public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Zhang, Chao B" <chao.b.zhang@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Zhang, Chao B" <chao.b.zhang@intel.com>,
	"Zeng, Star" <star.zeng@intel.com>,
	"yao.jiewen@intel.com" <yao.jiewen@intel.com>
Subject: Re: [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic
Date: Sun, 22 Jan 2017 02:04:06 +0000	[thread overview]
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503A8E3F62@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <20170119051359.14044-1-chao.b.zhang@intel.com>

Reviewed-by: Jiewen.yao@intel.com

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhang,
> Chao B
> Sent: Thursday, January 19, 2017 1:14 PM
> To: edk2-devel@lists.01.org
> Cc: Zhang, Chao B <chao.b.zhang@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Zeng, Star <star.zeng@intel.com>;
> yao.jiewen@intel.com
> Subject: [edk2] [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update
> PCR[7] measure logic
> 
> Update PCR[7] measure logic according to TCG PC Client PFP 00.37.
> Only entries in DB that is used for image authentication need to be
> measured.
> http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific
> _Platform_Profile_for_TPM_2p0_Systems_v21.pdf
> 
> Cc: Star Zeng <star.zeng@intel.com>
> Cc: Yao Jiewen <jiewen.yao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
> ---
>  .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c  | 10
> +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 7b7e6af..e28e106 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -12,7 +12,7 @@
>    DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage()
> function will accept
>    untrusted PE/COFF image and validate its data structure within this image
> buffer before use.
> 
> -Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
>  (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
> @@ -1026,7 +1026,12 @@ IsSignatureFoundInDatabase (
>            // Find the signature in database.
>            //
>            IsFound = TRUE;
> -          SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid,
> CertList->SignatureSize, Cert);
> +          //
> +          // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to
> validate image should be measured
> +          //
> +          if (StrCmp(VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) {
> +            SecureBootHook (VariableName,
> &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert);
> +          }
>            break;
>          }
> 
> @@ -1309,7 +1314,6 @@ IsForbiddenByDbx (
>                          mImageDigestSize
>                          );
>          if (IsForbidden) {
> -          SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1,
> &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, CertData);
>            DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed
> but signature is forbidden by DBX.\n"));
>            goto Done;
>          }
> --
> 1.9.5.msysgit.1
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel


      parent reply	other threads:[~2017-01-22  2:04 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-19  5:13 [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic Zhang, Chao B
2017-01-19  5:13 ` [PATCH V2 2/3] SecurityPkg: Tcg2Dxe: Measure DBT into PCR[7] Zhang, Chao B
2017-01-22  1:22   ` Zeng, Star
2017-01-22  2:03   ` Yao, Jiewen
2017-01-19  5:13 ` [PATCH V2 3/3] MdeModulePkg: Variable: Update PCR[7] measure for new TCG spec Zhang, Chao B
2017-01-22  1:19   ` Zeng, Star
2017-01-22  2:20   ` Yao, Jiewen
2017-01-22  1:25 ` [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic Zeng, Star
2017-01-22  2:04 ` Yao, Jiewen [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=74D8A39837DF1E4DA445A8C0B3885C503A8E3F62@shsmsx102.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox