Use container format for key hash store

This patch converts the key hash store in the SBL image into container
format, so that a unified data structure can be used to simplify the
code.

Signed-off-by: Maurice Ma <maurice.ma@intel.com>
Maurice Ma 2020-06-15 18:26:39 -07:00
parent 745555ede5
commit 0311566858
5 changed files with 39 additions and 70 deletions


@ -31,7 +31,6 @@ extern EFI_GUID gFlashMapInfoGuid;
#define FLASH_MAP_SIG_SPI_IAS2 SIGNATURE_32 ('I', 'A', 'S', '2')
#define FLASH_MAP_SIG_FWUPDATE SIGNATURE_32 ('F', 'W', 'U', 'P')
#define FLASH_MAP_SIG_CFGDATA SIGNATURE_32 ('C', 'N', 'F', 'G')
#define FLASH_MAP_SIG_KEYHASH SIGNATURE_32 ('K', 'E', 'Y', 'H')
#define FLASH_MAP_SIG_BLRESERVED SIGNATURE_32 ('R', 'S', 'V', 'D')
#define FLASH_MAP_SIG_EMPTY SIGNATURE_32 ('E', 'M', 'T', 'Y')
#define FLASH_MAP_SIG_UNKNOWN SIGNATURE_32 ('U', 'N', 'K', 'N')


@ -28,9 +28,10 @@ typedef UINT8 AUTH_TYPE;
#define AUTH_TYPE_SIG_RSA2048_PSS_SHA256 5
#define AUTH_TYPE_SIG_RSA3072_PSS_SHA384 6
#define CONTAINER_OEM_BASE_SIGNATURE SIGNATURE_32 ('O', 'E', 'M', 0)
#define CONTAINER_BOOT_SIGNATURE SIGNATURE_32 ('B', 'O', 'O', 'T')
#define CONTAINER_MONO_SIGN_SIGNATURE SIGNATURE_32 ('_', 'S', 'G', '_')
#define CONTAINER_OEM_BASE_SIGNATURE SIGNATURE_32 ('O', 'E', 'M', 0)
#define CONTAINER_BOOT_SIGNATURE SIGNATURE_32 ('B', 'O', 'O', 'T')
#define CONTAINER_MONO_SIGN_SIGNATURE SIGNATURE_32 ('_', 'S', 'G', '_')
#define CONTAINER_KEY_HASH_STORE_SIGNATURE SIGNATURE_32 ('K', 'E', 'Y', 'H')
// Flags for CONTAINER_HDR
#define CONTAINER_HDR_FLAG_MONO_SIGNING BIT0


@ -335,11 +335,11 @@ GetContainerKeyUsageBySig (
{
UINT8 Idx;
if (ContainerSig == CONTAINER_BOOT_SIGNATURE) {
if (ContainerSig == CONTAINER_KEY_HASH_STORE_SIGNATURE) {
return HASH_USAGE_PUBKEY_MASTER;
} else if (ContainerSig == CONTAINER_BOOT_SIGNATURE) {
return HASH_USAGE_PUBKEY_OS;
}
if ((ContainerSig & 0x00FFFFFF) == CONTAINER_OEM_BASE_SIGNATURE) {
} else if ((ContainerSig & 0x00FFFFFF) == CONTAINER_OEM_BASE_SIGNATURE) {
Idx = (ContainerSig >> 24) - '0';
if (Idx < 8) {
return HASH_USAGE_PUBKEY_OEM (Idx);


@ -127,58 +127,25 @@ AppendHashStore (
{
EFI_STATUS Status;
HASH_STORE_TABLE *LdrKeyHashBlob;
HASH_STORE_TABLE *OemKeyHashBlob;
HASH_STORE_TABLE *OemKeyHashComp;
UINT32 OemKeyHashCompBase;
UINT32 OemKeyHashUsedLength;
INT32 KeyHashSize;
UINT8 AuthInfo[SIGNATURE_AND_KEY_SIZE_MAX];
SIGNATURE_HDR *SignHdr;
PUB_KEY_HDR *PubKeyHdr;
UINT8 *OemKeyHashBlob;
UINT32 OemKeyHashLen;
HASH_ALG_TYPE MbHashType;
Status = GetComponentInfo (FLASH_MAP_SIG_KEYHASH, &OemKeyHashCompBase, NULL);
if (EFI_ERROR(Status)) {
return EFI_NOT_FOUND;
}
// Check used length before copying to temporary memory
OemKeyHashComp = (HASH_STORE_TABLE *)(UINTN)OemKeyHashCompBase;
// Request to load at the end of current hash store in memory
LdrKeyHashBlob = (HASH_STORE_TABLE *)(UINTN)LdrGlobal->HashStorePtr;
OemKeyHashUsedLength = OemKeyHashComp->UsedLength;
if (OemKeyHashUsedLength > LdrKeyHashBlob->TotalLength - LdrKeyHashBlob->UsedLength) {
return EFI_OUT_OF_RESOURCES;
}
// Copy to temporary memory
OemKeyHashBlob = (HASH_STORE_TABLE *)((UINT8 *)LdrKeyHashBlob + LdrKeyHashBlob->UsedLength);
CopyMem (OemKeyHashBlob, (UINT8 *)OemKeyHashComp, OemKeyHashUsedLength);
OemKeyHashBlob = (UINT8 *)LdrKeyHashBlob + LdrKeyHashBlob->UsedLength;
OemKeyHashLen = LdrKeyHashBlob->TotalLength - LdrKeyHashBlob->UsedLength;
// Check the header length
KeyHashSize = OemKeyHashUsedLength - OemKeyHashBlob->HeaderLength;
if (KeyHashSize <= 0) {
return EFI_UNSUPPORTED;
Status = LoadComponent ( CONTAINER_KEY_HASH_STORE_SIGNATURE,
HASH_STORE_SIGNATURE,
(VOID **)&OemKeyHashBlob, &OemKeyHashLen );
UnregisterContainer (CONTAINER_KEY_HASH_STORE_SIGNATURE);
if (EFI_ERROR(Status)) {
// Not really necessary, but keep buffer clean
ZeroMem (OemKeyHashBlob, OemKeyHashLen);
return Status;
}
// Copy anthentication info to stack
if (!FeaturePcdGet (PcdVerifiedBootEnabled)) {
Status = EFI_SUCCESS;
} else {
CopyMem (AuthInfo, (UINT8 *)OemKeyHashComp + OemKeyHashUsedLength, sizeof(AuthInfo));
SignHdr = (SIGNATURE_HDR *) AuthInfo;
PubKeyHdr = (PUB_KEY_HDR *)((UINT8 *)SignHdr + sizeof(SIGNATURE_HDR) + SignHdr->SigSize);
Status = DoRsaVerify ((UINT8 *)OemKeyHashBlob,
OemKeyHashBlob->UsedLength,
HASH_USAGE_PUBKEY_MASTER,
SignHdr, PubKeyHdr,
PcdGet8(PcdCompSignHashAlg),
NULL,
Stage1bParam->KeyHashManifestHash);
}
if (EFI_ERROR (Status)) {
Stage1bParam->KeyHashManifestHashValid = 0;
return EFI_SECURITY_VIOLATION;
}
if (MEASURED_BOOT_ENABLED()) {
//Convert Measured boot Hash Mask to HASH_ALG_TYPE (CryptoLib)
@ -187,12 +154,12 @@ AppendHashStore (
if (PcdGet8(PcdCompSignHashAlg) == MbHashType) {
Stage1bParam->KeyHashManifestHashValid = 1;
} else {
// Check validition of Stage1bParam->KeyHashManifestHash generated.
// Calcluate the digest to extend if measured boot hash alg doesn't match
// Check validition of Stage1bParam->KeyHashManifestHash generated.
// Calcluate the digest to extend if measured boot hash alg doesn't match
Status = GetHashToExtend (COMP_TYPE_INVALID,
MbHashType,
(UINT8 *) OemKeyHashBlob,
OemKeyHashBlob->UsedLength,
OemKeyHashLen,
Stage1bParam->KeyHashManifestHash);
if (Status == EFI_SUCCESS) {
Stage1bParam->KeyHashManifestHashValid = 1;
@ -200,10 +167,7 @@ AppendHashStore (
}
}
// Append hash to the end and adjust used length
CopyMem ((UINT8 *)OemKeyHashBlob, (UINT8 *)OemKeyHashBlob + OemKeyHashBlob->HeaderLength, KeyHashSize);
LdrKeyHashBlob->UsedLength += KeyHashSize;
LdrKeyHashBlob->UsedLength += OemKeyHashLen;
return EFI_SUCCESS;
}
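Review bot: In the measured-boot block, the branch taken when `PcdGet8(PcdCompSignHashAlg) == MbHashType` still sets `Stage1bParam->KeyHashManifestHashValid = 1`, but the `DoRsaVerify` call that used to write `Stage1bParam->KeyHashManifestHash` appears to be removed, and nothing in the visible new code fills that buffer on this path. Unless `LoadComponent` populates it elsewhere, the digest later extended for the key hash store could be stale or zero; calling `GetHashToExtend (COMP_TYPE_INVALID, MbHashType, OemKeyHashBlob, OemKeyHashLen, Stage1bParam->KeyHashManifestHash)` unconditionally and setting the valid flag only on `EFI_SUCCESS` would close that gap. The error path after `LoadComponent` also no longer clears `KeyHashManifestHashValid`, and it hands `OemKeyHashBlob`/`OemKeyHashLen` to `ZeroMem` after the callee may have rewritten them through the in/out pointers, so the cleanup should use copies saved before the call. `LdrKeyHashBlob->UsedLength += OemKeyHashLen` likewise trusts the returned length, and a check that it does not exceed the free space computed before the call is worth adding.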


@ -367,7 +367,7 @@ def adjust_hash_type (pub_key_file):
def gen_pub_key_hash_store (signing_key, pub_key_hash_list, hash_alg, sign_scheme, pub_key_dir, out_file):
# Build key hash blob
key_hash_buf = bytearray (HashStoreTable())
key_hash_buf = bytearray ()
idx = 0
for usage, key_file in pub_key_hash_list:
pub_key_file = os.path.dirname(out_file) + '/PUBKEY%02d.bin' % idx
@ -380,15 +380,20 @@ def gen_pub_key_hash_store (signing_key, pub_key_hash_list, hash_alg, sign_schem
key_hash_entry.DigestLen = len(hash_data)
key_hash_buf.extend (bytearray(key_hash_entry) + hash_data)
idx += 1
hash_store_table = HashStoreTable.from_buffer(key_hash_buf)
hash_store_table.UsedLength = len(key_hash_buf)
hash_store_table.TotalLength = hash_store_table.UsedLength
gen_file_from_object (out_file, key_hash_buf)
# Sign the key hash
if signing_key:
rsa_sign_file (signing_key, None, hash_alg, sign_scheme, out_file, out_file + '.sig', True, True)
shutil.copy(out_file + '.sig', out_file)
key_store_bin_file = out_file + '.raw'
gen_file_from_object (key_store_bin_file, key_hash_buf)
key_store_cnt_file = os.path.basename(out_file)
key_store_bin_file = os.path.basename(key_store_bin_file)
key_type = get_key_type(signing_key)
sign_scheme = sign_scheme[sign_scheme.index("_")+1:]
auth_type = key_type + '_' + sign_scheme + '_' + hash_alg
hash_store = [('KEYH', key_store_cnt_file, '', auth_type, signing_key, 0x10, 0)]
hash_store.append ((HashStoreTable.HASH_STORE_SIGNATURE.decode(), key_store_bin_file, '', hash_alg, '', 0x10, 0))
out_dir = os.path.dirname(out_file)
gen_container_bin ([hash_store], out_dir, out_dir, '', '')
def gen_ias_file (rel_file_path, file_space, out_file):
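Review bot: `get_key_type(signing_key)` and the `auth_type` string are now always needed to build the `KEYH` container, and the rendered page does not show whether the earlier `if signing_key:` guard survives; if it was dropped, a build with an empty `signing_key` no longer has a defined outcome. Since this file is the store of trusted public-key hashes, I would fail early and explicitly, e.g. `if not signing_key: raise Exception ('signing key is required for the key hash store')`, rather than rely on whatever `get_key_type` does with an empty path. `sign_scheme[sign_scheme.index("_")+1:]` also raises a bare `ValueError` when the scheme name has no underscore. A short comment naming the positional fields of the two `hash_store` tuples (the `0x10` and `0` in particular) would help the next reader. The function's opening lines sit in the previous hunk.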