From: "Zhang, Chao B"
To: "Zeng, Star", "edk2-devel@lists.01.org"
CC: "Yao, Jiewen"
Date: Thu, 26 Jan 2017 05:14:15 +0000
In-Reply-To: <1485252410-17656-1-git-send-email-star.zeng@intel.com>
Subject: Re: [PATCH] SecurityPkg HashLibRouter: Avoid incorrect PcdTcg2HashAlgorithmBitmap

Star:
The patch is good to me.
Reviewed-by: Chao Zhang

-----Original Message-----
From: Zeng, Star
Sent: Tuesday, January 24, 2017 6:07 PM
To: edk2-devel@lists.01.org
Cc: Zeng, Star; Yao, Jiewen; Zhang, Chao B
Subject: [PATCH] SecurityPkg HashLibRouter: Avoid incorrect PcdTcg2HashAlgorithmBitmap

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=244

Currently, when software HashLib (HashLibBaseCryptoRouter) and related HashInstanceLib instances are used, PcdTcg2HashAlgorithmBitmap is expected to be configured to 0 in platform dsc.
But PcdTcg2HashAlgorithmBitmap has default value 0xFFFFFFFF in SecurityPkg.dec, and some platforms forget to configure it to 0 or still configure it to 0xFFFFFFFF in platform dsc, that will make final PcdTcg2HashAlgorithmBitmap value incorrect.

This patch is to add CONSTRUCTOR in HashLib (HashLibBaseCryptoRouter) and PcdTcg2HashAlgorithmBitmap will be set to 0 in the CONSTRUCTOR.

Current HASH_LIB_PEI_ROUTER_GUID HOB created in HashLibBaseCryptoRouterPei is shared between modules that links HashLibBaseCryptoRouterPei.
To avoid mutual interference, separated HASH_LIB_PEI_ROUTER_GUID HOBs with gEfiCallerIdGuid Identifier will be created for those modules.

This patch is also to add check in HashLib (HashLibBaseCryptoRouter) for the mismatch of supported HashMask between modules that may link different HashInstanceLib instances, warning will be reported if mismatch is found.

Cc: Yao Jiewen
Cc: Chao Zhang
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng
---
 .../HashLibBaseCryptoRouterDxe.c   |  80 ++++++++-
 .../HashLibBaseCryptoRouterDxe.inf |   3 +-
 .../HashLibBaseCryptoRouterPei.c   | 190 +++++++++++++++++----
 .../HashLibBaseCryptoRouterPei.inf |   8 +-
 SecurityPkg/SecurityPkg.dec        |   4 +
 SecurityPkg/SecurityPkg.uni        |   8 +-
 6 files changed, 254 insertions(+), 39 deletions(-)

diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerDxe.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerDxe.c index 3250c3a01a0c..4775cfee2d7a 100644 --- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDx= e.c +++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRoute +++ rDxe.c @@ -3,7 +3,7 @@ hash handler registerd, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to mask some hash engines. =20 -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at @@ -28,6 +28,= 30 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR = IMPLIED. HASH_INTERFACE mHashInterface[HASH_COUNT] =3D {{{0}, NULL, NULL, NULL}}; UINTN mHashInterfaceCount =3D 0; =20 +UINT32 mSupportedHashMaskLast =3D 0; +UINT32 mSupportedHashMaskCurrent =3D 0; + +/** + Check mismatch of supported HashMask between modules + that may link different HashInstanceLib instances. + +**/ +VOID +CheckSupportedHashMaskMismatch ( + VOID + ) +{ + if (mSupportedHashMaskCurrent !=3D mSupportedHashMaskLast) { + DEBUG (( + DEBUG_WARN, + "WARNING: There is mismatch of supported HashMask (0x%x - 0x%x) betw= een modules\n", + mSupportedHashMaskCurrent, + mSupportedHashMaskLast + )); + DEBUG ((DEBUG_WARN, "that are linking different HashInstanceLib=20 +instances!\n")); + } +} + /** Start hash sequence. =20 @@ -50,6 +74,8 @@ HashStart ( return EFI_UNSUPPORTED; } =20 + CheckSupportedHashMaskMismatch (); + HashCtx =3D AllocatePool (sizeof(*HashCtx) * mHashInterfaceCount); ASSERT (HashCtx !=3D NULL); =20 @@ -90,6 +116,8 @@ HashUpdate ( return EFI_UNSUPPORTED; } =20 + CheckSupportedHashMaskMismatch (); + HashCtx =3D (HASH_HANDLE *)HashHandle; =20 for (Index =3D 0; Index < mHashInterfaceCount; Index++) { @@ -133,6 +161= ,8 @@ HashCompleteAndExtend ( return EFI_UNSUPPORTED; } =20 + CheckSupportedHashMaskMismatch (); + HashCtx =3D (HASH_HANDLE *)HashHandle; ZeroMem (DigestList, sizeof(*DigestList)); =20 @@ -180,6 +210,8 @@ HashAndExtend ( return EFI_UNSUPPORTED; } =20 + CheckSupportedHashMaskMismatch (); + HashStart (&HashHandle); HashUpdate (HashHandle, DataToHash, DataToHashLen); Status =3D HashCompleteAndExtend (HashHandle, PcrIndex, NULL, 0, DigestL= ist); 
@@ -204,7 +236,6 @@ RegisterHashInterfaceLib ( { UINTN Index; UINT32 HashMask; - UINT32 BiosSupportedHashMask; EFI_STATUS Status; =20 // 
@@ -218,21 +249,58 @@ RegisterHashInterfaceLib ( if (mHashInterfaceCount >=3D sizeof(mHashInterface)/sizeof(mHashInterfac= e[0])) { return EFI_OUT_OF_RESOURCES; } - BiosSupportedHashMask =3D PcdGet32 (PcdTcg2HashAlgorithmBitmap); - Status =3D PcdSet32S (PcdTcg2HashAlgorithmBitmap, BiosSupportedHashMask = | HashMask); - ASSERT_EFI_ERROR (Status); =20 // // Check duplication // for (Index =3D 0; Index < mHashInterfaceCount; Index++) { if (CompareGuid (&mHashInterface[Index].HashGuid, &HashInterface->Hash= Guid)) { + DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been=20 + registered\n")); return EFI_ALREADY_STARTED; } } =20 + // + // Record hash algorithm bitmap of CURRENT module which consumes HashLib= . + // + mSupportedHashMaskCurrent =3D PcdGet32 (PcdTcg2HashAlgorithmBitmap) |=20 + HashMask; Status =3D PcdSet32S (PcdTcg2HashAlgorithmBitmap,=20 + mSupportedHashMaskCurrent); ASSERT_EFI_ERROR (Status); + CopyMem (&mHashInterface[mHashInterfaceCount], HashInterface, sizeof(*Ha= shInterface)); mHashInterfaceCount ++; =20 return EFI_SUCCESS; -} \ No newline at end of file +} + +/** + The constructor function of HashLibBaseCryptoRouterDxe. + =20 + @param ImageHandle The firmware allocated handle for the EFI image. + @param SystemTable A pointer to the EFI System Table. + =20 + @retval EFI_SUCCESS The constructor executed correctly. + +**/ +EFI_STATUS +EFIAPI +HashLibBaseCryptoRouterDxeConstructor ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + + // + // Record hash algorithm bitmap of LAST module which also consumes HashL= ib. + // + mSupportedHashMaskLast =3D PcdGet32 (PcdTcg2HashAlgorithmBitmap); + + // + // Set PcdTcg2HashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module= . + // + Status =3D PcdSet32S (PcdTcg2HashAlgorithmBitmap, 0); ASSERT_EFI_ERROR= =20 + (Status); + + return EFI_SUCCESS; +} 
diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerDxe.inf b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCrypt= oRouterDxe.inf index c4e40d47d998..6e660d4f14f8 100644 --- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDx= e.inf +++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRoute +++ rDxe.inf @@ -5,7 +5,7 @@ # hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2= HashMask to # mask some hash engines. # -# Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+# Copyright (c) 2013 - 2017, Intel Corporation. All rights=20 +reserved.
# This program and the accompanying materials # are licensed and made ava= ilable under the terms and conditions of the BSD License # which accompani= es this distribution. The full text of the license may be found at @@ -23,6= +23,7 @@ [Defines] MODULE_TYPE =3D DXE_DRIVER VERSION_STRING =3D 1.0 LIBRARY_CLASS =3D HashLib|DXE_DRIVER DXE_RUNTIME_DRIVER= DXE_SAL_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER=20 + CONSTRUCTOR =3D HashLibBaseCryptoRouterDxeConstructor =20 # # The following information is for reference only and not required by the = build tools. diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerPei.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerPei.c index a4fc0c6595d8..3ed56f337942 100644 --- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPe= i.c +++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRoute +++ rPei.c @@ -3,7 +3,7 @@ hash handler registerd, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to mask some hash engines. =20 -Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at @@ -23,6 +23,= 7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR I= MPLIED. #include #include #include +#include =20 #include "HashLibBaseCryptoRouterCommon.h" =20 
@@ -32,27 +33,95 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH= ER EXPRESS OR IMPLIED. EFI_GUID mHashLibPeiRouterGuid =3D HASH_LIB_PEI_ROUTER_GUID; =20 typedef struct { + // + // If gZeroGuid, SupportedHashMask is 0 for FIRST module which consumes = HashLib + // or the hash algorithm bitmap of LAST module which consumes HashLib. + // HashInterfaceCount and HashInterface are all 0. + // If gEfiCallerIdGuid, HashInterfaceCount, HashInterface and SupportedH= ashMask + // are the hash interface information of CURRENT module which consumes= HashLib. + // + EFI_GUID Identifier; UINTN HashInterfaceCount; HASH_INTERFACE HashInterface[HASH_COUNT]; + UINT32 SupportedHashMask; } HASH_INTERFACE_HOB; =20 /** - This function get hash interface. + This function gets hash interface hob. + + @param Identifier Identifier to get hash interface hob. + + @retval hash interface hob. +**/ +HASH_INTERFACE_HOB * +InternalGetHashInterfaceHob ( + EFI_GUID *Identifier + ) +{ + EFI_PEI_HOB_POINTERS Hob; + HASH_INTERFACE_HOB *HashInterfaceHob; + + Hob.Raw =3D GetFirstGuidHob (&mHashLibPeiRouterGuid); + while (Hob.Raw !=3D NULL) { + HashInterfaceHob =3D GET_GUID_HOB_DATA (Hob); + if (CompareGuid (&HashInterfaceHob->Identifier, Identifier)) { + // + // Found the matched one. + // + return HashInterfaceHob; + } + Hob.Raw =3D GET_NEXT_HOB (Hob); + Hob.Raw =3D GetNextGuidHob (&mHashLibPeiRouterGuid, Hob.Raw); + } + return NULL; +} + +/** + This function creates hash interface hob. =20 - @retval hash interface. + @param Identifier Identifier to create hash interface hob. + + @retval hash interface hob. 
**/ HASH_INTERFACE_HOB * -InternalGetHashInterface ( - VOID +InternalCreateHashInterfaceHob ( + EFI_GUID *Identifier ) { - EFI_HOB_GUID_TYPE *Hob; + HASH_INTERFACE_HOB LocalHashInterfaceHob; + + ZeroMem (&LocalHashInterfaceHob, sizeof(LocalHashInterfaceHob)); + CopyGuid (&LocalHashInterfaceHob.Identifier, Identifier); + return BuildGuidDataHob (&mHashLibPeiRouterGuid,=20 +&LocalHashInterfaceHob, sizeof(LocalHashInterfaceHob)); } =20 - Hob =3D GetFirstGuidHob (&mHashLibPeiRouterGuid); - if (Hob =3D=3D NULL) { - return NULL; +/** + Check mismatch of supported HashMask between modules + that may link different HashInstanceLib instances. + + @param HashInterfaceHobCurrent Pointer to hash interface hob for CURR= ENT module. + +**/ +VOID +CheckSupportedHashMaskMismatch ( + IN HASH_INTERFACE_HOB *HashInterfaceHobCurrent + ) +{ + HASH_INTERFACE_HOB *HashInterfaceHobLast; + + HashInterfaceHobLast =3D InternalGetHashInterfaceHob (&gZeroGuid); =20 + ASSERT (HashInterfaceHobLast !=3D NULL); + + if ((HashInterfaceHobLast->SupportedHashMask !=3D 0) && + (HashInterfaceHobCurrent->SupportedHashMask !=3D HashInterfaceHobLas= t->SupportedHashMask)) { + DEBUG (( + DEBUG_WARN, + "WARNING: There is mismatch of supported HashMask (0x%x - 0x%x) betw= een modules\n", + HashInterfaceHobCurrent->SupportedHashMask, + HashInterfaceHobLast->SupportedHashMask + )); + DEBUG ((DEBUG_WARN, "that are linking different HashInstanceLib=20 + instances!\n")); } - return (HASH_INTERFACE_HOB *)(Hob + 1); } =20 /** @@ -74,7 +143,7 @@ HashStart ( UINTN Index; UINT32 HashMask; =20 - HashInterfaceHob =3D InternalGetHashInterface (); + HashInterfaceHob =3D InternalGetHashInterfaceHob (&gEfiCallerIdGuid); if (HashInterfaceHob =3D=3D NULL) { return EFI_UNSUPPORTED; } @@ -83,6 +152,8 @@ HashStart ( return EFI_UNSUPPORTED; } =20 + CheckSupportedHashMaskMismatch (HashInterfaceHob); + HashCtx =3D AllocatePool (sizeof(*HashCtx) * HashInterfaceHob->HashInter= faceCount); ASSERT (HashCtx !=3D NULL); =20 
@@ -120,7 +191,7 @@ HashUpdate ( UINTN Index; UINT32 HashMask; =20 - HashInterfaceHob =3D InternalGetHashInterface (); + HashInterfaceHob =3D InternalGetHashInterfaceHob (&gEfiCallerIdGuid); if (HashInterfaceHob =3D=3D NULL) { return EFI_UNSUPPORTED; } @@ -129,6 +200,8 @@ HashUpdate ( return EFI_UNSUPPORTED; } =20 + CheckSupportedHashMaskMismatch (HashInterfaceHob); + HashCtx =3D (HASH_HANDLE *)HashHandle; =20 for (Index =3D 0; Index < HashInterfaceHob->HashInterfaceCount; Index++)= { @@ -169,7 +242,7 @@ HashCompleteAndExtend ( EFI_STATUS Status; UINT32 HashMask; =20 - HashInterfaceHob =3D InternalGetHashInterface (); + HashInterfaceHob =3D InternalGetHashInterfaceHob (&gEfiCallerIdGuid); if (HashInterfaceHob =3D=3D NULL) { return EFI_UNSUPPORTED; } @@ -178,6 +251,8 @@ HashCompleteAndExtend ( return EFI_UNSUPPORTED; } =20 + CheckSupportedHashMaskMismatch (HashInterfaceHob); + HashCtx =3D (HASH_HANDLE *)HashHandle; ZeroMem (DigestList, sizeof(*DigestList)); =20 @@ -222,7 +297,7 @@ HashAndExtend ( HASH_HANDLE HashHandle; EFI_STATUS Status; =20 - HashInterfaceHob =3D InternalGetHashInterface (); + HashInterfaceHob =3D InternalGetHashInterfaceHob (&gEfiCallerIdGuid); if (HashInterfaceHob =3D=3D NULL) { return EFI_UNSUPPORTED; } @@ -231,6 +306,8 @@ HashAndExtend ( return EFI_UNSUPPORTED; } =20 + CheckSupportedHashMaskMismatch (HashInterfaceHob); + HashStart (&HashHandle); HashUpdate (HashHandle, DataToHash, DataToHashLen); Status =3D HashCompleteAndExtend (HashHandle, PcrIndex, NULL, 0, DigestL= ist); @@ -255,9 +332,7 @@ RegisterHashInterfaceLib ( { UINTN Index; HASH_INTERFACE_HOB *HashInterfaceHob; - HASH_INTERFACE_HOB LocalHashInterfaceHob; UINT32 HashMask; - UINT32 BiosSupportedHashMask; EFI_STATUS Status; =20 // 
@@ -268,10 +343,9 @@ RegisterHashInterfaceLib ( return EFI_UNSUPPORTED; } =20 - HashInterfaceHob =3D InternalGetHashInterface (); + HashInterfaceHob =3D InternalGetHashInterfaceHob (&gEfiCallerIdGuid); if (HashInterfaceHob =3D=3D NULL) { - ZeroMem (&LocalHashInterfaceHob, sizeof(LocalHashInterfaceHob)); - HashInterfaceHob =3D BuildGuidDataHob (&mHashLibPeiRouterGuid, &LocalH= ashInterfaceHob, sizeof(LocalHashInterfaceHob)); + HashInterfaceHob =3D InternalCreateHashInterfaceHob=20 + (&gEfiCallerIdGuid); if (HashInterfaceHob =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } 
@@ -280,26 +354,84 @@ RegisterHashInterfaceLib ( if (HashInterfaceHob->HashInterfaceCount >=3D HASH_COUNT) { return EFI_OUT_OF_RESOURCES; } - BiosSupportedHashMask =3D PcdGet32 (PcdTcg2HashAlgorithmBitmap); - Status =3D PcdSet32S (PcdTcg2HashAlgorithmBitmap, BiosSupportedHashMask = | HashMask); - ASSERT_EFI_ERROR (Status); =20 // // Check duplication // for (Index =3D 0; Index < HashInterfaceHob->HashInterfaceCount; Index++)= { if (CompareGuid (&HashInterfaceHob->HashInterface[Index].HashGuid, &Ha= shInterface->HashGuid)) { - // - // In PEI phase, there will be shadow driver dispatched again. - // - DEBUG ((EFI_D_INFO, "RegisterHashInterfaceLib - Override\n")); - CopyMem (&HashInterfaceHob->HashInterface[Index], HashInterface, siz= eof(*HashInterface)); - return EFI_SUCCESS; + DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been registered\n")); + return EFI_ALREADY_STARTED; } } =20 + // + // Record hash algorithm bitmap of CURRENT module which consumes HashLib= . + // + HashInterfaceHob->SupportedHashMask =3D PcdGet32=20 + (PcdTcg2HashAlgorithmBitmap) | HashMask; Status =3D PcdSet32S=20 + (PcdTcg2HashAlgorithmBitmap, HashInterfaceHob->SupportedHashMask); + ASSERT_EFI_ERROR (Status); + CopyMem (&HashInterfaceHob->HashInterface[HashInterfaceHob->HashInterfac= eCount], HashInterface, sizeof(*HashInterface)); HashInterfaceHob->HashInterfaceCount ++; =20 return EFI_SUCCESS; -} \ No newline at end of file +} + +/** + The constructor function of HashLibBaseCryptoRouterPei. + + @param FileHandle The handle of FFS header the loaded driver. + @param PeiServices The pointer to the PEI services. + + @retval EFI_SUCCESS The constructor executes successfully. + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constr= uctor. 
+ +**/ +EFI_STATUS +EFIAPI +HashLibBaseCryptoRouterPeiConstructor ( + IN EFI_PEI_FILE_HANDLE FileHandle, + IN CONST EFI_PEI_SERVICES **PeiServices + ) +{ + EFI_STATUS Status; + HASH_INTERFACE_HOB *HashInterfaceHob; + + HashInterfaceHob =3D InternalGetHashInterfaceHob (&gZeroGuid); if=20 + (HashInterfaceHob =3D=3D NULL) { + // + // No HOB with gZeroGuid Identifier has been created, + // this is FIRST module which consumes HashLib. + // Create the HOB with gZeroGuid Identifier. + // + HashInterfaceHob =3D InternalCreateHashInterfaceHob (&gZeroGuid); + if (HashInterfaceHob =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + } else { + // + // Record hash algorithm bitmap of LAST module which also consumes Has= hLib. + // + HashInterfaceHob->SupportedHashMask =3D PcdGet32=20 + (PcdTcg2HashAlgorithmBitmap); } + + HashInterfaceHob =3D InternalGetHashInterfaceHob (&gEfiCallerIdGuid); =20 + if (HashInterfaceHob !=3D NULL) { + // + // In PEI phase, some modules may call RegisterForShadow and will be + // shadowed and executed again after memory is discovered. + // This is the second execution of this module, clear the hash interfa= ce + // information registered at its first execution. + // + ZeroMem (&HashInterfaceHob->HashInterface, sizeof=20 + (*HashInterfaceHob) - sizeof (EFI_GUID)); } + + // + // Set PcdTcg2HashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module= . + // + Status =3D PcdSet32S (PcdTcg2HashAlgorithmBitmap, 0); ASSERT_EFI_ERROR= =20 + (Status); + + return EFI_SUCCESS; +} diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerPei.inf b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCrypt= oRouterPei.inf index f5ca5d4635d8..eebf90e2ef40 100644 --- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPe= i.inf +++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRoute +++ rPei.inf 
@@ -5,7 +5,7 @@ # hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2= HashMask to # mask some hash engines. # -# Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+# Copyright (c) 2013 - 2017, Intel Corporation. All rights=20 +reserved.
# This program and the accompanying materials # are licensed and made ava= ilable under the terms and conditions of the BSD License # which accompani= es this distribution. The full text of the license may be found at @@ -23,6= +23,7 @@ [Defines] MODULE_TYPE =3D PEIM VERSION_STRING =3D 1.0 LIBRARY_CLASS =3D HashLib|PEIM + CONSTRUCTOR =3D HashLibBaseCryptoRouterPeiConstructor =20 # # The following information is for reference only and not required by the = build tools. @@ -38,6 +39,7 @@ [Sources] [Packages] MdePkg/MdePkg.dec SecurityPkg/SecurityPkg.dec + MdeModulePkg/MdeModulePkg.dec =20 [LibraryClasses] BaseLib @@ -48,6 +50,10 @@ [LibraryClasses] PcdLib HobLib =20 +[Guids] + ## CONSUMES ## GUID + gZeroGuid + [Pcd] gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES ## SOMETIMES_CONSUMES diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec inde= x 0c64d25b0cbc..88154611ae9c 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -458,6 +458,10 @@ [PcdsDynamic, PcdsDynamicEx] ## This PCD indicated final BIOS supported Hash mask. # Bios may choose to register a subset of PcdTpm2HashMask. # So this PCD is final value of how many hash algo is extended to PCR= . + # If software HashLib(HashLibBaseCryptoRouter) solution is chosen,=20 + this PCD # has no need to be configured in platform dsc and will be=20 + set to correct # value by the HashLib instance according to the=20 + HashInstanceLib instances # linked, and the value of this PCD should be = got in module entrypoint. # @Prompt Hash Algorithm bitmap. gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0xFFFFFFFF|UINT= 32|0x00010016 =20 diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni inde= x 17d36c0d6014..126351624056 100644 --- a/SecurityPkg/SecurityPkg.uni +++ b/SecurityPkg/SecurityPkg.uni 
@@ -191,7 +191,11 @@ =20 #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcg2HashAlgorithmBitmap_HELP = #language en-US "This PCD indicated final BIOS supported Hash mask.\n" = "Bios may choose to register a subset of PcdTpm2HashMask.\= n" - = "So this PCD is final value of how many hash algo is exten= ded to PCR." + = "So this PCD is final value of how many hash algo is exten= ded to PCR.\n" + = "If software HashLib(HashLibBaseCryptoRouter) solution is = chosen, this PCD\n" + = "has no need to be configured in platform dsc and will be = set to correct\n" + = "value by the HashLib instance according to the HashInstan= ceLib instances\n" + = "linked, and the value of this PCD should be got in module= entrypoint." =20 #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcgLogAreaMinLen_PROMPT #lan= guage en-US "Minimum length(in bytes) of the system preboot TCG event log a= rea(LAML)." =20 @@ -233,4 +237,4 @@ #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableRev_HELP #langu= age en-US "This PCD defines initial revision of TPM2 ACPI table\n" = "To support configuring from setup page, this PCD can be DynamicH= ii type and map to a setup option.
\n" = "For example, map to TCG2_VERSION.Tpm2AcpiTableRev to be configur= ed by Tcg2ConfigDxe driver.
\n" - = "gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L\"TCG2_VERSIO= N\"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
" \ No newline at end of file + = "gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L\"TCG2_VERSIO= N\"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
" -- 2.7.0.windows.1