* [PATCH v1 2/6] SecurityPkg/HashApiInstanceSha1: Implement API registration mechanism for SHA1
2019-12-18 21:32 [PATCH v1 0/6] SecurityPkg/BaseHashLib: Implement a Unified API for Hash Calculation Sukerkar, Amol N
@ 2019-12-18 21:32 ` Sukerkar, Amol N
0 siblings, 0 replies; 8+ messages in thread
From: Sukerkar, Amol N @ 2019-12-18 21:32 UTC (permalink / raw)
To: devel
This is the HashApiInstance implementation for SHA1 which registers the SHA1
hash library in CryptoPkg with BaseHashLib based on whether a platform supports
SHA1 hash algorithm (provided by PcdTpm2HashMask).
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c | 128 ++++++++++++++++++++
SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf | 40 ++++++
SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni | 16 +++
SecurityPkg/SecurityPkg.dsc | 5 +
4 files changed, 189 insertions(+)
diff --git a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c
new file mode 100644
index 000000000000..06e88f00d70b
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c
@@ -0,0 +1,128 @@
+/** @file
+ This library is BaseCrypto SHA1 hash instance.
+ It can be registered to BaseCrypto router, to serve as hash engine.
+
+Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiPei.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseCryptLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/HashLib.h>
+
+/**
+ Start hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash sequence start and HandleHandle returned.
+ @retval EFI_OUT_OF_RESOURCES No enough resource to start hash.
+**/
+EFI_STATUS
+EFIAPI
+Sha1_Init (
+ OUT HASH_HANDLE *HashHandle
+ )
+{
+ VOID *Sha1Ctx;
+ UINTN CtxSize;
+
+ CtxSize = Sha1GetContextSize ();
+ Sha1Ctx = AllocatePool (CtxSize);
+ ASSERT (Sha1Ctx != NULL);
+
+ Sha1Init (Sha1Ctx);
+
+ *HashHandle = (HASH_HANDLE)Sha1Ctx;
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Update hash sequence data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval EFI_SUCCESS Hash sequence updated.
+**/
+EFI_STATUS
+EFIAPI
+Sha1_Update (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+ )
+{
+ VOID *Sha1Ctx;
+
+ Sha1Ctx = (VOID *)HashHandle;
+ Sha1Update (Sha1Ctx, DataToHash, DataToHashLen);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Complete hash sequence complete.
+
+ @param HashHandle Hash handle.
+ @param DigestList Digest list.
+
+ @retval EFI_SUCCESS Hash sequence complete and DigestList is returned.
+**/
+EFI_STATUS
+EFIAPI
+Sha1_Final (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 **Digest
+ )
+{
+ UINT8 Sha1Digest[SHA1_DIGEST_SIZE];
+ VOID *Sha1Ctx;
+
+ Sha1Ctx = (VOID *)HashHandle;
+ Sha1Final (Sha1Ctx, Sha1Digest);
+
+ CopyMem (*Digest, Sha1Digest, SHA1_DIGEST_SIZE);
+
+ FreePool (Sha1Ctx);
+
+ return EFI_SUCCESS;
+}
+
+HASH_INTERFACE_UNIFIED_API mSha1InternalHashApiInstance = {
+ HASH_ALGORITHM_SHA1_GUID,
+ Sha1_Init,
+ Sha1_Update,
+ Sha1_Final,
+};
+
+/**
+ The function register SHA1 instance.
+
+ @retval EFI_SUCCESS SHA1 instance is registered, or system dose not surpport registr SHA1 instance
+**/
+EFI_STATUS
+EFIAPI
+HashApiInstanceSha1Constructor (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+
+ Status = RegisterHashApiLib (&mSha1InternalHashApiInstance);
+ if ((Status == EFI_SUCCESS) || (Status == EFI_UNSUPPORTED)) {
+ //
+ // Unsupported means platform policy does not need this instance enabled.
+ //
+ DEBUG ((DEBUG_ERROR, "[ansukerk]: Hash Interface SHA1 is registered\n"));
+ return EFI_SUCCESS;
+ }
+ return Status;
+}
diff --git a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf
new file mode 100644
index 000000000000..b59c4d883439
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf
@@ -0,0 +1,40 @@
+## @file
+# Provides BaseCrypto SHA1 hash service
+#
+# This library can be registered to BaseCrypto router, to serve as hash engine.
+#
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = HashApiInstanceSha1
+ MODULE_UNI_FILE = HashApiInstanceSha1.uni
+ FILE_GUID = 9A7A6AB4-9DA6-4aa4-90CB-6D4B79EDA7B9
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = NULL
+ CONSTRUCTOR = HashApiInstanceSha1Constructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ HashApiInstanceSha1.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ BaseCryptLib
diff --git a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni
new file mode 100644
index 000000000000..716369d2fb8a
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni
@@ -0,0 +1,16 @@
+// /** @file
+// Provides BaseCrypto SHA1 hash service
+//
+// This library can be registered to BaseCrypto router, to serve as hash engine.
+//
+// Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides BaseCrypto SHA1 hash service API"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This library can be registered to Base Hash API, to serve as hash engine."
+
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 9ae134ffee53..6c0832d48e88 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -241,6 +241,11 @@ [Components.IA32, Components.X64, Components.ARM, Components.AARCH64]
[Components.IA32, Components.X64]
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+ #
+ # Hash API
+ #
+ SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf
+
#
# TPM
#
--
2.16.2.windows.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v1 0/6] SecurityPkg/BaseHashLib: Implement a Unified API for Hash Calculation
@ 2019-12-18 21:50 Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 1/6] SecurityPkg/BaseHashLib: Implement a unified " Sukerkar, Amol N
` (5 more replies)
0 siblings, 6 replies; 8+ messages in thread
From: Sukerkar, Amol N @ 2019-12-18 21:50 UTC (permalink / raw)
To: devel; +Cc: michael.d.kinney, sachin.agrawal, self
Currently the UEFI drivers using the SHA/SM3 hashing algorithms use hard-coded API to calculate the hash, such as, sha_256(…), etc. Since SHA384 and/or SM3 are being increasingly adopted, it becomes cumbersome to modify the driver with SHA384 or SM3 calls for each application.
To better achieve this, we are proposing a unified API which can be used by UEFI drivers that provides the drivers with flexibility to use the hashing algorithm they desired or the strongest hashing algorithm the system supports (with openssl). Attached is the design proposal for the same and we request feedback from the community before we begin the process of making the changes to EDK2 repo.
Alternatively, the design document is also attached to Bugzilla, https://bugzilla.tianocore.org/show_bug.cgi?id=2151. You can also provide the feedback in the Bugzilla.
Sukerkar, Amol N (6):
SecurityPkg/BaseHashLib: Implement a unified API for Hash Calculation
SecurityPkg/HashApiInstanceSha1: Implement API registration mechanism
for SHA1
SecurityPkg/HashApiInstanceSha256: Implement API registration
mechanism for SHA256
SecurityPkg/HashApiInstanceSha384: Implement API registration
mechanism for SHA384
SecurityPkg/BaseHashLib: Modified the Registation Mechanism for
BaseHashLib
SecurityPkg/HashApiInstanceSM3: Implement API registration mechanism
for SM3
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 252 +++++++++++++
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 396 ++++++++++++++++++++
SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c | 128 +++++++
SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c | 128 +++++++
SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c | 128 +++++++
SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.c | 128 +++++++
SecurityPkg/Include/Library/BaseHashLib.h | 153 ++++++++
SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 35 ++
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 +++
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 +
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 48 +++
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 18 +
SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf | 40 ++
SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni | 16 +
SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf | 40 ++
SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.uni | 16 +
SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.inf | 40 ++
SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.uni | 16 +
SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.inf | 40 ++
SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.uni | 16 +
SecurityPkg/SecurityPkg.dec | 19 +
SecurityPkg/SecurityPkg.dsc | 11 +
SecurityPkg/SecurityPkg.uni | 14 +
23 files changed, 1747 insertions(+)
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
create mode 100644 SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c
create mode 100644 SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c
create mode 100644 SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c
create mode 100644 SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.c
create mode 100644 SecurityPkg/Include/Library/BaseHashLib.h
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
create mode 100644 SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf
create mode 100644 SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni
create mode 100644 SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf
create mode 100644 SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.uni
create mode 100644 SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.inf
create mode 100644 SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.uni
create mode 100644 SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.inf
create mode 100644 SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.uni
--
2.16.2.windows.1
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v1 1/6] SecurityPkg/BaseHashLib: Implement a unified API for Hash Calculation
2019-12-18 21:50 [PATCH v1 0/6] SecurityPkg/BaseHashLib: Implement a Unified API for Hash Calculation Sukerkar, Amol N
@ 2019-12-18 21:50 ` Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 2/6] SecurityPkg/HashApiInstanceSha1: Implement API registration mechanism for SHA1 Sukerkar, Amol N
` (4 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Sukerkar, Amol N @ 2019-12-18 21:50 UTC (permalink / raw)
To: devel; +Cc: michael.d.kinney, sachin.agrawal, self
This implementation eliminates the need to use hard-coded API to calculate hash
by PEI and DXE drivers by introducing a common and unified API for hash
calculation.
The common API will execute the hash algorithm specified by the PCD,
PcdSystemHashPolicy.
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
SecurityPkg/Library/BaseHashLib/BaseHashLib.c | 236 ++++++++++++++++++++
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 62 +++++
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 62 +++++
SecurityPkg/Include/Library/HashLib.h | 83 +++++++
SecurityPkg/Library/BaseHashLib/BaseHashLib.h | 85 +++++++
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 49 ++++
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 50 +++++
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 18 ++
SecurityPkg/SecurityPkg.dec | 28 +++
SecurityPkg/SecurityPkg.dsc | 4 +
SecurityPkg/SecurityPkg.uni | 23 ++
12 files changed, 718 insertions(+)
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.c b/SecurityPkg/Library/BaseHashLib/BaseHashLib.c
new file mode 100644
index 000000000000..2ad83387799d
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLib.c
@@ -0,0 +1,236 @@
+/** @file
+ Implement image verification services for secure boot service
+
+ Caution: This file requires additional review when modified.
+ This library will have external input - PE/COFF image.
+ This external input must be validated carefully to avoid security issue like
+ buffer overflow, integer overflow.
+
+ DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
+ untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashLib.h>
+
+//#include "BaseHashLib.h"
+
+typedef struct {
+ EFI_GUID Guid;
+ UINT32 Mask;
+} HASH_MASK;
+
+HASH_MASK mHashMask[] = {
+ {HASH_ALGORITHM_SHA1_GUID, HASH_ALG_SHA1},
+ {HASH_ALGORITHM_SHA256_GUID, HASH_ALG_SHA256},
+ {HASH_ALGORITHM_SHA384_GUID, HASH_ALG_SHA384},
+ {HASH_ALGORITHM_SHA512_GUID, HASH_ALG_SHA512},
+};
+
+HASH_INTERFACE_UNIFIED_API mHashOps[HASH_COUNT] = {{{0}, NULL, NULL, NULL}};
+
+UINTN mHashInterfaceCount = 0;
+UINT32 mCurrentHashMask = 0;
+
+UINT32
+EFIAPI
+GetApiHashMaskFromAlgo (
+ IN EFI_GUID *HashGuid
+ )
+{
+ UINTN Index;
+
+ for (Index = 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index++) {
+ if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) {
+ return mHashMask[Index].Mask;
+ }
+ }
+ return 0;
+}
+
+/**
+ Init hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash start and HashHandle returned.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiInit (
+ OUT HASH_HANDLE *HashHandle
+)
+{
+ HASH_HANDLE *HashCtx;
+ UINTN Index;
+ UINT32 HashMask;
+
+ if (mHashInterfaceCount == 0) {
+ return EFI_UNSUPPORTED;
+ }
+
+ HashCtx = AllocatePool (sizeof(*HashCtx));
+ ASSERT (HashCtx != NULL);
+
+ for (Index = 0; Index < mHashInterfaceCount; Index++) {
+ HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
+ if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
+ (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
+ mHashOps[Index].HashInit (HashCtx);
+ }
+ }
+
+ *HashHandle = (HASH_HANDLE)HashCtx;
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Update hash data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval EFI_SUCCESS Hash updated.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiUpdate (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+)
+{
+ HASH_HANDLE *HashCtx;
+ UINTN Index;
+ UINT32 HashMask;
+
+ if (mHashInterfaceCount == 0) {
+ return EFI_UNSUPPORTED;
+ }
+
+ HashCtx = (HASH_HANDLE *)HashHandle;
+
+ for (Index = 0; Index < mHashInterfaceCount; Index++) {
+ HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
+ if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
+ (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
+ mHashOps[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen);
+ }
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Hash complete.
+
+ @param HashHandle Hash handle.
+ @param Digest Hash Digest.
+
+ @retval EFI_SUCCESS Hash complete and Digest is returned.
+**/
+EFI_STATUS
+EFIAPI
+HashApiFinal (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 *Digest
+)
+{
+ HASH_HANDLE *HashCtx;
+ UINTN Index;
+ UINT32 HashMask;
+
+ if (mHashInterfaceCount == 0) {
+ return EFI_UNSUPPORTED;
+ }
+
+ HashCtx = (HASH_HANDLE *)HashHandle;
+
+ for (Index = 0; Index < mHashInterfaceCount; Index++) {
+ HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
+ if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
+ (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
+ mHashOps[Index].HashFinal (HashCtx[0], &Digest);
+ }
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ This service registers Hash Interface.
+
+ @param HashInterface Hash interface
+
+ @retval EFI_SUCCESS This hash interface is registered successfully.
+ @retval EFI_UNSUPPORTED System does not support register this interface.
+ @retval EFI_ALREADY_STARTED System already register this interface.
+**/
+EFI_STATUS
+EFIAPI
+RegisterHashApiLib (
+ IN HASH_INTERFACE_UNIFIED_API *HashInterface
+ )
+{
+ EFI_STATUS Status;
+ UINTN Index;
+ UINT32 HashMask;
+
+ //
+ // Check Allow
+ //
+ HashMask = GetApiHashMaskFromAlgo (&HashInterface->HashGuid);
+
+ // check if Hash Mask is supported
+ if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {
+ return EFI_UNSUPPORTED;
+ }
+
+ if (mHashInterfaceCount >= sizeof(mHashOps)/sizeof(mHashOps[0])) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ //
+ // Check duplication
+ //
+ for (Index = 0; Index < mHashInterfaceCount; Index++) {
+ if (CompareGuid (&mHashOps[Index].HashGuid, &HashInterface->HashGuid)) {
+ DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been registered\n", &HashInterface->HashGuid));
+ return EFI_ALREADY_STARTED;
+ }
+ }
+
+ //
+ // Register the Hash Algo.
+ //
+ mCurrentHashMask = PcdGet32 (PcdHashAlgorithmBitmap) | HashMask;
+ Status = PcdSet32S (PcdHashAlgorithmBitmap, mCurrentHashMask);
+ ASSERT_EFI_ERROR (Status);
+
+ CopyMem (&mHashOps[mHashInterfaceCount], HashInterface, sizeof(*HashInterface));
+ mHashInterfaceCount ++;
+
+ return EFI_SUCCESS;
+}
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
new file mode 100644
index 000000000000..5de94d80fad5
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
@@ -0,0 +1,62 @@
+/** @file
+ Implement image verification services for secure boot service
+
+ Caution: This file requires additional review when modified.
+ This library will have external input - PE/COFF image.
+ This external input must be validated carefully to avoid security issue like
+ buffer overflow, integer overflow.
+
+ DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
+ untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashLib.h>
+
+#include "BaseHashLib.h"
+
+/**
+ The constructor function of BaseHashLib Dxe.
+
+ @param FileHandle The handle of FFS header the loaded driver.
+ @param PeiServices The pointer to the PEI services.
+
+ @retval EFI_SUCCESS The constructor executes successfully.
+ @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constructor.
+
+**/
+EFI_STATUS
+EFIAPI
+BaseHashLibApiPeiConstructor (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+
+ //
+ // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module.
+ //
+ Status = PcdSet32S (PcdHashAlgorithmBitmap, 0);
+ ASSERT_EFI_ERROR (Status);
+
+ return EFI_SUCCESS;
+}
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
new file mode 100644
index 000000000000..8ffe356b60e7
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
@@ -0,0 +1,62 @@
+/** @file
+ Implement image verification services for secure boot service
+
+ Caution: This file requires additional review when modified.
+ This library will have external input - PE/COFF image.
+ This external input must be validated carefully to avoid security issue like
+ buffer overflow, integer overflow.
+
+ DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
+ untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashLib.h>
+
+#include "BaseHashLib.h"
+
+/**
+ The constructor function of BaseHashLib Pei.
+
+ @param FileHandle The handle of FFS header the loaded driver.
+ @param PeiServices The pointer to the PEI services.
+
+ @retval EFI_SUCCESS The constructor executes successfully.
+ @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constructor.
+
+**/
+EFI_STATUS
+EFIAPI
+BaseHashLibApiPeiConstructor (
+ IN EFI_PEI_FILE_HANDLE FileHandle,
+ IN CONST EFI_PEI_SERVICES **PeiServices
+ )
+{
+ EFI_STATUS Status;
+
+ //
+ // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module.
+ //
+ Status = PcdSet32S (PcdHashAlgorithmBitmap, 0);
+ ASSERT_EFI_ERROR (Status);
+
+ return EFI_SUCCESS;
+}
\ No newline at end of file
diff --git a/SecurityPkg/Include/Library/HashLib.h b/SecurityPkg/Include/Library/HashLib.h
index 6ad960ad70ee..740cb8188e51 100644
--- a/SecurityPkg/Include/Library/HashLib.h
+++ b/SecurityPkg/Include/Library/HashLib.h
@@ -87,6 +87,53 @@ HashAndExtend (
OUT TPML_DIGEST_VALUES *DigestList
);
+/**
+ Init hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash start and HashHandle returned.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiInit (
+ OUT HASH_HANDLE *HashHandle
+);
+
+/**
+ Update hash data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval EFI_SUCCESS Hash updated.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiUpdate (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+);
+
+/**
+ Hash complete.
+
+ @param HashHandle Hash handle.
+ @param Digest Hash Digest.
+
+ @retval EFI_SUCCESS Hash complete and Digest is returned.
+**/
+EFI_STATUS
+EFIAPI
+HashApiFinal (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 *Digest
+);
+
/**
Start hash sequence.
@@ -133,6 +180,21 @@ EFI_STATUS
OUT TPML_DIGEST_VALUES *DigestList
);
+/**
+ Hash complete.
+
+ @param HashHandle Hash handle.
+ @param Digest Hash Digest.
+
+ @retval EFI_SUCCESS Hash complete and Digest is returned.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *HASH_FINAL_EX) (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 **Digest
+ );
+
#define HASH_ALGORITHM_SHA1_GUID EFI_HASH_ALGORITHM_SHA1_GUID
#define HASH_ALGORITHM_SHA256_GUID EFI_HASH_ALGORITHM_SHA256_GUID
#define HASH_ALGORITHM_SHA384_GUID EFI_HASH_ALGORITHM_SHA384_GUID
@@ -149,6 +211,13 @@ typedef struct {
HASH_FINAL HashFinal;
} HASH_INTERFACE;
+typedef struct {
+ EFI_GUID HashGuid;
+ HASH_INIT HashInit;
+ HASH_UPDATE HashUpdate;
+ HASH_FINAL_EX HashFinal;
+} HASH_INTERFACE_UNIFIED_API;
+
/**
This service register Hash.
@@ -164,4 +233,18 @@ RegisterHashInterfaceLib (
IN HASH_INTERFACE *HashInterface
);
+/**
+ This service registers Hash Interface.
+
+ @param HashInterface Hash interface
+
+ @retval EFI_SUCCESS This hash interface is registered successfully.
+ @retval EFI_UNSUPPORTED System does not support register this interface.
+ @retval EFI_ALREADY_STARTED System already register this interface.
+**/
+EFI_STATUS
+EFIAPI
+RegisterHashApiLib (
+ IN HASH_INTERFACE_UNIFIED_API *HashInterface
+);
#endif
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.h b/SecurityPkg/Library/BaseHashLib/BaseHashLib.h
new file mode 100644
index 000000000000..70676c1716c3
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLib.h
@@ -0,0 +1,85 @@
+/** @file
+ The internal header file includes the common header files, defines
+ internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_H_
+#define __BASEHASHLIB_H_
+
+#define HASH_ALGO_COUNT 7
+
+//
+// Hash Algorithms
+//
+#define HASH_ALG_SHA1 0x00000001
+#define HASH_ALG_SHA256 0x00000002
+#define HASH_ALG_SHA384 0x00000004
+#define HASH_ALG_SHA512 0x00000008
+#define HASH_ALG_SM3_256 0x00000010
+#if 0
+typedef
+UINTN
+(EFIAPI *GET_HASH_CTX_SIZE) (
+ VOID
+ );
+
+typedef
+BOOLEAN
+(EFIAPI *_HASH_INIT) (
+ OUT VOID *ShaContext
+ );
+
+typedef
+BOOLEAN
+(EFIAPI *_HASH_DUPLICATE) (
+ IN CONST VOID *ShaContext,
+ OUT VOID *NewShaContext
+ );
+
+typedef
+BOOLEAN
+(EFIAPI *_HASH_UPDATE) (
+ IN OUT VOID *ShaContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ );
+
+typedef
+BOOLEAN
+(EFIAPI *_HASH_FINAL) (
+ IN OUT VOID *ShaContext,
+ OUT UINT8 *HashValue
+ );
+
+HASH_ALGO_IDX
+GetHashAlgoIndex (
+ VOID
+);
+
+typedef struct {
+ HASH_ALGO_IDX HashAlgo;
+ GET_HASH_CTX_SIZE GetHashCtxSize;
+ _HASH_INIT HashInit;
+ _HASH_DUPLICATE HashDuplicate;
+ _HASH_UPDATE HashUpdate;
+ _HASH_FINAL HashFinal;
+} HASH_OPERATIONS;
+
+
+EFI_STATUS
+EFIAPI
+RegisterHashLib (
+ IN HASH_OPERATIONS *HashInterface
+);
+#endif
+#endif
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
new file mode 100644
index 000000000000..f5dcbedb2cd9
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
@@ -0,0 +1,49 @@
+## @file
+# Provides hash service by registered hash handler
+#
+# This library is Base Hash Lib. It will redirect hash request to each individual
+# hash handler registered, such as SHA1, SHA256, SHA384, SM3. Platform can use
+# PcdTpm2HashMask to register hash engines.
+#
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = BaseHashLibDxe
+ MODULE_UNI_FILE = BaseHashLibDxe.uni
+ FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+ CONSTRUCTOR = BaseHashLibApiDxeConstructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ BaseHashLib.h
+ BaseHashLibDxe.c
+ BaseHashLib.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ PcdLib
+
+[Pcd]
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
+
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
new file mode 100644
index 000000000000..d8b03ea4da63
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
@@ -0,0 +1,18 @@
+// /** @file
+// Provides hash service by registered hash handler
+//
+// This library is BaseCrypto router. It will redirect hash request to each individual
+// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to
+// mask some hash engines.
+//
+// Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides hash service by registered hash handler"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This library is BaseCrypto router. It will redirect hash request to each individual hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to mask some hash engines."
+
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
new file mode 100644
index 000000000000..07e95a5a9c0f
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
@@ -0,0 +1,50 @@
+## @file
+# Provides hash service by registered hash handler
+#
+# This library is BaseCrypto router. It will redirect hash request to each individual
+# hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to
+# mask some hash engines.
+#
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = BaseHashLibPei
+ MODULE_UNI_FILE = BaseHashLibPei.uni
+ FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
+ MODULE_TYPE = PEIM
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = BaseHashLib|PEIM
+ CONSTRUCTOR = BaseHashLibApiPeiConstructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ BaseHashLib.h
+ BaseHashLibPei.c
+ BaseHashLib.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ PcdLib
+
+[Pcd]
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
+
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
new file mode 100644
index 000000000000..d8b03ea4da63
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
@@ -0,0 +1,18 @@
+// /** @file
+// Provides hash service by registered hash handler
+//
+// This library is BaseCrypto router. It will redirect hash request to each individual
+// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to
+// mask some hash engines.
+//
+// Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides hash service by registered hash handler"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This library is BaseCrypto router. It will redirect hash request to each individual hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to mask some hash engines."
+
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index cac36caf0a0d..b03677a5411c 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -27,6 +27,10 @@ [LibraryClasses]
#
HashLib|Include/Library/HashLib.h
+ ## @libraryclass Provides hash interfaces from different implementations.
+ #
+ BaseHashLib|Include/Library/HashLib.h
+
## @libraryclass Provides a platform specific interface to detect physically present user.
#
PlatformSecureLib|Include/Library/PlatformSecureLib.h
@@ -496,5 +500,29 @@ [PcdsDynamic, PcdsDynamicEx]
# @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023
+ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+ ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF image
+ # Based on the value set, the required algorithm is chosen to verify
+ # the unsigned image during Secure Boot.<BR>
+ # The hashing algorithm selected must match the hashing algorithm used to
+ # hash the image to be added to DB using tools such as KeyEnroll.<BR>
+ # 0x00000001 - SHA1.<BR>
+ # 0x00000002 - SHA256.<BR>
+ # 0x00000004 - SHA384.<BR>
+ # 0x00000008 - SHA512.<BR>
+ # 0x00000010 - SM3_256.<BR>
+ # @Prompt Set policy for hashing unsigned image for Secure Boot.
+ # @ValidRange 0x80000001 | 0x00000000 - 0x00000005
+ gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x02|UINT32|0x00010024
+
+ ## This PCD indicated final BIOS supported Hash mask for Base Hash API.
+ # Bios may choose to register a subset of PcdTpm2HashMask.
+ # This PCD is final value of how many hash algo are registered with
+ # Base Hash API.
+ # This PCD will start with value 0 by the Base Hash API constructor and
+ # the value will be updated as Hash Algo are registered.
+ # @Prompt Hash Algorithm bitmap for Base Hash API.
+ gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|0xFFFFFFFF|UINT32|0x00010025
+
[UserExtensions.TianoCore."ExtraFiles"]
SecurityPkgExtra.uni
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index a2eeadda7a7e..9ae134ffee53 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.inf
RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+ BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
[LibraryClasses.common.DXE_DRIVER]
HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
@@ -170,6 +171,7 @@ [PcdsDynamicDefault.common.DEFAULT]
gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|3
gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|3
+ gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|3
[PcdsDynamicHii.common.DEFAULT]
gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS
@@ -211,6 +213,8 @@ [Components]
SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
+ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
+
#
# TCG Storage.
#
diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni
index 68587304d779..2dc77279210c 100644
--- a/SecurityPkg/SecurityPkg.uni
+++ b/SecurityPkg/SecurityPkg.uni
@@ -295,3 +295,26 @@
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
"0 means this field is unsupported\n"
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT #language en-US "HASH algorithm to verify unsigned PE/COFF image"
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP #language en-US "This PCD indicates the HASH algorithm to verify unsigned PE/COFF image.<BR><BR>\n"
+ "Based on the value set, the required algorithm is chosen to verify\n"
+ "the unsigned image during Secure Boot.<BR>\n"
+ "The hashing algorithm selected must match the hashing algorithm used to\n"
+ "hash the image to be added to DB using tools such as KeyEnroll.<BR>\n"
+ "0x00000000 - SHA1.<BR>\n"
+ "0x00000001 - SHA224.<BR>"
+ "0x00000002 - SHA256.<BR>\n"
+ "0x00000003 - SHA384.<BR>\n"
+ "0x00000004 - SHA512.<BR>\n"
+ "0x00000005 - SM3.<BR>"
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_PROMPT #language en-US "Hash Algorithm bitmap for Base Hash API."
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_HELP #language en-US "This PCD indicated final BIOS supported Hash mask for Base Hash API.\n"
+ "Bios may choose to register a subset of PcdTpm2HashMask.<BR>\n"
+ "This PCD is final value of how many hash algo are registered with\n"
+ "Base Hash API.<BR>\n"
+ "This PCD will start with value 0 by the Base Hash API constructor and\n"
+ "the value will be updated as Hash Algo are registered.<BR>\n"
--
2.16.2.windows.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v1 2/6] SecurityPkg/HashApiInstanceSha1: Implement API registration mechanism for SHA1
2019-12-18 21:50 [PATCH v1 0/6] SecurityPkg/BaseHashLib: Implement a Unified API for Hash Calculation Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 1/6] SecurityPkg/BaseHashLib: Implement a unified " Sukerkar, Amol N
@ 2019-12-18 21:50 ` Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 3/6] SecurityPkg/HashApiInstanceSha256: Implement API registration mechanism for SHA256 Sukerkar, Amol N
` (3 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Sukerkar, Amol N @ 2019-12-18 21:50 UTC (permalink / raw)
To: devel; +Cc: michael.d.kinney, sachin.agrawal, self
This is the HashApiInstance implementation for SHA1 which registers the SHA1
hash library in CryptoPkg with BaseHashLib based on whether a platform supports
SHA1 hash algorithm (provided by PcdTpm2HashMask).
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c | 128 ++++++++++++++++++++
SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf | 40 ++++++
SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni | 16 +++
SecurityPkg/SecurityPkg.dsc | 5 +
4 files changed, 189 insertions(+)
diff --git a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c
new file mode 100644
index 000000000000..06e88f00d70b
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c
@@ -0,0 +1,128 @@
+/** @file
+ This library is BaseCrypto SHA1 hash instance.
+ It can be registered to BaseCrypto router, to serve as hash engine.
+
+Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiPei.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseCryptLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/HashLib.h>
+
+/**
+ Start hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash sequence start and HandleHandle returned.
+ @retval EFI_OUT_OF_RESOURCES No enough resource to start hash.
+**/
+EFI_STATUS
+EFIAPI
+Sha1_Init (
+ OUT HASH_HANDLE *HashHandle
+ )
+{
+ VOID *Sha1Ctx;
+ UINTN CtxSize;
+
+ CtxSize = Sha1GetContextSize ();
+ Sha1Ctx = AllocatePool (CtxSize);
+ ASSERT (Sha1Ctx != NULL);
+
+ Sha1Init (Sha1Ctx);
+
+ *HashHandle = (HASH_HANDLE)Sha1Ctx;
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Update hash sequence data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval EFI_SUCCESS Hash sequence updated.
+**/
+EFI_STATUS
+EFIAPI
+Sha1_Update (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+ )
+{
+ VOID *Sha1Ctx;
+
+ Sha1Ctx = (VOID *)HashHandle;
+ Sha1Update (Sha1Ctx, DataToHash, DataToHashLen);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Complete hash sequence complete.
+
+ @param HashHandle Hash handle.
+ @param DigestList Digest list.
+
+ @retval EFI_SUCCESS Hash sequence complete and DigestList is returned.
+**/
+EFI_STATUS
+EFIAPI
+Sha1_Final (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 **Digest
+ )
+{
+ UINT8 Sha1Digest[SHA1_DIGEST_SIZE];
+ VOID *Sha1Ctx;
+
+ Sha1Ctx = (VOID *)HashHandle;
+ Sha1Final (Sha1Ctx, Sha1Digest);
+
+ CopyMem (*Digest, Sha1Digest, SHA1_DIGEST_SIZE);
+
+ FreePool (Sha1Ctx);
+
+ return EFI_SUCCESS;
+}
+
+HASH_INTERFACE_UNIFIED_API mSha1InternalHashApiInstance = {
+ HASH_ALGORITHM_SHA1_GUID,
+ Sha1_Init,
+ Sha1_Update,
+ Sha1_Final,
+};
+
+/**
+ The function register SHA1 instance.
+
+ @retval EFI_SUCCESS SHA1 instance is registered, or system dose not surpport registr SHA1 instance
+**/
+EFI_STATUS
+EFIAPI
+HashApiInstanceSha1Constructor (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+
+ Status = RegisterHashApiLib (&mSha1InternalHashApiInstance);
+ if ((Status == EFI_SUCCESS) || (Status == EFI_UNSUPPORTED)) {
+ //
+ // Unsupported means platform policy does not need this instance enabled.
+ //
+ DEBUG ((DEBUG_ERROR, "[ansukerk]: Hash Interface SHA1 is registered\n"));
+ return EFI_SUCCESS;
+ }
+ return Status;
+}
diff --git a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf
new file mode 100644
index 000000000000..b59c4d883439
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf
@@ -0,0 +1,40 @@
+## @file
+# Provides BaseCrypto SHA1 hash service
+#
+# This library can be registered to BaseCrypto router, to serve as hash engine.
+#
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = HashApiInstanceSha1
+ MODULE_UNI_FILE = HashApiInstanceSha1.uni
+ FILE_GUID = 9A7A6AB4-9DA6-4aa4-90CB-6D4B79EDA7B9
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = NULL
+ CONSTRUCTOR = HashApiInstanceSha1Constructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ HashApiInstanceSha1.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ BaseCryptLib
diff --git a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni
new file mode 100644
index 000000000000..716369d2fb8a
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni
@@ -0,0 +1,16 @@
+// /** @file
+// Provides BaseCrypto SHA1 hash service
+//
+// This library can be registered to BaseCrypto router, to serve as hash engine.
+//
+// Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides BaseCrypto SHA1 hash service API"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This library can be registered to Base Hash API, to serve as hash engine."
+
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 9ae134ffee53..6c0832d48e88 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -241,6 +241,11 @@ [Components.IA32, Components.X64, Components.ARM, Components.AARCH64]
[Components.IA32, Components.X64]
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+ #
+ # Hash API
+ #
+ SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf
+
#
# TPM
#
--
2.16.2.windows.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v1 3/6] SecurityPkg/HashApiInstanceSha256: Implement API registration mechanism for SHA256
2019-12-18 21:50 [PATCH v1 0/6] SecurityPkg/BaseHashLib: Implement a Unified API for Hash Calculation Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 1/6] SecurityPkg/BaseHashLib: Implement a unified " Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 2/6] SecurityPkg/HashApiInstanceSha1: Implement API registration mechanism for SHA1 Sukerkar, Amol N
@ 2019-12-18 21:50 ` Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 4/6] SecurityPkg/HashApiInstanceSha384: Implement API registration mechanism for SHA384 Sukerkar, Amol N
` (2 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Sukerkar, Amol N @ 2019-12-18 21:50 UTC (permalink / raw)
To: devel; +Cc: michael.d.kinney, sachin.agrawal, self
This is the HashApiInstance implementation for SHA256 which registers the
SHA256 hash library in CryptoPkg with BaseHashLib based on whether a platform
supports SHA256 hash algorithm (provided by PcdTpm2HashMask).
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c | 128 ++++++++++++++++++++
SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf | 40 ++++++
SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.uni | 16 +++
SecurityPkg/SecurityPkg.dsc | 1 +
4 files changed, 185 insertions(+)
diff --git a/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c
new file mode 100644
index 000000000000..129d60a387fd
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c
@@ -0,0 +1,128 @@
+/** @file
+ This library is BaseCrypto SHA256 hash instance.
+ It can be registered to BaseCrypto router, to serve as hash engine.
+
+Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiPei.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseCryptLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/HashLib.h>
+
+/**
+ Start hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash sequence start and HandleHandle returned.
+ @retval EFI_OUT_OF_RESOURCES No enough resource to start hash.
+**/
+EFI_STATUS
+EFIAPI
+Sha256_Init (
+ OUT HASH_HANDLE *HashHandle
+ )
+{
+ VOID *Sha256Ctx;
+ UINTN CtxSize;
+
+ CtxSize = Sha256GetContextSize ();
+ Sha256Ctx = AllocatePool (CtxSize);
+ ASSERT (Sha256Ctx != NULL);
+
+ Sha256Init (Sha256Ctx);
+
+ *HashHandle = (HASH_HANDLE)Sha256Ctx;
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Update hash sequence data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval EFI_SUCCESS Hash sequence updated.
+**/
+EFI_STATUS
+EFIAPI
+Sha256_Update (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+ )
+{
+ VOID *Sha256Ctx;
+
+ Sha256Ctx = (VOID *)HashHandle;
+ Sha256Update (Sha256Ctx, DataToHash, DataToHashLen);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Complete hash sequence complete.
+
+ @param HashHandle Hash handle.
+ @param DigestList Digest list.
+
+ @retval EFI_SUCCESS Hash sequence complete and DigestList is returned.
+**/
+EFI_STATUS
+EFIAPI
+Sha256_Final (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 **Digest
+ )
+{
+ UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
+ VOID *Sha256Ctx;
+
+ Sha256Ctx = (VOID *)HashHandle;
+ Sha256Final (Sha256Ctx, Sha256Digest);
+
+ CopyMem (*Digest, Sha256Digest, SHA256_DIGEST_SIZE);
+
+ FreePool (Sha256Ctx);
+
+ return EFI_SUCCESS;
+}
+
+HASH_INTERFACE_UNIFIED_API mSha256InternalHashApiInstance = {
+ HASH_ALGORITHM_SHA256_GUID,
+ Sha256_Init,
+ Sha256_Update,
+ Sha256_Final,
+};
+
+/**
+ The function register SHA256 instance.
+
+ @retval EFI_SUCCESS SHA256 instance is registered, or system dose not surpport registr SHA256 instance
+**/
+EFI_STATUS
+EFIAPI
+HashApiInstanceSha256Constructor (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+
+ Status = RegisterHashApiLib (&mSha256InternalHashApiInstance);
+ if ((Status == EFI_SUCCESS) || (Status == EFI_UNSUPPORTED)) {
+ //
+ // Unsupported means platform policy does not need this instance enabled.
+ //
+ DEBUG ((DEBUG_ERROR, "[ansukerk]: Hash Interface SHA256 is registered\n"));
+ return EFI_SUCCESS;
+ }
+ return Status;
+}
diff --git a/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf
new file mode 100644
index 000000000000..08d802cd69f4
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf
@@ -0,0 +1,40 @@
+## @file
+# Provides BaseCrypto SHA1 hash service
+#
+# This library can be registered to BaseCrypto router, to serve as hash engine.
+#
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = HashApiInstanceSha256
+ MODULE_UNI_FILE = HashApiInstanceSha256.uni
+ FILE_GUID = 9A7A6AB4-9DA6-4aa4-90CB-6D4B79EDA7B9
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = NULL
+ CONSTRUCTOR = HashApiInstanceSha256Constructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ HashApiInstanceSha256.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ BaseCryptLib
diff --git a/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.uni b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.uni
new file mode 100644
index 000000000000..b2121464c552
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.uni
@@ -0,0 +1,16 @@
+// /** @file
+// Provides BaseCrypto SHA256 hash service
+//
+// This library can be registered to BaseCrypto router, to serve as hash engine.
+//
+// Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides BaseCrypto SHA256 hash service API"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This library can be registered to Base Hash API, to serve as hash engine."
+
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 6c0832d48e88..95a5710735e0 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -245,6 +245,7 @@ [Components.IA32, Components.X64]
# Hash API
#
SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf
+ SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf
#
# TPM
--
2.16.2.windows.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v1 4/6] SecurityPkg/HashApiInstanceSha384: Implement API registration mechanism for SHA384
2019-12-18 21:50 [PATCH v1 0/6] SecurityPkg/BaseHashLib: Implement a Unified API for Hash Calculation Sukerkar, Amol N
` (2 preceding siblings ...)
2019-12-18 21:50 ` [PATCH v1 3/6] SecurityPkg/HashApiInstanceSha256: Implement API registration mechanism for SHA256 Sukerkar, Amol N
@ 2019-12-18 21:50 ` Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 5/6] SecurityPkg/BaseHashLib: Modified the Registation Mechanism for BaseHashLib Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 6/6] SecurityPkg/HashApiInstanceSM3: Implement API registration mechanism for SM3 Sukerkar, Amol N
5 siblings, 0 replies; 8+ messages in thread
From: Sukerkar, Amol N @ 2019-12-18 21:50 UTC (permalink / raw)
To: devel; +Cc: michael.d.kinney, sachin.agrawal, self
This is the HashApiInstance implementation for SHA384 which registers the
SHA384 hash library in CryptoPkg with BaseHashLib based on whether a platform
supports SHA384 hash algorithm (provided by PcdTpm2HashMask).
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c | 128 ++++++++++++++++++++
SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.inf | 40 ++++++
SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.uni | 16 +++
SecurityPkg/SecurityPkg.dsc | 1 +
4 files changed, 185 insertions(+)
diff --git a/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c
new file mode 100644
index 000000000000..0d1b8f3e877a
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c
@@ -0,0 +1,128 @@
+/** @file
+ This library is BaseCrypto SHA384 hash instance.
+ It can be registered to BaseCrypto router, to serve as hash engine.
+
+Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiPei.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseCryptLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/HashLib.h>
+
+/**
+ Start hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash sequence start and HandleHandle returned.
+ @retval EFI_OUT_OF_RESOURCES No enough resource to start hash.
+**/
+EFI_STATUS
+EFIAPI
+Sha384_Init (
+ OUT HASH_HANDLE *HashHandle
+ )
+{
+ VOID *Sha384Ctx;
+ UINTN CtxSize;
+
+ CtxSize = Sha384GetContextSize ();
+ Sha384Ctx = AllocatePool (CtxSize);
+ ASSERT (Sha384Ctx != NULL);
+
+ Sha384Init (Sha384Ctx);
+
+ *HashHandle = (HASH_HANDLE)Sha384Ctx;
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Update hash sequence data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval EFI_SUCCESS Hash sequence updated.
+**/
+EFI_STATUS
+EFIAPI
+Sha384_Update (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+ )
+{
+ VOID *Sha384Ctx;
+
+ Sha384Ctx = (VOID *)HashHandle;
+ Sha384Update (Sha384Ctx, DataToHash, DataToHashLen);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Complete hash sequence complete.
+
+ @param HashHandle Hash handle.
+ @param DigestList Digest list.
+
+ @retval EFI_SUCCESS Hash sequence complete and DigestList is returned.
+**/
+EFI_STATUS
+EFIAPI
+Sha384_Final (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 **Digest
+ )
+{
+ UINT8 Sha384Digest[SHA384_DIGEST_SIZE];
+ VOID *Sha384Ctx;
+
+ Sha384Ctx = (VOID *)HashHandle;
+ Sha384Final (Sha384Ctx, Sha384Digest);
+
+ CopyMem (*Digest, Sha384Digest, SHA384_DIGEST_SIZE);
+
+ FreePool (Sha384Ctx);
+
+ return EFI_SUCCESS;
+}
+
+HASH_INTERFACE_UNIFIED_API mSha384InternalHashApiInstance = {
+ HASH_ALGORITHM_SHA384_GUID,
+ Sha384_Init,
+ Sha384_Update,
+ Sha384_Final,
+};
+
+/**
+ The function register SHA384 instance.
+
+ @retval EFI_SUCCESS SHA384 instance is registered, or system dose not surpport registr SHA384 instance
+**/
+EFI_STATUS
+EFIAPI
+HashApiInstanceSha384Constructor (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+
+ Status = RegisterHashApiLib (&mSha384InternalHashApiInstance);
+ if ((Status == EFI_SUCCESS) || (Status == EFI_UNSUPPORTED)) {
+ //
+ // Unsupported means platform policy does not need this instance enabled.
+ //
+ DEBUG ((DEBUG_ERROR, "[ansukerk]: Hash Interface SHA384 is registered\n"));
+ return EFI_SUCCESS;
+ }
+ return Status;
+}
diff --git a/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.inf b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.inf
new file mode 100644
index 000000000000..ee36a926a8b8
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.inf
@@ -0,0 +1,40 @@
+## @file
+# Provides BaseCrypto SHA1 hash service
+#
+# This library can be registered to BaseCrypto router, to serve as hash engine.
+#
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = HashApiInstanceSha384
+ MODULE_UNI_FILE = HashApiInstanceSha384.uni
+ FILE_GUID = 9A7A6AB4-9DA6-4aa4-90CB-6D4B79EDA7B9
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = NULL
+ CONSTRUCTOR = HashApiInstanceSha384Constructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ HashApiInstanceSha384.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ BaseCryptLib
diff --git a/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.uni b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.uni
new file mode 100644
index 000000000000..be41375bca7a
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.uni
@@ -0,0 +1,16 @@
+// /** @file
+// Provides BaseCrypto SHA384 hash service
+//
+// This library can be registered to BaseCrypto router, to serve as hash engine.
+//
+// Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides BaseCrypto SHA384 hash service API"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This library can be registered to Base Hash API, to serve as hash engine."
+
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 95a5710735e0..c03822872718 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -246,6 +246,7 @@ [Components.IA32, Components.X64]
#
SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf
SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf
+ SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.inf
#
# TPM
--
2.16.2.windows.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v1 5/6] SecurityPkg/BaseHashLib: Modified the Registation Mechanism for BaseHashLib
2019-12-18 21:50 [PATCH v1 0/6] SecurityPkg/BaseHashLib: Implement a Unified API for Hash Calculation Sukerkar, Amol N
` (3 preceding siblings ...)
2019-12-18 21:50 ` [PATCH v1 4/6] SecurityPkg/HashApiInstanceSha384: Implement API registration mechanism for SHA384 Sukerkar, Amol N
@ 2019-12-18 21:50 ` Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 6/6] SecurityPkg/HashApiInstanceSM3: Implement API registration mechanism for SM3 Sukerkar, Amol N
5 siblings, 0 replies; 8+ messages in thread
From: Sukerkar, Amol N @ 2019-12-18 21:50 UTC (permalink / raw)
To: devel; +Cc: michael.d.kinney, sachin.agrawal, self
A gEfiCallerIdGuid needs to be introduced in the BaseHashLibPei method to save
the hash mask of registered API instances of hashing algorithms.
gEfiCallerIdGuid saves the last registered hash mask as a HOB that can be
modified or updated with the subsequent registration of API instances of
hashing algorithms based on PcdSystemHashPolicy.
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
SecurityPkg/Library/BaseHashLib/BaseHashLib.c | 236 -------------
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 210 +++++++++++-
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 348 +++++++++++++++++++-
SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c | 2 +-
SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c | 2 +-
SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c | 2 +-
SecurityPkg/Include/Library/BaseHashLib.h | 153 +++++++++
SecurityPkg/Include/Library/HashLib.h | 83 -----
SecurityPkg/Library/BaseHashLib/BaseHashLib.h | 85 -----
SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 35 ++
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 2 -
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 4 +-
SecurityPkg/SecurityPkg.dec | 9 -
SecurityPkg/SecurityPkg.uni | 9 -
14 files changed, 733 insertions(+), 447 deletions(-)
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.c b/SecurityPkg/Library/BaseHashLib/BaseHashLib.c
deleted file mode 100644
index 2ad83387799d..000000000000
--- a/SecurityPkg/Library/BaseHashLib/BaseHashLib.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/** @file
- Implement image verification services for secure boot service
-
- Caution: This file requires additional review when modified.
- This library will have external input - PE/COFF image.
- This external input must be validated carefully to avoid security issue like
- buffer overflow, integer overflow.
-
- DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
- read is within the image buffer.
-
- DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
- untrusted PE/COFF image and validate its data structure within this image buffer before use.
-
-Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
-(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include <Library/BaseLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/DebugLib.h>
-#include <Library/PcdLib.h>
-#include <Library/HashLib.h>
-
-//#include "BaseHashLib.h"
-
-typedef struct {
- EFI_GUID Guid;
- UINT32 Mask;
-} HASH_MASK;
-
-HASH_MASK mHashMask[] = {
- {HASH_ALGORITHM_SHA1_GUID, HASH_ALG_SHA1},
- {HASH_ALGORITHM_SHA256_GUID, HASH_ALG_SHA256},
- {HASH_ALGORITHM_SHA384_GUID, HASH_ALG_SHA384},
- {HASH_ALGORITHM_SHA512_GUID, HASH_ALG_SHA512},
-};
-
-HASH_INTERFACE_UNIFIED_API mHashOps[HASH_COUNT] = {{{0}, NULL, NULL, NULL}};
-
-UINTN mHashInterfaceCount = 0;
-UINT32 mCurrentHashMask = 0;
-
-UINT32
-EFIAPI
-GetApiHashMaskFromAlgo (
- IN EFI_GUID *HashGuid
- )
-{
- UINTN Index;
-
- for (Index = 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index++) {
- if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) {
- return mHashMask[Index].Mask;
- }
- }
- return 0;
-}
-
-/**
- Init hash sequence.
-
- @param HashHandle Hash handle.
-
- @retval EFI_SUCCESS Hash start and HashHandle returned.
- @retval EFI_UNSUPPORTED System has no HASH library registered.
-**/
-EFI_STATUS
-EFIAPI
-HashApiInit (
- OUT HASH_HANDLE *HashHandle
-)
-{
- HASH_HANDLE *HashCtx;
- UINTN Index;
- UINT32 HashMask;
-
- if (mHashInterfaceCount == 0) {
- return EFI_UNSUPPORTED;
- }
-
- HashCtx = AllocatePool (sizeof(*HashCtx));
- ASSERT (HashCtx != NULL);
-
- for (Index = 0; Index < mHashInterfaceCount; Index++) {
- HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
- if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
- (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
- mHashOps[Index].HashInit (HashCtx);
- }
- }
-
- *HashHandle = (HASH_HANDLE)HashCtx;
-
- return EFI_SUCCESS;
-}
-
-/**
- Update hash data.
-
- @param HashHandle Hash handle.
- @param DataToHash Data to be hashed.
- @param DataToHashLen Data size.
-
- @retval EFI_SUCCESS Hash updated.
- @retval EFI_UNSUPPORTED System has no HASH library registered.
-**/
-EFI_STATUS
-EFIAPI
-HashApiUpdate (
- IN HASH_HANDLE HashHandle,
- IN VOID *DataToHash,
- IN UINTN DataToHashLen
-)
-{
- HASH_HANDLE *HashCtx;
- UINTN Index;
- UINT32 HashMask;
-
- if (mHashInterfaceCount == 0) {
- return EFI_UNSUPPORTED;
- }
-
- HashCtx = (HASH_HANDLE *)HashHandle;
-
- for (Index = 0; Index < mHashInterfaceCount; Index++) {
- HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
- if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
- (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
- mHashOps[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen);
- }
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Hash complete.
-
- @param HashHandle Hash handle.
- @param Digest Hash Digest.
-
- @retval EFI_SUCCESS Hash complete and Digest is returned.
-**/
-EFI_STATUS
-EFIAPI
-HashApiFinal (
- IN HASH_HANDLE HashHandle,
- OUT UINT8 *Digest
-)
-{
- HASH_HANDLE *HashCtx;
- UINTN Index;
- UINT32 HashMask;
-
- if (mHashInterfaceCount == 0) {
- return EFI_UNSUPPORTED;
- }
-
- HashCtx = (HASH_HANDLE *)HashHandle;
-
- for (Index = 0; Index < mHashInterfaceCount; Index++) {
- HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
- if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
- (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
- mHashOps[Index].HashFinal (HashCtx[0], &Digest);
- }
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- This service registers Hash Interface.
-
- @param HashInterface Hash interface
-
- @retval EFI_SUCCESS This hash interface is registered successfully.
- @retval EFI_UNSUPPORTED System does not support register this interface.
- @retval EFI_ALREADY_STARTED System already register this interface.
-**/
-EFI_STATUS
-EFIAPI
-RegisterHashApiLib (
- IN HASH_INTERFACE_UNIFIED_API *HashInterface
- )
-{
- EFI_STATUS Status;
- UINTN Index;
- UINT32 HashMask;
-
- //
- // Check Allow
- //
- HashMask = GetApiHashMaskFromAlgo (&HashInterface->HashGuid);
-
- // check if Hash Mask is supported
- if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {
- return EFI_UNSUPPORTED;
- }
-
- if (mHashInterfaceCount >= sizeof(mHashOps)/sizeof(mHashOps[0])) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Check duplication
- //
- for (Index = 0; Index < mHashInterfaceCount; Index++) {
- if (CompareGuid (&mHashOps[Index].HashGuid, &HashInterface->HashGuid)) {
- DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been registered\n", &HashInterface->HashGuid));
- return EFI_ALREADY_STARTED;
- }
- }
-
- //
- // Register the Hash Algo.
- //
- mCurrentHashMask = PcdGet32 (PcdHashAlgorithmBitmap) | HashMask;
- Status = PcdSet32S (PcdHashAlgorithmBitmap, mCurrentHashMask);
- ASSERT_EFI_ERROR (Status);
-
- CopyMem (&mHashOps[mHashInterfaceCount], HashInterface, sizeof(*HashInterface));
- mHashInterfaceCount ++;
-
- return EFI_SUCCESS;
-}
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
index 5de94d80fad5..f292558e3e40 100644
--- a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
@@ -29,9 +29,204 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Library/MemoryAllocationLib.h>
#include <Library/DebugLib.h>
#include <Library/PcdLib.h>
-#include <Library/HashLib.h>
+#include <Library/BaseHashLib.h>
-#include "BaseHashLib.h"
+#include "BaseHashLibCommon.h"
+
+
+HASH_INTERFACE_UNIFIED_API mHashOps[HASH_ALGO_COUNT] = {{{0}, NULL, NULL, NULL}};
+
+UINTN mBaseHashInterfaceCount = 0;
+UINT32 mCurrentHashMask = 0;
+
+UINT32
+EFIAPI
+GetApiHashMaskFromAlgo (
+ IN EFI_GUID *HashGuid
+ )
+{
+ UINTN Index;
+
+ for (Index = 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index++) {
+ if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) {
+ return mHashMask[Index].Mask;
+ }
+ }
+ return 0;
+}
+
+/**
+ Init hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash start and HashHandle returned.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiInit (
+ OUT HASH_HANDLE *HashHandle
+)
+{
+ HASH_HANDLE *HashCtx;
+ UINTN Index;
+ UINT32 HashMask;
+ UINT32 HashPolicy;
+
+ HashPolicy = PcdGet32 (PcdSystemHashPolicy);
+
+ if ((mBaseHashInterfaceCount == 0) || !(mCurrentHashMask & HashPolicy)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ HashCtx = AllocatePool (sizeof(*HashCtx));
+ ASSERT (HashCtx != NULL);
+
+ for (Index = 0; Index < mBaseHashInterfaceCount; Index++) {
+ HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
+ if ((HashMask & HashPolicy) != 0) {
+ mHashOps[Index].HashInit (HashCtx);
+ break;
+ }
+ }
+
+ *HashHandle = (HASH_HANDLE)HashCtx;
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Update hash data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval EFI_SUCCESS Hash updated.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiUpdate (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+)
+{
+ HASH_HANDLE *HashCtx;
+ UINTN Index;
+ UINT32 HashMask;
+ UINT32 HashPolicy;
+
+ HashPolicy = PcdGet32 (PcdSystemHashPolicy);
+
+ if ((mBaseHashInterfaceCount == 0) || !(mCurrentHashMask & HashPolicy)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ HashCtx = (HASH_HANDLE *)HashHandle;
+
+ for (Index = 0; Index < mBaseHashInterfaceCount; Index++) {
+ HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
+ if ((HashMask & HashPolicy) != 0) {
+ mHashOps[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen);
+ break;
+ }
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Hash complete.
+
+ @param HashHandle Hash handle.
+ @param Digest Hash Digest.
+
+ @retval EFI_SUCCESS Hash complete and Digest is returned.
+**/
+EFI_STATUS
+EFIAPI
+HashApiFinal (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 *Digest
+)
+{
+ HASH_HANDLE *HashCtx;
+ UINTN Index;
+ UINT32 HashMask;
+ UINT32 HashPolicy;
+
+ HashPolicy = PcdGet32 (PcdSystemHashPolicy);
+
+ if ((mBaseHashInterfaceCount == 0) || !(mCurrentHashMask & HashPolicy)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ HashCtx = (HASH_HANDLE *)HashHandle;
+
+ for (Index = 0; Index < mBaseHashInterfaceCount; Index++) {
+ HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
+ if ((HashMask & HashPolicy) != 0) {
+ mHashOps[Index].HashFinal (HashCtx[0], &Digest);
+ break;
+ }
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ This service registers Hash Interface.
+
+ @param HashInterface Hash interface
+
+ @retval EFI_SUCCESS This hash interface is registered successfully.
+ @retval EFI_UNSUPPORTED System does not support register this interface.
+ @retval EFI_ALREADY_STARTED System already register this interface.
+**/
+EFI_STATUS
+EFIAPI
+RegisterHashApiLib (
+ IN HASH_INTERFACE_UNIFIED_API *HashInterface
+ )
+{
+ UINTN Index;
+ UINT32 HashMask;
+
+ //
+ // Check Allow
+ //
+ HashMask = GetApiHashMaskFromAlgo (&HashInterface->HashGuid);
+
+
+ if (mBaseHashInterfaceCount >= sizeof(mHashOps)/sizeof(mHashOps[0])) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ //
+ // Check duplication
+ //
+ for (Index = 0; Index < mBaseHashInterfaceCount; Index++) {
+ if (CompareGuid (&mHashOps[Index].HashGuid, &HashInterface->HashGuid)) {
+ DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has already been registered\n", &HashInterface->HashGuid));
+ return EFI_ALREADY_STARTED;
+ }
+ }
+
+ //
+ // Register the Hash Algo.
+ //
+ mCurrentHashMask = mCurrentHashMask | HashMask;
+
+ CopyMem (&mHashOps[mBaseHashInterfaceCount], HashInterface, sizeof(*HashInterface));
+ mBaseHashInterfaceCount ++;
+
+ DEBUG ((DEBUG_INFO,"RegisterHashApiLib: mBaseHashInterfaceCount update to 0x%x \n", mBaseHashInterfaceCount));
+
+ return EFI_SUCCESS;
+}
/**
The constructor function of BaseHashLib Dxe.
@@ -45,18 +240,13 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
EFI_STATUS
EFIAPI
-BaseHashLibApiPeiConstructor (
+BaseHashLibApiDxeConstructor (
IN EFI_HANDLE ImageHandle,
IN EFI_SYSTEM_TABLE *SystemTable
)
{
- EFI_STATUS Status;
-
- //
- // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module.
- //
- Status = PcdSet32S (PcdHashAlgorithmBitmap, 0);
- ASSERT_EFI_ERROR (Status);
+ mBaseHashInterfaceCount = 0;
+ mCurrentHashMask = 0;
return EFI_SUCCESS;
}
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
index 8ffe356b60e7..0fd0e2f42612 100644
--- a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
@@ -30,8 +30,318 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Library/DebugLib.h>
#include <Library/PcdLib.h>
#include <Library/HashLib.h>
+#include <Library/HobLib.h>
+#include <Guid/ZeroGuid.h>
-#include "BaseHashLib.h"
+#include <Library/BaseHashLib.h>
+#include "BaseHashLibCommon.h"
+
+#define BASEHASH_LIB_PEI_ROUTER_GUID \
+ { 0x19ea22c7, 0xf870, 0x4b5e, { 0x98, 0x86, 0x9c, 0x29, 0xb2, 0x20, 0xf0, 0x39 } }
+
+
+EFI_GUID mBaseHashLibPeiRouterGuid = BASEHASH_LIB_PEI_ROUTER_GUID;
+
+typedef struct {
+ //
+ // If gZeroGuid, SupportedHashMask is 0 for FIRST module which consumes HashLib
+ // or the hash algorithm bitmap of LAST module which consumes HashLib.
+ // HashInterfaceCount and HashInterface are all 0.
+ // If gEfiCallerIdGuid, HashInterfaceCount, HashInterface and SupportedHashMask
+ // are the hash interface information of CURRENT module which consumes HashLib.
+ //
+ EFI_GUID Identifier;
+ UINTN HashInterfaceCount;
+ HASH_INTERFACE_UNIFIED_API HashInterface[HASH_ALGO_COUNT];
+ UINT32 SupportedHashMask;
+} HASH_INTERFACE_HOB;
+
+
+UINT32
+EFIAPI
+GetApiHashMaskFromAlgo (
+ IN EFI_GUID *HashGuid
+ )
+{
+ UINTN Index;
+
+ for (Index = 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index++) {
+ if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) {
+ return mHashMask[Index].Mask;
+ }
+ }
+ return 0;
+}
+
+/**
+ This function gets hash interface hob.
+
+ @param Identifier Identifier to get hash interface hob.
+
+ @retval hash interface hob.
+**/
+HASH_INTERFACE_HOB *
+InternalGetBaseHashInterfaceHob (
+ EFI_GUID *Identifier
+ )
+{
+ EFI_PEI_HOB_POINTERS Hob;
+ HASH_INTERFACE_HOB *HashInterfaceHob;
+
+ Hob.Raw = GetFirstGuidHob (&mBaseHashLibPeiRouterGuid);
+ while (Hob.Raw != NULL) {
+ HashInterfaceHob = GET_GUID_HOB_DATA (Hob);
+ if (CompareGuid (&HashInterfaceHob->Identifier, Identifier)) {
+ //
+ // Found the matched one.
+ //
+ return HashInterfaceHob;
+ }
+ Hob.Raw = GET_NEXT_HOB (Hob);
+ Hob.Raw = GetNextGuidHob (&mBaseHashLibPeiRouterGuid, Hob.Raw);
+ }
+
+ return NULL;
+}
+
+/**
+ This function creates hash interface hob.
+
+ @param Identifier Identifier to create hash interface hob.
+
+ @retval hash interface hob.
+**/
+HASH_INTERFACE_HOB *
+InternalCreateBaseHashInterfaceHob (
+ EFI_GUID *Identifier
+ )
+{
+ HASH_INTERFACE_HOB LocalHashInterfaceHob;
+
+ ZeroMem (&LocalHashInterfaceHob, sizeof(LocalHashInterfaceHob));
+ CopyGuid (&LocalHashInterfaceHob.Identifier, Identifier);
+ return BuildGuidDataHob (&mBaseHashLibPeiRouterGuid, &LocalHashInterfaceHob, sizeof(LocalHashInterfaceHob));
+}
+
+/**
+ Init hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash start and HashHandle returned.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiInit (
+ OUT HASH_HANDLE *HashHandle
+)
+{
+ HASH_HANDLE *HashCtx;
+ HASH_INTERFACE_HOB *HashInterfaceHob;
+ UINTN Index;
+ UINT32 HashMask;
+ UINT32 HashPolicy;
+
+ HashInterfaceHob = InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid);
+ if (HashInterfaceHob == NULL) {
+ return EFI_UNSUPPORTED;
+ }
+
+ HashPolicy = PcdGet32 (PcdSystemHashPolicy);
+
+ if ((HashInterfaceHob->HashInterfaceCount == 0) || !(HashInterfaceHob->SupportedHashMask & HashPolicy)) {
+ DEBUG ((DEBUG_INFO,"Unsupported Hash Type 0x%x \n", HashPolicy));
+ return EFI_UNSUPPORTED;
+ }
+
+ HashCtx = AllocatePool (sizeof(*HashCtx));
+ ASSERT (HashCtx != NULL);
+
+ for (Index = 0; Index < HashInterfaceHob->HashInterfaceCount; Index++) {
+ HashMask = GetApiHashMaskFromAlgo (&HashInterfaceHob->HashInterface[Index].HashGuid);
+ if ((HashMask & HashPolicy) != 0) {
+ HashInterfaceHob->HashInterface[Index].HashInit (HashCtx);
+ break;
+ }
+ }
+
+ // Check for hash type supported
+ if(Index == HashInterfaceHob->HashInterfaceCount)
+ return EFI_UNSUPPORTED;
+
+ *HashHandle = (HASH_HANDLE)HashCtx;
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Update hash data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval EFI_SUCCESS Hash updated.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiUpdate (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+)
+{
+ HASH_INTERFACE_HOB *HashInterfaceHob;
+ HASH_HANDLE *HashCtx;
+ UINTN Index;
+ UINT32 HashMask;
+ UINT32 HashPolicy;
+
+ HashInterfaceHob = InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid);
+ if (HashInterfaceHob == NULL) {
+ return EFI_UNSUPPORTED;
+ }
+
+ HashPolicy = PcdGet32 (PcdSystemHashPolicy);
+
+ if ((HashInterfaceHob->HashInterfaceCount == 0) || !(HashInterfaceHob->SupportedHashMask & HashPolicy)) {
+ DEBUG ((DEBUG_INFO,"Unsupported Hash Type 0x%x \n", HashPolicy));
+ return EFI_UNSUPPORTED;
+ }
+
+ HashCtx = (HASH_HANDLE *)HashHandle;
+
+ for (Index = 0; Index < HashInterfaceHob->HashInterfaceCount; Index++) {
+ HashMask = GetApiHashMaskFromAlgo (&HashInterfaceHob->HashInterface[Index].HashGuid);
+ if ((HashMask & HashPolicy) != 0) {
+ HashInterfaceHob->HashInterface[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen);
+ break;
+ }
+ }
+
+ // Check for hash type supported
+ if(Index == HashInterfaceHob->HashInterfaceCount) {
+ return EFI_UNSUPPORTED;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Hash complete.
+
+ @param HashHandle Hash handle.
+ @param Digest Hash Digest.
+
+ @retval EFI_SUCCESS Hash complete and Digest is returned.
+**/
+EFI_STATUS
+EFIAPI
+HashApiFinal (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 *Digest
+)
+{
+ HASH_INTERFACE_HOB *HashInterfaceHob;
+ HASH_HANDLE *HashCtx;
+ UINTN Index;
+ UINT32 HashMask;
+ UINT32 HashPolicy;
+
+ HashInterfaceHob = InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid);
+ if (HashInterfaceHob == NULL) {
+ return EFI_UNSUPPORTED;
+ }
+
+ HashPolicy = PcdGet32 (PcdSystemHashPolicy);
+
+ if ((HashInterfaceHob->HashInterfaceCount == 0) || !(HashInterfaceHob->SupportedHashMask & HashPolicy)) {
+ DEBUG ((DEBUG_INFO,"Unsupported Hash Type 0x%x \n", HashPolicy));
+ return EFI_UNSUPPORTED;
+ }
+
+ HashCtx = (HASH_HANDLE *)HashHandle;
+
+ for (Index = 0; Index < HashInterfaceHob->HashInterfaceCount; Index++) {
+ HashMask = GetApiHashMaskFromAlgo (&HashInterfaceHob->HashInterface[Index].HashGuid);
+ if (HashMask & HashPolicy) {
+ HashInterfaceHob->HashInterface[Index].HashFinal (HashCtx[0], &Digest);
+ break;
+ }
+ }
+
+ // Check for hash type supported
+ if(Index == HashInterfaceHob->HashInterfaceCount){
+ return EFI_UNSUPPORTED;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ This service registers Hash Interface.
+
+ @param HashInterface Hash interface
+
+ @retval EFI_SUCCESS This hash interface is registered successfully.
+ @retval EFI_UNSUPPORTED System does not support register this interface.
+ @retval EFI_ALREADY_STARTED System already register this interface.
+**/
+EFI_STATUS
+EFIAPI
+RegisterHashApiLib (
+ IN HASH_INTERFACE_UNIFIED_API *HashInterface
+ )
+{
+// EFI_STATUS Status;
+ UINTN Index;
+ UINT32 HashMask;
+ HASH_INTERFACE_HOB *HashInterfaceHob;
+
+ //
+ // Check Allow
+ //
+ HashMask = GetApiHashMaskFromAlgo (&HashInterface->HashGuid);
+
+ HashInterfaceHob = InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid);
+ if (HashInterfaceHob == NULL) {
+ HashInterfaceHob = InternalCreateBaseHashInterfaceHob (&gEfiCallerIdGuid);
+ if (HashInterfaceHob == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ } else {
+ // Initialize SupportedHashMask
+ HashInterfaceHob->SupportedHashMask = 0;
+ }
+ }
+
+ if (HashInterfaceHob->HashInterfaceCount >= HASH_COUNT) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ //
+ // Check duplication
+ //
+ for (Index = 0; Index < HashInterfaceHob->HashInterfaceCount; Index++) {
+ if (CompareGuid (&HashInterfaceHob->HashInterface[Index].HashGuid, &HashInterface->HashGuid)) {
+ DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been already registered\n", &HashInterface->HashGuid));
+ return EFI_ALREADY_STARTED;
+ }
+ }
+
+ //
+ // Register the Hash Algo.
+ //
+ HashInterfaceHob->SupportedHashMask = HashInterfaceHob->SupportedHashMask | HashMask;
+
+ CopyMem (&HashInterfaceHob->HashInterface[HashInterfaceHob->HashInterfaceCount], HashInterface, sizeof(*HashInterface));
+ HashInterfaceHob->HashInterfaceCount ++;
+
+ DEBUG ((DEBUG_INFO,"RegisterHashApiLib: HashInterfaceCount 0x%x SupportedHashMask 0x%x \n", HashInterfaceHob->HashInterfaceCount, HashInterfaceHob->SupportedHashMask));
+
+ return EFI_SUCCESS;
+}
/**
The constructor function of BaseHashLib Pei.
@@ -50,13 +360,37 @@ BaseHashLibApiPeiConstructor (
IN CONST EFI_PEI_SERVICES **PeiServices
)
{
- EFI_STATUS Status;
+// EFI_STATUS Status;
+ HASH_INTERFACE_HOB *HashInterfaceHob;
- //
- // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module.
- //
- Status = PcdSet32S (PcdHashAlgorithmBitmap, 0);
- ASSERT_EFI_ERROR (Status);
+ DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n"));
+
+
+ HashInterfaceHob = InternalGetBaseHashInterfaceHob (&gZeroGuid);
+ if (HashInterfaceHob == NULL) {
+ //
+ // No HOB with gZeroGuid Identifier has been created,
+ // this is FIRST module which consumes HashLib.
+ // Create the HOB with gZeroGuid Identifier.
+ //
+ HashInterfaceHob = InternalCreateBaseHashInterfaceHob (&gZeroGuid);
+ if (HashInterfaceHob == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+ }
+
+ HashInterfaceHob = InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid);
+ if (HashInterfaceHob != NULL) {
+ //
+ // In PEI phase, some modules may call RegisterForShadow and will be
+ // shadowed and executed again after memory is discovered.
+ // This is the second execution of this module, clear the hash interface
+ // information registered at its first execution.
+ //
+ ZeroMem (&HashInterfaceHob->HashInterface, sizeof (HashInterfaceHob->HashInterface));
+ HashInterfaceHob->HashInterfaceCount = 0;
+ HashInterfaceHob->SupportedHashMask = 0;
+ }
return EFI_SUCCESS;
}
\ No newline at end of file
diff --git a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c
index 06e88f00d70b..175499e7609c 100644
--- a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c
+++ b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c
@@ -13,7 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/DebugLib.h>
#include <Library/BaseCryptLib.h>
#include <Library/MemoryAllocationLib.h>
-#include <Library/HashLib.h>
+#include <Library/BaseHashLib.h>
/**
Start hash sequence.
diff --git a/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c
index 129d60a387fd..9222a12a3273 100644
--- a/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c
+++ b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c
@@ -13,7 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/DebugLib.h>
#include <Library/BaseCryptLib.h>
#include <Library/MemoryAllocationLib.h>
-#include <Library/HashLib.h>
+#include <Library/BaseHashLib.h>
/**
Start hash sequence.
diff --git a/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c
index 0d1b8f3e877a..c23b1a567172 100644
--- a/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c
+++ b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c
@@ -13,7 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/DebugLib.h>
#include <Library/BaseCryptLib.h>
#include <Library/MemoryAllocationLib.h>
-#include <Library/HashLib.h>
+#include <Library/BaseHashLib.h>
/**
Start hash sequence.
diff --git a/SecurityPkg/Include/Library/BaseHashLib.h b/SecurityPkg/Include/Library/BaseHashLib.h
new file mode 100644
index 000000000000..36dd2912d7eb
--- /dev/null
+++ b/SecurityPkg/Include/Library/BaseHashLib.h
@@ -0,0 +1,153 @@
+/** @file
+ The internal header file includes the common header files, defines
+ internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_H_
+#define __BASEHASHLIB_H_
+
+#include <Uefi.h>
+#include <Protocol/Hash.h>
+#include <Library/HashLib.h>
+
+//
+// Hash Algorithms
+//
+#define HASH_ALG_DEFAULT 0x00000000
+#define HASH_ALG_SHA1 0x00000001
+#define HASH_ALG_SHA256 0x00000002
+#define HASH_ALG_SHA384 0x00000004
+#define HASH_ALG_SHA512 0x00000008
+#define HASH_ALG_SM3_256 0x00000010
+
+
+/**
+ Init hash sequence.
+
+ @param HashType Type of hash algorithm.
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash start and HashHandle returned.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiInit (
+ IN UINT32 HashType,
+ OUT HASH_HANDLE *HashHandle
+);
+
+/**
+ Update hash data.
+
+ @param HashHandle Hash handle.
+ @param HashType Type of hash algorithm.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval EFI_SUCCESS Hash updated.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiUpdate (
+ IN HASH_HANDLE HashHandle,
+ IN UINT32 HashType,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+);
+
+/**
+ Hash complete.
+
+ @param HashHandle Hash handle.
+ @param HashType Type of hash algorithm.
+ @param Digest Hash Digest.
+
+ @retval EFI_SUCCESS Hash complete and Digest is returned.
+**/
+EFI_STATUS
+EFIAPI
+HashApiFinal (
+ IN HASH_HANDLE HashHandle,
+ IN UINT32 HashType,
+ OUT UINT8 *Digest
+);
+
+/**
+ Start hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash sequence start and HandleHandle returned.
+ @retval EFI_OUT_OF_RESOURCES No enough resource to start hash.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *BASE_HASH_INIT) (
+ OUT HASH_HANDLE *HashHandle
+ );
+
+/**
+ Update hash sequence data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval EFI_SUCCESS Hash sequence updated.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *BASE_HASH_UPDATE) (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+ );
+
+/**
+ Hash complete.
+ @param HashHandle Hash handle.
+ @param Digest Hash Digest.
+ @retval EFI_SUCCESS Hash complete and Digest is returned.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *BASE_HASH_FINAL_EX) (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 **Digest
+ );
+
+typedef struct {
+ EFI_GUID HashGuid;
+ BASE_HASH_INIT HashInit;
+ BASE_HASH_UPDATE HashUpdate;
+ BASE_HASH_FINAL_EX HashFinal;
+} HASH_INTERFACE_UNIFIED_API;
+
+/**
+ This service registers Hash Interface.
+
+ @param HashInterface Hash interface
+
+ @retval EFI_SUCCESS This hash interface is registered successfully.
+ @retval EFI_UNSUPPORTED System does not support register this interface.
+ @retval EFI_ALREADY_STARTED System already register this interface.
+**/
+EFI_STATUS
+EFIAPI
+RegisterHashApiLib (
+ IN HASH_INTERFACE_UNIFIED_API *HashInterface
+);
+
+#endif
\ No newline at end of file
diff --git a/SecurityPkg/Include/Library/HashLib.h b/SecurityPkg/Include/Library/HashLib.h
index 740cb8188e51..6ad960ad70ee 100644
--- a/SecurityPkg/Include/Library/HashLib.h
+++ b/SecurityPkg/Include/Library/HashLib.h
@@ -87,53 +87,6 @@ HashAndExtend (
OUT TPML_DIGEST_VALUES *DigestList
);
-/**
- Init hash sequence.
-
- @param HashHandle Hash handle.
-
- @retval EFI_SUCCESS Hash start and HashHandle returned.
- @retval EFI_UNSUPPORTED System has no HASH library registered.
-**/
-EFI_STATUS
-EFIAPI
-HashApiInit (
- OUT HASH_HANDLE *HashHandle
-);
-
-/**
- Update hash data.
-
- @param HashHandle Hash handle.
- @param DataToHash Data to be hashed.
- @param DataToHashLen Data size.
-
- @retval EFI_SUCCESS Hash updated.
- @retval EFI_UNSUPPORTED System has no HASH library registered.
-**/
-EFI_STATUS
-EFIAPI
-HashApiUpdate (
- IN HASH_HANDLE HashHandle,
- IN VOID *DataToHash,
- IN UINTN DataToHashLen
-);
-
-/**
- Hash complete.
-
- @param HashHandle Hash handle.
- @param Digest Hash Digest.
-
- @retval EFI_SUCCESS Hash complete and Digest is returned.
-**/
-EFI_STATUS
-EFIAPI
-HashApiFinal (
- IN HASH_HANDLE HashHandle,
- OUT UINT8 *Digest
-);
-
/**
Start hash sequence.
@@ -180,21 +133,6 @@ EFI_STATUS
OUT TPML_DIGEST_VALUES *DigestList
);
-/**
- Hash complete.
-
- @param HashHandle Hash handle.
- @param Digest Hash Digest.
-
- @retval EFI_SUCCESS Hash complete and Digest is returned.
-**/
-typedef
-EFI_STATUS
-(EFIAPI *HASH_FINAL_EX) (
- IN HASH_HANDLE HashHandle,
- OUT UINT8 **Digest
- );
-
#define HASH_ALGORITHM_SHA1_GUID EFI_HASH_ALGORITHM_SHA1_GUID
#define HASH_ALGORITHM_SHA256_GUID EFI_HASH_ALGORITHM_SHA256_GUID
#define HASH_ALGORITHM_SHA384_GUID EFI_HASH_ALGORITHM_SHA384_GUID
@@ -211,13 +149,6 @@ typedef struct {
HASH_FINAL HashFinal;
} HASH_INTERFACE;
-typedef struct {
- EFI_GUID HashGuid;
- HASH_INIT HashInit;
- HASH_UPDATE HashUpdate;
- HASH_FINAL_EX HashFinal;
-} HASH_INTERFACE_UNIFIED_API;
-
/**
This service register Hash.
@@ -233,18 +164,4 @@ RegisterHashInterfaceLib (
IN HASH_INTERFACE *HashInterface
);
-/**
- This service registers Hash Interface.
-
- @param HashInterface Hash interface
-
- @retval EFI_SUCCESS This hash interface is registered successfully.
- @retval EFI_UNSUPPORTED System does not support register this interface.
- @retval EFI_ALREADY_STARTED System already register this interface.
-**/
-EFI_STATUS
-EFIAPI
-RegisterHashApiLib (
- IN HASH_INTERFACE_UNIFIED_API *HashInterface
-);
#endif
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.h b/SecurityPkg/Library/BaseHashLib/BaseHashLib.h
deleted file mode 100644
index 70676c1716c3..000000000000
--- a/SecurityPkg/Library/BaseHashLib/BaseHashLib.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/** @file
- The internal header file includes the common header files, defines
- internal structure and functions used by ImageVerificationLib.
-
-Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef __BASEHASHLIB_H_
-#define __BASEHASHLIB_H_
-
-#define HASH_ALGO_COUNT 7
-
-//
-// Hash Algorithms
-//
-#define HASH_ALG_SHA1 0x00000001
-#define HASH_ALG_SHA256 0x00000002
-#define HASH_ALG_SHA384 0x00000004
-#define HASH_ALG_SHA512 0x00000008
-#define HASH_ALG_SM3_256 0x00000010
-#if 0
-typedef
-UINTN
-(EFIAPI *GET_HASH_CTX_SIZE) (
- VOID
- );
-
-typedef
-BOOLEAN
-(EFIAPI *_HASH_INIT) (
- OUT VOID *ShaContext
- );
-
-typedef
-BOOLEAN
-(EFIAPI *_HASH_DUPLICATE) (
- IN CONST VOID *ShaContext,
- OUT VOID *NewShaContext
- );
-
-typedef
-BOOLEAN
-(EFIAPI *_HASH_UPDATE) (
- IN OUT VOID *ShaContext,
- IN CONST VOID *Data,
- IN UINTN DataSize
- );
-
-typedef
-BOOLEAN
-(EFIAPI *_HASH_FINAL) (
- IN OUT VOID *ShaContext,
- OUT UINT8 *HashValue
- );
-
-HASH_ALGO_IDX
-GetHashAlgoIndex (
- VOID
-);
-
-typedef struct {
- HASH_ALGO_IDX HashAlgo;
- GET_HASH_CTX_SIZE GetHashCtxSize;
- _HASH_INIT HashInit;
- _HASH_DUPLICATE HashDuplicate;
- _HASH_UPDATE HashUpdate;
- _HASH_FINAL HashFinal;
-} HASH_OPERATIONS;
-
-
-EFI_STATUS
-EFIAPI
-RegisterHashLib (
- IN HASH_OPERATIONS *HashInterface
-);
-#endif
-#endif
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
new file mode 100644
index 000000000000..dc4839d16600
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
@@ -0,0 +1,35 @@
+/** @file
+ The internal header file includes the common header files, defines
+ internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_COMMON_H_
+#define __BASEHASHLIB_COMMON_H_
+
+#define HASH_ALGO_COUNT 5
+
+
+typedef struct {
+ EFI_GUID Guid;
+ UINT32 Mask;
+} HASH_MASK;
+
+HASH_MASK mHashMask[] = {
+ {HASH_ALGORITHM_SHA1_GUID, HASH_ALG_SHA1},
+ {HASH_ALGORITHM_SHA256_GUID, HASH_ALG_SHA256},
+ {HASH_ALGORITHM_SHA384_GUID, HASH_ALG_SHA384},
+ {HASH_ALGORITHM_SHA512_GUID, HASH_ALG_SHA512},
+ {HASH_ALGORITHM_SM3_256_GUID, HASH_ALG_SM3_256},
+};
+
+#endif
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
index f5dcbedb2cd9..a8d6c0f37570 100644
--- a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
@@ -43,7 +43,5 @@ [LibraryClasses]
PcdLib
[Pcd]
- gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES
- gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES
gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
index 07e95a5a9c0f..872989f2352d 100644
--- a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
@@ -44,7 +44,5 @@ [LibraryClasses]
PcdLib
[Pcd]
- gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES
- gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES
- gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index b03677a5411c..2f31b0192fdb 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -515,14 +515,5 @@ [PcdsDynamic, PcdsDynamicEx]
# @ValidRange 0x80000001 | 0x00000000 - 0x00000005
gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x02|UINT32|0x00010024
- ## This PCD indicated final BIOS supported Hash mask for Base Hash API.
- # Bios may choose to register a subset of PcdTpm2HashMask.
- # This PCD is final value of how many hash algo are registered with
- # Base Hash API.
- # This PCD will start with value 0 by the Base Hash API constructor and
- # the value will be updated as Hash Algo are registered.
- # @Prompt Hash Algorithm bitmap for Base Hash API.
- gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|0xFFFFFFFF|UINT32|0x00010025
-
[UserExtensions.TianoCore."ExtraFiles"]
SecurityPkgExtra.uni
diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni
index 2dc77279210c..c9d12535b5f4 100644
--- a/SecurityPkg/SecurityPkg.uni
+++ b/SecurityPkg/SecurityPkg.uni
@@ -309,12 +309,3 @@
"0x00000003 - SHA384.<BR>\n"
"0x00000004 - SHA512.<BR>\n"
"0x00000005 - SM3.<BR>"
-
-#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_PROMPT #language en-US "Hash Algorithm bitmap for Base Hash API."
-
-#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_HELP #language en-US "This PCD indicated final BIOS supported Hash mask for Base Hash API.\n"
- "Bios may choose to register a subset of PcdTpm2HashMask.<BR>\n"
- "This PCD is final value of how many hash algo are registered with\n"
- "Base Hash API.<BR>\n"
- "This PCD will start with value 0 by the Base Hash API constructor and\n"
- "the value will be updated as Hash Algo are registered.<BR>\n"
--
2.16.2.windows.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH v1 6/6] SecurityPkg/HashApiInstanceSM3: Implement API registration mechanism for SM3
2019-12-18 21:50 [PATCH v1 0/6] SecurityPkg/BaseHashLib: Implement a Unified API for Hash Calculation Sukerkar, Amol N
` (4 preceding siblings ...)
2019-12-18 21:50 ` [PATCH v1 5/6] SecurityPkg/BaseHashLib: Modified the Registation Mechanism for BaseHashLib Sukerkar, Amol N
@ 2019-12-18 21:50 ` Sukerkar, Amol N
5 siblings, 0 replies; 8+ messages in thread
From: Sukerkar, Amol N @ 2019-12-18 21:50 UTC (permalink / raw)
To: devel; +Cc: michael.d.kinney, sachin.agrawal, self, Subash Lakkimsetti
This is the HashApiInstance implementation for SM3 which registers the SM3
hash library in CryptoPkg with BaseHashLib based on whether a platform supports
SM3 hash algorithm.
Signed-off-by: Subash Lakkimsetti <subashx.lakkimsetti@intel.com>
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.c | 128 ++++++++++++++++++++
SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.inf | 40 ++++++
SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.uni | 16 +++
3 files changed, 184 insertions(+)
diff --git a/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.c b/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.c
new file mode 100644
index 000000000000..391f482c1520
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.c
@@ -0,0 +1,128 @@
+/** @file
+ This library is BaseCrypto Sm3 hash instance.
+ It can be registered to BaseCrypto router, to serve as hash engine.
+
+Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiPei.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseCryptLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/BaseHashLib.h>
+
+/**
+ Start hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash sequence start and HandleHandle returned.
+ @retval EFI_OUT_OF_RESOURCES No enough resource to start hash.
+**/
+EFI_STATUS
+EFIAPI
+Sm3_Init (
+ OUT HASH_HANDLE *HashHandle
+ )
+{
+ VOID *Sm3Ctx;
+ UINTN CtxSize;
+
+ CtxSize = Sm3GetContextSize ();
+ Sm3Ctx = AllocatePool (CtxSize);
+ ASSERT (Sm3Ctx != NULL);
+
+ Sm3Init (Sm3Ctx);
+
+ *HashHandle = (HASH_HANDLE)Sm3Ctx;
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Update hash sequence data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval EFI_SUCCESS Hash sequence updated.
+**/
+EFI_STATUS
+EFIAPI
+Sm3_Update (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+ )
+{
+ VOID *Sm3Ctx;
+
+ Sm3Ctx = (VOID *)HashHandle;
+ Sm3Update (Sm3Ctx, DataToHash, DataToHashLen);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Complete hash sequence complete.
+
+ @param HashHandle Hash handle.
+ @param DigestList Digest list.
+
+ @retval EFI_SUCCESS Hash sequence complete and DigestList is returned.
+**/
+EFI_STATUS
+EFIAPI
+Sm3_Final (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 **Digest
+ )
+{
+ UINT8 Sm3Digest[SM3_256_DIGEST_SIZE];
+ VOID *Sm3Ctx;
+
+ Sm3Ctx = (VOID *)HashHandle;
+ Sm3Final (Sm3Ctx, Sm3Digest);
+
+ CopyMem (*Digest, Sm3Digest, SM3_256_DIGEST_SIZE);
+
+ FreePool (Sm3Ctx);
+
+ return EFI_SUCCESS;
+}
+
+HASH_INTERFACE_UNIFIED_API mSm3InternalHashApiInstance = {
+ HASH_ALGORITHM_SM3_256_GUID,
+ Sm3_Init,
+ Sm3_Update,
+ Sm3_Final,
+};
+
+/**
+ The function register Sm3 instance.
+
+ @retval EFI_SUCCESS Sm3 instance is registered, or system dose not surpport registr Sm3 instance
+**/
+EFI_STATUS
+EFIAPI
+HashApiInstanceSm3Constructor (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+
+ Status = RegisterHashApiLib (&mSm3InternalHashApiInstance);
+ if ((Status == EFI_SUCCESS) || (Status == EFI_UNSUPPORTED)) {
+ //
+ // Unsupported means platform policy does not need this instance enabled.
+ //
+ DEBUG ((DEBUG_ERROR, "[ansukerk]: Hash Interface Sm3 is registered\n"));
+ return EFI_SUCCESS;
+ }
+ return Status;
+}
diff --git a/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.inf b/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.inf
new file mode 100644
index 000000000000..ae328bfbf41f
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.inf
@@ -0,0 +1,40 @@
+## @file
+# Provides BaseCrypto SM3 hash service
+#
+# This library can be registered to BaseCrypto router, to serve as hash engine.
+#
+# Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = HashApiInstanceSm3
+ MODULE_UNI_FILE = HashApiInstanceSm3.uni
+ FILE_GUID = 9A7A6AB4-9DA6-4aa4-90CB-6D4B79EDA7B9
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = NULL
+ CONSTRUCTOR = HashApiInstanceSm3Constructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ HashApiInstanceSm3.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ BaseCryptLib
diff --git a/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.uni b/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.uni
new file mode 100644
index 000000000000..8f9712b1520e
--- /dev/null
+++ b/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.uni
@@ -0,0 +1,16 @@
+// /** @file
+// Provides BaseCrypto SM3 hash service
+//
+// This library can be registered to BaseCrypto router, to serve as hash engine.
+//
+// Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides BaseCrypto SM3 hash service API"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This library can be registered to Base Hash API, to serve as hash engine."
+
--
2.16.2.windows.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-12-18 21:50 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-12-18 21:50 [PATCH v1 0/6] SecurityPkg/BaseHashLib: Implement a Unified API for Hash Calculation Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 1/6] SecurityPkg/BaseHashLib: Implement a unified " Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 2/6] SecurityPkg/HashApiInstanceSha1: Implement API registration mechanism for SHA1 Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 3/6] SecurityPkg/HashApiInstanceSha256: Implement API registration mechanism for SHA256 Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 4/6] SecurityPkg/HashApiInstanceSha384: Implement API registration mechanism for SHA384 Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 5/6] SecurityPkg/BaseHashLib: Modified the Registation Mechanism for BaseHashLib Sukerkar, Amol N
2019-12-18 21:50 ` [PATCH v1 6/6] SecurityPkg/HashApiInstanceSM3: Implement API registration mechanism for SM3 Sukerkar, Amol N
-- strict thread matches above, loose matches on Subject: below --
2019-12-18 21:32 [PATCH v1 0/6] SecurityPkg/BaseHashLib: Implement a Unified API for Hash Calculation Sukerkar, Amol N
2019-12-18 21:32 ` [PATCH v1 2/6] SecurityPkg/HashApiInstanceSha1: Implement API registration mechanism for SHA1 Sukerkar, Amol N
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox