[Release/202302] SecurityPkg: SECURITY PATCH 4117 - 4118 CVE-2022-367…
…63 (#225)

# Preface

## Description

Security Patches for CVE-2022-36763 for release/202302

- [ ] Impacts functionality?
- [X] Impacts security?
  - **Security** - Patches CVE-2022-36763
- [ ] Breaking change?
- [X] Includes tests?
  - **Tests** -  Unit tests
- [ ] Includes documentation?

## How This Was Tested

These have been shipping in MSFT firmware for months now and have been
unit tested.

## Integration Instructions

N/A

---------

Co-authored-by: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Flickdm and Douglas Flick [MSFT] authored Jan 25, 2024
1 parent 52b018f commit a385922
Showing 15 changed files with 1,793 additions and 51 deletions.
79 changes: 47 additions & 32 deletions SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c
Expand Up @@ -20,6 +20,8 @@ Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/

#include <PiDxe.h>
Expand All @@ -46,6 +48,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/HobLib.h>
#include <Protocol/CcMeasurement.h>

#include "DxeTpm2MeasureBootLibSanitization.h"

typedef struct {
EFI_TCG2_PROTOCOL *Tcg2Protocol;
EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol;
Expand Down Expand Up @@ -147,10 +151,11 @@ Tcg2MeasureGptTable (
EFI_TCG2_EVENT *Tcg2Event;
EFI_CC_EVENT *CcEvent;
EFI_GPT_DATA *GptData;
UINT32 EventSize;
UINT32 TcgEventSize;
EFI_TCG2_PROTOCOL *Tcg2Protocol;
EFI_CC_MEASUREMENT_PROTOCOL *CcProtocol;
EFI_CC_MR_INDEX MrIndex;
UINT32 AllocSize;

if (mTcg2MeasureGptCount > 0) {
return EFI_SUCCESS;
Expand Down Expand Up @@ -198,25 +203,22 @@ Tcg2MeasureGptTable (
BlockIo->Media->BlockSize,
(UINT8 *)PrimaryHeader
);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "Failed to Read Partition Table Header!\n"));
if (EFI_ERROR (Status) || EFI_ERROR (Tpm2SanitizeEfiPartitionTableHeader (PrimaryHeader, BlockIo))) {
DEBUG ((DEBUG_ERROR, "Failed to read Partition Table Header or invalid Partition Table Header!\n"));
FreePool (PrimaryHeader);
return EFI_DEVICE_ERROR;
}

//
// PrimaryHeader->SizeOfPartitionEntry should not be zero
// Read the partition entry.
//
if (PrimaryHeader->SizeOfPartitionEntry == 0) {
DEBUG ((DEBUG_ERROR, "SizeOfPartitionEntry should not be zero!\n"));
Status = Tpm2SanitizePrimaryHeaderAllocationSize (PrimaryHeader, &AllocSize);
if (EFI_ERROR (Status)) {
FreePool (PrimaryHeader);
return EFI_BAD_BUFFER_SIZE;
}

//
// Read the partition entry.
//
EntryPtr = (UINT8 *)AllocatePool (PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry);
EntryPtr = (UINT8 *)AllocatePool (AllocSize);
if (EntryPtr == NULL) {
FreePool (PrimaryHeader);
return EFI_OUT_OF_RESOURCES;
Expand All @@ -226,7 +228,7 @@ Tcg2MeasureGptTable (
DiskIo,
BlockIo->Media->MediaId,
MultU64x32 (PrimaryHeader->PartitionEntryLBA, BlockIo->Media->BlockSize),
PrimaryHeader->NumberOfPartitionEntries * PrimaryHeader->SizeOfPartitionEntry,
AllocSize,
EntryPtr
);
if (EFI_ERROR (Status)) {
Expand All @@ -251,16 +253,21 @@ Tcg2MeasureGptTable (
//
// Prepare Data for Measurement (CcProtocol and Tcg2Protocol)
//
EventSize = (UINT32)(sizeof (EFI_GPT_DATA) - sizeof (GptData->Partitions)
+ NumberOfPartition * PrimaryHeader->SizeOfPartitionEntry);
EventPtr = (UINT8 *)AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
Status = Tpm2SanitizePrimaryHeaderGptEventSize (PrimaryHeader, NumberOfPartition, &TcgEventSize);
if (EFI_ERROR (Status)) {
FreePool (PrimaryHeader);
FreePool (EntryPtr);
return EFI_DEVICE_ERROR;
}

EventPtr = (UINT8 *)AllocateZeroPool (TcgEventSize);
if (EventPtr == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Exit;
}

Tcg2Event = (EFI_TCG2_EVENT *)EventPtr;
Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event);
Tcg2Event->Size = TcgEventSize;
Tcg2Event->Header.HeaderSize = sizeof (EFI_TCG2_EVENT_HEADER);
Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
Tcg2Event->Header.PCRIndex = 5;
Expand Down Expand Up @@ -313,7 +320,7 @@ Tcg2MeasureGptTable (
CcProtocol,
0,
(EFI_PHYSICAL_ADDRESS)(UINTN)(VOID *)GptData,
(UINT64)EventSize,
(UINT64)TcgEventSize - OFFSET_OF (EFI_TCG2_EVENT, Event),
CcEvent
);
if (!EFI_ERROR (Status)) {
Expand All @@ -329,7 +336,7 @@ Tcg2MeasureGptTable (
Tcg2Protocol,
0,
(EFI_PHYSICAL_ADDRESS)(UINTN)(VOID *)GptData,
(UINT64)EventSize,
(UINT64)TcgEventSize - OFFSET_OF (EFI_TCG2_EVENT, Event),
Tcg2Event
);
if (!EFI_ERROR (Status)) {
Expand Down Expand Up @@ -374,7 +381,6 @@ Tcg2MeasureGptTable (
@retval EFI_OUT_OF_RESOURCES No enough resource to measure image.
@retval EFI_UNSUPPORTED ImageType is unsupported or PE image is mal-format.
@retval other error value
**/
EFI_STATUS
EFIAPI
Expand All @@ -401,6 +407,7 @@ Tcg2MeasurePeImage (
Status = EFI_UNSUPPORTED;
ImageLoad = NULL;
EventPtr = NULL;
Tcg2Event = NULL;

Tcg2Protocol = MeasureBootProtocols->Tcg2Protocol;
CcProtocol = MeasureBootProtocols->CcProtocol;
Expand All @@ -416,18 +423,22 @@ Tcg2MeasurePeImage (
}

FilePathSize = (UINT32)GetDevicePathSize (FilePath);
Status = Tpm2SanitizePeImageEventSize (FilePathSize, &EventSize);
if (EFI_ERROR (Status)) {
return EFI_UNSUPPORTED;
}

//
// Determine destination PCR by BootPolicy
//
EventSize = sizeof (*ImageLoad) - sizeof (ImageLoad->DevicePath) + FilePathSize;
EventPtr = AllocateZeroPool (EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event));
// from a malicious GPT disk partition
EventPtr = AllocateZeroPool (EventSize);
if (EventPtr == NULL) {
return EFI_OUT_OF_RESOURCES;
}

Tcg2Event = (EFI_TCG2_EVENT *)EventPtr;
Tcg2Event->Size = EventSize + sizeof (EFI_TCG2_EVENT) - sizeof (Tcg2Event->Event);
Tcg2Event->Size = EventSize;
Tcg2Event->Header.HeaderSize = sizeof (EFI_TCG2_EVENT_HEADER);
Tcg2Event->Header.HeaderVersion = EFI_TCG2_EVENT_HEADER_VERSION;
ImageLoad = (EFI_IMAGE_LOAD_EVENT *)Tcg2Event->Event;
Expand All @@ -446,11 +457,13 @@ Tcg2MeasurePeImage (
Tcg2Event->Header.PCRIndex = 2;
break;
default:
DEBUG ((
DEBUG_ERROR,
"Tcg2MeasurePeImage: Unknown subsystem type %d",
ImageType
));
DEBUG (
(
DEBUG_ERROR,
"Tcg2MeasurePeImage: Unknown subsystem type %d",
ImageType
)
);
goto Finish;
}

Expand Down Expand Up @@ -652,12 +665,14 @@ DxeTpm2MeasureBootHandler (
return EFI_SUCCESS;
}

DEBUG ((
DEBUG_INFO,
"Tcg2Protocol = %p, CcMeasurementProtocol = %p\n",
MeasureBootProtocols.Tcg2Protocol,
MeasureBootProtocols.CcProtocol
));
DEBUG (
(
DEBUG_INFO,
"Tcg2Protocol = %p, CcMeasurementProtocol = %p\n",
MeasureBootProtocols.Tcg2Protocol,
MeasureBootProtocols.CcProtocol
)
);

//
// Copy File Device Path
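Review bot: In Tcg2MeasurePeImage the device-path size is narrowed with `(UINT32)GetDevicePathSize (FilePath)` before `Tpm2SanitizePeImageEventSize` runs, so the new overflow check only ever sees the already-truncated value. GetDevicePathSize returns a UINTN, so on a 64-bit build a size above MAX_UINT32 would wrap silently; such a path may be unreachable in practice, but the conversion can be made checked with the SafeIntLib this commit already links, e.g. `Status = SafeUintnToUint32 (GetDevicePathSize (FilePath), &FilePathSize);` followed by the same `EFI_UNSUPPORTED` return on error. The comment line `// from a malicious GPT disk partition` above `AllocateZeroPool (EventSize)` reads like a leftover fragment under the unrelated "Determine destination PCR by BootPolicy" header; I would replace it with `// EventSize was range-checked by Tpm2SanitizePeImageEventSize above.` The function body starts and ends outside this hunk, so the declared type of FilePathSize is inferred from the cast.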
Expand Up @@ -37,6 +37,8 @@

[Sources]
DxeTpm2MeasureBootLib.c
DxeTpm2MeasureBootLibSanitization.c
DxeTpm2MeasureBootLibSanitization.h

[Packages]
MdePkg/MdePkg.dec
Expand All @@ -46,6 +48,7 @@

[LibraryClasses]
BaseMemoryLib
SafeIntLib
DebugLib
MemoryAllocationLib
DevicePathLib
Expand All @@ -66,4 +69,3 @@
gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES
gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
gEfiDiskIoProtocolGuid ## SOMETIMES_CONSUMES
