From 159151b6649008793d6204a34d7b9c41221fb4b0 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Tue, 3 May 2022 17:05:20 -0400
Subject: [PATCH 6/6] Also avoid CVE-2022-28737 in verify_image()
PR 446 ("Add verify_image") duplicates some of the code affected by Chris Coulson's defense in depth patch against CVE-2022-28737 ("pe: Perform image verification earlier when loading grub"). This patch makes the same change to the new function.
Signed-off-by: Peter Jones
---
 pe.c | 46 +++++++++++++++++++++++++++-------------------
 1 file changed, 27 insertions(+), 19 deletions(-)
diff --git a/pe.c b/pe.c
index 1d120f2d78d..ba3e2bbc444 100644
--- a/pe.c
+++ b/pe.c
@@ -1038,26 +1038,9 @@ EFI_STATUS verify_image(void *data, unsigned int datasize,
 }
 /*
- * We only need to verify the binary if we're in secure mode
+ * Perform the image verification before we start copying data around
+ * in order to load it.
 */
- efi_status = generate_hash(data, datasize, context, sha256hash,
- sha1hash);
- if (EFI_ERROR(efi_status))
- return efi_status;
-
- /* Measure the binary into the TPM */
-#ifdef REQUIRE_TPM
- efi_status =
-#endif
- tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize,
- (EFI_PHYSICAL_ADDRESS)(UINTN)context->ImageAddress,
- li->FilePath, sha1hash, 4);
-#ifdef REQUIRE_TPM
- if (efi_status != EFI_SUCCESS) {
- return efi_status;
- }
-#endif
-
 if (secure_mode()) {
 efi_status = verify_buffer(data, datasize, context, sha256hash, sha1hash);
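Review bot: The replacement comment above `if (secure_mode())` no longer says that verification only runs in secure mode, which the removed comment did state. Its wording about "copying data around in order to load it" also appears to be carried over from the image-loading path; in the lines visible here verify_image() only verifies, hashes and measures. Something like `/* In secure mode, verify the image before it is hashed and measured for the TPM. */` would describe what the code below actually does. The function body starts before this hunk and continues past it.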
@@ -1071,6 +1054,31 @@ EFI_STATUS verify_image(void *data, unsigned int datasize,
 console_print(L"Verification succeeded\n");
 }
+ /*
+ * Calculate the hash for the TPM measurement.
+ * XXX: We're computing these twice in secure boot mode when the
+ * buffers already contain the previously computed hashes. Also,
+ * this is only useful for the TPM1.2 case. We should try to fix
+ * this in a follow-up.
+ */
+ efi_status = generate_hash(data, datasize, context, sha256hash,
+ sha1hash);
+ if (EFI_ERROR(efi_status))
+ return efi_status;
+
+ /* Measure the binary into the TPM */
+#ifdef REQUIRE_TPM
+ efi_status =
+#endif
+ tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize,
+ (EFI_PHYSICAL_ADDRESS)(UINTN)context->ImageAddress,
+ li->FilePath, sha1hash, 4);
+#ifdef REQUIRE_TPM
+ if (efi_status != EFI_SUCCESS) {
+ return efi_status;
+ }
+#endif
+
 return EFI_SUCCESS;
 }
-- 
2.35.1
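Review bot: Without `REQUIRE_TPM`, the result of `tpm_log_pe()` in the added block is dropped and the function still returns `EFI_SUCCESS`, so a failed measurement passes silently for anyone relying on the event log for attestation. If that best-effort behaviour is intended, say so next to the call, e.g. `/* Best effort unless REQUIRE_TPM: a measurement failure does not block the caller */`. Because the measurement now sits after the secure-mode check, an image that fails verification returns before it is measured; that looks deliberate, but the comment should state it so log consumers do not expect an entry for rejected images. The literal `4` passed as the last argument is presumably the PCR index and would read better as a named constant.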