public inbox for devel@edk2.groups.io
* [PATCH v4 0/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API
@ 2020-01-17 22:31 Sukerkar, Amol N
  2020-01-17 22:31 ` [PATCH v4 1/2] CryptoPkg: Add CryptoPkg Token Space GUID Sukerkar, Amol N
  2020-01-17 22:32 ` [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API Sukerkar, Amol N
  0 siblings, 2 replies; 8+ messages in thread
From: Sukerkar, Amol N @ 2020-01-17 22:31 UTC (permalink / raw)
  To: devel
  Cc: michael.d.kinney, jiewen.yao, jian.j.wang, sachin.agrawal,
	srinivas.musti, subash.lakkimsetti

Currently, the UEFI drivers using the SHA/SM3 hashing algorithms use hard-coded
API to calculate the hash, for instance, sha_256(...), etc. Since SHA384 and/or
SM3_256 are being increasingly adopted for robustness, it becomes cumbersome to
modify each driver that calls into hash calculating API.

To better achieve this, we are proposing a Unified API, which can be used by UEFI
drivers, that provides the drivers with flexibility to use the desired hashing
algorithm based on the required robustness.

Alternatively, the design document is also attached to Bugzilla,
https://bugzilla.tianocore.org/show_bug.cgi?id=2151.

Sukerkar, Amol N (2):
  CryptoPkg: Add CryptoPkg Token Space GUID
  CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API

 CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c | 254 ++++++++++++++++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c    | 100 ++++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c    | 101 ++++++++
 CryptoPkg/CryptoPkg.dec                           |  28 ++-
 CryptoPkg/CryptoPkg.dsc                           |   6 +-
 CryptoPkg/CryptoPkg.uni                           |  17 ++
 CryptoPkg/Include/Guid/CryptoPkgTokenSpace.h      |  19 ++
 CryptoPkg/Include/Library/BaseHashLib.h           |  85 +++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h |  72 ++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf  |  45 ++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni  |  17 ++
 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf  |  46 ++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni  |  16 ++
 13 files changed, 804 insertions(+), 2 deletions(-)
 create mode 100644 CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
 create mode 100644 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
 create mode 100644 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
 create mode 100644 CryptoPkg/Include/Guid/CryptoPkgTokenSpace.h
 create mode 100644 CryptoPkg/Include/Library/BaseHashLib.h
 create mode 100644 CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
 create mode 100644 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
 create mode 100644 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
 create mode 100644 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
 create mode 100644 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni

-- 
2.16.2.windows.1



* [PATCH v4 1/2] CryptoPkg: Add CryptoPkg Token Space GUID
  2020-01-17 22:31 [PATCH v4 0/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API Sukerkar, Amol N
@ 2020-01-17 22:31 ` Sukerkar, Amol N
  2020-01-20 16:54   ` Wang, Jian J
  2020-01-17 22:32 ` [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API Sukerkar, Amol N
  1 sibling, 1 reply; 8+ messages in thread
From: Sukerkar, Amol N @ 2020-01-17 22:31 UTC (permalink / raw)
  To: devel
  Cc: michael.d.kinney, jiewen.yao, jian.j.wang, sachin.agrawal,
	srinivas.musti, subash.lakkimsetti

Added CryptoPkg Token Space GUID to be able to define PCDs.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
 CryptoPkg/CryptoPkg.dec                      |  7 ++++++-
 CryptoPkg/Include/Guid/CryptoPkgTokenSpace.h | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
index 08bedd57daad..a548ec7ddc71 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -4,7 +4,7 @@
 #  This Package provides cryptographic-related libraries for UEFI security modules.
 #  It also provides a test application to test libraries.
 #
-#  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -33,5 +33,10 @@ [LibraryClasses]
   ##
   TlsLib|Include/Library/TlsLib.h
 
+[Guids]
+  ## Security package token space guid.
+  # Include/Guid/CryptoPkgTokenSpace.h
+  gEfiCryptoPkgTokenSpaceGuid      = { 0xd3fb176, 0x9569, 0x4d51, { 0xa3, 0xef, 0x7d, 0x61, 0xc6, 0x4f, 0xea, 0xba }}
+
 [UserExtensions.TianoCore."ExtraFiles"]
   CryptoPkgExtra.uni
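Review bot: the comment above the new [Guids] entry reads "Security package token space guid", but the symbol is gEfiCryptoPkgTokenSpaceGuid and the file is CryptoPkg.dec, so the comment should name CryptoPkg. The first field, 0xd3fb176, is written with seven hex digits; padding it to 0x0d3fb176 makes the 32-bit width explicit and easier to compare against the header.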
diff --git a/CryptoPkg/Include/Guid/CryptoPkgTokenSpace.h b/CryptoPkg/Include/Guid/CryptoPkgTokenSpace.h
new file mode 100644
index 000000000000..ed3626d7b4e1
--- /dev/null
+++ b/CryptoPkg/Include/Guid/CryptoPkgTokenSpace.h
@@ -0,0 +1,19 @@
+/** @file
+  GUID for CryptoPkg PCD Token Space.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef _CRYPTOPKG_TOKEN_SPACE_GUID_H_
+#define _CRYPTOPKG_TOKEN_SPACE_GUID_H_
+
+#define CRYPTOPKG_TOKEN_SPACE_GUID \
+  { \
+    0x7c4b0548, 0xd267, 0x451f, { 0xb5, 0x68, 0x58, 0x4f, 0x82, 0xb2, 0x1c, 0x89 } \
+  }
+
+extern EFI_GUID gEfiCryptoPkgTokenSpaceGuid;
+
+#endif
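Review bot: CRYPTOPKG_TOKEN_SPACE_GUID is defined here as { 0x7c4b0548, 0xd267, 0x451f, ... }, while the [Guids] entry this same patch adds to CryptoPkg.dec declares gEfiCryptoPkgTokenSpaceGuid as { 0xd3fb176, 0x9569, 0x4d51, ... }. The macro and the .dec entry should carry the same GUID; as posted, code that uses the macro will not match the extern variable declared a few lines below it. Pick one value and use it in both places.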
-- 
2.16.2.windows.1



* [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API
  2020-01-17 22:31 [PATCH v4 0/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API Sukerkar, Amol N
  2020-01-17 22:31 ` [PATCH v4 1/2] CryptoPkg: Add CryptoPkg Token Space GUID Sukerkar, Amol N
@ 2020-01-17 22:32 ` Sukerkar, Amol N
  2020-01-17 23:33   ` [edk2-devel] " Hot Tian
  2020-01-20 17:17   ` Wang, Jian J
  1 sibling, 2 replies; 8+ messages in thread
From: Sukerkar, Amol N @ 2020-01-17 22:32 UTC (permalink / raw)
  To: devel
  Cc: michael.d.kinney, jiewen.yao, jian.j.wang, sachin.agrawal,
	srinivas.musti, subash.lakkimsetti

This commit introduces a Unified Hash API to calculate hash using a
hashing algorithm specified by the PCD, PcdSystemHashPolicy. This library
interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate
the desired hash by setting PcdSystemHashPolicy to appropriate value.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
 CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c | 254 ++++++++++++++++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c    | 100 ++++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c    | 101 ++++++++
 CryptoPkg/CryptoPkg.dec                           |  21 ++
 CryptoPkg/CryptoPkg.dsc                           |   6 +-
 CryptoPkg/CryptoPkg.uni                           |  17 ++
 CryptoPkg/Include/Library/BaseHashLib.h           |  85 +++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h |  72 ++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf  |  45 ++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni  |  17 ++
 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf  |  46 ++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni  |  16 ++
 12 files changed, 779 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
new file mode 100644
index 000000000000..217537566796
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
@@ -0,0 +1,254 @@
+/** @file
+  Implement image verification services for secure boot service
+
+  Caution: This file requires additional review when modified.
+  This library will have external input - PE/COFF image.
+  This external input must be validated carefully to avoid security issue like
+  buffer overflow, integer overflow.
+
+  DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
+  read is within the image buffer.
+
+  DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
+  untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution.  The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/BaseCryptLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/BaseHashLib.h>
+
+#include "BaseHashLibCommon.h"
+
+/**
+  Init hash sequence with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy  Hash Algorithm Policy.
+  @param HashHandle  Hash handle.
+
+  @retval TRUE       Hash start and HashHandle returned.
+  @retval FALSE      Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashInitInternal (
+  IN UINT8          HashPolicy,
+  OUT HASH_HANDLE   *HashHandle
+  )
+{
+  BOOLEAN  Status;
+  VOID     *HashCtx;
+  UINTN    CtxSize;
+
+  switch (HashPolicy) {
+    case HASH_MD4:
+      CtxSize = Md4GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Md4Init (HashCtx);
+      break;
+
+    case HASH_MD5:
+      CtxSize = Md5GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+     Status = Md5Init (HashCtx);
+      break;
+
+    case HASH_SHA1:
+      CtxSize = Sha1GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sha1Init (HashCtx);
+      break;
+
+    case HASH_SHA256:
+      CtxSize = Sha256GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sha256Init (HashCtx);
+      break;
+
+    case HASH_SHA384:
+      CtxSize = Sha384GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sha384Init (HashCtx);
+      break;
+
+    case HASH_SHA512:
+      CtxSize = Sha512GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sha512Init (HashCtx);
+      break;
+
+    case HASH_SM3_256:
+      CtxSize = Sm3GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sm3Init (HashCtx);
+      break;
+
+    default:
+      ASSERT (FALSE);
+      break;
+  }
+
+  *HashHandle = (HASH_HANDLE)HashCtx;
+
+  return Status;
+}
+
+/**
+  Update hash data with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy    Hash Algorithm Policy.
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashUpdateInternal (
+  IN UINT8        HashPolicy,
+  IN HASH_HANDLE  HashHandle,
+  IN VOID         *DataToHash,
+  IN UINTN        DataToHashLen
+  )
+{
+  BOOLEAN  Status;
+  VOID     *HashCtx;
+
+  HashCtx = (VOID *)HashHandle;
+
+  switch (HashPolicy) {
+    case HASH_MD4:
+      Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_MD5:
+      Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SHA1:
+      Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SHA256:
+      Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SHA384:
+      Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SHA512:
+      Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SM3_256:
+      Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    default:
+      ASSERT (FALSE);
+      break;
+  }
+
+  return Status;
+}
+
+/**
+  Hash complete with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy    Hash Algorithm Policy.
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashFinalInternal (
+  IN UINT8        HashPolicy,
+  IN HASH_HANDLE  HashHandle,
+  OUT UINT8       **Digest
+  )
+{
+  BOOLEAN  Status;
+  VOID     *HashCtx;
+  UINT8    DigestData[SHA512_DIGEST_SIZE];
+
+  HashCtx = (VOID *)HashHandle;
+
+  switch (HashPolicy) {
+    case HASH_MD4:
+      Status = Md4Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
+      break;
+
+    case HASH_MD5:
+      Status = Md5Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
+      break;
+
+    case HASH_SHA1:
+      Status = Sha1Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
+      break;
+
+    case HASH_SHA256:
+      Status = Sha256Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
+      break;
+
+    case HASH_SHA384:
+      Status = Sha384Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
+      break;
+
+    case HASH_SHA512:
+      Status = Sha512Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
+      break;
+
+    case HASH_SM3_256:
+      Status = Sm3Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
+      break;
+
+    default:
+      ASSERT (FALSE);
+      break;
+  }
+
+  FreePool (HashCtx);
+
+  return Status;
+}
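Review bot: in HashInitInternal the default: case only does ASSERT (FALSE), so with asserts compiled out an unsupported HashPolicy falls through to "*HashHandle = (HASH_HANDLE)HashCtx; return Status;" with both HashCtx and Status uninitialized. HashUpdateInternal and HashFinalInternal return an uninitialized Status in the same way, and HashFinalInternal then calls FreePool (HashCtx) on a handle that was never validated. Initialize Status to FALSE and HashCtx to NULL, and return FALSE from the default cases without touching the context. The same applies to allocation failure: ASSERT (HashCtx != NULL) is the only check after AllocatePool, so a build without asserts passes NULL to the *Init function; test the pointer and return FALSE instead. Separately, the @file header describes image verification (DxeImageVerificationHandler, HashPeImage) rather than this library, and it carries the long BSD license text where BaseHashLibDxe.c and BaseHashLibPei.c use SPDX-License-Identifier.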
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
new file mode 100644
index 000000000000..226c2d6a4aae
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
@@ -0,0 +1,100 @@
+/** @file
+  This library is Unified Hash API. It will redirect hash request to
+  the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256,
+  SHA384 and SM3...
+
+Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/BaseHashLib.h>
+
+#include "BaseHashLibCommon.h"
+
+/**
+  Init hash sequence.
+
+  @param HashHandle  Hash handle.
+
+  @retval TRUE       Hash start and HashHandle returned.
+  @retval FALSE      Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+  OUT  HASH_HANDLE   *HashHandle
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+  HASH_HANDLE Handle;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashInitInternal (HashPolicy, &Handle);
+
+  *HashHandle = Handle;
+
+  return Status;
+}
+
+/**
+  Update hash data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+  IN HASH_HANDLE    HashHandle,
+  IN VOID           *DataToHash,
+  IN UINTN          DataToHashLen
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash, DataToHashLen);
+
+  return Status;
+}
+
+/**
+  Hash complete.
+
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+  IN  HASH_HANDLE HashHandle,
+  OUT UINT8       *Digest
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
+
+  return Status;
+}
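Review bot: HashApiFinal calls "HashFinalInternal (HashPolicy, &HashHandle, &Digest)", but HashFinalInternal is declared with "IN HASH_HANDLE HashHandle" by value and casts that value to the hash context, so the address of the local parameter would be used as the context and then passed to FreePool. BaseHashLibPei.c passes HashHandle itself; this file should do the same. In HashApiInit, Handle is copied to *HashHandle regardless of Status; write the output only when HashInitInternal succeeds.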
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
new file mode 100644
index 000000000000..a9fa0d978088
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
@@ -0,0 +1,101 @@
+/** @file
+  This library is Unified Hash API. It will redirect hash request to
+  the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256,
+  SHA384 and SM3...
+
+Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HobLib.h>
+#include <Library/BaseHashLib.h>
+
+#include "BaseHashLibCommon.h"
+
+/**
+  Init hash sequence.
+
+  @param HashHandle  Hash handle.
+
+  @retval TRUE       Hash start and HashHandle returned.
+  @retval FALSE      Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+  OUT  HASH_HANDLE   *HashHandle
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+  HASH_HANDLE Handle;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashInitInternal (HashPolicy, &Handle);
+
+  *HashHandle = Handle;
+
+  return Status;
+}
+
+/**
+  Update hash data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+  IN HASH_HANDLE    HashHandle,
+  IN VOID           *DataToHash,
+  IN UINTN          DataToHashLen
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash, DataToHashLen);
+
+  return Status;
+}
+
+/**
+  Hash complete.
+
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+  IN  HASH_HANDLE HashHandle,
+  OUT UINT8      *Digest
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
+
+  return Status;
+}
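Review bot: HashApiInit, HashApiUpdate and HashApiFinal each re-read PcdGet8 (PcdSystemHashPolicy), and the .dec change in this patch allows the PCD to be PcdsDynamic or PcdsDynamicEx, so the policy can differ between the call that allocated the context and the call that updates or finalizes it; the context would then be handed to a different algorithm's Update or Final routine. Record the policy chosen at init alongside the context (for example in the structure the handle points to) and dispatch on that stored value. <Library/HobLib.h> is included but nothing in the file uses it, and apart from that include the three functions repeat BaseHashLibDxe.c, so they could live in one shared source file.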
diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
index a548ec7ddc71..9288c652f8e4 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -33,10 +33,31 @@ [LibraryClasses]
   ##
   TlsLib|Include/Library/TlsLib.h
 
+  ##  @libraryclass  Provides Unified API for different hash implementations.
+  #
+  BaseHashLib|Include/Library/BaseHashLib.h
+
 [Guids]
   ## Security package token space guid.
   # Include/Guid/CryptoPkgTokenSpace.h
   gEfiCryptoPkgTokenSpaceGuid      = { 0xd3fb176, 0x9569, 0x4d51, { 0xa3, 0xef, 0x7d, 0x61, 0xc6, 0x4f, 0xea, 0xba }}
 
+[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+  ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF image
+  #  Based on the value set, the required algorithm is chosen to verify
+  #  the unsigned image during Secure Boot.<BR>
+  #  The hashing algorithm selected must match the hashing algorithm used to
+  #  hash the image to be added to DB using tools such as KeyEnroll.<BR>
+  #     0x00000001    - MD4.<BR>
+  #     0x00000002    - MD5.<BR>
+  #     0x00000003    - SHA1.<BR>
+  #     0x00000004    - SHA256.<BR>
+  #     0x00000005    - SHA384.<BR>
+  #     0x00000006    - SHA512.<BR>
+  #     0x00000007    - SM3_256.<BR>
+  # @Prompt Set policy for hashing unsigned image for Secure Boot.
+  # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
+  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x00000001
+
 [UserExtensions.TianoCore."ExtraFiles"]
   CryptoPkgExtra.uni
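Review bot: the @ValidRange line accepts 0x00000001 - 0x00000007, which admits MD4, MD5 and SHA1 as the policy for what the comment describes as verifying unsigned images during Secure Boot. If those values are needed by other callers, say so in the description; otherwise restrict the range for this PCD to SHA256 and stronger. The PCD is declared UINT8 with default 0x04 while the value list and range are written as 32-bit constants; writing them as 0x01 - 0x07 would match the type. The description is also specific to Secure Boot image hashing, although the library class added above it is documented as a unified API for different hash implementations.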
diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index ec43c1f0a47e..1d2956d20483 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -1,7 +1,7 @@
 ## @file
 #  Cryptographic Library Package for UEFI Security Implementation.
 #
-#  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -62,9 +62,11 @@ [LibraryClasses.ARM]
 
 [LibraryClasses.common.PEIM]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+  BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
 
 [LibraryClasses.common.DXE_DRIVER]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+  BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
 
 [LibraryClasses.common.DXE_RUNTIME_DRIVER]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
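Review bot: BaseHashLib is resolved here only for PEIM and DXE_DRIVER, while BaseHashLibDxe.inf in this patch declares LIBRARY_CLASS for DXE_RUNTIME_DRIVER, DXE_SMM_DRIVER, UEFI_APPLICATION and UEFI_DRIVER as well. Either add mappings for the module types that are meant to be supported (the DXE_RUNTIME_DRIVER section shown as context here gets none) or trim the LIBRARY_CLASS list in the .inf.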
@@ -120,6 +122,8 @@ [Components]
   CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
   CryptoPkg/Library/OpensslLib/OpensslLib.inf
   CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
+  CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
 
 [Components.IA32, Components.X64]
   CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
diff --git a/CryptoPkg/CryptoPkg.uni b/CryptoPkg/CryptoPkg.uni
index beb0036ef583..ebbebed4924d 100644
--- a/CryptoPkg/CryptoPkg.uni
+++ b/CryptoPkg/CryptoPkg.uni
@@ -17,3 +17,20 @@
 
 
 
+#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT  #language en-US "HASH algorithm to verify unsigned PE/COFF image"
+
+#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP  #language en-US "This PCD indicates the HASH algorithm to verify unsigned PE/COFF image.<BR><BR>\n"
+                                                                                        "Based on the value set, the required algorithm is chosen to verify\n"
+                                                                                        "the unsigned image during Secure Boot.<BR>\n"
+                                                                                        "The hashing algorithm selected must match the hashing algorithm used to\n"
+                                                                                        "hash the image to be added to DB using tools such as KeyEnroll.<BR>\n"
+                                                                                        "0x00000001  -  MD4.<BR>\n"
+                                                                                        "0x00000002  -  MD5.<BR>\n"
+                                                                                        "0x00000003  -  SHA1.<BR>\n"
+                                                                                        "0x00000004  -  SHA256.<BR>\n"
+                                                                                        "0x00000005  -  SHA384.<BR>\n"
+                                                                                        "0x00000006  -  SHA512.<BR>\n"
+                                                                                        "0x00000007  -  SM3.<BR>"
+
+
+
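Review bot: the help string names the last value "SM3", while the CryptoPkg.dec comment in this patch and the HASH_SM3_256 define call it SM3_256; use one name throughout. The hunk also ends with three added blank lines after the string, which can be dropped.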
diff --git a/CryptoPkg/Include/Library/BaseHashLib.h b/CryptoPkg/Include/Library/BaseHashLib.h
new file mode 100644
index 000000000000..c07e4a9a44aa
--- /dev/null
+++ b/CryptoPkg/Include/Library/BaseHashLib.h
@@ -0,0 +1,85 @@
+/** @file
+  The internal header file includes the common header files, defines
+  internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution.  The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_H_
+#define __BASEHASHLIB_H_
+
+#include <Uefi.h>
+
+typedef UINTN  HASH_HANDLE;
+
+//
+// Hash Algorithms
+//
+#define HASH_INVALID    0x00000000
+#define HASH_MD4        0x00000001
+#define HASH_MD5        0x00000002
+#define HASH_SHA1       0x00000003
+#define HASH_SHA256     0x00000004
+#define HASH_SHA384     0x00000005
+#define HASH_SHA512     0x00000006
+#define HASH_SM3_256    0x00000007
+#define HASH_MAX        0x00000008
+
+
+/**
+  Init hash sequence.
+
+  @param HashHandle  Hash handle.
+
+  @retval TRUE       Hash start and HashHandle returned.
+  @retval FALSE      Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+  OUT  HASH_HANDLE   *HashHandle
+);
+
+/**
+  Update hash data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+  IN HASH_HANDLE    HashHandle,
+  IN VOID           *DataToHash,
+  IN UINTN          DataToHashLen
+);
+
+/**
+  Hash complete.
+
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+  IN  HASH_HANDLE HashHandle,
+  OUT UINT8       *Digest
+);
+
+#endif
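Review bot: HashApiFinal takes "OUT UINT8 *Digest" with no size parameter, and the digest length depends on PcdSystemHashPolicy (HashFinalInternal copies up to SHA512_DIGEST_SIZE bytes), so a caller that sized its buffer for SHA256 is overrun when the policy is SHA384 or SHA512. Add a DigestSize parameter that is checked before the copy, or export a way to query the digest size for the current policy, and state the requirement in the @param text. The @file comment describes an internal header used by ImageVerificationLib, but this is the public library class header. HASH_INVALID and HASH_MAX are defined, yet the dispatch code in this patch never checks the policy against them.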
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
new file mode 100644
index 000000000000..b022284d1a27
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
@@ -0,0 +1,72 @@
+/** @file
+  The internal header file includes the common header files, defines
+  internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution.  The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_COMMON_H_
+#define __BASEHASHLIB_COMMON_H_
+
+/**
+  Init hash sequence with Hash Algorithm specified by HashPolicy.
+
+  @param HashHandle Hash handle.
+
+  @retval EFI_SUCCESS          Hash start and HashHandle returned.
+  @retval EFI_UNSUPPORTED      System has no HASH library registered.
+**/
+BOOLEAN
+EFIAPI
+HashInitInternal (
+  IN UINT8          HashPolicy,
+  OUT HASH_HANDLE   *HashHandle
+  );
+
+/**
+  Hash complete with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy    Hash Algorithm Policy.
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashUpdateInternal (
+  IN UINT8        HashPolicy,
+  IN HASH_HANDLE  HashHandle,
+  IN VOID         *DataToHash,
+  IN UINTN        DataToHashLen
+  );
+
+/**
+  Update hash data with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy    Hash Algorithm Policy.
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashFinalInternal (
+  IN UINT8        HashPolicy,
+  IN HASH_HANDLE  HashHandle,
+  OUT UINT8       **Digest
+  );
+
+#endif
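Review bot: the comment blocks on HashUpdateInternal and HashFinalInternal are swapped: the "Hash complete" block with @param Digest sits on HashUpdateInternal, and the "Update hash data" block with @param DataToHash sits on HashFinalInternal. The HashInitInternal block documents @retval EFI_SUCCESS and EFI_UNSUPPORTED although the function returns BOOLEAN, and it omits @param HashPolicy. The header also uses HASH_HANDLE without including the header that defines it, so it only compiles when the .c file includes BaseHashLib.h first.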
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
new file mode 100644
index 000000000000..732c8f0d1f47
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
@@ -0,0 +1,45 @@
+## @file
+#  Provides hash service by registered hash handler
+#
+#  This library is Base Hash Lib. It will redirect hash request to each individual
+#  hash handler registered, such as SHA1, SHA256, SHA384, SM3.
+#
+# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = BaseHashLibDxe
+  MODULE_UNI_FILE                = BaseHashLibDxe.uni
+  FILE_GUID                      = 158DC712-F15A-44dc-93BB-1675045BE066
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64
+#
+
+[Sources]
+  BaseHashLibCommon.h
+  BaseHashLibCommon.c
+  BaseHashLibDxe.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  BaseCryptLib
+  PcdLib
+
+[Pcd]
+  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy    ## CONSUMES
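Review bot: the header comment says requests are redirected to "each individual hash handler registered", but nothing in this patch registers handlers; the algorithm is selected by PcdSystemHashPolicy, as the [Pcd] section here and the .uni abstract state. Reword the @file comment to describe the PCD-selected dispatch.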
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
new file mode 100644
index 000000000000..53e025918828
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
@@ -0,0 +1,17 @@
+// /** @file
+// Provides hash service by registered hash handler
+//
+// This library is Unified Hash API. It will redirect hash request to each individual
+// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to
+// mask some hash engines.
+//
+// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Provides hash service by specified hash handler"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This library is Unified Hash API. It will redirect hash request to the hash handler specified by PcdSystemHashPolicy."
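Review bot: the file comment says "Platform can use PcdTpm2HashMask to mask some hash engines", but the [Pcd] section of BaseHashLibDxe.inf lists only PcdSystemHashPolicy and none of the sources in this patch read PcdTpm2HashMask. Remove that sentence, and change "registered hash handler" to match the STR_MODULE_ABSTRACT wording, "specified hash handler".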
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
new file mode 100644
index 000000000000..4ff23f88c1c3
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
@@ -0,0 +1,46 @@
+## @file
+#  Provides hash service by registered hash handler
+#
+#  This library is BaseCrypto router. It will redirect hash request to each individual
+#  hash handler registered, such as SHA1, SHA256, SM3.
+#
+# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = BaseHashLibPei
+  MODULE_UNI_FILE                = BaseHashLibPei.uni
+  FILE_GUID                      = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
+  MODULE_TYPE                    = PEIM
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = BaseHashLib|PEIM
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64
+#
+
+[Sources]
+  BaseHashLibCommon.h
+  BaseHashLibCommon.c
+  BaseHashLibPei.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  CryptoPkg/CryptoPkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  BaseCryptLib
+  PcdLib
+
+[Pcd]
+  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy    ## CONSUMES
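Review bot: [Packages] lists MdeModulePkg/MdeModulePkg.dec, but every class in [LibraryClasses] comes from MdePkg or CryptoPkg and the only PCD is in the CryptoPkg token space, so the extra package dependency looks unnecessary (BaseHashLibDxe.inf does without it). Drop it unless something from MdeModulePkg is really consumed. The header comment also calls the library a "BaseCrypto router" that redirects to "each individual hash handler registered"; it should describe selection by PcdSystemHashPolicy instead.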
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni
new file mode 100644
index 000000000000..a1abcc1cdfa0
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni
@@ -0,0 +1,16 @@
+// /** @file
+// Provides hash service by registered hash handler
+//
+// This library is Unified Hash API. It will redirect hash request to each individual
+// hash handler registered, such as SHA1, SHA256.
+//
+// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Provides hash service by specified hash handler"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This library is Unified Hash API. It will redirect hash request to the hash handler specified by PcdSystemHashPolicy."
-- 
2.16.2.windows.1


^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API
  2020-01-17 22:32 ` [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API Sukerkar, Amol N
@ 2020-01-17 23:33   ` Hot Tian
  2020-01-23 15:07     ` Sukerkar, Amol N
  2020-01-20 17:17   ` Wang, Jian J
  1 sibling, 1 reply; 8+ messages in thread
From: Hot Tian @ 2020-01-17 23:33 UTC (permalink / raw)
  To: devel@edk2.groups.io, Sukerkar, Amol N
  Cc: Kinney, Michael D, Yao, Jiewen, Wang, Jian J, Agrawal, Sachin,
	Musti, Srinivas, Lakkimsetti, Subash

Edk2 is now using BSD-2-Clause-Patent license.
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> This 
+program and the accompanying materials are licensed and made available 
+under the terms and conditions of the BSD License which accompanies 
+this distribution.  The full text of the license may be found at 
+http://opensource.org/licenses/bsd-license.php

Thanks,
Hot

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sukerkar, Amol N
Sent: Saturday, January 18, 2020 6:32
To: devel@edk2.groups.io
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>; Lakkimsetti, Subash <subash.lakkimsetti@intel.com>
Subject: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API

This commit introduces a Unified Hash API to calculate hash using a hashing algorithm specified by the PCD, PcdSystemHashPolicy. This library interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate the desired hash by setting PcdSystemHashPolicy to appropriate value.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
 CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c | 254 ++++++++++++++++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c    | 100 ++++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c    | 101 ++++++++
 CryptoPkg/CryptoPkg.dec                           |  21 ++
 CryptoPkg/CryptoPkg.dsc                           |   6 +-
 CryptoPkg/CryptoPkg.uni                           |  17 ++
 CryptoPkg/Include/Library/BaseHashLib.h           |  85 +++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h |  72 ++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf  |  45 ++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni  |  17 ++
 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf  |  46 ++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni  |  16 ++
 12 files changed, 779 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
new file mode 100644
index 000000000000..217537566796
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
@@ -0,0 +1,254 @@
+/** @file
+  Implement image verification services for secure boot service
+
+  Caution: This file requires additional review when modified.
+  This library will have external input - PE/COFF image.
+  This external input must be validated carefully to avoid security 
+ issue like  buffer overflow, integer overflow.
+
+  DxeImageVerificationLibImageRead() function will make sure the 
+ PE/COFF image content  read is within the image buffer.
+
+  DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() 
+ function will accept  untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> This 
+program and the accompanying materials are licensed and made available 
+under the terms and conditions of the BSD License which accompanies 
+this distribution.  The full text of the license may be found at 
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h> #include 
+<Library/BaseCryptLib.h> #include <Library/DebugLib.h> #include 
+<Library/PcdLib.h> #include <Library/BaseHashLib.h>
+
+#include "BaseHashLibCommon.h"
+
+/**
+  Init hash sequence with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy  Hash Algorithm Policy.
+  @param HashHandle  Hash handle.
+
+  @retval TRUE       Hash start and HashHandle returned.
+  @retval FALSE      Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashInitInternal (
+  IN UINT8          HashPolicy,
+  OUT HASH_HANDLE   *HashHandle
+  )
+{
+  BOOLEAN  Status;
+  VOID     *HashCtx;
+  UINTN    CtxSize;
+
+  switch (HashPolicy) {
+    case HASH_MD4:
+      CtxSize = Md4GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Md4Init (HashCtx);
+      break;
+
+    case HASH_MD5:
+      CtxSize = Md5GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+     Status = Md5Init (HashCtx);
+      break;
+
+    case HASH_SHA1:
+      CtxSize = Sha1GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sha1Init (HashCtx);
+      break;
+
+    case HASH_SHA256:
+      CtxSize = Sha256GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sha256Init (HashCtx);
+      break;
+
+    case HASH_SHA384:
+      CtxSize = Sha384GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sha384Init (HashCtx);
+      break;
+
+    case HASH_SHA512:
+      CtxSize = Sha512GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sha512Init (HashCtx);
+      break;
+
+    case HASH_SM3_256:
+      CtxSize = Sm3GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sm3Init (HashCtx);
+      break;
+
+    default:
+      ASSERT (FALSE);
+      break;
+  }
+
+  *HashHandle = (HASH_HANDLE)HashCtx;
+
+  return Status;
+}
+
+/**
+  Update hash data with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy    Hash Algorithm Policy.
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashUpdateInternal (
+  IN UINT8        HashPolicy,
+  IN HASH_HANDLE  HashHandle,
+  IN VOID         *DataToHash,
+  IN UINTN        DataToHashLen
+  )
+{
+  BOOLEAN  Status;
+  VOID     *HashCtx;
+
+  HashCtx = (VOID *)HashHandle;
+
+  switch (HashPolicy) {
+    case HASH_MD4:
+      Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_MD5:
+      Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SHA1:
+      Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SHA256:
+      Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SHA384:
+      Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SHA512:
+      Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SM3_256:
+      Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    default:
+      ASSERT (FALSE);
+      break;
+  }
+
+  return Status;
+}
+
+/**
+  Hash complete with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy    Hash Algorithm Policy.
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashFinalInternal (
+  IN UINT8        HashPolicy,
+  IN HASH_HANDLE  HashHandle,
+  OUT UINT8       **Digest
+  )
+{
+  BOOLEAN  Status;
+  VOID     *HashCtx;
+  UINT8    DigestData[SHA512_DIGEST_SIZE];
+
+  HashCtx = (VOID *)HashHandle;
+
+  switch (HashPolicy) {
+    case HASH_MD4:
+      Status = Md4Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
+      break;
+
+    case HASH_MD5:
+      Status = Md5Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
+      break;
+
+    case HASH_SHA1:
+      Status = Sha1Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
+      break;
+
+    case HASH_SHA256:
+      Status = Sha256Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
+      break;
+
+    case HASH_SHA384:
+      Status = Sha384Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
+      break;
+
+    case HASH_SHA512:
+      Status = Sha512Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
+      break;
+
+    case HASH_SM3_256:
+      Status = Sm3Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
+      break;
+
+    default:
+      ASSERT (FALSE);
+      break;
+  }
+
+  FreePool (HashCtx);
+
+  return Status;
+}
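Review bot: The default: branches in HashInitInternal, HashUpdateInternal and HashFinalInternal only ASSERT (FALSE), so in a build where ASSERT is compiled out an unsupported HashPolicy falls through with Status never assigned, and HashInitInternal additionally writes an uninitialized HashCtx into *HashHandle. Initialize Status to FALSE and HashCtx to NULL, and return FALSE from the default case without touching the handle. The same reasoning applies to ASSERT (HashCtx != NULL) after each AllocatePool, which should be a real check that returns FALSE. HashFinalInternal also copies DigestData into *Digest without testing Status and without knowing how large the caller's buffer is. Separately, the file header ("Implement image verification services for secure boot service", DxeImageVerificationHandler, the long-form BSD license text) does not describe this file; replace it with a description of the hash dispatch code and the SPDX BSD-2-Clause-Patent tag used by the other new files.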
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
new file mode 100644
index 000000000000..226c2d6a4aae
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
@@ -0,0 +1,100 @@
+/** @file
+  This library is Unified Hash API. It will redirect hash request to
+  the hash handler specified by PcdSystemHashPolicy such as SHA1, 
+SHA256,
+  SHA384 and SM3...
+
+Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h> #include <Library/DebugLib.h> 
+#include <Library/PcdLib.h> #include <Library/BaseHashLib.h>
+
+#include "BaseHashLibCommon.h"
+
+/**
+  Init hash sequence.
+
+  @param HashHandle  Hash handle.
+
+  @retval TRUE       Hash start and HashHandle returned.
+  @retval FALSE      Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+  OUT  HASH_HANDLE   *HashHandle
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+  HASH_HANDLE Handle;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashInitInternal (HashPolicy, &Handle);
+
+  *HashHandle = Handle;
+
+  return Status;
+}
+
+/**
+  Update hash data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+  IN HASH_HANDLE    HashHandle,
+  IN VOID           *DataToHash,
+  IN UINTN          DataToHashLen
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash, 
+ DataToHashLen);
+
+  return Status;
+}
+
+/**
+  Hash complete.
+
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+  IN  HASH_HANDLE HashHandle,
+  OUT UINT8       *Digest
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
+
+  return Status;
+}
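Review bot: In HashApiFinal the call HashFinalInternal (HashPolicy, &HashHandle, &Digest) passes the address of the HashHandle parameter where the prototype expects the HASH_HANDLE value itself. HashFinalInternal casts that argument to the context pointer, so the Final routine and FreePool would operate on the address of a local variable and the context allocated in HashApiInit is never freed. BaseHashLibPei.c passes HashHandle without the ampersand; do the same here. HashApiInit also copies Handle into *HashHandle even when HashInitInternal returned FALSE, so the caller receives a handle it must not use; set it only on success.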
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
new file mode 100644
index 000000000000..a9fa0d978088
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
@@ -0,0 +1,101 @@
+/** @file
+  This library is Unified Hash API. It will redirect hash request to
+  the hash handler specified by PcdSystemHashPolicy such as SHA1, 
+SHA256,
+  SHA384 and SM3...
+
+Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h> #include <Library/DebugLib.h> 
+#include <Library/PcdLib.h> #include <Library/HobLib.h> #include 
+<Library/BaseHashLib.h>
+
+#include "BaseHashLibCommon.h"
+
+/**
+  Init hash sequence.
+
+  @param HashHandle  Hash handle.
+
+  @retval TRUE       Hash start and HashHandle returned.
+  @retval FALSE      Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+  OUT  HASH_HANDLE   *HashHandle
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+  HASH_HANDLE Handle;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashInitInternal (HashPolicy, &Handle);
+
+  *HashHandle = Handle;
+
+  return Status;
+}
+
+/**
+  Update hash data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+  IN HASH_HANDLE    HashHandle,
+  IN VOID           *DataToHash,
+  IN UINTN          DataToHashLen
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash, 
+ DataToHashLen);
+
+  return Status;
+}
+
+/**
+  Hash complete.
+
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+  IN  HASH_HANDLE HashHandle,
+  OUT UINT8      *Digest
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
+
+  return Status;
+}
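Review bot: HashApiInit, HashApiUpdate and HashApiFinal each call PcdGet8 (PcdSystemHashPolicy) again, and the .dec in this patch allows that PCD to be PcdsDynamic or PcdsDynamicEx, so the policy can change between HashApiInit and HashApiFinal and a context allocated for one algorithm would then be handed to another algorithm's Update or Final routine. Read the policy once in HashApiInit and keep it with the context behind HASH_HANDLE (the same applies to BaseHashLibDxe.c). Library/HobLib.h is included but nothing in this file uses a HOB service; drop the include or add HobLib to [LibraryClasses] in BaseHashLibPei.inf.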
diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec index a548ec7ddc71..9288c652f8e4 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -33,10 +33,31 @@ [LibraryClasses]
   ##
   TlsLib|Include/Library/TlsLib.h
 
+  ##  @libraryclass  Provides Unified API for different hash implementations.
+  #
+  BaseHashLib|Include/Library/BaseHashLib.h
+
 [Guids]
   ## Security package token space guid.
   # Include/Guid/CryptoPkgTokenSpace.h
   gEfiCryptoPkgTokenSpaceGuid      = { 0xd3fb176, 0x9569, 0x4d51, { 0xa3, 0xef, 0x7d, 0x61, 0xc6, 0x4f, 0xea, 0xba }}
 
+[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+  ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF 
+image
+  #  Based on the value set, the required algorithm is chosen to verify
+  #  the unsigned image during Secure Boot.<BR>
+  #  The hashing algorithm selected must match the hashing algorithm 
+used to
+  #  hash the image to be added to DB using tools such as KeyEnroll.<BR>
+  #     0x00000001    - MD4.<BR>
+  #     0x00000002    - MD5.<BR>
+  #     0x00000003    - SHA1.<BR>
+  #     0x00000004    - SHA256.<BR>
+  #     0x00000005    - SHA384.<BR>
+  #     0x00000006    - SHA512.<BR>
+  #     0x00000007    - SM3_256.<BR>
+  # @Prompt Set policy for hashing unsigned image for Secure Boot.
+  # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
+  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x00000001
+
 [UserExtensions.TianoCore."ExtraFiles"]
   CryptoPkgExtra.uni
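Review bot: The value list for PcdSystemHashPolicy lets a platform select MD4 (0x01), MD5 (0x02) or SHA1 (0x03) for what the comment describes as verifying images during Secure Boot, and all three have known collision attacks. Either restrict @ValidRange to 0x04 - 0x07 or explain in the comment why the weaker algorithms must remain selectable. The PCD is declared UINT8 while @ValidRange and the value list use 32-bit literals (0x00000001 - 0x00000007); write them as 0x01 - 0x07 to match the type. Consider whether PcdsDynamic and PcdsDynamicEx are needed at all, since a policy that can change at run time has to be handled by every caller that holds an open hash context.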
diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc index ec43c1f0a47e..1d2956d20483 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -1,7 +1,7 @@
 ## @file
 #  Cryptographic Library Package for UEFI Security Implementation.
 #
-#  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2020, Intel Corporation. All rights 
+reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent  #  ## @@ -62,9 +62,11 @@ [LibraryClasses.ARM]
 
 [LibraryClasses.common.PEIM]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+  BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
 
 [LibraryClasses.common.DXE_DRIVER]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+  BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
 
 [LibraryClasses.common.DXE_RUNTIME_DRIVER]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -120,6 +122,8 @@ [Components]
   CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
   CryptoPkg/Library/OpensslLib/OpensslLib.inf
   CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
+  CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
 
 [Components.IA32, Components.X64]
   CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
diff --git a/CryptoPkg/CryptoPkg.uni b/CryptoPkg/CryptoPkg.uni index beb0036ef583..ebbebed4924d 100644
--- a/CryptoPkg/CryptoPkg.uni
+++ b/CryptoPkg/CryptoPkg.uni
@@ -17,3 +17,20 @@
 
 
 
+#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT  #language en-US "HASH algorithm to verify unsigned PE/COFF image"
+
+#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP  #language en-US "This PCD indicates the HASH algorithm to verify unsigned PE/COFF image.<BR><BR>\n"
+                                                                                        "Based on the value set, the required algorithm is chosen to verify\n"
+                                                                                        "the unsigned image during Secure Boot.<BR>\n"
+                                                                                        "The hashing algorithm selected must match the hashing algorithm used to\n"
+                                                                                        "hash the image to be added to DB using tools such as KeyEnroll.<BR>\n"
+                                                                                        "0x00000001  -  MD4.<BR>\n"
+                                                                                        "0x00000002  -  MD5.<BR>\n"
+                                                                                        "0x00000003  -  SHA1.<BR>\n"
+                                                                                        "0x00000004  -  SHA256.<BR>\n"
+                                                                                        "0x00000005  -  SHA384.<BR>\n"
+                                                                                        "0x00000006  -  SHA512.<BR>\n"
+                                                                                        "0x00000007  -  SM3.<BR>"
+
+
+
diff --git a/CryptoPkg/Include/Library/BaseHashLib.h b/CryptoPkg/Include/Library/BaseHashLib.h
new file mode 100644
index 000000000000..c07e4a9a44aa
--- /dev/null
+++ b/CryptoPkg/Include/Library/BaseHashLib.h
@@ -0,0 +1,85 @@
+/** @file
+  The internal header file includes the common header files, defines
+  internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR> 
+This program and the accompanying materials are licensed and made 
+available under the terms and conditions of the BSD License which 
+accompanies this distribution.  The full text of the license may be 
+found at http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_H_
+#define __BASEHASHLIB_H_
+
+#include <Uefi.h>
+
+typedef UINTN  HASH_HANDLE;
+
+//
+// Hash Algorithms
+//
+#define HASH_INVALID    0x00000000
+#define HASH_MD4        0x00000001
+#define HASH_MD5        0x00000002
+#define HASH_SHA1       0x00000003
+#define HASH_SHA256     0x00000004
+#define HASH_SHA384     0x00000005
+#define HASH_SHA512     0x00000006
+#define HASH_SM3_256    0x00000007
+#define HASH_MAX        0x00000008
+
+
+/**
+  Init hash sequence.
+
+  @param HashHandle  Hash handle.
+
+  @retval TRUE       Hash start and HashHandle returned.
+  @retval FALSE      Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+  OUT  HASH_HANDLE   *HashHandle
+);
+
+/**
+  Update hash data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+  IN HASH_HANDLE    HashHandle,
+  IN VOID           *DataToHash,
+  IN UINTN          DataToHashLen
+);
+
+/**
+  Hash complete.
+
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+  IN  HASH_HANDLE HashHandle,
+  OUT UINT8       *Digest
+);
+
+#endif
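Review bot: HashApiFinal takes only OUT UINT8 *Digest, with no digest size parameter and no companion call that reports how large the digest is for the configured policy, so a caller cannot size the buffer without reading PcdSystemHashPolicy itself, while the implementation copies up to SHA512_DIGEST_SIZE bytes into it. Add an IN UINTN DigestSize argument (or a function that returns the digest size) and document the requirement in the function comment. The file header describes an internal header of ImageVerificationLib and carries the long-form BSD license text instead of the SPDX tag, although this is the public header of the new library class. HASH_INVALID and HASH_MAX are defined but the implementation in this patch does not use them to range-check the policy.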
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
new file mode 100644
index 000000000000..b022284d1a27
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
@@ -0,0 +1,72 @@
+/** @file
+  The internal header file includes the common header files, defines
+  internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR> 
+This program and the accompanying materials are licensed and made 
+available under the terms and conditions of the BSD License which 
+accompanies this distribution.  The full text of the license may be 
+found at http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_COMMON_H_
+#define __BASEHASHLIB_COMMON_H_
+
+/**
+  Init hash sequence with Hash Algorithm specified by HashPolicy.
+
+  @param HashHandle Hash handle.
+
+  @retval EFI_SUCCESS          Hash start and HashHandle returned.
+  @retval EFI_UNSUPPORTED      System has no HASH library registered.
+**/
+BOOLEAN
+EFIAPI
+HashInitInternal (
+  IN UINT8          HashPolicy,
+  OUT HASH_HANDLE   *HashHandle
+  );
+
+/**
+  Hash complete with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy    Hash Algorithm Policy.
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashUpdateInternal (
+  IN UINT8        HashPolicy,
+  IN HASH_HANDLE  HashHandle,
+  IN VOID         *DataToHash,
+  IN UINTN        DataToHashLen
+  );
+
+/**
+  Update hash data with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy    Hash Algorithm Policy.
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashFinalInternal (
+  IN UINT8        HashPolicy,
+  IN HASH_HANDLE  HashHandle,
+  OUT UINT8       **Digest
+  );
+
+#endif
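Review bot: The function comments are attached to the wrong prototypes: HashUpdateInternal carries the "Hash complete ..." block with a Digest parameter, and HashFinalInternal carries the "Update hash data ..." block with DataToHash and DataToHashLen. Swap them. The HashInitInternal comment omits @param HashPolicy and lists EFI_SUCCESS and EFI_UNSUPPORTED as return values although the function returns BOOLEAN. The header also uses HASH_HANDLE without including Library/BaseHashLib.h, so it only compiles when that header happens to be included first.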
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
new file mode 100644
index 000000000000..732c8f0d1f47
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
@@ -0,0 +1,45 @@
+## @file
+#  Provides hash service by registered hash handler # #  This library 
+is Base Hash Lib. It will redirect hash request to each individual #
+hash handler registered, such as SHA1, SHA256, SHA384, SM3.
+#
+# Copyright (c) 2018 - 2020, Intel Corporation. All rights 
+reserved.<BR> # SPDX-License-Identifier: BSD-2-Clause-Patent # ##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = BaseHashLibDxe
+  MODULE_UNI_FILE                = BaseHashLibDxe.uni
+  FILE_GUID                      = 158DC712-F15A-44dc-93BB-1675045BE066
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64
+#
+
+[Sources]
+  BaseHashLibCommon.h
+  BaseHashLibCommon.c
+  BaseHashLibDxe.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  BaseCryptLib
+  PcdLib
+
+[Pcd]
+  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy    ## CONSUMES
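Review bot: LIBRARY_CLASS advertises DXE_RUNTIME_DRIVER, DXE_SMM_DRIVER, UEFI_APPLICATION and UEFI_DRIVER in addition to DXE_DRIVER, but CryptoPkg.dsc in this patch maps BaseHashLib only for PEIM and DXE_DRIVER, and the implementation allocates its context with AllocatePool on every HashApiInit. Either limit LIBRARY_CLASS to the module types that have been built and tested, or state how the allocation is expected to behave for runtime and SMM callers. The file header still says "each individual hash handler registered", while the library dispatches to the single algorithm selected by PcdSystemHashPolicy.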
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
new file mode 100644
index 000000000000..53e025918828
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
@@ -0,0 +1,17 @@
+// /** @file
+// Provides hash service by registered hash handler // // This library 
+is Unified Hash API. It will redirect hash request to each individual 
+// hash handler registered, such as SHA1, SHA256. Platform can use 
+PcdTpm2HashMask to // mask some hash engines.
+//
+// Copyright (c) 2018 - 2020, Intel Corporation. All rights 
+reserved.<BR> // // SPDX-License-Identifier: BSD-2-Clause-Patent // // 
+**/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Provides hash service by specified hash handler"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This library is Unified Hash API. It will redirect hash request to the hash handler specified by PcdSystemHashPolicy."
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
new file mode 100644
index 000000000000..4ff23f88c1c3
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
@@ -0,0 +1,46 @@
+## @file
+#  Provides hash service by registered hash handler # #  This library 
+is BaseCrypto router. It will redirect hash request to each individual 
+#  hash handler registered, such as SHA1, SHA256, SM3.
+#
+# Copyright (c) 2018 - 2020, Intel Corporation. All rights 
+reserved.<BR> # SPDX-License-Identifier: BSD-2-Clause-Patent # ##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = BaseHashLibPei
+  MODULE_UNI_FILE                = BaseHashLibPei.uni
+  FILE_GUID                      = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
+  MODULE_TYPE                    = PEIM
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = BaseHashLib|PEIM
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64
+#
+
+[Sources]
+  BaseHashLibCommon.h
+  BaseHashLibCommon.c
+  BaseHashLibPei.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  CryptoPkg/CryptoPkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  BaseCryptLib
+  PcdLib
+
+[Pcd]
+  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy    ## CONSUMES
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni
new file mode 100644
index 000000000000..a1abcc1cdfa0
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni
@@ -0,0 +1,16 @@
+// /** @file
+// Provides hash service by registered hash handler // // This library 
+is Unified Hash API. It will redirect hash request to each individual 
+// hash handler registered, such as SHA1, SHA256.
+//
+// Copyright (c) 2018 - 2020, Intel Corporation. All rights 
+reserved.<BR> // // SPDX-License-Identifier: BSD-2-Clause-Patent // // 
+**/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Provides hash service by specified hash handler"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This library is Unified Hash API. It will redirect hash request to the hash handler specified by PcdSystemHashPolicy."
--
2.16.2.windows.1





^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [PATCH v4 1/2] CryptoPkg: Add CryptoPkg Token Space GUID
  2020-01-17 22:31 ` [PATCH v4 1/2] CryptoPkg: Add CryptoPkg Token Space GUID Sukerkar, Amol N
@ 2020-01-20 16:54   ` Wang, Jian J
  0 siblings, 0 replies; 8+ messages in thread
From: Wang, Jian J @ 2020-01-20 16:54 UTC (permalink / raw)
  To: Sukerkar, Amol N, devel@edk2.groups.io
  Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas,
	Lakkimsetti, Subash

Amol,

One comment below.

> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Saturday, January 18, 2020 6:32 AM
> To: devel@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal,
> Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>;
> Lakkimsetti, Subash <subash.lakkimsetti@intel.com>
> Subject: [PATCH v4 1/2] CryptoPkg: Add CryptoPkg Token Space GUID
> 
> Added CryptoPkg Token Space GUID to be able to define PCDs.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> ---
>  CryptoPkg/CryptoPkg.dec                      |  7 ++++++-
>  CryptoPkg/Include/Guid/CryptoPkgTokenSpace.h | 19 +++++++++++++++++++
>  2 files changed, 25 insertions(+), 1 deletion(-)
> 
> diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
> index 08bedd57daad..a548ec7ddc71 100644
> --- a/CryptoPkg/CryptoPkg.dec
> +++ b/CryptoPkg/CryptoPkg.dec
> @@ -4,7 +4,7 @@
>  #  This Package provides cryptographic-related libraries for UEFI security
> modules.
>  #  It also provides a test application to test libraries.
>  #
> -#  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
>  ##
> @@ -33,5 +33,10 @@ [LibraryClasses]
>    ##
>    TlsLib|Include/Library/TlsLib.h
> 
> +[Guids]
> +  ## Security package token space guid.
> +  # Include/Guid/CryptoPkgTokenSpace.h
> +  gEfiCryptoPkgTokenSpaceGuid      = { 0xd3fb176, 0x9569, 0x4d51, { 0xa3, 0xef,
> 0x7d, 0x61, 0xc6, 0x4f, 0xea, 0xba }}
> +
>  [UserExtensions.TianoCore."ExtraFiles"]
>    CryptoPkgExtra.uni
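
Review bot: The comment on the new [Guids] entry reads "Security package token space guid", which does not describe a CryptoPkg GUID and should name CryptoPkg instead. Since a token space GUID has to be unique to its package, please also confirm that the value { 0xd3fb176, 0x9569, 0x4d51, ... } was generated for CryptoPkg and was not carried over together with that comment.
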
> diff --git a/CryptoPkg/Include/Guid/CryptoPkgTokenSpace.h
> b/CryptoPkg/Include/Guid/CryptoPkgTokenSpace.h
> new file mode 100644
> index 000000000000..ed3626d7b4e1
> --- /dev/null
> +++ b/CryptoPkg/Include/Guid/CryptoPkgTokenSpace.h
> @@ -0,0 +1,19 @@
> +/** @file
> +  GUID for CryptoPkg PCD Token Space.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>

I think this is a new file, which should start from this year.

Regards,
Jian

> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef _CRYPTOPKG_TOKEN_SPACE_GUID_H_
> +#define _CRYPTOPKG_TOKEN_SPACE_GUID_H_
> +
> +#define CRYPTOPKG_TOKEN_SPACE_GUID \
> +  { \
> +    0x7c4b0548, 0xd267, 0x451f, { 0xb5, 0x68, 0x58, 0x4f, 0x82, 0xb2, 0x1c,
> 0x89 } \
> +  }
> +
> +extern EFI_GUID gEfiCryptoPkgTokenSpaceGuid;
> +
> +#endif
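
Review bot: CRYPTOPKG_TOKEN_SPACE_GUID is defined here as { 0x7c4b0548, 0xd267, 0x451f, ... }, while the CryptoPkg.dec hunk of the same patch declares gEfiCryptoPkgTokenSpaceGuid as { 0xd3fb176, 0x9569, 0x4d51, ... }. Code that uses the macro and code that uses the extern variable would then refer to two different token spaces; make the two values identical.
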
> --
> 2.16.2.windows.1



* Re: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API
  2020-01-17 22:32 ` [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API Sukerkar, Amol N
  2020-01-17 23:33   ` [edk2-devel] " Hot Tian
@ 2020-01-20 17:17   ` Wang, Jian J
  2020-01-23 15:24     ` Sukerkar, Amol N
  1 sibling, 1 reply; 8+ messages in thread
From: Wang, Jian J @ 2020-01-20 17:17 UTC (permalink / raw)
  To: devel@edk2.groups.io, Sukerkar, Amol N
  Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas,
	Lakkimsetti, Subash

Amol,

One general comment in advance. The switch/case statements use the parameter
HashPolicy. Since it's a local variable, not a constant, I'm not sure whether or
not the compiler will optimize out the hash algorithm choices that are not in
effect. Please double check the linked code. If not, you should not pass the
value of PcdSystemHashPolicy via a parameter. Instead, you should use this PCD
directly in the switch/case.

See my other comments below.


> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sukerkar,
> Amol N
> Sent: Saturday, January 18, 2020 6:32 AM
> To: devel@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal,
> Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>;
> Lakkimsetti, Subash <subash.lakkimsetti@intel.com>
> Subject: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement
> Unified Hash Calculation API
> 
> This commit introduces a Unified Hash API to calculate hash using a
> hashing algorithm specified by the PCD, PcdSystemHashPolicy. This library
> interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
> SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate
> the desired hash by setting PcdSystemHashPolicy to appropriate value.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> ---
>  CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c | 254
> ++++++++++++++++++++
>  CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c    | 100 ++++++++
>  CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c    | 101 ++++++++
>  CryptoPkg/CryptoPkg.dec                           |  21 ++
>  CryptoPkg/CryptoPkg.dsc                           |   6 +-
>  CryptoPkg/CryptoPkg.uni                           |  17 ++
>  CryptoPkg/Include/Library/BaseHashLib.h           |  85 +++++++
>  CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h |  72 ++++++
>  CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf  |  45 ++++
>  CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni  |  17 ++
>  CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf  |  46 ++++
>  CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni  |  16 ++
>  12 files changed, 779 insertions(+), 1 deletion(-)
> 
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
> new file mode 100644
> index 000000000000..217537566796
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
> @@ -0,0 +1,254 @@
> +/** @file
> +  Implement image verification services for secure boot service
> +
> +  Caution: This file requires additional review when modified.
> +  This library will have external input - PE/COFF image.
> +  This external input must be validated carefully to avoid security issue like
> +  buffer overflow, integer overflow.
> +
> +  DxeImageVerificationLibImageRead() function will make sure the PE/COFF
> image content
> +  read is within the image buffer.
> +
> +  DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage()
> function will accept
> +  untrusted PE/COFF image and validate its data structure within this image
> buffer before use.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution.  The full text of the license may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/BaseCryptLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/PcdLib.h>
> +#include <Library/BaseHashLib.h>
> +
> +#include "BaseHashLibCommon.h"
> +
> +/**
> +  Init hash sequence with Hash Algorithm specified by HashPolicy.
> +
> +  @param HashPolicy  Hash Algorithm Policy.
> +  @param HashHandle  Hash handle.
> +
> +  @retval TRUE       Hash start and HashHandle returned.
> +  @retval FALSE      Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashInitInternal (
> +  IN UINT8          HashPolicy,
> +  OUT HASH_HANDLE   *HashHandle
> +  )
> +{
> +  BOOLEAN  Status;
> +  VOID     *HashCtx;
> +  UINTN    CtxSize;
> +
> +  switch (HashPolicy) {
> +    case HASH_MD4:
> +      CtxSize = Md4GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +      Status = Md4Init (HashCtx);
> +      break;
> +
> +    case HASH_MD5:
> +      CtxSize = Md5GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +     Status = Md5Init (HashCtx);
> +      break;
> +
> +    case HASH_SHA1:
> +      CtxSize = Sha1GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +      Status = Sha1Init (HashCtx);
> +      break;
> +
> +    case HASH_SHA256:
> +      CtxSize = Sha256GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +      Status = Sha256Init (HashCtx);
> +      break;
> +
> +    case HASH_SHA384:
> +      CtxSize = Sha384GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +      Status = Sha384Init (HashCtx);
> +      break;
> +
> +    case HASH_SHA512:
> +      CtxSize = Sha512GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +      Status = Sha512Init (HashCtx);
> +      break;
> +
> +    case HASH_SM3_256:
> +      CtxSize = Sm3GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +      Status = Sm3Init (HashCtx);
> +      break;
> +
> +    default:
> +      ASSERT (FALSE);
> +      break;

(1) Status was not initialized before. Although there's an ASSERT, I still suggest
assigning FALSE to Status in the 'default' case.

> +  }
> +
> +  *HashHandle = (HASH_HANDLE)HashCtx;
> +
> +  return Status;
> +}
> +
> +/**
> +  Update hash data with Hash Algorithm specified by HashPolicy.
> +
> +  @param HashPolicy    Hash Algorithm Policy.
> +  @param HashHandle    Hash handle.
> +  @param DataToHash    Data to be hashed.
> +  @param DataToHashLen Data size.
> +
> +  @retval TRUE         Hash updated.
> +  @retval FALSE        Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashUpdateInternal (
> +  IN UINT8        HashPolicy,
> +  IN HASH_HANDLE  HashHandle,
> +  IN VOID         *DataToHash,
> +  IN UINTN        DataToHashLen
> +  )
> +{
> +  BOOLEAN  Status;
> +  VOID     *HashCtx;
> +
> +  HashCtx = (VOID *)HashHandle;
> +
> +  switch (HashPolicy) {
> +    case HASH_MD4:
> +      Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    case HASH_MD5:
> +      Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    case HASH_SHA1:
> +      Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    case HASH_SHA256:
> +      Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    case HASH_SHA384:
> +      Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    case HASH_SHA512:
> +      Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    case HASH_SM3_256:
> +      Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    default:
> +      ASSERT (FALSE);
> +      break;

(2) Same as (1). I suggest assigning FALSE to Status in the 'default' case.

> +  }
> +
> +  return Status;
> +}
> +
> +/**
> +  Hash complete with Hash Algorithm specified by HashPolicy.
> +
> +  @param HashPolicy    Hash Algorithm Policy.
> +  @param HashHandle    Hash handle.
> +  @param Digest        Hash Digest.
> +
> +  @retval TRUE         Hash complete and Digest is returned.
> +  @retval FALSE        Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashFinalInternal (
> +  IN UINT8        HashPolicy,
> +  IN HASH_HANDLE  HashHandle,
> +  OUT UINT8       **Digest
> +  )
> +{
> +  BOOLEAN  Status;
> +  VOID     *HashCtx;
> +  UINT8    DigestData[SHA512_DIGEST_SIZE];
> +

(3) Why do you need an additional buffer here? The extra copy can be
avoided by passing '*Digest' to the XxxFinal function below. Am I
missing something here?

> +  HashCtx = (VOID *)HashHandle;
> +
> +  switch (HashPolicy) {
> +    case HASH_MD4:
> +      Status = Md4Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
> +      break;
> +
> +    case HASH_MD5:
> +      Status = Md5Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
> +      break;
> +
> +    case HASH_SHA1:
> +      Status = Sha1Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
> +      break;
> +
> +    case HASH_SHA256:
> +      Status = Sha256Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
> +      break;
> +
> +    case HASH_SHA384:
> +      Status = Sha384Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
> +      break;
> +
> +    case HASH_SHA512:
> +      Status = Sha512Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
> +      break;
> +
> +    case HASH_SM3_256:
> +      Status = Sm3Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
> +      break;
> +
> +    default:
> +      ASSERT (FALSE);
> +      break;

(4) Same as (1) and (2).

> +  }
> +
> +  FreePool (HashCtx);
> +
> +  return Status;
> +}
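
Review bot: In HashInitInternal every AllocatePool result is checked only with ASSERT (HashCtx != NULL), so in a build where ASSERT is compiled out a failed allocation is handed to Md4Init ... Sm3Init and then stored in *HashHandle; test for NULL and return FALSE instead. The default case also leaves HashCtx unset before "*HashHandle = (HASH_HANDLE)HashCtx", and HashFinalInternal still calls FreePool (HashCtx) on its own default path. HashFinalInternal writes up to SHA512_DIGEST_SIZE bytes to *Digest with no length argument, so the size of the caller's buffer is never checked. The @file header describes DxeImageVerificationLib and PE/COFF handling, not this library.
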
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
> new file mode 100644
> index 000000000000..226c2d6a4aae
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
> @@ -0,0 +1,100 @@
> +/** @file
> +  This library is Unified Hash API. It will redirect hash request to
> +  the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256,
> +  SHA384 and SM3...
> +
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>

(5) This is a new file. The start year should be 2020.

> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/PcdLib.h>
> +#include <Library/BaseHashLib.h>
> +
> +#include "BaseHashLibCommon.h"
> +
> +/**
> +  Init hash sequence.
> +
> +  @param HashHandle  Hash handle.
> +
> +  @retval TRUE       Hash start and HashHandle returned.
> +  @retval FALSE      Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> +  OUT  HASH_HANDLE   *HashHandle
> +)
> +{
> +  BOOLEAN     Status;
> +  UINT8       HashPolicy;
> +  HASH_HANDLE Handle;
> +
> +  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> +
> +  Status = HashInitInternal (HashPolicy, &Handle);
> +
> +  *HashHandle = Handle;
> +
> +  return Status;
> +}
> +
> +/**
> +  Update hash data.
> +
> +  @param HashHandle    Hash handle.
> +  @param DataToHash    Data to be hashed.
> +  @param DataToHashLen Data size.
> +
> +  @retval TRUE         Hash updated.
> +  @retval FALSE        Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> +  IN HASH_HANDLE    HashHandle,
> +  IN VOID           *DataToHash,
> +  IN UINTN          DataToHashLen
> +)
> +{
> +  BOOLEAN     Status;
> +  UINT8       HashPolicy;
> +
> +  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> +
> +  Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
> +
> +  return Status;
> +}
> +
> +/**
> +  Hash complete.
> +
> +  @param HashHandle    Hash handle.
> +  @param Digest        Hash Digest.
> +
> +  @retval TRUE         Hash complete and Digest is returned.
> +  @retval FALSE        Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> +  IN  HASH_HANDLE HashHandle,
> +  OUT UINT8       *Digest
> +)
> +{
> +  BOOLEAN     Status;
> +  UINT8       HashPolicy;
> +
> +  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> +
> +  Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
> +
> +  return Status;
> +}
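
Review bot: HashApiFinal passes "&HashHandle" to HashFinalInternal, whose second parameter is a HASH_HANDLE taken by value (BaseHashLibPei.c passes "HashHandle"). With the address of the local parameter, HashFinalInternal would run XxxFinal on, and then FreePool, that address instead of the context allocated in HashInitInternal; drop the "&".
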
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
> new file mode 100644
> index 000000000000..a9fa0d978088
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
> @@ -0,0 +1,101 @@
> +/** @file
> +  This library is Unified Hash API. It will redirect hash request to
> +  the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256,
> +  SHA384 and SM3...
> +
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>

(6) This is a new file. The start year should be 2020.

> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/PcdLib.h>
> +#include <Library/HobLib.h>
> +#include <Library/BaseHashLib.h>
> +
> +#include "BaseHashLibCommon.h"
> +
> +/**
> +  Init hash sequence.
> +
> +  @param HashHandle  Hash handle.
> +
> +  @retval TRUE       Hash start and HashHandle returned.
> +  @retval FALSE      Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> +  OUT  HASH_HANDLE   *HashHandle
> +)
> +{
> +  BOOLEAN     Status;
> +  UINT8       HashPolicy;
> +  HASH_HANDLE Handle;
> +
> +  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> +
> +  Status = HashInitInternal (HashPolicy, &Handle);
> +
> +  *HashHandle = Handle;
> +
> +  return Status;
> +}
> +
> +/**
> +  Update hash data.
> +
> +  @param HashHandle    Hash handle.
> +  @param DataToHash    Data to be hashed.
> +  @param DataToHashLen Data size.
> +
> +  @retval TRUE         Hash updated.
> +  @retval FALSE        Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> +  IN HASH_HANDLE    HashHandle,
> +  IN VOID           *DataToHash,
> +  IN UINTN          DataToHashLen
> +)
> +{
> +  BOOLEAN     Status;
> +  UINT8       HashPolicy;
> +
> +  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> +
> +  Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
> +
> +  return Status;
> +}
> +
> +/**
> +  Hash complete.
> +
> +  @param HashHandle    Hash handle.
> +  @param Digest        Hash Digest.
> +
> +  @retval TRUE         Hash complete and Digest is returned.
> +  @retval FALSE        Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> +  IN  HASH_HANDLE HashHandle,
> +  OUT UINT8      *Digest
> +)
> +{
> +  BOOLEAN     Status;
> +  UINT8       HashPolicy;
> +
> +  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> +
> +  Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
> +
> +  return Status;
> +}
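
Review bot: HashApiInit, HashApiUpdate and HashApiFinal each read PcdGet8 (PcdSystemHashPolicy) again, and CryptoPkg.dec declares this PCD under PcdsDynamic and PcdsDynamicEx as well as PcdsFixedAtBuild. If the value changes between calls, a context sized and initialised for one algorithm is passed to another algorithm's Update or Final; record the policy chosen at init together with the context and dispatch on that (the same applies to BaseHashLibDxe.c). "#include <Library/HobLib.h>" is not used by anything in this file.
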
> diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
> index a548ec7ddc71..9288c652f8e4 100644
> --- a/CryptoPkg/CryptoPkg.dec
> +++ b/CryptoPkg/CryptoPkg.dec
> @@ -33,10 +33,31 @@ [LibraryClasses]
>    ##
>    TlsLib|Include/Library/TlsLib.h
> 
> +  ##  @libraryclass  Provides Unified API for different hash implementations.
> +  #
> +  BaseHashLib|Include/Library/BaseHashLib.h
> +
>  [Guids]
>    ## Security package token space guid.
>    # Include/Guid/CryptoPkgTokenSpace.h
>    gEfiCryptoPkgTokenSpaceGuid      = { 0xd3fb176, 0x9569, 0x4d51, { 0xa3, 0xef,
> 0x7d, 0x61, 0xc6, 0x4f, 0xea, 0xba }}
> 
> +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
> +  ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF image
> +  #  Based on the value set, the required algorithm is chosen to verify
> +  #  the unsigned image during Secure Boot.<BR>
> +  #  The hashing algorithm selected must match the hashing algorithm used to
> +  #  hash the image to be added to DB using tools such as KeyEnroll.<BR>
> +  #     0x00000001    - MD4.<BR>
> +  #     0x00000002    - MD5.<BR>
> +  #     0x00000003    - SHA1.<BR>
> +  #     0x00000004    - SHA256.<BR>
> +  #     0x00000005    - SHA384.<BR>
> +  #     0x00000006    - SHA512.<BR>
> +  #     0x00000007    - SM3_256.<BR>
> +  # @Prompt Set policy for hashing unsigned image for Secure Boot.
> +  # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x00000001
> +
>  [UserExtensions.TianoCore."ExtraFiles"]
>    CryptoPkgExtra.uni
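
Review bot: "@ValidRange 0x80000001 | 0x00000001 - 0x00000007" accepts MD4, MD5 and SHA1 for a PCD that the comment describes as selecting the hash used to verify images during Secure Boot; consider restricting the range to the algorithms a platform is meant to accept for that purpose, or drop the Secure Boot wording if the library is general purpose. The values are also written as 32-bit constants although the PCD is declared UINT8.
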
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index ec43c1f0a47e..1d2956d20483 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -1,7 +1,7 @@
>  ## @file
>  #  Cryptographic Library Package for UEFI Security Implementation.
>  #
> -#  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
>  ##
> @@ -62,9 +62,11 @@ [LibraryClasses.ARM]
> 
>  [LibraryClasses.common.PEIM]
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +  BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
> 
>  [LibraryClasses.common.DXE_DRIVER]
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +  BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> 
>  [LibraryClasses.common.DXE_RUNTIME_DRIVER]
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -120,6 +122,8 @@ [Components]
>    CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
>    CryptoPkg/Library/OpensslLib/OpensslLib.inf
>    CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +  CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> +  CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
> 
>  [Components.IA32, Components.X64]
>    CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> diff --git a/CryptoPkg/CryptoPkg.uni b/CryptoPkg/CryptoPkg.uni
> index beb0036ef583..ebbebed4924d 100644
> --- a/CryptoPkg/CryptoPkg.uni
> +++ b/CryptoPkg/CryptoPkg.uni
> @@ -17,3 +17,20 @@
> 
> 
> 
> +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> #language en-US "HASH algorithm to verify unsigned PE/COFF image"
> +
> +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> #language en-US "This PCD indicates the HASH algorithm to verify unsigned
> PE/COFF image.<BR><BR>\n"
> +                                                                                        "Based on the value set, the
> required algorithm is chosen to verify\n"
> +                                                                                        "the unsigned image during
> Secure Boot.<BR>\n"
> +                                                                                        "The hashing algorithm
> selected must match the hashing algorithm used to\n"
> +                                                                                        "hash the image to be added
> to DB using tools such as KeyEnroll.<BR>\n"
> +                                                                                        "0x00000001  -  MD4.<BR>\n"
> +                                                                                        "0x00000002  -  MD5.<BR>\n"
> +                                                                                        "0x00000003  -  SHA1.<BR>\n"
> +                                                                                        "0x00000004  -
> SHA256.<BR>\n"
> +                                                                                        "0x00000005  -
> SHA384.<BR>\n"
> +                                                                                        "0x00000006  -
> SHA512.<BR>\n"
> +                                                                                        "0x00000007  -  SM3.<BR>"
> +
> +
> +
> diff --git a/CryptoPkg/Include/Library/BaseHashLib.h
> b/CryptoPkg/Include/Library/BaseHashLib.h
> new file mode 100644
> index 000000000000..c07e4a9a44aa
> --- /dev/null
> +++ b/CryptoPkg/Include/Library/BaseHashLib.h
> @@ -0,0 +1,85 @@
> +/** @file
> +  The internal header file includes the common header files, defines
> +  internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution.  The full text of the license may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +

(7) License is not correct. Use the standard two-clause one.

> +**/
> +
> +#ifndef __BASEHASHLIB_H_
> +#define __BASEHASHLIB_H_
> +
> +#include <Uefi.h>
> +
> +typedef UINTN  HASH_HANDLE;
> +
> +//
> +// Hash Algorithms
> +//
> +#define HASH_INVALID    0x00000000
> +#define HASH_MD4        0x00000001
> +#define HASH_MD5        0x00000002
> +#define HASH_SHA1       0x00000003
> +#define HASH_SHA256     0x00000004
> +#define HASH_SHA384     0x00000005
> +#define HASH_SHA512     0x00000006
> +#define HASH_SM3_256    0x00000007
> +#define HASH_MAX        0x00000008
> +
> +
> +/**
> +  Init hash sequence.
> +
> +  @param HashHandle  Hash handle.
> +
> +  @retval TRUE       Hash start and HashHandle returned.
> +  @retval FALSE      Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> +  OUT  HASH_HANDLE   *HashHandle
> +);
> +
> +/**
> +  Update hash data.
> +
> +  @param HashHandle    Hash handle.
> +  @param DataToHash    Data to be hashed.
> +  @param DataToHashLen Data size.
> +
> +  @retval TRUE         Hash updated.
> +  @retval FALSE        Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> +  IN HASH_HANDLE    HashHandle,
> +  IN VOID           *DataToHash,
> +  IN UINTN          DataToHashLen
> +);
> +
> +/**
> +  Hash complete.
> +
> +  @param HashHandle    Hash handle.
> +  @param Digest        Hash Digest.
> +
> +  @retval TRUE         Hash complete and Digest is returned.
> +  @retval FALSE        Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> +  IN  HASH_HANDLE HashHandle,
> +  OUT UINT8       *Digest
> +);
> +
> +#endif
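
Review bot: HashApiFinal takes "OUT UINT8 *Digest" with no size, and the header offers no way to ask how long the digest is for the configured PcdSystemHashPolicy, so a caller has to size its buffer for the largest algorithm or it is overrun when the policy moves to a longer digest. Add a digest-size query or a buffer-length parameter. The @file text ("internal header file ... used by ImageVerificationLib") does not describe this public library class header.
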
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
> new file mode 100644
> index 000000000000..b022284d1a27
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
> @@ -0,0 +1,72 @@
> +/** @file
> +  The internal header file includes the common header files, defines
> +  internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution.  The full text of the license may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +

(8) License is not correct. Use the standard two-clause one.

> +#ifndef __BASEHASHLIB_COMMON_H_
> +#define __BASEHASHLIB_COMMON_H_
> +
> +/**
> +  Init hash sequence with Hash Algorithm specified by HashPolicy.
> +
> +  @param HashHandle Hash handle.
> +
> +  @retval EFI_SUCCESS          Hash start and HashHandle returned.
> +  @retval EFI_UNSUPPORTED      System has no HASH library registered.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashInitInternal (
> +  IN UINT8          HashPolicy,
> +  OUT HASH_HANDLE   *HashHandle
> +  );
> +
> +/**
> +  Hash complete with Hash Algorithm specified by HashPolicy.
> +
> +  @param HashPolicy    Hash Algorithm Policy.
> +  @param HashHandle    Hash handle.
> +  @param Digest        Hash Digest.
> +
> +  @retval TRUE         Hash complete and Digest is returned.
> +  @retval FALSE        Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashUpdateInternal (
> +  IN UINT8        HashPolicy,
> +  IN HASH_HANDLE  HashHandle,
> +  IN VOID         *DataToHash,
> +  IN UINTN        DataToHashLen
> +  );
> +
> +/**
> +  Update hash data with Hash Algorithm specified by HashPolicy.
> +
> +  @param HashPolicy    Hash Algorithm Policy.
> +  @param HashHandle    Hash handle.
> +  @param DataToHash    Data to be hashed.
> +  @param DataToHashLen Data size.
> +
> +  @retval TRUE         Hash updated.
> +  @retval FALSE        Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashFinalInternal (
> +  IN UINT8        HashPolicy,
> +  IN HASH_HANDLE  HashHandle,
> +  OUT UINT8       **Digest
> +  );
> +
> +#endif
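
Review bot: The function comments do not match the prototypes: HashUpdateInternal carries the "Hash complete" description with a Digest parameter, HashFinalInternal carries the "Update hash data" description, and HashInitInternal documents EFI_SUCCESS/EFI_UNSUPPORTED for a BOOLEAN return and omits @param HashPolicy. Take the comment blocks from BaseHashLibCommon.c. The header also uses HASH_HANDLE without including Library/BaseHashLib.h, so it only compiles when included after it.
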
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> new file mode 100644
> index 000000000000..732c8f0d1f47
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> @@ -0,0 +1,45 @@
> +## @file
> +#  Provides hash service by registered hash handler
> +#
> +#  This library is Base Hash Lib. It will redirect hash request to each individual
> +#  hash handler registered, such as SHA1, SHA256, SHA384, SM3.
> +#
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>

(9) This is a new file. The start year should be this year.

> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = BaseHashLibDxe
> +  MODULE_UNI_FILE                = BaseHashLibDxe.uni
> +  FILE_GUID                      = 158DC712-F15A-44dc-93BB-1675045BE066
> +  MODULE_TYPE                    = DXE_DRIVER
> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
> +
> +#
> +# The following information is for reference only and not required by the build
> tools.
> +#
> +#  VALID_ARCHITECTURES           = IA32 X64
> +#
> +
> +[Sources]
> +  BaseHashLibCommon.h
> +  BaseHashLibCommon.c
> +  BaseHashLibDxe.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  BaseCryptLib
> +  PcdLib
> +
> +[Pcd]
> +  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy    ## CONSUMES
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> new file mode 100644
> index 000000000000..53e025918828
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> @@ -0,0 +1,17 @@
> +// /** @file
> +// Provides hash service by registered hash handler
> +//
> +// This library is Unified Hash API. It will redirect hash request to each individual
> +// hash handler registered, such as SHA1, SHA256. Platform can use
> PcdTpm2HashMask to
> +// mask some hash engines.
> +//
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
> +//

(10) This is a new file. The start year should be this year.

> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT             #language en-US "Provides hash
> service by specified hash handler"
> +
> +#string STR_MODULE_DESCRIPTION          #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler specified by
> PcdSystemHashPolicy."
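
Review bot: The header comment says a platform can use PcdTpm2HashMask to mask some hash engines, but BaseHashLibDxe.inf consumes only PcdSystemHashPolicy; remove that sentence. "each individual hash handler registered" is also at odds with STR_MODULE_DESCRIPTION in the same file, which says the handler is the one specified by PcdSystemHashPolicy.
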
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
> new file mode 100644
> index 000000000000..4ff23f88c1c3
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
> @@ -0,0 +1,46 @@
> +## @file
> +#  Provides hash service by registered hash handler
> +#
> +#  This library is BaseCrypto router. It will redirect hash request to each
> individual
> +#  hash handler registered, such as SHA1, SHA256, SM3.
> +#
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>

(11) This is a new file. The start year should be this year.

> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = BaseHashLibPei
> +  MODULE_UNI_FILE                = BaseHashLibPei.uni
> +  FILE_GUID                      = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
> +  MODULE_TYPE                    = PEIM
> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  = BaseHashLib|PEIM
> +
> +#
> +# The following information is for reference only and not required by the build
> tools.
> +#
> +#  VALID_ARCHITECTURES           = IA32 X64
> +#
> +
> +[Sources]
> +  BaseHashLibCommon.h
> +  BaseHashLibCommon.c
> +  BaseHashLibPei.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  CryptoPkg/CryptoPkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  BaseCryptLib
> +  PcdLib
> +
> +[Pcd]
> +  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy    ## CONSUMES
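
Review bot: BaseHashLibPei.c includes <Library/HobLib.h>, but [LibraryClasses] here does not list HobLib; either drop the include or add the class. MdeModulePkg/MdeModulePkg.dec under [Packages] appears unnecessary, since the sources in this series include only MdePkg and CryptoPkg headers. The description "This library is BaseCrypto router ... hash handler registered" does not match selection by PcdSystemHashPolicy.
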
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni
> new file mode 100644
> index 000000000000..a1abcc1cdfa0
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni
> @@ -0,0 +1,16 @@
> +// /** @file
> +// Provides hash service by registered hash handler
> +//
> +// This library is Unified Hash API. It will redirect hash request to each individual
> +// hash handler registered, such as SHA1, SHA256.
> +//
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>

(12) This is new file. The start year should be this year.

> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT             #language en-US "Provides hash
> service by specified hash handler"
> +
> +#string STR_MODULE_DESCRIPTION          #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler specified by
> PcdSystemHashPolicy."
> --
> 2.16.2.windows.1
> 
> 
> 


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API
  2020-01-17 23:33   ` [edk2-devel] " Hot Tian
@ 2020-01-23 15:07     ` Sukerkar, Amol N
  0 siblings, 0 replies; 8+ messages in thread
From: Sukerkar, Amol N @ 2020-01-23 15:07 UTC (permalink / raw)
  To: Tian, Hot, devel@edk2.groups.io
  Cc: Kinney, Michael D, Yao, Jiewen, Wang, Jian J, Agrawal, Sachin,
	Musti, Srinivas, Lakkimsetti, Subash, Sukerkar, Amol N

Thanks, Hot! I will change the license to reflect it.

~ Amol

-----Original Message-----
From: Tian, Hot <hot.tian@intel.com> 
Sent: Friday, January 17, 2020 4:33 PM
To: devel@edk2.groups.io; Sukerkar, Amol N <amol.n.sukerkar@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>; Lakkimsetti, Subash <subash.lakkimsetti@intel.com>
Subject: RE: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API

Edk2 is now using BSD-2-Clause-Patent license.
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> This 
+program and the accompanying materials are licensed and made available 
+under the terms and conditions of the BSD License which accompanies 
+this distribution.  The full text of the license may be found at 
+http://opensource.org/licenses/bsd-license.php

Thanks,
Hot

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sukerkar, Amol N
Sent: Saturday, January 18, 2020 6:32
To: devel@edk2.groups.io
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>; Lakkimsetti, Subash <subash.lakkimsetti@intel.com>
Subject: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API

This commit introduces a Unified Hash API to calculate hash using a hashing algorithm specified by the PCD, PcdSystemHashPolicy. This library interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate the desired hash by setting PcdSystemHashPolicy to appropriate value.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
 CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c | 254 ++++++++++++++++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c    | 100 ++++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c    | 101 ++++++++
 CryptoPkg/CryptoPkg.dec                           |  21 ++
 CryptoPkg/CryptoPkg.dsc                           |   6 +-
 CryptoPkg/CryptoPkg.uni                           |  17 ++
 CryptoPkg/Include/Library/BaseHashLib.h           |  85 +++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h |  72 ++++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf  |  45 ++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni  |  17 ++
 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf  |  46 ++++
 CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni  |  16 ++
 12 files changed, 779 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
new file mode 100644
index 000000000000..217537566796
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
@@ -0,0 +1,254 @@
+/** @file
+  Implement image verification services for secure boot service
+
+  Caution: This file requires additional review when modified.
+  This library will have external input - PE/COFF image.
+  This external input must be validated carefully to avoid security 
+ issue like  buffer overflow, integer overflow.
+
+  DxeImageVerificationLibImageRead() function will make sure the 
+ PE/COFF image content  read is within the image buffer.
+
+  DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() 
+ function will accept  untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> This 
+program and the accompanying materials are licensed and made available 
+under the terms and conditions of the BSD License which accompanies 
+this distribution.  The full text of the license may be found at 
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h> #include 
+<Library/BaseCryptLib.h> #include <Library/DebugLib.h> #include 
+<Library/PcdLib.h> #include <Library/BaseHashLib.h>
+
+#include "BaseHashLibCommon.h"
+
+/**
+  Init hash sequence with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy  Hash Algorithm Policy.
+  @param HashHandle  Hash handle.
+
+  @retval TRUE       Hash start and HashHandle returned.
+  @retval FALSE      Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashInitInternal (
+  IN UINT8          HashPolicy,
+  OUT HASH_HANDLE   *HashHandle
+  )
+{
+  BOOLEAN  Status;
+  VOID     *HashCtx;
+  UINTN    CtxSize;
+
+  switch (HashPolicy) {
+    case HASH_MD4:
+      CtxSize = Md4GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Md4Init (HashCtx);
+      break;
+
+    case HASH_MD5:
+      CtxSize = Md5GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+     Status = Md5Init (HashCtx);
+      break;
+
+    case HASH_SHA1:
+      CtxSize = Sha1GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sha1Init (HashCtx);
+      break;
+
+    case HASH_SHA256:
+      CtxSize = Sha256GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sha256Init (HashCtx);
+      break;
+
+    case HASH_SHA384:
+      CtxSize = Sha384GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sha384Init (HashCtx);
+      break;
+
+    case HASH_SHA512:
+      CtxSize = Sha512GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sha512Init (HashCtx);
+      break;
+
+    case HASH_SM3_256:
+      CtxSize = Sm3GetContextSize ();
+      HashCtx = AllocatePool (CtxSize);
+      ASSERT (HashCtx != NULL);
+
+      Status = Sm3Init (HashCtx);
+      break;
+
+    default:
+      ASSERT (FALSE);
+      break;
+  }
+
+  *HashHandle = (HASH_HANDLE)HashCtx;
+
+  return Status;
+}
+
+/**
+  Update hash data with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy    Hash Algorithm Policy.
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashUpdateInternal (
+  IN UINT8        HashPolicy,
+  IN HASH_HANDLE  HashHandle,
+  IN VOID         *DataToHash,
+  IN UINTN        DataToHashLen
+  )
+{
+  BOOLEAN  Status;
+  VOID     *HashCtx;
+
+  HashCtx = (VOID *)HashHandle;
+
+  switch (HashPolicy) {
+    case HASH_MD4:
+      Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_MD5:
+      Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SHA1:
+      Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SHA256:
+      Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SHA384:
+      Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SHA512:
+      Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    case HASH_SM3_256:
+      Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
+      break;
+
+    default:
+      ASSERT (FALSE);
+      break;
+  }
+
+  return Status;
+}
+
+/**
+  Hash complete with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy    Hash Algorithm Policy.
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashFinalInternal (
+  IN UINT8        HashPolicy,
+  IN HASH_HANDLE  HashHandle,
+  OUT UINT8       **Digest
+  )
+{
+  BOOLEAN  Status;
+  VOID     *HashCtx;
+  UINT8    DigestData[SHA512_DIGEST_SIZE];
+
+  HashCtx = (VOID *)HashHandle;
+
+  switch (HashPolicy) {
+    case HASH_MD4:
+      Status = Md4Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
+      break;
+
+    case HASH_MD5:
+      Status = Md5Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
+      break;
+
+    case HASH_SHA1:
+      Status = Sha1Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
+      break;
+
+    case HASH_SHA256:
+      Status = Sha256Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
+      break;
+
+    case HASH_SHA384:
+      Status = Sha384Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
+      break;
+
+    case HASH_SHA512:
+      Status = Sha512Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
+      break;
+
+    case HASH_SM3_256:
+      Status = Sm3Final (HashCtx, DigestData);
+      CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
+      break;
+
+    default:
+      ASSERT (FALSE);
+      break;
+  }
+
+  FreePool (HashCtx);
+
+  return Status;
+}
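
Review bot: The "default:" branch of the switch in HashInitInternal() only does ASSERT (FALSE), so for an out-of-range HashPolicy in a build where ASSERT is disabled the function stores an uninitialized HashCtx into *HashHandle and returns an uninitialized Status. HashUpdateInternal() and HashFinalInternal() return an uninitialized Status the same way, and HashFinalInternal() still calls FreePool (HashCtx) on that path. Initialize Status to FALSE and HashCtx to NULL, return FALSE from the default branches, and replace each "ASSERT (HashCtx != NULL)" after AllocatePool() with a real NULL check that returns FALSE, since the XxxInit() call that follows would otherwise receive NULL. The @file header also describes image verification (DxeImageVerificationHandler, PE/COFF input) and carries the old BSD license text, neither of which matches this file.
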
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
new file mode 100644
index 000000000000..226c2d6a4aae
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
@@ -0,0 +1,100 @@
+/** @file
+  This library is Unified Hash API. It will redirect hash request to
+  the hash handler specified by PcdSystemHashPolicy such as SHA1, 
+SHA256,
+  SHA384 and SM3...
+
+Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h> #include <Library/DebugLib.h> 
+#include <Library/PcdLib.h> #include <Library/BaseHashLib.h>
+
+#include "BaseHashLibCommon.h"
+
+/**
+  Init hash sequence.
+
+  @param HashHandle  Hash handle.
+
+  @retval TRUE       Hash start and HashHandle returned.
+  @retval FALSE      Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+  OUT  HASH_HANDLE   *HashHandle
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+  HASH_HANDLE Handle;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashInitInternal (HashPolicy, &Handle);
+
+  *HashHandle = Handle;
+
+  return Status;
+}
+
+/**
+  Update hash data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+  IN HASH_HANDLE    HashHandle,
+  IN VOID           *DataToHash,
+  IN UINTN          DataToHashLen
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash, 
+ DataToHashLen);
+
+  return Status;
+}
+
+/**
+  Hash complete.
+
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+  IN  HASH_HANDLE HashHandle,
+  OUT UINT8       *Digest
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
+
+  return Status;
+}
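
Review bot: HashApiFinal() passes "&HashHandle" as the second argument of HashFinalInternal(), which is declared as "IN HASH_HANDLE HashHandle" and casts that value to the context pointer; BaseHashLibPei.c passes "HashHandle" for the same call. If the compiler accepts the pointer-to-UINTN conversion, the address of the local parameter is what gets treated as the hash context and handed to FreePool(), so this should read "HashFinalInternal (HashPolicy, HashHandle, &Digest)". In HashApiInit(), "*HashHandle = Handle" also runs when HashInitInternal() returned FALSE; write the handle only on success.
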
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
new file mode 100644
index 000000000000..a9fa0d978088
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
@@ -0,0 +1,101 @@
+/** @file
+  This library is Unified Hash API. It will redirect hash request to
+  the hash handler specified by PcdSystemHashPolicy such as SHA1, 
+SHA256,
+  SHA384 and SM3...
+
+Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h> #include <Library/DebugLib.h> 
+#include <Library/PcdLib.h> #include <Library/HobLib.h> #include 
+<Library/BaseHashLib.h>
+
+#include "BaseHashLibCommon.h"
+
+/**
+  Init hash sequence.
+
+  @param HashHandle  Hash handle.
+
+  @retval TRUE       Hash start and HashHandle returned.
+  @retval FALSE      Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+  OUT  HASH_HANDLE   *HashHandle
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+  HASH_HANDLE Handle;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashInitInternal (HashPolicy, &Handle);
+
+  *HashHandle = Handle;
+
+  return Status;
+}
+
+/**
+  Update hash data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+  IN HASH_HANDLE    HashHandle,
+  IN VOID           *DataToHash,
+  IN UINTN          DataToHashLen
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash, 
+ DataToHashLen);
+
+  return Status;
+}
+
+/**
+  Hash complete.
+
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+  IN  HASH_HANDLE HashHandle,
+  OUT UINT8      *Digest
+)
+{
+  BOOLEAN     Status;
+  UINT8       HashPolicy;
+
+  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+  Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
+
+  return Status;
+}
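
Review bot: HashApiInit(), HashApiUpdate() and HashApiFinal() each read PcdGet8 (PcdSystemHashPolicy) again, and the .dec change declares that PCD under PcdsDynamic and PcdsDynamicEx as well, so the policy can change between Init and Final and a context allocated for one algorithm would then be passed to another algorithm's Update or Final routine. Record the algorithm chosen at Init alongside the context, or restrict the PCD to fixed-at-build, so that one hash sequence always uses one algorithm. Also, <Library/HobLib.h> is included but nothing in this file uses it and BaseHashLibPei.inf does not list HobLib; apart from that include and the HashApiFinal() call this file duplicates BaseHashLibDxe.c.
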
diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec index a548ec7ddc71..9288c652f8e4 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -33,10 +33,31 @@ [LibraryClasses]
   ##
   TlsLib|Include/Library/TlsLib.h
 
+  ##  @libraryclass  Provides Unified API for different hash implementations.
+  #
+  BaseHashLib|Include/Library/BaseHashLib.h
+
 [Guids]
   ## Security package token space guid.
   # Include/Guid/CryptoPkgTokenSpace.h
   gEfiCryptoPkgTokenSpaceGuid      = { 0xd3fb176, 0x9569, 0x4d51, { 0xa3, 0xef, 0x7d, 0x61, 0xc6, 0x4f, 0xea, 0xba }}
 
+[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+  ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF 
+image
+  #  Based on the value set, the required algorithm is chosen to verify
+  #  the unsigned image during Secure Boot.<BR>
+  #  The hashing algorithm selected must match the hashing algorithm 
+used to
+  #  hash the image to be added to DB using tools such as KeyEnroll.<BR>
+  #     0x00000001    - MD4.<BR>
+  #     0x00000002    - MD5.<BR>
+  #     0x00000003    - SHA1.<BR>
+  #     0x00000004    - SHA256.<BR>
+  #     0x00000005    - SHA384.<BR>
+  #     0x00000006    - SHA512.<BR>
+  #     0x00000007    - SM3_256.<BR>
+  # @Prompt Set policy for hashing unsigned image for Secure Boot.
+  # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
+  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x00000001
+
 [UserExtensions.TianoCore."ExtraFiles"]
   CryptoPkgExtra.uni
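
Review bot: The "@ValidRange" line admits 0x01 through 0x07, so MD4, MD5 and SHA1 are accepted values for a PCD whose help text says it selects the algorithm used to verify images during Secure Boot, and all three have known collision attacks. Narrow the valid range to the algorithms that are acceptable for that purpose, or separate the general hash selector from the Secure Boot policy. The values are also documented as 32-bit (0x00000001 and so on) while the PCD is declared UINT8 with default 0x04; use the same width in the comment, the range and the declaration.
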
diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc index ec43c1f0a47e..1d2956d20483 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -1,7 +1,7 @@
 ## @file
 #  Cryptographic Library Package for UEFI Security Implementation.
 #
-#  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2020, Intel Corporation. All rights 
+reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent  #  ## @@ -62,9 +62,11 @@ [LibraryClasses.ARM]
 
 [LibraryClasses.common.PEIM]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+  BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
 
 [LibraryClasses.common.DXE_DRIVER]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+  BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
 
 [LibraryClasses.common.DXE_RUNTIME_DRIVER]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -120,6 +122,8 @@ [Components]
   CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
   CryptoPkg/Library/OpensslLib/OpensslLib.inf
   CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
+  CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
 
 [Components.IA32, Components.X64]
   CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
diff --git a/CryptoPkg/CryptoPkg.uni b/CryptoPkg/CryptoPkg.uni index beb0036ef583..ebbebed4924d 100644
--- a/CryptoPkg/CryptoPkg.uni
+++ b/CryptoPkg/CryptoPkg.uni
@@ -17,3 +17,20 @@
 
 
 
+#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT  #language en-US "HASH algorithm to verify unsigned PE/COFF image"
+
+#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP  #language en-US "This PCD indicates the HASH algorithm to verify unsigned PE/COFF image.<BR><BR>\n"
+                                                                                        "Based on the value set, the required algorithm is chosen to verify\n"
+                                                                                        "the unsigned image during Secure Boot.<BR>\n"
+                                                                                        "The hashing algorithm selected must match the hashing algorithm used to\n"
+                                                                                        "hash the image to be added to DB using tools such as KeyEnroll.<BR>\n"
+                                                                                        "0x00000001  -  MD4.<BR>\n"
+                                                                                        "0x00000002  -  MD5.<BR>\n"
+                                                                                        "0x00000003  -  SHA1.<BR>\n"
+                                                                                        "0x00000004  -  SHA256.<BR>\n"
+                                                                                        "0x00000005  -  SHA384.<BR>\n"
+                                                                                        "0x00000006  -  SHA512.<BR>\n"
+                                                                                        "0x00000007  -  SM3.<BR>"
+
+
+
diff --git a/CryptoPkg/Include/Library/BaseHashLib.h b/CryptoPkg/Include/Library/BaseHashLib.h
new file mode 100644
index 000000000000..c07e4a9a44aa
--- /dev/null
+++ b/CryptoPkg/Include/Library/BaseHashLib.h
@@ -0,0 +1,85 @@
+/** @file
+  The internal header file includes the common header files, defines
+  internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR> 
+This program and the accompanying materials are licensed and made 
+available under the terms and conditions of the BSD License which 
+accompanies this distribution.  The full text of the license may be 
+found at http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_H_
+#define __BASEHASHLIB_H_
+
+#include <Uefi.h>
+
+typedef UINTN  HASH_HANDLE;
+
+//
+// Hash Algorithms
+//
+#define HASH_INVALID    0x00000000
+#define HASH_MD4        0x00000001
+#define HASH_MD5        0x00000002
+#define HASH_SHA1       0x00000003
+#define HASH_SHA256     0x00000004
+#define HASH_SHA384     0x00000005
+#define HASH_SHA512     0x00000006
+#define HASH_SM3_256    0x00000007
+#define HASH_MAX        0x00000008
+
+
+/**
+  Init hash sequence.
+
+  @param HashHandle  Hash handle.
+
+  @retval TRUE       Hash start and HashHandle returned.
+  @retval FALSE      Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+  OUT  HASH_HANDLE   *HashHandle
+);
+
+/**
+  Update hash data.
+
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+  IN HASH_HANDLE    HashHandle,
+  IN VOID           *DataToHash,
+  IN UINTN          DataToHashLen
+);
+
+/**
+  Hash complete.
+
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+  IN  HASH_HANDLE HashHandle,
+  OUT UINT8       *Digest
+);
+
+#endif
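
Review bot: HashApiFinal() takes "OUT UINT8 *Digest" with no length, and the header gives the caller no way to ask how large the digest is for the algorithm that PcdSystemHashPolicy selects, so a caller that sized its buffer for SHA256 is overrun by the CopyMem() in HashFinalInternal() when the policy is SHA384 or SHA512. Add a digest-size parameter that is checked before the copy, or export a digest-size query, and state the buffer requirement in the @param text. The @file comment still describes an internal header for ImageVerificationLib and uses the old BSD license text.
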
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
new file mode 100644
index 000000000000..b022284d1a27
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
@@ -0,0 +1,72 @@
+/** @file
+  The internal header file includes the common header files, defines
+  internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR> 
+This program and the accompanying materials are licensed and made 
+available under the terms and conditions of the BSD License which 
+accompanies this distribution.  The full text of the license may be 
+found at http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_COMMON_H_
+#define __BASEHASHLIB_COMMON_H_
+
+/**
+  Init hash sequence with Hash Algorithm specified by HashPolicy.
+
+  @param HashHandle Hash handle.
+
+  @retval EFI_SUCCESS          Hash start and HashHandle returned.
+  @retval EFI_UNSUPPORTED      System has no HASH library registered.
+**/
+BOOLEAN
+EFIAPI
+HashInitInternal (
+  IN UINT8          HashPolicy,
+  OUT HASH_HANDLE   *HashHandle
+  );
+
+/**
+  Hash complete with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy    Hash Algorithm Policy.
+  @param HashHandle    Hash handle.
+  @param Digest        Hash Digest.
+
+  @retval TRUE         Hash complete and Digest is returned.
+  @retval FALSE        Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashUpdateInternal (
+  IN UINT8        HashPolicy,
+  IN HASH_HANDLE  HashHandle,
+  IN VOID         *DataToHash,
+  IN UINTN        DataToHashLen
+  );
+
+/**
+  Update hash data with Hash Algorithm specified by HashPolicy.
+
+  @param HashPolicy    Hash Algorithm Policy.
+  @param HashHandle    Hash handle.
+  @param DataToHash    Data to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval TRUE         Hash updated.
+  @retval FALSE        Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashFinalInternal (
+  IN UINT8        HashPolicy,
+  IN HASH_HANDLE  HashHandle,
+  OUT UINT8       **Digest
+  );
+
+#endif
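
Review bot: The comment blocks are attached to the wrong prototypes: HashUpdateInternal() carries the "Hash complete" description with a Digest parameter, and HashFinalInternal() carries the "Update hash data" description with DataToHash and DataToHashLen. The HashInitInternal() block documents "@retval EFI_SUCCESS" and "@retval EFI_UNSUPPORTED" for a function that returns BOOLEAN, and it omits "@param HashPolicy". Swap the two blocks and make the Init block match the one in BaseHashLibCommon.c. The header also uses HASH_HANDLE, UINT8 and BOOLEAN without including anything, so it only compiles when BaseHashLib.h is included first.
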
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
new file mode 100644
index 000000000000..732c8f0d1f47
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
@@ -0,0 +1,45 @@
+## @file
+#  Provides hash service by registered hash handler # #  This library 
+is Base Hash Lib. It will redirect hash request to each individual # 
+hash handler registered, such as SHA1, SHA256, SHA384, SM3.
+#
+# Copyright (c) 2018 - 2020, Intel Corporation. All rights 
+reserved.<BR> # SPDX-License-Identifier: BSD-2-Clause-Patent # ##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = BaseHashLibDxe
+  MODULE_UNI_FILE                = BaseHashLibDxe.uni
+  FILE_GUID                      = 158DC712-F15A-44dc-93BB-1675045BE066
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64
+#
+
+[Sources]
+  BaseHashLibCommon.h
+  BaseHashLibCommon.c
+  BaseHashLibDxe.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  BaseCryptLib
+  PcdLib
+
+[Pcd]
+  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy    ## CONSUMES
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
new file mode 100644
index 000000000000..53e025918828
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
@@ -0,0 +1,17 @@
+// /** @file
+// Provides hash service by registered hash handler // // This library 
+is Unified Hash API. It will redirect hash request to each individual 
+// hash handler registered, such as SHA1, SHA256. Platform can use 
+PcdTpm2HashMask to // mask some hash engines.
+//
+// Copyright (c) 2018 - 2020, Intel Corporation. All rights 
+reserved.<BR> // // SPDX-License-Identifier: BSD-2-Clause-Patent // // 
+**/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Provides hash service by specified hash handler"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This library is Unified Hash API. It will redirect hash request to the hash handler specified by PcdSystemHashPolicy."
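
Review bot: The file comment says the platform can use PcdTpm2HashMask to mask hash engines, but BaseHashLibDxe.inf consumes only PcdSystemHashPolicy and nothing in the library reads a mask. Drop that sentence, and change "registered hash handler" to match STR_MODULE_DESCRIPTION, since the handler is selected by the PCD rather than registered.
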
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
new file mode 100644
index 000000000000..4ff23f88c1c3
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
@@ -0,0 +1,46 @@
+## @file
+#  Provides hash service by registered hash handler # #  This library 
+is BaseCrypto router. It will redirect hash request to each individual 
+#  hash handler registered, such as SHA1, SHA256, SM3.
+#
+# Copyright (c) 2018 - 2020, Intel Corporation. All rights 
+reserved.<BR> # SPDX-License-Identifier: BSD-2-Clause-Patent # ##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = BaseHashLibPei
+  MODULE_UNI_FILE                = BaseHashLibPei.uni
+  FILE_GUID                      = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
+  MODULE_TYPE                    = PEIM
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = BaseHashLib|PEIM
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64
+#
+
+[Sources]
+  BaseHashLibCommon.h
+  BaseHashLibCommon.c
+  BaseHashLibPei.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  CryptoPkg/CryptoPkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  BaseCryptLib
+  PcdLib
+
+[Pcd]
+  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy    ## CONSUMES
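
Review bot: [Packages] lists MdeModulePkg/MdeModulePkg.dec, which BaseHashLibDxe.inf does not, and none of the library classes or PCDs named in this INF come from MdeModulePkg. Remove it unless something in BaseHashLibPei.c needs it, so that CryptoPkg does not pick up a new package dependency. The @file text calls the library a "BaseCrypto router" that redirects to registered handlers; align it with the PcdSystemHashPolicy wording used in the .uni strings.
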
diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni
new file mode 100644
index 000000000000..a1abcc1cdfa0
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni
@@ -0,0 +1,16 @@
+// /** @file
+// Provides hash service by registered hash handler // // This library 
+is Unified Hash API. It will redirect hash request to each individual 
+// hash handler registered, such as SHA1, SHA256.
+//
+// Copyright (c) 2018 - 2020, Intel Corporation. All rights 
+reserved.<BR> // // SPDX-License-Identifier: BSD-2-Clause-Patent // // 
+**/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Provides hash service by specified hash handler"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This library is Unified Hash API. It will redirect hash request to the hash handler specified by PcdSystemHashPolicy."
--
2.16.2.windows.1






^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API
  2020-01-20 17:17   ` Wang, Jian J
@ 2020-01-23 15:24     ` Sukerkar, Amol N
  0 siblings, 0 replies; 8+ messages in thread
From: Sukerkar, Amol N @ 2020-01-23 15:24 UTC (permalink / raw)
  To: Wang, Jian J, devel@edk2.groups.io
  Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas,
	Lakkimsetti, Subash, Sukerkar, Amol N

Hi Jian,

You are correct that using a local variable will link the unused libraries. In any case, I will simplify the BaseHashLib library further based on comments so far.

About your comment:
(3) Why do you need additional buffer here? The extra copy can be avoided by passing the '*Digest' to XxxFinal function below. Am I missing something here?
[ANS] Initially the idea was to make sure that the buffer passed into xxxFinal call didn't cause any buffer overflow since there is no way to detect the size of the buffer allocated by the caller. However, you are correct. We cannot prevent it. Next call CopyMem will cause the same issue. It is the responsibility of the caller to allocate enough memory for the digest based on the hashing algorithm used.

Thanks,
Amol

-----Original Message-----
From: Wang, Jian J <jian.j.wang@intel.com> 
Sent: Monday, January 20, 2020 10:17 AM
To: devel@edk2.groups.io; Sukerkar, Amol N <amol.n.sukerkar@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>; Lakkimsetti, Subash <subash.lakkimsetti@intel.com>
Subject: RE: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API

Amol,

One general comment in advance. The switch/case are using the parameter HashPolicy. Since it's a local variable, not a constant, I'm not sure whether or not the compiler will optimize out not effective hash algorithm choices. Please double check the linked code. If not, you should not pass the value of PcdSystemHashPolicy via a parameter. Instead, you should use this PCD directly in switch/case.

See my other comments below.


> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of 
> Sukerkar, Amol N
> Sent: Saturday, January 18, 2020 6:32 AM
> To: devel@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen 
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal, 
> Sachin <sachin.agrawal@intel.com>; Musti, Srinivas 
> <srinivas.musti@intel.com>; Lakkimsetti, Subash 
> <subash.lakkimsetti@intel.com>
> Subject: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement 
> Unified Hash Calculation API
> 
> This commit introduces a Unified Hash API to calculate hash using a 
> hashing algorithm specified by the PCD, PcdSystemHashPolicy. This 
> library interfaces with the various hashing API, such as, MD4, MD5, 
> SHA1, SHA256,
> SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate 
> the desired hash by setting PcdSystemHashPolicy to appropriate value.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> ---
>  CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c | 254
> ++++++++++++++++++++
>  CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c    | 100 ++++++++
>  CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c    | 101 ++++++++
>  CryptoPkg/CryptoPkg.dec                           |  21 ++
>  CryptoPkg/CryptoPkg.dsc                           |   6 +-
>  CryptoPkg/CryptoPkg.uni                           |  17 ++
>  CryptoPkg/Include/Library/BaseHashLib.h           |  85 +++++++
>  CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h |  72 ++++++
> CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf  |  45 ++++
> CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni  |  17 ++
> CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf  |  46 ++++
> CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni  |  16 ++
>  12 files changed, 779 insertions(+), 1 deletion(-)
> 
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
> new file mode 100644
> index 000000000000..217537566796
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c
> @@ -0,0 +1,254 @@
> +/** @file
> +  Implement image verification services for secure boot service
> +
> +  Caution: This file requires additional review when modified.
> +  This library will have external input - PE/COFF image.
> +  This external input must be validated carefully to avoid security 
> + issue like  buffer overflow, integer overflow.
> +
> +  DxeImageVerificationLibImageRead() function will make sure the 
> + PE/COFF
> image content
> +  read is within the image buffer.
> +
> +  DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage()
> function will accept
> +  untrusted PE/COFF image and validate its data structure within this 
> + image
> buffer before use.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights 
> +reserved.<BR>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> This 
> +program and the accompanying materials are licensed and made 
> +available under the terms and conditions of the BSD
> License
> +which accompanies this distribution.  The full text of the license 
> +may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/MemoryAllocationLib.h> #include 
> +<Library/BaseCryptLib.h> #include <Library/DebugLib.h> #include 
> +<Library/PcdLib.h> #include <Library/BaseHashLib.h>
> +
> +#include "BaseHashLibCommon.h"
> +
> +/**
> +  Init hash sequence with Hash Algorithm specified by HashPolicy.
> +
> +  @param HashPolicy  Hash Algorithm Policy.
> +  @param HashHandle  Hash handle.
> +
> +  @retval TRUE       Hash start and HashHandle returned.
> +  @retval FALSE      Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashInitInternal (
> +  IN UINT8          HashPolicy,
> +  OUT HASH_HANDLE   *HashHandle
> +  )
> +{
> +  BOOLEAN  Status;
> +  VOID     *HashCtx;
> +  UINTN    CtxSize;
> +
> +  switch (HashPolicy) {
> +    case HASH_MD4:
> +      CtxSize = Md4GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +      Status = Md4Init (HashCtx);
> +      break;
> +
> +    case HASH_MD5:
> +      CtxSize = Md5GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +     Status = Md5Init (HashCtx);
> +      break;
> +
> +    case HASH_SHA1:
> +      CtxSize = Sha1GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +      Status = Sha1Init (HashCtx);
> +      break;
> +
> +    case HASH_SHA256:
> +      CtxSize = Sha256GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +      Status = Sha256Init (HashCtx);
> +      break;
> +
> +    case HASH_SHA384:
> +      CtxSize = Sha384GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +      Status = Sha384Init (HashCtx);
> +      break;
> +
> +    case HASH_SHA512:
> +      CtxSize = Sha512GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +      Status = Sha512Init (HashCtx);
> +      break;
> +
> +    case HASH_SM3_256:
> +      CtxSize = Sm3GetContextSize ();
> +      HashCtx = AllocatePool (CtxSize);
> +      ASSERT (HashCtx != NULL);
> +
> +      Status = Sm3Init (HashCtx);
> +      break;
> +
> +    default:
> +      ASSERT (FALSE);
> +      break;

(1) Status was not initialized before. Although there's ASSERT, still suggest to assign FALSE to Status for 'default' case.

> +  }
> +
> +  *HashHandle = (HASH_HANDLE)HashCtx;
> +
> +  return Status;
> +}
> +
> +/**
> +  Update hash data with Hash Algorithm specified by HashPolicy.
> +
> +  @param HashPolicy    Hash Algorithm Policy.
> +  @param HashHandle    Hash handle.
> +  @param DataToHash    Data to be hashed.
> +  @param DataToHashLen Data size.
> +
> +  @retval TRUE         Hash updated.
> +  @retval FALSE        Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashUpdateInternal (
> +  IN UINT8        HashPolicy,
> +  IN HASH_HANDLE  HashHandle,
> +  IN VOID         *DataToHash,
> +  IN UINTN        DataToHashLen
> +  )
> +{
> +  BOOLEAN  Status;
> +  VOID     *HashCtx;
> +
> +  HashCtx = (VOID *)HashHandle;
> +
> +  switch (HashPolicy) {
> +    case HASH_MD4:
> +      Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    case HASH_MD5:
> +      Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    case HASH_SHA1:
> +      Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    case HASH_SHA256:
> +      Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    case HASH_SHA384:
> +      Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    case HASH_SHA512:
> +      Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    case HASH_SM3_256:
> +      Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
> +      break;
> +
> +    default:
> +      ASSERT (FALSE);
> +      break;

(2) Same as (1). Suggest assigning FALSE to Status in 'default' case.

> +  }
> +
> +  return Status;
> +}
> +
> +/**
> +  Hash complete with Hash Algorithm specified by HashPolicy.
> +
> +  @param HashPolicy    Hash Algorithm Policy.
> +  @param HashHandle    Hash handle.
> +  @param Digest        Hash Digest.
> +
> +  @retval TRUE         Hash complete and Digest is returned.
> +  @retval FALSE        Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashFinalInternal (
> +  IN UINT8        HashPolicy,
> +  IN HASH_HANDLE  HashHandle,
> +  OUT UINT8       **Digest
> +  )
> +{
> +  BOOLEAN  Status;
> +  VOID     *HashCtx;
> +  UINT8    DigestData[SHA512_DIGEST_SIZE];
> +

(3) Why do you need additional buffer here? The extra copy can be avoided by passing the '*Digest' to XxxFinal function below. Am I missing something here?

> +  HashCtx = (VOID *)HashHandle;
> +
> +  switch (HashPolicy) {
> +    case HASH_MD4:
> +      Status = Md4Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
> +      break;
> +
> +    case HASH_MD5:
> +      Status = Md5Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
> +      break;
> +
> +    case HASH_SHA1:
> +      Status = Sha1Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
> +      break;
> +
> +    case HASH_SHA256:
> +      Status = Sha256Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
> +      break;
> +
> +    case HASH_SHA384:
> +      Status = Sha384Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
> +      break;
> +
> +    case HASH_SHA512:
> +      Status = Sha512Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
> +      break;
> +
> +    case HASH_SM3_256:
> +      Status = Sm3Final (HashCtx, DigestData);
> +      CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
> +      break;
> +
> +    default:
> +      ASSERT (FALSE);
> +      break;

(4) Same as (1) and (2)

> +  }
> +
> +  FreePool (HashCtx);
> +
> +  return Status;
> +}
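
Review bot: In HashInitInternal the result of AllocatePool is guarded only by ASSERT (HashCtx != NULL), so in a build where ASSERT is compiled out a failed allocation reaches XxxInit as a NULL context, and in the default case HashCtx is never assigned yet is still stored through *HashHandle. Suggest initializing HashCtx to NULL, returning FALSE when the allocation fails or the policy is unknown, and writing *HashHandle only on success. The @file comment also still describes image verification services (DxeImageVerificationHandler, HashPeImage) rather than this library.
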
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
> new file mode 100644
> index 000000000000..226c2d6a4aae
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c
> @@ -0,0 +1,100 @@
> +/** @file
> +  This library is Unified Hash API. It will redirect hash request to
> +  the hash handler specified by PcdSystemHashPolicy such as SHA1, 
> +SHA256,
> +  SHA384 and SM3...
> +
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. 
> +<BR>

(5) This is new file. Start year should be 2020.

> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/MemoryAllocationLib.h> #include 
> +<Library/DebugLib.h> #include <Library/PcdLib.h> #include 
> +<Library/BaseHashLib.h>
> +
> +#include "BaseHashLibCommon.h"
> +
> +/**
> +  Init hash sequence.
> +
> +  @param HashHandle  Hash handle.
> +
> +  @retval TRUE       Hash start and HashHandle returned.
> +  @retval FALSE      Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> +  OUT  HASH_HANDLE   *HashHandle
> +)
> +{
> +  BOOLEAN     Status;
> +  UINT8       HashPolicy;
> +  HASH_HANDLE Handle;
> +
> +  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> +
> +  Status = HashInitInternal (HashPolicy, &Handle);
> +
> +  *HashHandle = Handle;
> +
> +  return Status;
> +}
> +
> +/**
> +  Update hash data.
> +
> +  @param HashHandle    Hash handle.
> +  @param DataToHash    Data to be hashed.
> +  @param DataToHashLen Data size.
> +
> +  @retval TRUE         Hash updated.
> +  @retval FALSE        Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> +  IN HASH_HANDLE    HashHandle,
> +  IN VOID           *DataToHash,
> +  IN UINTN          DataToHashLen
> +)
> +{
> +  BOOLEAN     Status;
> +  UINT8       HashPolicy;
> +
> +  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> +
> +  Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
> +
> +  return Status;
> +}
> +
> +/**
> +  Hash complete.
> +
> +  @param HashHandle    Hash handle.
> +  @param Digest        Hash Digest.
> +
> +  @retval TRUE         Hash complete and Digest is returned.
> +  @retval FALSE        Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> +  IN  HASH_HANDLE HashHandle,
> +  OUT UINT8       *Digest
> +)
> +{
> +  BOOLEAN     Status;
> +  UINT8       HashPolicy;
> +
> +  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> +
> +  Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
> +
> +  return Status;
> +}
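
Review bot: HashApiFinal passes &HashHandle to HashFinalInternal, whose second parameter is declared as HASH_HANDLE rather than HASH_HANDLE *; BaseHashLibPei.c passes HashHandle for the same call. As written, the address of the local parameter is what gets cast to the hash context, handed to XxxFinal and then to FreePool. Change the call to "HashFinalInternal (HashPolicy, HashHandle, &Digest);".
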
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
> new file mode 100644
> index 000000000000..a9fa0d978088
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c
> @@ -0,0 +1,101 @@
> +/** @file
> +  This library is Unified Hash API. It will redirect hash request to
> +  the hash handler specified by PcdSystemHashPolicy such as SHA1, 
> +SHA256,
> +  SHA384 and SM3...
> +
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. 
> +<BR>

(6) This is new file. Start year should be 2020.

> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/MemoryAllocationLib.h> #include 
> +<Library/DebugLib.h> #include <Library/PcdLib.h> #include 
> +<Library/HobLib.h> #include <Library/BaseHashLib.h>
> +
> +#include "BaseHashLibCommon.h"
> +
> +/**
> +  Init hash sequence.
> +
> +  @param HashHandle  Hash handle.
> +
> +  @retval TRUE       Hash start and HashHandle returned.
> +  @retval FALSE      Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> +  OUT  HASH_HANDLE   *HashHandle
> +)
> +{
> +  BOOLEAN     Status;
> +  UINT8       HashPolicy;
> +  HASH_HANDLE Handle;
> +
> +  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> +
> +  Status = HashInitInternal (HashPolicy, &Handle);
> +
> +  *HashHandle = Handle;
> +
> +  return Status;
> +}
> +
> +/**
> +  Update hash data.
> +
> +  @param HashHandle    Hash handle.
> +  @param DataToHash    Data to be hashed.
> +  @param DataToHashLen Data size.
> +
> +  @retval TRUE         Hash updated.
> +  @retval FALSE        Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> +  IN HASH_HANDLE    HashHandle,
> +  IN VOID           *DataToHash,
> +  IN UINTN          DataToHashLen
> +)
> +{
> +  BOOLEAN     Status;
> +  UINT8       HashPolicy;
> +
> +  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> +
> +  Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
> +
> +  return Status;
> +}
> +
> +/**
> +  Hash complete.
> +
> +  @param HashHandle    Hash handle.
> +  @param Digest        Hash Digest.
> +
> +  @retval TRUE         Hash complete and Digest is returned.
> +  @retval FALSE        Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> +  IN  HASH_HANDLE HashHandle,
> +  OUT UINT8      *Digest
> +)
> +{
> +  BOOLEAN     Status;
> +  UINT8       HashPolicy;
> +
> +  HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> +
> +  Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
> +
> +  return Status;
> +}
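
Review bot: Library/HobLib.h is included but nothing in this file calls a HOB service, and HashApiInit, HashApiUpdate and HashApiFinal are otherwise the same as in BaseHashLibDxe.c. Suggest dropping the include and, unless PEI-specific behaviour is planned, building both INFs from one source file so that a fix such as the HashFinalInternal argument does not have to be made in two places.
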
> diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec index 
> a548ec7ddc71..9288c652f8e4 100644
> --- a/CryptoPkg/CryptoPkg.dec
> +++ b/CryptoPkg/CryptoPkg.dec
> @@ -33,10 +33,31 @@ [LibraryClasses]
>    ##
>    TlsLib|Include/Library/TlsLib.h
> 
> +  ##  @libraryclass  Provides Unified API for different hash implementations.
> +  #
> +  BaseHashLib|Include/Library/BaseHashLib.h
> +
>  [Guids]
>    ## Security package token space guid.
>    # Include/Guid/CryptoPkgTokenSpace.h
>    gEfiCryptoPkgTokenSpaceGuid      = { 0xd3fb176, 0x9569, 0x4d51, { 0xa3, 0xef,
> 0x7d, 0x61, 0xc6, 0x4f, 0xea, 0xba }}
> 
> +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
> +  ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF 
> +image
> +  #  Based on the value set, the required algorithm is chosen to 
> +verify
> +  #  the unsigned image during Secure Boot.<BR>
> +  #  The hashing algorithm selected must match the hashing algorithm 
> +used to
> +  #  hash the image to be added to DB using tools such as KeyEnroll.<BR>
> +  #     0x00000001    - MD4.<BR>
> +  #     0x00000002    - MD5.<BR>
> +  #     0x00000003    - SHA1.<BR>
> +  #     0x00000004    - SHA256.<BR>
> +  #     0x00000005    - SHA384.<BR>
> +  #     0x00000006    - SHA512.<BR>
> +  #     0x00000007    - SM3_256.<BR>
> +  # @Prompt Set policy for hashing unsigned image for Secure Boot.
> +  # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x00000001
> +
>  [UserExtensions.TianoCore."ExtraFiles"]
>    CryptoPkgExtra.uni
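
Review bot: PcdSystemHashPolicy is declared under [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx], while HashApiInit, HashApiUpdate and HashApiFinal each read it with PcdGet8; with a dynamic PCD the value can change between those calls, and a context allocated for one algorithm would then be passed to another algorithm's Update or Final. Suggest restricting the PCD to PcdsFixedAtBuild or recording the algorithm in the handle at init. The @ValidRange also admits MD4 and MD5 for a value the comment describes as the Secure Boot image hash; consider whether those need to be selectable.
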
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc index 
> ec43c1f0a47e..1d2956d20483 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -1,7 +1,7 @@
>  ## @file
>  #  Cryptographic Library Package for UEFI Security Implementation.
>  #
> -#  Copyright (c) 2009 - 2018, Intel Corporation. All rights 
> reserved.<BR>
> +#  Copyright (c) 2009 - 2020, Intel Corporation. All rights 
> +reserved.<BR>
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent  #  ## @@ -62,9 
> +62,11 @@ [LibraryClasses.ARM]
> 
>  [LibraryClasses.common.PEIM]
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +  BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
> 
>  [LibraryClasses.common.DXE_DRIVER]
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +  BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> 
>  [LibraryClasses.common.DXE_RUNTIME_DRIVER]
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -120,6 +122,8 @@ [Components]
>    CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
>    CryptoPkg/Library/OpensslLib/OpensslLib.inf
>    CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +  CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> +  CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
> 
>  [Components.IA32, Components.X64]
>    CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> diff --git a/CryptoPkg/CryptoPkg.uni b/CryptoPkg/CryptoPkg.uni index 
> beb0036ef583..ebbebed4924d 100644
> --- a/CryptoPkg/CryptoPkg.uni
> +++ b/CryptoPkg/CryptoPkg.uni
> @@ -17,3 +17,20 @@
> 
> 
> 
> +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> #language en-US "HASH algorithm to verify unsigned PE/COFF image"
> +
> +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> #language en-US "This PCD indicates the HASH algorithm to verify 
> unsigned PE/COFF image.<BR><BR>\n"
> +                                                                       
> + "Based on the value set, the
> required algorithm is chosen to verify\n"
> +                                                                       
> + "the unsigned image during
> Secure Boot.<BR>\n"
> +                                                                       
> + "The hashing algorithm
> selected must match the hashing algorithm used to\n"
> +                                                                       
> + "hash the image to be added
> to DB using tools such as KeyEnroll.<BR>\n"
> +                                                                                        "0x00000001  -  MD4.<BR>\n"
> +                                                                                        "0x00000002  -  MD5.<BR>\n"
> +                                                                                        "0x00000003  -  SHA1.<BR>\n"
> +                                                                       
> + "0x00000004  -
> SHA256.<BR>\n"
> +                                                                       
> + "0x00000005  -
> SHA384.<BR>\n"
> +                                                                       
> + "0x00000006  -
> SHA512.<BR>\n"
> +                                                                                        "0x00000007  -  SM3.<BR>"
> +
> +
> +
> diff --git a/CryptoPkg/Include/Library/BaseHashLib.h
> b/CryptoPkg/Include/Library/BaseHashLib.h
> new file mode 100644
> index 000000000000..c07e4a9a44aa
> --- /dev/null
> +++ b/CryptoPkg/Include/Library/BaseHashLib.h
> @@ -0,0 +1,85 @@
> +/** @file
> +  The internal header file includes the common header files, defines
> +  internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights 
> +reserved.<BR> This program and the accompanying materials are 
> +licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution.  The full text of the license 
> +may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +

(7) License is not correct. Use the standard two-clause one.

> +**/
> +
> +#ifndef __BASEHASHLIB_H_
> +#define __BASEHASHLIB_H_
> +
> +#include <Uefi.h>
> +
> +typedef UINTN  HASH_HANDLE;
> +
> +//
> +// Hash Algorithms
> +//
> +#define HASH_INVALID    0x00000000
> +#define HASH_MD4        0x00000001
> +#define HASH_MD5        0x00000002
> +#define HASH_SHA1       0x00000003
> +#define HASH_SHA256     0x00000004
> +#define HASH_SHA384     0x00000005
> +#define HASH_SHA512     0x00000006
> +#define HASH_SM3_256    0x00000007
> +#define HASH_MAX        0x00000008
> +
> +
> +/**
> +  Init hash sequence.
> +
> +  @param HashHandle  Hash handle.
> +
> +  @retval TRUE       Hash start and HashHandle returned.
> +  @retval FALSE      Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> +  OUT  HASH_HANDLE   *HashHandle
> +);
> +
> +/**
> +  Update hash data.
> +
> +  @param HashHandle    Hash handle.
> +  @param DataToHash    Data to be hashed.
> +  @param DataToHashLen Data size.
> +
> +  @retval TRUE         Hash updated.
> +  @retval FALSE        Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> +  IN HASH_HANDLE    HashHandle,
> +  IN VOID           *DataToHash,
> +  IN UINTN          DataToHashLen
> +);
> +
> +/**
> +  Hash complete.
> +
> +  @param HashHandle    Hash handle.
> +  @param Digest        Hash Digest.
> +
> +  @retval TRUE         Hash complete and Digest is returned.
> +  @retval FALSE        Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> +  IN  HASH_HANDLE HashHandle,
> +  OUT UINT8       *Digest
> +);
> +
> +#endif
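
Review bot: HashApiFinal takes OUT UINT8 *Digest with no size, and the header gives callers no way to learn the digest length for the configured PcdSystemHashPolicy, so a caller whose buffer is sized for SHA256 is overrun when the policy is SHA384 or SHA512. Suggest adding a DigestSize parameter that is checked before the digest is written, or a function that returns the digest size for the current policy, and documenting the required size in the @param Digest text. The @file comment also still says the header is used by ImageVerificationLib.
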
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
> new file mode 100644
> index 000000000000..b022284d1a27
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h
> @@ -0,0 +1,72 @@
> +/** @file
> +  The internal header file includes the common header files, defines
> +  internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights 
> +reserved.<BR> This program and the accompanying materials are 
> +licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution.  The full text of the license 
> +may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +

(8) License is not correct. Use the standard two-clause one.

> +#ifndef __BASEHASHLIB_COMMON_H_
> +#define __BASEHASHLIB_COMMON_H_
> +
> +/**
> +  Init hash sequence with Hash Algorithm specified by HashPolicy.
> +
> +  @param HashHandle Hash handle.
> +
> +  @retval EFI_SUCCESS          Hash start and HashHandle returned.
> +  @retval EFI_UNSUPPORTED      System has no HASH library registered.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashInitInternal (
> +  IN UINT8          HashPolicy,
> +  OUT HASH_HANDLE   *HashHandle
> +  );
> +
> +/**
> +  Hash complete with Hash Algorithm specified by HashPolicy.
> +
> +  @param HashPolicy    Hash Algorithm Policy.
> +  @param HashHandle    Hash handle.
> +  @param Digest        Hash Digest.
> +
> +  @retval TRUE         Hash complete and Digest is returned.
> +  @retval FALSE        Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashUpdateInternal (
> +  IN UINT8        HashPolicy,
> +  IN HASH_HANDLE  HashHandle,
> +  IN VOID         *DataToHash,
> +  IN UINTN        DataToHashLen
> +  );
> +
> +/**
> +  Update hash data with Hash Algorithm specified by HashPolicy.
> +
> +  @param HashPolicy    Hash Algorithm Policy.
> +  @param HashHandle    Hash handle.
> +  @param DataToHash    Data to be hashed.
> +  @param DataToHashLen Data size.
> +
> +  @retval TRUE         Hash updated.
> +  @retval FALSE        Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashFinalInternal (
> +  IN UINT8        HashPolicy,
> +  IN HASH_HANDLE  HashHandle,
> +  OUT UINT8       **Digest
> +  );
> +
> +#endif
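
Review bot: The doc comments for HashUpdateInternal and HashFinalInternal are swapped: the "Hash complete" block with @param Digest sits above HashUpdateInternal, and the "Update hash data" block with @param DataToHash sits above HashFinalInternal. The HashInitInternal comment also omits @param HashPolicy and lists EFI_SUCCESS and EFI_UNSUPPORTED for a function that returns BOOLEAN. The header uses HASH_HANDLE without including Library/BaseHashLib.h, so it only compiles when the .c file includes that header first.
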
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> new file mode 100644
> index 000000000000..732c8f0d1f47
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> @@ -0,0 +1,45 @@
> +## @file
> +#  Provides hash service by registered hash handler # #  This library 
> +is Base Hash Lib. It will redirect hash request to each individual #
> +hash handler registered, such as SHA1, SHA256, SHA384, SM3.
> +#
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights 
> +reserved.<BR>

(9) This is new file. The start year should be this year.

> +# SPDX-License-Identifier: BSD-2-Clause-Patent # ##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = BaseHashLibDxe
> +  MODULE_UNI_FILE                = BaseHashLibDxe.uni
> +  FILE_GUID                      = 158DC712-F15A-44dc-93BB-1675045BE066
> +  MODULE_TYPE                    = DXE_DRIVER
> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
> +
> +#
> +# The following information is for reference only and not required by 
> +the build
> tools.
> +#
> +#  VALID_ARCHITECTURES           = IA32 X64
> +#
> +
> +[Sources]
> +  BaseHashLibCommon.h
> +  BaseHashLibCommon.c
> +  BaseHashLibDxe.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  BaseCryptLib
> +  PcdLib
> +
> +[Pcd]
> +  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy    ## CONSUMES
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> new file mode 100644
> index 000000000000..53e025918828
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> @@ -0,0 +1,17 @@
> +// /** @file
> +// Provides hash service by registered hash handler // // This 
> +library is Unified Hash API. It will redirect hash request to each 
> +individual // hash handler registered, such as SHA1, SHA256. Platform 
> +can use
> PcdTpm2HashMask to
> +// mask some hash engines.
> +//
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights 
> +reserved.<BR> //

(10) This is new file. The start year should be this year.

> +// SPDX-License-Identifier: BSD-2-Clause-Patent // // **/
> +
> +
> +#string STR_MODULE_ABSTRACT             #language en-US "Provides hash
> service by specified hash handler"
> +
> +#string STR_MODULE_DESCRIPTION          #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler 
> specified by PcdSystemHashPolicy."
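
Review bot: The header comment says the platform can use PcdTpm2HashMask to mask hash engines and speaks of registered hash handlers, but BaseHashLibDxe.inf consumes only PcdSystemHashPolicy and BaseHashLib.h declares no registration function. Suggest rewording the comment so it matches STR_MODULE_DESCRIPTION.
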
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
> new file mode 100644
> index 000000000000..4ff23f88c1c3
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf
> @@ -0,0 +1,46 @@
> +## @file
> +#  Provides hash service by registered hash handler # #  This library 
> +is BaseCrypto router. It will redirect hash request to each
> individual
> +#  hash handler registered, such as SHA1, SHA256, SM3.
> +#
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights 
> +reserved.<BR>

(11) This is new file. The start year should be this year.

> +# SPDX-License-Identifier: BSD-2-Clause-Patent # ##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = BaseHashLibPei
> +  MODULE_UNI_FILE                = BaseHashLibPei.uni
> +  FILE_GUID                      = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
> +  MODULE_TYPE                    = PEIM
> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  = BaseHashLib|PEIM
> +
> +#
> +# The following information is for reference only and not required by 
> +the build
> tools.
> +#
> +#  VALID_ARCHITECTURES           = IA32 X64
> +#
> +
> +[Sources]
> +  BaseHashLibCommon.h
> +  BaseHashLibCommon.c
> +  BaseHashLibPei.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  CryptoPkg/CryptoPkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  BaseCryptLib
> +  PcdLib
> +
> +[Pcd]
> +  gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy    ## CONSUMES
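
Review bot: [Packages] lists MdeModulePkg/MdeModulePkg.dec, but every entry under [LibraryClasses] and [Pcd] comes from MdePkg or CryptoPkg, so the extra package dependency looks unnecessary. BaseHashLibPei.c also includes Library/HobLib.h while HobLib is not listed under [LibraryClasses]; drop the include or add the class. The @file text ("BaseCrypto router", "hash handler registered") does not describe a library that selects the algorithm from PcdSystemHashPolicy.
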
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni
> b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni
> new file mode 100644
> index 000000000000..a1abcc1cdfa0
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni
> @@ -0,0 +1,16 @@
> +// /** @file
> +// Provides hash service by registered hash handler // // This 
> +library is Unified Hash API. It will redirect hash request to each 
> +individual // hash handler registered, such as SHA1, SHA256.
> +//
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights 
> +reserved.<BR>

(12) This is new file. The start year should be this year.

> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent // // **/
> +
> +
> +#string STR_MODULE_ABSTRACT             #language en-US "Provides hash
> service by specified hash handler"
> +
> +#string STR_MODULE_DESCRIPTION          #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler 
> specified by PcdSystemHashPolicy."
> --
> 2.16.2.windows.1
> 
> 
> 
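
The buffer-size question in answer (3) and the default-case comments (1), (2) and (4) above, as an added example that is not part of the patch or of edk2: a policy-dispatched hash API in portable C whose final call takes the caller's buffer capacity and whose handle records the algorithm chosen at init. All names (alg_id, hash_ctx, hash_init, hash_update, hash_final, hash_buffer) are hypothetical, and non-cryptographic FNV-1a stand-ins replace BaseCryptLib so the file builds on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins constructed for this example: FNV-1a at 32 and 64 bits. They are
 * not cryptographic; they give the dispatcher two working algorithms with
 * different digest sizes so the file builds without BaseCryptLib. */
typedef enum { ALG_INVALID = 0, ALG_FNV32 = 1, ALG_FNV64 = 2 } alg_id;

/* The handle records the algorithm chosen at init, so update and final never
 * consult the policy again and cannot mix contexts between algorithms. */
typedef struct {
    alg_id   alg;
    size_t   digest_size;
    uint64_t state;
} hash_ctx;

static size_t digest_size_for(alg_id alg)
{
    switch (alg) {
    case ALG_FNV32: return 4;
    case ALG_FNV64: return 8;
    default:        return 0;            /* unknown policy value */
    }
}

/* Returns 1 and a valid handle, or 0 with *out set to NULL. */
int hash_init(alg_id policy, hash_ctx **out)
{
    size_t    size;
    hash_ctx *ctx;

    if (out == NULL) return 0;
    *out = NULL;                         /* caller never sees an indeterminate handle */
    size = digest_size_for(policy);
    if (size == 0) return 0;             /* explicit failure, not only an assert */
    ctx = malloc(sizeof *ctx);
    if (ctx == NULL) return 0;           /* allocation failure checked at run time */
    ctx->alg = policy;
    ctx->digest_size = size;
    ctx->state = (policy == ALG_FNV32) ? 0x811c9dc5u : 0xcbf29ce484222325ull;
    *out = ctx;
    return 1;
}

int hash_update(hash_ctx *ctx, const void *data, size_t len)
{
    const uint8_t *p = data;
    size_t i;

    if (ctx == NULL || (data == NULL && len != 0)) return 0;
    for (i = 0; i < len; i++) {
        ctx->state ^= p[i];
        if (ctx->alg == ALG_FNV32)
            ctx->state = (uint32_t)(ctx->state * 0x01000193u);   /* mod 2^32 */
        else
            ctx->state *= 0x100000001b3ull;                      /* mod 2^64 */
    }
    return 1;
}

/* Writes the digest only if the caller's buffer can hold it. The context is
 * released on success and on failure, so a handle is never reused. */
int hash_final(hash_ctx *ctx, uint8_t *digest, size_t digest_cap, size_t *written)
{
    int    ok = 0;
    size_t i;

    if (ctx == NULL) return 0;
    if (digest != NULL && digest_cap >= ctx->digest_size) {
        for (i = 0; i < ctx->digest_size; i++)                   /* big-endian */
            digest[i] = (uint8_t)(ctx->state >> (8 * (ctx->digest_size - 1 - i)));
        if (written != NULL) *written = ctx->digest_size;
        ok = 1;
    }
    free(ctx);
    return ok;
}

/* One-shot helper: init, update, final with the size check applied. */
int hash_buffer(alg_id policy, const void *data, size_t len,
                uint8_t *digest, size_t digest_cap, size_t *written)
{
    hash_ctx *ctx;

    if (!hash_init(policy, &ctx)) return 0;
    if (!hash_update(ctx, data, len)) { free(ctx); return 0; }
    return hash_final(ctx, digest, digest_cap, written);
}

int main(void)
{
    uint8_t small[4], large[8];
    size_t  n = 0;

    printf("FNV64 into 4 bytes: %d\n", hash_buffer(ALG_FNV64, "a", 1, small, sizeof small, &n));
    printf("FNV64 into 8 bytes: %d\n", hash_buffer(ALG_FNV64, "a", 1, large, sizeof large, &n));
    printf("unknown policy:     %d\n", hash_buffer((alg_id)7, "a", 1, large, sizeof large, &n));
    return 0;
}
```

With the capacity passed in, an undersized buffer becomes a FALSE-style return instead of a write past the caller's allocation, which is the case the temporary DigestData buffer in the patch could not catch.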


