From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <star.zeng@intel.com>
Received: from mga03.intel.com (mga03.intel.com [134.134.136.65])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 85D5D81ECD
 for <edk2-devel@lists.01.org>; Sat, 21 Jan 2017 17:25:58 -0800 (PST)
Received: from fmsmga006.fm.intel.com ([10.253.24.20])
 by orsmga103.jf.intel.com with ESMTP; 21 Jan 2017 17:25:58 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.33,266,1477983600"; d="scan'208";a="56722951"
Received: from fmsmsx107.amr.corp.intel.com ([10.18.124.205])
 by fmsmga006.fm.intel.com with ESMTP; 21 Jan 2017 17:25:58 -0800
Received: from fmsmsx158.amr.corp.intel.com (10.18.116.75) by
 fmsmsx107.amr.corp.intel.com (10.18.124.205) with Microsoft SMTP Server (TLS)
 id 14.3.248.2; Sat, 21 Jan 2017 17:25:57 -0800
Received: from shsmsx151.ccr.corp.intel.com (10.239.6.50) by
 fmsmsx158.amr.corp.intel.com (10.18.116.75) with Microsoft SMTP Server (TLS)
 id 14.3.248.2; Sat, 21 Jan 2017 17:25:57 -0800
Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.88]) by
 SHSMSX151.ccr.corp.intel.com ([169.254.3.204]) with mapi id 14.03.0248.002;
 Sun, 22 Jan 2017 09:25:54 +0800
From: "Zeng, Star" <star.zeng@intel.com>
To: "Zhang, Chao B" <chao.b.zhang@intel.com>, "edk2-devel@lists.01.org"
 <edk2-devel@lists.01.org>
CC: "Yao, Jiewen" <jiewen.yao@intel.com>, "Zeng, Star" <star.zeng@intel.com>
Thread-Topic: [edk2] [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib:
 Update PCR[7] measure logic
Thread-Index: AQHSchLfWMGl0Xl2906JEg2ORkbLp6FDuHmw
Date: Sun, 22 Jan 2017 01:25:53 +0000
Message-ID: <0C09AFA07DD0434D9E2A0C6AEB0483103B818BE5@shsmsx102.ccr.corp.intel.com>
References: <20170119051359.14044-1-chao.b.zhang@intel.com>
In-Reply-To: <20170119051359.14044-1-chao.b.zhang@intel.com>
Accept-Language: zh-CN, en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jan 2017 01:25:58 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Chao,

I will leave the review for this patch to Jiewen since I am not so familiar=
 with the code logic.

Thanks,
Star
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhan=
g, Chao B
Sent: Thursday, January 19, 2017 1:14 PM
To: edk2-devel@lists.01.org
Cc: Zhang, Chao B <chao.b.zhang@intel.com>; Yao, Jiewen <jiewen.yao@intel.c=
om>; Zeng, Star <star.zeng@intel.com>; yao.jiewen@intel.com
Subject: [edk2] [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update=
 PCR[7] measure logic

Update PCR[7] measure logic according to TCG PC Client PFP 00.37.
Only entries in DB that is used for image authentication need to be measure=
d.
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_P=
latform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
 .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c  | 10 ++++++=
+---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati=
onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL=
ib.c
index 7b7e6af..e28e106 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLi
+++ b.c
@@ -12,7 +12,7 @@
   DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() functi=
on will accept
   untrusted PE/COFF image and validate its data structure within this imag=
e buffer before use.
=20
-Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>  This pro=
gram and the accompanying materials  are licensed and made available under =
the terms and conditions of the BSD License @@ -1026,7 +1026,12 @@ IsSignat=
ureFoundInDatabase (
           // Find the signature in database.
           //
           IsFound =3D TRUE;
-          SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, Ce=
rtList->SignatureSize, Cert);
+          //
+          // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to vali=
date image should be measured
+          //
+          if (StrCmp(VariableName, EFI_IMAGE_SECURITY_DATABASE) =3D=3D 0) =
{
+            SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, =
CertList->SignatureSize, Cert);
+          }
           break;
         }
=20
@@ -1309,7 +1314,6 @@ IsForbiddenByDbx (
                         mImageDigestSize
                         );
         if (IsForbidden) {
-          SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurity=
DatabaseGuid, CertList->SignatureSize, CertData);
           DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed bu=
t signature is forbidden by DBX.\n"));
           goto Done;
         }
--
1.9.5.msysgit.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel