* [PATCH v2 0/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
@ 2020-01-14 15:41 Sukerkar, Amol N
2020-01-14 15:41 ` [PATCH v2 1/1] " Sukerkar, Amol N
0 siblings, 1 reply; 12+ messages in thread
From: Sukerkar, Amol N @ 2020-01-14 15:41 UTC (permalink / raw)
To: devel
Cc: michael.d.kinney, jiewen.yao, jian.j.wang, sachin.agrawal,
srinivas.musti
Currently, the UEFI drivers using the SHA/SM3 hashing algorithms use hard-coded
API to calculate the hash, for instance, sha_256(...), etc. Since SHA384 and/or
SM3_256 are being increasingly adopted for robustness, it becomes cumbersome to
modify each driver that calls into hash calculating API.
To better achieve this, we are proposing a Unified API, which can be used by UEFI
drivers, that provides the drivers with flexibility to use the desired hashing
algorithm based on the required robnustness.
Alternatively, the design document is also attached to Bugzilla,
https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
Sukerkar, Amol N (1):
SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252 ++++++++++++++++++++
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
SecurityPkg/SecurityPkg.dec | 23 +-
SecurityPkg/SecurityPkg.dsc | 10 +-
SecurityPkg/SecurityPkg.uni | 15 +-
12 files changed, 833 insertions(+), 3 deletions(-)
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
create mode 100644 SecurityPkg/Include/Library/BaseHashLib.h
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
create mode 100644 SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
--
2.16.2.windows.1
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
2020-01-14 15:41 [PATCH v2 0/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API Sukerkar, Amol N
@ 2020-01-14 15:41 ` Sukerkar, Amol N
2020-01-15 3:13 ` Wang, Jian J
0 siblings, 1 reply; 12+ messages in thread
From: Sukerkar, Amol N @ 2020-01-14 15:41 UTC (permalink / raw)
To: devel
Cc: michael.d.kinney, jiewen.yao, jian.j.wang, sachin.agrawal,
srinivas.musti
This commit introduces a Unified Hash API to calculate hash using a
hashing algorithm specified by the PCD, PcdSystemHashPolicy. This library
interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate the
desired hash by setting PcdSystemHashPolicy to appropriate value.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
---
Notes:
v2:
- Fixed the commit message format
SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252 ++++++++++++++++++++
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
SecurityPkg/SecurityPkg.dec | 23 +-
SecurityPkg/SecurityPkg.dsc | 10 +-
SecurityPkg/SecurityPkg.uni | 15 +-
12 files changed, 833 insertions(+), 3 deletions(-)
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
new file mode 100644
index 000000000000..f8742e55b5f7
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
@@ -0,0 +1,252 @@
+/** @file
+ Implement image verification services for secure boot service
+
+ Caution: This file requires additional review when modified.
+ This library will have external input - PE/COFF image.
+ This external input must be validated carefully to avoid security issue like
+ buffer overflow, integer overflow.
+
+ DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
+ untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/BaseCryptLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/BaseHashLib.h>
+
+/**
+ Init hash sequence with Hash Algorithm specified by HashPolicy.
+
+ @param HashPolicy Hash Algorithm Policy.
+ @param HashHandle Hash handle.
+
+ @retval TRUE Hash start and HashHandle returned.
+ @retval FALSE Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashInitInternal (
+ IN UINT8 HashPolicy,
+ OUT HASH_HANDLE *HashHandle
+ )
+{
+ BOOLEAN Status;
+ VOID *HashCtx;
+ UINTN CtxSize;
+
+ switch (HashPolicy) {
+ case HASH_MD4:
+ CtxSize = Md4GetContextSize ();
+ HashCtx = AllocatePool (CtxSize);
+ ASSERT (HashCtx != NULL);
+
+ Status = Md4Init (HashCtx);
+ break;
+
+ case HASH_MD5:
+ CtxSize = Md5GetContextSize ();
+ HashCtx = AllocatePool (CtxSize);
+ ASSERT (HashCtx != NULL);
+
+ Status = Md5Init (HashCtx);
+ break;
+
+ case HASH_SHA1:
+ CtxSize = Sha1GetContextSize ();
+ HashCtx = AllocatePool (CtxSize);
+ ASSERT (HashCtx != NULL);
+
+ Status = Sha1Init (HashCtx);
+ break;
+
+ case HASH_SHA256:
+ CtxSize = Sha256GetContextSize ();
+ HashCtx = AllocatePool (CtxSize);
+ ASSERT (HashCtx != NULL);
+
+ Status = Sha256Init (HashCtx);
+ break;
+
+ case HASH_SHA384:
+ CtxSize = Sha384GetContextSize ();
+ HashCtx = AllocatePool (CtxSize);
+ ASSERT (HashCtx != NULL);
+
+ Status = Sha384Init (HashCtx);
+ break;
+
+ case HASH_SHA512:
+ CtxSize = Sha512GetContextSize ();
+ HashCtx = AllocatePool (CtxSize);
+ ASSERT (HashCtx != NULL);
+
+ Status = Sha512Init (HashCtx);
+ break;
+
+ case HASH_SM3_256:
+ CtxSize = Sm3GetContextSize ();
+ HashCtx = AllocatePool (CtxSize);
+ ASSERT (HashCtx != NULL);
+
+ Status = Sm3Init (HashCtx);
+ break;
+
+ default:
+ ASSERT (FALSE);
+ break;
+ }
+
+ *HashHandle = (HASH_HANDLE)HashCtx;
+
+ return Status;
+}
+
+/**
+ Update hash data with Hash Algorithm specified by HashPolicy.
+
+ @param HashPolicy Hash Algorithm Policy.
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval TRUE Hash updated.
+ @retval FALSE Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashUpdateInternal (
+ IN UINT8 HashPolicy,
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+ )
+{
+ BOOLEAN Status;
+ VOID *HashCtx;
+
+ HashCtx = (VOID *)HashHandle;
+
+ switch (HashPolicy) {
+ case HASH_MD4:
+ Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
+ break;
+
+ case HASH_MD5:
+ Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
+ break;
+
+ case HASH_SHA1:
+ Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
+ break;
+
+ case HASH_SHA256:
+ Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
+ break;
+
+ case HASH_SHA384:
+ Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
+ break;
+
+ case HASH_SHA512:
+ Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
+ break;
+
+ case HASH_SM3_256:
+ Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
+ break;
+
+ default:
+ ASSERT (FALSE);
+ break;
+ }
+
+ return Status;
+}
+
+/**
+ Hash complete with Hash Algorithm specified by HashPolicy.
+
+ @param HashPolicy Hash Algorithm Policy.
+ @param HashHandle Hash handle.
+ @param Digest Hash Digest.
+
+ @retval TRUE Hash complete and Digest is returned.
+ @retval FALSE Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashFinalInternal (
+ IN UINT8 HashPolicy,
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 **Digest
+ )
+{
+ BOOLEAN Status;
+ VOID *HashCtx;
+ UINT8 DigestData[SHA512_DIGEST_SIZE];
+
+ HashCtx = (VOID *)HashHandle;
+
+ switch (HashPolicy) {
+ case HASH_MD4:
+ Status = Md4Final (HashCtx, DigestData);
+ CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
+ break;
+
+ case HASH_MD5:
+ Status = Md5Final (HashCtx, DigestData);
+ CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
+ break;
+
+ case HASH_SHA1:
+ Status = Sha1Final (HashCtx, DigestData);
+ CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
+ break;
+
+ case HASH_SHA256:
+ Status = Sha256Final (HashCtx, DigestData);
+ CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
+ break;
+
+ case HASH_SHA384:
+ Status = Sha384Final (HashCtx, DigestData);
+ CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
+ break;
+
+ case HASH_SHA512:
+ Status = Sha512Final (HashCtx, DigestData);
+ CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
+ break;
+
+ case HASH_SM3_256:
+ Status = Sm3Final (HashCtx, DigestData);
+ CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
+ break;
+
+ default:
+ ASSERT (FALSE);
+ break;
+ }
+
+ FreePool (HashCtx);
+
+ return Status;
+}
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
new file mode 100644
index 000000000000..ea22cfe16e2f
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
@@ -0,0 +1,122 @@
+/** @file
+ This library is Unified Hash API. It will redirect hash request to
+ the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256,
+ SHA384 and SM3...
+
+Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/BaseHashLib.h>
+
+#include "BaseHashLibCommon.h"
+
+/**
+ Init hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval TRUE Hash start and HashHandle returned.
+ @retval FALSE Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+ OUT HASH_HANDLE *HashHandle
+)
+{
+ BOOLEAN Status;
+ UINT8 HashPolicy;
+ HASH_HANDLE Handle;
+
+ HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+ Status = HashInitInternal (HashPolicy, &Handle);
+
+ *HashHandle = Handle;
+
+ return Status;
+}
+
+/**
+ Update hash data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval TRUE Hash updated.
+ @retval FALSE Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+)
+{
+ BOOLEAN Status;
+ UINT8 HashPolicy;
+
+ HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+ Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash, DataToHashLen);
+
+ return Status;
+}
+
+/**
+ Hash complete.
+
+ @param HashHandle Hash handle.
+ @param Digest Hash Digest.
+
+ @retval TRUE Hash complete and Digest is returned.
+ @retval FALSE Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 *Digest
+)
+{
+ BOOLEAN Status;
+ UINT8 HashPolicy;
+
+ HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+ Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
+
+ return Status;
+}
+
+/**
+ The constructor function of BaseHashLib Dxe.
+
+ @param FileHandle The handle of FFS header the loaded driver.
+ @param PeiServices The pointer to the PEI services.
+
+ @retval EFI_SUCCESS The constructor executes successfully.
+ @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constructor.
+
+**/
+EFI_STATUS
+EFIAPI
+BaseHashLibApiDxeConstructor (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n"));
+
+ return EFI_SUCCESS;
+}
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
new file mode 100644
index 000000000000..580ac21fc1d9
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
@@ -0,0 +1,125 @@
+/** @file
+ This library is Unified Hash API. It will redirect hash request to
+ the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256,
+ SHA384 and SM3...
+
+Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashLib.h>
+#include <Library/HobLib.h>
+#include <Guid/ZeroGuid.h>
+
+#include <Library/BaseHashLib.h>
+#include "BaseHashLibCommon.h"
+
+/**
+ Init hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval TRUE Hash start and HashHandle returned.
+ @retval FALSE Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+ OUT HASH_HANDLE *HashHandle
+)
+{
+ BOOLEAN Status;
+ UINT8 HashPolicy;
+ HASH_HANDLE Handle;
+
+ HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+ Status = HashInitInternal (HashPolicy, &Handle);
+
+ *HashHandle = Handle;
+
+ return Status;
+}
+
+/**
+ Update hash data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval TRUE Hash updated.
+ @retval FALSE Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+)
+{
+ BOOLEAN Status;
+ UINT8 HashPolicy;
+
+ HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+ Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash, DataToHashLen);
+
+ return Status;
+}
+
+/**
+ Hash complete.
+
+ @param HashHandle Hash handle.
+ @param Digest Hash Digest.
+
+ @retval TRUE Hash complete and Digest is returned.
+ @retval FALSE Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 *Digest
+)
+{
+ BOOLEAN Status;
+ UINT8 HashPolicy;
+
+ HashPolicy = PcdGet8 (PcdSystemHashPolicy);
+
+ Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
+
+ return Status;
+}
+
+/**
+ The constructor function of BaseHashLib Pei.
+
+ @param FileHandle The handle of FFS header the loaded driver.
+ @param PeiServices The pointer to the PEI services.
+
+ @retval EFI_SUCCESS The constructor executes successfully.
+ @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constructor.
+
+**/
+EFI_STATUS
+EFIAPI
+BaseHashLibApiPeiConstructor (
+ IN EFI_PEI_FILE_HANDLE FileHandle,
+ IN CONST EFI_PEI_SERVICES **PeiServices
+ )
+{
+ DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n"));
+
+ return EFI_SUCCESS;
+}
\ No newline at end of file
diff --git a/SecurityPkg/Include/Library/BaseHashLib.h b/SecurityPkg/Include/Library/BaseHashLib.h
new file mode 100644
index 000000000000..e1883fe7ce41
--- /dev/null
+++ b/SecurityPkg/Include/Library/BaseHashLib.h
@@ -0,0 +1,84 @@
+/** @file
+ The internal header file includes the common header files, defines
+ internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_H_
+#define __BASEHASHLIB_H_
+
+#include <Uefi.h>
+#include <Protocol/Hash.h>
+#include <Library/HashLib.h>
+
+//
+// Hash Algorithms
+//
+#define HASH_DEFAULT 0x00000000
+#define HASH_MD4 0x00000001
+#define HASH_MD5 0x00000002
+#define HASH_SHA1 0x00000003
+#define HASH_SHA256 0x00000004
+#define HASH_SHA384 0x00000005
+#define HASH_SHA512 0x00000006
+#define HASH_SM3_256 0x00000007
+
+
+/**
+ Init hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval TRUE Hash start and HashHandle returned.
+ @retval FALSE Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+ OUT HASH_HANDLE *HashHandle
+);
+
+/**
+ Update hash data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval TRUE Hash updated.
+ @retval FALSE Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+);
+
+/**
+ Hash complete.
+
+ @param HashHandle Hash handle.
+ @param Digest Hash Digest.
+
+ @retval TRUE Hash complete and Digest is returned.
+ @retval FALSE Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 *Digest
+);
+
+#endif
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
new file mode 100644
index 000000000000..776b74ad753b
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
@@ -0,0 +1,71 @@
+/** @file
+ The internal header file includes the common header files, defines
+ internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_COMMON_H_
+#define __BASEHASHLIB_COMMON_H_
+
+/**
+ Init hash sequence with Hash Algorithm specified by HashPolicy.
+
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash start and HashHandle returned.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+BOOLEAN
+EFIAPI
+HashInitInternal (
+ IN UINT8 HashPolicy,
+ OUT HASH_HANDLE *HashHandle
+ );
+
+/**
+ Hash complete with Hash Algorithm specified by HashPolicy.
+
+ @param HashPolicy Hash Algorithm Policy.
+ @param HashHandle Hash handle.
+ @param Digest Hash Digest.
+
+ @retval TRUE Hash complete and Digest is returned.
+ @retval FALSE Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashUpdateInternal (
+ IN UINT8 HashPolicy,
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+ );
+
+/**
+ Update hash data with Hash Algorithm specified by HashPolicy.
+
+ @param HashPolicy Hash Algorithm Policy.
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval TRUE Hash updated.
+ @retval FALSE Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashFinalInternal (
+ IN UINT8 HashPolicy,
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 **Digest
+ );
+#endif
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
new file mode 100644
index 000000000000..f97bda06108f
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
@@ -0,0 +1,47 @@
+## @file
+# Provides hash service by registered hash handler
+#
+# This library is Base Hash Lib. It will redirect hash request to each individual
+# hash handler registered, such as SHA1, SHA256, SHA384, SM3.
+#
+# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = BaseHashLibDxe
+ MODULE_UNI_FILE = BaseHashLibDxe.uni
+ FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+ CONSTRUCTOR = BaseHashLibApiDxeConstructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ BaseHashLibCommon.h
+ BaseHashLibCommon.c
+ BaseHashLibDxe.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ CryptoPkg/CryptoPkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ BaseCryptLib
+ PcdLib
+
+[Pcd]
+ gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
new file mode 100644
index 000000000000..1865773b4a25
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
@@ -0,0 +1,18 @@
+// /** @file
+// Provides hash service by registered hash handler
+//
+// This library is Unified Hash API. It will redirect hash request to each individual
+// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to
+// mask some hash engines.
+//
+// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides hash service by specified hash handler"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This library is Unified Hash API. It will redirect hash request to the hash handler specified by PcdSystemHashPolicy."
+
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
new file mode 100644
index 000000000000..4d36030744bd
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
@@ -0,0 +1,52 @@
+## @file
+# Provides hash service by registered hash handler
+#
+# This library is BaseCrypto router. It will redirect hash request to each individual
+# hash handler registered, such as SHA1, SHA256.
+#
+# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = BaseHashLibPei
+ MODULE_UNI_FILE = BaseHashLibPei.uni
+ FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
+ MODULE_TYPE = PEIM
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = BaseHashLib|PEIM
+ CONSTRUCTOR = BaseHashLibApiPeiConstructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ BaseHashLibCommon.h
+ BaseHashLibCommon.c
+ BaseHashLibPei.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ CryptoPkg/CryptoPkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ BaseCryptLib
+ PcdLib
+
+[Guids]
+ ## SOMETIMES_CONSUMES ## GUID
+ gZeroGuid
+
+[Pcd]
+ gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
new file mode 100644
index 000000000000..2131b61bd235
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
@@ -0,0 +1,17 @@
+// /** @file
+// Provides hash service by registered hash handler
+//
+// This library is Unified Hash API. It will redirect hash request to each individual
+// hash handler registered, such as SHA1, SHA256.
+//
+// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides hash service by specified hash handler"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This library is Unified Hash API. It will redirect hash request to the hash handler specified by PcdSystemHashPolicy."
+
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index cac36caf0a0d..e0e144124ddd 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -5,7 +5,7 @@
# It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library classes)
# and libraries instances, which are used for those features.
#
-# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
# (C) Copyright 2015 Hewlett Packard Enterprise Development LP <BR>
# Copyright (c) 2017, Microsoft Corporation. All rights reserved. <BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -27,6 +27,10 @@ [LibraryClasses]
#
HashLib|Include/Library/HashLib.h
+ ## @libraryclass Provides hash interfaces from different implementations.
+ #
+ BaseHashLib|Include/Library/HashLib.h
+
## @libraryclass Provides a platform specific interface to detect physically present user.
#
PlatformSecureLib|Include/Library/PlatformSecureLib.h
@@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx]
# @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023
+[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+ ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF image
+ # Based on the value set, the required algorithm is chosen to verify
+ # the unsigned image during Secure Boot.<BR>
+ # The hashing algorithm selected must match the hashing algorithm used to
+ # hash the image to be added to DB using tools such as KeyEnroll.<BR>
+ # 0x00000001 - MD4.<BR>
+ # 0x00000002 - MD5.<BR>
+ # 0x00000003 - SHA1.<BR>
+ # 0x00000004 - SHA256.<BR>
+ # 0x00000005 - SHA384.<BR>
+ # 0x00000006 - SHA512.<BR>
+ # 0x00000007 - SM3_256.<BR>
+ # @Prompt Set policy for hashing unsigned image for Secure Boot.
+ # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
+ gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x00010024
+
[UserExtensions.TianoCore."ExtraFiles"]
SecurityPkgExtra.uni
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index a2eeadda7a7e..86a5847e2509 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -1,7 +1,7 @@
## @file
# Security Module Package for All Architectures.
#
-# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
# (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.inf
RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
+ BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
[LibraryClasses.common.DXE_DRIVER]
HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
@@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER]
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
+ BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
[LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.DXE_SAL_DRIVER,]
HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
@@ -211,6 +213,12 @@ [Components]
SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
+ #
+ # Unified Hash API
+ #
+ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
+ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
+
#
# TCG Storage.
#
diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni
index 68587304d779..32ef97f81461 100644
--- a/SecurityPkg/SecurityPkg.uni
+++ b/SecurityPkg/SecurityPkg.uni
@@ -5,7 +5,7 @@
// It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library classes)
// and libraries instances, which are used for those features.
//
-// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
//
// SPDX-License-Identifier: BSD-2-Clause-Patent
//
@@ -295,3 +295,16 @@
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
"0 means this field is unsupported\n"
+
+ #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT #language en-US "HASH algorithm to verify unsigned PE/COFF image"
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP #language en-US "This PCD indicates the HASH algorithm used by Unified Hash API.<BR><BR>\n"
+ "Based on the value set, the required algorithm is chosen to calculate\n"
+ "the hash desired.<BR>\n"
+ "0x00000001 - MD4.<BR>\n"
+ "0x00000002 - MD5.<BR>\n"
+ "0x00000003 - SHA1.<BR>\n"
+ "0x00000004 - SHA256.<BR>\n"
+ "0x00000005 - SHA384.<BR>\n"
+ "0x00000006 - SHA512.<BR>\n"
+ "0x00000007 - SM3.<BR>"
--
2.16.2.windows.1
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
2020-01-14 15:41 ` [PATCH v2 1/1] " Sukerkar, Amol N
@ 2020-01-15 3:13 ` Wang, Jian J
2020-01-15 3:47 ` [edk2-devel] " Liming Gao
2020-01-15 20:13 ` Sukerkar, Amol N
0 siblings, 2 replies; 12+ messages in thread
From: Wang, Jian J @ 2020-01-15 3:13 UTC (permalink / raw)
To: Sukerkar, Amol N, devel@edk2.groups.io
Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas
Amol,
1. Your patch doesn't support hashing more than one algorithm at the same time.
Is this on purpose? Sorry I don't remember the conclusion in last discussion.
2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h.
You can use BaseTools\Scripts\PatchCheck.py to check it before sending patch.
See my other comments below.
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Tuesday, January 14, 2020 11:41 PM
> To: devel@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal,
> Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
> Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash
> Calculation API
>
> This commit introduces a Unified Hash API to calculate hash using a
> hashing algorithm specified by the PCD, PcdSystemHashPolicy. This library
> interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
> SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate the
> desired hash by setting PcdSystemHashPolicy to appropriate value.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> ---
>
> Notes:
> v2:
> - Fixed the commit message format
>
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252
> ++++++++++++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
> SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
> SecurityPkg/SecurityPkg.dec | 23 +-
> SecurityPkg/SecurityPkg.dsc | 10 +-
> SecurityPkg/SecurityPkg.uni | 15 +-
> 12 files changed, 833 insertions(+), 3 deletions(-)
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> new file mode 100644
> index 000000000000..f8742e55b5f7
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> @@ -0,0 +1,252 @@
> +/** @file
>
> + Implement image verification services for secure boot service
>
> +
>
> + Caution: This file requires additional review when modified.
>
> + This library will have external input - PE/COFF image.
>
> + This external input must be validated carefully to avoid security issue like
>
> + buffer overflow, integer overflow.
>
> +
>
> + DxeImageVerificationLibImageRead() function will make sure the PE/COFF
> image content
>
> + read is within the image buffer.
>
> +
>
> + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage()
> function will accept
>
> + untrusted PE/COFF image and validate its data structure within this image
> buffer before use.
>
> +
>
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
>
> +This program and the accompanying materials
>
> +are licensed and made available under the terms and conditions of the BSD
> License
>
> +which accompanies this distribution. The full text of the license may be found
> at
>
> +http://opensource.org/licenses/bsd-license.php
>
> +
>
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
>
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
>
> +
>
> +**/
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/BaseCryptLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/BaseHashLib.h>
>
> +
>
> +/**
>
> + Init hash sequence with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashInitInternal (
>
> + IN UINT8 HashPolicy,
>
> + OUT HASH_HANDLE *HashHandle
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> + UINTN CtxSize;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + CtxSize = Md4GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Md4Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + CtxSize = Md5GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Md5Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + CtxSize = Sha1GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha1Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + CtxSize = Sha256GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha256Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + CtxSize = Sha384GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha384Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + CtxSize = Sha512GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha512Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + CtxSize = Sm3GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sm3Init (HashCtx);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
> + }
>
> +
3. Instead of switch..case, using a global array to defines all supported interfaces
would be more efficient, since you can value of PcdSystemHashPolicy to index
them directly.
>
> + *HashHandle = (HASH_HANDLE)HashCtx;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashUpdateInternal (
>
> + IN UINT8 HashPolicy,
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> +
>
> + HashCtx = (VOID *)HashHandle;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
> + }
>
4. The same as 3
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashFinalInternal (
>
> + IN UINT8 HashPolicy,
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 **Digest
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> + UINT8 DigestData[SHA512_DIGEST_SIZE];
>
> +
>
> + HashCtx = (VOID *)HashHandle;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + Status = Md4Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + Status = Md5Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + Status = Sha1Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + Status = Sha256Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + Status = Sha384Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + Status = Sha512Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + Status = Sm3Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
5. The same as 3
> + }
>
> +
>
> + FreePool (HashCtx);
>
> +
>
> + return Status;
>
> +}
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> new file mode 100644
> index 000000000000..ea22cfe16e2f
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> @@ -0,0 +1,122 @@
> +/** @file
>
> + This library is Unified Hash API. It will redirect hash request to
>
> + the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256,
>
> + SHA384 and SM3...
>
> +
>
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/BaseHashLib.h>
>
> +
>
> +#include "BaseHashLibCommon.h"
>
> +
>
> +/**
>
> + Init hash sequence.
>
> +
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiInit (
>
> + OUT HASH_HANDLE *HashHandle
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> + HASH_HANDLE Handle;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashInitInternal (HashPolicy, &Handle);
>
> +
>
> + *HashHandle = Handle;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiUpdate (
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiFinal (
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 *Digest
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + The constructor function of BaseHashLib Dxe.
>
> +
>
> + @param FileHandle The handle of FFS header the loaded driver.
>
> + @param PeiServices The pointer to the PEI services.
>
> +
>
> + @retval EFI_SUCCESS The constructor executes successfully.
>
> + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> constructor.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +BaseHashLibApiDxeConstructor (
>
> + IN EFI_HANDLE ImageHandle,
>
> + IN EFI_SYSTEM_TABLE *SystemTable
>
> + )
>
> +{
>
> + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n"));
>
> +
>
> + return EFI_SUCCESS;
>
> +}
6. Constructor is not necessary if you don't have anything to do with it.
You can remove it from inf file and here.
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> new file mode 100644
> index 000000000000..580ac21fc1d9
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> @@ -0,0 +1,125 @@
> +/** @file
>
> + This library is Unified Hash API. It will redirect hash request to
>
> + the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256,
>
> + SHA384 and SM3...
>
> +
>
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. <BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/HashLib.h>
>
> +#include <Library/HobLib.h>
>
> +#include <Guid/ZeroGuid.h>
>
> +
>
> +#include <Library/BaseHashLib.h>
>
> +#include "BaseHashLibCommon.h"
>
> +
>
> +/**
>
> + Init hash sequence.
>
> +
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiInit (
>
> + OUT HASH_HANDLE *HashHandle
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> + HASH_HANDLE Handle;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashInitInternal (HashPolicy, &Handle);
>
> +
>
> + *HashHandle = Handle;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiUpdate (
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiFinal (
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 *Digest
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + The constructor function of BaseHashLib Pei.
>
> +
>
> + @param FileHandle The handle of FFS header the loaded driver.
>
> + @param PeiServices The pointer to the PEI services.
>
> +
>
> + @retval EFI_SUCCESS The constructor executes successfully.
>
> + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> constructor.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +BaseHashLibApiPeiConstructor (
>
> + IN EFI_PEI_FILE_HANDLE FileHandle,
>
> + IN CONST EFI_PEI_SERVICES **PeiServices
>
> + )
>
> +{
>
> + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n"));
>
> +
>
> + return EFI_SUCCESS;
>
> +}
7. The same as 6
> \ No newline at end of file
> diff --git a/SecurityPkg/Include/Library/BaseHashLib.h
> b/SecurityPkg/Include/Library/BaseHashLib.h
> new file mode 100644
> index 000000000000..e1883fe7ce41
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/BaseHashLib.h
> @@ -0,0 +1,84 @@
> +/** @file
> + The internal header file includes the common header files, defines
> + internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +
> +#ifndef __BASEHASHLIB_H_
> +#define __BASEHASHLIB_H_
> +
> +#include <Uefi.h>
> +#include <Protocol/Hash.h>
> +#include <Library/HashLib.h>
> +
> +//
> +// Hash Algorithms
> +//
> +#define HASH_DEFAULT 0x00000000
> +#define HASH_MD4 0x00000001
> +#define HASH_MD5 0x00000002
> +#define HASH_SHA1 0x00000003
> +#define HASH_SHA256 0x00000004
> +#define HASH_SHA384 0x00000005
> +#define HASH_SHA512 0x00000006
> +#define HASH_SM3_256 0x00000007
> +
> +
> +/**
> + Init hash sequence.
> +
> + @param HashHandle Hash handle.
> +
> + @retval TRUE Hash start and HashHandle returned.
> + @retval FALSE Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> + OUT HASH_HANDLE *HashHandle
> +);
> +
> +/**
> + Update hash data.
> +
> + @param HashHandle Hash handle.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> + IN HASH_HANDLE HashHandle,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> +);
> +
> +/**
> + Hash complete.
> +
> + @param HashHandle Hash handle.
> + @param Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> + IN HASH_HANDLE HashHandle,
> + OUT UINT8 *Digest
> +);
> +
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> new file mode 100644
> index 000000000000..776b74ad753b
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> @@ -0,0 +1,71 @@
> +/** @file
> + The internal header file includes the common header files, defines
> + internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> +This program and the accompanying materials
> +are licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +
> +#ifndef __BASEHASHLIB_COMMON_H_
> +#define __BASEHASHLIB_COMMON_H_
> +
> +/**
> + Init hash sequence with Hash Algorithm specified by HashPolicy.
> +
> + @param HashHandle Hash handle.
> +
> + @retval EFI_SUCCESS Hash start and HashHandle returned.
> + @retval EFI_UNSUPPORTED System has no HASH library registered.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashInitInternal (
> + IN UINT8 HashPolicy,
> + OUT HASH_HANDLE *HashHandle
> + );
> +
> +/**
> + Hash complete with Hash Algorithm specified by HashPolicy.
> +
> + @param HashPolicy Hash Algorithm Policy.
> + @param HashHandle Hash handle.
> + @param Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashUpdateInternal (
> + IN UINT8 HashPolicy,
> + IN HASH_HANDLE HashHandle,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> + );
> +
> +/**
> + Update hash data with Hash Algorithm specified by HashPolicy.
> +
> + @param HashPolicy Hash Algorithm Policy.
> + @param HashHandle Hash handle.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashFinalInternal (
> + IN UINT8 HashPolicy,
> + IN HASH_HANDLE HashHandle,
> + OUT UINT8 **Digest
> + );
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> new file mode 100644
> index 000000000000..f97bda06108f
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> @@ -0,0 +1,47 @@
> +## @file
>
> +# Provides hash service by registered hash handler
>
> +#
>
> +# This library is Base Hash Lib. It will redirect hash request to each individual
>
> +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.
>
> +#
>
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +##
>
> +
>
> +[Defines]
>
> + INF_VERSION = 0x00010005
>
> + BASE_NAME = BaseHashLibDxe
>
> + MODULE_UNI_FILE = BaseHashLibDxe.uni
>
> + FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
>
> + MODULE_TYPE = DXE_DRIVER
>
> + VERSION_STRING = 1.0
>
> + LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
>
> + CONSTRUCTOR = BaseHashLibApiDxeConstructor
8. Since the above function is actually empty, you can remove above line and
function in c file.
>
> +
>
> +#
>
> +# The following information is for reference only and not required by the build
> tools.
>
> +#
>
> +# VALID_ARCHITECTURES = IA32 X64
>
> +#
>
> +
>
> +[Sources]
>
> + BaseHashLibCommon.h
>
> + BaseHashLibCommon.c
>
> + BaseHashLibDxe.c
>
> +
>
> +[Packages]
>
> + MdePkg/MdePkg.dec
>
> + CryptoPkg/CryptoPkg.dec
>
> + SecurityPkg/SecurityPkg.dec
>
> +
>
> +[LibraryClasses]
>
> + BaseLib
>
> + BaseMemoryLib
>
> + DebugLib
>
> + MemoryAllocationLib
>
> + BaseCryptLib
>
> + PcdLib
>
> +
>
> +[Pcd]
>
> + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> new file mode 100644
> index 000000000000..1865773b4a25
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> @@ -0,0 +1,18 @@
> +// /** @file
>
> +// Provides hash service by registered hash handler
>
> +//
>
> +// This library is Unified Hash API. It will redirect hash request to each individual
>
> +// hash handler registered, such as SHA1, SHA256. Platform can use
> PcdTpm2HashMask to
>
> +// mask some hash engines.
>
> +//
>
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
>
> +//
>
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +//
>
> +// **/
>
> +
>
> +
>
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
>
> +
>
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler specified by
> PcdSystemHashPolicy."
>
> +
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> new file mode 100644
> index 000000000000..4d36030744bd
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> @@ -0,0 +1,52 @@
> +## @file
>
> +# Provides hash service by registered hash handler
>
> +#
>
> +# This library is BaseCrypto router. It will redirect hash request to each
> individual
>
> +# hash handler registered, such as SHA1, SHA256.
>
> +#
>
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +##
>
> +
>
> +[Defines]
>
> + INF_VERSION = 0x00010005
>
> + BASE_NAME = BaseHashLibPei
>
> + MODULE_UNI_FILE = BaseHashLibPei.uni
>
> + FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
>
> + MODULE_TYPE = PEIM
>
> + VERSION_STRING = 1.0
>
> + LIBRARY_CLASS = BaseHashLib|PEIM
>
> + CONSTRUCTOR = BaseHashLibApiPeiConstructor
>
9. The same as 8
> +
>
> +#
>
> +# The following information is for reference only and not required by the build
> tools.
>
> +#
>
> +# VALID_ARCHITECTURES = IA32 X64
>
> +#
>
> +
>
> +[Sources]
>
> + BaseHashLibCommon.h
>
> + BaseHashLibCommon.c
>
> + BaseHashLibPei.c
>
> +
>
> +[Packages]
>
> + MdePkg/MdePkg.dec
>
> + SecurityPkg/SecurityPkg.dec
>
> + CryptoPkg/CryptoPkg.dec
>
> + MdeModulePkg/MdeModulePkg.dec
>
> +
>
> +[LibraryClasses]
>
> + BaseLib
>
> + BaseMemoryLib
>
> + DebugLib
>
> + MemoryAllocationLib
>
> + BaseCryptLib
>
> + PcdLib
>
> +
>
> +[Guids]
>
> + ## SOMETIMES_CONSUMES ## GUID
>
> + gZeroGuid
>
> +
>
> +[Pcd]
>
> + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> new file mode 100644
> index 000000000000..2131b61bd235
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> @@ -0,0 +1,17 @@
> +// /** @file
>
> +// Provides hash service by registered hash handler
>
> +//
>
> +// This library is Unified Hash API. It will redirect hash request to each individual
>
> +// hash handler registered, such as SHA1, SHA256.
>
> +//
>
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.<BR>
>
> +//
>
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +//
>
> +// **/
>
> +
>
> +
>
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
>
> +
>
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler specified by
> PcdSystemHashPolicy."
>
> +
>
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index cac36caf0a0d..e0e144124ddd 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -5,7 +5,7 @@
> # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library
> classes)
>
> # and libraries instances, which are used for those features.
>
> #
>
> -# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>
> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP <BR>
>
> # Copyright (c) 2017, Microsoft Corporation. All rights reserved. <BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> @@ -27,6 +27,10 @@ [LibraryClasses]
> #
>
> HashLib|Include/Library/HashLib.h
>
>
>
> + ## @libraryclass Provides hash interfaces from different implementations.
>
> + #
>
> + BaseHashLib|Include/Library/HashLib.h
>
> +
>
> ## @libraryclass Provides a platform specific interface to detect physically
> present user.
>
> #
>
> PlatformSecureLib|Include/Library/PlatformSecureLib.h
>
> @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx]
> # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
>
>
> gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023
>
>
>
> +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
>
> + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF image
>
> + # Based on the value set, the required algorithm is chosen to verify
>
> + # the unsigned image during Secure Boot.<BR>
>
> + # The hashing algorithm selected must match the hashing algorithm used to
>
> + # hash the image to be added to DB using tools such as KeyEnroll.<BR>
>
> + # 0x00000001 - MD4.<BR>
>
> + # 0x00000002 - MD5.<BR>
>
> + # 0x00000003 - SHA1.<BR>
>
> + # 0x00000004 - SHA256.<BR>
>
> + # 0x00000005 - SHA384.<BR>
>
> + # 0x00000006 - SHA512.<BR>
>
> + # 0x00000007 - SM3_256.<BR>
>
> + # @Prompt Set policy for hashing unsigned image for Secure Boot.
>
> + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
>
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x0001002
> 4
>
> +
>
> [UserExtensions.TianoCore."ExtraFiles"]
>
> SecurityPkgExtra.uni
>
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> index a2eeadda7a7e..86a5847e2509 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -1,7 +1,7 @@
> ## @file
>
> # Security Module Package for All Architectures.
>
> #
>
> -# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>
> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #
>
> @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
>
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.
> inf
>
>
> Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTc
> g2PhysicalPresenceLib.inf
>
> RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
>
> + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
>
>
>
> [LibraryClasses.common.DXE_DRIVER]
>
> HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
>
> @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER]
>
> Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i
> nf
>
>
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.in
> f
>
> FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
>
> + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
>
>
>
> [LibraryClasses.common.UEFI_DRIVER,
> LibraryClasses.common.DXE_RUNTIME_DRIVER,
> LibraryClasses.common.DXE_SAL_DRIVER,]
>
> HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
>
> @@ -211,6 +213,12 @@ [Components]
>
>
> SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
>
>
>
> + #
>
> + # Unified Hash API
>
> + #
>
> + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
>
> + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
>
> +
>
> #
>
> # TCG Storage.
>
> #
>
> diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni
> index 68587304d779..32ef97f81461 100644
> --- a/SecurityPkg/SecurityPkg.uni
> +++ b/SecurityPkg/SecurityPkg.uni
> @@ -5,7 +5,7 @@
> // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library
> classes)
>
> // and libraries instances, which are used for those features.
>
> //
>
> -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
>
> +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>
> //
>
> // SPDX-License-Identifier: BSD-2-Clause-Patent
>
> //
>
> @@ -295,3 +295,16 @@
>
>
> #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP
> #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
>
> "0 means this field is
> unsupported\n"
>
> +
>
>
> +
> #string
> STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> #language en-US "HASH algorithm to verify unsigned PE/COFF image"
>
> +
>
> +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> #language en-US "This PCD indicates the HASH algorithm used by Unified Hash
> API.<BR><BR>\n"
>
> + "Based on the value set, the
> required algorithm is chosen to calculate\n"
>
> + "the hash desired.<BR>\n"
>
> + "0x00000001 - MD4.<BR>\n"
>
> + "0x00000002 - MD5.<BR>\n"
>
> + "0x00000003 - SHA1.<BR>\n"
>
> + "0x00000004 -
> SHA256.<BR>\n"
>
> + "0x00000005 -
> SHA384.<BR>\n"
>
> + "0x00000006 -
> SHA512.<BR>\n"
>
> + "0x00000007 - SM3.<BR>"
>
> --
> 2.16.2.windows.1
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
2020-01-15 3:13 ` Wang, Jian J
@ 2020-01-15 3:47 ` Liming Gao
2020-01-15 23:01 ` Sukerkar, Amol N
2020-01-15 20:13 ` Sukerkar, Amol N
1 sibling, 1 reply; 12+ messages in thread
From: Liming Gao @ 2020-01-15 3:47 UTC (permalink / raw)
To: devel@edk2.groups.io, Wang, Jian J, Sukerkar, Amol N
Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas
Amol:
This is new feature. Please submit BZ (https://bugzilla.tianocore.org/) to track it. If this feature catches edk2 2020 Q1 stable tag, I will add it into edk2 feature planning.
Thanks
Liming
-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wang, Jian J
Sent: 2020年1月15日 11:14
To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
Amol,
1. Your patch doesn't support hashing more than one algorithm at the same time.
Is this on purpose? Sorry I don't remember the conclusion in last discussion.
2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h.
You can use BaseTools\Scripts\PatchCheck.py to check it before sending patch.
See my other comments below.
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Tuesday, January 14, 2020 11:41 PM
> To: devel@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal,
> Sachin <sachin.agrawal@intel.com>; Musti, Srinivas
> <srinivas.musti@intel.com>
> Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified
> Hash Calculation API
>
> This commit introduces a Unified Hash API to calculate hash using a
> hashing algorithm specified by the PCD, PcdSystemHashPolicy. This
> library interfaces with the various hashing API, such as, MD4, MD5,
> SHA1, SHA256,
> SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate
> the desired hash by setting PcdSystemHashPolicy to appropriate value.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> ---
>
> Notes:
> v2:
> - Fixed the commit message format
>
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252
> ++++++++++++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
> SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
> SecurityPkg/SecurityPkg.dec | 23 +-
> SecurityPkg/SecurityPkg.dsc | 10 +-
> SecurityPkg/SecurityPkg.uni | 15 +-
> 12 files changed, 833 insertions(+), 3 deletions(-)
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> new file mode 100644
> index 000000000000..f8742e55b5f7
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> @@ -0,0 +1,252 @@
> +/** @file
>
> + Implement image verification services for secure boot service
>
> +
>
> + Caution: This file requires additional review when modified.
>
> + This library will have external input - PE/COFF image.
>
> + This external input must be validated carefully to avoid security
> + issue like
>
> + buffer overflow, integer overflow.
>
> +
>
> + DxeImageVerificationLibImageRead() function will make sure the
> + PE/COFF
> image content
>
> + read is within the image buffer.
>
> +
>
> + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage()
> function will accept
>
> + untrusted PE/COFF image and validate its data structure within this
> + image
> buffer before use.
>
> +
>
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
>
> +This program and the accompanying materials
>
> +are licensed and made available under the terms and conditions of the
> +BSD
> License
>
> +which accompanies this distribution. The full text of the license
> +may be found
> at
>
> +http://opensource.org/licenses/bsd-license.php
>
> +
>
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
>
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
>
> +
>
> +**/
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/BaseCryptLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/BaseHashLib.h>
>
> +
>
> +/**
>
> + Init hash sequence with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashInitInternal (
>
> + IN UINT8 HashPolicy,
>
> + OUT HASH_HANDLE *HashHandle
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> + UINTN CtxSize;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + CtxSize = Md4GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Md4Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + CtxSize = Md5GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Md5Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + CtxSize = Sha1GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha1Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + CtxSize = Sha256GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha256Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + CtxSize = Sha384GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha384Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + CtxSize = Sha512GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha512Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + CtxSize = Sm3GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sm3Init (HashCtx);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
> + }
>
> +
3. Instead of switch..case, using a global array to defines all supported interfaces would be more efficient, since you can value of PcdSystemHashPolicy to index them directly.
>
> + *HashHandle = (HASH_HANDLE)HashCtx;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashUpdateInternal (
>
> + IN UINT8 HashPolicy,
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> +
>
> + HashCtx = (VOID *)HashHandle;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
> + }
>
4. The same as 3
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashFinalInternal (
>
> + IN UINT8 HashPolicy,
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 **Digest
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> + UINT8 DigestData[SHA512_DIGEST_SIZE];
>
> +
>
> + HashCtx = (VOID *)HashHandle;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + Status = Md4Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + Status = Md5Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + Status = Sha1Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + Status = Sha256Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + Status = Sha384Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + Status = Sha512Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + Status = Sm3Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
5. The same as 3
> + }
>
> +
>
> + FreePool (HashCtx);
>
> +
>
> + return Status;
>
> +}
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> new file mode 100644
> index 000000000000..ea22cfe16e2f
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> @@ -0,0 +1,122 @@
> +/** @file
>
> + This library is Unified Hash API. It will redirect hash request to
>
> + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> + SHA256,
>
> + SHA384 and SM3...
>
> +
>
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> +<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/BaseHashLib.h>
>
> +
>
> +#include "BaseHashLibCommon.h"
>
> +
>
> +/**
>
> + Init hash sequence.
>
> +
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiInit (
>
> + OUT HASH_HANDLE *HashHandle
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> + HASH_HANDLE Handle;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashInitInternal (HashPolicy, &Handle);
>
> +
>
> + *HashHandle = Handle;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiUpdate (
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiFinal (
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 *Digest
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + The constructor function of BaseHashLib Dxe.
>
> +
>
> + @param FileHandle The handle of FFS header the loaded driver.
>
> + @param PeiServices The pointer to the PEI services.
>
> +
>
> + @retval EFI_SUCCESS The constructor executes successfully.
>
> + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> constructor.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +BaseHashLibApiDxeConstructor (
>
> + IN EFI_HANDLE ImageHandle,
>
> + IN EFI_SYSTEM_TABLE *SystemTable
>
> + )
>
> +{
>
> + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n"));
>
> +
>
> + return EFI_SUCCESS;
>
> +}
6. Constructor is not necessary if you don't have anything to do with it.
You can remove it from inf file and here.
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> new file mode 100644
> index 000000000000..580ac21fc1d9
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> @@ -0,0 +1,125 @@
> +/** @file
>
> + This library is Unified Hash API. It will redirect hash request to
>
> + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> + SHA256,
>
> + SHA384 and SM3...
>
> +
>
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> +<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/HashLib.h>
>
> +#include <Library/HobLib.h>
>
> +#include <Guid/ZeroGuid.h>
>
> +
>
> +#include <Library/BaseHashLib.h>
>
> +#include "BaseHashLibCommon.h"
>
> +
>
> +/**
>
> + Init hash sequence.
>
> +
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiInit (
>
> + OUT HASH_HANDLE *HashHandle
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> + HASH_HANDLE Handle;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashInitInternal (HashPolicy, &Handle);
>
> +
>
> + *HashHandle = Handle;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiUpdate (
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiFinal (
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 *Digest
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + The constructor function of BaseHashLib Pei.
>
> +
>
> + @param FileHandle The handle of FFS header the loaded driver.
>
> + @param PeiServices The pointer to the PEI services.
>
> +
>
> + @retval EFI_SUCCESS The constructor executes successfully.
>
> + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> constructor.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +BaseHashLibApiPeiConstructor (
>
> + IN EFI_PEI_FILE_HANDLE FileHandle,
>
> + IN CONST EFI_PEI_SERVICES **PeiServices
>
> + )
>
> +{
>
> + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n"));
>
> +
>
> + return EFI_SUCCESS;
>
> +}
7. The same as 6
> \ No newline at end of file
> diff --git a/SecurityPkg/Include/Library/BaseHashLib.h
> b/SecurityPkg/Include/Library/BaseHashLib.h
> new file mode 100644
> index 000000000000..e1883fe7ce41
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/BaseHashLib.h
> @@ -0,0 +1,84 @@
> +/** @file
> + The internal header file includes the common header files, defines
> + internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR> This program and the accompanying materials are
> +licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license
> +may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +
> +#ifndef __BASEHASHLIB_H_
> +#define __BASEHASHLIB_H_
> +
> +#include <Uefi.h>
> +#include <Protocol/Hash.h>
> +#include <Library/HashLib.h>
> +
> +//
> +// Hash Algorithms
> +//
> +#define HASH_DEFAULT 0x00000000
> +#define HASH_MD4 0x00000001
> +#define HASH_MD5 0x00000002
> +#define HASH_SHA1 0x00000003
> +#define HASH_SHA256 0x00000004
> +#define HASH_SHA384 0x00000005
> +#define HASH_SHA512 0x00000006
> +#define HASH_SM3_256 0x00000007
> +
> +
> +/**
> + Init hash sequence.
> +
> + @param HashHandle Hash handle.
> +
> + @retval TRUE Hash start and HashHandle returned.
> + @retval FALSE Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> + OUT HASH_HANDLE *HashHandle
> +);
> +
> +/**
> + Update hash data.
> +
> + @param HashHandle Hash handle.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> + IN HASH_HANDLE HashHandle,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> +);
> +
> +/**
> + Hash complete.
> +
> + @param HashHandle Hash handle.
> + @param Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> + IN HASH_HANDLE HashHandle,
> + OUT UINT8 *Digest
> +);
> +
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> new file mode 100644
> index 000000000000..776b74ad753b
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> @@ -0,0 +1,71 @@
> +/** @file
> + The internal header file includes the common header files, defines
> + internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR> This program and the accompanying materials are
> +licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license
> +may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +
> +#ifndef __BASEHASHLIB_COMMON_H_
> +#define __BASEHASHLIB_COMMON_H_
> +
> +/**
> + Init hash sequence with Hash Algorithm specified by HashPolicy.
> +
> + @param HashHandle Hash handle.
> +
> + @retval EFI_SUCCESS Hash start and HashHandle returned.
> + @retval EFI_UNSUPPORTED System has no HASH library registered.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashInitInternal (
> + IN UINT8 HashPolicy,
> + OUT HASH_HANDLE *HashHandle
> + );
> +
> +/**
> + Hash complete with Hash Algorithm specified by HashPolicy.
> +
> + @param HashPolicy Hash Algorithm Policy.
> + @param HashHandle Hash handle.
> + @param Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashUpdateInternal (
> + IN UINT8 HashPolicy,
> + IN HASH_HANDLE HashHandle,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> + );
> +
> +/**
> + Update hash data with Hash Algorithm specified by HashPolicy.
> +
> + @param HashPolicy Hash Algorithm Policy.
> + @param HashHandle Hash handle.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashFinalInternal (
> + IN UINT8 HashPolicy,
> + IN HASH_HANDLE HashHandle,
> + OUT UINT8 **Digest
> + );
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> new file mode 100644
> index 000000000000..f97bda06108f
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> @@ -0,0 +1,47 @@
> +## @file
>
> +# Provides hash service by registered hash handler
>
> +#
>
> +# This library is Base Hash Lib. It will redirect hash request to
> +each individual
>
> +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.
>
> +#
>
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +##
>
> +
>
> +[Defines]
>
> + INF_VERSION = 0x00010005
>
> + BASE_NAME = BaseHashLibDxe
>
> + MODULE_UNI_FILE = BaseHashLibDxe.uni
>
> + FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
>
> + MODULE_TYPE = DXE_DRIVER
>
> + VERSION_STRING = 1.0
>
> + LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
>
> + CONSTRUCTOR = BaseHashLibApiDxeConstructor
8. Since the above function is actually empty, you can remove above line and
function in c file.
>
> +
>
> +#
>
> +# The following information is for reference only and not required by
> +the build
> tools.
>
> +#
>
> +# VALID_ARCHITECTURES = IA32 X64
>
> +#
>
> +
>
> +[Sources]
>
> + BaseHashLibCommon.h
>
> + BaseHashLibCommon.c
>
> + BaseHashLibDxe.c
>
> +
>
> +[Packages]
>
> + MdePkg/MdePkg.dec
>
> + CryptoPkg/CryptoPkg.dec
>
> + SecurityPkg/SecurityPkg.dec
>
> +
>
> +[LibraryClasses]
>
> + BaseLib
>
> + BaseMemoryLib
>
> + DebugLib
>
> + MemoryAllocationLib
>
> + BaseCryptLib
>
> + PcdLib
>
> +
>
> +[Pcd]
>
> + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> new file mode 100644
> index 000000000000..1865773b4a25
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> @@ -0,0 +1,18 @@
> +// /** @file
>
> +// Provides hash service by registered hash handler
>
> +//
>
> +// This library is Unified Hash API. It will redirect hash request to
> +each individual
>
> +// hash handler registered, such as SHA1, SHA256. Platform can use
> PcdTpm2HashMask to
>
> +// mask some hash engines.
>
> +//
>
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +//
>
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +//
>
> +// **/
>
> +
>
> +
>
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
>
> +
>
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler
> specified by PcdSystemHashPolicy."
>
> +
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> new file mode 100644
> index 000000000000..4d36030744bd
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> @@ -0,0 +1,52 @@
> +## @file
>
> +# Provides hash service by registered hash handler
>
> +#
>
> +# This library is BaseCrypto router. It will redirect hash request
> +to each
> individual
>
> +# hash handler registered, such as SHA1, SHA256.
>
> +#
>
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +##
>
> +
>
> +[Defines]
>
> + INF_VERSION = 0x00010005
>
> + BASE_NAME = BaseHashLibPei
>
> + MODULE_UNI_FILE = BaseHashLibPei.uni
>
> + FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
>
> + MODULE_TYPE = PEIM
>
> + VERSION_STRING = 1.0
>
> + LIBRARY_CLASS = BaseHashLib|PEIM
>
> + CONSTRUCTOR = BaseHashLibApiPeiConstructor
>
9. The same as 8
> +
>
> +#
>
> +# The following information is for reference only and not required by
> +the build
> tools.
>
> +#
>
> +# VALID_ARCHITECTURES = IA32 X64
>
> +#
>
> +
>
> +[Sources]
>
> + BaseHashLibCommon.h
>
> + BaseHashLibCommon.c
>
> + BaseHashLibPei.c
>
> +
>
> +[Packages]
>
> + MdePkg/MdePkg.dec
>
> + SecurityPkg/SecurityPkg.dec
>
> + CryptoPkg/CryptoPkg.dec
>
> + MdeModulePkg/MdeModulePkg.dec
>
> +
>
> +[LibraryClasses]
>
> + BaseLib
>
> + BaseMemoryLib
>
> + DebugLib
>
> + MemoryAllocationLib
>
> + BaseCryptLib
>
> + PcdLib
>
> +
>
> +[Guids]
>
> + ## SOMETIMES_CONSUMES ## GUID
>
> + gZeroGuid
>
> +
>
> +[Pcd]
>
> + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> new file mode 100644
> index 000000000000..2131b61bd235
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> @@ -0,0 +1,17 @@
> +// /** @file
>
> +// Provides hash service by registered hash handler
>
> +//
>
> +// This library is Unified Hash API. It will redirect hash request to
> +each individual
>
> +// hash handler registered, such as SHA1, SHA256.
>
> +//
>
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +//
>
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +//
>
> +// **/
>
> +
>
> +
>
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
>
> +
>
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler
> specified by PcdSystemHashPolicy."
>
> +
>
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index cac36caf0a0d..e0e144124ddd 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -5,7 +5,7 @@
> # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
> and library
> classes)
>
> # and libraries instances, which are used for those features.
>
> #
>
> -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> reserved.<BR>
>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP <BR>
>
> # Copyright (c) 2017, Microsoft Corporation. All rights reserved.
> <BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> @@ -27,6 +27,10 @@ [LibraryClasses]
> #
>
> HashLib|Include/Library/HashLib.h
>
>
>
> + ## @libraryclass Provides hash interfaces from different implementations.
>
> + #
>
> + BaseHashLib|Include/Library/HashLib.h
>
> +
>
> ## @libraryclass Provides a platform specific interface to detect
> physically present user.
>
> #
>
> PlatformSecureLib|Include/Library/PlatformSecureLib.h
>
> @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx]
> # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
>
>
> gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023
>
>
>
> +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
>
> + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF
> + image
>
> + # Based on the value set, the required algorithm is chosen to
> + verify
>
> + # the unsigned image during Secure Boot.<BR>
>
> + # The hashing algorithm selected must match the hashing algorithm
> + used to
>
> + # hash the image to be added to DB using tools such as
> + KeyEnroll.<BR>
>
> + # 0x00000001 - MD4.<BR>
>
> + # 0x00000002 - MD5.<BR>
>
> + # 0x00000003 - SHA1.<BR>
>
> + # 0x00000004 - SHA256.<BR>
>
> + # 0x00000005 - SHA384.<BR>
>
> + # 0x00000006 - SHA512.<BR>
>
> + # 0x00000007 - SM3_256.<BR>
>
> + # @Prompt Set policy for hashing unsigned image for Secure Boot.
>
> + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
>
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x0001002
> 4
>
> +
>
> [UserExtensions.TianoCore."ExtraFiles"]
>
> SecurityPkgExtra.uni
>
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> index a2eeadda7a7e..86a5847e2509 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -1,7 +1,7 @@
> ## @file
>
> # Security Module Package for All Architectures.
>
> #
>
> -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> reserved.<BR>
>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #
>
> @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
>
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.
> inf
>
>
> Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib
> Tcg2PhysicalPresenceLib|/PeiTc
> g2PhysicalPresenceLib.inf
>
> RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
>
> + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
>
>
>
> [LibraryClasses.common.DXE_DRIVER]
>
> HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
>
> @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER]
>
> Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg
> Tpm12DeviceLib|.i
> nf
>
>
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.
> Tpm2DeviceLib|in
> f
>
>
> FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.i
> nf
>
> + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
>
>
>
> [LibraryClasses.common.UEFI_DRIVER,
> LibraryClasses.common.DXE_RUNTIME_DRIVER,
> LibraryClasses.common.DXE_SAL_DRIVER,]
>
> HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
>
> @@ -211,6 +213,12 @@ [Components]
>
>
> SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
>
>
>
> + #
>
> + # Unified Hash API
>
> + #
>
> + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
>
> + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
>
> +
>
> #
>
> # TCG Storage.
>
> #
>
> diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni
> index 68587304d779..32ef97f81461 100644
> --- a/SecurityPkg/SecurityPkg.uni
> +++ b/SecurityPkg/SecurityPkg.uni
> @@ -5,7 +5,7 @@
> // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
> and library
> classes)
>
> // and libraries instances, which are used for those features.
>
> //
>
> -// Copyright (c) 2009 - 2018, Intel Corporation. All rights
> reserved.<BR>
>
> +// Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> //
>
> // SPDX-License-Identifier: BSD-2-Clause-Patent
>
> //
>
> @@ -295,3 +295,16 @@
>
>
> #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP
> #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
>
>
> "0 means this field is unsupported\n"
>
> +
>
>
> +
> #string
> STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> #language en-US "HASH algorithm to verify unsigned PE/COFF image"
>
> +
>
> +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> #language en-US "This PCD indicates the HASH algorithm used by Unified
> Hash API.<BR><BR>\n"
>
> +
> + "Based on the value set, the
> required algorithm is chosen to calculate\n"
>
> + "the hash desired.<BR>\n"
>
> + "0x00000001 - MD4.<BR>\n"
>
> + "0x00000002 - MD5.<BR>\n"
>
> + "0x00000003 - SHA1.<BR>\n"
>
> +
> + "0x00000004 -
> SHA256.<BR>\n"
>
> +
> + "0x00000005 -
> SHA384.<BR>\n"
>
> +
> + "0x00000006 -
> SHA512.<BR>\n"
>
> + "0x00000007 - SM3.<BR>"
>
> --
> 2.16.2.windows.1
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
2020-01-15 3:13 ` Wang, Jian J
2020-01-15 3:47 ` [edk2-devel] " Liming Gao
@ 2020-01-15 20:13 ` Sukerkar, Amol N
1 sibling, 0 replies; 12+ messages in thread
From: Sukerkar, Amol N @ 2020-01-15 20:13 UTC (permalink / raw)
To: Wang, Jian J, devel@edk2.groups.io
Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas,
Sukerkar, Amol N
Thanks, Jian!
Please find my answer below.
~ Amol
-----Original Message-----
From: Wang, Jian J <jian.j.wang@intel.com>
Sent: Tuesday, January 14, 2020 8:14 PM
To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
Subject: RE: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
Amol,
1. Your patch doesn't support hashing more than one algorithm at the same time.
Is this on purpose? Sorry I don't remember the conclusion in last discussion.
[ANS] This feature supports only one hashing algorithm at a given time as per our last discussion. The PcdSystemHashPolicy can be overridden at platform level DSC.
2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h.
You can use BaseTools\Scripts\PatchCheck.py to check it before sending patch.
[ANS] OK. I will run the tool before uploading the next version with the changes suggested below.
See my other comments below.
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Tuesday, January 14, 2020 11:41 PM
> To: devel@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal,
> Sachin <sachin.agrawal@intel.com>; Musti, Srinivas
> <srinivas.musti@intel.com>
> Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified
> Hash Calculation API
>
> This commit introduces a Unified Hash API to calculate hash using a
> hashing algorithm specified by the PCD, PcdSystemHashPolicy. This
> library interfaces with the various hashing API, such as, MD4, MD5,
> SHA1, SHA256,
> SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate
> the desired hash by setting PcdSystemHashPolicy to appropriate value.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> ---
>
> Notes:
> v2:
> - Fixed the commit message format
>
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252
> ++++++++++++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
> SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
> SecurityPkg/SecurityPkg.dec | 23 +-
> SecurityPkg/SecurityPkg.dsc | 10 +-
> SecurityPkg/SecurityPkg.uni | 15 +-
> 12 files changed, 833 insertions(+), 3 deletions(-)
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> new file mode 100644
> index 000000000000..f8742e55b5f7
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> @@ -0,0 +1,252 @@
> +/** @file
>
> + Implement image verification services for secure boot service
>
> +
>
> + Caution: This file requires additional review when modified.
>
> + This library will have external input - PE/COFF image.
>
> + This external input must be validated carefully to avoid security
> + issue like
>
> + buffer overflow, integer overflow.
>
> +
>
> + DxeImageVerificationLibImageRead() function will make sure the
> + PE/COFF
> image content
>
> + read is within the image buffer.
>
> +
>
> + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage()
> function will accept
>
> + untrusted PE/COFF image and validate its data structure within this
> + image
> buffer before use.
>
> +
>
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
>
> +This program and the accompanying materials
>
> +are licensed and made available under the terms and conditions of the
> +BSD
> License
>
> +which accompanies this distribution. The full text of the license
> +may be found
> at
>
> +http://opensource.org/licenses/bsd-license.php
>
> +
>
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
>
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
>
> +
>
> +**/
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/BaseCryptLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/BaseHashLib.h>
>
> +
>
> +/**
>
> + Init hash sequence with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashInitInternal (
>
> + IN UINT8 HashPolicy,
>
> + OUT HASH_HANDLE *HashHandle
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> + UINTN CtxSize;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + CtxSize = Md4GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Md4Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + CtxSize = Md5GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Md5Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + CtxSize = Sha1GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha1Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + CtxSize = Sha256GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha256Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + CtxSize = Sha384GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha384Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + CtxSize = Sha512GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha512Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + CtxSize = Sm3GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sm3Init (HashCtx);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
> + }
>
> +
3. Instead of switch..case, using a global array to defines all supported interfaces would be more efficient, since you can value of PcdSystemHashPolicy to index them directly.
>
> + *HashHandle = (HASH_HANDLE)HashCtx;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashUpdateInternal (
>
> + IN UINT8 HashPolicy,
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> +
>
> + HashCtx = (VOID *)HashHandle;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
> + }
>
4. The same as 3
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashFinalInternal (
>
> + IN UINT8 HashPolicy,
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 **Digest
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> + UINT8 DigestData[SHA512_DIGEST_SIZE];
>
> +
>
> + HashCtx = (VOID *)HashHandle;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + Status = Md4Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + Status = Md5Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + Status = Sha1Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + Status = Sha256Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + Status = Sha384Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + Status = Sha512Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + Status = Sm3Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
5. The same as 3
> + }
>
> +
>
> + FreePool (HashCtx);
>
> +
>
> + return Status;
>
> +}
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> new file mode 100644
> index 000000000000..ea22cfe16e2f
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> @@ -0,0 +1,122 @@
> +/** @file
>
> + This library is Unified Hash API. It will redirect hash request to
>
> + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> + SHA256,
>
> + SHA384 and SM3...
>
> +
>
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> +<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/BaseHashLib.h>
>
> +
>
> +#include "BaseHashLibCommon.h"
>
> +
>
> +/**
>
> + Init hash sequence.
>
> +
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiInit (
>
> + OUT HASH_HANDLE *HashHandle
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> + HASH_HANDLE Handle;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashInitInternal (HashPolicy, &Handle);
>
> +
>
> + *HashHandle = Handle;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiUpdate (
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiFinal (
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 *Digest
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + The constructor function of BaseHashLib Dxe.
>
> +
>
> + @param FileHandle The handle of FFS header the loaded driver.
>
> + @param PeiServices The pointer to the PEI services.
>
> +
>
> + @retval EFI_SUCCESS The constructor executes successfully.
>
> + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> constructor.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +BaseHashLibApiDxeConstructor (
>
> + IN EFI_HANDLE ImageHandle,
>
> + IN EFI_SYSTEM_TABLE *SystemTable
>
> + )
>
> +{
>
> + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n"));
>
> +
>
> + return EFI_SUCCESS;
>
> +}
6. Constructor is not necessary if you don't have anything to do with it.
You can remove it from inf file and here.
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> new file mode 100644
> index 000000000000..580ac21fc1d9
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> @@ -0,0 +1,125 @@
> +/** @file
>
> + This library is Unified Hash API. It will redirect hash request to
>
> + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> + SHA256,
>
> + SHA384 and SM3...
>
> +
>
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> +<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/HashLib.h>
>
> +#include <Library/HobLib.h>
>
> +#include <Guid/ZeroGuid.h>
>
> +
>
> +#include <Library/BaseHashLib.h>
>
> +#include "BaseHashLibCommon.h"
>
> +
>
> +/**
>
> + Init hash sequence.
>
> +
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiInit (
>
> + OUT HASH_HANDLE *HashHandle
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> + HASH_HANDLE Handle;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashInitInternal (HashPolicy, &Handle);
>
> +
>
> + *HashHandle = Handle;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiUpdate (
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiFinal (
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 *Digest
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + The constructor function of BaseHashLib Pei.
>
> +
>
> + @param FileHandle The handle of FFS header the loaded driver.
>
> + @param PeiServices The pointer to the PEI services.
>
> +
>
> + @retval EFI_SUCCESS The constructor executes successfully.
>
> + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> constructor.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +BaseHashLibApiPeiConstructor (
>
> + IN EFI_PEI_FILE_HANDLE FileHandle,
>
> + IN CONST EFI_PEI_SERVICES **PeiServices
>
> + )
>
> +{
>
> + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n"));
>
> +
>
> + return EFI_SUCCESS;
>
> +}
7. The same as 6
> \ No newline at end of file
> diff --git a/SecurityPkg/Include/Library/BaseHashLib.h
> b/SecurityPkg/Include/Library/BaseHashLib.h
> new file mode 100644
> index 000000000000..e1883fe7ce41
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/BaseHashLib.h
> @@ -0,0 +1,84 @@
> +/** @file
> + The internal header file includes the common header files, defines
> + internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR> This program and the accompanying materials are
> +licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license
> +may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +
> +#ifndef __BASEHASHLIB_H_
> +#define __BASEHASHLIB_H_
> +
> +#include <Uefi.h>
> +#include <Protocol/Hash.h>
> +#include <Library/HashLib.h>
> +
> +//
> +// Hash Algorithms
> +//
> +#define HASH_DEFAULT 0x00000000
> +#define HASH_MD4 0x00000001
> +#define HASH_MD5 0x00000002
> +#define HASH_SHA1 0x00000003
> +#define HASH_SHA256 0x00000004
> +#define HASH_SHA384 0x00000005
> +#define HASH_SHA512 0x00000006
> +#define HASH_SM3_256 0x00000007
> +
> +
> +/**
> + Init hash sequence.
> +
> + @param HashHandle Hash handle.
> +
> + @retval TRUE Hash start and HashHandle returned.
> + @retval FALSE Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> + OUT HASH_HANDLE *HashHandle
> +);
> +
> +/**
> + Update hash data.
> +
> + @param HashHandle Hash handle.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> + IN HASH_HANDLE HashHandle,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> +);
> +
> +/**
> + Hash complete.
> +
> + @param HashHandle Hash handle.
> + @param Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> + IN HASH_HANDLE HashHandle,
> + OUT UINT8 *Digest
> +);
> +
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> new file mode 100644
> index 000000000000..776b74ad753b
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> @@ -0,0 +1,71 @@
> +/** @file
> + The internal header file includes the common header files, defines
> + internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR> This program and the accompanying materials are
> +licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license
> +may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +
> +#ifndef __BASEHASHLIB_COMMON_H_
> +#define __BASEHASHLIB_COMMON_H_
> +
> +/**
> + Init hash sequence with Hash Algorithm specified by HashPolicy.
> +
> + @param HashHandle Hash handle.
> +
> + @retval EFI_SUCCESS Hash start and HashHandle returned.
> + @retval EFI_UNSUPPORTED System has no HASH library registered.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashInitInternal (
> + IN UINT8 HashPolicy,
> + OUT HASH_HANDLE *HashHandle
> + );
> +
> +/**
> + Hash complete with Hash Algorithm specified by HashPolicy.
> +
> + @param HashPolicy Hash Algorithm Policy.
> + @param HashHandle Hash handle.
> + @param Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashUpdateInternal (
> + IN UINT8 HashPolicy,
> + IN HASH_HANDLE HashHandle,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> + );
> +
> +/**
> + Update hash data with Hash Algorithm specified by HashPolicy.
> +
> + @param HashPolicy Hash Algorithm Policy.
> + @param HashHandle Hash handle.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashFinalInternal (
> + IN UINT8 HashPolicy,
> + IN HASH_HANDLE HashHandle,
> + OUT UINT8 **Digest
> + );
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> new file mode 100644
> index 000000000000..f97bda06108f
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> @@ -0,0 +1,47 @@
> +## @file
>
> +# Provides hash service by registered hash handler
>
> +#
>
> +# This library is Base Hash Lib. It will redirect hash request to
> +each individual
>
> +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.
>
> +#
>
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +##
>
> +
>
> +[Defines]
>
> + INF_VERSION = 0x00010005
>
> + BASE_NAME = BaseHashLibDxe
>
> + MODULE_UNI_FILE = BaseHashLibDxe.uni
>
> + FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
>
> + MODULE_TYPE = DXE_DRIVER
>
> + VERSION_STRING = 1.0
>
> + LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
>
> + CONSTRUCTOR = BaseHashLibApiDxeConstructor
8. Since the above function is actually empty, you can remove above line and
function in c file.
>
> +
>
> +#
>
> +# The following information is for reference only and not required by
> +the build
> tools.
>
> +#
>
> +# VALID_ARCHITECTURES = IA32 X64
>
> +#
>
> +
>
> +[Sources]
>
> + BaseHashLibCommon.h
>
> + BaseHashLibCommon.c
>
> + BaseHashLibDxe.c
>
> +
>
> +[Packages]
>
> + MdePkg/MdePkg.dec
>
> + CryptoPkg/CryptoPkg.dec
>
> + SecurityPkg/SecurityPkg.dec
>
> +
>
> +[LibraryClasses]
>
> + BaseLib
>
> + BaseMemoryLib
>
> + DebugLib
>
> + MemoryAllocationLib
>
> + BaseCryptLib
>
> + PcdLib
>
> +
>
> +[Pcd]
>
> + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> new file mode 100644
> index 000000000000..1865773b4a25
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> @@ -0,0 +1,18 @@
> +// /** @file
>
> +// Provides hash service by registered hash handler
>
> +//
>
> +// This library is Unified Hash API. It will redirect hash request to
> +each individual
>
> +// hash handler registered, such as SHA1, SHA256. Platform can use
> PcdTpm2HashMask to
>
> +// mask some hash engines.
>
> +//
>
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +//
>
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +//
>
> +// **/
>
> +
>
> +
>
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
>
> +
>
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler
> specified by PcdSystemHashPolicy."
>
> +
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> new file mode 100644
> index 000000000000..4d36030744bd
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> @@ -0,0 +1,52 @@
> +## @file
>
> +# Provides hash service by registered hash handler
>
> +#
>
> +# This library is BaseCrypto router. It will redirect hash request
> +to each
> individual
>
> +# hash handler registered, such as SHA1, SHA256.
>
> +#
>
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +##
>
> +
>
> +[Defines]
>
> + INF_VERSION = 0x00010005
>
> + BASE_NAME = BaseHashLibPei
>
> + MODULE_UNI_FILE = BaseHashLibPei.uni
>
> + FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
>
> + MODULE_TYPE = PEIM
>
> + VERSION_STRING = 1.0
>
> + LIBRARY_CLASS = BaseHashLib|PEIM
>
> + CONSTRUCTOR = BaseHashLibApiPeiConstructor
>
9. The same as 8
> +
>
> +#
>
> +# The following information is for reference only and not required by
> +the build
> tools.
>
> +#
>
> +# VALID_ARCHITECTURES = IA32 X64
>
> +#
>
> +
>
> +[Sources]
>
> + BaseHashLibCommon.h
>
> + BaseHashLibCommon.c
>
> + BaseHashLibPei.c
>
> +
>
> +[Packages]
>
> + MdePkg/MdePkg.dec
>
> + SecurityPkg/SecurityPkg.dec
>
> + CryptoPkg/CryptoPkg.dec
>
> + MdeModulePkg/MdeModulePkg.dec
>
> +
>
> +[LibraryClasses]
>
> + BaseLib
>
> + BaseMemoryLib
>
> + DebugLib
>
> + MemoryAllocationLib
>
> + BaseCryptLib
>
> + PcdLib
>
> +
>
> +[Guids]
>
> + ## SOMETIMES_CONSUMES ## GUID
>
> + gZeroGuid
>
> +
>
> +[Pcd]
>
> + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> new file mode 100644
> index 000000000000..2131b61bd235
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> @@ -0,0 +1,17 @@
> +// /** @file
>
> +// Provides hash service by registered hash handler
>
> +//
>
> +// This library is Unified Hash API. It will redirect hash request to
> +each individual
>
> +// hash handler registered, such as SHA1, SHA256.
>
> +//
>
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +//
>
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +//
>
> +// **/
>
> +
>
> +
>
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
>
> +
>
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler
> specified by PcdSystemHashPolicy."
>
> +
>
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index cac36caf0a0d..e0e144124ddd 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -5,7 +5,7 @@
> # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
> and library
> classes)
>
> # and libraries instances, which are used for those features.
>
> #
>
> -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> reserved.<BR>
>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP <BR>
>
> # Copyright (c) 2017, Microsoft Corporation. All rights reserved.
> <BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> @@ -27,6 +27,10 @@ [LibraryClasses]
> #
>
> HashLib|Include/Library/HashLib.h
>
>
>
> + ## @libraryclass Provides hash interfaces from different implementations.
>
> + #
>
> + BaseHashLib|Include/Library/HashLib.h
>
> +
>
> ## @libraryclass Provides a platform specific interface to detect
> physically present user.
>
> #
>
> PlatformSecureLib|Include/Library/PlatformSecureLib.h
>
> @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx]
> # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
>
>
> gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023
>
>
>
> +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
>
> + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF
> + image
>
> + # Based on the value set, the required algorithm is chosen to
> + verify
>
> + # the unsigned image during Secure Boot.<BR>
>
> + # The hashing algorithm selected must match the hashing algorithm
> + used to
>
> + # hash the image to be added to DB using tools such as
> + KeyEnroll.<BR>
>
> + # 0x00000001 - MD4.<BR>
>
> + # 0x00000002 - MD5.<BR>
>
> + # 0x00000003 - SHA1.<BR>
>
> + # 0x00000004 - SHA256.<BR>
>
> + # 0x00000005 - SHA384.<BR>
>
> + # 0x00000006 - SHA512.<BR>
>
> + # 0x00000007 - SM3_256.<BR>
>
> + # @Prompt Set policy for hashing unsigned image for Secure Boot.
>
> + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
>
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x0001002
> 4
>
> +
>
> [UserExtensions.TianoCore."ExtraFiles"]
>
> SecurityPkgExtra.uni
>
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> index a2eeadda7a7e..86a5847e2509 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -1,7 +1,7 @@
> ## @file
>
> # Security Module Package for All Architectures.
>
> #
>
> -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> reserved.<BR>
>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #
>
> @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
>
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.
> inf
>
>
> Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib
> Tcg2PhysicalPresenceLib|/PeiTc
> g2PhysicalPresenceLib.inf
>
> RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
>
> + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
>
>
>
> [LibraryClasses.common.DXE_DRIVER]
>
> HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
>
> @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER]
>
> Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg
> Tpm12DeviceLib|.i
> nf
>
>
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.
> Tpm2DeviceLib|in
> f
>
>
> FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.i
> nf
>
> + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
>
>
>
> [LibraryClasses.common.UEFI_DRIVER,
> LibraryClasses.common.DXE_RUNTIME_DRIVER,
> LibraryClasses.common.DXE_SAL_DRIVER,]
>
> HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
>
> @@ -211,6 +213,12 @@ [Components]
>
>
> SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
>
>
>
> + #
>
> + # Unified Hash API
>
> + #
>
> + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
>
> + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
>
> +
>
> #
>
> # TCG Storage.
>
> #
>
> diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni
> index 68587304d779..32ef97f81461 100644
> --- a/SecurityPkg/SecurityPkg.uni
> +++ b/SecurityPkg/SecurityPkg.uni
> @@ -5,7 +5,7 @@
> // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
> and library
> classes)
>
> // and libraries instances, which are used for those features.
>
> //
>
> -// Copyright (c) 2009 - 2018, Intel Corporation. All rights
> reserved.<BR>
>
> +// Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> //
>
> // SPDX-License-Identifier: BSD-2-Clause-Patent
>
> //
>
> @@ -295,3 +295,16 @@
>
>
> #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP
> #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
>
>
> "0 means this field is unsupported\n"
>
> +
>
>
> +
> #string
> STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> #language en-US "HASH algorithm to verify unsigned PE/COFF image"
>
> +
>
> +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> #language en-US "This PCD indicates the HASH algorithm used by Unified
> Hash API.<BR><BR>\n"
>
> +
> + "Based on the value set, the
> required algorithm is chosen to calculate\n"
>
> + "the hash desired.<BR>\n"
>
> + "0x00000001 - MD4.<BR>\n"
>
> + "0x00000002 - MD5.<BR>\n"
>
> + "0x00000003 - SHA1.<BR>\n"
>
> +
> + "0x00000004 -
> SHA256.<BR>\n"
>
> +
> + "0x00000005 -
> SHA384.<BR>\n"
>
> +
> + "0x00000006 -
> SHA512.<BR>\n"
>
> + "0x00000007 - SM3.<BR>"
>
> --
> 2.16.2.windows.1
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
2020-01-15 3:47 ` [edk2-devel] " Liming Gao
@ 2020-01-15 23:01 ` Sukerkar, Amol N
2020-01-16 3:38 ` Liming Gao
0 siblings, 1 reply; 12+ messages in thread
From: Sukerkar, Amol N @ 2020-01-15 23:01 UTC (permalink / raw)
To: Gao, Liming, devel@edk2.groups.io, Wang, Jian J
Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas,
Sukerkar, Amol N
Hi Liming,
We already have a ticket filed in Bugzilla, https://bugzilla.tianocore.org/show_bug.cgi?id=2151. Would this be sufficient?
Thanks,
Amol
-----Original Message-----
From: Gao, Liming <liming.gao@intel.com>
Sent: Tuesday, January 14, 2020 8:47 PM
To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>; Sukerkar, Amol N <amol.n.sukerkar@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
Amol:
This is new feature. Please submit BZ (https://bugzilla.tianocore.org/) to track it. If this feature catches edk2 2020 Q1 stable tag, I will add it into edk2 feature planning.
Thanks
Liming
-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wang, Jian J
Sent: 2020年1月15日 11:14
To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
Amol,
1. Your patch doesn't support hashing more than one algorithm at the same time.
Is this on purpose? Sorry I don't remember the conclusion in last discussion.
2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h.
You can use BaseTools\Scripts\PatchCheck.py to check it before sending patch.
See my other comments below.
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Tuesday, January 14, 2020 11:41 PM
> To: devel@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal,
> Sachin <sachin.agrawal@intel.com>; Musti, Srinivas
> <srinivas.musti@intel.com>
> Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified
> Hash Calculation API
>
> This commit introduces a Unified Hash API to calculate hash using a
> hashing algorithm specified by the PCD, PcdSystemHashPolicy. This
> library interfaces with the various hashing API, such as, MD4, MD5,
> SHA1, SHA256,
> SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate
> the desired hash by setting PcdSystemHashPolicy to appropriate value.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> ---
>
> Notes:
> v2:
> - Fixed the commit message format
>
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252
> ++++++++++++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
> SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
> SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
> SecurityPkg/SecurityPkg.dec | 23 +-
> SecurityPkg/SecurityPkg.dsc | 10 +-
> SecurityPkg/SecurityPkg.uni | 15 +-
> 12 files changed, 833 insertions(+), 3 deletions(-)
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> new file mode 100644
> index 000000000000..f8742e55b5f7
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> @@ -0,0 +1,252 @@
> +/** @file
>
> + Implement image verification services for secure boot service
>
> +
>
> + Caution: This file requires additional review when modified.
>
> + This library will have external input - PE/COFF image.
>
> + This external input must be validated carefully to avoid security
> + issue like
>
> + buffer overflow, integer overflow.
>
> +
>
> + DxeImageVerificationLibImageRead() function will make sure the
> + PE/COFF
> image content
>
> + read is within the image buffer.
>
> +
>
> + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage()
> function will accept
>
> + untrusted PE/COFF image and validate its data structure within this
> + image
> buffer before use.
>
> +
>
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
>
> +This program and the accompanying materials
>
> +are licensed and made available under the terms and conditions of the
> +BSD
> License
>
> +which accompanies this distribution. The full text of the license
> +may be found
> at
>
> +http://opensource.org/licenses/bsd-license.php
>
> +
>
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
>
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
>
> +
>
> +**/
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/BaseCryptLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/BaseHashLib.h>
>
> +
>
> +/**
>
> + Init hash sequence with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashInitInternal (
>
> + IN UINT8 HashPolicy,
>
> + OUT HASH_HANDLE *HashHandle
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> + UINTN CtxSize;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + CtxSize = Md4GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Md4Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + CtxSize = Md5GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Md5Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + CtxSize = Sha1GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha1Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + CtxSize = Sha256GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha256Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + CtxSize = Sha384GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha384Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + CtxSize = Sha512GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sha512Init (HashCtx);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + CtxSize = Sm3GetContextSize ();
>
> + HashCtx = AllocatePool (CtxSize);
>
> + ASSERT (HashCtx != NULL);
>
> +
>
> + Status = Sm3Init (HashCtx);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
> + }
>
> +
3. Instead of switch..case, using a global array to defines all supported interfaces would be more efficient, since you can value of PcdSystemHashPolicy to index them directly.
>
> + *HashHandle = (HASH_HANDLE)HashCtx;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashUpdateInternal (
>
> + IN UINT8 HashPolicy,
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> +
>
> + HashCtx = (VOID *)HashHandle;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
> + }
>
4. The same as 3
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete with Hash Algorithm specified by HashPolicy.
>
> +
>
> + @param HashPolicy Hash Algorithm Policy.
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashFinalInternal (
>
> + IN UINT8 HashPolicy,
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 **Digest
>
> + )
>
> +{
>
> + BOOLEAN Status;
>
> + VOID *HashCtx;
>
> + UINT8 DigestData[SHA512_DIGEST_SIZE];
>
> +
>
> + HashCtx = (VOID *)HashHandle;
>
> +
>
> + switch (HashPolicy) {
>
> + case HASH_MD4:
>
> + Status = Md4Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_MD5:
>
> + Status = Md5Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA1:
>
> + Status = Sha1Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA256:
>
> + Status = Sha256Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA384:
>
> + Status = Sha384Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SHA512:
>
> + Status = Sha512Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
>
> + break;
>
> +
>
> + case HASH_SM3_256:
>
> + Status = Sm3Final (HashCtx, DigestData);
>
> + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
>
> + break;
>
> +
>
> + default:
>
> + ASSERT (FALSE);
>
> + break;
>
5. The same as 3
> + }
>
> +
>
> + FreePool (HashCtx);
>
> +
>
> + return Status;
>
> +}
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> new file mode 100644
> index 000000000000..ea22cfe16e2f
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> @@ -0,0 +1,122 @@
> +/** @file
>
> + This library is Unified Hash API. It will redirect hash request to
>
> + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> + SHA256,
>
> + SHA384 and SM3...
>
> +
>
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> +<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/BaseHashLib.h>
>
> +
>
> +#include "BaseHashLibCommon.h"
>
> +
>
> +/**
>
> + Init hash sequence.
>
> +
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiInit (
>
> + OUT HASH_HANDLE *HashHandle
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> + HASH_HANDLE Handle;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashInitInternal (HashPolicy, &Handle);
>
> +
>
> + *HashHandle = Handle;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiUpdate (
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiFinal (
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 *Digest
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + The constructor function of BaseHashLib Dxe.
>
> +
>
> + @param FileHandle The handle of FFS header the loaded driver.
>
> + @param PeiServices The pointer to the PEI services.
>
> +
>
> + @retval EFI_SUCCESS The constructor executes successfully.
>
> + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> constructor.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +BaseHashLibApiDxeConstructor (
>
> + IN EFI_HANDLE ImageHandle,
>
> + IN EFI_SYSTEM_TABLE *SystemTable
>
> + )
>
> +{
>
> + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n"));
>
> +
>
> + return EFI_SUCCESS;
>
> +}
6. Constructor is not necessary if you don't have anything to do with it.
You can remove it from inf file and here.
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> new file mode 100644
> index 000000000000..580ac21fc1d9
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> @@ -0,0 +1,125 @@
> +/** @file
>
> + This library is Unified Hash API. It will redirect hash request to
>
> + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> + SHA256,
>
> + SHA384 and SM3...
>
> +
>
> +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> +<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/PcdLib.h>
>
> +#include <Library/HashLib.h>
>
> +#include <Library/HobLib.h>
>
> +#include <Guid/ZeroGuid.h>
>
> +
>
> +#include <Library/BaseHashLib.h>
>
> +#include "BaseHashLibCommon.h"
>
> +
>
> +/**
>
> + Init hash sequence.
>
> +
>
> + @param HashHandle Hash handle.
>
> +
>
> + @retval TRUE Hash start and HashHandle returned.
>
> + @retval FALSE Hash Init unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiInit (
>
> + OUT HASH_HANDLE *HashHandle
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> + HASH_HANDLE Handle;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashInitInternal (HashPolicy, &Handle);
>
> +
>
> + *HashHandle = Handle;
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Update hash data.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param DataToHash Data to be hashed.
>
> + @param DataToHashLen Data size.
>
> +
>
> + @retval TRUE Hash updated.
>
> + @retval FALSE Hash updated unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiUpdate (
>
> + IN HASH_HANDLE HashHandle,
>
> + IN VOID *DataToHash,
>
> + IN UINTN DataToHashLen
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> DataToHashLen);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + Hash complete.
>
> +
>
> + @param HashHandle Hash handle.
>
> + @param Digest Hash Digest.
>
> +
>
> + @retval TRUE Hash complete and Digest is returned.
>
> + @retval FALSE Hash complete unsuccessful.
>
> +**/
>
> +BOOLEAN
>
> +EFIAPI
>
> +HashApiFinal (
>
> + IN HASH_HANDLE HashHandle,
>
> + OUT UINT8 *Digest
>
> +)
>
> +{
>
> + BOOLEAN Status;
>
> + UINT8 HashPolicy;
>
> +
>
> + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
>
> +
>
> + Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
>
> +
>
> + return Status;
>
> +}
>
> +
>
> +/**
>
> + The constructor function of BaseHashLib Pei.
>
> +
>
> + @param FileHandle The handle of FFS header the loaded driver.
>
> + @param PeiServices The pointer to the PEI services.
>
> +
>
> + @retval EFI_SUCCESS The constructor executes successfully.
>
> + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> constructor.
>
> +
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +BaseHashLibApiPeiConstructor (
>
> + IN EFI_PEI_FILE_HANDLE FileHandle,
>
> + IN CONST EFI_PEI_SERVICES **PeiServices
>
> + )
>
> +{
>
> + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n"));
>
> +
>
> + return EFI_SUCCESS;
>
> +}
7. The same as 6
> \ No newline at end of file
> diff --git a/SecurityPkg/Include/Library/BaseHashLib.h
> b/SecurityPkg/Include/Library/BaseHashLib.h
> new file mode 100644
> index 000000000000..e1883fe7ce41
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/BaseHashLib.h
> @@ -0,0 +1,84 @@
> +/** @file
> + The internal header file includes the common header files, defines
> + internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR> This program and the accompanying materials are
> +licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license
> +may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +
> +#ifndef __BASEHASHLIB_H_
> +#define __BASEHASHLIB_H_
> +
> +#include <Uefi.h>
> +#include <Protocol/Hash.h>
> +#include <Library/HashLib.h>
> +
> +//
> +// Hash Algorithms
> +//
> +#define HASH_DEFAULT 0x00000000
> +#define HASH_MD4 0x00000001
> +#define HASH_MD5 0x00000002
> +#define HASH_SHA1 0x00000003
> +#define HASH_SHA256 0x00000004
> +#define HASH_SHA384 0x00000005
> +#define HASH_SHA512 0x00000006
> +#define HASH_SM3_256 0x00000007
> +
> +
> +/**
> + Init hash sequence.
> +
> + @param HashHandle Hash handle.
> +
> + @retval TRUE Hash start and HashHandle returned.
> + @retval FALSE Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> + OUT HASH_HANDLE *HashHandle
> +);
> +
> +/**
> + Update hash data.
> +
> + @param HashHandle Hash handle.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> + IN HASH_HANDLE HashHandle,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> +);
> +
> +/**
> + Hash complete.
> +
> + @param HashHandle Hash handle.
> + @param Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> + IN HASH_HANDLE HashHandle,
> + OUT UINT8 *Digest
> +);
> +
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> new file mode 100644
> index 000000000000..776b74ad753b
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> @@ -0,0 +1,71 @@
> +/** @file
> + The internal header file includes the common header files, defines
> + internal structure and functions used by ImageVerificationLib.
> +
> +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR> This program and the accompanying materials are
> +licensed and made available under the terms and conditions of the BSD
> License
> +which accompanies this distribution. The full text of the license
> +may be found
> at
> +http://opensource.org/licenses/bsd-license.php
> +
> +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> OR IMPLIED.
> +
> +**/
> +
> +#ifndef __BASEHASHLIB_COMMON_H_
> +#define __BASEHASHLIB_COMMON_H_
> +
> +/**
> + Init hash sequence with Hash Algorithm specified by HashPolicy.
> +
> + @param HashHandle Hash handle.
> +
> + @retval EFI_SUCCESS Hash start and HashHandle returned.
> + @retval EFI_UNSUPPORTED System has no HASH library registered.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashInitInternal (
> + IN UINT8 HashPolicy,
> + OUT HASH_HANDLE *HashHandle
> + );
> +
> +/**
> + Hash complete with Hash Algorithm specified by HashPolicy.
> +
> + @param HashPolicy Hash Algorithm Policy.
> + @param HashHandle Hash handle.
> + @param Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashUpdateInternal (
> + IN UINT8 HashPolicy,
> + IN HASH_HANDLE HashHandle,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> + );
> +
> +/**
> + Update hash data with Hash Algorithm specified by HashPolicy.
> +
> + @param HashPolicy Hash Algorithm Policy.
> + @param HashHandle Hash handle.
> + @param DataToHash Data to be hashed.
> + @param DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashFinalInternal (
> + IN UINT8 HashPolicy,
> + IN HASH_HANDLE HashHandle,
> + OUT UINT8 **Digest
> + );
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> new file mode 100644
> index 000000000000..f97bda06108f
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> @@ -0,0 +1,47 @@
> +## @file
>
> +# Provides hash service by registered hash handler
>
> +#
>
> +# This library is Base Hash Lib. It will redirect hash request to
> +each individual
>
> +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.
>
> +#
>
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +##
>
> +
>
> +[Defines]
>
> + INF_VERSION = 0x00010005
>
> + BASE_NAME = BaseHashLibDxe
>
> + MODULE_UNI_FILE = BaseHashLibDxe.uni
>
> + FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
>
> + MODULE_TYPE = DXE_DRIVER
>
> + VERSION_STRING = 1.0
>
> + LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
>
> + CONSTRUCTOR = BaseHashLibApiDxeConstructor
8. Since the above function is actually empty, you can remove above line and
function in c file.
>
> +
>
> +#
>
> +# The following information is for reference only and not required by
> +the build
> tools.
>
> +#
>
> +# VALID_ARCHITECTURES = IA32 X64
>
> +#
>
> +
>
> +[Sources]
>
> + BaseHashLibCommon.h
>
> + BaseHashLibCommon.c
>
> + BaseHashLibDxe.c
>
> +
>
> +[Packages]
>
> + MdePkg/MdePkg.dec
>
> + CryptoPkg/CryptoPkg.dec
>
> + SecurityPkg/SecurityPkg.dec
>
> +
>
> +[LibraryClasses]
>
> + BaseLib
>
> + BaseMemoryLib
>
> + DebugLib
>
> + MemoryAllocationLib
>
> + BaseCryptLib
>
> + PcdLib
>
> +
>
> +[Pcd]
>
> + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> new file mode 100644
> index 000000000000..1865773b4a25
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> @@ -0,0 +1,18 @@
> +// /** @file
>
> +// Provides hash service by registered hash handler
>
> +//
>
> +// This library is Unified Hash API. It will redirect hash request to
> +each individual
>
> +// hash handler registered, such as SHA1, SHA256. Platform can use
> PcdTpm2HashMask to
>
> +// mask some hash engines.
>
> +//
>
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +//
>
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +//
>
> +// **/
>
> +
>
> +
>
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
>
> +
>
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler
> specified by PcdSystemHashPolicy."
>
> +
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> new file mode 100644
> index 000000000000..4d36030744bd
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> @@ -0,0 +1,52 @@
> +## @file
>
> +# Provides hash service by registered hash handler
>
> +#
>
> +# This library is BaseCrypto router. It will redirect hash request
> +to each
> individual
>
> +# hash handler registered, such as SHA1, SHA256.
>
> +#
>
> +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +##
>
> +
>
> +[Defines]
>
> + INF_VERSION = 0x00010005
>
> + BASE_NAME = BaseHashLibPei
>
> + MODULE_UNI_FILE = BaseHashLibPei.uni
>
> + FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
>
> + MODULE_TYPE = PEIM
>
> + VERSION_STRING = 1.0
>
> + LIBRARY_CLASS = BaseHashLib|PEIM
>
> + CONSTRUCTOR = BaseHashLibApiPeiConstructor
>
9. The same as 8
> +
>
> +#
>
> +# The following information is for reference only and not required by
> +the build
> tools.
>
> +#
>
> +# VALID_ARCHITECTURES = IA32 X64
>
> +#
>
> +
>
> +[Sources]
>
> + BaseHashLibCommon.h
>
> + BaseHashLibCommon.c
>
> + BaseHashLibPei.c
>
> +
>
> +[Packages]
>
> + MdePkg/MdePkg.dec
>
> + SecurityPkg/SecurityPkg.dec
>
> + CryptoPkg/CryptoPkg.dec
>
> + MdeModulePkg/MdeModulePkg.dec
>
> +
>
> +[LibraryClasses]
>
> + BaseLib
>
> + BaseMemoryLib
>
> + DebugLib
>
> + MemoryAllocationLib
>
> + BaseCryptLib
>
> + PcdLib
>
> +
>
> +[Guids]
>
> + ## SOMETIMES_CONSUMES ## GUID
>
> + gZeroGuid
>
> +
>
> +[Pcd]
>
> + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
>
> diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> new file mode 100644
> index 000000000000..2131b61bd235
> --- /dev/null
> +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> @@ -0,0 +1,17 @@
> +// /** @file
>
> +// Provides hash service by registered hash handler
>
> +//
>
> +// This library is Unified Hash API. It will redirect hash request to
> +each individual
>
> +// hash handler registered, such as SHA1, SHA256.
>
> +//
>
> +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> +//
>
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +//
>
> +// **/
>
> +
>
> +
>
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
>
> +
>
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler
> specified by PcdSystemHashPolicy."
>
> +
>
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index cac36caf0a0d..e0e144124ddd 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -5,7 +5,7 @@
> # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
> and library
> classes)
>
> # and libraries instances, which are used for those features.
>
> #
>
> -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> reserved.<BR>
>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP <BR>
>
> # Copyright (c) 2017, Microsoft Corporation. All rights reserved.
> <BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> @@ -27,6 +27,10 @@ [LibraryClasses]
> #
>
> HashLib|Include/Library/HashLib.h
>
>
>
> + ## @libraryclass Provides hash interfaces from different implementations.
>
> + #
>
> + BaseHashLib|Include/Library/HashLib.h
>
> +
>
> ## @libraryclass Provides a platform specific interface to detect
> physically present user.
>
> #
>
> PlatformSecureLib|Include/Library/PlatformSecureLib.h
>
> @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx]
> # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
>
>
> gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023
>
>
>
> +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
>
> + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF
> + image
>
> + # Based on the value set, the required algorithm is chosen to
> + verify
>
> + # the unsigned image during Secure Boot.<BR>
>
> + # The hashing algorithm selected must match the hashing algorithm
> + used to
>
> + # hash the image to be added to DB using tools such as
> + KeyEnroll.<BR>
>
> + # 0x00000001 - MD4.<BR>
>
> + # 0x00000002 - MD5.<BR>
>
> + # 0x00000003 - SHA1.<BR>
>
> + # 0x00000004 - SHA256.<BR>
>
> + # 0x00000005 - SHA384.<BR>
>
> + # 0x00000006 - SHA512.<BR>
>
> + # 0x00000007 - SM3_256.<BR>
>
> + # @Prompt Set policy for hashing unsigned image for Secure Boot.
>
> + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
>
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x0001002
> 4
>
> +
>
> [UserExtensions.TianoCore."ExtraFiles"]
>
> SecurityPkgExtra.uni
>
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> index a2eeadda7a7e..86a5847e2509 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -1,7 +1,7 @@
> ## @file
>
> # Security Module Package for All Architectures.
>
> #
>
> -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> reserved.<BR>
>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> # (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #
>
> @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
>
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.
> inf
>
>
> Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib
> Tcg2PhysicalPresenceLib|/PeiTc
> g2PhysicalPresenceLib.inf
>
> RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
>
> + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
>
>
>
> [LibraryClasses.common.DXE_DRIVER]
>
> HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
>
> @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER]
>
> Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg
> Tpm12DeviceLib|.i
> nf
>
>
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.
> Tpm2DeviceLib|in
> f
>
>
> FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.i
> nf
>
> + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
>
>
>
> [LibraryClasses.common.UEFI_DRIVER,
> LibraryClasses.common.DXE_RUNTIME_DRIVER,
> LibraryClasses.common.DXE_SAL_DRIVER,]
>
> HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
>
> @@ -211,6 +213,12 @@ [Components]
>
>
> SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
>
>
>
> + #
>
> + # Unified Hash API
>
> + #
>
> + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
>
> + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
>
> +
>
> #
>
> # TCG Storage.
>
> #
>
> diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni
> index 68587304d779..32ef97f81461 100644
> --- a/SecurityPkg/SecurityPkg.uni
> +++ b/SecurityPkg/SecurityPkg.uni
> @@ -5,7 +5,7 @@
> // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
> and library
> classes)
>
> // and libraries instances, which are used for those features.
>
> //
>
> -// Copyright (c) 2009 - 2018, Intel Corporation. All rights
> reserved.<BR>
>
> +// Copyright (c) 2009 - 2020, Intel Corporation. All rights
> +reserved.<BR>
>
> //
>
> // SPDX-License-Identifier: BSD-2-Clause-Patent
>
> //
>
> @@ -295,3 +295,16 @@
>
>
> #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP
> #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
>
>
> "0 means this field is unsupported\n"
>
> +
>
>
> +
> #string
> STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> #language en-US "HASH algorithm to verify unsigned PE/COFF image"
>
> +
>
> +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> #language en-US "This PCD indicates the HASH algorithm used by Unified
> Hash API.<BR><BR>\n"
>
> +
> + "Based on the value set, the
> required algorithm is chosen to calculate\n"
>
> + "the hash desired.<BR>\n"
>
> + "0x00000001 - MD4.<BR>\n"
>
> + "0x00000002 - MD5.<BR>\n"
>
> + "0x00000003 - SHA1.<BR>\n"
>
> +
> + "0x00000004 -
> SHA256.<BR>\n"
>
> +
> + "0x00000005 -
> SHA384.<BR>\n"
>
> +
> + "0x00000006 -
> SHA512.<BR>\n"
>
> + "0x00000007 - SM3.<BR>"
>
> --
> 2.16.2.windows.1
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
2020-01-15 23:01 ` Sukerkar, Amol N
@ 2020-01-16 3:38 ` Liming Gao
2020-01-16 4:27 ` Sukerkar, Amol N
0 siblings, 1 reply; 12+ messages in thread
From: Liming Gao @ 2020-01-16 3:38 UTC (permalink / raw)
To: Sukerkar, Amol N, devel@edk2.groups.io, Wang, Jian J
Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas
Yes. Does it catch EDK2 2020 Q1 stable tag?
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Thursday, January 16, 2020 7:02 AM
> To: Gao, Liming <liming.gao@intel.com>; devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin
> <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>; Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
>
> Hi Liming,
>
> We already have a ticket filed in Bugzilla, https://bugzilla.tianocore.org/show_bug.cgi?id=2151. Would this be sufficient?
>
> Thanks,
> Amol
>
> -----Original Message-----
> From: Gao, Liming <liming.gao@intel.com>
> Sent: Tuesday, January 14, 2020 8:47 PM
> To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>; Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin
> <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
> Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
>
> Amol:
> This is new feature. Please submit BZ (https://bugzilla.tianocore.org/) to track it. If this feature catches edk2 2020 Q1 stable tag, I will
> add it into edk2 feature planning.
>
> Thanks
> Liming
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wang, Jian J
> Sent: 2020年1月15日 11:14
> To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin
> <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
> Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
>
> Amol,
>
> 1. Your patch doesn't support hashing more than one algorithm at the same time.
> Is this on purpose? Sorry I don't remember the conclusion in last discussion.
> 2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h.
> You can use BaseTools\Scripts\PatchCheck.py to check it before sending patch.
>
> See my other comments below.
>
> > -----Original Message-----
> > From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > Sent: Tuesday, January 14, 2020 11:41 PM
> > To: devel@edk2.groups.io
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Agrawal,
> > Sachin <sachin.agrawal@intel.com>; Musti, Srinivas
> > <srinivas.musti@intel.com>
> > Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified
> > Hash Calculation API
> >
> > This commit introduces a Unified Hash API to calculate hash using a
> > hashing algorithm specified by the PCD, PcdSystemHashPolicy. This
> > library interfaces with the various hashing API, such as, MD4, MD5,
> > SHA1, SHA256,
> > SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate
> > the desired hash by setting PcdSystemHashPolicy to appropriate value.
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > ---
> >
> > Notes:
> > v2:
> > - Fixed the commit message format
> >
> > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252
> > ++++++++++++++++++++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
> > SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
> > SecurityPkg/SecurityPkg.dec | 23 +-
> > SecurityPkg/SecurityPkg.dsc | 10 +-
> > SecurityPkg/SecurityPkg.uni | 15 +-
> > 12 files changed, 833 insertions(+), 3 deletions(-)
> >
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > new file mode 100644
> > index 000000000000..f8742e55b5f7
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > @@ -0,0 +1,252 @@
> > +/** @file
> >
> > + Implement image verification services for secure boot service
> >
> > +
> >
> > + Caution: This file requires additional review when modified.
> >
> > + This library will have external input - PE/COFF image.
> >
> > + This external input must be validated carefully to avoid security
> > + issue like
> >
> > + buffer overflow, integer overflow.
> >
> > +
> >
> > + DxeImageVerificationLibImageRead() function will make sure the
> > + PE/COFF
> > image content
> >
> > + read is within the image buffer.
> >
> > +
> >
> > + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage()
> > function will accept
> >
> > + untrusted PE/COFF image and validate its data structure within this
> > + image
> > buffer before use.
> >
> > +
> >
> > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> >
> > +This program and the accompanying materials
> >
> > +are licensed and made available under the terms and conditions of the
> > +BSD
> > License
> >
> > +which accompanies this distribution. The full text of the license
> > +may be found
> > at
> >
> > +http://opensource.org/licenses/bsd-license.php
> >
> > +
> >
> > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> >
> > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> > OR IMPLIED.
> >
> > +
> >
> > +**/
> >
> > +
> >
> > +#include <Library/BaseLib.h>
> >
> > +#include <Library/BaseMemoryLib.h>
> >
> > +#include <Library/MemoryAllocationLib.h>
> >
> > +#include <Library/BaseCryptLib.h>
> >
> > +#include <Library/DebugLib.h>
> >
> > +#include <Library/PcdLib.h>
> >
> > +#include <Library/BaseHashLib.h>
> >
> > +
> >
> > +/**
> >
> > + Init hash sequence with Hash Algorithm specified by HashPolicy.
> >
> > +
> >
> > + @param HashPolicy Hash Algorithm Policy.
> >
> > + @param HashHandle Hash handle.
> >
> > +
> >
> > + @retval TRUE Hash start and HashHandle returned.
> >
> > + @retval FALSE Hash Init unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashInitInternal (
> >
> > + IN UINT8 HashPolicy,
> >
> > + OUT HASH_HANDLE *HashHandle
> >
> > + )
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + VOID *HashCtx;
> >
> > + UINTN CtxSize;
> >
> > +
> >
> > + switch (HashPolicy) {
> >
> > + case HASH_MD4:
> >
> > + CtxSize = Md4GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Md4Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + case HASH_MD5:
> >
> > + CtxSize = Md5GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Md5Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA1:
> >
> > + CtxSize = Sha1GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Sha1Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA256:
> >
> > + CtxSize = Sha256GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Sha256Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA384:
> >
> > + CtxSize = Sha384GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Sha384Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA512:
> >
> > + CtxSize = Sha512GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Sha512Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SM3_256:
> >
> > + CtxSize = Sm3GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Sm3Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + default:
> >
> > + ASSERT (FALSE);
> >
> > + break;
> >
> > + }
> >
> > +
>
> 3. Instead of switch..case, using a global array to defines all supported interfaces would be more efficient, since you can value of
> PcdSystemHashPolicy to index them directly.
>
> >
> > + *HashHandle = (HASH_HANDLE)HashCtx;
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + Update hash data with Hash Algorithm specified by HashPolicy.
> >
> > +
> >
> > + @param HashPolicy Hash Algorithm Policy.
> >
> > + @param HashHandle Hash handle.
> >
> > + @param DataToHash Data to be hashed.
> >
> > + @param DataToHashLen Data size.
> >
> > +
> >
> > + @retval TRUE Hash updated.
> >
> > + @retval FALSE Hash updated unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashUpdateInternal (
> >
> > + IN UINT8 HashPolicy,
> >
> > + IN HASH_HANDLE HashHandle,
> >
> > + IN VOID *DataToHash,
> >
> > + IN UINTN DataToHashLen
> >
> > + )
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + VOID *HashCtx;
> >
> > +
> >
> > + HashCtx = (VOID *)HashHandle;
> >
> > +
> >
> > + switch (HashPolicy) {
> >
> > + case HASH_MD4:
> >
> > + Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + case HASH_MD5:
> >
> > + Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA1:
> >
> > + Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA256:
> >
> > + Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA384:
> >
> > + Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA512:
> >
> > + Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SM3_256:
> >
> > + Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + default:
> >
> > + ASSERT (FALSE);
> >
> > + break;
> >
> > + }
> >
>
> 4. The same as 3
>
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + Hash complete with Hash Algorithm specified by HashPolicy.
> >
> > +
> >
> > + @param HashPolicy Hash Algorithm Policy.
> >
> > + @param HashHandle Hash handle.
> >
> > + @param Digest Hash Digest.
> >
> > +
> >
> > + @retval TRUE Hash complete and Digest is returned.
> >
> > + @retval FALSE Hash complete unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashFinalInternal (
> >
> > + IN UINT8 HashPolicy,
> >
> > + IN HASH_HANDLE HashHandle,
> >
> > + OUT UINT8 **Digest
> >
> > + )
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + VOID *HashCtx;
> >
> > + UINT8 DigestData[SHA512_DIGEST_SIZE];
> >
> > +
> >
> > + HashCtx = (VOID *)HashHandle;
> >
> > +
> >
> > + switch (HashPolicy) {
> >
> > + case HASH_MD4:
> >
> > + Status = Md4Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + case HASH_MD5:
> >
> > + Status = Md5Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA1:
> >
> > + Status = Sha1Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA256:
> >
> > + Status = Sha256Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA384:
> >
> > + Status = Sha384Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA512:
> >
> > + Status = Sha512Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SM3_256:
> >
> > + Status = Sm3Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + default:
> >
> > + ASSERT (FALSE);
> >
> > + break;
> >
>
> 5. The same as 3
>
> > + }
> >
> > +
> >
> > + FreePool (HashCtx);
> >
> > +
> >
> > + return Status;
> >
> > +}
> > \ No newline at end of file
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > new file mode 100644
> > index 000000000000..ea22cfe16e2f
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > @@ -0,0 +1,122 @@
> > +/** @file
> >
> > + This library is Unified Hash API. It will redirect hash request to
> >
> > + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> > + SHA256,
> >
> > + SHA384 and SM3...
> >
> > +
> >
> > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> > +<BR>
> >
> > +SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +
> >
> > +**/
> >
> > +
> >
> > +
> >
> > +#include <Library/BaseLib.h>
> >
> > +#include <Library/BaseMemoryLib.h>
> >
> > +#include <Library/MemoryAllocationLib.h>
> >
> > +#include <Library/DebugLib.h>
> >
> > +#include <Library/PcdLib.h>
> >
> > +#include <Library/BaseHashLib.h>
> >
> > +
> >
> > +#include "BaseHashLibCommon.h"
> >
> > +
> >
> > +/**
> >
> > + Init hash sequence.
> >
> > +
> >
> > + @param HashHandle Hash handle.
> >
> > +
> >
> > + @retval TRUE Hash start and HashHandle returned.
> >
> > + @retval FALSE Hash Init unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashApiInit (
> >
> > + OUT HASH_HANDLE *HashHandle
> >
> > +)
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + UINT8 HashPolicy;
> >
> > + HASH_HANDLE Handle;
> >
> > +
> >
> > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> >
> > +
> >
> > + Status = HashInitInternal (HashPolicy, &Handle);
> >
> > +
> >
> > + *HashHandle = Handle;
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + Update hash data.
> >
> > +
> >
> > + @param HashHandle Hash handle.
> >
> > + @param DataToHash Data to be hashed.
> >
> > + @param DataToHashLen Data size.
> >
> > +
> >
> > + @retval TRUE Hash updated.
> >
> > + @retval FALSE Hash updated unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashApiUpdate (
> >
> > + IN HASH_HANDLE HashHandle,
> >
> > + IN VOID *DataToHash,
> >
> > + IN UINTN DataToHashLen
> >
> > +)
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + UINT8 HashPolicy;
> >
> > +
> >
> > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> >
> > +
> >
> > + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> > DataToHashLen);
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + Hash complete.
> >
> > +
> >
> > + @param HashHandle Hash handle.
> >
> > + @param Digest Hash Digest.
> >
> > +
> >
> > + @retval TRUE Hash complete and Digest is returned.
> >
> > + @retval FALSE Hash complete unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashApiFinal (
> >
> > + IN HASH_HANDLE HashHandle,
> >
> > + OUT UINT8 *Digest
> >
> > +)
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + UINT8 HashPolicy;
> >
> > +
> >
> > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> >
> > +
> >
> > + Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + The constructor function of BaseHashLib Dxe.
> >
> > +
> >
> > + @param FileHandle The handle of FFS header the loaded driver.
> >
> > + @param PeiServices The pointer to the PEI services.
> >
> > +
> >
> > + @retval EFI_SUCCESS The constructor executes successfully.
> >
> > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> > constructor.
> >
> > +
> >
> > +**/
> >
> > +EFI_STATUS
> >
> > +EFIAPI
> >
> > +BaseHashLibApiDxeConstructor (
> >
> > + IN EFI_HANDLE ImageHandle,
> >
> > + IN EFI_SYSTEM_TABLE *SystemTable
> >
> > + )
> >
> > +{
> >
> > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n"));
> >
> > +
> >
> > + return EFI_SUCCESS;
> >
> > +}
>
> 6. Constructor is not necessary if you don't have anything to do with it.
> You can remove it from inf file and here.
>
> > \ No newline at end of file
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > new file mode 100644
> > index 000000000000..580ac21fc1d9
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > @@ -0,0 +1,125 @@
> > +/** @file
> >
> > + This library is Unified Hash API. It will redirect hash request to
> >
> > + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> > + SHA256,
> >
> > + SHA384 and SM3...
> >
> > +
> >
> > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> > +<BR>
> >
> > +SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +
> >
> > +**/
> >
> > +
> >
> > +
> >
> > +#include <Library/BaseLib.h>
> >
> > +#include <Library/BaseMemoryLib.h>
> >
> > +#include <Library/MemoryAllocationLib.h>
> >
> > +#include <Library/DebugLib.h>
> >
> > +#include <Library/PcdLib.h>
> >
> > +#include <Library/HashLib.h>
> >
> > +#include <Library/HobLib.h>
> >
> > +#include <Guid/ZeroGuid.h>
> >
> > +
> >
> > +#include <Library/BaseHashLib.h>
> >
> > +#include "BaseHashLibCommon.h"
> >
> > +
> >
> > +/**
> >
> > + Init hash sequence.
> >
> > +
> >
> > + @param HashHandle Hash handle.
> >
> > +
> >
> > + @retval TRUE Hash start and HashHandle returned.
> >
> > + @retval FALSE Hash Init unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashApiInit (
> >
> > + OUT HASH_HANDLE *HashHandle
> >
> > +)
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + UINT8 HashPolicy;
> >
> > + HASH_HANDLE Handle;
> >
> > +
> >
> > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> >
> > +
> >
> > + Status = HashInitInternal (HashPolicy, &Handle);
> >
> > +
> >
> > + *HashHandle = Handle;
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + Update hash data.
> >
> > +
> >
> > + @param HashHandle Hash handle.
> >
> > + @param DataToHash Data to be hashed.
> >
> > + @param DataToHashLen Data size.
> >
> > +
> >
> > + @retval TRUE Hash updated.
> >
> > + @retval FALSE Hash updated unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashApiUpdate (
> >
> > + IN HASH_HANDLE HashHandle,
> >
> > + IN VOID *DataToHash,
> >
> > + IN UINTN DataToHashLen
> >
> > +)
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + UINT8 HashPolicy;
> >
> > +
> >
> > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> >
> > +
> >
> > + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> > DataToHashLen);
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + Hash complete.
> >
> > +
> >
> > + @param HashHandle Hash handle.
> >
> > + @param Digest Hash Digest.
> >
> > +
> >
> > + @retval TRUE Hash complete and Digest is returned.
> >
> > + @retval FALSE Hash complete unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashApiFinal (
> >
> > + IN HASH_HANDLE HashHandle,
> >
> > + OUT UINT8 *Digest
> >
> > +)
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + UINT8 HashPolicy;
> >
> > +
> >
> > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> >
> > +
> >
> > + Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + The constructor function of BaseHashLib Pei.
> >
> > +
> >
> > + @param FileHandle The handle of FFS header the loaded driver.
> >
> > + @param PeiServices The pointer to the PEI services.
> >
> > +
> >
> > + @retval EFI_SUCCESS The constructor executes successfully.
> >
> > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> > constructor.
> >
> > +
> >
> > +**/
> >
> > +EFI_STATUS
> >
> > +EFIAPI
> >
> > +BaseHashLibApiPeiConstructor (
> >
> > + IN EFI_PEI_FILE_HANDLE FileHandle,
> >
> > + IN CONST EFI_PEI_SERVICES **PeiServices
> >
> > + )
> >
> > +{
> >
> > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n"));
> >
> > +
> >
> > + return EFI_SUCCESS;
> >
> > +}
>
> 7. The same as 6
>
> > \ No newline at end of file
> > diff --git a/SecurityPkg/Include/Library/BaseHashLib.h
> > b/SecurityPkg/Include/Library/BaseHashLib.h
> > new file mode 100644
> > index 000000000000..e1883fe7ce41
> > --- /dev/null
> > +++ b/SecurityPkg/Include/Library/BaseHashLib.h
> > @@ -0,0 +1,84 @@
> > +/** @file
> > + The internal header file includes the common header files, defines
> > + internal structure and functions used by ImageVerificationLib.
> > +
> > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > +reserved.<BR> This program and the accompanying materials are
> > +licensed and made available under the terms and conditions of the BSD
> > License
> > +which accompanies this distribution. The full text of the license
> > +may be found
> > at
> > +http://opensource.org/licenses/bsd-license.php
> > +
> > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> > OR IMPLIED.
> > +
> > +**/
> > +
> > +#ifndef __BASEHASHLIB_H_
> > +#define __BASEHASHLIB_H_
> > +
> > +#include <Uefi.h>
> > +#include <Protocol/Hash.h>
> > +#include <Library/HashLib.h>
> > +
> > +//
> > +// Hash Algorithms
> > +//
> > +#define HASH_DEFAULT 0x00000000
> > +#define HASH_MD4 0x00000001
> > +#define HASH_MD5 0x00000002
> > +#define HASH_SHA1 0x00000003
> > +#define HASH_SHA256 0x00000004
> > +#define HASH_SHA384 0x00000005
> > +#define HASH_SHA512 0x00000006
> > +#define HASH_SM3_256 0x00000007
> > +
> > +
> > +/**
> > + Init hash sequence.
> > +
> > + @param HashHandle Hash handle.
> > +
> > + @retval TRUE Hash start and HashHandle returned.
> > + @retval FALSE Hash Init unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiInit (
> > + OUT HASH_HANDLE *HashHandle
> > +);
> > +
> > +/**
> > + Update hash data.
> > +
> > + @param HashHandle Hash handle.
> > + @param DataToHash Data to be hashed.
> > + @param DataToHashLen Data size.
> > +
> > + @retval TRUE Hash updated.
> > + @retval FALSE Hash updated unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiUpdate (
> > + IN HASH_HANDLE HashHandle,
> > + IN VOID *DataToHash,
> > + IN UINTN DataToHashLen
> > +);
> > +
> > +/**
> > + Hash complete.
> > +
> > + @param HashHandle Hash handle.
> > + @param Digest Hash Digest.
> > +
> > + @retval TRUE Hash complete and Digest is returned.
> > + @retval FALSE Hash complete unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiFinal (
> > + IN HASH_HANDLE HashHandle,
> > + OUT UINT8 *Digest
> > +);
> > +
> > +#endif
> > \ No newline at end of file
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > new file mode 100644
> > index 000000000000..776b74ad753b
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > @@ -0,0 +1,71 @@
> > +/** @file
> > + The internal header file includes the common header files, defines
> > + internal structure and functions used by ImageVerificationLib.
> > +
> > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > +reserved.<BR> This program and the accompanying materials are
> > +licensed and made available under the terms and conditions of the BSD
> > License
> > +which accompanies this distribution. The full text of the license
> > +may be found
> > at
> > +http://opensource.org/licenses/bsd-license.php
> > +
> > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
> > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> > OR IMPLIED.
> > +
> > +**/
> > +
> > +#ifndef __BASEHASHLIB_COMMON_H_
> > +#define __BASEHASHLIB_COMMON_H_
> > +
> > +/**
> > + Init hash sequence with Hash Algorithm specified by HashPolicy.
> > +
> > + @param HashHandle Hash handle.
> > +
> > + @retval EFI_SUCCESS Hash start and HashHandle returned.
> > + @retval EFI_UNSUPPORTED System has no HASH library registered.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashInitInternal (
> > + IN UINT8 HashPolicy,
> > + OUT HASH_HANDLE *HashHandle
> > + );
> > +
> > +/**
> > + Hash complete with Hash Algorithm specified by HashPolicy.
> > +
> > + @param HashPolicy Hash Algorithm Policy.
> > + @param HashHandle Hash handle.
> > + @param Digest Hash Digest.
> > +
> > + @retval TRUE Hash complete and Digest is returned.
> > + @retval FALSE Hash complete unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashUpdateInternal (
> > + IN UINT8 HashPolicy,
> > + IN HASH_HANDLE HashHandle,
> > + IN VOID *DataToHash,
> > + IN UINTN DataToHashLen
> > + );
> > +
> > +/**
> > + Update hash data with Hash Algorithm specified by HashPolicy.
> > +
> > + @param HashPolicy Hash Algorithm Policy.
> > + @param HashHandle Hash handle.
> > + @param DataToHash Data to be hashed.
> > + @param DataToHashLen Data size.
> > +
> > + @retval TRUE Hash updated.
> > + @retval FALSE Hash updated unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashFinalInternal (
> > + IN UINT8 HashPolicy,
> > + IN HASH_HANDLE HashHandle,
> > + OUT UINT8 **Digest
> > + );
> > +#endif
> > \ No newline at end of file
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > new file mode 100644
> > index 000000000000..f97bda06108f
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > @@ -0,0 +1,47 @@
> > +## @file
> >
> > +# Provides hash service by registered hash handler
> >
> > +#
> >
> > +# This library is Base Hash Lib. It will redirect hash request to
> > +each individual
> >
> > +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.
> >
> > +#
> >
> > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +#
> >
> > +##
> >
> > +
> >
> > +[Defines]
> >
> > + INF_VERSION = 0x00010005
> >
> > + BASE_NAME = BaseHashLibDxe
> >
> > + MODULE_UNI_FILE = BaseHashLibDxe.uni
> >
> > + FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
> >
> > + MODULE_TYPE = DXE_DRIVER
> >
> > + VERSION_STRING = 1.0
> >
> > + LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> > DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
> >
> > + CONSTRUCTOR = BaseHashLibApiDxeConstructor
>
> 8. Since the above function is actually empty, you can remove above line and
> function in c file.
>
> >
> > +
> >
> > +#
> >
> > +# The following information is for reference only and not required by
> > +the build
> > tools.
> >
> > +#
> >
> > +# VALID_ARCHITECTURES = IA32 X64
> >
> > +#
> >
> > +
> >
> > +[Sources]
> >
> > + BaseHashLibCommon.h
> >
> > + BaseHashLibCommon.c
> >
> > + BaseHashLibDxe.c
> >
> > +
> >
> > +[Packages]
> >
> > + MdePkg/MdePkg.dec
> >
> > + CryptoPkg/CryptoPkg.dec
> >
> > + SecurityPkg/SecurityPkg.dec
> >
> > +
> >
> > +[LibraryClasses]
> >
> > + BaseLib
> >
> > + BaseMemoryLib
> >
> > + DebugLib
> >
> > + MemoryAllocationLib
> >
> > + BaseCryptLib
> >
> > + PcdLib
> >
> > +
> >
> > +[Pcd]
> >
> > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
> >
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > new file mode 100644
> > index 000000000000..1865773b4a25
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > @@ -0,0 +1,18 @@
> > +// /** @file
> >
> > +// Provides hash service by registered hash handler
> >
> > +//
> >
> > +// This library is Unified Hash API. It will redirect hash request to
> > +each individual
> >
> > +// hash handler registered, such as SHA1, SHA256. Platform can use
> > PcdTpm2HashMask to
> >
> > +// mask some hash engines.
> >
> > +//
> >
> > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > +//
> >
> > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +//
> >
> > +// **/
> >
> > +
> >
> > +
> >
> > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> > service by specified hash handler"
> >
> > +
> >
> > +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> > Unified Hash API. It will redirect hash request to the hash handler
> > specified by PcdSystemHashPolicy."
> >
> > +
> >
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > new file mode 100644
> > index 000000000000..4d36030744bd
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > @@ -0,0 +1,52 @@
> > +## @file
> >
> > +# Provides hash service by registered hash handler
> >
> > +#
> >
> > +# This library is BaseCrypto router. It will redirect hash request
> > +to each
> > individual
> >
> > +# hash handler registered, such as SHA1, SHA256.
> >
> > +#
> >
> > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +#
> >
> > +##
> >
> > +
> >
> > +[Defines]
> >
> > + INF_VERSION = 0x00010005
> >
> > + BASE_NAME = BaseHashLibPei
> >
> > + MODULE_UNI_FILE = BaseHashLibPei.uni
> >
> > + FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
> >
> > + MODULE_TYPE = PEIM
> >
> > + VERSION_STRING = 1.0
> >
> > + LIBRARY_CLASS = BaseHashLib|PEIM
> >
> > + CONSTRUCTOR = BaseHashLibApiPeiConstructor
> >
>
> 9. The same as 8
>
> > +
> >
> > +#
> >
> > +# The following information is for reference only and not required by
> > +the build
> > tools.
> >
> > +#
> >
> > +# VALID_ARCHITECTURES = IA32 X64
> >
> > +#
> >
> > +
> >
> > +[Sources]
> >
> > + BaseHashLibCommon.h
> >
> > + BaseHashLibCommon.c
> >
> > + BaseHashLibPei.c
> >
> > +
> >
> > +[Packages]
> >
> > + MdePkg/MdePkg.dec
> >
> > + SecurityPkg/SecurityPkg.dec
> >
> > + CryptoPkg/CryptoPkg.dec
> >
> > + MdeModulePkg/MdeModulePkg.dec
> >
> > +
> >
> > +[LibraryClasses]
> >
> > + BaseLib
> >
> > + BaseMemoryLib
> >
> > + DebugLib
> >
> > + MemoryAllocationLib
> >
> > + BaseCryptLib
> >
> > + PcdLib
> >
> > +
> >
> > +[Guids]
> >
> > + ## SOMETIMES_CONSUMES ## GUID
> >
> > + gZeroGuid
> >
> > +
> >
> > +[Pcd]
> >
> > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
> >
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > new file mode 100644
> > index 000000000000..2131b61bd235
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > @@ -0,0 +1,17 @@
> > +// /** @file
> >
> > +// Provides hash service by registered hash handler
> >
> > +//
> >
> > +// This library is Unified Hash API. It will redirect hash request to
> > +each individual
> >
> > +// hash handler registered, such as SHA1, SHA256.
> >
> > +//
> >
> > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > +//
> >
> > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +//
> >
> > +// **/
> >
> > +
> >
> > +
> >
> > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> > service by specified hash handler"
> >
> > +
> >
> > +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> > Unified Hash API. It will redirect hash request to the hash handler
> > specified by PcdSystemHashPolicy."
> >
> > +
> >
> > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> > index cac36caf0a0d..e0e144124ddd 100644
> > --- a/SecurityPkg/SecurityPkg.dec
> > +++ b/SecurityPkg/SecurityPkg.dec
> > @@ -5,7 +5,7 @@
> > # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
> > and library
> > classes)
> >
> > # and libraries instances, which are used for those features.
> >
> > #
> >
> > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> > reserved.<BR>
> >
> > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP <BR>
> >
> > # Copyright (c) 2017, Microsoft Corporation. All rights reserved.
> > <BR>
> >
> > # SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > @@ -27,6 +27,10 @@ [LibraryClasses]
> > #
> >
> > HashLib|Include/Library/HashLib.h
> >
> >
> >
> > + ## @libraryclass Provides hash interfaces from different implementations.
> >
> > + #
> >
> > + BaseHashLib|Include/Library/HashLib.h
> >
> > +
> >
> > ## @libraryclass Provides a platform specific interface to detect
> > physically present user.
> >
> > #
> >
> > PlatformSecureLib|Include/Library/PlatformSecureLib.h
> >
> > @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx]
> > # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
> >
> >
> > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023
> >
> >
> >
> > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
> >
> > + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF
> > + image
> >
> > + # Based on the value set, the required algorithm is chosen to
> > + verify
> >
> > + # the unsigned image during Secure Boot.<BR>
> >
> > + # The hashing algorithm selected must match the hashing algorithm
> > + used to
> >
> > + # hash the image to be added to DB using tools such as
> > + KeyEnroll.<BR>
> >
> > + # 0x00000001 - MD4.<BR>
> >
> > + # 0x00000002 - MD5.<BR>
> >
> > + # 0x00000003 - SHA1.<BR>
> >
> > + # 0x00000004 - SHA256.<BR>
> >
> > + # 0x00000005 - SHA384.<BR>
> >
> > + # 0x00000006 - SHA512.<BR>
> >
> > + # 0x00000007 - SM3_256.<BR>
> >
> > + # @Prompt Set policy for hashing unsigned image for Secure Boot.
> >
> > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> >
> > +
> > gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x0001002
> > 4
> >
> > +
> >
> > [UserExtensions.TianoCore."ExtraFiles"]
> >
> > SecurityPkgExtra.uni
> >
> > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> > index a2eeadda7a7e..86a5847e2509 100644
> > --- a/SecurityPkg/SecurityPkg.dsc
> > +++ b/SecurityPkg/SecurityPkg.dsc
> > @@ -1,7 +1,7 @@
> > ## @file
> >
> > # Security Module Package for All Architectures.
> >
> > #
> >
> > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> > reserved.<BR>
> >
> > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
> >
> > # SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > #
> >
> > @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
> >
> > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.
> > inf
> >
> >
> > Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib
> > Tcg2PhysicalPresenceLib|/PeiTc
> > g2PhysicalPresenceLib.inf
> >
> > RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
> >
> > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> >
> >
> >
> > [LibraryClasses.common.DXE_DRIVER]
> >
> > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
> >
> > @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER]
> >
> > Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg
> > Tpm12DeviceLib|.i
> > nf
> >
> >
> > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.
> > Tpm2DeviceLib|in
> > f
> >
> >
> > FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.i
> > nf
> >
> > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> >
> >
> >
> > [LibraryClasses.common.UEFI_DRIVER,
> > LibraryClasses.common.DXE_RUNTIME_DRIVER,
> > LibraryClasses.common.DXE_SAL_DRIVER,]
> >
> > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
> >
> > @@ -211,6 +213,12 @@ [Components]
> >
> >
> > SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
> >
> >
> >
> > + #
> >
> > + # Unified Hash API
> >
> > + #
> >
> > + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> >
> > + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> >
> > +
> >
> > #
> >
> > # TCG Storage.
> >
> > #
> >
> > diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni
> > index 68587304d779..32ef97f81461 100644
> > --- a/SecurityPkg/SecurityPkg.uni
> > +++ b/SecurityPkg/SecurityPkg.uni
> > @@ -5,7 +5,7 @@
> > // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
> > and library
> > classes)
> >
> > // and libraries instances, which are used for those features.
> >
> > //
> >
> > -// Copyright (c) 2009 - 2018, Intel Corporation. All rights
> > reserved.<BR>
> >
> > +// Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > //
> >
> > // SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > //
> >
> > @@ -295,3 +295,16 @@
> >
> >
> > #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP
> > #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
> >
> >
> > "0 means this field is unsupported\n"
> >
> > +
> >
> >
> > +
> > #string
> > STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> > #language en-US "HASH algorithm to verify unsigned PE/COFF image"
> >
> > +
> >
> > +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> > #language en-US "This PCD indicates the HASH algorithm used by Unified
> > Hash API.<BR><BR>\n"
> >
> > +
> > + "Based on the value set, the
> > required algorithm is chosen to calculate\n"
> >
> > + "the hash desired.<BR>\n"
> >
> > + "0x00000001 - MD4.<BR>\n"
> >
> > + "0x00000002 - MD5.<BR>\n"
> >
> > + "0x00000003 - SHA1.<BR>\n"
> >
> > +
> > + "0x00000004 -
> > SHA256.<BR>\n"
> >
> > +
> > + "0x00000005 -
> > SHA384.<BR>\n"
> >
> > +
> > + "0x00000006 -
> > SHA512.<BR>\n"
> >
> > + "0x00000007 - SM3.<BR>"
> >
> > --
> > 2.16.2.windows.1
>
>
>
>
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
2020-01-16 3:38 ` Liming Gao
@ 2020-01-16 4:27 ` Sukerkar, Amol N
2020-01-16 4:35 ` Liming Gao
0 siblings, 1 reply; 12+ messages in thread
From: Sukerkar, Amol N @ 2020-01-16 4:27 UTC (permalink / raw)
To: devel@edk2.groups.io, Gao, Liming, Wang, Jian J
Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas,
Sukerkar, Amol N
Thanks, Liming! How do I find out if it catches EDK 2020 Q1 stable tag?
~ Amol
-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Liming Gao
Sent: Wednesday, January 15, 2020 8:39 PM
To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
Yes. Does it catch EDK2 2020 Q1 stable tag?
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Thursday, January 16, 2020 7:02 AM
> To: Gao, Liming <liming.gao@intel.com>; devel@edk2.groups.io; Wang,
> Jian J <jian.j.wang@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> Musti, Srinivas <srinivas.musti@intel.com>; Sukerkar, Amol N
> <amol.n.sukerkar@intel.com>
> Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> Implement Unified Hash Calculation API
>
> Hi Liming,
>
> We already have a ticket filed in Bugzilla, https://bugzilla.tianocore.org/show_bug.cgi?id=2151. Would this be sufficient?
>
> Thanks,
> Amol
>
> -----Original Message-----
> From: Gao, Liming <liming.gao@intel.com>
> Sent: Tuesday, January 14, 2020 8:47 PM
> To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>;
> Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> Musti, Srinivas <srinivas.musti@intel.com>
> Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> Implement Unified Hash Calculation API
>
> Amol:
> This is new feature. Please submit BZ
> (https://bugzilla.tianocore.org/) to track it. If this feature catches edk2 2020 Q1 stable tag, I will add it into edk2 feature planning.
>
> Thanks
> Liming
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wang,
> Jian J
> Sent: 2020年1月15日 11:14
> To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> Musti, Srinivas <srinivas.musti@intel.com>
> Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> Implement Unified Hash Calculation API
>
> Amol,
>
> 1. Your patch doesn't support hashing more than one algorithm at the same time.
> Is this on purpose? Sorry I don't remember the conclusion in last discussion.
> 2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h.
> You can use BaseTools\Scripts\PatchCheck.py to check it before sending patch.
>
> See my other comments below.
>
> > -----Original Message-----
> > From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > Sent: Tuesday, January 14, 2020 11:41 PM
> > To: devel@edk2.groups.io
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> > Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas
> > <srinivas.musti@intel.com>
> > Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified
> > Hash Calculation API
> >
> > This commit introduces a Unified Hash API to calculate hash using a
> > hashing algorithm specified by the PCD, PcdSystemHashPolicy. This
> > library interfaces with the various hashing API, such as, MD4, MD5,
> > SHA1, SHA256,
> > SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate
> > the desired hash by setting PcdSystemHashPolicy to appropriate value.
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > ---
> >
> > Notes:
> > v2:
> > - Fixed the commit message format
> >
> > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252
> > ++++++++++++++++++++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
> > SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
> > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
> > SecurityPkg/SecurityPkg.dec | 23 +-
> > SecurityPkg/SecurityPkg.dsc | 10 +-
> > SecurityPkg/SecurityPkg.uni | 15 +-
> > 12 files changed, 833 insertions(+), 3 deletions(-)
> >
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > new file mode 100644
> > index 000000000000..f8742e55b5f7
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > @@ -0,0 +1,252 @@
> > +/** @file
> >
> > + Implement image verification services for secure boot service
> >
> > +
> >
> > + Caution: This file requires additional review when modified.
> >
> > + This library will have external input - PE/COFF image.
> >
> > + This external input must be validated carefully to avoid security
> > + issue like
> >
> > + buffer overflow, integer overflow.
> >
> > +
> >
> > + DxeImageVerificationLibImageRead() function will make sure the
> > + PE/COFF
> > image content
> >
> > + read is within the image buffer.
> >
> > +
> >
> > + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage()
> > function will accept
> >
> > + untrusted PE/COFF image and validate its data structure within
> > + this image
> > buffer before use.
> >
> > +
> >
> > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> >
> > +This program and the accompanying materials
> >
> > +are licensed and made available under the terms and conditions of
> > +the BSD
> > License
> >
> > +which accompanies this distribution. The full text of the license
> > +may be found
> > at
> >
> > +http://opensource.org/licenses/bsd-license.php
> >
> > +
> >
> > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > +BASIS,
> >
> > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> > OR IMPLIED.
> >
> > +
> >
> > +**/
> >
> > +
> >
> > +#include <Library/BaseLib.h>
> >
> > +#include <Library/BaseMemoryLib.h>
> >
> > +#include <Library/MemoryAllocationLib.h>
> >
> > +#include <Library/BaseCryptLib.h>
> >
> > +#include <Library/DebugLib.h>
> >
> > +#include <Library/PcdLib.h>
> >
> > +#include <Library/BaseHashLib.h>
> >
> > +
> >
> > +/**
> >
> > + Init hash sequence with Hash Algorithm specified by HashPolicy.
> >
> > +
> >
> > + @param HashPolicy Hash Algorithm Policy.
> >
> > + @param HashHandle Hash handle.
> >
> > +
> >
> > + @retval TRUE Hash start and HashHandle returned.
> >
> > + @retval FALSE Hash Init unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashInitInternal (
> >
> > + IN UINT8 HashPolicy,
> >
> > + OUT HASH_HANDLE *HashHandle
> >
> > + )
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + VOID *HashCtx;
> >
> > + UINTN CtxSize;
> >
> > +
> >
> > + switch (HashPolicy) {
> >
> > + case HASH_MD4:
> >
> > + CtxSize = Md4GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Md4Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + case HASH_MD5:
> >
> > + CtxSize = Md5GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Md5Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA1:
> >
> > + CtxSize = Sha1GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Sha1Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA256:
> >
> > + CtxSize = Sha256GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Sha256Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA384:
> >
> > + CtxSize = Sha384GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Sha384Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA512:
> >
> > + CtxSize = Sha512GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Sha512Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SM3_256:
> >
> > + CtxSize = Sm3GetContextSize ();
> >
> > + HashCtx = AllocatePool (CtxSize);
> >
> > + ASSERT (HashCtx != NULL);
> >
> > +
> >
> > + Status = Sm3Init (HashCtx);
> >
> > + break;
> >
> > +
> >
> > + default:
> >
> > + ASSERT (FALSE);
> >
> > + break;
> >
> > + }
> >
> > +
>
> 3. Instead of switch..case, using a global array to defines all
> supported interfaces would be more efficient, since you can value of PcdSystemHashPolicy to index them directly.
>
> >
> > + *HashHandle = (HASH_HANDLE)HashCtx;
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + Update hash data with Hash Algorithm specified by HashPolicy.
> >
> > +
> >
> > + @param HashPolicy Hash Algorithm Policy.
> >
> > + @param HashHandle Hash handle.
> >
> > + @param DataToHash Data to be hashed.
> >
> > + @param DataToHashLen Data size.
> >
> > +
> >
> > + @retval TRUE Hash updated.
> >
> > + @retval FALSE Hash updated unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashUpdateInternal (
> >
> > + IN UINT8 HashPolicy,
> >
> > + IN HASH_HANDLE HashHandle,
> >
> > + IN VOID *DataToHash,
> >
> > + IN UINTN DataToHashLen
> >
> > + )
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + VOID *HashCtx;
> >
> > +
> >
> > + HashCtx = (VOID *)HashHandle;
> >
> > +
> >
> > + switch (HashPolicy) {
> >
> > + case HASH_MD4:
> >
> > + Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + case HASH_MD5:
> >
> > + Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA1:
> >
> > + Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA256:
> >
> > + Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA384:
> >
> > + Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA512:
> >
> > + Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SM3_256:
> >
> > + Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
> >
> > + break;
> >
> > +
> >
> > + default:
> >
> > + ASSERT (FALSE);
> >
> > + break;
> >
> > + }
> >
>
> 4. The same as 3
>
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + Hash complete with Hash Algorithm specified by HashPolicy.
> >
> > +
> >
> > + @param HashPolicy Hash Algorithm Policy.
> >
> > + @param HashHandle Hash handle.
> >
> > + @param Digest Hash Digest.
> >
> > +
> >
> > + @retval TRUE Hash complete and Digest is returned.
> >
> > + @retval FALSE Hash complete unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashFinalInternal (
> >
> > + IN UINT8 HashPolicy,
> >
> > + IN HASH_HANDLE HashHandle,
> >
> > + OUT UINT8 **Digest
> >
> > + )
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + VOID *HashCtx;
> >
> > + UINT8 DigestData[SHA512_DIGEST_SIZE];
> >
> > +
> >
> > + HashCtx = (VOID *)HashHandle;
> >
> > +
> >
> > + switch (HashPolicy) {
> >
> > + case HASH_MD4:
> >
> > + Status = Md4Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + case HASH_MD5:
> >
> > + Status = Md5Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA1:
> >
> > + Status = Sha1Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA256:
> >
> > + Status = Sha256Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA384:
> >
> > + Status = Sha384Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SHA512:
> >
> > + Status = Sha512Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + case HASH_SM3_256:
> >
> > + Status = Sm3Final (HashCtx, DigestData);
> >
> > + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
> >
> > + break;
> >
> > +
> >
> > + default:
> >
> > + ASSERT (FALSE);
> >
> > + break;
> >
>
> 5. The same as 3
>
> > + }
> >
> > +
> >
> > + FreePool (HashCtx);
> >
> > +
> >
> > + return Status;
> >
> > +}
> > \ No newline at end of file
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > new file mode 100644
> > index 000000000000..ea22cfe16e2f
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > @@ -0,0 +1,122 @@
> > +/** @file
> >
> > + This library is Unified Hash API. It will redirect hash request
> > + to
> >
> > + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> > + SHA256,
> >
> > + SHA384 and SM3...
> >
> > +
> >
> > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> > +<BR>
> >
> > +SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +
> >
> > +**/
> >
> > +
> >
> > +
> >
> > +#include <Library/BaseLib.h>
> >
> > +#include <Library/BaseMemoryLib.h>
> >
> > +#include <Library/MemoryAllocationLib.h>
> >
> > +#include <Library/DebugLib.h>
> >
> > +#include <Library/PcdLib.h>
> >
> > +#include <Library/BaseHashLib.h>
> >
> > +
> >
> > +#include "BaseHashLibCommon.h"
> >
> > +
> >
> > +/**
> >
> > + Init hash sequence.
> >
> > +
> >
> > + @param HashHandle Hash handle.
> >
> > +
> >
> > + @retval TRUE Hash start and HashHandle returned.
> >
> > + @retval FALSE Hash Init unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashApiInit (
> >
> > + OUT HASH_HANDLE *HashHandle
> >
> > +)
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + UINT8 HashPolicy;
> >
> > + HASH_HANDLE Handle;
> >
> > +
> >
> > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> >
> > +
> >
> > + Status = HashInitInternal (HashPolicy, &Handle);
> >
> > +
> >
> > + *HashHandle = Handle;
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + Update hash data.
> >
> > +
> >
> > + @param HashHandle Hash handle.
> >
> > + @param DataToHash Data to be hashed.
> >
> > + @param DataToHashLen Data size.
> >
> > +
> >
> > + @retval TRUE Hash updated.
> >
> > + @retval FALSE Hash updated unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashApiUpdate (
> >
> > + IN HASH_HANDLE HashHandle,
> >
> > + IN VOID *DataToHash,
> >
> > + IN UINTN DataToHashLen
> >
> > +)
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + UINT8 HashPolicy;
> >
> > +
> >
> > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> >
> > +
> >
> > + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> > DataToHashLen);
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + Hash complete.
> >
> > +
> >
> > + @param HashHandle Hash handle.
> >
> > + @param Digest Hash Digest.
> >
> > +
> >
> > + @retval TRUE Hash complete and Digest is returned.
> >
> > + @retval FALSE Hash complete unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashApiFinal (
> >
> > + IN HASH_HANDLE HashHandle,
> >
> > + OUT UINT8 *Digest
> >
> > +)
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + UINT8 HashPolicy;
> >
> > +
> >
> > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> >
> > +
> >
> > + Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + The constructor function of BaseHashLib Dxe.
> >
> > +
> >
> > + @param FileHandle The handle of FFS header the loaded driver.
> >
> > + @param PeiServices The pointer to the PEI services.
> >
> > +
> >
> > + @retval EFI_SUCCESS The constructor executes successfully.
> >
> > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> > constructor.
> >
> > +
> >
> > +**/
> >
> > +EFI_STATUS
> >
> > +EFIAPI
> >
> > +BaseHashLibApiDxeConstructor (
> >
> > + IN EFI_HANDLE ImageHandle,
> >
> > + IN EFI_SYSTEM_TABLE *SystemTable
> >
> > + )
> >
> > +{
> >
> > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n"));
> >
> > +
> >
> > + return EFI_SUCCESS;
> >
> > +}
>
> 6. Constructor is not necessary if you don't have anything to do with it.
> You can remove it from inf file and here.
>
> > \ No newline at end of file
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > new file mode 100644
> > index 000000000000..580ac21fc1d9
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > @@ -0,0 +1,125 @@
> > +/** @file
> >
> > + This library is Unified Hash API. It will redirect hash request
> > + to
> >
> > + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> > + SHA256,
> >
> > + SHA384 and SM3...
> >
> > +
> >
> > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> > +<BR>
> >
> > +SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +
> >
> > +**/
> >
> > +
> >
> > +
> >
> > +#include <Library/BaseLib.h>
> >
> > +#include <Library/BaseMemoryLib.h>
> >
> > +#include <Library/MemoryAllocationLib.h>
> >
> > +#include <Library/DebugLib.h>
> >
> > +#include <Library/PcdLib.h>
> >
> > +#include <Library/HashLib.h>
> >
> > +#include <Library/HobLib.h>
> >
> > +#include <Guid/ZeroGuid.h>
> >
> > +
> >
> > +#include <Library/BaseHashLib.h>
> >
> > +#include "BaseHashLibCommon.h"
> >
> > +
> >
> > +/**
> >
> > + Init hash sequence.
> >
> > +
> >
> > + @param HashHandle Hash handle.
> >
> > +
> >
> > + @retval TRUE Hash start and HashHandle returned.
> >
> > + @retval FALSE Hash Init unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashApiInit (
> >
> > + OUT HASH_HANDLE *HashHandle
> >
> > +)
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + UINT8 HashPolicy;
> >
> > + HASH_HANDLE Handle;
> >
> > +
> >
> > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> >
> > +
> >
> > + Status = HashInitInternal (HashPolicy, &Handle);
> >
> > +
> >
> > + *HashHandle = Handle;
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + Update hash data.
> >
> > +
> >
> > + @param HashHandle Hash handle.
> >
> > + @param DataToHash Data to be hashed.
> >
> > + @param DataToHashLen Data size.
> >
> > +
> >
> > + @retval TRUE Hash updated.
> >
> > + @retval FALSE Hash updated unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashApiUpdate (
> >
> > + IN HASH_HANDLE HashHandle,
> >
> > + IN VOID *DataToHash,
> >
> > + IN UINTN DataToHashLen
> >
> > +)
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + UINT8 HashPolicy;
> >
> > +
> >
> > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> >
> > +
> >
> > + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> > DataToHashLen);
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + Hash complete.
> >
> > +
> >
> > + @param HashHandle Hash handle.
> >
> > + @param Digest Hash Digest.
> >
> > +
> >
> > + @retval TRUE Hash complete and Digest is returned.
> >
> > + @retval FALSE Hash complete unsuccessful.
> >
> > +**/
> >
> > +BOOLEAN
> >
> > +EFIAPI
> >
> > +HashApiFinal (
> >
> > + IN HASH_HANDLE HashHandle,
> >
> > + OUT UINT8 *Digest
> >
> > +)
> >
> > +{
> >
> > + BOOLEAN Status;
> >
> > + UINT8 HashPolicy;
> >
> > +
> >
> > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> >
> > +
> >
> > + Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
> >
> > +
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > +/**
> >
> > + The constructor function of BaseHashLib Pei.
> >
> > +
> >
> > + @param FileHandle The handle of FFS header the loaded driver.
> >
> > + @param PeiServices The pointer to the PEI services.
> >
> > +
> >
> > + @retval EFI_SUCCESS The constructor executes successfully.
> >
> > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> > constructor.
> >
> > +
> >
> > +**/
> >
> > +EFI_STATUS
> >
> > +EFIAPI
> >
> > +BaseHashLibApiPeiConstructor (
> >
> > + IN EFI_PEI_FILE_HANDLE FileHandle,
> >
> > + IN CONST EFI_PEI_SERVICES **PeiServices
> >
> > + )
> >
> > +{
> >
> > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n"));
> >
> > +
> >
> > + return EFI_SUCCESS;
> >
> > +}
>
> 7. The same as 6
>
> > \ No newline at end of file
> > diff --git a/SecurityPkg/Include/Library/BaseHashLib.h
> > b/SecurityPkg/Include/Library/BaseHashLib.h
> > new file mode 100644
> > index 000000000000..e1883fe7ce41
> > --- /dev/null
> > +++ b/SecurityPkg/Include/Library/BaseHashLib.h
> > @@ -0,0 +1,84 @@
> > +/** @file
> > + The internal header file includes the common header files,
> > +defines
> > + internal structure and functions used by ImageVerificationLib.
> > +
> > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > +reserved.<BR> This program and the accompanying materials are
> > +licensed and made available under the terms and conditions of the
> > +BSD
> > License
> > +which accompanies this distribution. The full text of the license
> > +may be found
> > at
> > +http://opensource.org/licenses/bsd-license.php
> > +
> > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > +BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> > +EXPRESS
> > OR IMPLIED.
> > +
> > +**/
> > +
> > +#ifndef __BASEHASHLIB_H_
> > +#define __BASEHASHLIB_H_
> > +
> > +#include <Uefi.h>
> > +#include <Protocol/Hash.h>
> > +#include <Library/HashLib.h>
> > +
> > +//
> > +// Hash Algorithms
> > +//
> > +#define HASH_DEFAULT 0x00000000
> > +#define HASH_MD4 0x00000001
> > +#define HASH_MD5 0x00000002
> > +#define HASH_SHA1 0x00000003
> > +#define HASH_SHA256 0x00000004
> > +#define HASH_SHA384 0x00000005
> > +#define HASH_SHA512 0x00000006
> > +#define HASH_SM3_256 0x00000007
> > +
> > +
> > +/**
> > + Init hash sequence.
> > +
> > + @param HashHandle Hash handle.
> > +
> > + @retval TRUE Hash start and HashHandle returned.
> > + @retval FALSE Hash Init unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiInit (
> > + OUT HASH_HANDLE *HashHandle
> > +);
> > +
> > +/**
> > + Update hash data.
> > +
> > + @param HashHandle Hash handle.
> > + @param DataToHash Data to be hashed.
> > + @param DataToHashLen Data size.
> > +
> > + @retval TRUE Hash updated.
> > + @retval FALSE Hash updated unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiUpdate (
> > + IN HASH_HANDLE HashHandle,
> > + IN VOID *DataToHash,
> > + IN UINTN DataToHashLen
> > +);
> > +
> > +/**
> > + Hash complete.
> > +
> > + @param HashHandle Hash handle.
> > + @param Digest Hash Digest.
> > +
> > + @retval TRUE Hash complete and Digest is returned.
> > + @retval FALSE Hash complete unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiFinal (
> > + IN HASH_HANDLE HashHandle,
> > + OUT UINT8 *Digest
> > +);
> > +
> > +#endif
> > \ No newline at end of file
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > new file mode 100644
> > index 000000000000..776b74ad753b
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > @@ -0,0 +1,71 @@
> > +/** @file
> > + The internal header file includes the common header files,
> > +defines
> > + internal structure and functions used by ImageVerificationLib.
> > +
> > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > +reserved.<BR> This program and the accompanying materials are
> > +licensed and made available under the terms and conditions of the
> > +BSD
> > License
> > +which accompanies this distribution. The full text of the license
> > +may be found
> > at
> > +http://opensource.org/licenses/bsd-license.php
> > +
> > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > +BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> > +EXPRESS
> > OR IMPLIED.
> > +
> > +**/
> > +
> > +#ifndef __BASEHASHLIB_COMMON_H_
> > +#define __BASEHASHLIB_COMMON_H_
> > +
> > +/**
> > + Init hash sequence with Hash Algorithm specified by HashPolicy.
> > +
> > + @param HashHandle Hash handle.
> > +
> > + @retval EFI_SUCCESS Hash start and HashHandle returned.
> > + @retval EFI_UNSUPPORTED System has no HASH library registered.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashInitInternal (
> > + IN UINT8 HashPolicy,
> > + OUT HASH_HANDLE *HashHandle
> > + );
> > +
> > +/**
> > + Hash complete with Hash Algorithm specified by HashPolicy.
> > +
> > + @param HashPolicy Hash Algorithm Policy.
> > + @param HashHandle Hash handle.
> > + @param Digest Hash Digest.
> > +
> > + @retval TRUE Hash complete and Digest is returned.
> > + @retval FALSE Hash complete unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashUpdateInternal (
> > + IN UINT8 HashPolicy,
> > + IN HASH_HANDLE HashHandle,
> > + IN VOID *DataToHash,
> > + IN UINTN DataToHashLen
> > + );
> > +
> > +/**
> > + Update hash data with Hash Algorithm specified by HashPolicy.
> > +
> > + @param HashPolicy Hash Algorithm Policy.
> > + @param HashHandle Hash handle.
> > + @param DataToHash Data to be hashed.
> > + @param DataToHashLen Data size.
> > +
> > + @retval TRUE Hash updated.
> > + @retval FALSE Hash updated unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashFinalInternal (
> > + IN UINT8 HashPolicy,
> > + IN HASH_HANDLE HashHandle,
> > + OUT UINT8 **Digest
> > + );
> > +#endif
> > \ No newline at end of file
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > new file mode 100644
> > index 000000000000..f97bda06108f
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > @@ -0,0 +1,47 @@
> > +## @file
> >
> > +# Provides hash service by registered hash handler
> >
> > +#
> >
> > +# This library is Base Hash Lib. It will redirect hash request to
> > +each individual
> >
> > +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.
> >
> > +#
> >
> > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +#
> >
> > +##
> >
> > +
> >
> > +[Defines]
> >
> > + INF_VERSION = 0x00010005
> >
> > + BASE_NAME = BaseHashLibDxe
> >
> > + MODULE_UNI_FILE = BaseHashLibDxe.uni
> >
> > + FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
> >
> > + MODULE_TYPE = DXE_DRIVER
> >
> > + VERSION_STRING = 1.0
> >
> > + LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> > DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
> >
> > + CONSTRUCTOR = BaseHashLibApiDxeConstructor
>
> 8. Since the above function is actually empty, you can remove above line and
> function in c file.
>
> >
> > +
> >
> > +#
> >
> > +# The following information is for reference only and not required
> > +by the build
> > tools.
> >
> > +#
> >
> > +# VALID_ARCHITECTURES = IA32 X64
> >
> > +#
> >
> > +
> >
> > +[Sources]
> >
> > + BaseHashLibCommon.h
> >
> > + BaseHashLibCommon.c
> >
> > + BaseHashLibDxe.c
> >
> > +
> >
> > +[Packages]
> >
> > + MdePkg/MdePkg.dec
> >
> > + CryptoPkg/CryptoPkg.dec
> >
> > + SecurityPkg/SecurityPkg.dec
> >
> > +
> >
> > +[LibraryClasses]
> >
> > + BaseLib
> >
> > + BaseMemoryLib
> >
> > + DebugLib
> >
> > + MemoryAllocationLib
> >
> > + BaseCryptLib
> >
> > + PcdLib
> >
> > +
> >
> > +[Pcd]
> >
> > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
> >
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > new file mode 100644
> > index 000000000000..1865773b4a25
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > @@ -0,0 +1,18 @@
> > +// /** @file
> >
> > +// Provides hash service by registered hash handler
> >
> > +//
> >
> > +// This library is Unified Hash API. It will redirect hash request
> > +to each individual
> >
> > +// hash handler registered, such as SHA1, SHA256. Platform can use
> > PcdTpm2HashMask to
> >
> > +// mask some hash engines.
> >
> > +//
> >
> > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > +//
> >
> > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +//
> >
> > +// **/
> >
> > +
> >
> > +
> >
> > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> > service by specified hash handler"
> >
> > +
> >
> > +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> > Unified Hash API. It will redirect hash request to the hash handler
> > specified by PcdSystemHashPolicy."
> >
> > +
> >
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > new file mode 100644
> > index 000000000000..4d36030744bd
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > @@ -0,0 +1,52 @@
> > +## @file
> >
> > +# Provides hash service by registered hash handler
> >
> > +#
> >
> > +# This library is BaseCrypto router. It will redirect hash request
> > +to each
> > individual
> >
> > +# hash handler registered, such as SHA1, SHA256.
> >
> > +#
> >
> > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +#
> >
> > +##
> >
> > +
> >
> > +[Defines]
> >
> > + INF_VERSION = 0x00010005
> >
> > + BASE_NAME = BaseHashLibPei
> >
> > + MODULE_UNI_FILE = BaseHashLibPei.uni
> >
> > + FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
> >
> > + MODULE_TYPE = PEIM
> >
> > + VERSION_STRING = 1.0
> >
> > + LIBRARY_CLASS = BaseHashLib|PEIM
> >
> > + CONSTRUCTOR = BaseHashLibApiPeiConstructor
> >
>
> 9. The same as 8
>
> > +
> >
> > +#
> >
> > +# The following information is for reference only and not required
> > +by the build
> > tools.
> >
> > +#
> >
> > +# VALID_ARCHITECTURES = IA32 X64
> >
> > +#
> >
> > +
> >
> > +[Sources]
> >
> > + BaseHashLibCommon.h
> >
> > + BaseHashLibCommon.c
> >
> > + BaseHashLibPei.c
> >
> > +
> >
> > +[Packages]
> >
> > + MdePkg/MdePkg.dec
> >
> > + SecurityPkg/SecurityPkg.dec
> >
> > + CryptoPkg/CryptoPkg.dec
> >
> > + MdeModulePkg/MdeModulePkg.dec
> >
> > +
> >
> > +[LibraryClasses]
> >
> > + BaseLib
> >
> > + BaseMemoryLib
> >
> > + DebugLib
> >
> > + MemoryAllocationLib
> >
> > + BaseCryptLib
> >
> > + PcdLib
> >
> > +
> >
> > +[Guids]
> >
> > + ## SOMETIMES_CONSUMES ## GUID
> >
> > + gZeroGuid
> >
> > +
> >
> > +[Pcd]
> >
> > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
> >
> > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > new file mode 100644
> > index 000000000000..2131b61bd235
> > --- /dev/null
> > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > @@ -0,0 +1,17 @@
> > +// /** @file
> >
> > +// Provides hash service by registered hash handler
> >
> > +//
> >
> > +// This library is Unified Hash API. It will redirect hash request
> > +to each individual
> >
> > +// hash handler registered, such as SHA1, SHA256.
> >
> > +//
> >
> > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > +//
> >
> > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +//
> >
> > +// **/
> >
> > +
> >
> > +
> >
> > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> > service by specified hash handler"
> >
> > +
> >
> > +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> > Unified Hash API. It will redirect hash request to the hash handler
> > specified by PcdSystemHashPolicy."
> >
> > +
> >
> > diff --git a/SecurityPkg/SecurityPkg.dec
> > b/SecurityPkg/SecurityPkg.dec index cac36caf0a0d..e0e144124ddd
> > 100644
> > --- a/SecurityPkg/SecurityPkg.dec
> > +++ b/SecurityPkg/SecurityPkg.dec
> > @@ -5,7 +5,7 @@
> > # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
> > and library
> > classes)
> >
> > # and libraries instances, which are used for those features.
> >
> > #
> >
> > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> > reserved.<BR>
> >
> > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP <BR>
> >
> > # Copyright (c) 2017, Microsoft Corporation. All rights reserved.
> > <BR>
> >
> > # SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > @@ -27,6 +27,10 @@ [LibraryClasses]
> > #
> >
> > HashLib|Include/Library/HashLib.h
> >
> >
> >
> > + ## @libraryclass Provides hash interfaces from different implementations.
> >
> > + #
> >
> > + BaseHashLib|Include/Library/HashLib.h
> >
> > +
> >
> > ## @libraryclass Provides a platform specific interface to
> > detect physically present user.
> >
> > #
> >
> > PlatformSecureLib|Include/Library/PlatformSecureLib.h
> >
> > @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx]
> > # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
> >
> >
> > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x000100
> > 23
> >
> >
> >
> > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic,
> > +PcdsDynamicEx]
> >
> > + ## This PCD indicates the HASH algorithm to verify unsigned
> > + PE/COFF image
> >
> > + # Based on the value set, the required algorithm is chosen to
> > + verify
> >
> > + # the unsigned image during Secure Boot.<BR>
> >
> > + # The hashing algorithm selected must match the hashing
> > + algorithm used to
> >
> > + # hash the image to be added to DB using tools such as
> > + KeyEnroll.<BR>
> >
> > + # 0x00000001 - MD4.<BR>
> >
> > + # 0x00000002 - MD5.<BR>
> >
> > + # 0x00000003 - SHA1.<BR>
> >
> > + # 0x00000004 - SHA256.<BR>
> >
> > + # 0x00000005 - SHA384.<BR>
> >
> > + # 0x00000006 - SHA512.<BR>
> >
> > + # 0x00000007 - SM3_256.<BR>
> >
> > + # @Prompt Set policy for hashing unsigned image for Secure Boot.
> >
> > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> >
> > +
> > gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x00010
> > 02
> > 4
> >
> > +
> >
> > [UserExtensions.TianoCore."ExtraFiles"]
> >
> > SecurityPkgExtra.uni
> >
> > diff --git a/SecurityPkg/SecurityPkg.dsc
> > b/SecurityPkg/SecurityPkg.dsc index a2eeadda7a7e..86a5847e2509
> > 100644
> > --- a/SecurityPkg/SecurityPkg.dsc
> > +++ b/SecurityPkg/SecurityPkg.dsc
> > @@ -1,7 +1,7 @@
> > ## @file
> >
> > # Security Module Package for All Architectures.
> >
> > #
> >
> > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> > reserved.<BR>
> >
> > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
> >
> > # SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > #
> >
> > @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
> >
> > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.
> > inf
> >
> >
> > Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceL
> > Tcg2PhysicalPresenceLib|ib
> > Tcg2PhysicalPresenceLib|/PeiTc
> > g2PhysicalPresenceLib.inf
> >
> > RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
> >
> > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> >
> >
> >
> > [LibraryClasses.common.DXE_DRIVER]
> >
> > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
> >
> > @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER]
> >
> > Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibT
> > Tpm12DeviceLib|cg
> > Tpm12DeviceLib|.i
> > nf
> >
> >
> > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.
> > Tpm2DeviceLib|in
> > f
> >
> >
> > FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib
> > FileExplorerLib|.i
> > nf
> >
> > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> >
> >
> >
> > [LibraryClasses.common.UEFI_DRIVER,
> > LibraryClasses.common.DXE_RUNTIME_DRIVER,
> > LibraryClasses.common.DXE_SAL_DRIVER,]
> >
> > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
> >
> > @@ -211,6 +213,12 @@ [Components]
> >
> >
> > SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
> >
> >
> >
> > + #
> >
> > + # Unified Hash API
> >
> > + #
> >
> > + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> >
> > + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> >
> > +
> >
> > #
> >
> > # TCG Storage.
> >
> > #
> >
> > diff --git a/SecurityPkg/SecurityPkg.uni
> > b/SecurityPkg/SecurityPkg.uni index 68587304d779..32ef97f81461
> > 100644
> > --- a/SecurityPkg/SecurityPkg.uni
> > +++ b/SecurityPkg/SecurityPkg.uni
> > @@ -5,7 +5,7 @@
> > // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
> > and library
> > classes)
> >
> > // and libraries instances, which are used for those features.
> >
> > //
> >
> > -// Copyright (c) 2009 - 2018, Intel Corporation. All rights
> > reserved.<BR>
> >
> > +// Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > +reserved.<BR>
> >
> > //
> >
> > // SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > //
> >
> > @@ -295,3 +295,16 @@
> >
> >
> > #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP
> > #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
> >
> >
> > "0 means this field is unsupported\n"
> >
> > +
> >
> >
> > +
> > #string
> > STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> > #language en-US "HASH algorithm to verify unsigned PE/COFF image"
> >
> > +
> >
> > +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> > #language en-US "This PCD indicates the HASH algorithm used by
> > Unified Hash API.<BR><BR>\n"
> >
> > +
> > + "Based on the value set, the
> > required algorithm is chosen to calculate\n"
> >
> > + "the hash desired.<BR>\n"
> >
> > + "0x00000001 - MD4.<BR>\n"
> >
> > + "0x00000002 - MD5.<BR>\n"
> >
> > + "0x00000003 - SHA1.<BR>\n"
> >
> > +
> > + "0x00000004 -
> > SHA256.<BR>\n"
> >
> > +
> > + "0x00000005 -
> > SHA384.<BR>\n"
> >
> > +
> > + "0x00000006 -
> > SHA512.<BR>\n"
> >
> > + "0x00000007 - SM3.<BR>"
> >
> > --
> > 2.16.2.windows.1
>
>
>
>
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
2020-01-16 4:27 ` Sukerkar, Amol N
@ 2020-01-16 4:35 ` Liming Gao
2020-01-16 16:58 ` Sukerkar, Amol N
0 siblings, 1 reply; 12+ messages in thread
From: Liming Gao @ 2020-01-16 4:35 UTC (permalink / raw)
To: Sukerkar, Amol N, devel@edk2.groups.io, Wang, Jian J
Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas
If this change plans to catch edk2 2020 Q1 stable tag, I will add it into https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
Then, you need to follow Q1 stable tag schedule to finish this change.
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Thursday, January 16, 2020 12:27 PM
> To: devel@edk2.groups.io; Gao, Liming <liming.gao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin
> <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>; Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
>
> Thanks, Liming! How do I find out if it catches EDK 2020 Q1 stable tag?
>
> ~ Amol
>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Liming Gao
> Sent: Wednesday, January 15, 2020 8:39 PM
> To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin
> <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
> Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
>
> Yes. Does it catch EDK2 2020 Q1 stable tag?
>
> > -----Original Message-----
> > From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > Sent: Thursday, January 16, 2020 7:02 AM
> > To: Gao, Liming <liming.gao@intel.com>; devel@edk2.groups.io; Wang,
> > Jian J <jian.j.wang@intel.com>
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> > Musti, Srinivas <srinivas.musti@intel.com>; Sukerkar, Amol N
> > <amol.n.sukerkar@intel.com>
> > Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> > Implement Unified Hash Calculation API
> >
> > Hi Liming,
> >
> > We already have a ticket filed in Bugzilla, https://bugzilla.tianocore.org/show_bug.cgi?id=2151. Would this be sufficient?
> >
> > Thanks,
> > Amol
> >
> > -----Original Message-----
> > From: Gao, Liming <liming.gao@intel.com>
> > Sent: Tuesday, January 14, 2020 8:47 PM
> > To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>;
> > Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> > Musti, Srinivas <srinivas.musti@intel.com>
> > Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> > Implement Unified Hash Calculation API
> >
> > Amol:
> > This is new feature. Please submit BZ
> > (https://bugzilla.tianocore.org/) to track it. If this feature catches edk2 2020 Q1 stable tag, I will add it into edk2 feature planning.
> >
> > Thanks
> > Liming
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wang,
> > Jian J
> > Sent: 2020年1月15日 11:14
> > To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> > Musti, Srinivas <srinivas.musti@intel.com>
> > Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> > Implement Unified Hash Calculation API
> >
> > Amol,
> >
> > 1. Your patch doesn't support hashing more than one algorithm at the same time.
> > Is this on purpose? Sorry I don't remember the conclusion in last discussion.
> > 2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h.
> > You can use BaseTools\Scripts\PatchCheck.py to check it before sending patch.
> >
> > See my other comments below.
> >
> > > -----Original Message-----
> > > From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > > Sent: Tuesday, January 14, 2020 11:41 PM
> > > To: devel@edk2.groups.io
> > > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > > <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> > > Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas
> > > <srinivas.musti@intel.com>
> > > Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified
> > > Hash Calculation API
> > >
> > > This commit introduces a Unified Hash API to calculate hash using a
> > > hashing algorithm specified by the PCD, PcdSystemHashPolicy. This
> > > library interfaces with the various hashing API, such as, MD4, MD5,
> > > SHA1, SHA256,
> > > SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate
> > > the desired hash by setting PcdSystemHashPolicy to appropriate value.
> > >
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > > ---
> > >
> > > Notes:
> > > v2:
> > > - Fixed the commit message format
> > >
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252
> > > ++++++++++++++++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
> > > SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
> > > SecurityPkg/SecurityPkg.dec | 23 +-
> > > SecurityPkg/SecurityPkg.dsc | 10 +-
> > > SecurityPkg/SecurityPkg.uni | 15 +-
> > > 12 files changed, 833 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > > new file mode 100644
> > > index 000000000000..f8742e55b5f7
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > > @@ -0,0 +1,252 @@
> > > +/** @file
> > >
> > > + Implement image verification services for secure boot service
> > >
> > > +
> > >
> > > + Caution: This file requires additional review when modified.
> > >
> > > + This library will have external input - PE/COFF image.
> > >
> > > + This external input must be validated carefully to avoid security
> > > + issue like
> > >
> > > + buffer overflow, integer overflow.
> > >
> > > +
> > >
> > > + DxeImageVerificationLibImageRead() function will make sure the
> > > + PE/COFF
> > > image content
> > >
> > > + read is within the image buffer.
> > >
> > > +
> > >
> > > + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage()
> > > function will accept
> > >
> > > + untrusted PE/COFF image and validate its data structure within
> > > + this image
> > > buffer before use.
> > >
> > > +
> > >
> > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> > >
> > > +This program and the accompanying materials
> > >
> > > +are licensed and made available under the terms and conditions of
> > > +the BSD
> > > License
> > >
> > > +which accompanies this distribution. The full text of the license
> > > +may be found
> > > at
> > >
> > > +http://opensource.org/licenses/bsd-license.php
> > >
> > > +
> > >
> > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > > +BASIS,
> > >
> > > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> > > OR IMPLIED.
> > >
> > > +
> > >
> > > +**/
> > >
> > > +
> > >
> > > +#include <Library/BaseLib.h>
> > >
> > > +#include <Library/BaseMemoryLib.h>
> > >
> > > +#include <Library/MemoryAllocationLib.h>
> > >
> > > +#include <Library/BaseCryptLib.h>
> > >
> > > +#include <Library/DebugLib.h>
> > >
> > > +#include <Library/PcdLib.h>
> > >
> > > +#include <Library/BaseHashLib.h>
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Init hash sequence with Hash Algorithm specified by HashPolicy.
> > >
> > > +
> > >
> > > + @param HashPolicy Hash Algorithm Policy.
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > +
> > >
> > > + @retval TRUE Hash start and HashHandle returned.
> > >
> > > + @retval FALSE Hash Init unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashInitInternal (
> > >
> > > + IN UINT8 HashPolicy,
> > >
> > > + OUT HASH_HANDLE *HashHandle
> > >
> > > + )
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + VOID *HashCtx;
> > >
> > > + UINTN CtxSize;
> > >
> > > +
> > >
> > > + switch (HashPolicy) {
> > >
> > > + case HASH_MD4:
> > >
> > > + CtxSize = Md4GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Md4Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_MD5:
> > >
> > > + CtxSize = Md5GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Md5Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA1:
> > >
> > > + CtxSize = Sha1GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha1Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA256:
> > >
> > > + CtxSize = Sha256GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha256Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA384:
> > >
> > > + CtxSize = Sha384GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha384Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA512:
> > >
> > > + CtxSize = Sha512GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha512Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SM3_256:
> > >
> > > + CtxSize = Sm3GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sm3Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + default:
> > >
> > > + ASSERT (FALSE);
> > >
> > > + break;
> > >
> > > + }
> > >
> > > +
> >
> > 3. Instead of switch..case, using a global array to defines all
> > supported interfaces would be more efficient, since you can value of PcdSystemHashPolicy to index them directly.
> >
> > >
> > > + *HashHandle = (HASH_HANDLE)HashCtx;
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Update hash data with Hash Algorithm specified by HashPolicy.
> > >
> > > +
> > >
> > > + @param HashPolicy Hash Algorithm Policy.
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param DataToHash Data to be hashed.
> > >
> > > + @param DataToHashLen Data size.
> > >
> > > +
> > >
> > > + @retval TRUE Hash updated.
> > >
> > > + @retval FALSE Hash updated unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashUpdateInternal (
> > >
> > > + IN UINT8 HashPolicy,
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + IN VOID *DataToHash,
> > >
> > > + IN UINTN DataToHashLen
> > >
> > > + )
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + VOID *HashCtx;
> > >
> > > +
> > >
> > > + HashCtx = (VOID *)HashHandle;
> > >
> > > +
> > >
> > > + switch (HashPolicy) {
> > >
> > > + case HASH_MD4:
> > >
> > > + Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_MD5:
> > >
> > > + Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA1:
> > >
> > > + Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA256:
> > >
> > > + Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA384:
> > >
> > > + Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA512:
> > >
> > > + Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SM3_256:
> > >
> > > + Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + default:
> > >
> > > + ASSERT (FALSE);
> > >
> > > + break;
> > >
> > > + }
> > >
> >
> > 4. The same as 3
> >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Hash complete with Hash Algorithm specified by HashPolicy.
> > >
> > > +
> > >
> > > + @param HashPolicy Hash Algorithm Policy.
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param Digest Hash Digest.
> > >
> > > +
> > >
> > > + @retval TRUE Hash complete and Digest is returned.
> > >
> > > + @retval FALSE Hash complete unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashFinalInternal (
> > >
> > > + IN UINT8 HashPolicy,
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + OUT UINT8 **Digest
> > >
> > > + )
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + VOID *HashCtx;
> > >
> > > + UINT8 DigestData[SHA512_DIGEST_SIZE];
> > >
> > > +
> > >
> > > + HashCtx = (VOID *)HashHandle;
> > >
> > > +
> > >
> > > + switch (HashPolicy) {
> > >
> > > + case HASH_MD4:
> > >
> > > + Status = Md4Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_MD5:
> > >
> > > + Status = Md5Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA1:
> > >
> > > + Status = Sha1Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA256:
> > >
> > > + Status = Sha256Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA384:
> > >
> > > + Status = Sha384Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA512:
> > >
> > > + Status = Sha512Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SM3_256:
> > >
> > > + Status = Sm3Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + default:
> > >
> > > + ASSERT (FALSE);
> > >
> > > + break;
> > >
> >
> > 5. The same as 3
> >
> > > + }
> > >
> > > +
> > >
> > > + FreePool (HashCtx);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > > new file mode 100644
> > > index 000000000000..ea22cfe16e2f
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > > @@ -0,0 +1,122 @@
> > > +/** @file
> > >
> > > + This library is Unified Hash API. It will redirect hash request
> > > + to
> > >
> > > + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> > > + SHA256,
> > >
> > > + SHA384 and SM3...
> > >
> > > +
> > >
> > > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> > > +<BR>
> > >
> > > +SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +
> > >
> > > +**/
> > >
> > > +
> > >
> > > +
> > >
> > > +#include <Library/BaseLib.h>
> > >
> > > +#include <Library/BaseMemoryLib.h>
> > >
> > > +#include <Library/MemoryAllocationLib.h>
> > >
> > > +#include <Library/DebugLib.h>
> > >
> > > +#include <Library/PcdLib.h>
> > >
> > > +#include <Library/BaseHashLib.h>
> > >
> > > +
> > >
> > > +#include "BaseHashLibCommon.h"
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Init hash sequence.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > +
> > >
> > > + @retval TRUE Hash start and HashHandle returned.
> > >
> > > + @retval FALSE Hash Init unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiInit (
> > >
> > > + OUT HASH_HANDLE *HashHandle
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > + HASH_HANDLE Handle;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashInitInternal (HashPolicy, &Handle);
> > >
> > > +
> > >
> > > + *HashHandle = Handle;
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Update hash data.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param DataToHash Data to be hashed.
> > >
> > > + @param DataToHashLen Data size.
> > >
> > > +
> > >
> > > + @retval TRUE Hash updated.
> > >
> > > + @retval FALSE Hash updated unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiUpdate (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + IN VOID *DataToHash,
> > >
> > > + IN UINTN DataToHashLen
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> > > DataToHashLen);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Hash complete.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param Digest Hash Digest.
> > >
> > > +
> > >
> > > + @retval TRUE Hash complete and Digest is returned.
> > >
> > > + @retval FALSE Hash complete unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiFinal (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + OUT UINT8 *Digest
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + The constructor function of BaseHashLib Dxe.
> > >
> > > +
> > >
> > > + @param FileHandle The handle of FFS header the loaded driver.
> > >
> > > + @param PeiServices The pointer to the PEI services.
> > >
> > > +
> > >
> > > + @retval EFI_SUCCESS The constructor executes successfully.
> > >
> > > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> > > constructor.
> > >
> > > +
> > >
> > > +**/
> > >
> > > +EFI_STATUS
> > >
> > > +EFIAPI
> > >
> > > +BaseHashLibApiDxeConstructor (
> > >
> > > + IN EFI_HANDLE ImageHandle,
> > >
> > > + IN EFI_SYSTEM_TABLE *SystemTable
> > >
> > > + )
> > >
> > > +{
> > >
> > > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n"));
> > >
> > > +
> > >
> > > + return EFI_SUCCESS;
> > >
> > > +}
> >
> > 6. Constructor is not necessary if you don't have anything to do with it.
> > You can remove it from inf file and here.
> >
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > > new file mode 100644
> > > index 000000000000..580ac21fc1d9
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > > @@ -0,0 +1,125 @@
> > > +/** @file
> > >
> > > + This library is Unified Hash API. It will redirect hash request
> > > + to
> > >
> > > + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> > > + SHA256,
> > >
> > > + SHA384 and SM3...
> > >
> > > +
> > >
> > > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> > > +<BR>
> > >
> > > +SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +
> > >
> > > +**/
> > >
> > > +
> > >
> > > +
> > >
> > > +#include <Library/BaseLib.h>
> > >
> > > +#include <Library/BaseMemoryLib.h>
> > >
> > > +#include <Library/MemoryAllocationLib.h>
> > >
> > > +#include <Library/DebugLib.h>
> > >
> > > +#include <Library/PcdLib.h>
> > >
> > > +#include <Library/HashLib.h>
> > >
> > > +#include <Library/HobLib.h>
> > >
> > > +#include <Guid/ZeroGuid.h>
> > >
> > > +
> > >
> > > +#include <Library/BaseHashLib.h>
> > >
> > > +#include "BaseHashLibCommon.h"
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Init hash sequence.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > +
> > >
> > > + @retval TRUE Hash start and HashHandle returned.
> > >
> > > + @retval FALSE Hash Init unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiInit (
> > >
> > > + OUT HASH_HANDLE *HashHandle
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > + HASH_HANDLE Handle;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashInitInternal (HashPolicy, &Handle);
> > >
> > > +
> > >
> > > + *HashHandle = Handle;
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Update hash data.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param DataToHash Data to be hashed.
> > >
> > > + @param DataToHashLen Data size.
> > >
> > > +
> > >
> > > + @retval TRUE Hash updated.
> > >
> > > + @retval FALSE Hash updated unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiUpdate (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + IN VOID *DataToHash,
> > >
> > > + IN UINTN DataToHashLen
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash,
> > > DataToHashLen);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Hash complete.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param Digest Hash Digest.
> > >
> > > +
> > >
> > > + @retval TRUE Hash complete and Digest is returned.
> > >
> > > + @retval FALSE Hash complete unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiFinal (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + OUT UINT8 *Digest
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + The constructor function of BaseHashLib Pei.
> > >
> > > +
> > >
> > > + @param FileHandle The handle of FFS header the loaded driver.
> > >
> > > + @param PeiServices The pointer to the PEI services.
> > >
> > > +
> > >
> > > + @retval EFI_SUCCESS The constructor executes successfully.
> > >
> > > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the
> > > constructor.
> > >
> > > +
> > >
> > > +**/
> > >
> > > +EFI_STATUS
> > >
> > > +EFIAPI
> > >
> > > +BaseHashLibApiPeiConstructor (
> > >
> > > + IN EFI_PEI_FILE_HANDLE FileHandle,
> > >
> > > + IN CONST EFI_PEI_SERVICES **PeiServices
> > >
> > > + )
> > >
> > > +{
> > >
> > > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n"));
> > >
> > > +
> > >
> > > + return EFI_SUCCESS;
> > >
> > > +}
> >
> > 7. The same as 6
> >
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Include/Library/BaseHashLib.h
> > > b/SecurityPkg/Include/Library/BaseHashLib.h
> > > new file mode 100644
> > > index 000000000000..e1883fe7ce41
> > > --- /dev/null
> > > +++ b/SecurityPkg/Include/Library/BaseHashLib.h
> > > @@ -0,0 +1,84 @@
> > > +/** @file
> > > + The internal header file includes the common header files,
> > > +defines
> > > + internal structure and functions used by ImageVerificationLib.
> > > +
> > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR> This program and the accompanying materials are
> > > +licensed and made available under the terms and conditions of the
> > > +BSD
> > > License
> > > +which accompanies this distribution. The full text of the license
> > > +may be found
> > > at
> > > +http://opensource.org/licenses/bsd-license.php
> > > +
> > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > > +BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> > > +EXPRESS
> > > OR IMPLIED.
> > > +
> > > +**/
> > > +
> > > +#ifndef __BASEHASHLIB_H_
> > > +#define __BASEHASHLIB_H_
> > > +
> > > +#include <Uefi.h>
> > > +#include <Protocol/Hash.h>
> > > +#include <Library/HashLib.h>
> > > +
> > > +//
> > > +// Hash Algorithms
> > > +//
> > > +#define HASH_DEFAULT 0x00000000
> > > +#define HASH_MD4 0x00000001
> > > +#define HASH_MD5 0x00000002
> > > +#define HASH_SHA1 0x00000003
> > > +#define HASH_SHA256 0x00000004
> > > +#define HASH_SHA384 0x00000005
> > > +#define HASH_SHA512 0x00000006
> > > +#define HASH_SM3_256 0x00000007
> > > +
> > > +
> > > +/**
> > > + Init hash sequence.
> > > +
> > > + @param HashHandle Hash handle.
> > > +
> > > + @retval TRUE Hash start and HashHandle returned.
> > > + @retval FALSE Hash Init unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiInit (
> > > + OUT HASH_HANDLE *HashHandle
> > > +);
> > > +
> > > +/**
> > > + Update hash data.
> > > +
> > > + @param HashHandle Hash handle.
> > > + @param DataToHash Data to be hashed.
> > > + @param DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiUpdate (
> > > + IN HASH_HANDLE HashHandle,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > +);
> > > +
> > > +/**
> > > + Hash complete.
> > > +
> > > + @param HashHandle Hash handle.
> > > + @param Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiFinal (
> > > + IN HASH_HANDLE HashHandle,
> > > + OUT UINT8 *Digest
> > > +);
> > > +
> > > +#endif
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > > new file mode 100644
> > > index 000000000000..776b74ad753b
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > > @@ -0,0 +1,71 @@
> > > +/** @file
> > > + The internal header file includes the common header files,
> > > +defines
> > > + internal structure and functions used by ImageVerificationLib.
> > > +
> > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR> This program and the accompanying materials are
> > > +licensed and made available under the terms and conditions of the
> > > +BSD
> > > License
> > > +which accompanies this distribution. The full text of the license
> > > +may be found
> > > at
> > > +http://opensource.org/licenses/bsd-license.php
> > > +
> > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > > +BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> > > +EXPRESS
> > > OR IMPLIED.
> > > +
> > > +**/
> > > +
> > > +#ifndef __BASEHASHLIB_COMMON_H_
> > > +#define __BASEHASHLIB_COMMON_H_
> > > +
> > > +/**
> > > + Init hash sequence with Hash Algorithm specified by HashPolicy.
> > > +
> > > + @param HashHandle Hash handle.
> > > +
> > > + @retval EFI_SUCCESS Hash start and HashHandle returned.
> > > + @retval EFI_UNSUPPORTED System has no HASH library registered.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashInitInternal (
> > > + IN UINT8 HashPolicy,
> > > + OUT HASH_HANDLE *HashHandle
> > > + );
> > > +
> > > +/**
> > > + Hash complete with Hash Algorithm specified by HashPolicy.
> > > +
> > > + @param HashPolicy Hash Algorithm Policy.
> > > + @param HashHandle Hash handle.
> > > + @param Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashUpdateInternal (
> > > + IN UINT8 HashPolicy,
> > > + IN HASH_HANDLE HashHandle,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > + );
> > > +
> > > +/**
> > > + Update hash data with Hash Algorithm specified by HashPolicy.
> > > +
> > > + @param HashPolicy Hash Algorithm Policy.
> > > + @param HashHandle Hash handle.
> > > + @param DataToHash Data to be hashed.
> > > + @param DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashFinalInternal (
> > > + IN UINT8 HashPolicy,
> > > + IN HASH_HANDLE HashHandle,
> > > + OUT UINT8 **Digest
> > > + );
> > > +#endif
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > > new file mode 100644
> > > index 000000000000..f97bda06108f
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > > @@ -0,0 +1,47 @@
> > > +## @file
> > >
> > > +# Provides hash service by registered hash handler
> > >
> > > +#
> > >
> > > +# This library is Base Hash Lib. It will redirect hash request to
> > > +each individual
> > >
> > > +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.
> > >
> > > +#
> > >
> > > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +#
> > >
> > > +##
> > >
> > > +
> > >
> > > +[Defines]
> > >
> > > + INF_VERSION = 0x00010005
> > >
> > > + BASE_NAME = BaseHashLibDxe
> > >
> > > + MODULE_UNI_FILE = BaseHashLibDxe.uni
> > >
> > > + FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
> > >
> > > + MODULE_TYPE = DXE_DRIVER
> > >
> > > + VERSION_STRING = 1.0
> > >
> > > + LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> > > DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
> > >
> > > + CONSTRUCTOR = BaseHashLibApiDxeConstructor
> >
> > 8. Since the above function is actually empty, you can remove above line and
> > function in c file.
> >
> > >
> > > +
> > >
> > > +#
> > >
> > > +# The following information is for reference only and not required
> > > +by the build
> > > tools.
> > >
> > > +#
> > >
> > > +# VALID_ARCHITECTURES = IA32 X64
> > >
> > > +#
> > >
> > > +
> > >
> > > +[Sources]
> > >
> > > + BaseHashLibCommon.h
> > >
> > > + BaseHashLibCommon.c
> > >
> > > + BaseHashLibDxe.c
> > >
> > > +
> > >
> > > +[Packages]
> > >
> > > + MdePkg/MdePkg.dec
> > >
> > > + CryptoPkg/CryptoPkg.dec
> > >
> > > + SecurityPkg/SecurityPkg.dec
> > >
> > > +
> > >
> > > +[LibraryClasses]
> > >
> > > + BaseLib
> > >
> > > + BaseMemoryLib
> > >
> > > + DebugLib
> > >
> > > + MemoryAllocationLib
> > >
> > > + BaseCryptLib
> > >
> > > + PcdLib
> > >
> > > +
> > >
> > > +[Pcd]
> > >
> > > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > > new file mode 100644
> > > index 000000000000..1865773b4a25
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > > @@ -0,0 +1,18 @@
> > > +// /** @file
> > >
> > > +// Provides hash service by registered hash handler
> > >
> > > +//
> > >
> > > +// This library is Unified Hash API. It will redirect hash request
> > > +to each individual
> > >
> > > +// hash handler registered, such as SHA1, SHA256. Platform can use
> > > PcdTpm2HashMask to
> > >
> > > +// mask some hash engines.
> > >
> > > +//
> > >
> > > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +//
> > >
> > > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +//
> > >
> > > +// **/
> > >
> > > +
> > >
> > > +
> > >
> > > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> > > service by specified hash handler"
> > >
> > > +
> > >
> > > +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> > > Unified Hash API. It will redirect hash request to the hash handler
> > > specified by PcdSystemHashPolicy."
> > >
> > > +
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > > new file mode 100644
> > > index 000000000000..4d36030744bd
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > > @@ -0,0 +1,52 @@
> > > +## @file
> > >
> > > +# Provides hash service by registered hash handler
> > >
> > > +#
> > >
> > > +# This library is BaseCrypto router. It will redirect hash request
> > > +to each
> > > individual
> > >
> > > +# hash handler registered, such as SHA1, SHA256.
> > >
> > > +#
> > >
> > > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +#
> > >
> > > +##
> > >
> > > +
> > >
> > > +[Defines]
> > >
> > > + INF_VERSION = 0x00010005
> > >
> > > + BASE_NAME = BaseHashLibPei
> > >
> > > + MODULE_UNI_FILE = BaseHashLibPei.uni
> > >
> > > + FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
> > >
> > > + MODULE_TYPE = PEIM
> > >
> > > + VERSION_STRING = 1.0
> > >
> > > + LIBRARY_CLASS = BaseHashLib|PEIM
> > >
> > > + CONSTRUCTOR = BaseHashLibApiPeiConstructor
> > >
> >
> > 9. The same as 8
> >
> > > +
> > >
> > > +#
> > >
> > > +# The following information is for reference only and not required
> > > +by the build
> > > tools.
> > >
> > > +#
> > >
> > > +# VALID_ARCHITECTURES = IA32 X64
> > >
> > > +#
> > >
> > > +
> > >
> > > +[Sources]
> > >
> > > + BaseHashLibCommon.h
> > >
> > > + BaseHashLibCommon.c
> > >
> > > + BaseHashLibPei.c
> > >
> > > +
> > >
> > > +[Packages]
> > >
> > > + MdePkg/MdePkg.dec
> > >
> > > + SecurityPkg/SecurityPkg.dec
> > >
> > > + CryptoPkg/CryptoPkg.dec
> > >
> > > + MdeModulePkg/MdeModulePkg.dec
> > >
> > > +
> > >
> > > +[LibraryClasses]
> > >
> > > + BaseLib
> > >
> > > + BaseMemoryLib
> > >
> > > + DebugLib
> > >
> > > + MemoryAllocationLib
> > >
> > > + BaseCryptLib
> > >
> > > + PcdLib
> > >
> > > +
> > >
> > > +[Guids]
> > >
> > > + ## SOMETIMES_CONSUMES ## GUID
> > >
> > > + gZeroGuid
> > >
> > > +
> > >
> > > +[Pcd]
> > >
> > > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > > new file mode 100644
> > > index 000000000000..2131b61bd235
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > > @@ -0,0 +1,17 @@
> > > +// /** @file
> > >
> > > +// Provides hash service by registered hash handler
> > >
> > > +//
> > >
> > > +// This library is Unified Hash API. It will redirect hash request
> > > +to each individual
> > >
> > > +// hash handler registered, such as SHA1, SHA256.
> > >
> > > +//
> > >
> > > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +//
> > >
> > > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +//
> > >
> > > +// **/
> > >
> > > +
> > >
> > > +
> > >
> > > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> > > service by specified hash handler"
> > >
> > > +
> > >
> > > +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> > > Unified Hash API. It will redirect hash request to the hash handler
> > > specified by PcdSystemHashPolicy."
> > >
> > > +
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.dec
> > > b/SecurityPkg/SecurityPkg.dec index cac36caf0a0d..e0e144124ddd
> > > 100644
> > > --- a/SecurityPkg/SecurityPkg.dec
> > > +++ b/SecurityPkg/SecurityPkg.dec
> > > @@ -5,7 +5,7 @@
> > > # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
> > > and library
> > > classes)
> > >
> > > # and libraries instances, which are used for those features.
> > >
> > > #
> > >
> > > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> > > reserved.<BR>
> > >
> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP <BR>
> > >
> > > # Copyright (c) 2017, Microsoft Corporation. All rights reserved.
> > > <BR>
> > >
> > > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > @@ -27,6 +27,10 @@ [LibraryClasses]
> > > #
> > >
> > > HashLib|Include/Library/HashLib.h
> > >
> > >
> > >
> > > + ## @libraryclass Provides hash interfaces from different implementations.
> > >
> > > + #
> > >
> > > + BaseHashLib|Include/Library/HashLib.h
> > >
> > > +
> > >
> > > ## @libraryclass Provides a platform specific interface to
> > > detect physically present user.
> > >
> > > #
> > >
> > > PlatformSecureLib|Include/Library/PlatformSecureLib.h
> > >
> > > @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx]
> > > # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
> > >
> > >
> > > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x000100
> > > 23
> > >
> > >
> > >
> > > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic,
> > > +PcdsDynamicEx]
> > >
> > > + ## This PCD indicates the HASH algorithm to verify unsigned
> > > + PE/COFF image
> > >
> > > + # Based on the value set, the required algorithm is chosen to
> > > + verify
> > >
> > > + # the unsigned image during Secure Boot.<BR>
> > >
> > > + # The hashing algorithm selected must match the hashing
> > > + algorithm used to
> > >
> > > + # hash the image to be added to DB using tools such as
> > > + KeyEnroll.<BR>
> > >
> > > + # 0x00000001 - MD4.<BR>
> > >
> > > + # 0x00000002 - MD5.<BR>
> > >
> > > + # 0x00000003 - SHA1.<BR>
> > >
> > > + # 0x00000004 - SHA256.<BR>
> > >
> > > + # 0x00000005 - SHA384.<BR>
> > >
> > > + # 0x00000006 - SHA512.<BR>
> > >
> > > + # 0x00000007 - SM3_256.<BR>
> > >
> > > + # @Prompt Set policy for hashing unsigned image for Secure Boot.
> > >
> > > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > >
> > > +
> > > gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x00010
> > > 02
> > > 4
> > >
> > > +
> > >
> > > [UserExtensions.TianoCore."ExtraFiles"]
> > >
> > > SecurityPkgExtra.uni
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.dsc
> > > b/SecurityPkg/SecurityPkg.dsc index a2eeadda7a7e..86a5847e2509
> > > 100644
> > > --- a/SecurityPkg/SecurityPkg.dsc
> > > +++ b/SecurityPkg/SecurityPkg.dsc
> > > @@ -1,7 +1,7 @@
> > > ## @file
> > >
> > > # Security Module Package for All Architectures.
> > >
> > > #
> > >
> > > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> > > reserved.<BR>
> > >
> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
> > >
> > > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > #
> > >
> > > @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
> > >
> > > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.
> > > inf
> > >
> > >
> > > Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceL
> > > Tcg2PhysicalPresenceLib|ib
> > > Tcg2PhysicalPresenceLib|/PeiTc
> > > g2PhysicalPresenceLib.inf
> > >
> > > RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
> > >
> > > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > >
> > >
> > >
> > > [LibraryClasses.common.DXE_DRIVER]
> > >
> > > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
> > >
> > > @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER]
> > >
> > > Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibT
> > > Tpm12DeviceLib|cg
> > > Tpm12DeviceLib|.i
> > > nf
> > >
> > >
> > > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.
> > > Tpm2DeviceLib|in
> > > f
> > >
> > >
> > > FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib
> > > FileExplorerLib|.i
> > > nf
> > >
> > > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > >
> > >
> > >
> > > [LibraryClasses.common.UEFI_DRIVER,
> > > LibraryClasses.common.DXE_RUNTIME_DRIVER,
> > > LibraryClasses.common.DXE_SAL_DRIVER,]
> > >
> > > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
> > >
> > > @@ -211,6 +213,12 @@ [Components]
> > >
> > >
> > > SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
> > >
> > >
> > >
> > > + #
> > >
> > > + # Unified Hash API
> > >
> > > + #
> > >
> > > + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > >
> > > + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > >
> > > +
> > >
> > > #
> > >
> > > # TCG Storage.
> > >
> > > #
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.uni
> > > b/SecurityPkg/SecurityPkg.uni index 68587304d779..32ef97f81461
> > > 100644
> > > --- a/SecurityPkg/SecurityPkg.uni
> > > +++ b/SecurityPkg/SecurityPkg.uni
> > > @@ -5,7 +5,7 @@
> > > // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
> > > and library
> > > classes)
> > >
> > > // and libraries instances, which are used for those features.
> > >
> > > //
> > >
> > > -// Copyright (c) 2009 - 2018, Intel Corporation. All rights
> > > reserved.<BR>
> > >
> > > +// Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > //
> > >
> > > // SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > //
> > >
> > > @@ -295,3 +295,16 @@
> > >
> > >
> > > #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP
> > > #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
> > >
> > >
> > > "0 means this field is unsupported\n"
> > >
> > > +
> > >
> > >
> > > +
> > > #string
> > > STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> > > #language en-US "HASH algorithm to verify unsigned PE/COFF image"
> > >
> > > +
> > >
> > > +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> > > #language en-US "This PCD indicates the HASH algorithm used by
> > > Unified Hash API.<BR><BR>\n"
> > >
> > > +
> > > + "Based on the value set, the
> > > required algorithm is chosen to calculate\n"
> > >
> > > + "the hash desired.<BR>\n"
> > >
> > > + "0x00000001 - MD4.<BR>\n"
> > >
> > > + "0x00000002 - MD5.<BR>\n"
> > >
> > > + "0x00000003 - SHA1.<BR>\n"
> > >
> > > +
> > > + "0x00000004 -
> > > SHA256.<BR>\n"
> > >
> > > +
> > > + "0x00000005 -
> > > SHA384.<BR>\n"
> > >
> > > +
> > > + "0x00000006 -
> > > SHA512.<BR>\n"
> > >
> > > + "0x00000007 - SM3.<BR>"
> > >
> > > --
> > > 2.16.2.windows.1
> >
> >
> >
> >
> >
>
>
>
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
2020-01-16 4:35 ` Liming Gao
@ 2020-01-16 16:58 ` Sukerkar, Amol N
2020-01-17 0:31 ` Liming Gao
0 siblings, 1 reply; 12+ messages in thread
From: Sukerkar, Amol N @ 2020-01-16 16:58 UTC (permalink / raw)
To: Gao, Liming, devel@edk2.groups.io, Wang, Jian J
Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas,
Sukerkar, Amol N
Sure, Liming! Please add edk2 2020 Q1 stable tag to this feature. I will follow the schedule.
Thanks,
Amol
-----Original Message-----
From: Gao, Liming <liming.gao@intel.com>
Sent: Wednesday, January 15, 2020 9:36 PM
To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
If this change plans to catch edk2 2020 Q1 stable tag, I will add it into https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
Then, you need to follow Q1 stable tag schedule to finish this change.
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Thursday, January 16, 2020 12:27 PM
> To: devel@edk2.groups.io; Gao, Liming <liming.gao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> Musti, Srinivas <srinivas.musti@intel.com>; Sukerkar, Amol N
> <amol.n.sukerkar@intel.com>
> Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> Implement Unified Hash Calculation API
>
> Thanks, Liming! How do I find out if it catches EDK 2020 Q1 stable tag?
>
> ~ Amol
>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Liming
> Gao
> Sent: Wednesday, January 15, 2020 8:39 PM
> To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> Musti, Srinivas <srinivas.musti@intel.com>
> Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> Implement Unified Hash Calculation API
>
> Yes. Does it catch EDK2 2020 Q1 stable tag?
>
> > -----Original Message-----
> > From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > Sent: Thursday, January 16, 2020 7:02 AM
> > To: Gao, Liming <liming.gao@intel.com>; devel@edk2.groups.io; Wang,
> > Jian J <jian.j.wang@intel.com>
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> > Musti, Srinivas <srinivas.musti@intel.com>; Sukerkar, Amol N
> > <amol.n.sukerkar@intel.com>
> > Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> > Implement Unified Hash Calculation API
> >
> > Hi Liming,
> >
> > We already have a ticket filed in Bugzilla, https://bugzilla.tianocore.org/show_bug.cgi?id=2151. Would this be sufficient?
> >
> > Thanks,
> > Amol
> >
> > -----Original Message-----
> > From: Gao, Liming <liming.gao@intel.com>
> > Sent: Tuesday, January 14, 2020 8:47 PM
> > To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>;
> > Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> > Musti, Srinivas <srinivas.musti@intel.com>
> > Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> > Implement Unified Hash Calculation API
> >
> > Amol:
> > This is new feature. Please submit BZ
> > (https://bugzilla.tianocore.org/) to track it. If this feature catches edk2 2020 Q1 stable tag, I will add it into edk2 feature planning.
> >
> > Thanks
> > Liming
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wang,
> > Jian J
> > Sent: 2020年1月15日 11:14
> > To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> > devel@edk2.groups.io
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> > Musti, Srinivas <srinivas.musti@intel.com>
> > Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> > Implement Unified Hash Calculation API
> >
> > Amol,
> >
> > 1. Your patch doesn't support hashing more than one algorithm at the same time.
> > Is this on purpose? Sorry I don't remember the conclusion in last discussion.
> > 2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h.
> > You can use BaseTools\Scripts\PatchCheck.py to check it before sending patch.
> >
> > See my other comments below.
> >
> > > -----Original Message-----
> > > From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > > Sent: Tuesday, January 14, 2020 11:41 PM
> > > To: devel@edk2.groups.io
> > > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > > <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> > > Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas
> > > <srinivas.musti@intel.com>
> > > Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified
> > > Hash Calculation API
> > >
> > > This commit introduces a Unified Hash API to calculate hash using
> > > a hashing algorithm specified by the PCD, PcdSystemHashPolicy.
> > > This library interfaces with the various hashing API, such as,
> > > MD4, MD5, SHA1, SHA256,
> > > SHA512 and SM3_256 implemented in CryptoPkg. The user can
> > > calculate the desired hash by setting PcdSystemHashPolicy to appropriate value.
> > >
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > > ---
> > >
> > > Notes:
> > > v2:
> > > - Fixed the commit message format
> > >
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252
> > > ++++++++++++++++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
> > > SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
> > > SecurityPkg/SecurityPkg.dec | 23 +-
> > > SecurityPkg/SecurityPkg.dsc | 10 +-
> > > SecurityPkg/SecurityPkg.uni | 15 +-
> > > 12 files changed, 833 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > > new file mode 100644
> > > index 000000000000..f8742e55b5f7
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > > @@ -0,0 +1,252 @@
> > > +/** @file
> > >
> > > + Implement image verification services for secure boot service
> > >
> > > +
> > >
> > > + Caution: This file requires additional review when modified.
> > >
> > > + This library will have external input - PE/COFF image.
> > >
> > > + This external input must be validated carefully to avoid
> > > + security issue like
> > >
> > > + buffer overflow, integer overflow.
> > >
> > > +
> > >
> > > + DxeImageVerificationLibImageRead() function will make sure the
> > > + PE/COFF
> > > image content
> > >
> > > + read is within the image buffer.
> > >
> > > +
> > >
> > > + DxeImageVerificationHandler(), HashPeImageByType(),
> > > + HashPeImage()
> > > function will accept
> > >
> > > + untrusted PE/COFF image and validate its data structure within
> > > + this image
> > > buffer before use.
> > >
> > > +
> > >
> > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> > >
> > > +This program and the accompanying materials
> > >
> > > +are licensed and made available under the terms and conditions of
> > > +the BSD
> > > License
> > >
> > > +which accompanies this distribution. The full text of the
> > > +license may be found
> > > at
> > >
> > > +http://opensource.org/licenses/bsd-license.php
> > >
> > > +
> > >
> > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > > +BASIS,
> > >
> > > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> > > OR IMPLIED.
> > >
> > > +
> > >
> > > +**/
> > >
> > > +
> > >
> > > +#include <Library/BaseLib.h>
> > >
> > > +#include <Library/BaseMemoryLib.h>
> > >
> > > +#include <Library/MemoryAllocationLib.h>
> > >
> > > +#include <Library/BaseCryptLib.h>
> > >
> > > +#include <Library/DebugLib.h>
> > >
> > > +#include <Library/PcdLib.h>
> > >
> > > +#include <Library/BaseHashLib.h>
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Init hash sequence with Hash Algorithm specified by HashPolicy.
> > >
> > > +
> > >
> > > + @param HashPolicy Hash Algorithm Policy.
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > +
> > >
> > > + @retval TRUE Hash start and HashHandle returned.
> > >
> > > + @retval FALSE Hash Init unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashInitInternal (
> > >
> > > + IN UINT8 HashPolicy,
> > >
> > > + OUT HASH_HANDLE *HashHandle
> > >
> > > + )
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + VOID *HashCtx;
> > >
> > > + UINTN CtxSize;
> > >
> > > +
> > >
> > > + switch (HashPolicy) {
> > >
> > > + case HASH_MD4:
> > >
> > > + CtxSize = Md4GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Md4Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_MD5:
> > >
> > > + CtxSize = Md5GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Md5Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA1:
> > >
> > > + CtxSize = Sha1GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha1Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA256:
> > >
> > > + CtxSize = Sha256GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha256Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA384:
> > >
> > > + CtxSize = Sha384GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha384Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA512:
> > >
> > > + CtxSize = Sha512GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha512Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SM3_256:
> > >
> > > + CtxSize = Sm3GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sm3Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + default:
> > >
> > > + ASSERT (FALSE);
> > >
> > > + break;
> > >
> > > + }
> > >
> > > +
> >
> > 3. Instead of switch..case, using a global array to defines all
> > supported interfaces would be more efficient, since you can value of PcdSystemHashPolicy to index them directly.
> >
> > >
> > > + *HashHandle = (HASH_HANDLE)HashCtx;
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Update hash data with Hash Algorithm specified by HashPolicy.
> > >
> > > +
> > >
> > > + @param HashPolicy Hash Algorithm Policy.
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param DataToHash Data to be hashed.
> > >
> > > + @param DataToHashLen Data size.
> > >
> > > +
> > >
> > > + @retval TRUE Hash updated.
> > >
> > > + @retval FALSE Hash updated unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashUpdateInternal (
> > >
> > > + IN UINT8 HashPolicy,
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + IN VOID *DataToHash,
> > >
> > > + IN UINTN DataToHashLen
> > >
> > > + )
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + VOID *HashCtx;
> > >
> > > +
> > >
> > > + HashCtx = (VOID *)HashHandle;
> > >
> > > +
> > >
> > > + switch (HashPolicy) {
> > >
> > > + case HASH_MD4:
> > >
> > > + Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_MD5:
> > >
> > > + Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA1:
> > >
> > > + Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA256:
> > >
> > > + Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA384:
> > >
> > > + Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA512:
> > >
> > > + Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SM3_256:
> > >
> > > + Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + default:
> > >
> > > + ASSERT (FALSE);
> > >
> > > + break;
> > >
> > > + }
> > >
> >
> > 4. The same as 3
> >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Hash complete with Hash Algorithm specified by HashPolicy.
> > >
> > > +
> > >
> > > + @param HashPolicy Hash Algorithm Policy.
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param Digest Hash Digest.
> > >
> > > +
> > >
> > > + @retval TRUE Hash complete and Digest is returned.
> > >
> > > + @retval FALSE Hash complete unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashFinalInternal (
> > >
> > > + IN UINT8 HashPolicy,
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + OUT UINT8 **Digest
> > >
> > > + )
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + VOID *HashCtx;
> > >
> > > + UINT8 DigestData[SHA512_DIGEST_SIZE];
> > >
> > > +
> > >
> > > + HashCtx = (VOID *)HashHandle;
> > >
> > > +
> > >
> > > + switch (HashPolicy) {
> > >
> > > + case HASH_MD4:
> > >
> > > + Status = Md4Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_MD5:
> > >
> > > + Status = Md5Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA1:
> > >
> > > + Status = Sha1Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA256:
> > >
> > > + Status = Sha256Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA384:
> > >
> > > + Status = Sha384Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA512:
> > >
> > > + Status = Sha512Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SM3_256:
> > >
> > > + Status = Sm3Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + default:
> > >
> > > + ASSERT (FALSE);
> > >
> > > + break;
> > >
> >
> > 5. The same as 3
> >
> > > + }
> > >
> > > +
> > >
> > > + FreePool (HashCtx);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > > new file mode 100644
> > > index 000000000000..ea22cfe16e2f
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > > @@ -0,0 +1,122 @@
> > > +/** @file
> > >
> > > + This library is Unified Hash API. It will redirect hash request
> > > + to
> > >
> > > + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> > > + SHA256,
> > >
> > > + SHA384 and SM3...
> > >
> > > +
> > >
> > > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> > > +<BR>
> > >
> > > +SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +
> > >
> > > +**/
> > >
> > > +
> > >
> > > +
> > >
> > > +#include <Library/BaseLib.h>
> > >
> > > +#include <Library/BaseMemoryLib.h>
> > >
> > > +#include <Library/MemoryAllocationLib.h>
> > >
> > > +#include <Library/DebugLib.h>
> > >
> > > +#include <Library/PcdLib.h>
> > >
> > > +#include <Library/BaseHashLib.h>
> > >
> > > +
> > >
> > > +#include "BaseHashLibCommon.h"
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Init hash sequence.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > +
> > >
> > > + @retval TRUE Hash start and HashHandle returned.
> > >
> > > + @retval FALSE Hash Init unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiInit (
> > >
> > > + OUT HASH_HANDLE *HashHandle
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > + HASH_HANDLE Handle;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashInitInternal (HashPolicy, &Handle);
> > >
> > > +
> > >
> > > + *HashHandle = Handle;
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Update hash data.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param DataToHash Data to be hashed.
> > >
> > > + @param DataToHashLen Data size.
> > >
> > > +
> > >
> > > + @retval TRUE Hash updated.
> > >
> > > + @retval FALSE Hash updated unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiUpdate (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + IN VOID *DataToHash,
> > >
> > > + IN UINTN DataToHashLen
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashUpdateInternal (HashPolicy, HashHandle,
> > > + DataToHash,
> > > DataToHashLen);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Hash complete.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param Digest Hash Digest.
> > >
> > > +
> > >
> > > + @retval TRUE Hash complete and Digest is returned.
> > >
> > > + @retval FALSE Hash complete unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiFinal (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + OUT UINT8 *Digest
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + The constructor function of BaseHashLib Dxe.
> > >
> > > +
> > >
> > > + @param FileHandle The handle of FFS header the loaded driver.
> > >
> > > + @param PeiServices The pointer to the PEI services.
> > >
> > > +
> > >
> > > + @retval EFI_SUCCESS The constructor executes successfully.
> > >
> > > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for
> > > + the
> > > constructor.
> > >
> > > +
> > >
> > > +**/
> > >
> > > +EFI_STATUS
> > >
> > > +EFIAPI
> > >
> > > +BaseHashLibApiDxeConstructor (
> > >
> > > + IN EFI_HANDLE ImageHandle,
> > >
> > > + IN EFI_SYSTEM_TABLE *SystemTable
> > >
> > > + )
> > >
> > > +{
> > >
> > > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor..
> > > + \n"));
> > >
> > > +
> > >
> > > + return EFI_SUCCESS;
> > >
> > > +}
> >
> > 6. Constructor is not necessary if you don't have anything to do with it.
> > You can remove it from inf file and here.
> >
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > > new file mode 100644
> > > index 000000000000..580ac21fc1d9
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > > @@ -0,0 +1,125 @@
> > > +/** @file
> > >
> > > + This library is Unified Hash API. It will redirect hash request
> > > + to
> > >
> > > + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> > > + SHA256,
> > >
> > > + SHA384 and SM3...
> > >
> > > +
> > >
> > > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> > > +<BR>
> > >
> > > +SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +
> > >
> > > +**/
> > >
> > > +
> > >
> > > +
> > >
> > > +#include <Library/BaseLib.h>
> > >
> > > +#include <Library/BaseMemoryLib.h>
> > >
> > > +#include <Library/MemoryAllocationLib.h>
> > >
> > > +#include <Library/DebugLib.h>
> > >
> > > +#include <Library/PcdLib.h>
> > >
> > > +#include <Library/HashLib.h>
> > >
> > > +#include <Library/HobLib.h>
> > >
> > > +#include <Guid/ZeroGuid.h>
> > >
> > > +
> > >
> > > +#include <Library/BaseHashLib.h>
> > >
> > > +#include "BaseHashLibCommon.h"
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Init hash sequence.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > +
> > >
> > > + @retval TRUE Hash start and HashHandle returned.
> > >
> > > + @retval FALSE Hash Init unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiInit (
> > >
> > > + OUT HASH_HANDLE *HashHandle
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > + HASH_HANDLE Handle;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashInitInternal (HashPolicy, &Handle);
> > >
> > > +
> > >
> > > + *HashHandle = Handle;
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Update hash data.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param DataToHash Data to be hashed.
> > >
> > > + @param DataToHashLen Data size.
> > >
> > > +
> > >
> > > + @retval TRUE Hash updated.
> > >
> > > + @retval FALSE Hash updated unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiUpdate (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + IN VOID *DataToHash,
> > >
> > > + IN UINTN DataToHashLen
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashUpdateInternal (HashPolicy, HashHandle,
> > > + DataToHash,
> > > DataToHashLen);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Hash complete.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param Digest Hash Digest.
> > >
> > > +
> > >
> > > + @retval TRUE Hash complete and Digest is returned.
> > >
> > > + @retval FALSE Hash complete unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiFinal (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + OUT UINT8 *Digest
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + The constructor function of BaseHashLib Pei.
> > >
> > > +
> > >
> > > + @param FileHandle The handle of FFS header the loaded driver.
> > >
> > > + @param PeiServices The pointer to the PEI services.
> > >
> > > +
> > >
> > > + @retval EFI_SUCCESS The constructor executes successfully.
> > >
> > > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for
> > > + the
> > > constructor.
> > >
> > > +
> > >
> > > +**/
> > >
> > > +EFI_STATUS
> > >
> > > +EFIAPI
> > >
> > > +BaseHashLibApiPeiConstructor (
> > >
> > > + IN EFI_PEI_FILE_HANDLE FileHandle,
> > >
> > > + IN CONST EFI_PEI_SERVICES **PeiServices
> > >
> > > + )
> > >
> > > +{
> > >
> > > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor..
> > > + \n"));
> > >
> > > +
> > >
> > > + return EFI_SUCCESS;
> > >
> > > +}
> >
> > 7. The same as 6
> >
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Include/Library/BaseHashLib.h
> > > b/SecurityPkg/Include/Library/BaseHashLib.h
> > > new file mode 100644
> > > index 000000000000..e1883fe7ce41
> > > --- /dev/null
> > > +++ b/SecurityPkg/Include/Library/BaseHashLib.h
> > > @@ -0,0 +1,84 @@
> > > +/** @file
> > > + The internal header file includes the common header files,
> > > +defines
> > > + internal structure and functions used by ImageVerificationLib.
> > > +
> > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR> This program and the accompanying materials are
> > > +licensed and made available under the terms and conditions of the
> > > +BSD
> > > License
> > > +which accompanies this distribution. The full text of the
> > > +license may be found
> > > at
> > > +http://opensource.org/licenses/bsd-license.php
> > > +
> > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > > +BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> > > +EXPRESS
> > > OR IMPLIED.
> > > +
> > > +**/
> > > +
> > > +#ifndef __BASEHASHLIB_H_
> > > +#define __BASEHASHLIB_H_
> > > +
> > > +#include <Uefi.h>
> > > +#include <Protocol/Hash.h>
> > > +#include <Library/HashLib.h>
> > > +
> > > +//
> > > +// Hash Algorithms
> > > +//
> > > +#define HASH_DEFAULT 0x00000000
> > > +#define HASH_MD4 0x00000001
> > > +#define HASH_MD5 0x00000002
> > > +#define HASH_SHA1 0x00000003
> > > +#define HASH_SHA256 0x00000004
> > > +#define HASH_SHA384 0x00000005
> > > +#define HASH_SHA512 0x00000006
> > > +#define HASH_SM3_256 0x00000007
> > > +
> > > +
> > > +/**
> > > + Init hash sequence.
> > > +
> > > + @param HashHandle Hash handle.
> > > +
> > > + @retval TRUE Hash start and HashHandle returned.
> > > + @retval FALSE Hash Init unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiInit (
> > > + OUT HASH_HANDLE *HashHandle
> > > +);
> > > +
> > > +/**
> > > + Update hash data.
> > > +
> > > + @param HashHandle Hash handle.
> > > + @param DataToHash Data to be hashed.
> > > + @param DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiUpdate (
> > > + IN HASH_HANDLE HashHandle,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > +);
> > > +
> > > +/**
> > > + Hash complete.
> > > +
> > > + @param HashHandle Hash handle.
> > > + @param Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiFinal (
> > > + IN HASH_HANDLE HashHandle,
> > > + OUT UINT8 *Digest
> > > +);
> > > +
> > > +#endif
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > > new file mode 100644
> > > index 000000000000..776b74ad753b
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > > @@ -0,0 +1,71 @@
> > > +/** @file
> > > + The internal header file includes the common header files,
> > > +defines
> > > + internal structure and functions used by ImageVerificationLib.
> > > +
> > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR> This program and the accompanying materials are
> > > +licensed and made available under the terms and conditions of the
> > > +BSD
> > > License
> > > +which accompanies this distribution. The full text of the
> > > +license may be found
> > > at
> > > +http://opensource.org/licenses/bsd-license.php
> > > +
> > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > > +BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> > > +EXPRESS
> > > OR IMPLIED.
> > > +
> > > +**/
> > > +
> > > +#ifndef __BASEHASHLIB_COMMON_H_
> > > +#define __BASEHASHLIB_COMMON_H_
> > > +
> > > +/**
> > > + Init hash sequence with Hash Algorithm specified by HashPolicy.
> > > +
> > > + @param HashHandle Hash handle.
> > > +
> > > + @retval EFI_SUCCESS Hash start and HashHandle returned.
> > > + @retval EFI_UNSUPPORTED System has no HASH library registered.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashInitInternal (
> > > + IN UINT8 HashPolicy,
> > > + OUT HASH_HANDLE *HashHandle
> > > + );
> > > +
> > > +/**
> > > + Hash complete with Hash Algorithm specified by HashPolicy.
> > > +
> > > + @param HashPolicy Hash Algorithm Policy.
> > > + @param HashHandle Hash handle.
> > > + @param Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashUpdateInternal (
> > > + IN UINT8 HashPolicy,
> > > + IN HASH_HANDLE HashHandle,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > + );
> > > +
> > > +/**
> > > + Update hash data with Hash Algorithm specified by HashPolicy.
> > > +
> > > + @param HashPolicy Hash Algorithm Policy.
> > > + @param HashHandle Hash handle.
> > > + @param DataToHash Data to be hashed.
> > > + @param DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashFinalInternal (
> > > + IN UINT8 HashPolicy,
> > > + IN HASH_HANDLE HashHandle,
> > > + OUT UINT8 **Digest
> > > + );
> > > +#endif
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > > new file mode 100644
> > > index 000000000000..f97bda06108f
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > > @@ -0,0 +1,47 @@
> > > +## @file
> > >
> > > +# Provides hash service by registered hash handler
> > >
> > > +#
> > >
> > > +# This library is Base Hash Lib. It will redirect hash request
> > > +to each individual
> > >
> > > +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.
> > >
> > > +#
> > >
> > > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +#
> > >
> > > +##
> > >
> > > +
> > >
> > > +[Defines]
> > >
> > > + INF_VERSION = 0x00010005
> > >
> > > + BASE_NAME = BaseHashLibDxe
> > >
> > > + MODULE_UNI_FILE = BaseHashLibDxe.uni
> > >
> > > + FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
> > >
> > > + MODULE_TYPE = DXE_DRIVER
> > >
> > > + VERSION_STRING = 1.0
> > >
> > > + LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> > > DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
> > >
> > > + CONSTRUCTOR = BaseHashLibApiDxeConstructor
> >
> > 8. Since the above function is actually empty, you can remove above line and
> > function in c file.
> >
> > >
> > > +
> > >
> > > +#
> > >
> > > +# The following information is for reference only and not
> > > +required by the build
> > > tools.
> > >
> > > +#
> > >
> > > +# VALID_ARCHITECTURES = IA32 X64
> > >
> > > +#
> > >
> > > +
> > >
> > > +[Sources]
> > >
> > > + BaseHashLibCommon.h
> > >
> > > + BaseHashLibCommon.c
> > >
> > > + BaseHashLibDxe.c
> > >
> > > +
> > >
> > > +[Packages]
> > >
> > > + MdePkg/MdePkg.dec
> > >
> > > + CryptoPkg/CryptoPkg.dec
> > >
> > > + SecurityPkg/SecurityPkg.dec
> > >
> > > +
> > >
> > > +[LibraryClasses]
> > >
> > > + BaseLib
> > >
> > > + BaseMemoryLib
> > >
> > > + DebugLib
> > >
> > > + MemoryAllocationLib
> > >
> > > + BaseCryptLib
> > >
> > > + PcdLib
> > >
> > > +
> > >
> > > +[Pcd]
> > >
> > > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > > new file mode 100644
> > > index 000000000000..1865773b4a25
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > > @@ -0,0 +1,18 @@
> > > +// /** @file
> > >
> > > +// Provides hash service by registered hash handler
> > >
> > > +//
> > >
> > > +// This library is Unified Hash API. It will redirect hash
> > > +request to each individual
> > >
> > > +// hash handler registered, such as SHA1, SHA256. Platform can
> > > +use
> > > PcdTpm2HashMask to
> > >
> > > +// mask some hash engines.
> > >
> > > +//
> > >
> > > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +//
> > >
> > > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +//
> > >
> > > +// **/
> > >
> > > +
> > >
> > > +
> > >
> > > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> > > service by specified hash handler"
> > >
> > > +
> > >
> > > +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> > > Unified Hash API. It will redirect hash request to the hash
> > > handler specified by PcdSystemHashPolicy."
> > >
> > > +
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > > new file mode 100644
> > > index 000000000000..4d36030744bd
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > > @@ -0,0 +1,52 @@
> > > +## @file
> > >
> > > +# Provides hash service by registered hash handler
> > >
> > > +#
> > >
> > > +# This library is BaseCrypto router. It will redirect hash
> > > +request to each
> > > individual
> > >
> > > +# hash handler registered, such as SHA1, SHA256.
> > >
> > > +#
> > >
> > > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +#
> > >
> > > +##
> > >
> > > +
> > >
> > > +[Defines]
> > >
> > > + INF_VERSION = 0x00010005
> > >
> > > + BASE_NAME = BaseHashLibPei
> > >
> > > + MODULE_UNI_FILE = BaseHashLibPei.uni
> > >
> > > + FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
> > >
> > > + MODULE_TYPE = PEIM
> > >
> > > + VERSION_STRING = 1.0
> > >
> > > + LIBRARY_CLASS = BaseHashLib|PEIM
> > >
> > > + CONSTRUCTOR = BaseHashLibApiPeiConstructor
> > >
> >
> > 9. The same as 8
> >
> > > +
> > >
> > > +#
> > >
> > > +# The following information is for reference only and not
> > > +required by the build
> > > tools.
> > >
> > > +#
> > >
> > > +# VALID_ARCHITECTURES = IA32 X64
> > >
> > > +#
> > >
> > > +
> > >
> > > +[Sources]
> > >
> > > + BaseHashLibCommon.h
> > >
> > > + BaseHashLibCommon.c
> > >
> > > + BaseHashLibPei.c
> > >
> > > +
> > >
> > > +[Packages]
> > >
> > > + MdePkg/MdePkg.dec
> > >
> > > + SecurityPkg/SecurityPkg.dec
> > >
> > > + CryptoPkg/CryptoPkg.dec
> > >
> > > + MdeModulePkg/MdeModulePkg.dec
> > >
> > > +
> > >
> > > +[LibraryClasses]
> > >
> > > + BaseLib
> > >
> > > + BaseMemoryLib
> > >
> > > + DebugLib
> > >
> > > + MemoryAllocationLib
> > >
> > > + BaseCryptLib
> > >
> > > + PcdLib
> > >
> > > +
> > >
> > > +[Guids]
> > >
> > > + ## SOMETIMES_CONSUMES ## GUID
> > >
> > > + gZeroGuid
> > >
> > > +
> > >
> > > +[Pcd]
> > >
> > > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > > new file mode 100644
> > > index 000000000000..2131b61bd235
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > > @@ -0,0 +1,17 @@
> > > +// /** @file
> > >
> > > +// Provides hash service by registered hash handler
> > >
> > > +//
> > >
> > > +// This library is Unified Hash API. It will redirect hash
> > > +request to each individual
> > >
> > > +// hash handler registered, such as SHA1, SHA256.
> > >
> > > +//
> > >
> > > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +//
> > >
> > > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +//
> > >
> > > +// **/
> > >
> > > +
> > >
> > > +
> > >
> > > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> > > service by specified hash handler"
> > >
> > > +
> > >
> > > +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> > > Unified Hash API. It will redirect hash request to the hash
> > > handler specified by PcdSystemHashPolicy."
> > >
> > > +
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.dec
> > > b/SecurityPkg/SecurityPkg.dec index cac36caf0a0d..e0e144124ddd
> > > 100644
> > > --- a/SecurityPkg/SecurityPkg.dec
> > > +++ b/SecurityPkg/SecurityPkg.dec
> > > @@ -5,7 +5,7 @@
> > > # It also provides the definitions(including
> > > PPIs/PROTOCOLs/GUIDs and library
> > > classes)
> > >
> > > # and libraries instances, which are used for those features.
> > >
> > > #
> > >
> > > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> > > reserved.<BR>
> > >
> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
> > > <BR>
> > >
> > > # Copyright (c) 2017, Microsoft Corporation. All rights reserved.
> > > <BR>
> > >
> > > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > @@ -27,6 +27,10 @@ [LibraryClasses]
> > > #
> > >
> > > HashLib|Include/Library/HashLib.h
> > >
> > >
> > >
> > > + ## @libraryclass Provides hash interfaces from different implementations.
> > >
> > > + #
> > >
> > > + BaseHashLib|Include/Library/HashLib.h
> > >
> > > +
> > >
> > > ## @libraryclass Provides a platform specific interface to
> > > detect physically present user.
> > >
> > > #
> > >
> > > PlatformSecureLib|Include/Library/PlatformSecureLib.h
> > >
> > > @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx]
> > > # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
> > >
> > >
> > > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x0001
> > > 00
> > > 23
> > >
> > >
> > >
> > > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic,
> > > +PcdsDynamicEx]
> > >
> > > + ## This PCD indicates the HASH algorithm to verify unsigned
> > > + PE/COFF image
> > >
> > > + # Based on the value set, the required algorithm is chosen to
> > > + verify
> > >
> > > + # the unsigned image during Secure Boot.<BR>
> > >
> > > + # The hashing algorithm selected must match the hashing
> > > + algorithm used to
> > >
> > > + # hash the image to be added to DB using tools such as
> > > + KeyEnroll.<BR>
> > >
> > > + # 0x00000001 - MD4.<BR>
> > >
> > > + # 0x00000002 - MD5.<BR>
> > >
> > > + # 0x00000003 - SHA1.<BR>
> > >
> > > + # 0x00000004 - SHA256.<BR>
> > >
> > > + # 0x00000005 - SHA384.<BR>
> > >
> > > + # 0x00000006 - SHA512.<BR>
> > >
> > > + # 0x00000007 - SM3_256.<BR>
> > >
> > > + # @Prompt Set policy for hashing unsigned image for Secure Boot.
> > >
> > > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > >
> > > +
> > > gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x000
> > > 10
> > > 02
> > > 4
> > >
> > > +
> > >
> > > [UserExtensions.TianoCore."ExtraFiles"]
> > >
> > > SecurityPkgExtra.uni
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.dsc
> > > b/SecurityPkg/SecurityPkg.dsc index a2eeadda7a7e..86a5847e2509
> > > 100644
> > > --- a/SecurityPkg/SecurityPkg.dsc
> > > +++ b/SecurityPkg/SecurityPkg.dsc
> > > @@ -1,7 +1,7 @@
> > > ## @file
> > >
> > > # Security Module Package for All Architectures.
> > >
> > > #
> > >
> > > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> > > reserved.<BR>
> > >
> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > # (C) Copyright 2015 Hewlett Packard Enterprise Development
> > > LP<BR>
> > >
> > > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > #
> > >
> > > @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
> > >
> > > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.
> > > inf
> > >
> > >
> > > Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenc
> > > Tcg2PhysicalPresenceLib|eL
> > > Tcg2PhysicalPresenceLib|ib
> > > Tcg2PhysicalPresenceLib|/PeiTc
> > > g2PhysicalPresenceLib.inf
> > >
> > > RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
> > >
> > > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > >
> > >
> > >
> > > [LibraryClasses.common.DXE_DRIVER]
> > >
> > > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
> > >
> > > @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER]
> > >
> > > Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLi
> > > Tpm12DeviceLib|bT
> > > Tpm12DeviceLib|cg
> > > Tpm12DeviceLib|.i
> > > nf
> > >
> > >
> > > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.
> > > Tpm2DeviceLib|in
> > > f
> > >
> > >
> > > FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerL
> > > FileExplorerLib|ib
> > > FileExplorerLib|.i
> > > nf
> > >
> > > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > >
> > >
> > >
> > > [LibraryClasses.common.UEFI_DRIVER,
> > > LibraryClasses.common.DXE_RUNTIME_DRIVER,
> > > LibraryClasses.common.DXE_SAL_DRIVER,]
> > >
> > > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
> > >
> > > @@ -211,6 +213,12 @@ [Components]
> > >
> > >
> > > SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
> > >
> > >
> > >
> > > + #
> > >
> > > + # Unified Hash API
> > >
> > > + #
> > >
> > > + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > >
> > > + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > >
> > > +
> > >
> > > #
> > >
> > > # TCG Storage.
> > >
> > > #
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.uni
> > > b/SecurityPkg/SecurityPkg.uni index 68587304d779..32ef97f81461
> > > 100644
> > > --- a/SecurityPkg/SecurityPkg.uni
> > > +++ b/SecurityPkg/SecurityPkg.uni
> > > @@ -5,7 +5,7 @@
> > > // It also provides the definitions(including
> > > PPIs/PROTOCOLs/GUIDs and library
> > > classes)
> > >
> > > // and libraries instances, which are used for those features.
> > >
> > > //
> > >
> > > -// Copyright (c) 2009 - 2018, Intel Corporation. All rights
> > > reserved.<BR>
> > >
> > > +// Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > //
> > >
> > > // SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > //
> > >
> > > @@ -295,3 +295,16 @@
> > >
> > >
> > > #string
> > > STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP
> > > #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
> > >
> > >
> > > "0 means this field is unsupported\n"
> > >
> > > +
> > >
> > >
> > > +
> > > #string
> > > STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> > > #language en-US "HASH algorithm to verify unsigned PE/COFF image"
> > >
> > > +
> > >
> > > +#string
> > > +STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> > > #language en-US "This PCD indicates the HASH algorithm used by
> > > Unified Hash API.<BR><BR>\n"
> > >
> > > +
> > > + "Based on the value set, the
> > > required algorithm is chosen to calculate\n"
> > >
> > > + "the hash desired.<BR>\n"
> > >
> > > + "0x00000001 - MD4.<BR>\n"
> > >
> > > + "0x00000002 - MD5.<BR>\n"
> > >
> > > + "0x00000003 - SHA1.<BR>\n"
> > >
> > > +
> > > + "0x00000004 -
> > > SHA256.<BR>\n"
> > >
> > > +
> > > + "0x00000005 -
> > > SHA384.<BR>\n"
> > >
> > > +
> > > + "0x00000006 -
> > > SHA512.<BR>\n"
> > >
> > > + "0x00000007 - SM3.<BR>"
> > >
> > > --
> > > 2.16.2.windows.1
> >
> >
> >
> >
> >
>
>
>
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
2020-01-16 16:58 ` Sukerkar, Amol N
@ 2020-01-17 0:31 ` Liming Gao
2020-01-17 3:47 ` Sukerkar, Amol N
0 siblings, 1 reply; 12+ messages in thread
From: Liming Gao @ 2020-01-17 0:31 UTC (permalink / raw)
To: Sukerkar, Amol N, devel@edk2.groups.io, Wang, Jian J
Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas
Amol:
I just add it into edk2 2020 Q1 stable tag feature planning.
Thanks
Liming
-----Original Message-----
From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
Sent: 2020年1月17日 0:58
To: Gao, Liming <liming.gao@intel.com>; devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>; Sukerkar, Amol N <amol.n.sukerkar@intel.com>
Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
Sure, Liming! Please add edk2 2020 Q1 stable tag to this feature. I will follow the schedule.
Thanks,
Amol
-----Original Message-----
From: Gao, Liming <liming.gao@intel.com>
Sent: Wednesday, January 15, 2020 9:36 PM
To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
If this change plans to catch edk2 2020 Q1 stable tag, I will add it into https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
Then, you need to follow Q1 stable tag schedule to finish this change.
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Thursday, January 16, 2020 12:27 PM
> To: devel@edk2.groups.io; Gao, Liming <liming.gao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> Musti, Srinivas <srinivas.musti@intel.com>; Sukerkar, Amol N
> <amol.n.sukerkar@intel.com>
> Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> Implement Unified Hash Calculation API
>
> Thanks, Liming! How do I find out if it catches EDK 2020 Q1 stable tag?
>
> ~ Amol
>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Liming
> Gao
> Sent: Wednesday, January 15, 2020 8:39 PM
> To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> Musti, Srinivas <srinivas.musti@intel.com>
> Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> Implement Unified Hash Calculation API
>
> Yes. Does it catch EDK2 2020 Q1 stable tag?
>
> > -----Original Message-----
> > From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > Sent: Thursday, January 16, 2020 7:02 AM
> > To: Gao, Liming <liming.gao@intel.com>; devel@edk2.groups.io; Wang,
> > Jian J <jian.j.wang@intel.com>
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> > Musti, Srinivas <srinivas.musti@intel.com>; Sukerkar, Amol N
> > <amol.n.sukerkar@intel.com>
> > Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> > Implement Unified Hash Calculation API
> >
> > Hi Liming,
> >
> > We already have a ticket filed in Bugzilla, https://bugzilla.tianocore.org/show_bug.cgi?id=2151. Would this be sufficient?
> >
> > Thanks,
> > Amol
> >
> > -----Original Message-----
> > From: Gao, Liming <liming.gao@intel.com>
> > Sent: Tuesday, January 14, 2020 8:47 PM
> > To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>;
> > Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> > Musti, Srinivas <srinivas.musti@intel.com>
> > Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> > Implement Unified Hash Calculation API
> >
> > Amol:
> > This is new feature. Please submit BZ
> > (https://bugzilla.tianocore.org/) to track it. If this feature catches edk2 2020 Q1 stable tag, I will add it into edk2 feature planning.
> >
> > Thanks
> > Liming
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wang,
> > Jian J
> > Sent: 2020年1月15日 11:14
> > To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> > devel@edk2.groups.io
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> > Musti, Srinivas <srinivas.musti@intel.com>
> > Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> > Implement Unified Hash Calculation API
> >
> > Amol,
> >
> > 1. Your patch doesn't support hashing more than one algorithm at the same time.
> > Is this on purpose? Sorry I don't remember the conclusion in last discussion.
> > 2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h.
> > You can use BaseTools\Scripts\PatchCheck.py to check it before sending patch.
> >
> > See my other comments below.
> >
> > > -----Original Message-----
> > > From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > > Sent: Tuesday, January 14, 2020 11:41 PM
> > > To: devel@edk2.groups.io
> > > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > > <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> > > Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas
> > > <srinivas.musti@intel.com>
> > > Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified
> > > Hash Calculation API
> > >
> > > This commit introduces a Unified Hash API to calculate hash using
> > > a hashing algorithm specified by the PCD, PcdSystemHashPolicy.
> > > This library interfaces with the various hashing API, such as,
> > > MD4, MD5, SHA1, SHA256,
> > > SHA512 and SM3_256 implemented in CryptoPkg. The user can
> > > calculate the desired hash by setting PcdSystemHashPolicy to appropriate value.
> > >
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > > ---
> > >
> > > Notes:
> > > v2:
> > > - Fixed the commit message format
> > >
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252
> > > ++++++++++++++++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
> > > SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
> > > SecurityPkg/SecurityPkg.dec | 23 +-
> > > SecurityPkg/SecurityPkg.dsc | 10 +-
> > > SecurityPkg/SecurityPkg.uni | 15 +-
> > > 12 files changed, 833 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > > new file mode 100644
> > > index 000000000000..f8742e55b5f7
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > > @@ -0,0 +1,252 @@
> > > +/** @file
> > >
> > > + Implement image verification services for secure boot service
> > >
> > > +
> > >
> > > + Caution: This file requires additional review when modified.
> > >
> > > + This library will have external input - PE/COFF image.
> > >
> > > + This external input must be validated carefully to avoid
> > > + security issue like
> > >
> > > + buffer overflow, integer overflow.
> > >
> > > +
> > >
> > > + DxeImageVerificationLibImageRead() function will make sure the
> > > + PE/COFF
> > > image content
> > >
> > > + read is within the image buffer.
> > >
> > > +
> > >
> > > + DxeImageVerificationHandler(), HashPeImageByType(),
> > > + HashPeImage()
> > > function will accept
> > >
> > > + untrusted PE/COFF image and validate its data structure within
> > > + this image
> > > buffer before use.
> > >
> > > +
> > >
> > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> > >
> > > +This program and the accompanying materials
> > >
> > > +are licensed and made available under the terms and conditions of
> > > +the BSD
> > > License
> > >
> > > +which accompanies this distribution. The full text of the
> > > +license may be found
> > > at
> > >
> > > +http://opensource.org/licenses/bsd-license.php
> > >
> > > +
> > >
> > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > > +BASIS,
> > >
> > > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> > > OR IMPLIED.
> > >
> > > +
> > >
> > > +**/
> > >
> > > +
> > >
> > > +#include <Library/BaseLib.h>
> > >
> > > +#include <Library/BaseMemoryLib.h>
> > >
> > > +#include <Library/MemoryAllocationLib.h>
> > >
> > > +#include <Library/BaseCryptLib.h>
> > >
> > > +#include <Library/DebugLib.h>
> > >
> > > +#include <Library/PcdLib.h>
> > >
> > > +#include <Library/BaseHashLib.h>
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Init hash sequence with Hash Algorithm specified by HashPolicy.
> > >
> > > +
> > >
> > > + @param HashPolicy Hash Algorithm Policy.
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > +
> > >
> > > + @retval TRUE Hash start and HashHandle returned.
> > >
> > > + @retval FALSE Hash Init unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashInitInternal (
> > >
> > > + IN UINT8 HashPolicy,
> > >
> > > + OUT HASH_HANDLE *HashHandle
> > >
> > > + )
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + VOID *HashCtx;
> > >
> > > + UINTN CtxSize;
> > >
> > > +
> > >
> > > + switch (HashPolicy) {
> > >
> > > + case HASH_MD4:
> > >
> > > + CtxSize = Md4GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Md4Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_MD5:
> > >
> > > + CtxSize = Md5GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Md5Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA1:
> > >
> > > + CtxSize = Sha1GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha1Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA256:
> > >
> > > + CtxSize = Sha256GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha256Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA384:
> > >
> > > + CtxSize = Sha384GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha384Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA512:
> > >
> > > + CtxSize = Sha512GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha512Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SM3_256:
> > >
> > > + CtxSize = Sm3GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sm3Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + default:
> > >
> > > + ASSERT (FALSE);
> > >
> > > + break;
> > >
> > > + }
> > >
> > > +
> >
> > 3. Instead of switch..case, using a global array to defines all
> > supported interfaces would be more efficient, since you can value of PcdSystemHashPolicy to index them directly.
> >
> > >
> > > + *HashHandle = (HASH_HANDLE)HashCtx;
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Update hash data with Hash Algorithm specified by HashPolicy.
> > >
> > > +
> > >
> > > + @param HashPolicy Hash Algorithm Policy.
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param DataToHash Data to be hashed.
> > >
> > > + @param DataToHashLen Data size.
> > >
> > > +
> > >
> > > + @retval TRUE Hash updated.
> > >
> > > + @retval FALSE Hash updated unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashUpdateInternal (
> > >
> > > + IN UINT8 HashPolicy,
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + IN VOID *DataToHash,
> > >
> > > + IN UINTN DataToHashLen
> > >
> > > + )
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + VOID *HashCtx;
> > >
> > > +
> > >
> > > + HashCtx = (VOID *)HashHandle;
> > >
> > > +
> > >
> > > + switch (HashPolicy) {
> > >
> > > + case HASH_MD4:
> > >
> > > + Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_MD5:
> > >
> > > + Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA1:
> > >
> > > + Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA256:
> > >
> > > + Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA384:
> > >
> > > + Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA512:
> > >
> > > + Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SM3_256:
> > >
> > > + Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + default:
> > >
> > > + ASSERT (FALSE);
> > >
> > > + break;
> > >
> > > + }
> > >
> >
> > 4. The same as 3
> >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Hash complete with Hash Algorithm specified by HashPolicy.
> > >
> > > +
> > >
> > > + @param HashPolicy Hash Algorithm Policy.
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param Digest Hash Digest.
> > >
> > > +
> > >
> > > + @retval TRUE Hash complete and Digest is returned.
> > >
> > > + @retval FALSE Hash complete unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashFinalInternal (
> > >
> > > + IN UINT8 HashPolicy,
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + OUT UINT8 **Digest
> > >
> > > + )
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + VOID *HashCtx;
> > >
> > > + UINT8 DigestData[SHA512_DIGEST_SIZE];
> > >
> > > +
> > >
> > > + HashCtx = (VOID *)HashHandle;
> > >
> > > +
> > >
> > > + switch (HashPolicy) {
> > >
> > > + case HASH_MD4:
> > >
> > > + Status = Md4Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_MD5:
> > >
> > > + Status = Md5Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA1:
> > >
> > > + Status = Sha1Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA256:
> > >
> > > + Status = Sha256Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA384:
> > >
> > > + Status = Sha384Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA512:
> > >
> > > + Status = Sha512Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SM3_256:
> > >
> > > + Status = Sm3Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + default:
> > >
> > > + ASSERT (FALSE);
> > >
> > > + break;
> > >
> >
> > 5. The same as 3
> >
> > > + }
> > >
> > > +
> > >
> > > + FreePool (HashCtx);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > > new file mode 100644
> > > index 000000000000..ea22cfe16e2f
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > > @@ -0,0 +1,122 @@
> > > +/** @file
> > >
> > > + This library is Unified Hash API. It will redirect hash request
> > > + to
> > >
> > > + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> > > + SHA256,
> > >
> > > + SHA384 and SM3...
> > >
> > > +
> > >
> > > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> > > +<BR>
> > >
> > > +SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +
> > >
> > > +**/
> > >
> > > +
> > >
> > > +
> > >
> > > +#include <Library/BaseLib.h>
> > >
> > > +#include <Library/BaseMemoryLib.h>
> > >
> > > +#include <Library/MemoryAllocationLib.h>
> > >
> > > +#include <Library/DebugLib.h>
> > >
> > > +#include <Library/PcdLib.h>
> > >
> > > +#include <Library/BaseHashLib.h>
> > >
> > > +
> > >
> > > +#include "BaseHashLibCommon.h"
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Init hash sequence.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > +
> > >
> > > + @retval TRUE Hash start and HashHandle returned.
> > >
> > > + @retval FALSE Hash Init unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiInit (
> > >
> > > + OUT HASH_HANDLE *HashHandle
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > + HASH_HANDLE Handle;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashInitInternal (HashPolicy, &Handle);
> > >
> > > +
> > >
> > > + *HashHandle = Handle;
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Update hash data.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param DataToHash Data to be hashed.
> > >
> > > + @param DataToHashLen Data size.
> > >
> > > +
> > >
> > > + @retval TRUE Hash updated.
> > >
> > > + @retval FALSE Hash updated unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiUpdate (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + IN VOID *DataToHash,
> > >
> > > + IN UINTN DataToHashLen
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashUpdateInternal (HashPolicy, HashHandle,
> > > + DataToHash,
> > > DataToHashLen);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Hash complete.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param Digest Hash Digest.
> > >
> > > +
> > >
> > > + @retval TRUE Hash complete and Digest is returned.
> > >
> > > + @retval FALSE Hash complete unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiFinal (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + OUT UINT8 *Digest
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + The constructor function of BaseHashLib Dxe.
> > >
> > > +
> > >
> > > + @param FileHandle The handle of FFS header the loaded driver.
> > >
> > > + @param PeiServices The pointer to the PEI services.
> > >
> > > +
> > >
> > > + @retval EFI_SUCCESS The constructor executes successfully.
> > >
> > > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for
> > > + the
> > > constructor.
> > >
> > > +
> > >
> > > +**/
> > >
> > > +EFI_STATUS
> > >
> > > +EFIAPI
> > >
> > > +BaseHashLibApiDxeConstructor (
> > >
> > > + IN EFI_HANDLE ImageHandle,
> > >
> > > + IN EFI_SYSTEM_TABLE *SystemTable
> > >
> > > + )
> > >
> > > +{
> > >
> > > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor..
> > > + \n"));
> > >
> > > +
> > >
> > > + return EFI_SUCCESS;
> > >
> > > +}
> >
> > 6. Constructor is not necessary if you don't have anything to do with it.
> > You can remove it from inf file and here.
> >
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > > new file mode 100644
> > > index 000000000000..580ac21fc1d9
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > > @@ -0,0 +1,125 @@
> > > +/** @file
> > >
> > > + This library is Unified Hash API. It will redirect hash request
> > > + to
> > >
> > > + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> > > + SHA256,
> > >
> > > + SHA384 and SM3...
> > >
> > > +
> > >
> > > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> > > +<BR>
> > >
> > > +SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +
> > >
> > > +**/
> > >
> > > +
> > >
> > > +
> > >
> > > +#include <Library/BaseLib.h>
> > >
> > > +#include <Library/BaseMemoryLib.h>
> > >
> > > +#include <Library/MemoryAllocationLib.h>
> > >
> > > +#include <Library/DebugLib.h>
> > >
> > > +#include <Library/PcdLib.h>
> > >
> > > +#include <Library/HashLib.h>
> > >
> > > +#include <Library/HobLib.h>
> > >
> > > +#include <Guid/ZeroGuid.h>
> > >
> > > +
> > >
> > > +#include <Library/BaseHashLib.h>
> > >
> > > +#include "BaseHashLibCommon.h"
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Init hash sequence.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > +
> > >
> > > + @retval TRUE Hash start and HashHandle returned.
> > >
> > > + @retval FALSE Hash Init unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiInit (
> > >
> > > + OUT HASH_HANDLE *HashHandle
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > + HASH_HANDLE Handle;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashInitInternal (HashPolicy, &Handle);
> > >
> > > +
> > >
> > > + *HashHandle = Handle;
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Update hash data.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param DataToHash Data to be hashed.
> > >
> > > + @param DataToHashLen Data size.
> > >
> > > +
> > >
> > > + @retval TRUE Hash updated.
> > >
> > > + @retval FALSE Hash updated unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiUpdate (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + IN VOID *DataToHash,
> > >
> > > + IN UINTN DataToHashLen
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashUpdateInternal (HashPolicy, HashHandle,
> > > + DataToHash,
> > > DataToHashLen);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Hash complete.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param Digest Hash Digest.
> > >
> > > +
> > >
> > > + @retval TRUE Hash complete and Digest is returned.
> > >
> > > + @retval FALSE Hash complete unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiFinal (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + OUT UINT8 *Digest
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + The constructor function of BaseHashLib Pei.
> > >
> > > +
> > >
> > > + @param FileHandle The handle of FFS header the loaded driver.
> > >
> > > + @param PeiServices The pointer to the PEI services.
> > >
> > > +
> > >
> > > + @retval EFI_SUCCESS The constructor executes successfully.
> > >
> > > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for
> > > + the
> > > constructor.
> > >
> > > +
> > >
> > > +**/
> > >
> > > +EFI_STATUS
> > >
> > > +EFIAPI
> > >
> > > +BaseHashLibApiPeiConstructor (
> > >
> > > + IN EFI_PEI_FILE_HANDLE FileHandle,
> > >
> > > + IN CONST EFI_PEI_SERVICES **PeiServices
> > >
> > > + )
> > >
> > > +{
> > >
> > > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor..
> > > + \n"));
> > >
> > > +
> > >
> > > + return EFI_SUCCESS;
> > >
> > > +}
> >
> > 7. The same as 6
> >
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Include/Library/BaseHashLib.h
> > > b/SecurityPkg/Include/Library/BaseHashLib.h
> > > new file mode 100644
> > > index 000000000000..e1883fe7ce41
> > > --- /dev/null
> > > +++ b/SecurityPkg/Include/Library/BaseHashLib.h
> > > @@ -0,0 +1,84 @@
> > > +/** @file
> > > + The internal header file includes the common header files,
> > > +defines
> > > + internal structure and functions used by ImageVerificationLib.
> > > +
> > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR> This program and the accompanying materials are
> > > +licensed and made available under the terms and conditions of the
> > > +BSD
> > > License
> > > +which accompanies this distribution. The full text of the
> > > +license may be found
> > > at
> > > +http://opensource.org/licenses/bsd-license.php
> > > +
> > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > > +BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> > > +EXPRESS
> > > OR IMPLIED.
> > > +
> > > +**/
> > > +
> > > +#ifndef __BASEHASHLIB_H_
> > > +#define __BASEHASHLIB_H_
> > > +
> > > +#include <Uefi.h>
> > > +#include <Protocol/Hash.h>
> > > +#include <Library/HashLib.h>
> > > +
> > > +//
> > > +// Hash Algorithms
> > > +//
> > > +#define HASH_DEFAULT 0x00000000
> > > +#define HASH_MD4 0x00000001
> > > +#define HASH_MD5 0x00000002
> > > +#define HASH_SHA1 0x00000003
> > > +#define HASH_SHA256 0x00000004
> > > +#define HASH_SHA384 0x00000005
> > > +#define HASH_SHA512 0x00000006
> > > +#define HASH_SM3_256 0x00000007
> > > +
> > > +
> > > +/**
> > > + Init hash sequence.
> > > +
> > > + @param HashHandle Hash handle.
> > > +
> > > + @retval TRUE Hash start and HashHandle returned.
> > > + @retval FALSE Hash Init unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiInit (
> > > + OUT HASH_HANDLE *HashHandle
> > > +);
> > > +
> > > +/**
> > > + Update hash data.
> > > +
> > > + @param HashHandle Hash handle.
> > > + @param DataToHash Data to be hashed.
> > > + @param DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiUpdate (
> > > + IN HASH_HANDLE HashHandle,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > +);
> > > +
> > > +/**
> > > + Hash complete.
> > > +
> > > + @param HashHandle Hash handle.
> > > + @param Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiFinal (
> > > + IN HASH_HANDLE HashHandle,
> > > + OUT UINT8 *Digest
> > > +);
> > > +
> > > +#endif
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > > new file mode 100644
> > > index 000000000000..776b74ad753b
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > > @@ -0,0 +1,71 @@
> > > +/** @file
> > > + The internal header file includes the common header files,
> > > +defines
> > > + internal structure and functions used by ImageVerificationLib.
> > > +
> > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR> This program and the accompanying materials are
> > > +licensed and made available under the terms and conditions of the
> > > +BSD
> > > License
> > > +which accompanies this distribution. The full text of the
> > > +license may be found
> > > at
> > > +http://opensource.org/licenses/bsd-license.php
> > > +
> > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > > +BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> > > +EXPRESS
> > > OR IMPLIED.
> > > +
> > > +**/
> > > +
> > > +#ifndef __BASEHASHLIB_COMMON_H_
> > > +#define __BASEHASHLIB_COMMON_H_
> > > +
> > > +/**
> > > + Init hash sequence with Hash Algorithm specified by HashPolicy.
> > > +
> > > + @param HashHandle Hash handle.
> > > +
> > > + @retval EFI_SUCCESS Hash start and HashHandle returned.
> > > + @retval EFI_UNSUPPORTED System has no HASH library registered.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashInitInternal (
> > > + IN UINT8 HashPolicy,
> > > + OUT HASH_HANDLE *HashHandle
> > > + );
> > > +
> > > +/**
> > > + Hash complete with Hash Algorithm specified by HashPolicy.
> > > +
> > > + @param HashPolicy Hash Algorithm Policy.
> > > + @param HashHandle Hash handle.
> > > + @param Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashUpdateInternal (
> > > + IN UINT8 HashPolicy,
> > > + IN HASH_HANDLE HashHandle,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > + );
> > > +
> > > +/**
> > > + Update hash data with Hash Algorithm specified by HashPolicy.
> > > +
> > > + @param HashPolicy Hash Algorithm Policy.
> > > + @param HashHandle Hash handle.
> > > + @param DataToHash Data to be hashed.
> > > + @param DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashFinalInternal (
> > > + IN UINT8 HashPolicy,
> > > + IN HASH_HANDLE HashHandle,
> > > + OUT UINT8 **Digest
> > > + );
> > > +#endif
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > > new file mode 100644
> > > index 000000000000..f97bda06108f
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > > @@ -0,0 +1,47 @@
> > > +## @file
> > >
> > > +# Provides hash service by registered hash handler
> > >
> > > +#
> > >
> > > +# This library is Base Hash Lib. It will redirect hash request
> > > +to each individual
> > >
> > > +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.
> > >
> > > +#
> > >
> > > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +#
> > >
> > > +##
> > >
> > > +
> > >
> > > +[Defines]
> > >
> > > + INF_VERSION = 0x00010005
> > >
> > > + BASE_NAME = BaseHashLibDxe
> > >
> > > + MODULE_UNI_FILE = BaseHashLibDxe.uni
> > >
> > > + FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
> > >
> > > + MODULE_TYPE = DXE_DRIVER
> > >
> > > + VERSION_STRING = 1.0
> > >
> > > + LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> > > DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
> > >
> > > + CONSTRUCTOR = BaseHashLibApiDxeConstructor
> >
> > 8. Since the above function is actually empty, you can remove above line and
> > function in c file.
> >
> > >
> > > +
> > >
> > > +#
> > >
> > > +# The following information is for reference only and not
> > > +required by the build
> > > tools.
> > >
> > > +#
> > >
> > > +# VALID_ARCHITECTURES = IA32 X64
> > >
> > > +#
> > >
> > > +
> > >
> > > +[Sources]
> > >
> > > + BaseHashLibCommon.h
> > >
> > > + BaseHashLibCommon.c
> > >
> > > + BaseHashLibDxe.c
> > >
> > > +
> > >
> > > +[Packages]
> > >
> > > + MdePkg/MdePkg.dec
> > >
> > > + CryptoPkg/CryptoPkg.dec
> > >
> > > + SecurityPkg/SecurityPkg.dec
> > >
> > > +
> > >
> > > +[LibraryClasses]
> > >
> > > + BaseLib
> > >
> > > + BaseMemoryLib
> > >
> > > + DebugLib
> > >
> > > + MemoryAllocationLib
> > >
> > > + BaseCryptLib
> > >
> > > + PcdLib
> > >
> > > +
> > >
> > > +[Pcd]
> > >
> > > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > > new file mode 100644
> > > index 000000000000..1865773b4a25
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > > @@ -0,0 +1,18 @@
> > > +// /** @file
> > >
> > > +// Provides hash service by registered hash handler
> > >
> > > +//
> > >
> > > +// This library is Unified Hash API. It will redirect hash
> > > +request to each individual
> > >
> > > +// hash handler registered, such as SHA1, SHA256. Platform can
> > > +use
> > > PcdTpm2HashMask to
> > >
> > > +// mask some hash engines.
> > >
> > > +//
> > >
> > > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +//
> > >
> > > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +//
> > >
> > > +// **/
> > >
> > > +
> > >
> > > +
> > >
> > > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> > > service by specified hash handler"
> > >
> > > +
> > >
> > > +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> > > Unified Hash API. It will redirect hash request to the hash
> > > handler specified by PcdSystemHashPolicy."
> > >
> > > +
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > > new file mode 100644
> > > index 000000000000..4d36030744bd
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > > @@ -0,0 +1,52 @@
> > > +## @file
> > >
> > > +# Provides hash service by registered hash handler
> > >
> > > +#
> > >
> > > +# This library is BaseCrypto router. It will redirect hash
> > > +request to each
> > > individual
> > >
> > > +# hash handler registered, such as SHA1, SHA256.
> > >
> > > +#
> > >
> > > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +#
> > >
> > > +##
> > >
> > > +
> > >
> > > +[Defines]
> > >
> > > + INF_VERSION = 0x00010005
> > >
> > > + BASE_NAME = BaseHashLibPei
> > >
> > > + MODULE_UNI_FILE = BaseHashLibPei.uni
> > >
> > > + FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
> > >
> > > + MODULE_TYPE = PEIM
> > >
> > > + VERSION_STRING = 1.0
> > >
> > > + LIBRARY_CLASS = BaseHashLib|PEIM
> > >
> > > + CONSTRUCTOR = BaseHashLibApiPeiConstructor
> > >
> >
> > 9. The same as 8
> >
> > > +
> > >
> > > +#
> > >
> > > +# The following information is for reference only and not
> > > +required by the build
> > > tools.
> > >
> > > +#
> > >
> > > +# VALID_ARCHITECTURES = IA32 X64
> > >
> > > +#
> > >
> > > +
> > >
> > > +[Sources]
> > >
> > > + BaseHashLibCommon.h
> > >
> > > + BaseHashLibCommon.c
> > >
> > > + BaseHashLibPei.c
> > >
> > > +
> > >
> > > +[Packages]
> > >
> > > + MdePkg/MdePkg.dec
> > >
> > > + SecurityPkg/SecurityPkg.dec
> > >
> > > + CryptoPkg/CryptoPkg.dec
> > >
> > > + MdeModulePkg/MdeModulePkg.dec
> > >
> > > +
> > >
> > > +[LibraryClasses]
> > >
> > > + BaseLib
> > >
> > > + BaseMemoryLib
> > >
> > > + DebugLib
> > >
> > > + MemoryAllocationLib
> > >
> > > + BaseCryptLib
> > >
> > > + PcdLib
> > >
> > > +
> > >
> > > +[Guids]
> > >
> > > + ## SOMETIMES_CONSUMES ## GUID
> > >
> > > + gZeroGuid
> > >
> > > +
> > >
> > > +[Pcd]
> > >
> > > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > > new file mode 100644
> > > index 000000000000..2131b61bd235
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > > @@ -0,0 +1,17 @@
> > > +// /** @file
> > >
> > > +// Provides hash service by registered hash handler
> > >
> > > +//
> > >
> > > +// This library is Unified Hash API. It will redirect hash
> > > +request to each individual
> > >
> > > +// hash handler registered, such as SHA1, SHA256.
> > >
> > > +//
> > >
> > > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +//
> > >
> > > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +//
> > >
> > > +// **/
> > >
> > > +
> > >
> > > +
> > >
> > > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> > > service by specified hash handler"
> > >
> > > +
> > >
> > > +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> > > Unified Hash API. It will redirect hash request to the hash
> > > handler specified by PcdSystemHashPolicy."
> > >
> > > +
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.dec
> > > b/SecurityPkg/SecurityPkg.dec index cac36caf0a0d..e0e144124ddd
> > > 100644
> > > --- a/SecurityPkg/SecurityPkg.dec
> > > +++ b/SecurityPkg/SecurityPkg.dec
> > > @@ -5,7 +5,7 @@
> > > # It also provides the definitions(including
> > > PPIs/PROTOCOLs/GUIDs and library
> > > classes)
> > >
> > > # and libraries instances, which are used for those features.
> > >
> > > #
> > >
> > > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> > > reserved.<BR>
> > >
> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
> > > <BR>
> > >
> > > # Copyright (c) 2017, Microsoft Corporation. All rights reserved.
> > > <BR>
> > >
> > > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > @@ -27,6 +27,10 @@ [LibraryClasses]
> > > #
> > >
> > > HashLib|Include/Library/HashLib.h
> > >
> > >
> > >
> > > + ## @libraryclass Provides hash interfaces from different implementations.
> > >
> > > + #
> > >
> > > + BaseHashLib|Include/Library/HashLib.h
> > >
> > > +
> > >
> > > ## @libraryclass Provides a platform specific interface to
> > > detect physically present user.
> > >
> > > #
> > >
> > > PlatformSecureLib|Include/Library/PlatformSecureLib.h
> > >
> > > @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx]
> > > # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
> > >
> > >
> > > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x0001
> > > 00
> > > 23
> > >
> > >
> > >
> > > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic,
> > > +PcdsDynamicEx]
> > >
> > > + ## This PCD indicates the HASH algorithm to verify unsigned
> > > + PE/COFF image
> > >
> > > + # Based on the value set, the required algorithm is chosen to
> > > + verify
> > >
> > > + # the unsigned image during Secure Boot.<BR>
> > >
> > > + # The hashing algorithm selected must match the hashing
> > > + algorithm used to
> > >
> > > + # hash the image to be added to DB using tools such as
> > > + KeyEnroll.<BR>
> > >
> > > + # 0x00000001 - MD4.<BR>
> > >
> > > + # 0x00000002 - MD5.<BR>
> > >
> > > + # 0x00000003 - SHA1.<BR>
> > >
> > > + # 0x00000004 - SHA256.<BR>
> > >
> > > + # 0x00000005 - SHA384.<BR>
> > >
> > > + # 0x00000006 - SHA512.<BR>
> > >
> > > + # 0x00000007 - SM3_256.<BR>
> > >
> > > + # @Prompt Set policy for hashing unsigned image for Secure Boot.
> > >
> > > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > >
> > > +
> > > gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x000
> > > 10
> > > 02
> > > 4
> > >
> > > +
> > >
> > > [UserExtensions.TianoCore."ExtraFiles"]
> > >
> > > SecurityPkgExtra.uni
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.dsc
> > > b/SecurityPkg/SecurityPkg.dsc index a2eeadda7a7e..86a5847e2509
> > > 100644
> > > --- a/SecurityPkg/SecurityPkg.dsc
> > > +++ b/SecurityPkg/SecurityPkg.dsc
> > > @@ -1,7 +1,7 @@
> > > ## @file
> > >
> > > # Security Module Package for All Architectures.
> > >
> > > #
> > >
> > > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> > > reserved.<BR>
> > >
> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > # (C) Copyright 2015 Hewlett Packard Enterprise Development
> > > LP<BR>
> > >
> > > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > #
> > >
> > > @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
> > >
> > > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.
> > > inf
> > >
> > >
> > > Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenc
> > > Tcg2PhysicalPresenceLib|eL
> > > Tcg2PhysicalPresenceLib|ib
> > > Tcg2PhysicalPresenceLib|/PeiTc
> > > g2PhysicalPresenceLib.inf
> > >
> > > RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
> > >
> > > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > >
> > >
> > >
> > > [LibraryClasses.common.DXE_DRIVER]
> > >
> > > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
> > >
> > > @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER]
> > >
> > > Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLi
> > > Tpm12DeviceLib|bT
> > > Tpm12DeviceLib|cg
> > > Tpm12DeviceLib|.i
> > > nf
> > >
> > >
> > > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.
> > > Tpm2DeviceLib|in
> > > f
> > >
> > >
> > > FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerL
> > > FileExplorerLib|ib
> > > FileExplorerLib|.i
> > > nf
> > >
> > > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > >
> > >
> > >
> > > [LibraryClasses.common.UEFI_DRIVER,
> > > LibraryClasses.common.DXE_RUNTIME_DRIVER,
> > > LibraryClasses.common.DXE_SAL_DRIVER,]
> > >
> > > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
> > >
> > > @@ -211,6 +213,12 @@ [Components]
> > >
> > >
> > > SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
> > >
> > >
> > >
> > > + #
> > >
> > > + # Unified Hash API
> > >
> > > + #
> > >
> > > + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > >
> > > + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > >
> > > +
> > >
> > > #
> > >
> > > # TCG Storage.
> > >
> > > #
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.uni
> > > b/SecurityPkg/SecurityPkg.uni index 68587304d779..32ef97f81461
> > > 100644
> > > --- a/SecurityPkg/SecurityPkg.uni
> > > +++ b/SecurityPkg/SecurityPkg.uni
> > > @@ -5,7 +5,7 @@
> > > // It also provides the definitions(including
> > > PPIs/PROTOCOLs/GUIDs and library
> > > classes)
> > >
> > > // and libraries instances, which are used for those features.
> > >
> > > //
> > >
> > > -// Copyright (c) 2009 - 2018, Intel Corporation. All rights
> > > reserved.<BR>
> > >
> > > +// Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > //
> > >
> > > // SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > //
> > >
> > > @@ -295,3 +295,16 @@
> > >
> > >
> > > #string
> > > STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP
> > > #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
> > >
> > >
> > > "0 means this field is unsupported\n"
> > >
> > > +
> > >
> > >
> > > +
> > > #string
> > > STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> > > #language en-US "HASH algorithm to verify unsigned PE/COFF image"
> > >
> > > +
> > >
> > > +#string
> > > +STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> > > #language en-US "This PCD indicates the HASH algorithm used by
> > > Unified Hash API.<BR><BR>\n"
> > >
> > > +
> > > + "Based on the value set, the
> > > required algorithm is chosen to calculate\n"
> > >
> > > + "the hash desired.<BR>\n"
> > >
> > > + "0x00000001 - MD4.<BR>\n"
> > >
> > > + "0x00000002 - MD5.<BR>\n"
> > >
> > > + "0x00000003 - SHA1.<BR>\n"
> > >
> > > +
> > > + "0x00000004 -
> > > SHA256.<BR>\n"
> > >
> > > +
> > > + "0x00000005 -
> > > SHA384.<BR>\n"
> > >
> > > +
> > > + "0x00000006 -
> > > SHA512.<BR>\n"
> > >
> > > + "0x00000007 - SM3.<BR>"
> > >
> > > --
> > > 2.16.2.windows.1
> >
> >
> >
> >
> >
>
>
>
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
2020-01-17 0:31 ` Liming Gao
@ 2020-01-17 3:47 ` Sukerkar, Amol N
0 siblings, 0 replies; 12+ messages in thread
From: Sukerkar, Amol N @ 2020-01-17 3:47 UTC (permalink / raw)
To: Gao, Liming, devel@edk2.groups.io, Wang, Jian J
Cc: Kinney, Michael D, Yao, Jiewen, Agrawal, Sachin, Musti, Srinivas,
Sukerkar, Amol N
Thanks, Liming!
~ Amol
-----Original Message-----
From: Gao, Liming <liming.gao@intel.com>
Sent: Thursday, January 16, 2020 5:31 PM
To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
Amol:
I just add it into edk2 2020 Q1 stable tag feature planning.
Thanks
Liming
-----Original Message-----
From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
Sent: 2020年1月17日 0:58
To: Gao, Liming <liming.gao@intel.com>; devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>; Sukerkar, Amol N <amol.n.sukerkar@intel.com>
Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
Sure, Liming! Please add edk2 2020 Q1 stable tag to this feature. I will follow the schedule.
Thanks,
Amol
-----Original Message-----
From: Gao, Liming <liming.gao@intel.com>
Sent: Wednesday, January 15, 2020 9:36 PM
To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas <srinivas.musti@intel.com>
Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API
If this change plans to catch edk2 2020 Q1 stable tag, I will add it into https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
Then, you need to follow Q1 stable tag schedule to finish this change.
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Thursday, January 16, 2020 12:27 PM
> To: devel@edk2.groups.io; Gao, Liming <liming.gao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> Musti, Srinivas <srinivas.musti@intel.com>; Sukerkar, Amol N
> <amol.n.sukerkar@intel.com>
> Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> Implement Unified Hash Calculation API
>
> Thanks, Liming! How do I find out if it catches EDK 2020 Q1 stable tag?
>
> ~ Amol
>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Liming
> Gao
> Sent: Wednesday, January 15, 2020 8:39 PM
> To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> Musti, Srinivas <srinivas.musti@intel.com>
> Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> Implement Unified Hash Calculation API
>
> Yes. Does it catch EDK2 2020 Q1 stable tag?
>
> > -----Original Message-----
> > From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > Sent: Thursday, January 16, 2020 7:02 AM
> > To: Gao, Liming <liming.gao@intel.com>; devel@edk2.groups.io; Wang,
> > Jian J <jian.j.wang@intel.com>
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> > Musti, Srinivas <srinivas.musti@intel.com>; Sukerkar, Amol N
> > <amol.n.sukerkar@intel.com>
> > Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> > Implement Unified Hash Calculation API
> >
> > Hi Liming,
> >
> > We already have a ticket filed in Bugzilla, https://bugzilla.tianocore.org/show_bug.cgi?id=2151. Would this be sufficient?
> >
> > Thanks,
> > Amol
> >
> > -----Original Message-----
> > From: Gao, Liming <liming.gao@intel.com>
> > Sent: Tuesday, January 14, 2020 8:47 PM
> > To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>;
> > Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> > Musti, Srinivas <srinivas.musti@intel.com>
> > Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> > Implement Unified Hash Calculation API
> >
> > Amol:
> > This is new feature. Please submit BZ
> > (https://bugzilla.tianocore.org/) to track it. If this feature catches edk2 2020 Q1 stable tag, I will add it into edk2 feature planning.
> >
> > Thanks
> > Liming
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wang,
> > Jian J
> > Sent: 2020年1月15日 11:14
> > To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> > devel@edk2.groups.io
> > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Agrawal, Sachin <sachin.agrawal@intel.com>;
> > Musti, Srinivas <srinivas.musti@intel.com>
> > Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib:
> > Implement Unified Hash Calculation API
> >
> > Amol,
> >
> > 1. Your patch doesn't support hashing more than one algorithm at the same time.
> > Is this on purpose? Sorry I don't remember the conclusion in last discussion.
> > 2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h.
> > You can use BaseTools\Scripts\PatchCheck.py to check it before sending patch.
> >
> > See my other comments below.
> >
> > > -----Original Message-----
> > > From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > > Sent: Tuesday, January 14, 2020 11:41 PM
> > > To: devel@edk2.groups.io
> > > Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > > <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> > > Agrawal, Sachin <sachin.agrawal@intel.com>; Musti, Srinivas
> > > <srinivas.musti@intel.com>
> > > Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified
> > > Hash Calculation API
> > >
> > > This commit introduces a Unified Hash API to calculate hash using
> > > a hashing algorithm specified by the PCD, PcdSystemHashPolicy.
> > > This library interfaces with the various hashing API, such as,
> > > MD4, MD5, SHA1, SHA256,
> > > SHA512 and SM3_256 implemented in CryptoPkg. The user can
> > > calculate the desired hash by setting PcdSystemHashPolicy to appropriate value.
> > >
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Signed-off-by: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > > ---
> > >
> > > Notes:
> > > v2:
> > > - Fixed the commit message format
> > >
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252
> > > ++++++++++++++++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++
> > > SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++
> > > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++
> > > SecurityPkg/SecurityPkg.dec | 23 +-
> > > SecurityPkg/SecurityPkg.dsc | 10 +-
> > > SecurityPkg/SecurityPkg.uni | 15 +-
> > > 12 files changed, 833 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > > new file mode 100644
> > > index 000000000000..f8742e55b5f7
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c
> > > @@ -0,0 +1,252 @@
> > > +/** @file
> > >
> > > + Implement image verification services for secure boot service
> > >
> > > +
> > >
> > > + Caution: This file requires additional review when modified.
> > >
> > > + This library will have external input - PE/COFF image.
> > >
> > > + This external input must be validated carefully to avoid
> > > + security issue like
> > >
> > > + buffer overflow, integer overflow.
> > >
> > > +
> > >
> > > + DxeImageVerificationLibImageRead() function will make sure the
> > > + PE/COFF
> > > image content
> > >
> > > + read is within the image buffer.
> > >
> > > +
> > >
> > > + DxeImageVerificationHandler(), HashPeImageByType(),
> > > + HashPeImage()
> > > function will accept
> > >
> > > + untrusted PE/COFF image and validate its data structure within
> > > + this image
> > > buffer before use.
> > >
> > > +
> > >
> > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> > >
> > > +This program and the accompanying materials
> > >
> > > +are licensed and made available under the terms and conditions of
> > > +the BSD
> > > License
> > >
> > > +which accompanies this distribution. The full text of the
> > > +license may be found
> > > at
> > >
> > > +http://opensource.org/licenses/bsd-license.php
> > >
> > > +
> > >
> > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > > +BASIS,
> > >
> > > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS
> > > OR IMPLIED.
> > >
> > > +
> > >
> > > +**/
> > >
> > > +
> > >
> > > +#include <Library/BaseLib.h>
> > >
> > > +#include <Library/BaseMemoryLib.h>
> > >
> > > +#include <Library/MemoryAllocationLib.h>
> > >
> > > +#include <Library/BaseCryptLib.h>
> > >
> > > +#include <Library/DebugLib.h>
> > >
> > > +#include <Library/PcdLib.h>
> > >
> > > +#include <Library/BaseHashLib.h>
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Init hash sequence with Hash Algorithm specified by HashPolicy.
> > >
> > > +
> > >
> > > + @param HashPolicy Hash Algorithm Policy.
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > +
> > >
> > > + @retval TRUE Hash start and HashHandle returned.
> > >
> > > + @retval FALSE Hash Init unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashInitInternal (
> > >
> > > + IN UINT8 HashPolicy,
> > >
> > > + OUT HASH_HANDLE *HashHandle
> > >
> > > + )
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + VOID *HashCtx;
> > >
> > > + UINTN CtxSize;
> > >
> > > +
> > >
> > > + switch (HashPolicy) {
> > >
> > > + case HASH_MD4:
> > >
> > > + CtxSize = Md4GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Md4Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_MD5:
> > >
> > > + CtxSize = Md5GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Md5Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA1:
> > >
> > > + CtxSize = Sha1GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha1Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA256:
> > >
> > > + CtxSize = Sha256GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha256Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA384:
> > >
> > > + CtxSize = Sha384GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha384Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA512:
> > >
> > > + CtxSize = Sha512GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sha512Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SM3_256:
> > >
> > > + CtxSize = Sm3GetContextSize ();
> > >
> > > + HashCtx = AllocatePool (CtxSize);
> > >
> > > + ASSERT (HashCtx != NULL);
> > >
> > > +
> > >
> > > + Status = Sm3Init (HashCtx);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + default:
> > >
> > > + ASSERT (FALSE);
> > >
> > > + break;
> > >
> > > + }
> > >
> > > +
> >
> > 3. Instead of switch..case, using a global array to defines all
> > supported interfaces would be more efficient, since you can value of PcdSystemHashPolicy to index them directly.
> >
> > >
> > > + *HashHandle = (HASH_HANDLE)HashCtx;
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Update hash data with Hash Algorithm specified by HashPolicy.
> > >
> > > +
> > >
> > > + @param HashPolicy Hash Algorithm Policy.
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param DataToHash Data to be hashed.
> > >
> > > + @param DataToHashLen Data size.
> > >
> > > +
> > >
> > > + @retval TRUE Hash updated.
> > >
> > > + @retval FALSE Hash updated unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashUpdateInternal (
> > >
> > > + IN UINT8 HashPolicy,
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + IN VOID *DataToHash,
> > >
> > > + IN UINTN DataToHashLen
> > >
> > > + )
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + VOID *HashCtx;
> > >
> > > +
> > >
> > > + HashCtx = (VOID *)HashHandle;
> > >
> > > +
> > >
> > > + switch (HashPolicy) {
> > >
> > > + case HASH_MD4:
> > >
> > > + Status = Md4Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_MD5:
> > >
> > > + Status = Md5Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA1:
> > >
> > > + Status = Sha1Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA256:
> > >
> > > + Status = Sha256Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA384:
> > >
> > > + Status = Sha384Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA512:
> > >
> > > + Status = Sha512Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SM3_256:
> > >
> > > + Status = Sm3Update (HashCtx, DataToHash, DataToHashLen);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + default:
> > >
> > > + ASSERT (FALSE);
> > >
> > > + break;
> > >
> > > + }
> > >
> >
> > 4. The same as 3
> >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Hash complete with Hash Algorithm specified by HashPolicy.
> > >
> > > +
> > >
> > > + @param HashPolicy Hash Algorithm Policy.
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param Digest Hash Digest.
> > >
> > > +
> > >
> > > + @retval TRUE Hash complete and Digest is returned.
> > >
> > > + @retval FALSE Hash complete unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashFinalInternal (
> > >
> > > + IN UINT8 HashPolicy,
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + OUT UINT8 **Digest
> > >
> > > + )
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + VOID *HashCtx;
> > >
> > > + UINT8 DigestData[SHA512_DIGEST_SIZE];
> > >
> > > +
> > >
> > > + HashCtx = (VOID *)HashHandle;
> > >
> > > +
> > >
> > > + switch (HashPolicy) {
> > >
> > > + case HASH_MD4:
> > >
> > > + Status = Md4Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_MD5:
> > >
> > > + Status = Md5Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA1:
> > >
> > > + Status = Sha1Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA256:
> > >
> > > + Status = Sha256Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA384:
> > >
> > > + Status = Sha384Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SHA512:
> > >
> > > + Status = Sha512Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + case HASH_SM3_256:
> > >
> > > + Status = Sm3Final (HashCtx, DigestData);
> > >
> > > + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE);
> > >
> > > + break;
> > >
> > > +
> > >
> > > + default:
> > >
> > > + ASSERT (FALSE);
> > >
> > > + break;
> > >
> >
> > 5. The same as 3
> >
> > > + }
> > >
> > > +
> > >
> > > + FreePool (HashCtx);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > > new file mode 100644
> > > index 000000000000..ea22cfe16e2f
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
> > > @@ -0,0 +1,122 @@
> > > +/** @file
> > >
> > > + This library is Unified Hash API. It will redirect hash request
> > > + to
> > >
> > > + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> > > + SHA256,
> > >
> > > + SHA384 and SM3...
> > >
> > > +
> > >
> > > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> > > +<BR>
> > >
> > > +SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +
> > >
> > > +**/
> > >
> > > +
> > >
> > > +
> > >
> > > +#include <Library/BaseLib.h>
> > >
> > > +#include <Library/BaseMemoryLib.h>
> > >
> > > +#include <Library/MemoryAllocationLib.h>
> > >
> > > +#include <Library/DebugLib.h>
> > >
> > > +#include <Library/PcdLib.h>
> > >
> > > +#include <Library/BaseHashLib.h>
> > >
> > > +
> > >
> > > +#include "BaseHashLibCommon.h"
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Init hash sequence.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > +
> > >
> > > + @retval TRUE Hash start and HashHandle returned.
> > >
> > > + @retval FALSE Hash Init unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiInit (
> > >
> > > + OUT HASH_HANDLE *HashHandle
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > + HASH_HANDLE Handle;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashInitInternal (HashPolicy, &Handle);
> > >
> > > +
> > >
> > > + *HashHandle = Handle;
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Update hash data.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param DataToHash Data to be hashed.
> > >
> > > + @param DataToHashLen Data size.
> > >
> > > +
> > >
> > > + @retval TRUE Hash updated.
> > >
> > > + @retval FALSE Hash updated unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiUpdate (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + IN VOID *DataToHash,
> > >
> > > + IN UINTN DataToHashLen
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashUpdateInternal (HashPolicy, HashHandle,
> > > + DataToHash,
> > > DataToHashLen);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Hash complete.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param Digest Hash Digest.
> > >
> > > +
> > >
> > > + @retval TRUE Hash complete and Digest is returned.
> > >
> > > + @retval FALSE Hash complete unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiFinal (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + OUT UINT8 *Digest
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + The constructor function of BaseHashLib Dxe.
> > >
> > > +
> > >
> > > + @param FileHandle The handle of FFS header the loaded driver.
> > >
> > > + @param PeiServices The pointer to the PEI services.
> > >
> > > +
> > >
> > > + @retval EFI_SUCCESS The constructor executes successfully.
> > >
> > > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for
> > > + the
> > > constructor.
> > >
> > > +
> > >
> > > +**/
> > >
> > > +EFI_STATUS
> > >
> > > +EFIAPI
> > >
> > > +BaseHashLibApiDxeConstructor (
> > >
> > > + IN EFI_HANDLE ImageHandle,
> > >
> > > + IN EFI_SYSTEM_TABLE *SystemTable
> > >
> > > + )
> > >
> > > +{
> > >
> > > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor..
> > > + \n"));
> > >
> > > +
> > >
> > > + return EFI_SUCCESS;
> > >
> > > +}
> >
> > 6. Constructor is not necessary if you don't have anything to do with it.
> > You can remove it from inf file and here.
> >
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > > new file mode 100644
> > > index 000000000000..580ac21fc1d9
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
> > > @@ -0,0 +1,125 @@
> > > +/** @file
> > >
> > > + This library is Unified Hash API. It will redirect hash request
> > > + to
> > >
> > > + the hash handler specified by PcdSystemHashPolicy such as SHA1,
> > > + SHA256,
> > >
> > > + SHA384 and SM3...
> > >
> > > +
> > >
> > > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
> > > +<BR>
> > >
> > > +SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +
> > >
> > > +**/
> > >
> > > +
> > >
> > > +
> > >
> > > +#include <Library/BaseLib.h>
> > >
> > > +#include <Library/BaseMemoryLib.h>
> > >
> > > +#include <Library/MemoryAllocationLib.h>
> > >
> > > +#include <Library/DebugLib.h>
> > >
> > > +#include <Library/PcdLib.h>
> > >
> > > +#include <Library/HashLib.h>
> > >
> > > +#include <Library/HobLib.h>
> > >
> > > +#include <Guid/ZeroGuid.h>
> > >
> > > +
> > >
> > > +#include <Library/BaseHashLib.h>
> > >
> > > +#include "BaseHashLibCommon.h"
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Init hash sequence.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > +
> > >
> > > + @retval TRUE Hash start and HashHandle returned.
> > >
> > > + @retval FALSE Hash Init unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiInit (
> > >
> > > + OUT HASH_HANDLE *HashHandle
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > + HASH_HANDLE Handle;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashInitInternal (HashPolicy, &Handle);
> > >
> > > +
> > >
> > > + *HashHandle = Handle;
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Update hash data.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param DataToHash Data to be hashed.
> > >
> > > + @param DataToHashLen Data size.
> > >
> > > +
> > >
> > > + @retval TRUE Hash updated.
> > >
> > > + @retval FALSE Hash updated unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiUpdate (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + IN VOID *DataToHash,
> > >
> > > + IN UINTN DataToHashLen
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashUpdateInternal (HashPolicy, HashHandle,
> > > + DataToHash,
> > > DataToHashLen);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + Hash complete.
> > >
> > > +
> > >
> > > + @param HashHandle Hash handle.
> > >
> > > + @param Digest Hash Digest.
> > >
> > > +
> > >
> > > + @retval TRUE Hash complete and Digest is returned.
> > >
> > > + @retval FALSE Hash complete unsuccessful.
> > >
> > > +**/
> > >
> > > +BOOLEAN
> > >
> > > +EFIAPI
> > >
> > > +HashApiFinal (
> > >
> > > + IN HASH_HANDLE HashHandle,
> > >
> > > + OUT UINT8 *Digest
> > >
> > > +)
> > >
> > > +{
> > >
> > > + BOOLEAN Status;
> > >
> > > + UINT8 HashPolicy;
> > >
> > > +
> > >
> > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy);
> > >
> > > +
> > >
> > > + Status = HashFinalInternal (HashPolicy, HashHandle, &Digest);
> > >
> > > +
> > >
> > > + return Status;
> > >
> > > +}
> > >
> > > +
> > >
> > > +/**
> > >
> > > + The constructor function of BaseHashLib Pei.
> > >
> > > +
> > >
> > > + @param FileHandle The handle of FFS header the loaded driver.
> > >
> > > + @param PeiServices The pointer to the PEI services.
> > >
> > > +
> > >
> > > + @retval EFI_SUCCESS The constructor executes successfully.
> > >
> > > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for
> > > + the
> > > constructor.
> > >
> > > +
> > >
> > > +**/
> > >
> > > +EFI_STATUS
> > >
> > > +EFIAPI
> > >
> > > +BaseHashLibApiPeiConstructor (
> > >
> > > + IN EFI_PEI_FILE_HANDLE FileHandle,
> > >
> > > + IN CONST EFI_PEI_SERVICES **PeiServices
> > >
> > > + )
> > >
> > > +{
> > >
> > > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor..
> > > + \n"));
> > >
> > > +
> > >
> > > + return EFI_SUCCESS;
> > >
> > > +}
> >
> > 7. The same as 6
> >
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Include/Library/BaseHashLib.h
> > > b/SecurityPkg/Include/Library/BaseHashLib.h
> > > new file mode 100644
> > > index 000000000000..e1883fe7ce41
> > > --- /dev/null
> > > +++ b/SecurityPkg/Include/Library/BaseHashLib.h
> > > @@ -0,0 +1,84 @@
> > > +/** @file
> > > + The internal header file includes the common header files,
> > > +defines
> > > + internal structure and functions used by ImageVerificationLib.
> > > +
> > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR> This program and the accompanying materials are
> > > +licensed and made available under the terms and conditions of the
> > > +BSD
> > > License
> > > +which accompanies this distribution. The full text of the
> > > +license may be found
> > > at
> > > +http://opensource.org/licenses/bsd-license.php
> > > +
> > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > > +BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> > > +EXPRESS
> > > OR IMPLIED.
> > > +
> > > +**/
> > > +
> > > +#ifndef __BASEHASHLIB_H_
> > > +#define __BASEHASHLIB_H_
> > > +
> > > +#include <Uefi.h>
> > > +#include <Protocol/Hash.h>
> > > +#include <Library/HashLib.h>
> > > +
> > > +//
> > > +// Hash Algorithms
> > > +//
> > > +#define HASH_DEFAULT 0x00000000
> > > +#define HASH_MD4 0x00000001
> > > +#define HASH_MD5 0x00000002
> > > +#define HASH_SHA1 0x00000003
> > > +#define HASH_SHA256 0x00000004
> > > +#define HASH_SHA384 0x00000005
> > > +#define HASH_SHA512 0x00000006
> > > +#define HASH_SM3_256 0x00000007
> > > +
> > > +
> > > +/**
> > > + Init hash sequence.
> > > +
> > > + @param HashHandle Hash handle.
> > > +
> > > + @retval TRUE Hash start and HashHandle returned.
> > > + @retval FALSE Hash Init unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiInit (
> > > + OUT HASH_HANDLE *HashHandle
> > > +);
> > > +
> > > +/**
> > > + Update hash data.
> > > +
> > > + @param HashHandle Hash handle.
> > > + @param DataToHash Data to be hashed.
> > > + @param DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiUpdate (
> > > + IN HASH_HANDLE HashHandle,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > +);
> > > +
> > > +/**
> > > + Hash complete.
> > > +
> > > + @param HashHandle Hash handle.
> > > + @param Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiFinal (
> > > + IN HASH_HANDLE HashHandle,
> > > + OUT UINT8 *Digest
> > > +);
> > > +
> > > +#endif
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > > new file mode 100644
> > > index 000000000000..776b74ad753b
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h
> > > @@ -0,0 +1,71 @@
> > > +/** @file
> > > + The internal header file includes the common header files,
> > > +defines
> > > + internal structure and functions used by ImageVerificationLib.
> > > +
> > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR> This program and the accompanying materials are
> > > +licensed and made available under the terms and conditions of the
> > > +BSD
> > > License
> > > +which accompanies this distribution. The full text of the
> > > +license may be found
> > > at
> > > +http://opensource.org/licenses/bsd-license.php
> > > +
> > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS"
> > > +BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER
> > > +EXPRESS
> > > OR IMPLIED.
> > > +
> > > +**/
> > > +
> > > +#ifndef __BASEHASHLIB_COMMON_H_
> > > +#define __BASEHASHLIB_COMMON_H_
> > > +
> > > +/**
> > > + Init hash sequence with Hash Algorithm specified by HashPolicy.
> > > +
> > > + @param HashHandle Hash handle.
> > > +
> > > + @retval EFI_SUCCESS Hash start and HashHandle returned.
> > > + @retval EFI_UNSUPPORTED System has no HASH library registered.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashInitInternal (
> > > + IN UINT8 HashPolicy,
> > > + OUT HASH_HANDLE *HashHandle
> > > + );
> > > +
> > > +/**
> > > + Hash complete with Hash Algorithm specified by HashPolicy.
> > > +
> > > + @param HashPolicy Hash Algorithm Policy.
> > > + @param HashHandle Hash handle.
> > > + @param Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashUpdateInternal (
> > > + IN UINT8 HashPolicy,
> > > + IN HASH_HANDLE HashHandle,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > + );
> > > +
> > > +/**
> > > + Update hash data with Hash Algorithm specified by HashPolicy.
> > > +
> > > + @param HashPolicy Hash Algorithm Policy.
> > > + @param HashHandle Hash handle.
> > > + @param DataToHash Data to be hashed.
> > > + @param DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashFinalInternal (
> > > + IN UINT8 HashPolicy,
> > > + IN HASH_HANDLE HashHandle,
> > > + OUT UINT8 **Digest
> > > + );
> > > +#endif
> > > \ No newline at end of file
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > > new file mode 100644
> > > index 000000000000..f97bda06108f
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > > @@ -0,0 +1,47 @@
> > > +## @file
> > >
> > > +# Provides hash service by registered hash handler
> > >
> > > +#
> > >
> > > +# This library is Base Hash Lib. It will redirect hash request
> > > +to each individual
> > >
> > > +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.
> > >
> > > +#
> > >
> > > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +#
> > >
> > > +##
> > >
> > > +
> > >
> > > +[Defines]
> > >
> > > + INF_VERSION = 0x00010005
> > >
> > > + BASE_NAME = BaseHashLibDxe
> > >
> > > + MODULE_UNI_FILE = BaseHashLibDxe.uni
> > >
> > > + FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
> > >
> > > + MODULE_TYPE = DXE_DRIVER
> > >
> > > + VERSION_STRING = 1.0
> > >
> > > + LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> > > DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
> > >
> > > + CONSTRUCTOR = BaseHashLibApiDxeConstructor
> >
> > 8. Since the above function is actually empty, you can remove above line and
> > function in c file.
> >
> > >
> > > +
> > >
> > > +#
> > >
> > > +# The following information is for reference only and not
> > > +required by the build
> > > tools.
> > >
> > > +#
> > >
> > > +# VALID_ARCHITECTURES = IA32 X64
> > >
> > > +#
> > >
> > > +
> > >
> > > +[Sources]
> > >
> > > + BaseHashLibCommon.h
> > >
> > > + BaseHashLibCommon.c
> > >
> > > + BaseHashLibDxe.c
> > >
> > > +
> > >
> > > +[Packages]
> > >
> > > + MdePkg/MdePkg.dec
> > >
> > > + CryptoPkg/CryptoPkg.dec
> > >
> > > + SecurityPkg/SecurityPkg.dec
> > >
> > > +
> > >
> > > +[LibraryClasses]
> > >
> > > + BaseLib
> > >
> > > + BaseMemoryLib
> > >
> > > + DebugLib
> > >
> > > + MemoryAllocationLib
> > >
> > > + BaseCryptLib
> > >
> > > + PcdLib
> > >
> > > +
> > >
> > > +[Pcd]
> > >
> > > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > > new file mode 100644
> > > index 000000000000..1865773b4a25
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
> > > @@ -0,0 +1,18 @@
> > > +// /** @file
> > >
> > > +// Provides hash service by registered hash handler
> > >
> > > +//
> > >
> > > +// This library is Unified Hash API. It will redirect hash
> > > +request to each individual
> > >
> > > +// hash handler registered, such as SHA1, SHA256. Platform can
> > > +use
> > > PcdTpm2HashMask to
> > >
> > > +// mask some hash engines.
> > >
> > > +//
> > >
> > > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +//
> > >
> > > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +//
> > >
> > > +// **/
> > >
> > > +
> > >
> > > +
> > >
> > > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> > > service by specified hash handler"
> > >
> > > +
> > >
> > > +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> > > Unified Hash API. It will redirect hash request to the hash
> > > handler specified by PcdSystemHashPolicy."
> > >
> > > +
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > > new file mode 100644
> > > index 000000000000..4d36030744bd
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > > @@ -0,0 +1,52 @@
> > > +## @file
> > >
> > > +# Provides hash service by registered hash handler
> > >
> > > +#
> > >
> > > +# This library is BaseCrypto router. It will redirect hash
> > > +request to each
> > > individual
> > >
> > > +# hash handler registered, such as SHA1, SHA256.
> > >
> > > +#
> > >
> > > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +#
> > >
> > > +##
> > >
> > > +
> > >
> > > +[Defines]
> > >
> > > + INF_VERSION = 0x00010005
> > >
> > > + BASE_NAME = BaseHashLibPei
> > >
> > > + MODULE_UNI_FILE = BaseHashLibPei.uni
> > >
> > > + FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
> > >
> > > + MODULE_TYPE = PEIM
> > >
> > > + VERSION_STRING = 1.0
> > >
> > > + LIBRARY_CLASS = BaseHashLib|PEIM
> > >
> > > + CONSTRUCTOR = BaseHashLibApiPeiConstructor
> > >
> >
> > 9. The same as 8
> >
> > > +
> > >
> > > +#
> > >
> > > +# The following information is for reference only and not
> > > +required by the build
> > > tools.
> > >
> > > +#
> > >
> > > +# VALID_ARCHITECTURES = IA32 X64
> > >
> > > +#
> > >
> > > +
> > >
> > > +[Sources]
> > >
> > > + BaseHashLibCommon.h
> > >
> > > + BaseHashLibCommon.c
> > >
> > > + BaseHashLibPei.c
> > >
> > > +
> > >
> > > +[Packages]
> > >
> > > + MdePkg/MdePkg.dec
> > >
> > > + SecurityPkg/SecurityPkg.dec
> > >
> > > + CryptoPkg/CryptoPkg.dec
> > >
> > > + MdeModulePkg/MdeModulePkg.dec
> > >
> > > +
> > >
> > > +[LibraryClasses]
> > >
> > > + BaseLib
> > >
> > > + BaseMemoryLib
> > >
> > > + DebugLib
> > >
> > > + MemoryAllocationLib
> > >
> > > + BaseCryptLib
> > >
> > > + PcdLib
> > >
> > > +
> > >
> > > +[Guids]
> > >
> > > + ## SOMETIMES_CONSUMES ## GUID
> > >
> > > + gZeroGuid
> > >
> > > +
> > >
> > > +[Pcd]
> > >
> > > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
> > >
> > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > > new file mode 100644
> > > index 000000000000..2131b61bd235
> > > --- /dev/null
> > > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
> > > @@ -0,0 +1,17 @@
> > > +// /** @file
> > >
> > > +// Provides hash service by registered hash handler
> > >
> > > +//
> > >
> > > +// This library is Unified Hash API. It will redirect hash
> > > +request to each individual
> > >
> > > +// hash handler registered, such as SHA1, SHA256.
> > >
> > > +//
> > >
> > > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > +//
> > >
> > > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > +//
> > >
> > > +// **/
> > >
> > > +
> > >
> > > +
> > >
> > > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> > > service by specified hash handler"
> > >
> > > +
> > >
> > > +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> > > Unified Hash API. It will redirect hash request to the hash
> > > handler specified by PcdSystemHashPolicy."
> > >
> > > +
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.dec
> > > b/SecurityPkg/SecurityPkg.dec index cac36caf0a0d..e0e144124ddd
> > > 100644
> > > --- a/SecurityPkg/SecurityPkg.dec
> > > +++ b/SecurityPkg/SecurityPkg.dec
> > > @@ -5,7 +5,7 @@
> > > # It also provides the definitions(including
> > > PPIs/PROTOCOLs/GUIDs and library
> > > classes)
> > >
> > > # and libraries instances, which are used for those features.
> > >
> > > #
> > >
> > > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> > > reserved.<BR>
> > >
> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
> > > <BR>
> > >
> > > # Copyright (c) 2017, Microsoft Corporation. All rights reserved.
> > > <BR>
> > >
> > > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > @@ -27,6 +27,10 @@ [LibraryClasses]
> > > #
> > >
> > > HashLib|Include/Library/HashLib.h
> > >
> > >
> > >
> > > + ## @libraryclass Provides hash interfaces from different implementations.
> > >
> > > + #
> > >
> > > + BaseHashLib|Include/Library/HashLib.h
> > >
> > > +
> > >
> > > ## @libraryclass Provides a platform specific interface to
> > > detect physically present user.
> > >
> > > #
> > >
> > > PlatformSecureLib|Include/Library/PlatformSecureLib.h
> > >
> > > @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx]
> > > # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table.
> > >
> > >
> > > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x0001
> > > 00
> > > 23
> > >
> > >
> > >
> > > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic,
> > > +PcdsDynamicEx]
> > >
> > > + ## This PCD indicates the HASH algorithm to verify unsigned
> > > + PE/COFF image
> > >
> > > + # Based on the value set, the required algorithm is chosen to
> > > + verify
> > >
> > > + # the unsigned image during Secure Boot.<BR>
> > >
> > > + # The hashing algorithm selected must match the hashing
> > > + algorithm used to
> > >
> > > + # hash the image to be added to DB using tools such as
> > > + KeyEnroll.<BR>
> > >
> > > + # 0x00000001 - MD4.<BR>
> > >
> > > + # 0x00000002 - MD5.<BR>
> > >
> > > + # 0x00000003 - SHA1.<BR>
> > >
> > > + # 0x00000004 - SHA256.<BR>
> > >
> > > + # 0x00000005 - SHA384.<BR>
> > >
> > > + # 0x00000006 - SHA512.<BR>
> > >
> > > + # 0x00000007 - SM3_256.<BR>
> > >
> > > + # @Prompt Set policy for hashing unsigned image for Secure Boot.
> > >
> > > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > >
> > > +
> > > gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x000
> > > 10
> > > 02
> > > 4
> > >
> > > +
> > >
> > > [UserExtensions.TianoCore."ExtraFiles"]
> > >
> > > SecurityPkgExtra.uni
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.dsc
> > > b/SecurityPkg/SecurityPkg.dsc index a2eeadda7a7e..86a5847e2509
> > > 100644
> > > --- a/SecurityPkg/SecurityPkg.dsc
> > > +++ b/SecurityPkg/SecurityPkg.dsc
> > > @@ -1,7 +1,7 @@
> > > ## @file
> > >
> > > # Security Module Package for All Architectures.
> > >
> > > #
> > >
> > > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights
> > > reserved.<BR>
> > >
> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > # (C) Copyright 2015 Hewlett Packard Enterprise Development
> > > LP<BR>
> > >
> > > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > #
> > >
> > > @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM]
> > >
> > > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.
> > > inf
> > >
> > >
> > > Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenc
> > > Tcg2PhysicalPresenceLib|eL
> > > Tcg2PhysicalPresenceLib|ib
> > > Tcg2PhysicalPresenceLib|/PeiTc
> > > g2PhysicalPresenceLib.inf
> > >
> > > RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
> > >
> > > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > >
> > >
> > >
> > > [LibraryClasses.common.DXE_DRIVER]
> > >
> > > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
> > >
> > > @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER]
> > >
> > > Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLi
> > > Tpm12DeviceLib|bT
> > > Tpm12DeviceLib|cg
> > > Tpm12DeviceLib|.i
> > > nf
> > >
> > >
> > > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.
> > > Tpm2DeviceLib|in
> > > f
> > >
> > >
> > > FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerL
> > > FileExplorerLib|ib
> > > FileExplorerLib|.i
> > > nf
> > >
> > > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > >
> > >
> > >
> > > [LibraryClasses.common.UEFI_DRIVER,
> > > LibraryClasses.common.DXE_RUNTIME_DRIVER,
> > > LibraryClasses.common.DXE_SAL_DRIVER,]
> > >
> > > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
> > >
> > > @@ -211,6 +213,12 @@ [Components]
> > >
> > >
> > > SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf
> > >
> > >
> > >
> > > + #
> > >
> > > + # Unified Hash API
> > >
> > > + #
> > >
> > > + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
> > >
> > > + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
> > >
> > > +
> > >
> > > #
> > >
> > > # TCG Storage.
> > >
> > > #
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.uni
> > > b/SecurityPkg/SecurityPkg.uni index 68587304d779..32ef97f81461
> > > 100644
> > > --- a/SecurityPkg/SecurityPkg.uni
> > > +++ b/SecurityPkg/SecurityPkg.uni
> > > @@ -5,7 +5,7 @@
> > > // It also provides the definitions(including
> > > PPIs/PROTOCOLs/GUIDs and library
> > > classes)
> > >
> > > // and libraries instances, which are used for those features.
> > >
> > > //
> > >
> > > -// Copyright (c) 2009 - 2018, Intel Corporation. All rights
> > > reserved.<BR>
> > >
> > > +// Copyright (c) 2009 - 2020, Intel Corporation. All rights
> > > +reserved.<BR>
> > >
> > > //
> > >
> > > // SPDX-License-Identifier: BSD-2-Clause-Patent
> > >
> > > //
> > >
> > > @@ -295,3 +295,16 @@
> > >
> > >
> > > #string
> > > STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP
> > > #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n"
> > >
> > >
> > > "0 means this field is unsupported\n"
> > >
> > > +
> > >
> > >
> > > +
> > > #string
> > > STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT
> > > #language en-US "HASH algorithm to verify unsigned PE/COFF image"
> > >
> > > +
> > >
> > > +#string
> > > +STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP
> > > #language en-US "This PCD indicates the HASH algorithm used by
> > > Unified Hash API.<BR><BR>\n"
> > >
> > > +
> > > + "Based on the value set, the
> > > required algorithm is chosen to calculate\n"
> > >
> > > + "the hash desired.<BR>\n"
> > >
> > > + "0x00000001 - MD4.<BR>\n"
> > >
> > > + "0x00000002 - MD5.<BR>\n"
> > >
> > > + "0x00000003 - SHA1.<BR>\n"
> > >
> > > +
> > > + "0x00000004 -
> > > SHA256.<BR>\n"
> > >
> > > +
> > > + "0x00000005 -
> > > SHA384.<BR>\n"
> > >
> > > +
> > > + "0x00000006 -
> > > SHA512.<BR>\n"
> > >
> > > + "0x00000007 - SM3.<BR>"
> > >
> > > --
> > > 2.16.2.windows.1
> >
> >
> >
> >
> >
>
>
>
>
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2020-01-17 3:47 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-01-14 15:41 [PATCH v2 0/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API Sukerkar, Amol N
2020-01-14 15:41 ` [PATCH v2 1/1] " Sukerkar, Amol N
2020-01-15 3:13 ` Wang, Jian J
2020-01-15 3:47 ` [edk2-devel] " Liming Gao
2020-01-15 23:01 ` Sukerkar, Amol N
2020-01-16 3:38 ` Liming Gao
2020-01-16 4:27 ` Sukerkar, Amol N
2020-01-16 4:35 ` Liming Gao
2020-01-16 16:58 ` Sukerkar, Amol N
2020-01-17 0:31 ` Liming Gao
2020-01-17 3:47 ` Sukerkar, Amol N
2020-01-15 20:13 ` Sukerkar, Amol N
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox