From: "Wang, Jian J"
To: "devel@edk2.groups.io", "Sukerkar, Amol N"
CC: "Kinney, Michael D", "Yao, Jiewen", "Agrawal, Sachin", "Musti, Srinivas", "Lakkimsetti, Subash"
Subject: Re: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API
Date: Mon, 20 Jan 2020 17:17:05 +0000
References: <20200117223200.20504-1-amol.n.sukerkar@intel.com> <20200117223200.20504-3-amol.n.sukerkar@intel.com>
In-Reply-To: <20200117223200.20504-3-amol.n.sukerkar@intel.com>

Amol,

One general comment in advance. The switch/case statements are using the parameter HashPolicy. Since it's a local variable, not a constant, I'm not sure whether or not the compiler will optimize out the non-effective hash algorithm choices. Please double check the linked code. If not, you should not pass the value of PcdSystemHashPolicy via a parameter. Instead, you should use this PCD directly in switch/case.

See my other comments below.

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Sukerkar, > Amol N > Sent: Saturday, January 18, 2020 6:32 AM > To: devel@edk2.groups.io > Cc: Kinney, Michael D ; Yao, Jiewen > ; Wang, Jian J ; Agrawal, > Sachin ; Musti, Srinivas ; > Lakkimsetti, Subash > Subject: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement > Unified Hash Calculation API >=20 > This commit introduces a Unified Hash API to calculate hash using a > hashing algorithm specified by the PCD, PcdSystemHashPolicy. This librar= y > interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256= , > SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate > the desired hash by setting PcdSystemHashPolicy to appropriate value. >=20 > Cc: Jiewen Yao > Cc: Jian J Wang > Cc: Michael D Kinney > Signed-off-by: Sukerkar, Amol N > --- > CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c | 254 > ++++++++++++++++++++ > CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c | 100 ++++++++ > CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c | 101 ++++++++ > CryptoPkg/CryptoPkg.dec | 21 ++ > CryptoPkg/CryptoPkg.dsc | 6 +- > CryptoPkg/CryptoPkg.uni | 17 ++ > CryptoPkg/Include/Library/BaseHashLib.h | 85 +++++++ > CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h | 72 ++++++ > CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 45 ++++ > CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 17 ++ > CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf | 46 ++++ > CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni | 16 ++ > 12 files changed, 779 insertions(+), 1 deletion(-) >=20 > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c > b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c > new file mode 100644 > index 000000000000..217537566796 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c 
> @@ -0,0 +1,254 @@ > +/** @file > + Implement image verification services for secure boot service > + > + Caution: This file requires additional review when modified. > + This library will have external input - PE/COFF image. > + This external input must be validated carefully to avoid security iss= ue like > + buffer overflow, integer overflow. > + > + DxeImageVerificationLibImageRead() function will make sure the PE/COF= F > image content > + read is within the image buffer. > + > + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() > function will accept > + untrusted PE/COFF image and validate its data structure within this i= mage > buffer before use. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP
> +This program and the accompanying materials > +are licensed and made available under the terms and conditions of the B= SD > License > +which accompanies this distribution. The full text of the license may = be found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + > +**/ > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include "BaseHashLibCommon.h" > + > +/** > + Init hash sequence with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + > + @retval TRUE Hash start and HashHandle returned. > + @retval FALSE Hash Init unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashInitInternal ( > + IN UINT8 HashPolicy, > + OUT HASH_HANDLE *HashHandle > + ) > +{ > + BOOLEAN Status; > + VOID *HashCtx; > + UINTN CtxSize; > + > + switch (HashPolicy) { > + case HASH_MD4: > + CtxSize =3D Md4GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Md4Init (HashCtx); > + break; > + > + case HASH_MD5: > + CtxSize =3D Md5GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Md5Init (HashCtx); > + break; > + > + case HASH_SHA1: > + CtxSize =3D Sha1GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Sha1Init (HashCtx); > + break; > + > + case HASH_SHA256: > + CtxSize =3D Sha256GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Sha256Init (HashCtx); > + break; > + > + case HASH_SHA384: > + CtxSize =3D Sha384GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Sha384Init (HashCtx); > + break; > + > + case HASH_SHA512: > + 
CtxSize =3D Sha512GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Sha512Init (HashCtx); > + break; > + > + case HASH_SM3_256: > + CtxSize =3D Sm3GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Sm3Init (HashCtx); > + break; > + > + default: > + ASSERT (FALSE); > + break; (1) Status was not initialized before. Although there's ASSERT, still sugg= est to assign FALSE to Status for 'default' case. > + } > + > + *HashHandle =3D (HASH_HANDLE)HashCtx; > + > + return Status; > +} > + > +/** > + Update hash data with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashUpdateInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > + ) > +{ > + BOOLEAN Status; > + VOID *HashCtx; > + > + HashCtx =3D (VOID *)HashHandle; > + > + switch (HashPolicy) { > + case HASH_MD4: > + Status =3D Md4Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + case HASH_MD5: > + Status =3D Md5Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + case HASH_SHA1: > + Status =3D Sha1Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + case HASH_SHA256: > + Status =3D Sha256Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + case HASH_SHA384: > + Status =3D Sha384Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + case HASH_SHA512: > + Status =3D Sha512Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + case HASH_SM3_256: > + Status =3D Sm3Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + default: > + ASSERT (FALSE); > + break; (2) Same as (1). 
Suggest assigning FALSE to Status in 'default' case. > + } > + > + return Status; > +} > + > +/** > + Hash complete with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashFinalInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + OUT UINT8 **Digest > + ) > +{ > + BOOLEAN Status; > + VOID *HashCtx; > + UINT8 DigestData[SHA512_DIGEST_SIZE]; > + (3) Why do you need additional buffer here? The extra copy can be avoided by passing the '*Digest' to XxxFinal function below. Am I missing something here? > + HashCtx =3D (VOID *)HashHandle; > + > + switch (HashPolicy) { > + case HASH_MD4: > + Status =3D Md4Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE); > + break; > + > + case HASH_MD5: > + Status =3D Md5Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE); > + break; > + > + case HASH_SHA1: > + Status =3D Sha1Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE); > + break; > + > + case HASH_SHA256: > + Status =3D Sha256Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE); > + break; > + > + case HASH_SHA384: > + Status =3D Sha384Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE); > + break; > + > + case HASH_SHA512: > + Status =3D Sha512Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE); > + break; > + > + case HASH_SM3_256: > + Status =3D Sm3Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE); > + break; > + > + default: > + ASSERT (FALSE); > + break; (4) Same as (1) and (2) > + } > + > + FreePool (HashCtx); > + > + return Status; > +} 
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c > b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c > new file mode 100644 > index 000000000000..226c2d6a4aae > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c > @@ -0,0 +1,100 @@ > +/** @file > + This library is Unified Hash API. It will redirect hash request to > + the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA25= 6, > + SHA384 and SM3... > + > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
(5) This is new file. Start year should be 2020. > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > + > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include "BaseHashLibCommon.h" > + > +/** > + Init hash sequence. > + > + @param HashHandle Hash handle. > + > + @retval TRUE Hash start and HashHandle returned. > + @retval FALSE Hash Init unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiInit ( > + OUT HASH_HANDLE *HashHandle > +) > +{ > + BOOLEAN Status; > + UINT8 HashPolicy; > + HASH_HANDLE Handle; > + > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); > + > + Status =3D HashInitInternal (HashPolicy, &Handle); > + > + *HashHandle =3D Handle; > + > + return Status; > +} > + > +/** > + Update hash data. > + > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiUpdate ( > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > +) > +{ > + BOOLEAN Status; > + UINT8 HashPolicy; > + > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); > + > + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, > DataToHashLen); > + > + return Status; > +} > + > +/** > + Hash complete. > + > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiFinal ( > + IN HASH_HANDLE HashHandle, > + OUT UINT8 *Digest > +) > +{ > + BOOLEAN Status; > + UINT8 HashPolicy; > + > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); > + > + Status =3D HashFinalInternal (HashPolicy, &HashHandle, &Digest); > + > + return Status; > +} > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c > b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c > new file mode 100644 > index 000000000000..a9fa0d978088 
> --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c > @@ -0,0 +1,101 @@ > +/** @file > + This library is Unified Hash API. It will redirect hash request to > + the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA25= 6, > + SHA384 and SM3... > + > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
(6) This is new file. Start year should be 2020. > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include "BaseHashLibCommon.h" > + > +/** > + Init hash sequence. > + > + @param HashHandle Hash handle. > + > + @retval TRUE Hash start and HashHandle returned. > + @retval FALSE Hash Init unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiInit ( > + OUT HASH_HANDLE *HashHandle > +) > +{ > + BOOLEAN Status; > + UINT8 HashPolicy; > + HASH_HANDLE Handle; > + > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); > + > + Status =3D HashInitInternal (HashPolicy, &Handle); > + > + *HashHandle =3D Handle; > + > + return Status; > +} > + > +/** > + Update hash data. > + > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiUpdate ( > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > +) > +{ > + BOOLEAN Status; > + UINT8 HashPolicy; > + > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); > + > + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, > DataToHashLen); > + > + return Status; > +} > + > +/** > + Hash complete. > + > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiFinal ( > + IN HASH_HANDLE HashHandle, > + OUT UINT8 *Digest > +) > +{ > + BOOLEAN Status; > + UINT8 HashPolicy; > + > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); > + > + Status =3D HashFinalInternal (HashPolicy, HashHandle, &Digest); > + > + return Status; > +} > diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec > index a548ec7ddc71..9288c652f8e4 100644 > --- a/CryptoPkg/CryptoPkg.dec 
> +++ b/CryptoPkg/CryptoPkg.dec > @@ -33,10 +33,31 @@ [LibraryClasses] > ## > TlsLib|Include/Library/TlsLib.h >=20 > + ## @libraryclass Provides Unified API for different hash implementa= tions. > + # > + BaseHashLib|Include/Library/BaseHashLib.h > + > [Guids] > ## Security package token space guid. > # Include/Guid/CryptoPkgTokenSpace.h > gEfiCryptoPkgTokenSpaceGuid =3D { 0xd3fb176, 0x9569, 0x4d51, { 0= xa3, 0xef, > 0x7d, 0x61, 0xc6, 0x4f, 0xea, 0xba }} >=20 > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] > + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF i= mage > + # Based on the value set, the required algorithm is chosen to verify > + # the unsigned image during Secure Boot.
> + # The hashing algorithm selected must match the hashing algorithm us= ed to > + # hash the image to be added to DB using tools such as KeyEnroll. > + # 0x00000001 - MD4.
> + # 0x00000002 - MD5.
> + # 0x00000003 - SHA1.
> + # 0x00000004 - SHA256.
> + # 0x00000005 - SHA384.
> + # 0x00000006 - SHA512.
> + # 0x00000007 - SM3_256.
> + # @Prompt Set policy for hashing unsigned image for Secure Boot. > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007 > + > gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x00000001 > + > [UserExtensions.TianoCore."ExtraFiles"] > CryptoPkgExtra.uni > diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc > index ec43c1f0a47e..1d2956d20483 100644 > --- a/CryptoPkg/CryptoPkg.dsc > +++ b/CryptoPkg/CryptoPkg.dsc > @@ -1,7 +1,7 @@ > ## @file > # Cryptographic Library Package for UEFI Security Implementation. > # > -# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved. > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved. > # SPDX-License-Identifier: BSD-2-Clause-Patent > # > ## > @@ -62,9 +62,11 @@ [LibraryClasses.ARM] >=20 > [LibraryClasses.common.PEIM] > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > + BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf >=20 > [LibraryClasses.common.DXE_DRIVER] > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > + BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf >=20 > [LibraryClasses.common.DXE_RUNTIME_DRIVER] > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > @@ -120,6 +122,8 @@ [Components] > CryptoPkg/Library/TlsLibNull/TlsLibNull.inf > CryptoPkg/Library/OpensslLib/OpensslLib.inf > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > + CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf > + CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf >=20 > [Components.IA32, Components.X64] > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > diff --git a/CryptoPkg/CryptoPkg.uni b/CryptoPkg/CryptoPkg.uni > index beb0036ef583..ebbebed4924d 100644 > --- a/CryptoPkg/CryptoPkg.uni > +++ b/CryptoPkg/CryptoPkg.uni 
> @@ -17,3 +17,20 @@ >=20 >=20 >=20 > +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT > #language en-US "HASH algorithm to verify unsigned PE/COFF image" > + > +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP > #language en-US "This PCD indicates the HASH algorithm to verify unsigne= d > PE/COFF image.

\n" > + = "Based on the value set, the > required algorithm is chosen to verify\n" > + = "the unsigned image during > Secure Boot.
\n" > + = "The hashing algorithm > selected must match the hashing algorithm used to\n" > + = "hash the image to be added > to DB using tools such as KeyEnroll.
\n" > + = "0x00000001 - MD4.
\n" > + = "0x00000002 - MD5.
\n" > + = "0x00000003 - SHA1.
\n" > + = "0x00000004 - > SHA256.
\n" > + = "0x00000005 - > SHA384.
\n" > + = "0x00000006 - > SHA512.
\n" > + = "0x00000007 - SM3.
" > + > + > + > diff --git a/CryptoPkg/Include/Library/BaseHashLib.h > b/CryptoPkg/Include/Library/BaseHashLib.h > new file mode 100644 > index 000000000000..c07e4a9a44aa > --- /dev/null > +++ b/CryptoPkg/Include/Library/BaseHashLib.h > @@ -0,0 +1,85 @@ > +/** @file > + The internal header file includes the common header files, defines > + internal structure and functions used by ImageVerificationLib. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
> +This program and the accompanying materials > +are licensed and made available under the terms and conditions of the B= SD > License > +which accompanies this distribution. The full text of the license may = be found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + (7) License is not correct. Use the standard two-clause one. > +**/ > + > +#ifndef __BASEHASHLIB_H_ > +#define __BASEHASHLIB_H_ > + > +#include > + > +typedef UINTN HASH_HANDLE; > + > +// > +// Hash Algorithms > +// > +#define HASH_INVALID 0x00000000 > +#define HASH_MD4 0x00000001 > +#define HASH_MD5 0x00000002 > +#define HASH_SHA1 0x00000003 > +#define HASH_SHA256 0x00000004 > +#define HASH_SHA384 0x00000005 > +#define HASH_SHA512 0x00000006 > +#define HASH_SM3_256 0x00000007 > +#define HASH_MAX 0x00000008 > + > + > +/** > + Init hash sequence. > + > + @param HashHandle Hash handle. > + > + @retval TRUE Hash start and HashHandle returned. > + @retval FALSE Hash Init unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiInit ( > + OUT HASH_HANDLE *HashHandle > +); > + > +/** > + Update hash data. > + > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiUpdate ( > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > +); > + > +/** > + Hash complete. > + > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiFinal ( > + IN HASH_HANDLE HashHandle, > + OUT UINT8 *Digest > +); > + > +#endif 
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h > b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h > new file mode 100644 > index 000000000000..b022284d1a27 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h > @@ -0,0 +1,72 @@ > +/** @file > + The internal header file includes the common header files, defines > + internal structure and functions used by ImageVerificationLib. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
> +This program and the accompanying materials > +are licensed and made available under the terms and conditions of the B= SD > License > +which accompanies this distribution. The full text of the license may = be found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + > +**/ > + (8) License is not correct. Use the standard two-clause one. > +#ifndef __BASEHASHLIB_COMMON_H_ > +#define __BASEHASHLIB_COMMON_H_ > + > +/** > + Init hash sequence with Hash Algorithm specified by HashPolicy. > + > + @param HashHandle Hash handle. > + > + @retval EFI_SUCCESS Hash start and HashHandle returned. > + @retval EFI_UNSUPPORTED System has no HASH library registered. > +**/ > +BOOLEAN > +EFIAPI > +HashInitInternal ( > + IN UINT8 HashPolicy, > + OUT HASH_HANDLE *HashHandle > + ); > + > +/** > + Hash complete with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashUpdateInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > + ); > + > +/** > + Update hash data with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashFinalInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + OUT UINT8 **Digest > + ); > + > +#endif 
> diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf > b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf > new file mode 100644 > index 000000000000..732c8f0d1f47 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf > @@ -0,0 +1,45 @@ > +## @file > +# Provides hash service by registered hash handler > +# > +# This library is Base Hash Lib. It will redirect hash request to each= individual > +# hash handler registered, such as SHA1, SHA256, SHA384, SM3. > +# > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved. (9) This is new file. The start year should be this year. > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION =3D 0x00010005 > + BASE_NAME =3D BaseHashLibDxe > + MODULE_UNI_FILE =3D BaseHashLibDxe.uni > + FILE_GUID =3D 158DC712-F15A-44dc-93BB-1675045BE0= 66 > + MODULE_TYPE =3D DXE_DRIVER > + VERSION_STRING =3D 1.0 > + LIBRARY_CLASS =3D BaseHashLib|DXE_DRIVER DXE_RUNTIME= _DRIVER > DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER > + > +# > +# The following information is for reference only and not required by t= he build > tools. > +# > +# VALID_ARCHITECTURES =3D IA32 X64 > +# > + > +[Sources] > + BaseHashLibCommon.h > + BaseHashLibCommon.c > + BaseHashLibDxe.c > + > +[Packages] > + MdePkg/MdePkg.dec > + CryptoPkg/CryptoPkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + MemoryAllocationLib > + BaseCryptLib > + PcdLib > + > +[Pcd] > + gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni > b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni > new file mode 100644 > index 000000000000..53e025918828 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni 
> @@ -0,0 +1,17 @@ > +// /** @file > +// Provides hash service by registered hash handler > +// > +// This library is Unified Hash API. It will redirect hash request to e= ach individual > +// hash handler registered, such as SHA1, SHA256. Platform can use > PcdTpm2HashMask to > +// mask some hash engines. > +// > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved. > +// (10) This is new file. The start year should be this year. > +// SPDX-License-Identifier: BSD-2-Clause-Patent > +// > +// **/ > + > + > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash > service by specified hash handler" > + > +#string STR_MODULE_DESCRIPTION #language en-US "This library i= s > Unified Hash API. It will redirect hash request to the hash handler spec= ified by > PcdSystemHashPolicy." > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf > b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf > new file mode 100644 > index 000000000000..4ff23f88c1c3 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf 
> @@ -0,0 +1,46 @@ > +## @file > +# Provides hash service by registered hash handler > +# > +# This library is BaseCrypto router. It will redirect hash request to = each > individual > +# hash handler registered, such as SHA1, SHA256, SM3. > +# > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved. (11) This is new file. The start year should be this year. > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION =3D 0x00010005 > + BASE_NAME =3D BaseHashLibPei > + MODULE_UNI_FILE =3D BaseHashLibPei.uni > + FILE_GUID =3D DDCBCFBA-8EEB-488a-96D6-097831A6E5= 0B > + MODULE_TYPE =3D PEIM > + VERSION_STRING =3D 1.0 > + LIBRARY_CLASS =3D BaseHashLib|PEIM > + > +# > +# The following information is for reference only and not required by t= he build > tools. > +# > +# VALID_ARCHITECTURES =3D IA32 X64 > +# > + > +[Sources] > + BaseHashLibCommon.h > + BaseHashLibCommon.c > + BaseHashLibPei.c > + > +[Packages] > + MdePkg/MdePkg.dec > + CryptoPkg/CryptoPkg.dec > + MdeModulePkg/MdeModulePkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + MemoryAllocationLib > + BaseCryptLib > + PcdLib > + > +[Pcd] > + gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni > b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni > new file mode 100644 > index 000000000000..a1abcc1cdfa0 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni 
> @@ -0,0 +1,16 @@ > +// /** @file > +// Provides hash service by registered hash handler > +// > +// This library is Unified Hash API. It will redirect hash request to e= ach individual > +// hash handler registered, such as SHA1, SHA256. > +// > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved. (12) This is new file. The start year should be this year. > +// > +// SPDX-License-Identifier: BSD-2-Clause-Patent > +// > +// **/ > + > + > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash > service by specified hash handler" > + > +#string STR_MODULE_DESCRIPTION #language en-US "This library i= s > Unified Hash API. It will redirect hash request to the hash handler spec= ified by > PcdSystemHashPolicy." > -- > 2.16.2.windows.1 >=20 >=20 >=20
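
Review bot: In CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c, every case of HashInitInternal() handles allocation failure only with ASSERT (HashCtx != NULL). When assertions are disabled in the build, a failed AllocatePool() passes NULL straight into Md4Init(), Sha256Init() and the rest; check the pointer and return FALSE instead. The default case also leaves HashCtx uninitialized, yet it is still stored through *HashHandle after the switch, and HashFinalInternal() calls FreePool (HashCtx) even when the policy matched no case. Initialize HashCtx to NULL and return early on an unknown policy. The file header still describes PE/COFF image verification (DxeImageVerificationHandler(), HashPeImage()), none of which is in this file.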
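
Review bot: In BaseHashLibDxe.c, HashApiFinal() calls HashFinalInternal (HashPolicy, &HashHandle, &Digest), but the prototype in BaseHashLibCommon.h takes IN HASH_HANDLE HashHandle by value and BaseHashLibPei.c passes HashHandle without the &. If the compiler accepts the conversion, the context handed to the XxxFinal() routine and then to FreePool() is the address of the local parameter rather than the context returned by HashApiInit(). Drop the & so the DXE and PEI paths match.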
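
Review bot: HashApiUpdate() and HashApiFinal() in BaseHashLibPei.c (and the same functions in BaseHashLibDxe.c) call PcdGet8 (PcdSystemHashPolicy) again on every call instead of using the algorithm the context was created with in HashApiInit(). The CryptoPkg.dec hunk declares the PCD under PcdsDynamic and PcdsDynamicEx as well, so the value can differ between calls, and a context sized and initialized for one algorithm would then be passed to another algorithm's Update or Final routine. Record the algorithm at init time alongside the context (for example in a small structure behind the handle) and dispatch on that stored value.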
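
Review bot: In the CryptoPkg.dec hunk, @ValidRange 0x00000001 - 0x00000007 accepts MD4, MD5 and SHA1 for what the comment describes as verifying unsigned images during Secure Boot. MD4 and MD5 have practical collision attacks and SHA1 collisions have been demonstrated, so a platform that sets this PCD to 1-3 weakens the image check. Consider limiting the valid range to the SHA256 and later values, or document why the weaker algorithms must remain selectable. The values are also written as 32-bit constants while the token is declared UINT8.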
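
Review bot: HashApiFinal() in CryptoPkg/Include/Library/BaseHashLib.h takes OUT UINT8 *Digest with no buffer length, and the header gives callers no way to learn how large the digest is for the configured PcdSystemHashPolicy. HashFinalInternal() copies up to SHA512_DIGEST_SIZE bytes, so a caller that sized its buffer for SHA256 is overrun when the platform selects SHA384 or SHA512. Add a digest-size parameter or a query function for the active algorithm, and state the required buffer size in the function comment. The @file description also still refers to internals of ImageVerificationLib although this is the public library class header.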
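
Review bot: In BaseHashLibCommon.h the function comments do not match the prototypes they sit above: the "Hash complete" comment (with @param Digest) precedes HashUpdateInternal(), and the "Update hash data" comment (with @param DataToHash) precedes HashFinalInternal(). The HashInitInternal() comment also omits @param HashPolicy and lists @retval EFI_SUCCESS and EFI_UNSUPPORTED for a function that returns BOOLEAN. Swap the two comments and use the TRUE/FALSE wording from BaseHashLibCommon.c.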
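
Review bot: The header comment in BaseHashLibDxe.uni says "Platform can use PcdTpm2HashMask to mask some hash engines", but the [Pcd] section of BaseHashLibDxe.inf consumes only PcdSystemHashPolicy and nothing in the library reads a mask. The same comment, and the one in BaseHashLibDxe.inf, describes redirecting to "each individual hash handler registered", while the code selects a single algorithm from the PCD. Reword these descriptions to match STR_MODULE_DESCRIPTION, which already describes the PCD-based selection.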