[DRAFT][WIP] SecurityPkg: DxeImageValidationLib rewrite#1809
Conversation
❌ QEMU Validation Failed
Workflow run: https://github.com/microsoft/mu_basecore/actions/runs/28398499863 This comment was automatically generated by the Mu QEMU PR Validation workflow.
Codecov Report
❌ Patch coverage is
Coverage diff (base release/202511 vs. #1809; "?" means no base figure was available):
| | release/202511 | #1809 |
|---|---|---|
| Coverage | ? | 1.09% |
| Files | ? | 1477 |
| Lines | ? | 378118 |
| Branches | ? | 4771 |
| Hits | ? | 4142 |
| Misses | ? | 373032 |
| Partials | ? | 944 |
Flags with carried forward coverage won't be shown. View full report in Codecov by Harness.
I wasn't sure about adding the AI skills to this repo. But in any case, it shouldn't be included in this PR.
c5f9a3d to 8140e11
1333d6a to a38aaf1
I checked the code with AI. It seems the code does not handle 2 cases:
I have not got a chance to review all the code yet. Maybe I am wrong. But I feel we had better have a test to cover that.
Adds an API to the BaseCryptLib library that accepts an image buffer and a hash type GUID and returns a digest buffer and size.
Adds an API to the BaseCryptLib that accepts an X.509 buffer and a hash type GUID and returns a digest buffer and size.
Adds two additional fields to PE_COFF_LOADER_IMAGE_CONTEXT: 1. `DataDirectoryRead`: An optional caller-provided callback to execute code on the given `EFI_IMAGE_DATA_DIRECTORY` 2. `DataDirectoryReadContext`: An optional caller-provided opaque pointer that can be used by `DataDirectoryRead`.
e1229cf to 1dcce3c
@jyao1 - For (1), the current implementation does not support this from my understanding. It uses Pkcs7GetSigners, but I don't believe that returns intermediates, correct? Do we have a working implementation of this for me to integrate, or a PQC Code First item requesting this feature that I can base any work off of, for this implementation? For (2), We do support checking signed images in the DBX. The flow is:
I will also be starting work on a UEFI_APPLICATION test app that will run through a list of scenarios with different image signature states and DB / DBX states.
I think we should design the test cases to ensure we cover all paths. For DB and DBX, we have 5 possible values (N/A, ImageHash, RootCert(Hash), InterCert(Hash), LeafCert(Hash)) for an image.
NOTE:
The rule is below in order:
Additional rule for multiple signature:
Additional rule for one signer:
PE/COFF image: the three "multiple signer" mechanisms
There are three structurally distinct ways a PE/COFF image can carry more than one
Reference:
BTW:
Another question: When re-writing, can you write a common ImageValidation() function, which can be used by both DxeImageVerificationLib and the Pkcs7DxeVerify driver?
@jyao1 I have added a generic UEFI application that can be compiled and run on any platform (it hooks GetVariable to provide custom DB / DBX, and has self-contained signed images). These are the current scenarios. They all pass with the implementation in this PR. Please let me know if you have any questions or want to see other scenarios.
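Following up on the scenario-matrix suggestion above (5 DB values x 5 DBX values) and the scenario app, an added example in Python that is not code from this PR: it enumerates the 25 (DB, DBX) cells, derives an expected verdict per cell, and reports which cells a scenario list misses or gets wrong. The precedence (any dbx match on the image hash or a certificate in the chain denies before db is consulted) is an assumption matching UEFI Secure Boot behaviour, not a rule stated on this page; the entry names and the sample scenario list are constructed.

```python
"""Added example, not the PR's code: enumerate the DB x DBX scenario matrix
and check a scenario list against it. Assumed precedence: a dbx hit denies,
else a db hit allows, else deny (UEFI Secure Boot behaviour, assumed here)."""
from itertools import product

# The five possible relations of one image to DB or DBX (from the comment).
VALUES = ("N/A", "ImageHash", "RootCert", "InterCert", "LeafCert")
CHAIN = ("LeafCert", "InterCert", "RootCert")  # certificate (hash) entries


def _hits(entry: str) -> bool:
    """True if a DB/DBX entry of this kind matches the image or its chain."""
    return entry == "ImageHash" or entry in CHAIN


def verdict(db_entry: str, dbx_entry: str) -> str:
    """Expected policy for one (DB, DBX) cell of the matrix."""
    if _hits(dbx_entry):
        return "DENY"        # dbx wins even if db would have allowed
    if _hits(db_entry):
        return "ALLOW"
    return "DENY"            # not authorized by db either


def scenario_matrix() -> dict:
    """All 25 (DB, DBX) cells mapped to their expected verdict."""
    return {cell: verdict(*cell) for cell in product(VALUES, VALUES)}


def check_coverage(scenarios):
    """scenarios: (db_entry, dbx_entry, expected) tuples.
    Returns (cells not exercised, scenarios whose expectation is wrong)."""
    matrix = scenario_matrix()
    covered, wrong = set(), []
    for db, dbx, expected in scenarios:
        covered.add((db, dbx))
        if matrix[(db, dbx)] != expected:
            wrong.append((db, dbx, expected, matrix[(db, dbx)]))
    missing = sorted(cell for cell in matrix if cell not in covered)
    return missing, wrong


# Constructed scenario list: incomplete, and one expectation is wrong.
SAMPLE_SCENARIOS = [
    ("N/A", "N/A", "DENY"),
    ("LeafCert", "N/A", "ALLOW"),
    ("ImageHash", "N/A", "ALLOW"),
    ("LeafCert", "ImageHash", "DENY"),
    ("RootCert", "LeafCert", "ALLOW"),  # wrong: the dbx hit must deny
]
```

Running `check_coverage(SAMPLE_SCENARIOS)` lists the 20 cells the sample set does not exercise and flags the last scenario, whose expected ALLOW contradicts the dbx-first rule.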
9b07fcd to 1e57f5e
Description
This is a complete rewrite of DxeImageValidationLib.
Please review the Scenario scoped tests found in `GoogleTest/DxeImageVerificationLibGoogleTest.cpp`.
Notable differences from original implementation:
`ALWAYS_EXECUTE`. Anything else is set to `DENY_EXECUTE_ON_SECURITY_VIOLATION` and must go through the handler. There are no longer PCDs to configure Policy for certain scenarios.
PQC Code First Status (TODOs)
- `IsCertAuthorized`
- `IsSecureBootEnabled` from `SecurityManagementLib`
- `mHashAlgorithms` and an abstraction (or union) to extract the data we care about from both.