sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SecurityPkg/DxeImageVerificationLib: Add DEBUG messages for image verification failures

Browse Source 
Add DEBUG messages in DxeImageerificationLib to help debug Secure Boot image verification failures

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Cinnamon Shia <cinnamon.shia@hpe.com>
Reviewed-by: Samer EL-Haj-Mahmoud <elhaj@hpe.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
This commit is contained in:
Cinnamon Shia
2016-05-13 12:24:59 +08:00
committed by Zhang, Chao B
parent 7147077b16
commit 531c89a1ed
1 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
View File

@ -13,6 +13,7 @@
untrusted PE/COFF image and validate its data structure within this image buffer before use. untrusted PE/COFF image and validate its data structure within this image buffer before use.
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR> Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -71,6 +72,8 @@ HASH_TABLE mHash[] = {
{ L"SHA512", 64, &mHashOidValue[32], 9, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final} { L"SHA512", 64, &mHashOidValue[32], 9, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final}
}; };
EFI_STRING mHashTypeStr;
/** /**
SecureBoot Hook for processing image verification. SecureBoot Hook for processing image verification.
@ -340,6 +343,7 @@ HashPeImage (
return FALSE; return FALSE;
} }
mHashTypeStr = mHash[HashAlg].Name;
CtxSize = mHash[HashAlg].GetContextSize(); CtxSize = mHash[HashAlg].GetContextSize();
HashCtx = AllocatePool (CtxSize); HashCtx = AllocatePool (CtxSize);
@ -1303,6 +1307,7 @@ IsForbiddenByDbx (
); );
if (IsForbidden) { if (IsForbidden) {
SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, CertData); SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, CertData);
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is forbidden by DBX.\n"));
goto Done; goto Done;
} }
@ -1361,6 +1366,7 @@ IsForbiddenByDbx (
// //
continue; continue;
} }
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature failed the timestamp check.\n"));
goto Done; goto Done;
} }
@ -1476,9 +1482,12 @@ IsAllowedByDb (
if (IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime)) { if (IsCertHashFoundInDatabase (RootCert, RootCertSize, (EFI_SIGNATURE_LIST *)DbxData, DbxDataSize, &RevocationTime)) {
// //
// Check the timestamp signature and signing time to determine if the image can be trusted. // Check the timestamp signature and signing time to determine if the RootCert can be trusted.
// //
VerifyStatus = PassTimestampCheck (AuthData, AuthDataSize, &RevocationTime); VerifyStatus = PassTimestampCheck (AuthData, AuthDataSize, &RevocationTime);
if (!VerifyStatus) {
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed and signature is accepted by DB, but its root cert failed the timestamp check.\n"));
}
} }
goto Done; goto Done;
@ -1679,6 +1688,7 @@ DxeImageVerificationHandler (
// //
// The information can't be got from the invalid PeImage // The information can't be got from the invalid PeImage
// //
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: PeImage invalid. Cannot retrieve image information.\n"));
goto Done; goto Done;
} }
@ -1702,6 +1712,7 @@ DxeImageVerificationHandler (
// //
// It is not a valid Pe/Coff file. // It is not a valid Pe/Coff file.
// //
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Not a valid PE/COFF image.\n"));
goto Done; goto Done;
} }
@ -1747,6 +1758,7 @@ DxeImageVerificationHandler (
// and not be reflected in the security data base "dbx". // and not be reflected in the security data base "dbx".
// //
if (!HashPeImage (HASHALG_SHA256)) { if (!HashPeImage (HASHALG_SHA256)) {
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Failed to hash this image using %s.\n", mHashTypeStr));
goto Done; goto Done;
} }
@ -1754,6 +1766,7 @@ DxeImageVerificationHandler (
// //
// Image Hash is in forbidden database (DBX). // Image Hash is in forbidden database (DBX).
// //
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is forbidden by DBX.\n", mHashTypeStr));
goto Done; goto Done;
} }
@ -1767,6 +1780,7 @@ DxeImageVerificationHandler (
// //
// Image Hash is not found in both forbidden and allowed database. // Image Hash is not found in both forbidden and allowed database.
// //
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is not signed and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
goto Done; goto Done;
} }
@ -1846,11 +1860,14 @@ DxeImageVerificationHandler (
// //
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) { if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, mImageDigest, &mCertType, mImageDigestSize)) {
Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND; Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but %s hash of image is found in DBX.\n", mHashTypeStr));
VerifyStatus = EFI_ACCESS_DENIED; VerifyStatus = EFI_ACCESS_DENIED;
break; break;
} else if (EFI_ERROR (VerifyStatus)) { } else if (EFI_ERROR (VerifyStatus)) {
if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) { if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE, mImageDigest, &mCertType, mImageDigestSize)) {
VerifyStatus = EFI_SUCCESS; VerifyStatus = EFI_SUCCESS;
} else {
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and %s hash of image is not found in DB/DBX.\n", mHashTypeStr));
} }
} }
} }