From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga02.intel.com (mga02.intel.com []) by mx.groups.io with SMTP id smtpd.web12.1767.1576704760204204400 for ; Wed, 18 Dec 2019 13:32:42 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=fail (domain: intel.com, ip: , mailfrom: amol.n.sukerkar@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Dec 2019 13:32:41 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,330,1571727600"; d="scan'208";a="212815403" Received: from ansukerk-mobl.amr.corp.intel.com ([10.78.16.174]) by fmsmga007.fm.intel.com with ESMTP; 18 Dec 2019 13:32:41 -0800 From: "Sukerkar, Amol N" To: devel@edk2.groups.io Subject: [PATCH v1 1/6] SecurityPkg/BaseHashLib: Implement a unified API for Hash Calculation Date: Wed, 18 Dec 2019 14:32:31 -0700 Message-Id: <20191218213236.1563-2-amol.n.sukerkar@intel.com> X-Mailer: git-send-email 2.24.1.windows.2 In-Reply-To: <20191218213236.1563-1-amol.n.sukerkar@intel.com> References: <20191218213236.1563-1-amol.n.sukerkar@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable This implementation eliminates the need to use hard-coded API to calculate = hash by PEI and DXE drivers by introducing a common and unified API for hash calculation. The common API will execute the hash algorithm specified by the PCD, PcdSystemHashPolicy. Signed-off-by: Sukerkar, Amol N --- SecurityPkg/Library/BaseHashLib/BaseHashLib.c | 236 +++++++++++++++++= +++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 62 +++++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 62 +++++ SecurityPkg/Include/Library/HashLib.h | 83 +++++++ SecurityPkg/Library/BaseHashLib/BaseHashLib.h | 85 +++++++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 49 ++++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 50 +++++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 18 ++ SecurityPkg/SecurityPkg.dec | 28 +++ SecurityPkg/SecurityPkg.dsc | 4 + SecurityPkg/SecurityPkg.uni | 23 ++ 12 files changed, 718 insertions(+) diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.c b/SecurityPkg/Li= brary/BaseHashLib/BaseHashLib.c new file mode 100644 index 000000000000..2ad83387799d --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLib.c @@ -0,0 +1,236 @@ +/** @file=0D + Implement image verification services for secure boot service=0D +=0D + Caution: This file requires additional review when modified.=0D + This library will have external input - PE/COFF image.=0D + This external input must be validated carefully to avoid security issue = like=0D + buffer overflow, integer overflow.=0D +=0D + DxeImageVerificationLibImageRead() function will make sure the PE/COFF i= mage content=0D + read is within the image buffer.=0D +=0D + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() functi= on will accept=0D + untrusted PE/COFF image and validate its data structure within this imag= e buffer before use.=0D +=0D +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
=0D +(C) Copyright 2016 Hewlett Packard Enterprise Development LP
=0D +This program and the accompanying materials=0D +are licensed and made available under the terms and conditions of the BSD = License=0D +which accompanies this distribution. The full text of the license may be = found at=0D +http://opensource.org/licenses/bsd-license.php=0D +=0D +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,=0D +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED.=0D +=0D +**/=0D +=0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +=0D +//#include "BaseHashLib.h"=0D +=0D +typedef struct {=0D + EFI_GUID Guid;=0D + UINT32 Mask;=0D +} HASH_MASK;=0D +=0D +HASH_MASK mHashMask[] =3D {=0D + {HASH_ALGORITHM_SHA1_GUID, HASH_ALG_SHA1},=0D + {HASH_ALGORITHM_SHA256_GUID, HASH_ALG_SHA256},=0D + {HASH_ALGORITHM_SHA384_GUID, HASH_ALG_SHA384},=0D + {HASH_ALGORITHM_SHA512_GUID, HASH_ALG_SHA512},=0D +};=0D +=0D +HASH_INTERFACE_UNIFIED_API mHashOps[HASH_COUNT] =3D {{{0}, NULL, NULL, NUL= L}};=0D +=0D +UINTN mHashInterfaceCount =3D 0;=0D +UINT32 mCurrentHashMask =3D 0;=0D +=0D +UINT32=0D +EFIAPI=0D +GetApiHashMaskFromAlgo (=0D + IN EFI_GUID *HashGuid=0D + )=0D +{=0D + UINTN Index;=0D +=0D + for (Index =3D 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index+= +) {=0D + if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) {=0D + return mHashMask[Index].Mask;=0D + }=0D + }=0D + return 0;=0D +}=0D +=0D +/**=0D + Init hash sequence.=0D +=0D + @param HashHandle Hash handle.=0D +=0D + @retval EFI_SUCCESS Hash start and HashHandle returned.=0D + @retval EFI_UNSUPPORTED System has no HASH library registered.=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +HashApiInit (=0D + OUT HASH_HANDLE *HashHandle=0D +)=0D +{=0D + HASH_HANDLE *HashCtx;=0D + UINTN Index;=0D + UINT32 HashMask;=0D +=0D + if (mHashInterfaceCount =3D=3D 0) {=0D + return EFI_UNSUPPORTED;=0D + }=0D +=0D + HashCtx =3D AllocatePool (sizeof(*HashCtx));=0D + ASSERT (HashCtx !=3D NULL);=0D +=0D + for (Index =3D 0; Index < mHashInterfaceCount; Index++) {=0D + HashMask =3D GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);=0D + if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) !=3D 0 &&=0D + (HashMask & PcdGet32 (PcdSystemHashPolicy)) !=3D 0) {=0D + mHashOps[Index].HashInit (HashCtx);=0D + }=0D + }=0D +=0D + *HashHandle =3D (HASH_HANDLE)HashCtx;=0D +=0D + return EFI_SUCCESS;=0D +}=0D +=0D +/**=0D + Update hash data.=0D +=0D + @param HashHandle Hash handle.=0D + @param DataToHash Data to be hashed.=0D + @param DataToHashLen Data size.=0D +=0D + @retval EFI_SUCCESS Hash updated.=0D + @retval EFI_UNSUPPORTED System has no HASH library registered.=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +HashApiUpdate (=0D + IN HASH_HANDLE HashHandle,=0D + IN VOID *DataToHash,=0D + IN UINTN DataToHashLen=0D +)=0D +{=0D + HASH_HANDLE *HashCtx;=0D + UINTN Index;=0D + UINT32 HashMask;=0D +=0D + if (mHashInterfaceCount =3D=3D 0) {=0D + return EFI_UNSUPPORTED;=0D + }=0D +=0D + HashCtx =3D (HASH_HANDLE *)HashHandle;=0D +=0D + for (Index =3D 0; Index < mHashInterfaceCount; Index++) {=0D + HashMask =3D GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);=0D + if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) !=3D 0 &&=0D + (HashMask & PcdGet32 (PcdSystemHashPolicy)) !=3D 0) {=0D + mHashOps[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen);= =0D + }=0D + }=0D +=0D + return EFI_SUCCESS;=0D +}=0D +=0D +/**=0D + Hash complete.=0D +=0D + @param HashHandle Hash handle.=0D + @param Digest Hash Digest.=0D +=0D + @retval EFI_SUCCESS Hash complete and Digest is returned.=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +HashApiFinal (=0D + IN HASH_HANDLE HashHandle,=0D + OUT UINT8 *Digest=0D +)=0D +{=0D + HASH_HANDLE *HashCtx;=0D + UINTN Index;=0D + UINT32 HashMask;=0D +=0D + if (mHashInterfaceCount =3D=3D 0) {=0D + return EFI_UNSUPPORTED;=0D + }=0D +=0D + HashCtx =3D (HASH_HANDLE *)HashHandle;=0D +=0D + for (Index =3D 0; Index < mHashInterfaceCount; Index++) {=0D + HashMask =3D GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);=0D + if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) !=3D 0 &&=0D + (HashMask & PcdGet32 (PcdSystemHashPolicy)) !=3D 0) {=0D + mHashOps[Index].HashFinal (HashCtx[0], &Digest);=0D + }=0D + }=0D +=0D + return EFI_SUCCESS;=0D +}=0D +=0D +/**=0D + This service registers Hash Interface.=0D +=0D + @param HashInterface Hash interface=0D +=0D + @retval EFI_SUCCESS This hash interface is registered successfu= lly.=0D + @retval EFI_UNSUPPORTED System does not support register this inter= face.=0D + @retval EFI_ALREADY_STARTED System already register this interface.=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +RegisterHashApiLib (=0D + IN HASH_INTERFACE_UNIFIED_API *HashInterface=0D + )=0D +{=0D + EFI_STATUS Status;=0D + UINTN Index;=0D + UINT32 HashMask;=0D +=0D + //=0D + // Check Allow=0D + //=0D + HashMask =3D GetApiHashMaskFromAlgo (&HashInterface->HashGuid);=0D +=0D + // check if Hash Mask is supported=0D + if ((HashMask & PcdGet32 (PcdTpm2HashMask)) =3D=3D 0) {=0D + return EFI_UNSUPPORTED;=0D + }=0D +=0D + if (mHashInterfaceCount >=3D sizeof(mHashOps)/sizeof(mHashOps[0])) {=0D + return EFI_OUT_OF_RESOURCES;=0D + }=0D +=0D + //=0D + // Check duplication=0D + //=0D + for (Index =3D 0; Index < mHashInterfaceCount; Index++) {=0D + if (CompareGuid (&mHashOps[Index].HashGuid, &HashInterface->HashGuid))= {=0D + DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been registered\n", &H= ashInterface->HashGuid));=0D + return EFI_ALREADY_STARTED;=0D + }=0D + }=0D +=0D + //=0D + // Register the Hash Algo.=0D + //=0D + mCurrentHashMask =3D PcdGet32 (PcdHashAlgorithmBitmap) | HashMask;=0D + Status =3D PcdSet32S (PcdHashAlgorithmBitmap, mCurrentHashMask);=0D + ASSERT_EFI_ERROR (Status);=0D +=0D + CopyMem (&mHashOps[mHashInterfaceCount], HashInterface, sizeof(*HashInte= rface));=0D + mHashInterfaceCount ++;=0D +=0D + return EFI_SUCCESS;=0D +} \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c b/SecurityPkg= /Library/BaseHashLib/BaseHashLibDxe.c new file mode 100644 index 000000000000..5de94d80fad5 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c @@ -0,0 +1,62 @@ +/** @file=0D + Implement image verification services for secure boot service=0D +=0D + Caution: This file requires additional review when modified.=0D + This library will have external input - PE/COFF image.=0D + This external input must be validated carefully to avoid security issue = like=0D + buffer overflow, integer overflow.=0D +=0D + DxeImageVerificationLibImageRead() function will make sure the PE/COFF i= mage content=0D + read is within the image buffer.=0D +=0D + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() functi= on will accept=0D + untrusted PE/COFF image and validate its data structure within this imag= e buffer before use.=0D +=0D +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
=0D +(C) Copyright 2016 Hewlett Packard Enterprise Development LP
=0D +This program and the accompanying materials=0D +are licensed and made available under the terms and conditions of the BSD = License=0D +which accompanies this distribution. The full text of the license may be = found at=0D +http://opensource.org/licenses/bsd-license.php=0D +=0D +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,=0D +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED.=0D +=0D +**/=0D +=0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +=0D +#include "BaseHashLib.h"=0D +=0D +/**=0D + The constructor function of BaseHashLib Dxe.=0D +=0D + @param FileHandle The handle of FFS header the loaded driver.=0D + @param PeiServices The pointer to the PEI services.=0D +=0D + @retval EFI_SUCCESS The constructor executes successfully.=0D + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constr= uctor.=0D +=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +BaseHashLibApiPeiConstructor (=0D + IN EFI_HANDLE ImageHandle,=0D + IN EFI_SYSTEM_TABLE *SystemTable=0D + )=0D +{=0D + EFI_STATUS Status;=0D +=0D + //=0D + // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module.=0D + //=0D + Status =3D PcdSet32S (PcdHashAlgorithmBitmap, 0);=0D + ASSERT_EFI_ERROR (Status);=0D +=0D + return EFI_SUCCESS;=0D +} \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c b/SecurityPkg= /Library/BaseHashLib/BaseHashLibPei.c new file mode 100644 index 000000000000..8ffe356b60e7 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c @@ -0,0 +1,62 @@ +/** @file=0D + Implement image verification services for secure boot service=0D +=0D + Caution: This file requires additional review when modified.=0D + This library will have external input - PE/COFF image.=0D + This external input must be validated carefully to avoid security issue = like=0D + buffer overflow, integer overflow.=0D +=0D + DxeImageVerificationLibImageRead() function will make sure the PE/COFF i= mage content=0D + read is within the image buffer.=0D +=0D + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() functi= on will accept=0D + untrusted PE/COFF image and validate its data structure within this imag= e buffer before use.=0D +=0D +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
=0D +(C) Copyright 2016 Hewlett Packard Enterprise Development LP
=0D +This program and the accompanying materials=0D +are licensed and made available under the terms and conditions of the BSD = License=0D +which accompanies this distribution. The full text of the license may be = found at=0D +http://opensource.org/licenses/bsd-license.php=0D +=0D +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,=0D +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED.=0D +=0D +**/=0D +=0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +#include =0D +=0D +#include "BaseHashLib.h"=0D +=0D +/**=0D + The constructor function of BaseHashLib Pei.=0D +=0D + @param FileHandle The handle of FFS header the loaded driver.=0D + @param PeiServices The pointer to the PEI services.=0D +=0D + @retval EFI_SUCCESS The constructor executes successfully.=0D + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constr= uctor.=0D +=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +BaseHashLibApiPeiConstructor (=0D + IN EFI_PEI_FILE_HANDLE FileHandle,=0D + IN CONST EFI_PEI_SERVICES **PeiServices=0D + )=0D +{=0D + EFI_STATUS Status;=0D +=0D + //=0D + // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module.=0D + //=0D + Status =3D PcdSet32S (PcdHashAlgorithmBitmap, 0);=0D + ASSERT_EFI_ERROR (Status);=0D +=0D + return EFI_SUCCESS;=0D +} \ No newline at end of file diff --git a/SecurityPkg/Include/Library/HashLib.h b/SecurityPkg/Include/Li= brary/HashLib.h index 6ad960ad70ee..740cb8188e51 100644 --- a/SecurityPkg/Include/Library/HashLib.h +++ b/SecurityPkg/Include/Library/HashLib.h @@ -87,6 +87,53 @@ HashAndExtend ( OUT TPML_DIGEST_VALUES *DigestList=0D );=0D =0D +/**=0D + Init hash sequence.=0D +=0D + @param HashHandle Hash handle.=0D +=0D + @retval EFI_SUCCESS Hash start and HashHandle returned.=0D + @retval EFI_UNSUPPORTED System has no HASH library registered.=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +HashApiInit (=0D + OUT HASH_HANDLE *HashHandle=0D +);=0D +=0D +/**=0D + Update hash data.=0D +=0D + @param HashHandle Hash handle.=0D + @param DataToHash Data to be hashed.=0D + @param DataToHashLen Data size.=0D +=0D + @retval EFI_SUCCESS Hash updated.=0D + @retval EFI_UNSUPPORTED System has no HASH library registered.=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +HashApiUpdate (=0D + IN HASH_HANDLE HashHandle,=0D + IN VOID *DataToHash,=0D + IN UINTN DataToHashLen=0D +);=0D +=0D +/**=0D + Hash complete.=0D +=0D + @param HashHandle Hash handle.=0D + @param Digest Hash Digest.=0D +=0D + @retval EFI_SUCCESS Hash complete and Digest is returned.=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +HashApiFinal (=0D + IN HASH_HANDLE HashHandle,=0D + OUT UINT8 *Digest=0D +);=0D +=0D /**=0D Start hash sequence.=0D =0D @@ -133,6 +180,21 @@ EFI_STATUS OUT TPML_DIGEST_VALUES *DigestList=0D );=0D =0D +/**=0D + Hash complete.=0D +=0D + @param HashHandle Hash handle.=0D + @param Digest Hash Digest.=0D +=0D + @retval EFI_SUCCESS Hash complete and Digest is returned.=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *HASH_FINAL_EX) (=0D + IN HASH_HANDLE HashHandle,=0D + OUT UINT8 **Digest=0D + );=0D +=0D #define HASH_ALGORITHM_SHA1_GUID EFI_HASH_ALGORITHM_SHA1_GUID=0D #define HASH_ALGORITHM_SHA256_GUID EFI_HASH_ALGORITHM_SHA256_GUID=0D #define HASH_ALGORITHM_SHA384_GUID EFI_HASH_ALGORITHM_SHA384_GUID=0D @@ -149,6 +211,13 @@ typedef struct { HASH_FINAL HashFinal;=0D } HASH_INTERFACE;=0D =0D +typedef struct {=0D + EFI_GUID HashGuid;=0D + HASH_INIT HashInit;=0D + HASH_UPDATE HashUpdate;=0D + HASH_FINAL_EX HashFinal;=0D +} HASH_INTERFACE_UNIFIED_API;=0D +=0D /**=0D This service register Hash.=0D =0D @@ -164,4 +233,18 @@ RegisterHashInterfaceLib ( IN HASH_INTERFACE *HashInterface=0D );=0D =0D +/**=0D + This service registers Hash Interface.=0D +=0D + @param HashInterface Hash interface=0D +=0D + @retval EFI_SUCCESS This hash interface is registered successfu= lly.=0D + @retval EFI_UNSUPPORTED System does not support register this inter= face.=0D + @retval EFI_ALREADY_STARTED System already register this interface.=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +RegisterHashApiLib (=0D + IN HASH_INTERFACE_UNIFIED_API *HashInterface=0D +);=0D #endif=0D diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.h b/SecurityPkg/Li= brary/BaseHashLib/BaseHashLib.h new file mode 100644 index 000000000000..70676c1716c3 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLib.h @@ -0,0 +1,85 @@ +/** @file=0D + The internal header file includes the common header files, defines=0D + internal structure and functions used by ImageVerificationLib.=0D +=0D +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
=0D +This program and the accompanying materials=0D +are licensed and made available under the terms and conditions of the BSD = License=0D +which accompanies this distribution. The full text of the license may be = found at=0D +http://opensource.org/licenses/bsd-license.php=0D +=0D +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,=0D +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED.=0D +=0D +**/=0D +=0D +#ifndef __BASEHASHLIB_H_=0D +#define __BASEHASHLIB_H_=0D +=0D +#define HASH_ALGO_COUNT 7=0D +=0D +//=0D +// Hash Algorithms=0D +//=0D +#define HASH_ALG_SHA1 0x00000001=0D +#define HASH_ALG_SHA256 0x00000002=0D +#define HASH_ALG_SHA384 0x00000004=0D +#define HASH_ALG_SHA512 0x00000008=0D +#define HASH_ALG_SM3_256 0x00000010=0D +#if 0=0D +typedef =0D +UINTN=0D +(EFIAPI *GET_HASH_CTX_SIZE) (=0D + VOID=0D + );=0D +=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *_HASH_INIT) (=0D + OUT VOID *ShaContext=0D + );=0D +=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *_HASH_DUPLICATE) (=0D + IN CONST VOID *ShaContext,=0D + OUT VOID *NewShaContext=0D + );=0D +=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *_HASH_UPDATE) (=0D + IN OUT VOID *ShaContext,=0D + IN CONST VOID *Data,=0D + IN UINTN DataSize=0D + );=0D +=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *_HASH_FINAL) (=0D + IN OUT VOID *ShaContext,=0D + OUT UINT8 *HashValue=0D + );=0D +=0D +HASH_ALGO_IDX=0D +GetHashAlgoIndex (=0D + VOID=0D +);=0D +=0D +typedef struct {=0D + HASH_ALGO_IDX HashAlgo;=0D + GET_HASH_CTX_SIZE GetHashCtxSize;=0D + _HASH_INIT HashInit;=0D + _HASH_DUPLICATE HashDuplicate;=0D + _HASH_UPDATE HashUpdate;=0D + _HASH_FINAL HashFinal;=0D +} HASH_OPERATIONS;=0D +=0D +=0D +EFI_STATUS=0D +EFIAPI=0D +RegisterHashLib (=0D + IN HASH_OPERATIONS *HashInterface=0D +);=0D +#endif=0D +#endif \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/SecurityP= kg/Library/BaseHashLib/BaseHashLibDxe.inf new file mode 100644 index 000000000000..f5dcbedb2cd9 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf @@ -0,0 +1,49 @@ +## @file=0D +# Provides hash service by registered hash handler=0D +#=0D +# This library is Base Hash Lib. It will redirect hash request to each in= dividual=0D +# hash handler registered, such as SHA1, SHA256, SHA384, SM3. Platform ca= n use=0D +# PcdTpm2HashMask to register hash engines.=0D +#=0D +# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
=0D +# SPDX-License-Identifier: BSD-2-Clause-Patent=0D +#=0D +##=0D +=0D +[Defines]=0D + INF_VERSION =3D 0x00010005=0D + BASE_NAME =3D BaseHashLibDxe=0D + MODULE_UNI_FILE =3D BaseHashLibDxe.uni=0D + FILE_GUID =3D 158DC712-F15A-44dc-93BB-1675045BE066= =0D + MODULE_TYPE =3D DXE_DRIVER=0D + VERSION_STRING =3D 1.0=0D + LIBRARY_CLASS =3D BaseHashLib|DXE_DRIVER DXE_RUNTIME_DR= IVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER=0D + CONSTRUCTOR =3D BaseHashLibApiDxeConstructor=0D +=0D +#=0D +# The following information is for reference only and not required by the = build tools.=0D +#=0D +# VALID_ARCHITECTURES =3D IA32 X64=0D +#=0D +=0D +[Sources]=0D + BaseHashLib.h=0D + BaseHashLibDxe.c=0D + BaseHashLib.c=0D +=0D +[Packages]=0D + MdePkg/MdePkg.dec=0D + SecurityPkg/SecurityPkg.dec=0D +=0D +[LibraryClasses]=0D + BaseLib=0D + BaseMemoryLib=0D + DebugLib=0D + MemoryAllocationLib=0D + PcdLib=0D +=0D +[Pcd]=0D + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES=0D + gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES=0D + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES=0D +=0D diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni b/SecurityP= kg/Library/BaseHashLib/BaseHashLibDxe.uni new file mode 100644 index 000000000000..d8b03ea4da63 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni @@ -0,0 +1,18 @@ +// /** @file=0D +// Provides hash service by registered hash handler=0D +//=0D +// This library is BaseCrypto router. It will redirect hash request to eac= h individual=0D +// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2= HashMask to=0D +// mask some hash engines.=0D +//=0D +// Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
= =0D +//=0D +// SPDX-License-Identifier: BSD-2-Clause-Patent=0D +//=0D +// **/=0D +=0D +=0D +#string STR_MODULE_ABSTRACT #language en-US "Provides hash ser= vice by registered hash handler"=0D +=0D +#string STR_MODULE_DESCRIPTION #language en-US "This library is B= aseCrypto router. It will redirect hash request to each individual hash han= dler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to = mask some hash engines."=0D +=0D diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf b/SecurityP= kg/Library/BaseHashLib/BaseHashLibPei.inf new file mode 100644 index 000000000000..07e95a5a9c0f --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf @@ -0,0 +1,50 @@ +## @file=0D +# Provides hash service by registered hash handler=0D +#=0D +# This library is BaseCrypto router. It will redirect hash request to eac= h individual=0D +# hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2= HashMask to=0D +# mask some hash engines.=0D +#=0D +# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
=0D +# SPDX-License-Identifier: BSD-2-Clause-Patent=0D +#=0D +##=0D +=0D +[Defines]=0D + INF_VERSION =3D 0x00010005=0D + BASE_NAME =3D BaseHashLibPei=0D + MODULE_UNI_FILE =3D BaseHashLibPei.uni=0D + FILE_GUID =3D DDCBCFBA-8EEB-488a-96D6-097831A6E50B= =0D + MODULE_TYPE =3D PEIM=0D + VERSION_STRING =3D 1.0=0D + LIBRARY_CLASS =3D BaseHashLib|PEIM=0D + CONSTRUCTOR =3D BaseHashLibApiPeiConstructor=0D +=0D +#=0D +# The following information is for reference only and not required by the = build tools.=0D +#=0D +# VALID_ARCHITECTURES =3D IA32 X64=0D +#=0D +=0D +[Sources]=0D + BaseHashLib.h=0D + BaseHashLibPei.c=0D + BaseHashLib.c=0D +=0D +[Packages]=0D + MdePkg/MdePkg.dec=0D + SecurityPkg/SecurityPkg.dec=0D + MdeModulePkg/MdeModulePkg.dec=0D +=0D +[LibraryClasses]=0D + BaseLib=0D + BaseMemoryLib=0D + DebugLib=0D + MemoryAllocationLib=0D + PcdLib=0D +=0D +[Pcd]=0D + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES=0D + gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES=0D + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES=0D +=0D diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni b/SecurityP= kg/Library/BaseHashLib/BaseHashLibPei.uni new file mode 100644 index 000000000000..d8b03ea4da63 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni @@ -0,0 +1,18 @@ +// /** @file=0D +// Provides hash service by registered hash handler=0D +//=0D +// This library is BaseCrypto router. It will redirect hash request to eac= h individual=0D +// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2= HashMask to=0D +// mask some hash engines.=0D +//=0D +// Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
= =0D +//=0D +// SPDX-License-Identifier: BSD-2-Clause-Patent=0D +//=0D +// **/=0D +=0D +=0D +#string STR_MODULE_ABSTRACT #language en-US "Provides hash ser= vice by registered hash handler"=0D +=0D +#string STR_MODULE_DESCRIPTION #language en-US "This library is B= aseCrypto router. It will redirect hash request to each individual hash han= dler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to = mask some hash engines."=0D +=0D diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index cac36caf0a0d..b03677a5411c 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -27,6 +27,10 @@ [LibraryClasses] #=0D HashLib|Include/Library/HashLib.h=0D =0D + ## @libraryclass Provides hash interfaces from different implementatio= ns.=0D + #=0D + BaseHashLib|Include/Library/HashLib.h=0D +=0D ## @libraryclass Provides a platform specific interface to detect phys= ically present user.=0D #=0D PlatformSecureLib|Include/Library/PlatformSecureLib.h=0D @@ -496,5 +500,29 @@ [PcdsDynamic, PcdsDynamicEx] # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.=0D gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023=0D =0D + [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]=0D + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF imag= e=0D + # Based on the value set, the required algorithm is chosen to verify=0D + # the unsigned image during Secure Boot.
=0D + # The hashing algorithm selected must match the hashing algorithm used = to=0D + # hash the image to be added to DB using tools such as KeyEnroll.
=0D + # 0x00000001 - SHA1.
=0D + # 0x00000002 - SHA256.
=0D + # 0x00000004 - SHA384.
=0D + # 0x00000008 - SHA512.
=0D + # 0x00000010 - SM3_256.
=0D + # @Prompt Set policy for hashing unsigned image for Secure Boot.=0D + # @ValidRange 0x80000001 | 0x00000000 - 0x00000005=0D + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x02|UINT32|0x00010024= =0D +=0D + ## This PCD indicated final BIOS supported Hash mask for Base Hash API.= =0D + # Bios may choose to register a subset of PcdTpm2HashMask.=0D + # This PCD is final value of how many hash algo are registered with=0D + # Base Hash API.=0D + # This PCD will start with value 0 by the Base Hash API constructor and= =0D + # the value will be updated as Hash Algo are registered.=0D + # @Prompt Hash Algorithm bitmap for Base Hash API.=0D + gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|0xFFFFFFFF|UINT32|0= x00010025=0D +=0D [UserExtensions.TianoCore."ExtraFiles"]=0D SecurityPkgExtra.uni=0D diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index a2eeadda7a7e..9ae134ffee53 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM] Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.in= f=0D Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/P= eiTcg2PhysicalPresenceLib.inf=0D RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf=0D + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf=0D =0D [LibraryClasses.common.DXE_DRIVER]=0D HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf=0D @@ -170,6 +171,7 @@ [PcdsDynamicDefault.common.DEFAULT] gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1=0D gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|3=0D gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|3=0D + gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|3=0D =0D [PcdsDynamicHii.common.DEFAULT]=0D gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_= VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS=0D @@ -211,6 +213,8 @@ [Components] =0D SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf=0D =0D + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf=0D +=0D #=0D # TCG Storage.=0D #=0D diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni index 68587304d779..2dc77279210c 100644 --- a/SecurityPkg/SecurityPkg.uni +++ b/SecurityPkg/SecurityPkg.uni @@ -295,3 +295,26 @@ =0D #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP #lang= uage en-US "This PCD defines LASA of TPM2 ACPI table\n\n"=0D = "0 means this field is unsupported\n"=0D +=0D +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT #lan= guage en-US "HASH algorithm to verify unsigned PE/COFF image"=0D +=0D +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP #langu= age en-US "This PCD indicates the HASH algorithm to verify unsigned PE/COFF= image.

\n"=0D + = "Based on the value set, the required algorithm is chosen to = verify\n"=0D + = "the unsigned image during Secure Boot.
\n"=0D + = "The hashing algorithm selected must match the hashing algori= thm used to\n"=0D + = "hash the image to be added to DB using tools such as KeyEnro= ll.
\n"=0D + = "0x00000000 - SHA1.
\n"=0D + = "0x00000001 - SHA224.
"=0D + = "0x00000002 - SHA256.
\n"=0D + = "0x00000003 - SHA384.
\n"=0D + = "0x00000004 - SHA512.
\n"=0D + = "0x00000005 - SM3.
"=0D +=0D +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_PROMPT #= language en-US "Hash Algorithm bitmap for Base Hash API."=0D +=0D +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_HELP #la= nguage en-US "This PCD indicated final BIOS supported Hash mask for Base Ha= sh API.\n"=0D + = "Bios may choose to register a subset of PcdTpm2HashMask.
= \n"=0D + = "This PCD is final value of how many hash algo are registered= with\n"=0D + = "Base Hash API.
\n"=0D + = "This PCD will start with value 0 by the Base Hash API constr= uctor and\n"=0D + = "the value will be updated as Hash Algo are registered.
\n= "=0D --=20 2.16.2.windows.1