[DRAFT][WIP] SecurityPkg: DxeImageValidationLib rewrite#1809
Conversation
⌛ QEMU Validation PendingQEMU validation is pending on successful CI completion.
This comment was automatically generated by the Mu QEMU PR Validation workflow. |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## release/202511 #1809 +/- ##
=================================================
Coverage ? 2.32%
=================================================
Files ? 1477
Lines ? 383030
Branches ? 4876
=================================================
Hits ? 8900
Misses ? 374046
Partials ? 84
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
I wasn't sure about adding the AI skills to this repo. But in any case, it shouldn't be included in this PR. |
c5f9a3d to
8140e11
Compare
1333d6a to
a38aaf1
Compare
|
I checked the code with AI. It seems the code does not handle 2 cases:
I have not got chance to review all the code yet. Maybe I am wrong. But I feel we have better have a test to cover that. |
e1229cf to
1dcce3c
Compare
@jyao1 - For (1), the current implementation does not support this from my understanding. It uses Pkcs7GetSigners, but I don't believe that returns intermediates, correct? Do we have a working implementation of this for me to integrate, or a PQC Code First item requesting this feature that I can base any work off of, for this implementation? For (2), We do support checking signed images in the DBX. The flow is:
I will also be starting work on a UEFI_APPLICATION test app that will run through a list of scenarios regarding with different image signature states and DB / DBX states. |
|
I think we should design the test cases to ensure we cover all path. For DB and DBX, we have 5 possible value (N/A, ImageHash, RootCert(Hash), InterCert(Hash), LeafCert(Hash)) for an image.
NOTE:
The rule is below in order:
Additional rule for multiple signature:
Additional rule for one signer:
PE/COFF image: the three "multiple signer" mechanisms There are three structurally distinct ways a PE/COFF image can carry more than one
Reference:
BTW: |
|
Another question: When re-write, can you write a common ImageValidation() function, which can be used by both DxeImageVerificationLib, and Pkcs7DxeVerify driver? |
|
@jyao1 I have added a generic UEFI application that can be compiled and ran on any platform (It hooks GetVariable to provide custom DB / DBX, and has self-contained signed images). These are the current scenarios. They all pass with the implementation in this PR. Please let me know if you have any questions or want to see other scenarios.
|
9b07fcd to
1e57f5e
Compare
|
According to the previous discussion, I think we need to change below cases:
|
bc77d3f to
3dd63fc
Compare
@jyao1 I am getting my self confused between the statement you just made (above) and the statement you made on June 9th (below)
In terms of test cases, is this your expectation? If so, this seems to be a drastic change from the status quo. The current implementation (and this change) currently does not track the relative-ness of two certs in a cert chain of one auth data blob. We call AuthenticodeVerify to check if the contents of a DB / DBX entry validate the particular set of auth data, but we do not know where in the chain that entry from the DB / DBX is at.
|
3dd63fc to
2177837
Compare
Adds new BaseCryptLib APIs per microsoft#1819 Signed-off-by: Doug Flick <dougflick@microsoft.com>
Adds an additional field to PE_COFF_LOADER_IMAGE_CONTEXT that is a copy of the Security Data Directory, if it exists. This field gets set when PeCoffLoaderGetImageInfo is called, if the security data directory exists. It is zerod by default.
2177837 to
0684abc
Compare
0684abc to
fb79def
Compare
Description
This is a complete rewrite of DxeImageValidationLib.
Please review the Scenario scoped tests found in
GoogleTest/DxeImageVerificationLibGoogleTest.cpp.Notable differences from original implementation:
ALWAYS_EXECUTE. Anything else is set toDENY_EXECUTE_ON_SECURITY_VIOLATIONand must go through the handler. There are no longer PCDs to configure Policy for certain scenarios.PQC Code First Status (TODOs)
IsCertAuthorizedimplements this.IsSecureBootEnabledfromSecurityManagementLibmHashAlgorithmsand an abstraction (or union) to extract the data we care about from both.