From: "Zhang, Chao B" <chao.b.zhang@intel.com>
To: edk2-devel@lists.01.org
Cc: yao.jiewen@intel.com, star.zeng@intel.com,
Yao Jiewen <jiewen.yao@intel.com>,
Chao Zhang <chao.b.zhang@intel.com>
Subject: [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic
Date: Thu, 19 Jan 2017 13:13:57 +0800 [thread overview]
Message-ID: <20170119051359.14044-1-chao.b.zhang@intel.com> (raw)
Update PCR[7] measure logic according to TCG PC Client PFP 00.37.
Only entries in DB that is used for image authentication need to be
measured.
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf
Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
.../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 7b7e6af..e28e106 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -12,7 +12,7 @@
DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
untrusted PE/COFF image and validate its data structure within this image buffer before use.
-Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -1026,7 +1026,12 @@ IsSignatureFoundInDatabase (
// Find the signature in database.
//
IsFound = TRUE;
- SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert);
+ //
+ // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to validate image should be measured
+ //
+ if (StrCmp(VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) {
+ SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert);
+ }
break;
}
@@ -1309,7 +1314,6 @@ IsForbiddenByDbx (
mImageDigestSize
);
if (IsForbidden) {
- SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, CertData);
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is forbidden by DBX.\n"));
goto Done;
}
--
1.9.5.msysgit.1
next reply other threads:[~2017-01-19 5:14 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-19 5:13 Zhang, Chao B [this message]
2017-01-19 5:13 ` [PATCH V2 2/3] SecurityPkg: Tcg2Dxe: Measure DBT into PCR[7] Zhang, Chao B
2017-01-22 1:22 ` Zeng, Star
2017-01-22 2:03 ` Yao, Jiewen
2017-01-19 5:13 ` [PATCH V2 3/3] MdeModulePkg: Variable: Update PCR[7] measure for new TCG spec Zhang, Chao B
2017-01-22 1:19 ` Zeng, Star
2017-01-22 2:20 ` Yao, Jiewen
2017-01-22 1:25 ` [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic Zeng, Star
2017-01-22 2:04 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170119051359.14044-1-chao.b.zhang@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox