From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "Sukerkar, Amol N" <amol.n.sukerkar@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Kinney, Michael D" <michael.d.kinney@intel.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
"Agrawal, Sachin" <sachin.agrawal@intel.com>,
"Musti, Srinivas" <srinivas.musti@intel.com>
Subject: Re: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
Date: Wed, 15 Jan 2020 03:13:58 +0000 [thread overview]
Message-ID: <D827630B58408649ACB04F44C5100036259F4BF5@SHSMSX107.ccr.corp.intel.com> (raw)
In-Reply-To: <20200114154107.655-2-amol.n.sukerkar@intel.com>
Amol,
1. Your patch doesn't support hashing more than one algorithm at the same time.
Is this on purpose? Sorry I don't remember the conclusion in last discussion.
2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h.
You can use BaseTools\Scripts\PatchCheck.py to check it before sending patch.
See my other comments below.
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Tuesday, January 14, 2020 11:41 PM
> To: devel@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal,
> Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
> Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash
> Calculation API
>
> This commit introduces a Unified Hash API to calculate hash using a
> hashing algorithm specified by the PCD, PcdSystemHashPolicy. This library
> interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
> SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate the
> desired hash by setting PcdSystemHashPolicy to appropriate value.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> ---
>
> Notes:
> v2:
> - Fixed the commit message format
>
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252
> ++++++++++++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
> SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
> SecurityPkg/SecurityPkg.dec | 23 +-
> SecurityPkg/SecurityPkg.dsc | 10 +-
> SecurityPkg/SecurityPkg.uni | 15 +-
> 12 files changed, 833 insertions(+), 3 deletions(-)
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> new file mode 100644
> index 000000000000..f8742e55b5f7
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> @@ -0,0 +1,252 @@
> +/** @file
>
> + Implement image verification services for secure boot service
>
> +
>
> + Caution: This file requires additional review when modified.
>
> + This library will have external input - PE/COFF image.
>
> + This external input must be validated carefully to avoid security issue like
>
> + buffer overflow, integer overflow.
>
> +
>
> + DxeImageVerificationLibImageRead() function will make sure the PE/COFF
> image content
>
> + read is within the image buffer.
>
> +
>
> + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage()
> function will accept
>
> + untrusted PE/COFF image and validate its data structure within this image
> buffer before use.
>
> +
>
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
>
> +This program and the accompanying materials
>
> +are licensed and made available under the terms and conditions of the BSD
> License
>
> +which accompanies this distribution. The full text of the license may be found
> at
>
> +http://opensource.org/licenses/bsd-license.php
>
> +
>
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
>
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
>
> +
>
> +**/
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/BaseCryptLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/BaseHashLib.h>
>
> +
>
> +/**
>
> + Init hash sequence with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashInitInternal (
>
> + IN UINT8 HashPolicy,
>
> + OUT HASH_HANDLE *HashHandle
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> + UINTN CtxSize;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + CtxSize = Md4GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Md4Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + CtxSize = Md5GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Md5Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + CtxSize = Sha1GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha1Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + CtxSize = Sha256GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha256Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + CtxSize = Sha384GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha384Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + CtxSize = Sha512GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha512Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + CtxSize = Sm3GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sm3Init (HashCtx);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
> + }
>
> +
3. Instead of switch..case, using a global array to defines all supported interfaces
would be more efficient, since you can value of PcdSystemHashPolicy to index
them directly.
>
> + *HashHandle = (HASH_HANDLE)HashCtx;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashUpdateInternal (
>
> + IN UINT8 HashPolicy,
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> +
>
> + HashCtx = (VOID *)HashHandle;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
> + }
>
4. The same as 3
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashFinalInternal (
>
> + IN UINT8 HashPolicy,
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 **Digest
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> + UINT8 DigestData[SHA512_DIGEST_SIZE];
>
> +
>
> + HashCtx = (VOID *)HashHandle;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + Status = Md4Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + Status = Md5Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + Status = Sha1Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + Status = Sha256Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + Status = Sha384Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + Status = Sha512Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + Status = Sm3Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
5. The same as 3
> + }
>
> +
>
> + FreePool (HashCtx);
>
> +
>
> + return Status;
>
> +}
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> new file mode 100644
> index 000000000000..ea22cfe16e2f
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> @@ -0,0 +1,122 @@
> +/** @file
>
> + This library is Unified Hash API. It will redirect hash request to
>
> + the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256,
>
> + SHA384 and SM3...
>
> +
>
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/BaseHashLib.h>
>
> +
>
> +#include "BaseHashLibCommon.h"
>
> +
>
> +/**
>
> + Init hash sequence.
>
> +
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiInit (
>
> + OUT HASH_HANDLE *HashHandle
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> + HASH_HANDLE Handle;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashInitInternal (HashPolicy, &Handle);
>
> +
>
> + *HashHandle = Handle;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiUpdate (
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiFinal (
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 *Digest
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + The constructor function of BaseHashLib Dxe.
>
> +
>
> + @param FileHandle The handle of FFS header the loaded driver.
>
> + @param PeiServices The pointer to the PEI services.
>
> +
>
> + @retval EFI_SUCCESS The constructor executes successfully.
>
> + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> constructor.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +BaseHashLibApiDxeConstructor (
>
> + IN EFI_HANDLE ImageHandle,
>
> + IN EFI_SYSTEM_TABLE *SystemTable
>
> + )
>
> +{
>
> + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n"));
>
> +
>
> + return EFI_SUCCESS;
>
> +}
6. Constructor is not necessary if you don't have anything to do with it.
You can remove it from inf file and here.
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> new file mode 100644
> index 000000000000..580ac21fc1d9
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> @@ -0,0 +1,125 @@
> +/** @file
>
> + This library is Unified Hash API. It will redirect hash request to
>
> + the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256,
>
> + SHA384 and SM3...
>
> +
>
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/HashLib.h>
>
> +#include <Library/HobLib.h>
>
> +#include <Guid/ZeroGuid.h>
>
> +
>
> +#include <Library/BaseHashLib.h>
>
> +#include "BaseHashLibCommon.h"
>
> +
>
> +/**
>
> + Init hash sequence.
>
> +
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiInit (
>
> + OUT HASH_HANDLE *HashHandle
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> + HASH_HANDLE Handle;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashInitInternal (HashPolicy, &Handle);
>
> +
>
> + *HashHandle = Handle;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiUpdate (
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiFinal (
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 *Digest
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + The constructor function of BaseHashLib Pei.
>
> +
>
> + @param FileHandle The handle of FFS header the loaded driver.
>
> + @param PeiServices The pointer to the PEI services.
>
> +
>
> + @retval EFI_SUCCESS The constructor executes successfully.
>
> + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> constructor.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +BaseHashLibApiPeiConstructor (
>
> + IN EFI_PEI_FILE_HANDLE FileHandle,
>
> + IN CONST EFI_PEI_SERVICES **PeiServices
>
> + )
>
> +{
>
> + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n"));
>
> +
>
> + return EFI_SUCCESS;
>
> +}
7. The same as 6
> \ No newline at end of file
> diff --git a/SecurityPkg/Include/Library/BaseHashLib.h
> b/SecurityPkg/Include/Library/BaseHashLib.h
> new file mode 100644
> index 000000000000..e1883fe7ce41
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/BaseHashLib.h
> @@ -0,0 +1,84 @@
> +/** @file
> + The internal header file includes the common header files, defines
> + internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +
> +#ifndef __BASEHASHLIB_H_
> +#define __BASEHASHLIB_H_
> +
> +#include <Uefi.h>
> +#include <Protocol/Hash.h>
> +#include <Library/HashLib.h>
> +
> +//
> +// Hash Algorithms
> +//
> +#define HASH_DEFAULT 0x00000000
> +#define HASH_MD4 0x00000001
> +#define HASH_MD5 0x00000002
> +#define HASH_SHA1 0x00000003
> +#define HASH_SHA256 0x00000004
> +#define HASH_SHA384 0x00000005
> +#define HASH_SHA512 0x00000006
> +#define HASH_SM3_256 0x00000007
> +
> +
> +/**
> + Init hash sequence.
> +
> + @param HashHandle Hash handle.
> +
> + @retval TRUE Hash start and HashHandle returned.
> + @retval FALSE Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> + OUT HASH_HANDLE *HashHandle
> +);
> +
> +/**
> + Update hash data.
> +
> + @param HashHandle Hash handle.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> + IN HASH_HANDLE HashHandle,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> +);
> +
> +/**
> + Hash complete.
> +
> + @param HashHandle Hash handle.
> + @param Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> + IN HASH_HANDLE HashHandle,
> + OUT UINT8 *Digest
> +);
> +
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> new file mode 100644
> index 000000000000..776b74ad753b
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> @@ -0,0 +1,71 @@
> +/** @file
> + The internal header file includes the common header files, defines
> + internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +
> +#ifndef __BASEHASHLIB_COMMON_H_
> +#define __BASEHASHLIB_COMMON_H_
> +
> +/**
> + Init hash sequence with Hash Algorithm specified by HashPolicy.
> +
> + @param HashHandle Hash handle.
> +
> + @retval EFI_SUCCESS Hash start and HashHandle returned.
> + @retval EFI_UNSUPPORTED System has no HASH library registered.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashInitInternal (
> + IN UINT8 HashPolicy,
> + OUT HASH_HANDLE *HashHandle
> + );
> +
> +/**
> + Hash complete with Hash Algorithm specified by HashPolicy.
> +
> + @param HashPolicy Hash Algorithm Policy.
> + @param HashHandle Hash handle.
> + @param Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashUpdateInternal (
> + IN UINT8 HashPolicy,
> + IN HASH_HANDLE HashHandle,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> + );
> +
> +/**
> + Update hash data with Hash Algorithm specified by HashPolicy.
> +
> + @param HashPolicy Hash Algorithm Policy.
> + @param HashHandle Hash handle.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashFinalInternal (
> + IN UINT8 HashPolicy,
> + IN HASH_HANDLE HashHandle,
> + OUT UINT8 **Digest
> + );
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> new file mode 100644
> index 000000000000..f97bda06108f
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> @@ -0,0 +1,47 @@
> +## @file
>
> +# Provides hash service by registered hash handler
>
> +#
>
> +# This library is Base Hash Lib. It will redirect hash request to each individual
>
> +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.
>
> +#
>
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +##
>
> +
>
> +[Defines]
>
> + INF_VERSION = 0x00010005
>
> + BASE_NAME = BaseHashLibDxe
>
> + MODULE_UNI_FILE = BaseHashLibDxe.uni
>
> + FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
>
> + MODULE_TYPE = DXE_DRIVER
>
> + VERSION_STRING = 1.0
>
> + LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
>
> + CONSTRUCTOR = BaseHashLibApiDxeConstructor
8. Since the above function is actually empty, you can remove above line and
function in c file.
>
> +
>
> +#
>
> +# The following information is for reference only and not required by the build
> tools.
>
> +#
>
> +# VALID_ARCHITECTURES = IA32 X64
>
> +#
>
> +
>
> +[Sources]
>
> + BaseHashLibCommon.h
>
> + BaseHashLibCommon.c
>
> + BaseHashLibDxe.c
>
> +
>
> +[Packages]
>
> + MdePkg/MdePkg.dec
>
> + CryptoPkg/CryptoPkg.dec
>
> + SecurityPkg/SecurityPkg.dec
>
> +
>
> +[LibraryClasses]
>
> + BaseLib
>
> + BaseMemoryLib
>
> + DebugLib
>
> + MemoryAllocationLib
>
> + BaseCryptLib
>
> + PcdLib
>
> +
>
> +[Pcd]
>
> + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> new file mode 100644
> index 000000000000..1865773b4a25
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> @@ -0,0 +1,18 @@
> +// /** @file
>
> +// Provides hash service by registered hash handler
>
> +//
>
> +// This library is Unified Hash API. It will redirect hash request to each individual
>
> +// hash handler registered, such as SHA1, SHA256. Platform can use
> PcdTpm2HashMask to
>
> +// mask some hash engines.
>
> +//
>
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
>
> +//
>
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +//
>
> +// **/
>
> +
>
> +
>
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
>
> +
>
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler specified by
> PcdSystemHashPolicy."
>
> +
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> new file mode 100644
> index 000000000000..4d36030744bd
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> @@ -0,0 +1,52 @@
> +## @file
>
> +# Provides hash service by registered hash handler
>
> +#
>
> +# This library is BaseCrypto router. It will redirect hash request to each
> individual
>
> +# hash handler registered, such as SHA1, SHA256.
>
> +#
>
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +##
>
> +
>
> +[Defines]
>
> + INF_VERSION = 0x00010005
>
> + BASE_NAME = BaseHashLibPei
>
> + MODULE_UNI_FILE = BaseHashLibPei.uni
>
> + FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
>
> + MODULE_TYPE = PEIM
>
> + VERSION_STRING = 1.0
>
> + LIBRARY_CLASS = BaseHashLib|PEIM
>
> + CONSTRUCTOR = BaseHashLibApiPeiConstructor
>
9. The same as 8
> +
>
> +#
>
> +# The following information is for reference only and not required by the build
> tools.
>
> +#
>
> +# VALID_ARCHITECTURES = IA32 X64
>
> +#
>
> +
>
> +[Sources]
>
> + BaseHashLibCommon.h
>
> + BaseHashLibCommon.c
>
> + BaseHashLibPei.c
>
> +
>
> +[Packages]
>
> + MdePkg/MdePkg.dec
>
> + SecurityPkg/SecurityPkg.dec
>
> + CryptoPkg/CryptoPkg.dec
>
> + MdeModulePkg/MdeModulePkg.dec
>
> +
>
> +[LibraryClasses]
>
> + BaseLib
>
> + BaseMemoryLib
>
> + DebugLib
>
> + MemoryAllocationLib
>
> + BaseCryptLib
>
> + PcdLib
>
> +
>
> +[Guids]
>
> + ## SOMETIMES_CONSUMES ## GUID
>
> + gZeroGuid
>
> +
>
> +[Pcd]
>
> + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> new file mode 100644
> index 000000000000..2131b61bd235
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> @@ -0,0 +1,17 @@
> +// /** @file
>
> +// Provides hash service by registered hash handler
>
> +//
>
> +// This library is Unified Hash API. It will redirect hash request to each individual
>
> +// hash handler registered, such as SHA1, SHA256.
>
> +//
>
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
>
> +//
>
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +//
>
> +// **/
>
> +
>
> +
>
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
>
> +
>
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler specified by
> PcdSystemHashPolicy."
>
> +
>
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index cac36caf0a0d..e0e144124ddd 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -5,7 +5,7 @@
> # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library
> classes)
>
> # and libraries instances, which are used for those features.
>
> #
>
> -# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>
> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP <BR>
>
> # Copyright (c) 2017, Microsoft Corporation. All rights reserved. <BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> @@ -27,6 +27,10 @@ [LibraryClasses]
> #
>
> HashLib|Include/Library/HashLib.h
>
>
>
> + ## @libraryclass Provides hash interfaces from different implementations.
>
> + #
>
> + BaseHashLib|Include/Library/HashLib.h
>
> +
>
> ## @libraryclass Provides a platform specific interface to detect physically
> present user.
>
> #
>
> PlatformSecureLib|Include/Library/PlatformSecureLib.h
>
> @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx]
> # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
>
>
> gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023
>
>
>
> +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
>
> + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF image
>
> + # Based on the value set, the required algorithm is chosen to verify
>
> + # the unsigned image during Secure Boot.<BR>
>
> + # The hashing algorithm selected must match the hashing algorithm used to
>
> + # hash the image to be added to DB using tools such as KeyEnroll.<BR>
>
> + # 0x00000001 - MD4.<BR>
>
> + # 0x00000002 - MD5.<BR>
>
> + # 0x00000003 - SHA1.<BR>
>
> + # 0x00000004 - SHA256.<BR>
>
> + # 0x00000005 - SHA384.<BR>
>
> + # 0x00000006 - SHA512.<BR>
>
> + # 0x00000007 - SM3_256.<BR>
>
> + # @Prompt Set policy for hashing unsigned image for Secure Boot.
>
> + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
>
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x0001002
> 4
>
> +
>
> [UserExtensions.TianoCore."ExtraFiles"]
>
> SecurityPkgExtra.uni
>
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> index a2eeadda7a7e..86a5847e2509 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -1,7 +1,7 @@
> ## @file
>
> # Security Module Package for All Architectures.
>
> #
>
> -# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>
> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #
>
> @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
>
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.
> inf
>
>
> Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTc
> g2PhysicalPresenceLib.inf
>
> RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
>
> + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
>
>
>
> [LibraryClasses.common.DXE_DRIVER]
>
> HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
>
> @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER]
>
> Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i
> nf
>
>
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.in
> f
>
> FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
>
> + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
>
>
>
> [LibraryClasses.common.UEFI_DRIVER,
> LibraryClasses.common.DXE_RUNTIME_DRIVER,
> LibraryClasses.common.DXE_SAL_DRIVER,]
>
> HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
>
> @@ -211,6 +213,12 @@ [Components]
>
>
> SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
>
>
>
> + #
>
> + # Unified Hash API
>
> + #
>
> + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
>
> + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
>
> +
>
> #
>
> # TCG Storage.
>
> #
>
> diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni
> index 68587304d779..32ef97f81461 100644
> --- a/SecurityPkg/SecurityPkg.uni
> +++ b/SecurityPkg/SecurityPkg.uni
> @@ -5,7 +5,7 @@
> // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library
> classes)
>
> // and libraries instances, which are used for those features.
>
> //
>
> -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
>
> +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>
> //
>
> // SPDX-License-Identifier: BSD-2-Clause-Patent
>
> //
>
> @@ -295,3 +295,16 @@
>
>
> #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP
> #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
>
> "0 means this field is
> unsupported\n"
>
> +
>
>
> +
> #string
> STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> #language en-US "HASH algorithm to verify unsigned PE/COFF image"
>
> +
>
> +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> #language en-US "This PCD indicates the HASH algorithm used by Unified Hash
> API.<BR><BR>\n"
>
> + "Based on the value set, the
> required algorithm is chosen to calculate\n"
>
> + "the hash desired.<BR>\n"
>
> + "0x00000001 - MD4.<BR>\n"
>
> + "0x00000002 - MD5.<BR>\n"
>
> + "0x00000003 - SHA1.<BR>\n"
>
> + "0x00000004 -
> SHA256.<BR>\n"
>
> + "0x00000005 -
> SHA384.<BR>\n"
>
> + "0x00000006 -
> SHA512.<BR>\n"
>
> + "0x00000007 - SM3.<BR>"
>
> --
> 2.16.2.windows.1
next prev parent reply other threads:[~2020-01-15 3:14 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-14 15:41 [PATCH v2 0/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API Sukerkar, Amol N
2020-01-14 15:41 ` [PATCH v2 1/1] " Sukerkar, Amol N
2020-01-15 3:13 ` Wang, Jian J [this message]
2020-01-15 3:47 ` [edk2-devel] " Liming Gao
2020-01-15 23:01 ` Sukerkar, Amol N
2020-01-16 3:38 ` Liming Gao
2020-01-16 4:27 ` Sukerkar, Amol N
2020-01-16 4:35 ` Liming Gao
2020-01-16 16:58 ` Sukerkar, Amol N
2020-01-17 0:31 ` Liming Gao
2020-01-17 3:47 ` Sukerkar, Amol N
2020-01-15 20:13 ` Sukerkar, Amol N
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D827630B58408649ACB04F44C5100036259F4BF5@SHSMSX107.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox