From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <chao.b.zhang@intel.com>
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 3DA1F820A5
 for <edk2-devel@lists.01.org>; Sun, 26 Feb 2017 21:47:30 -0800 (PST)
Received: from fmsmga006.fm.intel.com ([10.253.24.20])
 by fmsmga105.fm.intel.com with ESMTP; 26 Feb 2017 21:47:29 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.35,212,1484035200"; d="scan'208";a="70505696"
Received: from fmsmsx107.amr.corp.intel.com ([10.18.124.205])
 by fmsmga006.fm.intel.com with ESMTP; 26 Feb 2017 21:47:29 -0800
Received: from FMSMSX110.amr.corp.intel.com (10.18.116.10) by
 fmsmsx107.amr.corp.intel.com (10.18.124.205) with Microsoft SMTP Server (TLS)
 id 14.3.248.2; Sun, 26 Feb 2017 21:47:29 -0800
Received: from shsmsx152.ccr.corp.intel.com (10.239.6.52) by
 fmsmsx110.amr.corp.intel.com (10.18.116.10) with Microsoft SMTP Server (TLS)
 id 14.3.248.2; Sun, 26 Feb 2017 21:47:29 -0800
Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.88]) by
 SHSMSX152.ccr.corp.intel.com ([169.254.6.132]) with mapi id 14.03.0248.002;
 Mon, 27 Feb 2017 13:47:26 +0800
From: "Zhang, Chao B" <chao.b.zhang@intel.com>
To: "Zhang, Lubo" <lubo.zhang@intel.com>, "edk2-devel@lists.01.org"
 <edk2-devel@lists.01.org>
CC: "Yao, Jiewen" <jiewen.yao@intel.com>, "Long, Qin" <qin.long@intel.com>
Thread-Topic: [edk2] [PATCH v2] SecurityPkg: Fix potential bug in Security
 Boot dxe.
Thread-Index: AQHSjOpRKBSNoX2wBUCHfIYCch6YUaF8YAiQ
Date: Mon, 27 Feb 2017 05:47:26 +0000
Message-ID: <FF72C7E4248F3C4E9BDF19D4918E90F249508D7D@shsmsx102.ccr.corp.intel.com>
References: <1487754072-7252-1-git-send-email-lubo.zhang@intel.com>
In-Reply-To: <1487754072-7252-1-git-send-email-lubo.zhang@intel.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: [PATCH v2] SecurityPkg: Fix potential bug in Security Boot dxe.
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2017 05:47:30 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Zhang Chao <chao.b.zhang@intel.com>

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhan=
g Lubo
Sent: Wednesday, February 22, 2017 5:01 PM
To: edk2-devel@lists.01.org
Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.c=
om>; Long, Qin <qin.long@intel.com>
Subject: [edk2] [PATCH v2] SecurityPkg: Fix potential bug in Security Boot =
dxe.

v2: update hash value in SecureBootConfig.vfr to keep them consistent with =
macro definition in SecureBootConfigImpl.h

since we removed the sha-1 definition in Hash table and related macro, but =
the macro definition HashAlg index may be value 4 which is exceed the range=
 of the Hash table array.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo <lubo.zhang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
---
 .../SecureBootConfigDxe/SecureBootConfig.vfr                 | 10 +++++---=
--
 .../SecureBootConfigDxe/SecureBootConfigImpl.h               | 12 ++++++--=
----
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo=
otConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secure=
BootConfig.vfr
index 02ddf4a..6f46d91 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
g.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo
+++ nfig.vfr
@@ -457,17 +457,17 @@ formset
=20
     oneof name =3D SignatureFormatInDbx,
           varid       =3D SECUREBOOT_CONFIGURATION.CertificateFormat,
           prompt      =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT),
           help        =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP),
-          option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256),=
 value =3D 0x2, flags =3D DEFAULT;
-          option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384),=
 value =3D 0x3, flags =3D 0;
-          option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512),=
 value =3D 0x4, flags =3D 0;
-          option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), va=
lue =3D 0x5, flags =3D 0;
+          option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256),=
 value =3D 0x1, flags =3D DEFAULT;
+          option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384),=
 value =3D 0x2, flags =3D 0;
+          option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512),=
 value =3D 0x3, flags =3D 0;
+          option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW),=20
+ value =3D 0x4, flags =3D 0;
     endoneof;
=20
-    suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat =3D=3D 5=
;
+    suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat =3D=3D 4=
;
         checkbox varid  =3D SECUREBOOT_CONFIGURATION.AlwaysRevocation,
                prompt =3D STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_P=
ROMPT),
                help   =3D STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_H=
ELP),
                flags  =3D INTERACTIVE,
         endcheckbox;
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo=
otConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu=
reBootConfigImpl.h
index bea9470..58030c4 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi=
gImpl.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo
+++ nfigImpl.h
@@ -89,16 +89,16 @@ extern  EFI_IFR_GUID_LABEL         *mEndLabel;
 #define WIN_CERT_UEFI_RSA2048_SIZE               256
=20
 //
 // Support hash types
 //
-#define HASHALG_SHA224                         0x00000001
-#define HASHALG_SHA256                         0x00000002
-#define HASHALG_SHA384                         0x00000003
-#define HASHALG_SHA512                         0x00000004
-#define HASHALG_RAW                            0x00000005
-#define HASHALG_MAX                            0x00000005
+#define HASHALG_SHA224                         0x00000000
+#define HASHALG_SHA256                         0x00000001
+#define HASHALG_SHA384                         0x00000002
+#define HASHALG_SHA512                         0x00000003
+#define HASHALG_RAW                            0x00000004
+#define HASHALG_MAX                            0x00000004
=20
=20
 typedef struct {
   UINTN             Signature;
   LIST_ENTRY        Head;
--
1.9.5.msysgit.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel