UEFI 2.4 X509 Certificate Hash and RFC3161 Timestamp Verification support for Secure Boot
Main ChangeLogs includes: 1. Introduce the new GUID and structure definitions for certificate hash and timestamp support; 2. Update Image Verification Library to support DBT signature checking; 3. Update the related SecureBoot Configuration Pages; Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Guo Dong <guo.dong@intel.com> Reviewed-by: Siyuan Fu <siyuan.fu@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16380 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
@@ -9,7 +9,7 @@
|
||||
Variable attribute should also be checked to avoid authentication bypass.
|
||||
The whole SMM authentication variable design relies on the integrity of flash part and SMM.
|
||||
which is assumed to be protected by platform. All variable code and metadata in flash/SMM Memory
|
||||
may not be modified without authorization. If platform fails to protect these resources,
|
||||
may not be modified without authorization. If platform fails to protect these resources,
|
||||
the authentication service provided in this driver will be broken, and the behavior is undefined.
|
||||
|
||||
ProcessVarWithPk(), ProcessVarWithKek() and ProcessVariable() are the function to do
|
||||
@@ -77,7 +77,10 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] = {
|
||||
{EFI_CERT_X509_GUID, 0, ((UINT32) ~0)},
|
||||
{EFI_CERT_SHA224_GUID, 0, 28 },
|
||||
{EFI_CERT_SHA384_GUID, 0, 48 },
|
||||
{EFI_CERT_SHA512_GUID, 0, 64 }
|
||||
{EFI_CERT_SHA512_GUID, 0, 64 },
|
||||
{EFI_CERT_X509_SHA256_GUID, 0, 48 },
|
||||
{EFI_CERT_X509_SHA384_GUID, 0, 64 },
|
||||
{EFI_CERT_X509_SHA512_GUID, 0, 80 }
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -88,7 +91,7 @@ EFI_SIGNATURE_ITEM mSupportSigItem[] = {
|
||||
|
||||
@retval TRUE This variable is protected, only a physical present user could set this variable.
|
||||
@retval FALSE This variable is not protected.
|
||||
|
||||
|
||||
**/
|
||||
BOOLEAN
|
||||
NeedPhysicallyPresent(
|
||||
@@ -100,7 +103,7 @@ NeedPhysicallyPresent(
|
||||
|| (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (VariableName, EFI_CUSTOM_MODE_NAME) == 0))) {
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
@@ -122,7 +125,7 @@ InCustomMode (
|
||||
if (Variable.CurrPtr != NULL && *(GetVariableDataPtr (Variable.CurrPtr)) == CUSTOM_SECURE_BOOT_MODE) {
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
@@ -256,7 +259,7 @@ AutenticatedVariableServiceInitialize (
|
||||
Data = GetVariableDataPtr (Variable.CurrPtr);
|
||||
ASSERT ((DataSize != 0) && (Data != NULL));
|
||||
//
|
||||
// "AuthVarKeyDatabase" is an internal variable. Its DataSize is always ensured not to exceed mPubKeyStore buffer size(See definition before)
|
||||
// "AuthVarKeyDatabase" is an internal variable. Its DataSize is always ensured not to exceed mPubKeyStore buffer size(See definition before)
|
||||
// Therefore, there is no memory overflow in underlying CopyMem.
|
||||
//
|
||||
CopyMem (mPubKeyStore, (UINT8 *) Data, DataSize);
|
||||
@@ -269,7 +272,7 @@ AutenticatedVariableServiceInitialize (
|
||||
} else {
|
||||
DEBUG ((EFI_D_INFO, "Variable %s exists.\n", EFI_PLATFORM_KEY_NAME));
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Create "SetupMode" variable with BS+RT attribute set.
|
||||
//
|
||||
@@ -293,7 +296,7 @@ AutenticatedVariableServiceInitialize (
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Create "SignatureSupport" variable with BS+RT attribute set.
|
||||
//
|
||||
@@ -390,12 +393,12 @@ AutenticatedVariableServiceInitialize (
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
|
||||
|
||||
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_CUSTOM_MODE_NAME, CustomMode));
|
||||
|
||||
//
|
||||
// Check "certdb" variable's existence.
|
||||
// If it doesn't exist, then create a new one with
|
||||
// If it doesn't exist, then create a new one with
|
||||
// EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
|
||||
//
|
||||
Status = FindVariable (
|
||||
@@ -423,7 +426,7 @@ AutenticatedVariableServiceInitialize (
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// Check "VendorKeysNv" variable's existence and create "VendorKeys" variable accordingly.
|
||||
@@ -480,7 +483,7 @@ AutenticatedVariableServiceInitialize (
|
||||
Add public key in store and return its index.
|
||||
|
||||
@param[in] PubKey Input pointer to Public Key data
|
||||
@param[in] VariableDataEntry The variable data entry
|
||||
@param[in] VariableDataEntry The variable data entry
|
||||
|
||||
@return Index of new added item
|
||||
|
||||
@@ -543,7 +546,7 @@ AddPubKeyInStore (
|
||||
//
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
Status = Reclaim (
|
||||
mVariableModuleGlobal->VariableGlobal.NonVolatileVariableBase,
|
||||
&mVariableModuleGlobal->NonVolatileLastVariableOffset,
|
||||
@@ -573,7 +576,7 @@ AddPubKeyInStore (
|
||||
Data = GetVariableDataPtr (Variable.CurrPtr);
|
||||
ASSERT ((DataSize != 0) && (Data != NULL));
|
||||
//
|
||||
// "AuthVarKeyDatabase" is an internal used variable. Its DataSize is always ensured not to exceed mPubKeyStore buffer size(See definition before)
|
||||
// "AuthVarKeyDatabase" is an internal used variable. Its DataSize is always ensured not to exceed mPubKeyStore buffer size(See definition before)
|
||||
// Therefore, there is no memory overflow in underlying CopyMem.
|
||||
//
|
||||
CopyMem (mPubKeyStore, (UINT8 *) Data, DataSize);
|
||||
@@ -581,7 +584,7 @@ AddPubKeyInStore (
|
||||
|
||||
if (mPubKeyNumber == mMaxKeyNumber) {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
@@ -656,7 +659,7 @@ VerifyCounterBasedPayload (
|
||||
UINT8 Digest[SHA256_DIGEST_SIZE];
|
||||
VOID *Rsa;
|
||||
UINTN PayloadSize;
|
||||
|
||||
|
||||
PayloadSize = DataSize - AUTHINFO_SIZE;
|
||||
Rsa = NULL;
|
||||
CertData = NULL;
|
||||
@@ -885,7 +888,7 @@ UpdatePlatformMode (
|
||||
}
|
||||
|
||||
/**
|
||||
Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK/db/dbx variable.
|
||||
Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK/db/dbx/dbt variable.
|
||||
|
||||
@param[in] VariableName Name of Variable to be check.
|
||||
@param[in] VendorGuid Variable vendor GUID.
|
||||
@@ -894,7 +897,7 @@ UpdatePlatformMode (
|
||||
|
||||
@return EFI_INVALID_PARAMETER Invalid signature list format.
|
||||
@return EFI_SUCCESS Passed signature list format check successfully.
|
||||
|
||||
|
||||
**/
|
||||
EFI_STATUS
|
||||
CheckSignatureListFormat(
|
||||
@@ -921,9 +924,10 @@ CheckSignatureListFormat(
|
||||
|
||||
if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){
|
||||
IsPk = TRUE;
|
||||
} else if ((CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0) ||
|
||||
(CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
|
||||
(StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0 || StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0))){
|
||||
} else if ((CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) ||
|
||||
(CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
|
||||
((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||
|
||||
(StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0)))) {
|
||||
IsPk = FALSE;
|
||||
} else {
|
||||
return EFI_SUCCESS;
|
||||
@@ -942,10 +946,10 @@ CheckSignatureListFormat(
|
||||
for (Index = 0; Index < (sizeof (mSupportSigItem) / sizeof (EFI_SIGNATURE_ITEM)); Index++ ) {
|
||||
if (CompareGuid (&SigList->SignatureType, &mSupportSigItem[Index].SigType)) {
|
||||
//
|
||||
// The value of SignatureSize should always be 16 (size of SignatureOwner
|
||||
// The value of SignatureSize should always be 16 (size of SignatureOwner
|
||||
// component) add the data length according to signature type.
|
||||
//
|
||||
if (mSupportSigItem[Index].SigDataSize != ((UINT32) ~0) &&
|
||||
if (mSupportSigItem[Index].SigDataSize != ((UINT32) ~0) &&
|
||||
(SigList->SignatureSize - sizeof (EFI_GUID)) != mSupportSigItem[Index].SigDataSize) {
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
@@ -986,7 +990,7 @@ CheckSignatureListFormat(
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
SigCount += (SigList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - SigList->SignatureHeaderSize) / SigList->SignatureSize;
|
||||
|
||||
|
||||
SigDataSize -= SigList->SignatureListSize;
|
||||
SigList = (EFI_SIGNATURE_LIST *) ((UINT8 *) SigList + SigList->SignatureListSize);
|
||||
}
|
||||
@@ -1007,7 +1011,7 @@ CheckSignatureListFormat(
|
||||
|
||||
@return EFI_SUCCESS Variable is updated successfully.
|
||||
@return Others Failed to update variable.
|
||||
|
||||
|
||||
**/
|
||||
EFI_STATUS
|
||||
VendorKeyIsModified (
|
||||
@@ -1021,7 +1025,7 @@ VendorKeyIsModified (
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
mVendorKeyState = VENDOR_KEYS_MODIFIED;
|
||||
|
||||
|
||||
FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
|
||||
Status = UpdateVariable (
|
||||
EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
|
||||
@@ -1093,10 +1097,10 @@ ProcessVarWithPk (
|
||||
UINT8 *Payload;
|
||||
UINTN PayloadSize;
|
||||
|
||||
if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0 ||
|
||||
if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0 ||
|
||||
(Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
|
||||
//
|
||||
// PK, KEK and db/dbx should set EFI_VARIABLE_NON_VOLATILE attribute and should be a time-based
|
||||
// PK, KEK and db/dbx/dbt should set EFI_VARIABLE_NON_VOLATILE attribute and should be a time-based
|
||||
// authenticated variable.
|
||||
//
|
||||
return EFI_INVALID_PARAMETER;
|
||||
@@ -1221,7 +1225,7 @@ ProcessVarWithKek (
|
||||
if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0 ||
|
||||
(Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
|
||||
//
|
||||
// DB and DBX should set EFI_VARIABLE_NON_VOLATILE attribute and should be a time-based
|
||||
// DB, DBX and DBT should set EFI_VARIABLE_NON_VOLATILE attribute and should be a time-based
|
||||
// authenticated variable.
|
||||
//
|
||||
return EFI_INVALID_PARAMETER;
|
||||
@@ -1253,7 +1257,7 @@ ProcessVarWithKek (
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
|
||||
|
||||
Status = UpdateVariable (
|
||||
VariableName,
|
||||
VendorGuid,
|
||||
@@ -1338,23 +1342,23 @@ ProcessVariable (
|
||||
//
|
||||
return EFI_SECURITY_VIOLATION;
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// A time-based authenticated variable and a count-based authenticated variable
|
||||
// can't be updated by each other.
|
||||
//
|
||||
if (Variable->CurrPtr != NULL) {
|
||||
//
|
||||
if (Variable->CurrPtr != NULL) {
|
||||
if (((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) &&
|
||||
((Variable->CurrPtr->Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0)) {
|
||||
return EFI_SECURITY_VIOLATION;
|
||||
return EFI_SECURITY_VIOLATION;
|
||||
}
|
||||
|
||||
if (((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&
|
||||
|
||||
if (((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) &&
|
||||
((Variable->CurrPtr->Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0)) {
|
||||
return EFI_SECURITY_VIOLATION;
|
||||
return EFI_SECURITY_VIOLATION;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Process Time-based Authenticated variable.
|
||||
//
|
||||
@@ -1392,7 +1396,7 @@ ProcessVariable (
|
||||
KeyIndex = Variable->CurrPtr->PubKeyIndex;
|
||||
IsFirstTime = FALSE;
|
||||
}
|
||||
} else if ((Variable->CurrPtr != NULL) &&
|
||||
} else if ((Variable->CurrPtr != NULL) &&
|
||||
((Variable->CurrPtr->Attributes & (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) != 0)
|
||||
) {
|
||||
//
|
||||
@@ -1423,7 +1427,7 @@ ProcessVariable (
|
||||
if (!IsFirstTime) {
|
||||
//
|
||||
// 2 cases need to check here
|
||||
// 1. Internal PubKey variable. PubKeyIndex is always 0
|
||||
// 1. Internal PubKey variable. PubKeyIndex is always 0
|
||||
// 2. Other counter-based AuthVariable. Check input PubKey.
|
||||
//
|
||||
if (KeyIndex == 0 || CompareMem (PubKey, mPubKeyStore + (KeyIndex - 1) * EFI_CERT_TYPE_RSA2048_SIZE, EFI_CERT_TYPE_RSA2048_SIZE) != 0) {
|
||||
@@ -1478,7 +1482,7 @@ ProcessVariable (
|
||||
|
||||
@param[in, out] Data Pointer to original EFI_SIGNATURE_LIST.
|
||||
@param[in] DataSize Size of Data buffer.
|
||||
@param[in] FreeBufSize Size of free data buffer
|
||||
@param[in] FreeBufSize Size of free data buffer
|
||||
@param[in] NewData Pointer to new EFI_SIGNATURE_LIST to be appended.
|
||||
@param[in] NewDataSize Size of NewData buffer.
|
||||
@param[out] MergedBufSize Size of the merged buffer
|
||||
@@ -1714,7 +1718,7 @@ FindCertsFromDb (
|
||||
//
|
||||
// Check whether VariableName matches.
|
||||
//
|
||||
if ((NameSize == StrLen (VariableName)) &&
|
||||
if ((NameSize == StrLen (VariableName)) &&
|
||||
(CompareMem (Data + Offset, VariableName, NameSize * sizeof (CHAR16)) == 0)) {
|
||||
Offset = Offset + NameSize * sizeof (CHAR16);
|
||||
|
||||
@@ -1723,7 +1727,7 @@ FindCertsFromDb (
|
||||
}
|
||||
|
||||
if (CertDataSize != NULL) {
|
||||
*CertDataSize = CertSize;
|
||||
*CertDataSize = CertSize;
|
||||
}
|
||||
|
||||
if (CertNodeOffset != NULL) {
|
||||
@@ -1744,7 +1748,7 @@ FindCertsFromDb (
|
||||
}
|
||||
}
|
||||
|
||||
return EFI_NOT_FOUND;
|
||||
return EFI_NOT_FOUND;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1778,7 +1782,7 @@ GetCertsFromDb (
|
||||
if ((VariableName == NULL) || (VendorGuid == NULL) || (CertData == NULL) || (CertDataSize == NULL)) {
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Get variable "certdb".
|
||||
//
|
||||
@@ -1788,7 +1792,7 @@ GetCertsFromDb (
|
||||
&CertDbVariable,
|
||||
&mVariableModuleGlobal->VariableGlobal,
|
||||
FALSE
|
||||
);
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
@@ -1851,7 +1855,7 @@ DeleteCertsFromDb (
|
||||
if ((VariableName == NULL) || (VendorGuid == NULL)) {
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Get variable "certdb".
|
||||
//
|
||||
@@ -1861,7 +1865,7 @@ DeleteCertsFromDb (
|
||||
&CertDbVariable,
|
||||
&mVariableModuleGlobal->VariableGlobal,
|
||||
FALSE
|
||||
);
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
@@ -1929,8 +1933,8 @@ DeleteCertsFromDb (
|
||||
|
||||
//
|
||||
// Set "certdb".
|
||||
//
|
||||
VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
|
||||
//
|
||||
VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
|
||||
Status = UpdateVariable (
|
||||
EFI_CERT_DB_NAME,
|
||||
&gEfiCertDbGuid,
|
||||
@@ -1984,7 +1988,7 @@ InsertCertsToDb (
|
||||
if ((VariableName == NULL) || (VendorGuid == NULL) || (CertData == NULL)) {
|
||||
return EFI_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Get variable "certdb".
|
||||
//
|
||||
@@ -1994,7 +1998,7 @@ InsertCertsToDb (
|
||||
&CertDbVariable,
|
||||
&mVariableModuleGlobal->VariableGlobal,
|
||||
FALSE
|
||||
);
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
@@ -2030,7 +2034,7 @@ InsertCertsToDb (
|
||||
// Construct new data content of variable "certdb".
|
||||
//
|
||||
NameSize = (UINT32) StrLen (VariableName);
|
||||
CertNodeSize = sizeof (AUTH_CERT_DB_DATA) + (UINT32) CertDataSize + NameSize * sizeof (CHAR16);
|
||||
CertNodeSize = sizeof (AUTH_CERT_DB_DATA) + (UINT32) CertDataSize + NameSize * sizeof (CHAR16);
|
||||
NewCertDbSize = (UINT32) DataSize + CertNodeSize;
|
||||
if (NewCertDbSize > mMaxCertDbSize) {
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
@@ -2053,7 +2057,7 @@ InsertCertsToDb (
|
||||
CopyMem (&Ptr->CertNodeSize, &CertNodeSize, sizeof (UINT32));
|
||||
CopyMem (&Ptr->NameSize, &NameSize, sizeof (UINT32));
|
||||
CopyMem (&Ptr->CertDataSize, &CertDataSize, sizeof (UINT32));
|
||||
|
||||
|
||||
CopyMem (
|
||||
(UINT8 *) Ptr + sizeof (AUTH_CERT_DB_DATA),
|
||||
VariableName,
|
||||
@@ -2065,11 +2069,11 @@ InsertCertsToDb (
|
||||
CertData,
|
||||
CertDataSize
|
||||
);
|
||||
|
||||
|
||||
//
|
||||
// Set "certdb".
|
||||
//
|
||||
VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
|
||||
//
|
||||
VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
|
||||
Status = UpdateVariable (
|
||||
EFI_CERT_DB_NAME,
|
||||
&gEfiCertDbGuid,
|
||||
@@ -2349,7 +2353,7 @@ VerifyTimeBasedPayload (
|
||||
} else if (AuthVarType == AuthVarTypePriv) {
|
||||
|
||||
//
|
||||
// Process common authenticated variable except PK/KEK/DB/DBX.
|
||||
// Process common authenticated variable except PK/KEK/DB/DBX/DBT.
|
||||
// Get signer's certificates from SignedData.
|
||||
//
|
||||
VerifyStatus = Pkcs7GetSigners (
|
||||
@@ -2376,7 +2380,7 @@ VerifyTimeBasedPayload (
|
||||
if (EFI_ERROR (Status)) {
|
||||
goto Exit;
|
||||
}
|
||||
|
||||
|
||||
if ((CertStackSize != CertsSizeinDb) ||
|
||||
(CompareMem (SignerCerts, CertsInCertDb, CertsSizeinDb) != 0)) {
|
||||
goto Exit;
|
||||
@@ -2419,7 +2423,7 @@ VerifyTimeBasedPayload (
|
||||
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
|
||||
RootCert = Cert->SignatureData;
|
||||
RootCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);
|
||||
|
||||
|
||||
// Verify Pkcs7 SignedData via Pkcs7Verify library.
|
||||
//
|
||||
VerifyStatus = Pkcs7Verify (
|
||||
@@ -2469,4 +2473,3 @@ Exit:
|
||||
&CertData->TimeStamp
|
||||
);
|
||||
}
|
||||
|
||||
|
Reference in New Issue
Block a user