eficonfig: EFI_VARIABLE_APPEND_WRITE is not set for null key

The signed null key with authenticated header is used to clear
the PK, KEK, db and dbx. When CONFIG_EFI_MM_COMM_TEE is enabled
(StMM and OP-TEE based RPMB storage is used as the EFI variable
storage), clearing KEK, db and dbx by enrolling a signed null
key does not work as expected if EFI_VARIABLE_APPEND_WRITE
attritube is set.

This commit checks the selected file is null key, then
EFI_VARIABLE_APPEND_WRITE attibute will not be used for the null key.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This commit is contained in:
Masahisa Kojima 2022-12-20 19:38:52 +09:00 committed by Heinrich Schuchardt
parent 9ba35e64fa
commit ad50ca5019

View File

@ -72,6 +72,28 @@ static bool file_have_auth_header(void *buf, efi_uintn_t size)
return true;
}
/**
* file_is_null_key() - check the file is an authenticated and signed null key
*
* @auth: pointer to the file
* @size: file size
* @null_key: pointer to store the result
* Return: status code
*/
static efi_status_t file_is_null_key(struct efi_variable_authentication_2 *auth,
efi_uintn_t size, bool *null_key)
{
efi_uintn_t auth_size =
sizeof(auth->time_stamp) + auth->auth_info.hdr.dwLength;
if (size < auth_size)
return EFI_INVALID_PARAMETER;
*null_key = (size == auth_size);
return EFI_SUCCESS;
}
/**
* eficonfig_process_enroll_key() - enroll key into signature database
*
@ -84,6 +106,7 @@ static efi_status_t eficonfig_process_enroll_key(void *data)
char *buf = NULL;
efi_uintn_t size;
efi_status_t ret;
bool null_key = false;
struct efi_file_handle *f = NULL;
struct efi_device_path *full_dp = NULL;
struct eficonfig_select_file_info file_info;
@ -149,13 +172,24 @@ static efi_status_t eficonfig_process_enroll_key(void *data)
goto out;
}
ret = file_is_null_key((struct efi_variable_authentication_2 *)buf,
size, &null_key);
if (ret != EFI_SUCCESS) {
eficonfig_print_msg("ERROR! Invalid file format.");
goto out;
}
attr = EFI_VARIABLE_NON_VOLATILE |
EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_RUNTIME_ACCESS |
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
/* PK can enroll only one certificate */
if (u16_strcmp(data, u"PK")) {
/*
* PK can enroll only one certificate.
* The signed null key is used to clear KEK, db and dbx.
* EFI_VARIABLE_APPEND_WRITE attribute must not be set in these cases.
*/
if (u16_strcmp(data, u"PK") && !null_key) {
efi_uintn_t db_size = 0;
/* check the variable exists. If exists, add APPEND_WRITE attribute */