Calculate key manifest public key hashes that could be written into FPFs

Nikolaj Schlej 2022-10-09 11:24:27 +02:00
parent 7e5e02b4b4
commit 89a302e5d9
2 changed files with 37 additions and 5 deletions


@ -3766,7 +3766,7 @@ USTATUS FfsParser::parseVendorHashFile(const UByteArray & fileGuid, const UModel
} }
if (protectedRangesFound) { if (protectedRangesFound) {
securityInfo += usprintf("Phoenix hash file found at base %08Xh\nProtected ranges:", model->base(index)); securityInfo += usprintf("Phoenix hash file found at base %08Xh\nProtected ranges:\n", model->base(index));
for (UINT32 i = 0; i < header->NumEntries; i++) { for (UINT32 i = 0; i < header->NumEntries; i++) {
const PROTECTED_RANGE_VENDOR_HASH_FILE_ENTRY* entry = (const PROTECTED_RANGE_VENDOR_HASH_FILE_ENTRY*)(header + 1) + i; const PROTECTED_RANGE_VENDOR_HASH_FILE_ENTRY* entry = (const PROTECTED_RANGE_VENDOR_HASH_FILE_ENTRY*)(header + 1) + i;
securityInfo += usprintf("RelativeOffset: %08Xh Size: %Xh\nHash: ", entry->Base, entry->Size); securityInfo += usprintf("RelativeOffset: %08Xh Size: %Xh\nHash: ", entry->Base, entry->Size);
@ -3828,7 +3828,7 @@ USTATUS FfsParser::parseVendorHashFile(const UByteArray & fileGuid, const UModel
protectedRanges.push_back(range); protectedRanges.push_back(range);
} }
msg(usprintf("%s: new AMI hash file found", __FUNCTION__), fileIndex); msg(usprintf("%s: AMI hash file v2 found", __FUNCTION__), fileIndex);
} }
else if (size == sizeof(PROTECTED_RANGE_VENDOR_HASH_FILE_HEADER_AMI_V1)) { else if (size == sizeof(PROTECTED_RANGE_VENDOR_HASH_FILE_HEADER_AMI_V1)) {
securityInfo += usprintf("AMI hash file v1 found at base %08Xh\nProtected range:\n", model->base(fileIndex)); securityInfo += usprintf("AMI hash file v1 found at base %08Xh\nProtected range:\n", model->base(fileIndex));
@ -3849,7 +3849,7 @@ USTATUS FfsParser::parseVendorHashFile(const UByteArray & fileGuid, const UModel
protectedRanges.push_back(range); protectedRanges.push_back(range);
} }
msg(usprintf("%s: old AMI hash file found", __FUNCTION__), fileIndex); msg(usprintf("%s: AMI hash file v1 found", __FUNCTION__), fileIndex);
} }
else { else {
msg(usprintf("%s: unknown or corrupted AMI hash file found", __FUNCTION__), index); msg(usprintf("%s: unknown or corrupted AMI hash file found", __FUNCTION__), index);


@ -486,6 +486,22 @@ USTATUS FitParser::parseFitEntryBootGuardKeyManifest(const UByteArray & keyManif
} }
kmInfo += "\n"; kmInfo += "\n";
// Calculate the hashes of public key modulus only
// One of those hashes is what's getting written into Field Programmable Fuses
UINT8 hash[SHA384_HASH_SIZE] = {};
sha256(key_signature->public_key()->modulus().data(), key_signature->public_key()->modulus().length(), hash);
kmInfo += usprintf("Key Manifest Public Key Hash (SHA256): ");
for (UINT8 i = 0; i < SHA256_HASH_SIZE; i++) {
kmInfo += usprintf("%02X", hash[i]);
}
kmInfo += "\n";
sha384(key_signature->public_key()->modulus().data(), key_signature->public_key()->modulus().length(), hash);
kmInfo += usprintf("Key Manifest Public Key Hash (SHA384): ");
for (UINT8 i = 0; i < SHA384_HASH_SIZE; i++) {
kmInfo += usprintf("%02X", hash[i]);
}
kmInfo += "\n";
// Add Signature // Add Signature
kmInfo += UString("Key Manifest Signature: "); kmInfo += UString("Key Manifest Signature: ");
for (UINT16 i = 0; i < (UINT16)key_signature->signature()->signature().length(); i++) { for (UINT16 i = 0; i < (UINT16)key_signature->signature()->signature().length(); i++) {
@ -493,7 +509,7 @@ USTATUS FitParser::parseFitEntryBootGuardKeyManifest(const UByteArray & keyManif
kmInfo += usprintf("%02X", (UINT8)key_signature->signature()->signature().at(i)); kmInfo += usprintf("%02X", (UINT8)key_signature->signature()->signature().at(i));
} }
kmInfo += "\n"; kmInfo += "\n";
securityInfo += kmInfo + "\n"; securityInfo += kmInfo + "\n";
bgKeyManifestFound = true; bgKeyManifestFound = true;
return U_SUCCESS; return U_SUCCESS;
@ -578,6 +594,22 @@ USTATUS FitParser::parseFitEntryBootGuardKeyManifest(const UByteArray & keyManif
} }
kmInfo += "\n"; kmInfo += "\n";
// Calculate the hashes of public key modulus only
// One of those hashes is what's getting written into Field Programmable Fuses
UINT8 hash[SHA384_HASH_SIZE] = {};
sha256(key_signature->public_key()->modulus().data(), key_signature->public_key()->modulus().length(), hash);
kmInfo += usprintf("Key Manifest Public Key Hash (SHA256): ");
for (UINT8 i = 0; i < SHA256_HASH_SIZE; i++) {
kmInfo += usprintf("%02X", hash[i]);
}
kmInfo += "\n";
sha384(key_signature->public_key()->modulus().data(), key_signature->public_key()->modulus().length(), hash);
kmInfo += usprintf("Key Manifest Public Key Hash (SHA384): ");
for (UINT8 i = 0; i < SHA384_HASH_SIZE; i++) {
kmInfo += usprintf("%02X", hash[i]);
}
kmInfo += "\n";
// Add Signature // Add Signature
kmInfo += UString("Key Manifest Signature: "); kmInfo += UString("Key Manifest Signature: ");
for (UINT16 i = 0; i < (UINT16)key_signature->signature()->signature().length(); i++) { for (UINT16 i = 0; i < (UINT16)key_signature->signature()->signature().length(); i++) {
@ -585,7 +617,7 @@ USTATUS FitParser::parseFitEntryBootGuardKeyManifest(const UByteArray & keyManif
kmInfo += usprintf("%02X", (UINT8)key_signature->signature()->signature().at(i)); kmInfo += usprintf("%02X", (UINT8)key_signature->signature()->signature().at(i));
} }
kmInfo += "\n"; kmInfo += "\n";
securityInfo += kmInfo + "\n"; securityInfo += kmInfo + "\n";
bgKeyManifestFound = true; bgKeyManifestFound = true;
return U_SUCCESS; return U_SUCCESS;
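Review bot: The hash block added at `@ -486` is repeated verbatim at `@ -578`, so the two key-manifest branches can drift apart in what they hash or print; a file-local helper that takes the modulus and appends both digests to `kmInfo` would keep them identical. `hash` is declared with `SHA384_HASH_SIZE` but first receives the SHA256 digest, which is only safe because the buffer is sized for the larger of the two, and that deserves a comment at the declaration. The existing comment could also say that these values are computed from the image being parsed, so they only mean something once compared with the FPF value read from the platform itself. Both enclosing functions start and end outside the visible hunks, and the helper below assumes `kmInfo` is a `UString`.

```cpp
// Appends the SHA256 and SHA384 digests of the public key modulus to info.
// The digests come from the parsed image; they are candidates to compare with
// the value fused into the platform's FPFs, not proof that the key is trusted.
static void appendPublicKeyHashes(UString & info, const void* modulus, size_t modulusSize)
{
    // Sized for the larger digest so that one buffer serves both algorithms
    UINT8 hash[SHA384_HASH_SIZE] = {};

    sha256(modulus, modulusSize, hash);
    info += usprintf("Key Manifest Public Key Hash (SHA256): ");
    for (UINT8 i = 0; i < SHA256_HASH_SIZE; i++) {
        info += usprintf("%02X", hash[i]);
    }
    info += "\n";

    sha384(modulus, modulusSize, hash);
    info += usprintf("Key Manifest Public Key Hash (SHA384): ");
    for (UINT8 i = 0; i < SHA384_HASH_SIZE; i++) {
        info += usprintf("%02X", hash[i]);
    }
    info += "\n";
}

// … unchanged: public key printing above …
// In both parseFitEntryBootGuardKeyManifest branches, in place of the repeated block:
appendPublicKeyHashes(kmInfo, key_signature->public_key()->modulus().data(), key_signature->public_key()->modulus().length());
// … unchanged: "Add Signature" block …
```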