[PATCH v2] eficonfig: EFI_VARIABLE_APPEND_WRITE is not set for null key

Tue Dec 20 15:50:48 CET 2022

On 12/20/22 10:38, Masahisa Kojima wrote:
> The signed null key with authenticated header is used to clear
> the PK, KEK, db and dbx. When CONFIG_EFI_MM_COMM_TEE is enabled
> (StMM and OP-TEE based RPMB storage is used as the EFI variable
> storage), clearing KEK, db and dbx by enrolling a signed null
> key does not work as expected if EFI_VARIABLE_APPEND_WRITE
> attritube is set.
>
> This commit checks the selected file is null key, then
> EFI_VARIABLE_APPEND_WRITE attibute will not be used for the null key.
>
> Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
> Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> ---
> Changes in v2:
> - s/size == 0/!size/
>
>   cmd/eficonfig_sbkey.c | 40 ++++++++++++++++++++++++++++++++++++++--
>   1 file changed, 38 insertions(+), 2 deletions(-)
>
> diff --git a/cmd/eficonfig_sbkey.c b/cmd/eficonfig_sbkey.c
> index 6e0bebf1d4..7fb0467543 100644
> --- a/cmd/eficonfig_sbkey.c
> +++ b/cmd/eficonfig_sbkey.c
> @@ -72,6 +72,30 @@ static bool file_have_auth_header(void *buf, efi_uintn_t size)
>   	return true;
>   }
>
> +/**
> + * file_is_null_key() - check the file is an authenticated and signed null key
> + * @auth:	pointer to the file
> + * @size:	file size
> + * @null_key:	pointer to store the result
> + * Return:	status code
> + */
> +static efi_status_t file_is_null_key(struct efi_variable_authentication_2 *auth,
> +				     efi_uintn_t size, bool *null_key)
> +{
> +	efi_status_t ret = EFI_SUCCESS;
> +
> +	if (size < (sizeof(auth->time_stamp) + auth->auth_info.hdr.dwLength))
> +		return EFI_INVALID_PARAMETER;
> +
> +	size -= (sizeof(auth->time_stamp) + auth->auth_info.hdr.dwLength);
> +	if (!size) /* No payload */
> +		*null_key = true;
> +	else
> +		*null_key = false;
> +
> +	return ret;
> +}
> +

When merging I will make this:

+static efi_status_t file_is_null_key(struct
efi_variable_authentication_2 *auth,
+                                    efi_uintn_t size, bool *null_key)
+{
+       efi_uintn_t auth_size =
+               sizeof(auth->time_stamp) + auth->auth_info.hdr.dwLength;
+
+       if (size < auth_size)
+               return EFI_INVALID_PARAMETER;
+
+       *null_key = (size == auth_size);
+
+       return EFI_SUCCESS;
+}

Looks easier to read to me.

Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>

>   /**
>    * eficonfig_process_enroll_key() - enroll key into signature database
>    *
> @@ -84,6 +108,7 @@ static efi_status_t eficonfig_process_enroll_key(void *data)
>   	char *buf = NULL;
>   	efi_uintn_t size;
>   	efi_status_t ret;
> +	bool null_key = false;
>   	struct efi_file_handle *f = NULL;
>   	struct efi_device_path *full_dp = NULL;
>   	struct eficonfig_select_file_info file_info;
> @@ -149,13 +174,24 @@ static efi_status_t eficonfig_process_enroll_key(void *data)
>   		goto out;
>   	}
>
> +	ret = file_is_null_key((struct efi_variable_authentication_2 *)buf,
> +			       size, &null_key);
> +	if (ret != EFI_SUCCESS) {
> +		eficonfig_print_msg("ERROR! Invalid file format.");
> +		goto out;
> +	}
> +
>   	attr = EFI_VARIABLE_NON_VOLATILE |
>   	       EFI_VARIABLE_BOOTSERVICE_ACCESS |
>   	       EFI_VARIABLE_RUNTIME_ACCESS |
>   	       EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
>
> -	/* PK can enroll only one certificate */
> -	if (u16_strcmp(data, u"PK")) {
> +	/*
> +	 * PK can enroll only one certificate.
> +	 * The signed null key is used to clear KEK, db and dbx.
> +	 * EFI_VARIABLE_APPEND_WRITE attribute must not be set in these cases.
> +	 */
> +	if (u16_strcmp(data, u"PK") && !null_key) {
>   		efi_uintn_t db_size = 0;
>
>   		/* check the variable exists. If exists, add APPEND_WRITE attribute */