From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id E035D81ECD for ; Sat, 21 Jan 2017 18:04:09 -0800 (PST) Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga103.fm.intel.com with ESMTP; 21 Jan 2017 18:04:09 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.33,267,1477983600"; d="scan'208";a="56081378" Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204]) by fmsmga005.fm.intel.com with ESMTP; 21 Jan 2017 18:04:09 -0800 Received: from fmsmsx101.amr.corp.intel.com (10.18.124.199) by FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS) id 14.3.248.2; Sat, 21 Jan 2017 18:04:09 -0800 Received: from shsmsx101.ccr.corp.intel.com (10.239.4.153) by fmsmsx101.amr.corp.intel.com (10.18.124.199) with Microsoft SMTP Server (TLS) id 14.3.248.2; Sat, 21 Jan 2017 18:04:08 -0800 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.88]) by SHSMSX101.ccr.corp.intel.com ([169.254.1.177]) with mapi id 14.03.0248.002; Sun, 22 Jan 2017 10:04:06 +0800 From: "Yao, Jiewen" To: "Zhang, Chao B" , "edk2-devel@lists.01.org" CC: "Zhang, Chao B" , "Zeng, Star" , "yao.jiewen@intel.com" Thread-Topic: [edk2] [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic Thread-Index: AQHSchLfU8t57hVhB0CZx7SfGiQ9caFDw3VA Date: Sun, 22 Jan 2017 02:04:06 +0000 Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503A8E3F62@shsmsx102.ccr.corp.intel.com> References: <20170119051359.14044-1-chao.b.zhang@intel.com> In-Reply-To: <20170119051359.14044-1-chao.b.zhang@intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Jan 2017 02:04:10 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Jiewen.yao@intel.com > -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zh= ang, > Chao B > Sent: Thursday, January 19, 2017 1:14 PM > To: edk2-devel@lists.01.org > Cc: Zhang, Chao B ; Yao, Jiewen > ; Zeng, Star ; > yao.jiewen@intel.com > Subject: [edk2] [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Upda= te > PCR[7] measure logic >=20 > Update PCR[7] measure logic according to TCG PC Client PFP 00.37. > Only entries in DB that is used for image authentication need to be > measured. > http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific > _Platform_Profile_for_TPM_2p0_Systems_v21.pdf >=20 > Cc: Star Zeng > Cc: Yao Jiewen > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Chao Zhang > --- > .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 10 > +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) >=20 > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 7b7e6af..e28e106 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib= .c > @@ -12,7 +12,7 @@ > DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() > function will accept > untrusted PE/COFF image and validate its data structure within this im= age > buffer before use. >=20 > -Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
> +Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
> (C) Copyright 2016 Hewlett Packard Enterprise Development LP
> This program and the accompanying materials > are licensed and made available under the terms and conditions of the BS= D > License > @@ -1026,7 +1026,12 @@ IsSignatureFoundInDatabase ( > // Find the signature in database. > // > IsFound =3D TRUE; > - SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, > CertList->SignatureSize, Cert); > + // > + // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to > validate image should be measured > + // > + if (StrCmp(VariableName, EFI_IMAGE_SECURITY_DATABASE) =3D=3D 0= ) { > + SecureBootHook (VariableName, > &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert); > + } > break; > } >=20 > @@ -1309,7 +1314,6 @@ IsForbiddenByDbx ( > mImageDigestSize > ); > if (IsForbidden) { > - SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1, > &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, CertData); > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed > but signature is forbidden by DBX.\n")); > goto Done; > } > -- > 1.9.5.msysgit.1 >=20 > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel