @dbx: Revocation signature database
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900512 *
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900513 * Determine if none of signers' certificates in @msg are revoked
514 * by signature database pointed to by @dbx.
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900515 *
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900516 * Return: true if all signers passed, false otherwise.
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900517 */
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900518bool efi_signature_check_signers(struct pkcs7_message *msg,
519 struct efi_signature_store *dbx)
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900520{
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900521 struct pkcs7_signed_info *sinfo;
522 bool revoked = false;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900523
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900524 EFI_PRINT("%s: Enter, %p, %p\n", __func__, msg, dbx);
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900525
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900526 if (!msg || !dbx)
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900527 goto out;
528
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900529 for (sinfo = msg->signed_infos; sinfo; sinfo = sinfo->next) {
530 if (sinfo->signer &&
531 !efi_signature_check_revocation(sinfo, sinfo->signer,
532 dbx)) {
533 revoked = true;
534 break;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900535 }
536 }
537out:
AKASHI Takahiro4154b642020-07-08 14:01:56 +0900538 EFI_PRINT("%s: Exit, revoked: %d\n", __func__, revoked);
539 return !revoked;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900540}
541
542/**
Heinrich Schuchardt623e5e52020-07-01 20:01:52 +0200543 * efi_image_region_add() - add an entry of region
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900544 * @regs: Pointer to array of regions
Heinrich Schuchardt623e5e52020-07-01 20:01:52 +0200545 * @start: Start address of region (included)
546 * @end: End address of region (excluded)
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900547 * @nocheck: flag against overlapped regions
548 *
Heinrich Schuchardt623e5e52020-07-01 20:01:52 +0200549 * Take one entry of region [@start, @end[ and insert it into the list.
550 *
551 * * If @nocheck is false, the list will be sorted ascending by address.
552 * Overlapping entries will not be allowed.
553 *
554 * * If @nocheck is true, the list will be sorted ascending by sequence
555 * of adding the entries. Overlapping is allowed.
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900556 *
Heinrich Schuchardte2c43da2020-05-03 16:29:00 +0200557 * Return: status code
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900558 */
559efi_status_t efi_image_region_add(struct efi_image_regions *regs,
560 const void *start, const void *end,
561 int nocheck)
562{
563 struct image_region *reg;
564 int i, j;
565
566 if (regs->num >= regs->max) {
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900567 EFI_PRINT("%s: no more room for regions\n", __func__);
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900568 return EFI_OUT_OF_RESOURCES;
569 }
570
571 if (end < start)
572 return EFI_INVALID_PARAMETER;
573
574 for (i = 0; i < regs->num; i++) {
575 reg = &regs->reg[i];
576 if (nocheck)
577 continue;
578
Heinrich Schuchardt623e5e52020-07-01 20:01:52 +0200579 /* new data after registered region */
580 if (start >= reg->data + reg->size)
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900581 continue;
582
Heinrich Schuchardt623e5e52020-07-01 20:01:52 +0200583 /* new data preceding registered region */
584 if (end <= reg->data) {
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900585 for (j = regs->num - 1; j >= i; j--)
Heinrich Schuchardt623e5e52020-07-01 20:01:52 +0200586 memcpy(&regs->reg[j + 1], &regs->reg[j],
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900587 sizeof(*reg));
588 break;
589 }
Heinrich Schuchardt623e5e52020-07-01 20:01:52 +0200590
591 /* new data overlapping registered region */
592 EFI_PRINT("%s: new region already part of another\n", __func__);
593 return EFI_INVALID_PARAMETER;
AKASHI Takahiro1faaca42020-04-14 11:51:39 +0900594 }
595
596 reg = &regs->reg[i];
597 reg->data = start;
598 reg->size = end - start;
599 regs->num++;
600
601 return EFI_SUCCESS;
602}
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900603
604/**
605 * efi_sigstore_free - free signature store
606 * @sigstore: Pointer to signature store structure
607 *
608 * Feee all the memories held in signature store and itself,
609 * which were allocated by efi_sigstore_parse_sigdb().
