scrub seed and rpmb key passed to TOS

To reduce the risk of seed and rpmb key leak, scrub seed and rpmb key passed to TOS after TOS loaded. Signed-off-by: JianFeng,Zhou <[email protected]>
intel · May 14, 2020 · 7735f69 · 7735f69
1 parent 70a38c2
commit 7735f69
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/libkernelflinger/trusty_efi.c b/libkernelflinger/trusty_efi.c
@@ -32,6 +32,7 @@
 #include <efiapi.h>
 #include <efilib.h>
 #include <uefi_utils.h>
+#include <openssl/crypto.h>
 
 #include "vars.h"
 #include "lib.h"
@@ -381,7 +382,6 @@ static EFI_STATUS start_tos_image(IN VOID *bootimage)
                         (UINTN)load_base + tos_header->entry_offset);
         debug(L"Call TOS loader entry_addr = 0x%x", call_entry);
         tos_ret = call_entry(startup_info_v2);
-
         if (tos_ret) {
                 efi_perror(tos_ret, L"Load and start Trusty OS failed");
                 ret = EFI_INVALID_PARAMETER;
@@ -390,6 +390,8 @@ static EFI_STATUS start_tos_image(IN VOID *bootimage)
         debug(L"TOS launch succeeded!");
 
 cleanup:
+        OPENSSL_cleanse(startup_info_v2->seed_list, sizeof(startup_info_v2->seed_list));
+        OPENSSL_cleanse(startup_info_v2->rpmb_key, sizeof(startup_info_v2->rpmb_key));
         stop_bls_proto();
         if (EFI_ERROR(ret)) {
                 efi_perror(ret, L"Error has occurred!");