From: "Sukerkar, Amol N" <amol.n.sukerkar@intel.com>
To: "Kinney, Michael D" <michael.d.kinney@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
"Agrawal, Sachin" <sachin.agrawal@intel.com>,
"Musti, Srinivas" <srinivas.musti@intel.com>,
"Lakkimsetti, Subash" <subash.lakkimsetti@intel.com>,
"Sukerkar, Amol N" <amol.n.sukerkar@intel.com>
Subject: Re: [PATCH v3 0/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
Date: Thu, 16 Jan 2020 00:47:36 +0000 [thread overview]
Message-ID: <MWHPR11MB0064B17FADF1A22B0861D972AC360@MWHPR11MB0064.namprd11.prod.outlook.com> (raw)
In-Reply-To: <E92EE9817A31E24EB0585FDF735412F5B9E5EAF0@ORSMSX113.amr.corp.intel.com>
Hi Mike,
This design does not implement any registration. The hashing algorithm is selected from the array index specified by PcdSystemHashPolicy value, just like switch..case, based on recommendation by Jian. Are you referring to the document attached to Bugzilla ticket mentioned below? I plan to update it as soon as we agree on the final design. Apologies if it was misleading today.
The reason this lib was added to SecurityPkg and not CryptoPkg was done because the decision to choose hashing algorithm is based on PCD, PcdSystemHashPolicy. CryptoPkg only provides API for accessing specific hashing algorithm and there is no mechanism to choose, as there is no precedent to using a PCD in CryptoPkg and it does not look like that needs to change. On the other hand, we actually do have API support in SecurityPkg (HashInstanceLib). Our design provides similar API support, although, it is much simpler and does not involve registration as in HashInstanceLib. Do you still think this lib should be implemented in CryptoPkg? If yes, how do you propose the user choose the desired hashing mechanism?
Thanks,
Amol
-----Original Message-----
From: Kinney, Michael D <michael.d.kinney@intel.com>
Sent: Wednesday, January 15, 2020 4:52 PM
To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@intel.com>
Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>; Lakkimsetti, Subash <subash.lakkimsetti@intel.com>
Subject: RE: [PATCH v3 0/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
Amol,
I still think the handle based registration is too complex for this feature.
I recommend a simpler lib design and add it to CryptoPkg instead of SecurityPkg. Providing a different method to access the hashing functions in BaseCryptLib is not a Security feature, it is a Crypto feature.
Thanks,
Mike
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Wednesday, January 15, 2020 2:57 PM
> To: devel@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal,
> Sachin <sachin.agrawal@intel.com>; Musti, Srinivas
> <srinivas.musti@intel.com>; Lakkimsetti, Subash
> <subash.lakkimsetti@intel.com>
> Subject: [PATCH v3 0/1] SecurityPkg/BaseHashLib:
> Implement Unified Hash Calculation API
>
> Currently, the UEFI drivers using the SHA/SM3 hashing algorithms use
> hard-coded API to calculate the hash, for instance, sha_256(...), etc.
> Since SHA384 and/or
> SM3_256 are being increasingly adopted for robustness, it becomes
> cumbersome to modify each driver that calls into hash calculating API.
>
> To better achieve this, we are proposing a Unified API, which can be
> used by UEFI drivers, that provides the drivers with flexibility to
> use the desired hashing algorithm based on the required robnustness.
>
> Alternatively, the design document is also attached to Bugzilla,
> https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
>
> Sukerkar, Amol N (1):
> SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
>
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c |
> 151 ++++++++++++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c |
> 100 +++++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c |
> 103 +++++++++++++
> SecurityPkg/Include/Library/BaseHashLib.h |
> 85 +++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h |
> 141 ++++++++++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf |
> 46 ++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni |
> 17 +++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf |
> 51 +++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni |
> 16 +++
> SecurityPkg/SecurityPkg.dec |
> 23 ++-
> SecurityPkg/SecurityPkg.dsc |
> 10 +-
> SecurityPkg/SecurityPkg.uni |
> 15 +-
> 12 files changed, 755 insertions(+), 3 deletions(-) create mode
> 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> create mode 100644
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> create mode 100644
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> create mode 100644
> SecurityPkg/Include/Library/BaseHashLib.h
> create mode 100644
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> create mode 100644
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> create mode 100644
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> create mode 100644
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> create mode 100644
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
>
> --
> 2.16.2.windows.1
next prev parent reply other threads:[~2020-01-16 0:47 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-15 22:57 [PATCH v3 0/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API Sukerkar, Amol N
2020-01-15 22:57 ` [PATCH v3 1/1] " Sukerkar, Amol N
2020-01-15 23:52 ` [PATCH v3 0/1] " Michael D Kinney
2020-01-16 0:47 ` Sukerkar, Amol N [this message]
2020-01-16 0:55 ` Michael D Kinney
2020-01-16 2:14 ` Wang, Jian J
2020-01-16 4:25 ` Sukerkar, Amol N
2020-01-17 3:49 ` Sukerkar, Amol N
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MWHPR11MB0064B17FADF1A22B0861D972AC360@MWHPR11MB0064.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox