Ping. Can I get a review and/or some comments on this patch, please?
Thanks,
-Jan
Jan Bobek writes:
> Based on whether the DER-encoded ContentInfo structure is present in
> authenticated SetVariable payload or not, the SHA-256 OID can be
> located at different places.
>
> UEFI specification explicitly states the driver shall support both
> cases, but the old code assumed ContentInfo was not present and
> incorrectly rejected authenticated variable updates when it were
> present.
>
> Cc: Jiewen Yao <jiewen....@intel.com>
> Cc: Jian J Wang <jian.j.w...@intel.com>
> Cc: Min Xu <min.m...@intel.com>
> Signed-off-by: Jan Bobek <jbo...@nvidia.com>
> ---
> .../Library/AuthVariableLib/AuthService.c | 18 +++++++++++-------
> 1 file changed, 11 insertions(+), 7 deletions(-)
>
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> index 054ee4d1d988..de8baccab410 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> @@ -1933,15 +1933,19 @@ VerifyTimeBasedPayload (
> // .... }
> // The DigestAlgorithmIdentifiers can be used to determine the hash
> algorithm
> // in VARIABLE_AUTHENTICATION_2 descriptor.
> - // This field has the fixed offset (+13) and be calculated based on two
> bytes of length encoding.
> + // This field has the fixed offset (+13) or (+32) based on whether the
> DER-encoded
> + // ContentInfo structure is present or not, and can be calculated based
> on two
> + // bytes of length encoding.
> //
> if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) !=
> 0) {
> - if (SigDataSize >= (13 + sizeof (mSha256OidValue))) {
> - if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) ||
> - (CompareMem (SigData + 13, &mSha256OidValue, sizeof
> (mSha256OidValue)) != 0))
> - {
> - return EFI_SECURITY_VIOLATION;
> - }
> + if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue)))
> + && ( ((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
> + || (CompareMem (SigData + 13, &mSha256OidValue, sizeof
> (mSha256OidValue)) != 0)))
> + && ( (SigDataSize >= (32 + sizeof (mSha256OidValue)))
> + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)
> + || (CompareMem (SigData + 32, &mSha256OidValue, sizeof
> (mSha256OidValue)) != 0))))
> + {
> + return EFI_SECURITY_VIOLATION;
> }
> }
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#97323): https://edk2.groups.io/g/devel/message/97323
Mute This Topic: https://groups.io/mt/95419835/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
