From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 85D5D81ECD for ; Sat, 21 Jan 2017 17:25:58 -0800 (PST) Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga103.jf.intel.com with ESMTP; 21 Jan 2017 17:25:58 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.33,266,1477983600"; d="scan'208";a="56722951" Received: from fmsmsx107.amr.corp.intel.com ([10.18.124.205]) by fmsmga006.fm.intel.com with ESMTP; 21 Jan 2017 17:25:58 -0800 Received: from fmsmsx158.amr.corp.intel.com (10.18.116.75) by fmsmsx107.amr.corp.intel.com (10.18.124.205) with Microsoft SMTP Server (TLS) id 14.3.248.2; Sat, 21 Jan 2017 17:25:57 -0800 Received: from shsmsx151.ccr.corp.intel.com (10.239.6.50) by fmsmsx158.amr.corp.intel.com (10.18.116.75) with Microsoft SMTP Server (TLS) id 14.3.248.2; Sat, 21 Jan 2017 17:25:57 -0800 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.88]) by SHSMSX151.ccr.corp.intel.com ([169.254.3.204]) with mapi id 14.03.0248.002; Sun, 22 Jan 2017 09:25:54 +0800 From: "Zeng, Star" To: "Zhang, Chao B" , "edk2-devel@lists.01.org" CC: "Yao, Jiewen" , "Zeng, Star" Thread-Topic: [edk2] [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic Thread-Index: AQHSchLfWMGl0Xl2906JEg2ORkbLp6FDuHmw Date: Sun, 22 Jan 2017 01:25:53 +0000 Message-ID: <0C09AFA07DD0434D9E2A0C6AEB0483103B818BE5@shsmsx102.ccr.corp.intel.com> References: <20170119051359.14044-1-chao.b.zhang@intel.com> In-Reply-To: <20170119051359.14044-1-chao.b.zhang@intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Jan 2017 01:25:58 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Chao, I will leave the review for this patch to Jiewen since I am not so familiar= with the code logic. Thanks, Star -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhan= g, Chao B Sent: Thursday, January 19, 2017 1:14 PM To: edk2-devel@lists.01.org Cc: Zhang, Chao B ; Yao, Jiewen ; Zeng, Star ; yao.jiewen@intel.com Subject: [edk2] [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update= PCR[7] measure logic Update PCR[7] measure logic according to TCG PC Client PFP 00.37. Only entries in DB that is used for image authentication need to be measure= d. http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_P= latform_Profile_for_TPM_2p0_Systems_v21.pdf Cc: Star Zeng Cc: Yao Jiewen Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 10 ++++++= +--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificati= onLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL= ib.c index 7b7e6af..e28e106 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLi +++ b.c @@ -12,7 +12,7 @@ DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() functi= on will accept untrusted PE/COFF image and validate its data structure within this imag= e buffer before use. =20 -Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
(C) Copyright 2016 Hewlett Packard Enterprise Development LP
This pro= gram and the accompanying materials are licensed and made available under = the terms and conditions of the BSD License @@ -1026,7 +1026,12 @@ IsSignat= ureFoundInDatabase ( // Find the signature in database. // IsFound =3D TRUE; - SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, Ce= rtList->SignatureSize, Cert); + // + // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to vali= date image should be measured + // + if (StrCmp(VariableName, EFI_IMAGE_SECURITY_DATABASE) =3D=3D 0) = { + SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, = CertList->SignatureSize, Cert); + } break; } =20 @@ -1309,7 +1314,6 @@ IsForbiddenByDbx ( mImageDigestSize ); if (IsForbidden) { - SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurity= DatabaseGuid, CertList->SignatureSize, CertData); DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed bu= t signature is forbidden by DBX.\n")); goto Done; } -- 1.9.5.msysgit.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel