Changeset 104829 in vbox for trunk/src/VBox/Runtime

Timestamp:

May 31, 2024 3:17:46 PM (8 months ago)

Author:

vboxsync

Message:

Runtime/efi: Deduplicate signature DB after loading and after adding entries. bugref:10699

File:

• trunk/src/VBox/Runtime/common/efi/efisignaturedb.cpp (modified) (6 diffs)

trunk/src/VBox/Runtime/common/efi/efisignaturedb.cpp

@@ -48 +48 @@
 #include <iprt/mem.h>
 #include <iprt/sg.h>
+#include <iprt/uuid.h>
 
 #include <iprt/formats/efi-signature.h>
@@ -158 +159 @@
 
 /**
- * Validates the given signature lsit header.
+ * Validates the given signature list header.
  *
  * @returns Flag whether the list header is considered valid.
@@ -266 +267 @@
 
 /**
- * Variant for written a list of signatures where each signature gets its own signature list header
+ * De-duplicate a signature database.
+ *
+ * @returns IPRT status code.
+ * @param   pThis               The signature database instance.
+ */
+static int rtEfiSigDbDeduplicate(PRTEFISIGDBINT pThis)
+{
+    /** @todo This currently deduplicates list nodes as a whole, not looking into signature lists.
+     * Good enough for the X.509 certificates which matter most to eliminate multiple enrollments. */
+    for (uint32_t i = 0; i < RT_ELEMENTS(pThis->aLstSigTypes); i++)
+    {
+        PRTEFISIGNATURE pIt, pItNext;
+        RTListForEachSafe(&pThis->aLstSigTypes[i], pIt, pItNext, RTEFISIGNATURE, NdLst)
+        {
+            PRTEFISIGNATURE pIt2;
+            RTListForEach(&pThis->aLstSigTypes[i], pIt2, RTEFISIGNATURE, NdLst)
+            {
+                /* Compare up to element before pIt. */
+                if (pIt == pIt2)
+                    break;
+                if (   pIt->cbSignature == pIt2->cbSignature
+                    && !RTUuidCompare(&pIt->UuidOwner, &pIt2->UuidOwner)
+                    && !memcmp(&pIt->abSignature[0], &pIt2->abSignature[0], pIt->cbSignature))
+                {
+                    RTListNodeRemove(&pIt->NdLst);
+                    RTMemFree(pIt);
+                    break;
+                }
+            }
+        }
+    }
+
+    return VINF_SUCCESS;
+}
+
+
+/**
+ * Variant for writing a list of signatures where each signature gets its own signature list header
  * (for types where each signature can differ in size like X.509).
  *
@@ -456 +494 @@
     }
 
+    int rc2 = rtEfiSigDbDeduplicate(pThis);
+    if (RT_SUCCESS(rc))
+        rc = rc2;
+
     return rc;
 }
@@ -492 +534 @@
     }
 
+    int rc2 = rtEfiSigDbDeduplicate(pThis);
+    if (RT_SUCCESS(rc))
+        rc = rc2;
+
     return rc;
 }
@@ -523 +569 @@
         rc = VERR_INVALID_PARAMETER;
 
+    int rc2 = rtEfiSigDbDeduplicate(pThis);
+    if (RT_SUCCESS(rc))
+        rc = rc2;
+
     return rc;
 }