public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Sukerkar, Amol N" <amol.n.sukerkar@intel.com>
To: devel@edk2.groups.io
Subject: [PATCH v1 1/6] SecurityPkg/BaseHashLib: Implement a unified API for Hash Calculation
Date: Wed, 18 Dec 2019 14:32:31 -0700	[thread overview]
Message-ID: <20191218213236.1563-2-amol.n.sukerkar@intel.com> (raw)
In-Reply-To: <20191218213236.1563-1-amol.n.sukerkar@intel.com>

This implementation eliminates the need to use hard-coded API to calculate hash
by PEI and DXE drivers by introducing a common and unified API for hash
calculation.

The common API will execute the hash algorithm specified by the PCD,
PcdSystemHashPolicy.

Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
 SecurityPkg/Library/BaseHashLib/BaseHashLib.c      | 236 ++++++++++++++++++++
 SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c   |  62 +++++
 SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c   |  62 +++++
 SecurityPkg/Include/Library/HashLib.h              |  83 +++++++
 SecurityPkg/Library/BaseHashLib/BaseHashLib.h      |  85 +++++++
 SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf |  49 ++++
 SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni |  18 ++
 SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf |  50 +++++
 SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni |  18 ++
 SecurityPkg/SecurityPkg.dec                        |  28 +++
 SecurityPkg/SecurityPkg.dsc                        |   4 +
 SecurityPkg/SecurityPkg.uni                        |  23 ++
 12 files changed, 718 insertions(+)

diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.c b/SecurityPkg/Library/BaseHashLib/BaseHashLib.c
new file mode 100644
index 000000000000..2ad83387799d
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLib.c
@@ -0,0 +1,236 @@
+/** @file
+  Implement image verification services for secure boot service
+
+  Caution: This file requires additional review when modified.
+  This library will have external input - PE/COFF image.
+  This external input must be validated carefully to avoid security issue like
+  buffer overflow, integer overflow.
+
+  DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
+  read is within the image buffer.
+
+  DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
+  untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution.  The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashLib.h>
+
+//#include "BaseHashLib.h"
+
+typedef struct {
+  EFI_GUID  Guid;
+  UINT32    Mask;
+} HASH_MASK;
+
+HASH_MASK mHashMask[] = {
+  {HASH_ALGORITHM_SHA1_GUID,         HASH_ALG_SHA1},
+  {HASH_ALGORITHM_SHA256_GUID,       HASH_ALG_SHA256},
+  {HASH_ALGORITHM_SHA384_GUID,       HASH_ALG_SHA384},
+  {HASH_ALGORITHM_SHA512_GUID,       HASH_ALG_SHA512},
+};
+
+HASH_INTERFACE_UNIFIED_API mHashOps[HASH_COUNT] = {{{0}, NULL, NULL, NULL}};
+
+UINTN mHashInterfaceCount = 0;
+UINT32 mCurrentHashMask = 0;
+
+UINT32
+EFIAPI
+GetApiHashMaskFromAlgo (
+  IN EFI_GUID  *HashGuid
+  )
+{
+  UINTN  Index;
+
+  for (Index = 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index++) {
+    if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) {
+      return mHashMask[Index].Mask;
+    }
+  }
+  return 0;
+}
+
+/**
+  Init hash sequence.
+
+  @param HashHandle Hash handle.
+
+  @retval EFI_SUCCESS          Hash start and HashHandle returned.
+  @retval EFI_UNSUPPORTED      System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiInit (
+  OUT  HASH_HANDLE   *HashHandle
+)
+{
+  HASH_HANDLE    *HashCtx;
+  UINTN   Index;
+  UINT32  HashMask;
+
+  if (mHashInterfaceCount == 0) {
+    return EFI_UNSUPPORTED;
+  }
+
+  HashCtx = AllocatePool (sizeof(*HashCtx));
+  ASSERT (HashCtx != NULL);
+
+  for (Index = 0; Index < mHashInterfaceCount; Index++) {
+    HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
+    if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
+        (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
+      mHashOps[Index].HashInit (HashCtx);
+    }
+  }
+
+  *HashHandle = (HASH_HANDLE)HashCtx;
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Update hash data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval EFI_SUCCESS          Hash updated.
+  @retval EFI_UNSUPPORTED      System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiUpdate (
+  IN HASH_HANDLE    HashHandle,
+  IN VOID           *DataToHash,
+  IN UINTN          DataToHashLen
+)
+{
+  HASH_HANDLE  *HashCtx;
+  UINTN        Index;
+  UINT32       HashMask;
+
+  if (mHashInterfaceCount == 0) {
+    return EFI_UNSUPPORTED;
+  }
+
+  HashCtx = (HASH_HANDLE *)HashHandle;
+
+  for (Index = 0; Index < mHashInterfaceCount; Index++) {
+    HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
+    if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
+        (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
+      mHashOps[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen);
+    }
+  }
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Hash complete.
+
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval EFI_SUCCESS     Hash complete and Digest is returned.
+**/
+EFI_STATUS
+EFIAPI
+HashApiFinal (
+  IN  HASH_HANDLE HashHandle,
+  OUT UINT8       *Digest
+)
+{
+  HASH_HANDLE  *HashCtx;
+  UINTN        Index;
+  UINT32       HashMask;
+
+  if (mHashInterfaceCount == 0) {
+    return EFI_UNSUPPORTED;
+  }
+
+  HashCtx = (HASH_HANDLE *)HashHandle;
+
+  for (Index = 0; Index < mHashInterfaceCount; Index++) {
+    HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
+    if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
+        (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
+      mHashOps[Index].HashFinal (HashCtx[0], &Digest);
+    }
+  }
+
+  return EFI_SUCCESS;
+}
+
+/**
+  This service registers Hash Interface.
+
+  @param HashInterface  Hash interface
+
+  @retval EFI_SUCCESS          This hash interface is registered successfully.
+  @retval EFI_UNSUPPORTED      System does not support register this interface.
+  @retval EFI_ALREADY_STARTED  System already register this interface.
+**/
+EFI_STATUS
+EFIAPI
+RegisterHashApiLib (
+  IN HASH_INTERFACE_UNIFIED_API   *HashInterface
+  )
+{
+  EFI_STATUS  Status;
+  UINTN       Index;
+  UINT32      HashMask;
+
+  //
+  // Check Allow
+  //
+  HashMask = GetApiHashMaskFromAlgo (&HashInterface->HashGuid);
+
+  // check if Hash Mask is supported
+  if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {
+    return EFI_UNSUPPORTED;
+  }
+
+  if (mHashInterfaceCount >= sizeof(mHashOps)/sizeof(mHashOps[0])) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  //
+  // Check duplication
+  //
+  for (Index = 0; Index < mHashInterfaceCount; Index++) {
+    if (CompareGuid (&mHashOps[Index].HashGuid, &HashInterface->HashGuid)) {
+      DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been registered\n", &HashInterface->HashGuid));
+      return EFI_ALREADY_STARTED;
+    }
+  }
+
+  //
+  // Register the Hash Algo.
+  //
+  mCurrentHashMask = PcdGet32 (PcdHashAlgorithmBitmap) | HashMask;
+  Status = PcdSet32S (PcdHashAlgorithmBitmap, mCurrentHashMask);
+  ASSERT_EFI_ERROR (Status);
+
+  CopyMem (&mHashOps[mHashInterfaceCount], HashInterface, sizeof(*HashInterface));
+  mHashInterfaceCount ++;
+
+  return EFI_SUCCESS;
+}
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
new file mode 100644
index 000000000000..5de94d80fad5
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
@@ -0,0 +1,62 @@
+/** @file
+  Implement image verification services for secure boot service
+
+  Caution: This file requires additional review when modified.
+  This library will have external input - PE/COFF image.
+  This external input must be validated carefully to avoid security issue like
+  buffer overflow, integer overflow.
+
+  DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
+  read is within the image buffer.
+
+  DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
+  untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution.  The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashLib.h>
+
+#include "BaseHashLib.h"
+
+/**
+  The constructor function of BaseHashLib Dxe.
+
+  @param  FileHandle   The handle of FFS header the loaded driver.
+  @param  PeiServices  The pointer to the PEI services.
+
+  @retval EFI_SUCCESS           The constructor executes successfully.
+  @retval EFI_OUT_OF_RESOURCES  There is no enough resource for the constructor.
+
+**/
+EFI_STATUS
+EFIAPI
+BaseHashLibApiPeiConstructor (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  EFI_STATUS    Status;
+
+  //
+  // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module.
+  //
+  Status = PcdSet32S (PcdHashAlgorithmBitmap, 0);
+  ASSERT_EFI_ERROR (Status);
+
+  return EFI_SUCCESS;
+}
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
new file mode 100644
index 000000000000..8ffe356b60e7
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
@@ -0,0 +1,62 @@
+/** @file
+  Implement image verification services for secure boot service
+
+  Caution: This file requires additional review when modified.
+  This library will have external input - PE/COFF image.
+  This external input must be validated carefully to avoid security issue like
+  buffer overflow, integer overflow.
+
+  DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
+  read is within the image buffer.
+
+  DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
+  untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution.  The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashLib.h>
+
+#include "BaseHashLib.h"
+
+/**
+  The constructor function of BaseHashLib Pei.
+
+  @param  FileHandle   The handle of FFS header the loaded driver.
+  @param  PeiServices  The pointer to the PEI services.
+
+  @retval EFI_SUCCESS           The constructor executes successfully.
+  @retval EFI_OUT_OF_RESOURCES  There is no enough resource for the constructor.
+
+**/
+EFI_STATUS
+EFIAPI
+BaseHashLibApiPeiConstructor (
+  IN EFI_PEI_FILE_HANDLE        FileHandle,
+  IN CONST EFI_PEI_SERVICES     **PeiServices
+  )
+{
+  EFI_STATUS    Status;
+
+  //
+  // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module.
+  //
+  Status = PcdSet32S (PcdHashAlgorithmBitmap, 0);
+  ASSERT_EFI_ERROR (Status);
+
+  return EFI_SUCCESS;
+}
\ No newline at end of file
diff --git a/SecurityPkg/Include/Library/HashLib.h b/SecurityPkg/Include/Library/HashLib.h
index 6ad960ad70ee..740cb8188e51 100644
--- a/SecurityPkg/Include/Library/HashLib.h
+++ b/SecurityPkg/Include/Library/HashLib.h
@@ -87,6 +87,53 @@ HashAndExtend (
   OUT TPML_DIGEST_VALUES            *DigestList
   );
 
+/**
+  Init hash sequence.
+
+  @param HashHandle Hash handle.
+
+  @retval EFI_SUCCESS          Hash start and HashHandle returned.
+  @retval EFI_UNSUPPORTED      System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiInit (
+  OUT  HASH_HANDLE   *HashHandle
+);
+
+/**
+  Update hash data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval EFI_SUCCESS          Hash updated.
+  @retval EFI_UNSUPPORTED      System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiUpdate (
+  IN HASH_HANDLE    HashHandle,
+  IN VOID           *DataToHash,
+  IN UINTN          DataToHashLen
+);
+
+/**
+  Hash complete.
+
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval EFI_SUCCESS     Hash complete and Digest is returned.
+**/
+EFI_STATUS
+EFIAPI
+HashApiFinal (
+  IN  HASH_HANDLE HashHandle,
+  OUT UINT8       *Digest
+);
+
 /**
   Start hash sequence.
 
@@ -133,6 +180,21 @@ EFI_STATUS
   OUT TPML_DIGEST_VALUES *DigestList
   );
 
+/**
+  Hash complete.
+
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval EFI_SUCCESS     Hash complete and Digest is returned.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *HASH_FINAL_EX) (
+  IN  HASH_HANDLE      HashHandle,
+  OUT UINT8            **Digest
+  );
+
 #define HASH_ALGORITHM_SHA1_GUID    EFI_HASH_ALGORITHM_SHA1_GUID
 #define HASH_ALGORITHM_SHA256_GUID  EFI_HASH_ALGORITHM_SHA256_GUID
 #define HASH_ALGORITHM_SHA384_GUID  EFI_HASH_ALGORITHM_SHA384_GUID
@@ -149,6 +211,13 @@ typedef struct {
   HASH_FINAL                         HashFinal;
 } HASH_INTERFACE;
 
+typedef struct {
+  EFI_GUID                           HashGuid;
+  HASH_INIT                          HashInit;
+  HASH_UPDATE                        HashUpdate;
+  HASH_FINAL_EX                      HashFinal;
+} HASH_INTERFACE_UNIFIED_API;
+
 /**
   This service register Hash.
 
@@ -164,4 +233,18 @@ RegisterHashInterfaceLib (
   IN HASH_INTERFACE   *HashInterface
   );
 
+/**
+  This service registers Hash Interface.
+
+  @param HashInterface  Hash interface
+
+  @retval EFI_SUCCESS          This hash interface is registered successfully.
+  @retval EFI_UNSUPPORTED      System does not support register this interface.
+  @retval EFI_ALREADY_STARTED  System already register this interface.
+**/
+EFI_STATUS
+EFIAPI
+RegisterHashApiLib (
+  IN HASH_INTERFACE_UNIFIED_API *HashInterface
+);
 #endif
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.h b/SecurityPkg/Library/BaseHashLib/BaseHashLib.h
new file mode 100644
index 000000000000..70676c1716c3
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLib.h
@@ -0,0 +1,85 @@
+/** @file
+  The internal header file includes the common header files, defines
+  internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution.  The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_H_
+#define __BASEHASHLIB_H_
+
+#define HASH_ALGO_COUNT 7
+
+//
+// Hash Algorithms
+//
+#define HASH_ALG_SHA1    0x00000001
+#define HASH_ALG_SHA256  0x00000002
+#define HASH_ALG_SHA384  0x00000004
+#define HASH_ALG_SHA512  0x00000008
+#define HASH_ALG_SM3_256 0x00000010
+#if 0
+typedef 
+UINTN
+(EFIAPI *GET_HASH_CTX_SIZE) (
+  VOID
+  );
+
+typedef
+BOOLEAN
+(EFIAPI *_HASH_INIT) (
+  OUT  VOID  *ShaContext
+  );
+
+typedef
+BOOLEAN
+(EFIAPI *_HASH_DUPLICATE) (
+  IN   CONST VOID  *ShaContext,
+  OUT  VOID        *NewShaContext
+  );
+
+typedef
+BOOLEAN
+(EFIAPI *_HASH_UPDATE) (
+  IN OUT  VOID        *ShaContext,
+  IN      CONST VOID  *Data,
+  IN      UINTN       DataSize
+  );
+
+typedef
+BOOLEAN
+(EFIAPI *_HASH_FINAL) (
+  IN OUT  VOID   *ShaContext,
+  OUT     UINT8  *HashValue
+  );
+
+HASH_ALGO_IDX
+GetHashAlgoIndex (
+  VOID
+);
+
+typedef struct {
+  HASH_ALGO_IDX     HashAlgo;
+  GET_HASH_CTX_SIZE  GetHashCtxSize;
+  _HASH_INIT          HashInit;
+  _HASH_DUPLICATE     HashDuplicate;
+  _HASH_UPDATE        HashUpdate;
+  _HASH_FINAL         HashFinal;
+} HASH_OPERATIONS;
+
+
+EFI_STATUS
+EFIAPI
+RegisterHashLib (
+  IN HASH_OPERATIONS   *HashInterface
+);
+#endif
+#endif
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
new file mode 100644
index 000000000000..f5dcbedb2cd9
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
@@ -0,0 +1,49 @@
+## @file
+#  Provides hash service by registered hash handler
+#
+#  This library is Base Hash Lib. It will redirect hash request to each individual
+#  hash handler registered, such as SHA1, SHA256, SHA384, SM3. Platform can use
+#  PcdTpm2HashMask to register hash engines.
+#
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = BaseHashLibDxe
+  MODULE_UNI_FILE                = BaseHashLibDxe.uni
+  FILE_GUID                      = 158DC712-F15A-44dc-93BB-1675045BE066
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+  CONSTRUCTOR                    = BaseHashLibApiDxeConstructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64
+#
+
+[Sources]
+  BaseHashLib.h
+  BaseHashLibDxe.c
+  BaseHashLib.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  PcdLib
+
+[Pcd]
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask             ## CONSUMES
+  gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap    ## CONSUMES
+  gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy    ## CONSUMES
+
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
new file mode 100644
index 000000000000..d8b03ea4da63
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
@@ -0,0 +1,18 @@
+// /** @file
+// Provides hash service by registered hash handler
+//
+// This library is BaseCrypto router. It will redirect hash request to each individual
+// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to
+// mask some hash engines.
+//
+// Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Provides hash service by registered hash handler"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This library is BaseCrypto router. It will redirect hash request to each individual hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to mask some hash engines."
+
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
new file mode 100644
index 000000000000..07e95a5a9c0f
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
@@ -0,0 +1,50 @@
+## @file
+#  Provides hash service by registered hash handler
+#
+#  This library is BaseCrypto router. It will redirect hash request to each individual
+#  hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to
+#  mask some hash engines.
+#
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = BaseHashLibPei
+  MODULE_UNI_FILE                = BaseHashLibPei.uni
+  FILE_GUID                      = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
+  MODULE_TYPE                    = PEIM
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = BaseHashLib|PEIM
+  CONSTRUCTOR                    = BaseHashLibApiPeiConstructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64
+#
+
+[Sources]
+  BaseHashLib.h
+  BaseHashLibPei.c
+  BaseHashLib.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  SecurityPkg/SecurityPkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  PcdLib
+
+[Pcd]
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask             ## CONSUMES
+  gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap    ## CONSUMES
+  gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy    ## CONSUMES
+
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
new file mode 100644
index 000000000000..d8b03ea4da63
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
@@ -0,0 +1,18 @@
+// /** @file
+// Provides hash service by registered hash handler
+//
+// This library is BaseCrypto router. It will redirect hash request to each individual
+// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to
+// mask some hash engines.
+//
+// Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Provides hash service by registered hash handler"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This library is BaseCrypto router. It will redirect hash request to each individual hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to mask some hash engines."
+
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index cac36caf0a0d..b03677a5411c 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -27,6 +27,10 @@ [LibraryClasses]
   #
   HashLib|Include/Library/HashLib.h
 
+  ##  @libraryclass  Provides hash interfaces from different implementations.
+  #
+  BaseHashLib|Include/Library/HashLib.h
+
   ##  @libraryclass  Provides a platform specific interface to detect physically present user.
   #
   PlatformSecureLib|Include/Library/PlatformSecureLib.h
@@ -496,5 +500,29 @@ [PcdsDynamic, PcdsDynamicEx]
   # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023
 
+  [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+  ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF image
+  #  Based on the value set, the required algorithm is chosen to verify
+  #  the unsigned image during Secure Boot.<BR>
+  #  The hashing algorithm selected must match the hashing algorithm used to
+  #  hash the image to be added to DB using tools such as KeyEnroll.<BR>
+  #     0x00000001    - SHA1.<BR>
+  #     0x00000002    - SHA256.<BR>
+  #     0x00000004    - SHA384.<BR>
+  #     0x00000008    - SHA512.<BR>
+  #     0x00000010    - SM3_256.<BR>
+  # @Prompt Set policy for hashing unsigned image for Secure Boot.
+  # @ValidRange 0x80000001 | 0x00000000 - 0x00000005
+  gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x02|UINT32|0x00010024
+
+  ## This PCD indicated final BIOS supported Hash mask for Base Hash API.
+  #    Bios may choose to register a subset of PcdTpm2HashMask.
+  #    This PCD is final value of how many hash algo are registered with
+  #    Base Hash API.
+  # This PCD will start with value 0 by the Base Hash API constructor and
+  # the value will be updated as Hash Algo are registered.
+  # @Prompt Hash Algorithm bitmap for Base Hash API.
+  gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|0xFFFFFFFF|UINT32|0x00010025
+
 [UserExtensions.TianoCore."ExtraFiles"]
   SecurityPkgExtra.uni
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index a2eeadda7a7e..9ae134ffee53 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
   Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.inf
   RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+  BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
 
 [LibraryClasses.common.DXE_DRIVER]
   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
@@ -170,6 +171,7 @@ [PcdsDynamicDefault.common.DEFAULT]
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1
   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|3
   gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|3
+  gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|3
 
 [PcdsDynamicHii.common.DEFAULT]
   gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
@@ -211,6 +213,8 @@ [Components]
 
   SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
 
+  SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
+
   #
   # TCG Storage.
   #
diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni
index 68587304d779..2dc77279210c 100644
--- a/SecurityPkg/SecurityPkg.uni
+++ b/SecurityPkg/SecurityPkg.uni
@@ -295,3 +295,26 @@
 
 #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP  #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
                                                                                      "0 means this field is unsupported\n"
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT  #language en-US "HASH algorithm to verify unsigned PE/COFF image"
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP  #language en-US "This PCD indicates the HASH algorithm to verify unsigned PE/COFF image.<BR><BR>\n"
+                                                                                        "Based on the value set, the required algorithm is chosen to verify\n"
+                                                                                        "the unsigned image during Secure Boot.<BR>\n"
+                                                                                        "The hashing algorithm selected must match the hashing algorithm used to\n"
+                                                                                        "hash the image to be added to DB using tools such as KeyEnroll.<BR>\n"
+                                                                                        "0x00000000  -  SHA1.<BR>\n"
+                                                                                        "0x00000001  -  SHA224.<BR>"
+                                                                                        "0x00000002  -  SHA256.<BR>\n"
+                                                                                        "0x00000003  -  SHA384.<BR>\n"
+                                                                                        "0x00000004  -  SHA512.<BR>\n"
+                                                                                        "0x00000005  -  SM3.<BR>"
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_PROMPT  #language en-US "Hash Algorithm bitmap for Base Hash API."
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_HELP  #language en-US "This PCD indicated final BIOS supported Hash mask for Base Hash API.\n"
+                                                                                        "Bios may choose to register a subset of PcdTpm2HashMask.<BR>\n"
+                                                                                        "This PCD is final value of how many hash algo are registered with\n"
+                                                                                        "Base Hash API.<BR>\n"
+                                                                                        "This PCD will start with value 0 by the Base Hash API constructor and\n"
+                                                                                        "the value will be updated as Hash Algo are registered.<BR>\n"
-- 
2.16.2.windows.1


  reply	other threads:[~2019-12-18 21:32 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-18 21:32 [PATCH v1 0/6] SecurityPkg/BaseHashLib: Implement a Unified API for Hash Calculation Sukerkar, Amol N
2019-12-18 21:32 ` Sukerkar, Amol N [this message]
2019-12-18 21:32 ` [PATCH v1 2/6] SecurityPkg/HashApiInstanceSha1: Implement API registration mechanism for SHA1 Sukerkar, Amol N
2019-12-18 21:32 ` [PATCH v1 3/6] SecurityPkg/HashApiInstanceSha256: Implement API registration mechanism for SHA256 Sukerkar, Amol N
2019-12-18 21:32 ` [PATCH v1 4/6] SecurityPkg/HashApiInstanceSha384: Implement API registration mechanism for SHA384 Sukerkar, Amol N
2019-12-18 21:32 ` [PATCH v1 5/6] SecurityPkg/BaseHashLib: Modified the Registation Mechanism for BaseHashLib Sukerkar, Amol N
2019-12-18 21:32 ` [PATCH v1 6/6] SecurityPkg/HashApiInstanceSM3: Implement API registration mechanism for SM3 Sukerkar, Amol N
  -- strict thread matches above, loose matches on Subject: below --
2019-12-18 21:50 [PATCH v1 0/6] SecurityPkg/BaseHashLib: Implement a Unified API for Hash Calculation Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 1/6] SecurityPkg/BaseHashLib: Implement a unified " Sukerkar, Amol N

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191218213236.1563-2-amol.n.sukerkar@intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox