From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mx.groups.io with SMTP id smtpd.web12.2026.1579058043554380467 for ; Tue, 14 Jan 2020 19:14:03 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.20, mailfrom: jian.j.wang@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Jan 2020 19:14:02 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,321,1574150400"; d="scan'208";a="242713439" Received: from fmsmsx108.amr.corp.intel.com ([10.18.124.206]) by orsmga002.jf.intel.com with ESMTP; 14 Jan 2020 19:14:02 -0800 Received: from fmsmsx162.amr.corp.intel.com (10.18.125.71) by FMSMSX108.amr.corp.intel.com (10.18.124.206) with Microsoft SMTP Server (TLS) id 14.3.439.0; Tue, 14 Jan 2020 19:14:02 -0800 Received: from shsmsx152.ccr.corp.intel.com (10.239.6.52) by fmsmsx162.amr.corp.intel.com (10.18.125.71) with Microsoft SMTP Server (TLS) id 14.3.439.0; Tue, 14 Jan 2020 19:14:02 -0800 Received: from shsmsx107.ccr.corp.intel.com ([169.254.9.210]) by SHSMSX152.ccr.corp.intel.com ([169.254.6.203]) with mapi id 14.03.0439.000; Wed, 15 Jan 2020 11:13:59 +0800 From: "Wang, Jian J" To: "Sukerkar, Amol N" , "devel@edk2.groups.io" CC: "Kinney, Michael D" , "Yao, Jiewen" , "Agrawal, Sachin" , "Musti, Srinivas" Subject: Re: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API Thread-Topic: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API Thread-Index: AQHVyvETJsClZTDraE6d24/5UbWyCKfrCD2g Date: Wed, 15 Jan 2020 03:13:58 +0000 Message-ID: References: <20200114154107.655-1-amol.n.sukerkar@intel.com> <20200114154107.655-2-amol.n.sukerkar@intel.com> In-Reply-To: <20200114154107.655-2-amol.n.sukerkar@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYzdjOTdlN2ItODk1Ny00OTcxLTkzNTEtYzZjNWE3YTNiNWMxIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoieXNhXC9JYkNIZVhWWkd4akxySUFwdDBCc1V6VVVnVW5jNFFPQUs2NGg4ZU5KWEFpTm83OWEwdEJIcW1ZRitLdnYifQ== x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Return-Path: jian.j.wang@intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Amol, 1. Your patch doesn't support hashing more than one algorithm at the same t= ime. Is this on purpose? Sorry I don't remember the conclusion in last discus= sion. 2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h. You can use BaseTools\Scripts\PatchCheck.py to check it before sending p= atch. See my other comments below. > -----Original Message----- > From: Sukerkar, Amol N > Sent: Tuesday, January 14, 2020 11:41 PM > To: devel@edk2.groups.io > Cc: Kinney, Michael D ; Yao, Jiewen > ; Wang, Jian J ; Agrawal, > Sachin ; Musti, Srinivas > Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash > Calculation API >=20 > This commit introduces a Unified Hash API to calculate hash using a > hashing algorithm specified by the PCD, PcdSystemHashPolicy. This library > interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256, > SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate the > desired hash by setting PcdSystemHashPolicy to appropriate value. >=20 > Cc: Jiewen Yao > Cc: Jian J Wang > Cc: Michael D Kinney > Signed-off-by: Sukerkar, Amol N > --- >=20 > Notes: > v2: > - Fixed the commit message format >=20 > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252 > ++++++++++++++++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++ > SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++ > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++ > SecurityPkg/SecurityPkg.dec | 23 +- > SecurityPkg/SecurityPkg.dsc | 10 +- > SecurityPkg/SecurityPkg.uni | 15 +- > 12 files changed, 833 insertions(+), 3 deletions(-) >=20 > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c > new file mode 100644 > index 000000000000..f8742e55b5f7 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c > @@ -0,0 +1,252 @@ > +/** @file >=20 > + Implement image verification services for secure boot service >=20 > + >=20 > + Caution: This file requires additional review when modified. >=20 > + This library will have external input - PE/COFF image. >=20 > + This external input must be validated carefully to avoid security issu= e like >=20 > + buffer overflow, integer overflow. >=20 > + >=20 > + DxeImageVerificationLibImageRead() function will make sure the PE/COFF > image content >=20 > + read is within the image buffer. >=20 > + >=20 > + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() > function will accept >=20 > + untrusted PE/COFF image and validate its data structure within this im= age > buffer before use. >=20 > + >=20 > +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
