CryptoPkg: Add DxeImageVerification Rewrite Support#1819
Draft
Flickdm wants to merge 6 commits into
Conversation
❌ QEMU Validation Failed
Source Dependencies
Results
Workflow run: https://github.com/microsoft/mu_basecore/actions/runs/27377089683
This comment was automatically generated by the Mu QEMU PR Validation workflow.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files:
@@ Coverage Diff @@
##          release/202511    #1819   +/-   ##
=================================================
Coverage                 ?    1.78%
=================================================
Files                    ?      479
Lines                    ?   139220
Branches                 ?     2593
=================================================
Hits                     ?     2490
Misses                   ?   136699
Partials                 ?       31
Add the GetAuthenticodeHash() function to the BaseCryptLib API for computing PE/COFF Authenticode-style image hashes. The function returns EFI_STATUS and selects the digest algorithm by signature-type GUID (gEfiCertSha1Guid, gEfiCertSha256Guid, gEfiCertSha384Guid, gEfiCertSha512Guid).

This change covers only the API surface, the BaseCryptLibNull stub, and the BaseCryptLibOnOneCrypto shim. The OneCrypto protocol is bumped to v1.1 and the new GetAuthenticodeHash protocol entry is appended at the end of ONE_CRYPTO_PROTOCOL so existing v1.0 consumers remain compatible. The shim uses CALL_CRYPTO_SERVICE with a minimum protocol version of 1.1 and returns EFI_UNSUPPORTED on older providers.

Real implementations live in the OneCrypto provider repository (OpensslPkg / MbedTlsPkg / OneCryptoBin).

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add the GetTrustAnchorX509FromAuthData() and FreeTrustAnchorX509Cache() functions to the BaseCryptLib API. Given a PKCS#7 SignedData blob and a TBSCertificate digest, the new function returns the matching X.509 certificate as a newly allocated DER buffer. The hash algorithm is selected by the supplied digest size (SHA-1 / SHA-256 / SHA-384 / SHA-512). An optional caller-managed cache (allocated on first call, released by FreeTrustAnchorX509Cache) memoizes per-certificate TBS digests so repeated lookups against the same AuthData do not re-hash.

This change covers only the API surface, the BaseCryptLibNull stubs, the OneCrypto v1.1 protocol typedefs and slots, and the BaseCryptLibOnOneCrypto shims. The shims use CALL_CRYPTO_SERVICE / CALL_VOID_CRYPTO_SERVICE with a minimum protocol version of 1.1 and return EFI_UNSUPPORTED on older providers.

Real implementations live in the OneCrypto provider repository (OpensslPkg / MbedTlsPkg / OneCryptoBin).

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add an end-to-end host-side unit test suite that verifies the new GetTrustAnchorX509FromAuthData() and FreeTrustAnchorX509Cache() APIs against a hand-built minimal PKCS#7 SignedData blob. The tests construct a SignedData container at runtime around a known X.509 certificate, compute the expected TBSCertificate digest with the public BaseCryptLib hash primitives, and assert that the function returns the matching certificate.

Coverage includes:
- SHA-1, SHA-256, SHA-384, and SHA-512 lookups
- Bare SignedData and ContentInfo wrapper encodings
- Wrong-hash returns EFI_NOT_FOUND
- NULL / zero-size / unsupported-size parameter validation
- Truncated AuthData rejection
- Cache reuse across back-to-back calls + free
- FreeTrustAnchorX509Cache(NULL) safety

The tests depend only on public BaseCryptLib API and exercise the real OpenSSL- and MbedTLS-backed implementations through the shared TestBaseCryptLibHost.inf host application.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add the GetAuthenticodeHashAlgorithm interface to the BaseCryptLib public header, the OneCrypto protocol, the BaseCryptLibNull stub, and the BaseCryptLibOnOneCrypto dispatch shim. The function parses an Authenticode PKCS#7 SignedData blob's embedded SpcIndirectDataContent (OID 1.3.6.1.4.1.311.2.1.4) and returns the signature-type GUID identifying the digest algorithm the signer used, so callers can hash the image with the matching algorithm via GetAuthenticodeHash().

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add a host- and platform-runnable BaseCryptLib unit test suite that builds minimal Authenticode PKCS#7 SignedData blobs and asserts that GetAuthenticodeHashAlgorithm() recovers the correct signature-type GUID for SHA-1/256/384/512, and rejects bad parameters, truncated input, wrong content-type OIDs, and unsupported digest algorithms. Register the suite in both the host (TestBaseCryptLibHost.inf) and platform (BaseCryptLibUnitTestApp.inf) test apps.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
Add the X509GetTbsCertHash() BaseCryptLib interface, which extracts the TBSCertificate from a DER-encoded X.509 certificate and returns its digest under a caller-selected hash algorithm. Declare the public API, add the ONE_CRYPTO_X509_GET_TBS_CERT_HASH protocol entry, the BaseCryptLibNull stub, and the BaseCryptLibOnOneCrypto dispatch shim. Add provider-independent unit tests covering all four digest sizes, bad parameters, unsupported algorithms, and malformed certificates.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
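As an added example (not mu_basecore or BaseCryptLib code), a Python sketch of the two pieces the commits above describe: X509GetTbsCertHash()-style extraction and hashing of the TBSCertificate with the algorithm chosen by digest size, and a GetTrustAnchorX509FromAuthData()-style lookup with a memoizing cache. The DER walker, the function names, the None-for-error convention and the certificate-shaped sample blobs are all constructed for illustration, and the lookup walks a plain list of certificates instead of a PKCS#7 SignedData blob.

```python
import hashlib
# Digest size -> hash, the selection rule the commit messages give (SHA-1/256/384/512).
HASH_BY_SIZE = {20: "sha1", 32: "sha256", 48: "sha384", 64: "sha512"}

def der_read_tlv(buf, offset=0):
    """Return (tag, value_start, value_end) of the TLV at offset; ValueError if malformed."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[offset], buf[offset + 1], offset + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, pos, pos + length

def x509_get_tbs_cert_hash(cert_der, digest_size):
    """Digest of the whole TBSCertificate TLV; None stands in for EFI_INVALID_PARAMETER."""
    algo = HASH_BY_SIZE.get(digest_size)
    if algo is None:
        return None
    try:
        tag, start, end = der_read_tlv(cert_der)              # outer Certificate SEQUENCE
        tbs_tag, _, tbs_end = der_read_tlv(cert_der, start)   # first element: TBSCertificate
    except ValueError:
        return None
    if tag != 0x30 or tbs_tag != 0x30 or tbs_end > end:
        return None
    return hashlib.new(algo, cert_der[start:tbs_end]).digest()

def get_trust_anchor(certs, tbs_digest, cache):
    """Return the cert whose TBS digest matches; cache memoizes per-cert digests."""
    for cert in certs:
        key = (cert, len(tbs_digest))
        if key not in cache:  # repeated lookups against the same certs do not re-hash
            cache[key] = x509_get_tbs_cert_hash(cert, len(tbs_digest))
        if cache[key] is not None and cache[key] == tbs_digest:
            return cert
    return None

# Constructed samples (Certificate-shaped DER, not real certificates).
TBS_A = b"\x30\x06\x02\x01\x01\x04\x01A"       # SEQUENCE { INTEGER 1, OCTET STRING "A" }
TBS_B = b"\x30\x06\x02\x01\x02\x04\x01B"
SIG_ALG = b"\x30\x03\x06\x01\x2b"              # signatureAlgorithm: SEQUENCE { OID 1.3 }
CERT_A = b"\x30\x11" + TBS_A + SIG_ALG + b"\x03\x02\x00\x11"   # signatureValue BIT STRING
CERT_A2 = b"\x30\x11" + TBS_A + SIG_ALG + b"\x03\x02\x00\x22"  # same TBS, different signature
CERT_B = b"\x30\x11" + TBS_B + SIG_ALG + b"\x03\x02\x00\x33"
```

Because only the TBSCertificate is hashed, CERT_A and CERT_A2 yield the same digest while CERT_B does not, and a truncated or non-SEQUENCE blob is rejected rather than hashed.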
Description
In order to support the DxeImageVerification rewrite, this PR is tracking
Add more needed
How This Was Tested
Unit Test
Integration Instructions
N/A