610 */
611void efi_sigstore_free(struct efi_signature_store *sigstore)
612{
613 struct efi_signature_store *sigstore_next;
614 struct efi_sig_data *sig_data, *sig_data_next;
615
616 while (sigstore) {
617 sigstore_next = sigstore->next;
618
619 sig_data = sigstore->sig_data_list;
620 while (sig_data) {
621 sig_data_next = sig_data->next;
622 free(sig_data->data);
623 free(sig_data);
624 sig_data = sig_data_next;
625 }
626
627 free(sigstore);
628 sigstore = sigstore_next;
629 }
630}
631
632/**
633 * efi_sigstore_parse_siglist - parse a signature list
634 * @name: Pointer to signature list
635 *
636 * Parse signature list and instantiate a signature store structure.
637 * Signature database is a simple concatenation of one or more
638 * signature list(s).
639 *
640 * Return: Pointer to signature store on success, NULL on error
641 */
642static struct efi_signature_store *
643efi_sigstore_parse_siglist(struct efi_signature_list *esl)
644{
645 struct efi_signature_store *siglist = NULL;
646 struct efi_sig_data *sig_data, *sig_data_next;
647 struct efi_signature_data *esd;
648 size_t left;
649
650 /*
651 * UEFI specification defines certificate types:
652 * for non-signed images,
653 * EFI_CERT_SHA256_GUID
654 * EFI_CERT_RSA2048_GUID
655 * EFI_CERT_RSA2048_SHA256_GUID
656 * EFI_CERT_SHA1_GUID
657 * EFI_CERT_RSA2048_SHA_GUID
658 * EFI_CERT_SHA224_GUID
659 * EFI_CERT_SHA384_GUID
660 * EFI_CERT_SHA512_GUID
661 *
662 * for signed images,
663 * EFI_CERT_X509_GUID
664 * NOTE: Each certificate will normally be in a separate
665 * EFI_SIGNATURE_LIST as the size may vary depending on
666 * its algo's.
667 *
668 * for timestamp revocation of certificate,
669 * EFI_CERT_X509_SHA512_GUID
670 * EFI_CERT_X509_SHA256_GUID
671 * EFI_CERT_X509_SHA384_GUID
672 */
673
674 if (esl->signature_list_size
675 <= (sizeof(*esl) + esl->signature_header_size)) {
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900676 EFI_PRINT("Siglist in wrong format\n");
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900677 return NULL;
678 }
679
680 /* Create a head */
681 siglist = calloc(sizeof(*siglist), 1);
682 if (!siglist) {
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900683 EFI_PRINT("Out of memory\n");
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900684 goto err;
685 }
686 memcpy(&siglist->sig_type, &esl->signature_type, sizeof(efi_guid_t));
687
688 /* Go through the list */
689 sig_data_next = NULL;
690 left = esl->signature_list_size
691 - (sizeof(*esl) + esl->signature_header_size);
692 esd = (struct efi_signature_data *)
693 ((u8 *)esl + sizeof(*esl) + esl->signature_header_size);
694
AKASHI Takahiroa075aa32020-04-21 09:38:57 +0900695 while (left > 0) {
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900696 /* Signature must exist if there is remaining data. */
697 if (left < esl->signature_size) {
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900698 EFI_PRINT("Certificate is too small\n");
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900699 goto err;
700 }
701
702 sig_data = calloc(esl->signature_size
703 - sizeof(esd->signature_owner), 1);
704 if (!sig_data) {
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900705 EFI_PRINT("Out of memory\n");
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900706 goto err;
707 }
708
709 /* Append signature data */
710 memcpy(&sig_data->owner, &esd->signature_owner,
711 sizeof(efi_guid_t));
712 sig_data->size = esl->signature_size
713 - sizeof(esd->signature_owner);
714 sig_data->data = malloc(sig_data->size);
715 if (!sig_data->data) {
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900716 EFI_PRINT("Out of memory\n");
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900717 goto err;
718 }
719 memcpy(sig_data->data, esd->signature_data, sig_data->size);
720
721 sig_data->next = sig_data_next;
722 sig_data_next = sig_data;
723
724 /* Next */
725 esd = (struct efi_signature_data *)
726 ((u8 *)esd + esl->signature_size);
727 left -= esl->signature_size;
728 }
729 siglist->sig_data_list = sig_data_next;
730
731 return siglist;
732
733err:
734 efi_sigstore_free(siglist);
735
736 return NULL;
737}
738
739/**
Sughosh Ganufa0faa62020-12-30 19:27:08 +0530740 * efi_sigstore_parse_sigdb - parse the signature list and populate
741 * the signature store
742 *
743 * @sig_list: Pointer to the signature list
744 * @size: Size of the signature list
745 *
746 * Parse the efi signature list and instantiate a signature store
747 * structure.
748 *
749 * Return: Pointer to signature store on success, NULL on error
750 */
751struct efi_signature_store *efi_build_signature_store(void *sig_list,
752 efi_uintn_t size)
753{
754 struct efi_signature_list *esl;
755 struct efi_signature_store *sigstore = NULL, *siglist;
756
757 esl = sig_list;
758 while (size > 0) {
759 /* List must exist if there is remaining data. */
760 if (size < sizeof(*esl)) {
761 EFI_PRINT("Signature list in wrong format\n");
762 goto err;
763 }
764
765 if (size < esl->signature_list_size) {
766 EFI_PRINT("Signature list in wrong format\n");
767 goto err;
768 }
769
770 /* Parse a single siglist. */
771 siglist = efi_sigstore_parse_siglist(esl);
772 if (!siglist) {
773 EFI_PRINT("Parsing of signature list of failed\n");
774 goto err;
775 }
776
777 /* Append siglist */
778 siglist->next = sigstore;
779 sigstore = siglist;
780
781 /* Next */
782 size -= esl->signature_list_size;
783 esl = (void *)esl + esl->signature_list_size;
784 }
785 free(sig_list);
786
787 return sigstore;
788
789err:
790 efi_sigstore_free(sigstore);
791 free(sig_list);
792
793 return NULL;
794}
795
796/**
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900797 * efi_sigstore_parse_sigdb - parse a signature database variable
798 * @name: Variable's name
799 *
800 * Read in a value of signature database variable pointed to by
801 * @name, parse it and instantiate a signature store structure.
802 *
803 * Return: Pointer to signature store on success, NULL on error
804 */
805struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name)
806{
Sughosh Ganufa0faa62020-12-30 19:27:08 +0530807 struct efi_signature_store *sigstore = NULL;
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900808 const efi_guid_t *vendor;
809 void *db;
810 efi_uintn_t db_size;
811 efi_status_t ret;
812
813 if (!u16_strcmp(name, L"PK") || !u16_strcmp(name, L"KEK")) {
814 vendor = &efi_global_variable_guid;
815 } else if (!u16_strcmp(name, L"db") || !u16_strcmp(name, L"dbx")) {
816 vendor = &efi_guid_image_security_database;
817 } else {
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900818 EFI_PRINT("unknown signature database, %ls\n", name);
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900819 return NULL;
820 }
821
822 /* retrieve variable data */
823 db_size = 0;
824 ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, NULL));
825 if (ret == EFI_NOT_FOUND) {
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900826 EFI_PRINT("variable, %ls, not found\n", name);
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900827 sigstore = calloc(sizeof(*sigstore), 1);
828 return sigstore;
829 } else if (ret != EFI_BUFFER_TOO_SMALL) {
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900830 EFI_PRINT("Getting variable, %ls, failed\n", name);
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900831 return NULL;
832 }
833
834 db = malloc(db_size);
835 if (!db) {
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900836 EFI_PRINT("Out of memory\n");
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900837 return NULL;
838 }
839
840 ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, db));
841 if (ret != EFI_SUCCESS) {
AKASHI Takahiro10a9fa82020-06-09 14:09:33 +0900842 EFI_PRINT("Getting variable, %ls, failed\n", name);
Sughosh Ganufa0faa62020-12-30 19:27:08 +0530843 free(db);
844 return NULL;
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900845 }
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900846
Sughosh Ganufa0faa62020-12-30 19:27:08 +0530847 return efi_build_signature_store(db, db_size);
AKASHI Takahirod2cefc82020-04-14 11:51:40 +0900848}
Sughosh Ganu586bb982020-12-30 19:27:09 +0530849#endif /* CONFIG_EFI_SECURE_BOOT || CONFIG_EFI_CAPSULE_AUTHENTICATE */