From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 10E1281E69 for ; Wed, 18 Jan 2017 21:14:03 -0800 (PST) Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga104.jf.intel.com with ESMTP; 18 Jan 2017 21:14:02 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.33,252,1477983600"; d="scan'208";a="55673689" Received: from czhan46-mobl1.ccr.corp.intel.com ([10.239.192.166]) by fmsmga006.fm.intel.com with ESMTP; 18 Jan 2017 21:14:01 -0800 From: "Zhang, Chao B" To: edk2-devel@lists.01.org Cc: yao.jiewen@intel.com, star.zeng@intel.com, Yao Jiewen , Chao Zhang Date: Thu, 19 Jan 2017 13:13:57 +0800 Message-Id: <20170119051359.14044-1-chao.b.zhang@intel.com> X-Mailer: git-send-email 2.11.0.windows.1 Subject: [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jan 2017 05:14:03 -0000 Update PCR[7] measure logic according to TCG PC Client PFP 00.37. Only entries in DB that is used for image authentication need to be measured. http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf Cc: Star Zeng Cc: Yao Jiewen Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index 7b7e6af..e28e106 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -12,7 +12,7 @@ DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept untrusted PE/COFF image and validate its data structure within this image buffer before use. -Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
(C) Copyright 2016 Hewlett Packard Enterprise Development LP
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -1026,7 +1026,12 @@ IsSignatureFoundInDatabase ( // Find the signature in database. // IsFound = TRUE; - SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert); + // + // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to validate image should be measured + // + if (StrCmp(VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) { + SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert); + } break; } @@ -1309,7 +1314,6 @@ IsForbiddenByDbx ( mImageDigestSize ); if (IsForbidden) { - SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, CertData); DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is forbidden by DBX.\n")); goto Done; } -- 1.9.5.msysgit.1