Use container format for key hash store
This patch converted key hash store in SBL image into container format. In this way unified data structure can be used to simplify code. Signed-off-by: Maurice Ma <maurice.ma@intel.com>
This commit is contained in:
parent
745555ede5
commit
0311566858
|
@ -31,7 +31,6 @@ extern EFI_GUID gFlashMapInfoGuid;
|
|||
#define FLASH_MAP_SIG_SPI_IAS2 SIGNATURE_32 ('I', 'A', 'S', '2')
|
||||
#define FLASH_MAP_SIG_FWUPDATE SIGNATURE_32 ('F', 'W', 'U', 'P')
|
||||
#define FLASH_MAP_SIG_CFGDATA SIGNATURE_32 ('C', 'N', 'F', 'G')
|
||||
#define FLASH_MAP_SIG_KEYHASH SIGNATURE_32 ('K', 'E', 'Y', 'H')
|
||||
#define FLASH_MAP_SIG_BLRESERVED SIGNATURE_32 ('R', 'S', 'V', 'D')
|
||||
#define FLASH_MAP_SIG_EMPTY SIGNATURE_32 ('E', 'M', 'T', 'Y')
|
||||
#define FLASH_MAP_SIG_UNKNOWN SIGNATURE_32 ('U', 'N', 'K', 'N')
|
||||
|
|
|
@ -31,6 +31,7 @@ typedef UINT8 AUTH_TYPE;
|
|||
#define CONTAINER_OEM_BASE_SIGNATURE SIGNATURE_32 ('O', 'E', 'M', 0)
|
||||
#define CONTAINER_BOOT_SIGNATURE SIGNATURE_32 ('B', 'O', 'O', 'T')
|
||||
#define CONTAINER_MONO_SIGN_SIGNATURE SIGNATURE_32 ('_', 'S', 'G', '_')
|
||||
#define CONTAINER_KEY_HASH_STORE_SIGNATURE SIGNATURE_32 ('K', 'E', 'Y', 'H')
|
||||
|
||||
// Flags for CONTAINER_HDR
|
||||
#define CONTAINER_HDR_FLAG_MONO_SIGNING BIT0
|
||||
|
|
|
@ -335,11 +335,11 @@ GetContainerKeyUsageBySig (
|
|||
{
|
||||
UINT8 Idx;
|
||||
|
||||
if (ContainerSig == CONTAINER_BOOT_SIGNATURE) {
|
||||
if (ContainerSig == CONTAINER_KEY_HASH_STORE_SIGNATURE) {
|
||||
return HASH_USAGE_PUBKEY_MASTER;
|
||||
} else if (ContainerSig == CONTAINER_BOOT_SIGNATURE) {
|
||||
return HASH_USAGE_PUBKEY_OS;
|
||||
}
|
||||
|
||||
if ((ContainerSig & 0x00FFFFFF) == CONTAINER_OEM_BASE_SIGNATURE) {
|
||||
} else if ((ContainerSig & 0x00FFFFFF) == CONTAINER_OEM_BASE_SIGNATURE) {
|
||||
Idx = (ContainerSig >> 24) - '0';
|
||||
if (Idx < 8) {
|
||||
return HASH_USAGE_PUBKEY_OEM (Idx);
|
||||
|
|
|
@ -127,58 +127,25 @@ AppendHashStore (
|
|||
{
|
||||
EFI_STATUS Status;
|
||||
HASH_STORE_TABLE *LdrKeyHashBlob;
|
||||
HASH_STORE_TABLE *OemKeyHashBlob;
|
||||
HASH_STORE_TABLE *OemKeyHashComp;
|
||||
UINT32 OemKeyHashCompBase;
|
||||
UINT32 OemKeyHashUsedLength;
|
||||
INT32 KeyHashSize;
|
||||
UINT8 AuthInfo[SIGNATURE_AND_KEY_SIZE_MAX];
|
||||
SIGNATURE_HDR *SignHdr;
|
||||
PUB_KEY_HDR *PubKeyHdr;
|
||||
UINT8 *OemKeyHashBlob;
|
||||
UINT32 OemKeyHashLen;
|
||||
HASH_ALG_TYPE MbHashType;
|
||||
|
||||
|
||||
Status = GetComponentInfo (FLASH_MAP_SIG_KEYHASH, &OemKeyHashCompBase, NULL);
|
||||
if (EFI_ERROR(Status)) {
|
||||
return EFI_NOT_FOUND;
|
||||
}
|
||||
|
||||
// Check used length before copying to temporary memory
|
||||
OemKeyHashComp = (HASH_STORE_TABLE *)(UINTN)OemKeyHashCompBase;
|
||||
// Request to load at the end of current hash store in memory
|
||||
LdrKeyHashBlob = (HASH_STORE_TABLE *)(UINTN)LdrGlobal->HashStorePtr;
|
||||
OemKeyHashUsedLength = OemKeyHashComp->UsedLength;
|
||||
if (OemKeyHashUsedLength > LdrKeyHashBlob->TotalLength - LdrKeyHashBlob->UsedLength) {
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
// Copy to temporary memory
|
||||
OemKeyHashBlob = (HASH_STORE_TABLE *)((UINT8 *)LdrKeyHashBlob + LdrKeyHashBlob->UsedLength);
|
||||
CopyMem (OemKeyHashBlob, (UINT8 *)OemKeyHashComp, OemKeyHashUsedLength);
|
||||
OemKeyHashBlob = (UINT8 *)LdrKeyHashBlob + LdrKeyHashBlob->UsedLength;
|
||||
OemKeyHashLen = LdrKeyHashBlob->TotalLength - LdrKeyHashBlob->UsedLength;
|
||||
|
||||
// Check the header length
|
||||
KeyHashSize = OemKeyHashUsedLength - OemKeyHashBlob->HeaderLength;
|
||||
if (KeyHashSize <= 0) {
|
||||
return EFI_UNSUPPORTED;
|
||||
Status = LoadComponent ( CONTAINER_KEY_HASH_STORE_SIGNATURE,
|
||||
HASH_STORE_SIGNATURE,
|
||||
(VOID **)&OemKeyHashBlob, &OemKeyHashLen );
|
||||
UnregisterContainer (CONTAINER_KEY_HASH_STORE_SIGNATURE);
|
||||
if (EFI_ERROR(Status)) {
|
||||
// Not really necessary, but keep buffer clean
|
||||
ZeroMem (OemKeyHashBlob, OemKeyHashLen);
|
||||
return Status;
|
||||
}
|
||||
|
||||
// Copy anthentication info to stack
|
||||
if (!FeaturePcdGet (PcdVerifiedBootEnabled)) {
|
||||
Status = EFI_SUCCESS;
|
||||
} else {
|
||||
CopyMem (AuthInfo, (UINT8 *)OemKeyHashComp + OemKeyHashUsedLength, sizeof(AuthInfo));
|
||||
SignHdr = (SIGNATURE_HDR *) AuthInfo;
|
||||
PubKeyHdr = (PUB_KEY_HDR *)((UINT8 *)SignHdr + sizeof(SIGNATURE_HDR) + SignHdr->SigSize);
|
||||
Status = DoRsaVerify ((UINT8 *)OemKeyHashBlob,
|
||||
OemKeyHashBlob->UsedLength,
|
||||
HASH_USAGE_PUBKEY_MASTER,
|
||||
SignHdr, PubKeyHdr,
|
||||
PcdGet8(PcdCompSignHashAlg),
|
||||
NULL,
|
||||
Stage1bParam->KeyHashManifestHash);
|
||||
}
|
||||
if (EFI_ERROR (Status)) {
|
||||
Stage1bParam->KeyHashManifestHashValid = 0;
|
||||
return EFI_SECURITY_VIOLATION;
|
||||
}
|
||||
|
||||
if (MEASURED_BOOT_ENABLED()) {
|
||||
//Convert Measured boot Hash Mask to HASH_ALG_TYPE (CryptoLib)
|
||||
|
@ -192,7 +159,7 @@ AppendHashStore (
|
|||
Status = GetHashToExtend (COMP_TYPE_INVALID,
|
||||
MbHashType,
|
||||
(UINT8 *) OemKeyHashBlob,
|
||||
OemKeyHashBlob->UsedLength,
|
||||
OemKeyHashLen,
|
||||
Stage1bParam->KeyHashManifestHash);
|
||||
if (Status == EFI_SUCCESS) {
|
||||
Stage1bParam->KeyHashManifestHashValid = 1;
|
||||
|
@ -200,10 +167,7 @@ AppendHashStore (
|
|||
}
|
||||
}
|
||||
|
||||
// Append hash to the end and adjust used length
|
||||
CopyMem ((UINT8 *)OemKeyHashBlob, (UINT8 *)OemKeyHashBlob + OemKeyHashBlob->HeaderLength, KeyHashSize);
|
||||
LdrKeyHashBlob->UsedLength += KeyHashSize;
|
||||
|
||||
LdrKeyHashBlob->UsedLength += OemKeyHashLen;
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
|
|
|
@ -367,7 +367,7 @@ def adjust_hash_type (pub_key_file):
|
|||
|
||||
def gen_pub_key_hash_store (signing_key, pub_key_hash_list, hash_alg, sign_scheme, pub_key_dir, out_file):
|
||||
# Build key hash blob
|
||||
key_hash_buf = bytearray (HashStoreTable())
|
||||
key_hash_buf = bytearray ()
|
||||
idx = 0
|
||||
for usage, key_file in pub_key_hash_list:
|
||||
pub_key_file = os.path.dirname(out_file) + '/PUBKEY%02d.bin' % idx
|
||||
|
@ -380,15 +380,20 @@ def gen_pub_key_hash_store (signing_key, pub_key_hash_list, hash_alg, sign_schem
|
|||
key_hash_entry.DigestLen = len(hash_data)
|
||||
key_hash_buf.extend (bytearray(key_hash_entry) + hash_data)
|
||||
idx += 1
|
||||
hash_store_table = HashStoreTable.from_buffer(key_hash_buf)
|
||||
hash_store_table.UsedLength = len(key_hash_buf)
|
||||
hash_store_table.TotalLength = hash_store_table.UsedLength
|
||||
gen_file_from_object (out_file, key_hash_buf)
|
||||
|
||||
# Sign the key hash
|
||||
if signing_key:
|
||||
rsa_sign_file (signing_key, None, hash_alg, sign_scheme, out_file, out_file + '.sig', True, True)
|
||||
shutil.copy(out_file + '.sig', out_file)
|
||||
key_store_bin_file = out_file + '.raw'
|
||||
gen_file_from_object (key_store_bin_file, key_hash_buf)
|
||||
|
||||
key_store_cnt_file = os.path.basename(out_file)
|
||||
key_store_bin_file = os.path.basename(key_store_bin_file)
|
||||
|
||||
key_type = get_key_type(signing_key)
|
||||
sign_scheme = sign_scheme[sign_scheme.index("_")+1:]
|
||||
auth_type = key_type + '_' + sign_scheme + '_' + hash_alg
|
||||
hash_store = [('KEYH', key_store_cnt_file, '', auth_type, signing_key, 0x10, 0)]
|
||||
hash_store.append ((HashStoreTable.HASH_STORE_SIGNATURE.decode(), key_store_bin_file, '', hash_alg, '', 0x10, 0))
|
||||
out_dir = os.path.dirname(out_file)
|
||||
gen_container_bin ([hash_store], out_dir, out_dir, '', '')
|
||||
|
||||
|
||||
def gen_ias_file (rel_file_path, file_space, out_file):
|
||||
|
|
Loading…
Reference in New Issue