>=20 > +(C) Copyright 2016 Hewlett Packard Enterprise Development LP
>=20 > +This program and the accompanying materials >=20 > +are licensed and made available under the terms and conditions of the BS= D > License >=20 > +which accompanies this distribution. The full text of the license may b= e found > at >=20 > +http://opensource.org/licenses/bsd-license.php >=20 > + >=20 > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, >=20 > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. >=20 > + >=20 > +**/ >=20 > + >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > + >=20 > +/** >=20 > + Init hash sequence with Hash Algorithm specified by HashPolicy. >=20 > + >=20 > + @param HashPolicy Hash Algorithm Policy. >=20 > + @param HashHandle Hash handle. >=20 > + >=20 > + @retval TRUE Hash start and HashHandle returned. >=20 > + @retval FALSE Hash Init unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashInitInternal ( >=20 > + IN UINT8 HashPolicy, >=20 > + OUT HASH_HANDLE *HashHandle >=20 > + ) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + VOID *HashCtx; >=20 > + UINTN CtxSize; >=20 > + >=20 > + switch (HashPolicy) { >=20 > + case HASH_MD4: >=20 > + CtxSize =3D Md4GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Md4Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_MD5: >=20 > + CtxSize =3D Md5GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Md5Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SHA1: >=20 > + CtxSize =3D Sha1GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sha1Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SHA256: >=20 > + CtxSize =3D Sha256GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sha256Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SHA384: >=20 > + CtxSize =3D Sha384GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sha384Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SHA512: >=20 > + CtxSize =3D Sha512GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sha512Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SM3_256: >=20 > + CtxSize =3D Sm3GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sm3Init (HashCtx); >=20 > + break; >=20 > + >=20 > + default: >=20 > + ASSERT (FALSE); >=20 > + break; >=20 > + } >=20 > + 3. Instead of switch..case, using a global array to defines all supported i= nterfaces would be more efficient, since you can value of PcdSystemHashPolicy to inde= x them directly. >=20 > + *HashHandle =3D (HASH_HANDLE)HashCtx; >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Update hash data with Hash Algorithm specified by HashPolicy. >=20 > + >=20 > + @param HashPolicy Hash Algorithm Policy. >=20 > + @param HashHandle Hash handle. >=20 > + @param DataToHash Data to be hashed. >=20 > + @param DataToHashLen Data size. >=20 > + >=20 > + @retval TRUE Hash updated. >=20 > + @retval FALSE Hash updated unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashUpdateInternal ( >=20 > + IN UINT8 HashPolicy, >=20 > + IN HASH_HANDLE HashHandle, >=20 > + IN VOID *DataToHash, >=20 > + IN UINTN DataToHashLen >=20 > + ) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + VOID *HashCtx; >=20 > + >=20 > + HashCtx =3D (VOID *)HashHandle; >=20 > + >=20 > + switch (HashPolicy) { >=20 > + case HASH_MD4: >=20 > + Status =3D Md4Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_MD5: >=20 > + Status =3D Md5Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SHA1: >=20 > + Status =3D Sha1Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SHA256: >=20 > + Status =3D Sha256Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SHA384: >=20 > + Status =3D Sha384Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SHA512: >=20 > + Status =3D Sha512Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SM3_256: >=20 > + Status =3D Sm3Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + default: >=20 > + ASSERT (FALSE); >=20 > + break; >=20 > + } >=20 4. The same as 3 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Hash complete with Hash Algorithm specified by HashPolicy. >=20 > + >=20 > + @param HashPolicy Hash Algorithm Policy. >=20 > + @param HashHandle Hash handle. >=20 > + @param Digest Hash Digest. >=20 > + >=20 > + @retval TRUE Hash complete and Digest is returned. >=20 > + @retval FALSE Hash complete unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashFinalInternal ( >=20 > + IN UINT8 HashPolicy, >=20 > + IN HASH_HANDLE HashHandle, >=20 > + OUT UINT8 **Digest >=20 > + ) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + VOID *HashCtx; >=20 > + UINT8 DigestData[SHA512_DIGEST_SIZE]; >=20 > + >=20 > + HashCtx =3D (VOID *)HashHandle; >=20 > + >=20 > + switch (HashPolicy) { >=20 > + case HASH_MD4: >=20 > + Status =3D Md4Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_MD5: >=20 > + Status =3D Md5Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SHA1: >=20 > + Status =3D Sha1Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SHA256: >=20 > + Status =3D Sha256Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SHA384: >=20 > + Status =3D Sha384Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SHA512: >=20 > + Status =3D Sha512Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SM3_256: >=20 > + Status =3D Sm3Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + default: >=20 > + ASSERT (FALSE); >=20 > + break; >=20 5. The same as 3 > + } >=20 > + >=20 > + FreePool (HashCtx); >=20 > + >=20 > + return Status; >=20 > +} > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c > new file mode 100644 > index 000000000000..ea22cfe16e2f > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c > @@ -0,0 +1,122 @@ > +/** @file >=20 > + This library is Unified Hash API. It will redirect hash request to >=20 > + the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256= , >=20 > + SHA384 and SM3... >=20 > + >=20 > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
>=20 > +SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > + >=20 > +**/ >=20 > + >=20 > + >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > + >=20 > +#include "BaseHashLibCommon.h" >=20 > + >=20 > +/** >=20 > + Init hash sequence. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + >=20 > + @retval TRUE Hash start and HashHandle returned. >=20 > + @retval FALSE Hash Init unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiInit ( >=20 > + OUT HASH_HANDLE *HashHandle >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + HASH_HANDLE Handle; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashInitInternal (HashPolicy, &Handle); >=20 > + >=20 > + *HashHandle =3D Handle; >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Update hash data. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + @param DataToHash Data to be hashed. >=20 > + @param DataToHashLen Data size. >=20 > + >=20 > + @retval TRUE Hash updated. >=20 > + @retval FALSE Hash updated unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiUpdate ( >=20 > + IN HASH_HANDLE HashHandle, >=20 > + IN VOID *DataToHash, >=20 > + IN UINTN DataToHashLen >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, > DataToHashLen); >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Hash complete. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + @param Digest Hash Digest. >=20 > + >=20 > + @retval TRUE Hash complete and Digest is returned. >=20 > + @retval FALSE Hash complete unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiFinal ( >=20 > + IN HASH_HANDLE HashHandle, >=20 > + OUT UINT8 *Digest >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashFinalInternal (HashPolicy, &HashHandle, &Digest); >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + The constructor function of BaseHashLib Dxe. >=20 > + >=20 > + @param FileHandle The handle of FFS header the loaded driver. >=20 > + @param PeiServices The pointer to the PEI services. >=20 > + >=20 > + @retval EFI_SUCCESS The constructor executes successfully. >=20 > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the > constructor. >=20 > + >=20 > +**/ >=20 > +EFI_STATUS >=20 > +EFIAPI >=20 > +BaseHashLibApiDxeConstructor ( >=20 > + IN EFI_HANDLE ImageHandle, >=20 > + IN EFI_SYSTEM_TABLE *SystemTable >=20 > + ) >=20 > +{ >=20 > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n")); >=20 > + >=20 > + return EFI_SUCCESS; >=20 > +} 6. Constructor is not necessary if you don't have anything to do with it. You can remove it from inf file and here. > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c > new file mode 100644 > index 000000000000..580ac21fc1d9 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c > @@ -0,0 +1,125 @@ > +/** @file >=20 > + This library is Unified Hash API. It will redirect hash request to >=20 > + the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256= , >=20 > + SHA384 and SM3... >=20 > + >=20 > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
>=20 > +SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > + >=20 > +**/ >=20 > + >=20 > + >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > + >=20 > +#include >=20 > +#include "BaseHashLibCommon.h" >=20 > + >=20 > +/** >=20 > + Init hash sequence. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + >=20 > + @retval TRUE Hash start and HashHandle returned. >=20 > + @retval FALSE Hash Init unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiInit ( >=20 > + OUT HASH_HANDLE *HashHandle >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + HASH_HANDLE Handle; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashInitInternal (HashPolicy, &Handle); >=20 > + >=20 > + *HashHandle =3D Handle; >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Update hash data. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + @param DataToHash Data to be hashed. >=20 > + @param DataToHashLen Data size. >=20 > + >=20 > + @retval TRUE Hash updated. >=20 > + @retval FALSE Hash updated unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiUpdate ( >=20 > + IN HASH_HANDLE HashHandle, >=20 > + IN VOID *DataToHash, >=20 > + IN UINTN DataToHashLen >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, > DataToHashLen); >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Hash complete. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + @param Digest Hash Digest. >=20 > + >=20 > + @retval TRUE Hash complete and Digest is returned. >=20 > + @retval FALSE Hash complete unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiFinal ( >=20 > + IN HASH_HANDLE HashHandle, >=20 > + OUT UINT8 *Digest >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashFinalInternal (HashPolicy, HashHandle, &Digest); >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + The constructor function of BaseHashLib Pei. >=20 > + >=20 > + @param FileHandle The handle of FFS header the loaded driver. >=20 > + @param PeiServices The pointer to the PEI services. >=20 > + >=20 > + @retval EFI_SUCCESS The constructor executes successfully. >=20 > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the > constructor. >=20 > + >=20 > +**/ >=20 > +EFI_STATUS >=20 > +EFIAPI >=20 > +BaseHashLibApiPeiConstructor ( >=20 > + IN EFI_PEI_FILE_HANDLE FileHandle, >=20 > + IN CONST EFI_PEI_SERVICES **PeiServices >=20 > + ) >=20 > +{ >=20 > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n")); >=20 > + >=20 > + return EFI_SUCCESS; >=20 > +} 7. The same as 6 > \ No newline at end of file > diff --git a/SecurityPkg/Include/Library/BaseHashLib.h > b/SecurityPkg/Include/Library/BaseHashLib.h > new file mode 100644 > index 000000000000..e1883fe7ce41 > --- /dev/null > +++ b/SecurityPkg/Include/Library/BaseHashLib.h > @@ -0,0 +1,84 @@ > +/** @file > + The internal header file includes the common header files, defines > + internal structure and functions used by ImageVerificationLib. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
> +This program and the accompanying materials > +are licensed and made available under the terms and conditions of the BS= D > License > +which accompanies this distribution. The full text of the license may b= e found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + > +**/ > + > +#ifndef __BASEHASHLIB_H_ > +#define __BASEHASHLIB_H_ > + > +#include > +#include > +#include > + > +// > +// Hash Algorithms > +// > +#define HASH_DEFAULT 0x00000000 > +#define HASH_MD4 0x00000001 > +#define HASH_MD5 0x00000002 > +#define HASH_SHA1 0x00000003 > +#define HASH_SHA256 0x00000004 > +#define HASH_SHA384 0x00000005 > +#define HASH_SHA512 0x00000006 > +#define HASH_SM3_256 0x00000007 > + > + > +/** > + Init hash sequence. > + > + @param HashHandle Hash handle. > + > + @retval TRUE Hash start and HashHandle returned. > + @retval FALSE Hash Init unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiInit ( > + OUT HASH_HANDLE *HashHandle > +); > + > +/** > + Update hash data. > + > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiUpdate ( > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > +); > + > +/** > + Hash complete. > + > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiFinal ( > + IN HASH_HANDLE HashHandle, > + OUT UINT8 *Digest > +); > + > +#endif > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h > new file mode 100644 > index 000000000000..776b74ad753b > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h > @@ -0,0 +1,71 @@ > +/** @file > + The internal header file includes the common header files, defines > + internal structure and functions used by ImageVerificationLib. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
> +This program and the accompanying materials > +are licensed and made available under the terms and conditions of the BS= D > License > +which accompanies this distribution. The full text of the license may b= e found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + > +**/ > + > +#ifndef __BASEHASHLIB_COMMON_H_ > +#define __BASEHASHLIB_COMMON_H_ > + > +/** > + Init hash sequence with Hash Algorithm specified by HashPolicy. > + > + @param HashHandle Hash handle. > + > + @retval EFI_SUCCESS Hash start and HashHandle returned. > + @retval EFI_UNSUPPORTED System has no HASH library registered. > +**/ > +BOOLEAN > +EFIAPI > +HashInitInternal ( > + IN UINT8 HashPolicy, > + OUT HASH_HANDLE *HashHandle > + ); > + > +/** > + Hash complete with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashUpdateInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > + ); > + > +/** > + Update hash data with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashFinalInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + OUT UINT8 **Digest > + ); > +#endif > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > new file mode 100644 > index 000000000000..f97bda06108f > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > @@ -0,0 +1,47 @@ > +## @file >=20 > +# Provides hash service by registered hash handler >=20 > +# >=20 > +# This library is Base Hash Lib. It will redirect hash request to each = individual >=20 > +# hash handler registered, such as SHA1, SHA256, SHA384, SM3. >=20 > +# >=20 > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
>=20 > +# SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > +# >=20 > +## >=20 > + >=20 > +[Defines] >=20 > + INF_VERSION =3D 0x00010005 >=20 > + BASE_NAME =3D BaseHashLibDxe >=20 > + MODULE_UNI_FILE =3D BaseHashLibDxe.uni >=20 > + FILE_GUID =3D 158DC712-F15A-44dc-93BB-1675045BE06= 6 >=20 > + MODULE_TYPE =3D DXE_DRIVER >=20 > + VERSION_STRING =3D 1.0 >=20 > + LIBRARY_CLASS =3D BaseHashLib|DXE_DRIVER DXE_RUNTIME_= DRIVER > DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER >=20 > + CONSTRUCTOR =3D BaseHashLibApiDxeConstructor 8. Since the above function is actually empty, you can remove above line an= d function in c file. >=20 > + >=20 > +# >=20 > +# The following information is for reference only and not required by th= e build > tools. >=20 > +# >=20 > +# VALID_ARCHITECTURES =3D IA32 X64 >=20 > +# >=20 > + >=20 > +[Sources] >=20 > + BaseHashLibCommon.h >=20 > + BaseHashLibCommon.c >=20 > + BaseHashLibDxe.c >=20 > + >=20 > +[Packages] >=20 > + MdePkg/MdePkg.dec >=20 > + CryptoPkg/CryptoPkg.dec >=20 > + SecurityPkg/SecurityPkg.dec >=20 > + >=20 > +[LibraryClasses] >=20 > + BaseLib >=20 > + BaseMemoryLib >=20 > + DebugLib >=20 > + MemoryAllocationLib >=20 > + BaseCryptLib >=20 > + PcdLib >=20 > + >=20 > +[Pcd] >=20 > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES >=20 > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni > new file mode 100644 > index 000000000000..1865773b4a25 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni > @@ -0,0 +1,18 @@ > +// /** @file >=20 > +// Provides hash service by registered hash handler >=20 > +// >=20 > +// This library is Unified Hash API. It will redirect hash request to ea= ch individual >=20 > +// hash handler registered, such as SHA1, SHA256. Platform can use > PcdTpm2HashMask to >=20 > +// mask some hash engines. >=20 > +// >=20 > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved. >=20 > +// >=20 > +// SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > +// >=20 > +// **/ >=20 > + >=20 > + >=20 > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash > service by specified hash handler" >=20 > + >=20 > +#string STR_MODULE_DESCRIPTION #language en-US "This library is > Unified Hash API. It will redirect hash request to the hash handler speci= fied by > PcdSystemHashPolicy." >=20 > + >=20 > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > new file mode 100644 > index 000000000000..4d36030744bd > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > @@ -0,0 +1,52 @@ > +## @file >=20 > +# Provides hash service by registered hash handler >=20 > +# >=20 > +# This library is BaseCrypto router. It will redirect hash request to e= ach > individual >=20 > +# hash handler registered, such as SHA1, SHA256. >=20 > +# >=20 > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
>=20 > +# SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > +# >=20 > +## >=20 > + >=20 > +[Defines] >=20 > + INF_VERSION =3D 0x00010005 >=20 > + BASE_NAME =3D BaseHashLibPei >=20 > + MODULE_UNI_FILE =3D BaseHashLibPei.uni >=20 > + FILE_GUID =3D DDCBCFBA-8EEB-488a-96D6-097831A6E50= B >=20 > + MODULE_TYPE =3D PEIM >=20 > + VERSION_STRING =3D 1.0 >=20 > + LIBRARY_CLASS =3D BaseHashLib|PEIM >=20 > + CONSTRUCTOR =3D BaseHashLibApiPeiConstructor >=20 9. The same as 8 > + >=20 > +# >=20 > +# The following information is for reference only and not required by th= e build > tools. >=20 > +# >=20 > +# VALID_ARCHITECTURES =3D IA32 X64 >=20 > +# >=20 > + >=20 > +[Sources] >=20 > + BaseHashLibCommon.h >=20 > + BaseHashLibCommon.c >=20 > + BaseHashLibPei.c >=20 > + >=20 > +[Packages] >=20 > + MdePkg/MdePkg.dec >=20 > + SecurityPkg/SecurityPkg.dec >=20 > + CryptoPkg/CryptoPkg.dec >=20 > + MdeModulePkg/MdeModulePkg.dec >=20 > + >=20 > +[LibraryClasses] >=20 > + BaseLib >=20 > + BaseMemoryLib >=20 > + DebugLib >=20 > + MemoryAllocationLib >=20 > + BaseCryptLib >=20 > + PcdLib >=20 > + >=20 > +[Guids] >=20 > + ## SOMETIMES_CONSUMES ## GUID >=20 > + gZeroGuid >=20 > + >=20 > +[Pcd] >=20 > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES >=20 > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni > new file mode 100644 > index 000000000000..2131b61bd235 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni > @@ -0,0 +1,17 @@ > +// /** @file >=20 > +// Provides hash service by registered hash handler >=20 > +// >=20 > +// This library is Unified Hash API. It will redirect hash request to ea= ch individual >=20 > +// hash handler registered, such as SHA1, SHA256. >=20 > +// >=20 > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved. >=20 > +// >=20 > +// SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > +// >=20 > +// **/ >=20 > + >=20 > + >=20 > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash > service by specified hash handler" >=20 > + >=20 > +#string STR_MODULE_DESCRIPTION #language en-US "This library is > Unified Hash API. It will redirect hash request to the hash handler speci= fied by > PcdSystemHashPolicy." >=20 > + >=20 > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec > index cac36caf0a0d..e0e144124ddd 100644 > --- a/SecurityPkg/SecurityPkg.dec > +++ b/SecurityPkg/SecurityPkg.dec > @@ -5,7 +5,7 @@ > # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and l= ibrary > classes) >=20 > # and libraries instances, which are used for those features. >=20 > # >=20 > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
>=20 > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
>=20 > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
>=20 > # Copyright (c) 2017, Microsoft Corporation. All rights reserved.
>=20 > # SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > @@ -27,6 +27,10 @@ [LibraryClasses] > # >=20 > HashLib|Include/Library/HashLib.h >=20 >=20 >=20 > + ## @libraryclass Provides hash interfaces from different implementat= ions. >=20 > + # >=20 > + BaseHashLib|Include/Library/HashLib.h >=20 > + >=20 > ## @libraryclass Provides a platform specific interface to detect ph= ysically > present user. >=20 > # >=20 > PlatformSecureLib|Include/Library/PlatformSecureLib.h >=20 > @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx] > # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table. >=20 >=20 > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023 >=20 >=20 >=20 > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] >=20 > + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF im= age >=20 > + # Based on the value set, the required algorithm is chosen to verify >=20 > + # the unsigned image during Secure Boot.
>=20 > + # The hashing algorithm selected must match the hashing algorithm use= d to >=20 > + # hash the image to be added to DB using tools such as KeyEnroll.
>=20 > + # 0x00000001 - MD4.
>=20 > + # 0x00000002 - MD5.
>=20 > + # 0x00000003 - SHA1.
>=20 > + # 0x00000004 - SHA256.
>=20 > + # 0x00000005 - SHA384.
>=20 > + # 0x00000006 - SHA512.
>=20 > + # 0x00000007 - SM3_256.
>=20 > + # @Prompt Set policy for hashing unsigned image for Secure Boot. >=20 > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007 >=20 > + > gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x0001002 > 4 >=20 > + >=20 > [UserExtensions.TianoCore."ExtraFiles"] >=20 > SecurityPkgExtra.uni >=20 > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc > index a2eeadda7a7e..86a5847e2509 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc > @@ -1,7 +1,7 @@ > ## @file >=20 > # Security Module Package for All Architectures. >=20 > # >=20 > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
>=20 > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
>=20 > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
>=20 > # SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > # >=20 > @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM] >=20 > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm. > inf >=20 >=20 > Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/Pe= iTc > g2PhysicalPresenceLib.inf >=20 > RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf >=20 > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf >=20 >=20 >=20 > [LibraryClasses.common.DXE_DRIVER] >=20 > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf >=20 > @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER] >=20 > Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i > nf >=20 >=20 > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.in > f >=20 > FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.i= nf >=20 > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf >=20 >=20 >=20 > [LibraryClasses.common.UEFI_DRIVER, > LibraryClasses.common.DXE_RUNTIME_DRIVER, > LibraryClasses.common.DXE_SAL_DRIVER,] >=20 > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf >=20 > @@ -211,6 +213,12 @@ [Components] >=20 >=20 > SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf >=20 >=20 >=20 > + # >=20 > + # Unified Hash API >=20 > + # >=20 > + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf >=20 > + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf >=20 > + >=20 > # >=20 > # TCG Storage. >=20 > # >=20 > diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni > index 68587304d779..32ef97f81461 100644 > --- a/SecurityPkg/SecurityPkg.uni > +++ b/SecurityPkg/SecurityPkg.uni > @@ -5,7 +5,7 @@ > // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and l= ibrary > classes) >=20 > // and libraries instances, which are used for those features. >=20 > // >=20 > -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved. >=20 > +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved. >=20 > // >=20 > // SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > // >=20 > @@ -295,3 +295,16 @@ >=20 >=20 > #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP > #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n" >=20 > = "0 means this field is > unsupported\n" >=20 > + >=20 >=20 > + > #string > STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT > #language en-US "HASH algorithm to verify unsigned PE/COFF image" >=20 > + >=20 > +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP > #language en-US "This PCD indicates the HASH algorithm used by Unified Ha= sh > API.

\n" >=20 > + = "Based on the value set, the > required algorithm is chosen to calculate\n" >=20 > + = "the hash desired.
\n" >=20 > + = "0x00000001 - MD4.
\n" >=20 > + = "0x00000002 - MD5.
\n" >=20 > + = "0x00000003 - SHA1.
\n" >=20 > + = "0x00000004 - > SHA256.
\n" >=20 > + = "0x00000005 - > SHA384.
\n" >=20 > + = "0x00000006 - > SHA512.
\n" >=20 > + = "0x00000007 - SM3.
" >=20 > -- > 2.16.2.windows.1