From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web12.358.1579129339422747181 for ; Wed, 15 Jan 2020 15:02:19 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=VObaCT48; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: amol.n.sukerkar@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Jan 2020 15:02:18 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,323,1574150400"; d="scan'208";a="423776770" Received: from fmsmsx103.amr.corp.intel.com ([10.18.124.201]) by fmsmga005.fm.intel.com with ESMTP; 15 Jan 2020 15:02:17 -0800 Received: from fmsmsx115.amr.corp.intel.com (10.18.116.19) by FMSMSX103.amr.corp.intel.com (10.18.124.201) with Microsoft SMTP Server (TLS) id 14.3.439.0; Wed, 15 Jan 2020 15:02:17 -0800 Received: from FMSEDG001.ED.cps.intel.com (10.1.192.133) by fmsmsx115.amr.corp.intel.com (10.18.116.19) with Microsoft SMTP Server (TLS) id 14.3.439.0; Wed, 15 Jan 2020 15:02:17 -0800 Received: from NAM10-BN7-obe.outbound.protection.outlook.com (104.47.70.100) by edgegateway.intel.com (192.55.55.68) with Microsoft SMTP Server (TLS) id 14.3.439.0; Wed, 15 Jan 2020 15:01:51 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=e1A4qM9K1x6+ItO40KR7Wr79Rz8Pzo22qL41mE8g+SeRpU7RTp0D1rA+hbkyoHtPrnBKNTKXp4B70pDgk9QqZu1nj9IQ0Nw9S3ac/c8FiGhG3wIl+k39HzDNHX74x1S2r2yvcNuddCVz77h6QB1K6k8AJi3AYYrW6gTxWtJ1hjRwJZGvRpMvOfjC3WYsZflaBcRcf03P6aTTXjrQCfEbwBM9+MwvuORY7XWhtXyfZmcdsP3kbkQJn2pwMas8pBbXJe7IMlaEbTVt12hh98FMxJEOxFuq/CTScGjdEpGW/DwHD4aUqSYb0VzfZqd1zbMSfTCWwom2rsSc1J3Gej21pg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E7pei6laLAudl9XiY+qgYAwUZGx71CEmUWr6ahoLXrA=; b=nku9v42uoGXlY914ZDh7RoL0GO328gjODGzumdANJmuS8x2hB63GM7/MvaMgL0I/QrkhtpyhlQ/831xPnxXgT/ODgKR9w6YBICs+ThEL1bllanuxU9S5n/RdLqTIdiX4b/XVLY4mfinWUFOCRJ1iXa8ug9fyworSagROObjYY4vqofvZEvcOkgfkbP8NgUzbH1YQfYaCw+PKxKBz7H0maKFFXJopqMHQ1w+V0STfZXe/LQRPMavNe1mhOcaMIReFEIw4X0yyb5H2k2V3yQLkXOR8lGlPK2S1ucLHRXlLdaI/gEj3WWFzVW1Xil89AoisgbUhB7MgXwrZ5y4HOdh2Ew== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E7pei6laLAudl9XiY+qgYAwUZGx71CEmUWr6ahoLXrA=; b=VObaCT48QXvZa89/rzeP9GwEZ6DasgVa5QbGMi+zqWqh5z39erUs/rlhqUFmwlBnid3xRFK0xp+1ZbA6VExwj4x/Z5qXoghO96BRdoM1fCzFtsWya4K9Z8wMZGSqkUmjdnJ2h4Cxub0FImcRAQCjfMrMTQ8/sSKY7t4xkv6vIMc= Received: from MWHPR11MB0064.namprd11.prod.outlook.com (10.164.192.146) by MWHPR11MB1615.namprd11.prod.outlook.com (10.172.54.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.13; Wed, 15 Jan 2020 23:01:44 +0000 Received: from MWHPR11MB0064.namprd11.prod.outlook.com ([fe80::6921:1be9:8a98:4549]) by MWHPR11MB0064.namprd11.prod.outlook.com ([fe80::6921:1be9:8a98:4549%5]) with mapi id 15.20.2623.018; Wed, 15 Jan 2020 23:01:43 +0000 From: "Sukerkar, Amol N" To: "Gao, Liming" , "devel@edk2.groups.io" , "Wang, Jian J" CC: "Kinney, Michael D" , "Yao, Jiewen" , "Agrawal, Sachin" , "Musti, Srinivas" , "Sukerkar, Amol N" Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API Thread-Topic: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API Thread-Index: AQHVyvETJsClZTDraE6d24/5UbWyCKfrCD2ggAAO3ACAAUHXQA== Date: Wed, 15 Jan 2020 23:01:35 +0000 Message-ID: References: <20200114154107.655-1-amol.n.sukerkar@intel.com> <20200114154107.655-2-amol.n.sukerkar@intel.com> <233b34aaf0f241aa8f997c2eac4aa306@intel.com> In-Reply-To: <233b34aaf0f241aa8f997c2eac4aa306@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-reaction: no-action dlp-version: 11.2.0.6 dlp-product: dlpe-windows authentication-results: spf=none (sender IP is ) smtp.mailfrom=amol.n.sukerkar@intel.com; x-originating-ip: [192.55.52.202] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: e256b56d-5b7d-4f29-f427-08d79a0ee3e6 x-ms-traffictypediagnostic: MWHPR11MB1615: x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:10000; x-forefront-prvs: 02830F0362 x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(39860400002)(136003)(396003)(376002)(366004)(346002)(199004)(189003)(53546011)(6506007)(110136005)(71200400001)(7696005)(316002)(6666004)(30864003)(45080400002)(52536014)(186003)(107886003)(5660300002)(33656002)(26005)(86362001)(19627235002)(15650500001)(15188155005)(8936002)(16799955002)(478600001)(76116006)(66946007)(8676002)(4326008)(2906002)(966005)(66574012)(81166006)(54906003)(81156014)(66476007)(64756008)(9686003)(66446008)(6636002)(66556008)(55016002)(579004)(559001)(569006);DIR:OUT;SFP:1102;SCL:1;SRVR:MWHPR11MB1615;H:MWHPR11MB0064.namprd11.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 9dlV35yaeneHwBSd/FDnXUlgPIELKMecGcMvUMAzHZPXIIbCiw1+DEikzsS7q/1nkLnv+FS3VL4zShBtaq6NH3NjkKYFVxvkfKXPHtoXKYjwPUcSRzGEksFELYvn3CAgSxqZBjnnf6v8VkPYTEEa9CvldziL3vQDS/+mruQyHUwknFxg9ouiOnaD+yiD1cLarrtwiwaQInoYbvU1YRDt/LVij07oqFMI+NrhRjZINTZ9vJy+gOH0M0jOsAcDk/zx5DbVH+O0+QpMDWA6uBqfdJNDyn8ZvAE5aPuC8AmZCZkrzzMqN3+9z1XmDdh9xG3YFK8fombDtMqVXGrKBjUlNrdeEnYeDsSRplyXtt8FmBUWtu4NvsTkFAEeNfSy2tdpDr/1e3LC1tCv1dbNiFcRlkC+inZgHbkSumUHrVfsyTlSaMUc+wyKZ4QqNUVJQia2YghRRsTcv0PE+frJa3DNGQg7pyPa5GpsH8GuBnnGj72o10xs8ddyawQuHVWReq4gazSY4eMtS9NAHXkekHjeIg== MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: e256b56d-5b7d-4f29-f427-08d79a0ee3e6 X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jan 2020 23:01:42.9813 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: iUkZGomcJGKGHe3C1ztgBLnKqyfY8n5q5oXnvi9i8karNyKI+T184PmF++Dy1XZyLvMRL8ZCoZoTdPfk3hJp/auQt0SXlvRTCkOqda9AFbY= X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB1615 Return-Path: amol.n.sukerkar@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="iso-2022-jp" Content-Transfer-Encoding: quoted-printable Hi Liming, We already have a ticket filed in Bugzilla, https://bugzilla.tianocore.org= /show_bug.cgi?id=3D2151. Would this be sufficient? Thanks, Amol -----Original Message----- From: Gao, Liming =20 Sent: Tuesday, January 14, 2020 8:47 PM To: devel@edk2.groups.io; Wang, Jian J ; Sukerkar, = Amol N Cc: Kinney, Michael D ; Yao, Jiewen ; Agrawal, Sachin ; Musti, Srinivas <= srinivas.musti@intel.com> Subject: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implemen= t Unified Hash Calculation API Amol: This is new feature. Please submit BZ (https://bugzilla.tianocore.org/) = to track it. If this feature catches edk2 2020 Q1 stable tag, I will add it= into edk2 feature planning.=20 Thanks Liming -----Original Message----- From: devel@edk2.groups.io On Behalf Of Wang, Jian = J Sent: 2020=1B$BG/=1B(B1=1B$B7n=1B(B15=1B$BF|=1B(B 11:14 To: Sukerkar, Amol N ; devel@edk2.groups.io Cc: Kinney, Michael D ; Yao, Jiewen ; Agrawal, Sachin ; Musti, Srinivas <= srinivas.musti@intel.com> Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implemen= t Unified Hash Calculation API Amol, 1. Your patch doesn't support hashing more than one algorithm at the same = time. Is this on purpose? Sorry I don't remember the conclusion in last discu= ssion. 2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h= . You can use BaseTools\Scripts\PatchCheck.py to check it before sending = patch. See my other comments below. > -----Original Message----- > From: Sukerkar, Amol N > Sent: Tuesday, January 14, 2020 11:41 PM > To: devel@edk2.groups.io > Cc: Kinney, Michael D ; Yao, Jiewen=20 > ; Wang, Jian J ; Agrawal,= =20 > Sachin ; Musti, Srinivas=20 > > Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified=20 > Hash Calculation API >=20 > This commit introduces a Unified Hash API to calculate hash using a=20 > hashing algorithm specified by the PCD, PcdSystemHashPolicy. This=20 > library interfaces with the various hashing API, such as, MD4, MD5,=20 > SHA1, SHA256, > SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate=20 > the desired hash by setting PcdSystemHashPolicy to appropriate value. >=20 > Cc: Jiewen Yao > Cc: Jian J Wang > Cc: Michael D Kinney > Signed-off-by: Sukerkar, Amol N > --- >=20 > Notes: > v2: > - Fixed the commit message format >=20 > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252 > ++++++++++++++++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++ > SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++=20 > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++=20 > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++=20 > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++=20 > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++ > SecurityPkg/SecurityPkg.dec | 23 +- > SecurityPkg/SecurityPkg.dsc | 10 +- > SecurityPkg/SecurityPkg.uni | 15 +- > 12 files changed, 833 insertions(+), 3 deletions(-) >=20 > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c > new file mode 100644 > index 000000000000..f8742e55b5f7 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c > @@ -0,0 +1,252 @@ > +/** @file >=20 > + Implement image verification services for secure boot service >=20 > + >=20 > + Caution: This file requires additional review when modified. >=20 > + This library will have external input - PE/COFF image. >=20 > + This external input must be validated carefully to avoid security=20 > + issue like >=20 > + buffer overflow, integer overflow. >=20 > + >=20 > + DxeImageVerificationLibImageRead() function will make sure the=20 > + PE/COFF > image content >=20 > + read is within the image buffer. >=20 > + >=20 > + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() > function will accept >=20 > + untrusted PE/COFF image and validate its data structure within this= =20 > + image > buffer before use. >=20 > + >=20 > +Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > +(C) Copyright 2016 Hewlett Packard Enterprise Development LP
>=20 > +This program and the accompanying materials >=20 > +are licensed and made available under the terms and conditions of the= =20 > +BSD > License >=20 > +which accompanies this distribution. The full text of the license=20 > +may be found > at >=20 > +http://opensource.org/licenses/bsd-license.php >=20 > + >=20 > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, >=20 > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. >=20 > + >=20 > +**/ >=20 > + >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > + >=20 > +/** >=20 > + Init hash sequence with Hash Algorithm specified by HashPolicy. >=20 > + >=20 > + @param HashPolicy Hash Algorithm Policy. >=20 > + @param HashHandle Hash handle. >=20 > + >=20 > + @retval TRUE Hash start and HashHandle returned. >=20 > + @retval FALSE Hash Init unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashInitInternal ( >=20 > + IN UINT8 HashPolicy, >=20 > + OUT HASH_HANDLE *HashHandle >=20 > + ) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + VOID *HashCtx; >=20 > + UINTN CtxSize; >=20 > + >=20 > + switch (HashPolicy) { >=20 > + case HASH_MD4: >=20 > + CtxSize =3D Md4GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Md4Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_MD5: >=20 > + CtxSize =3D Md5GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Md5Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SHA1: >=20 > + CtxSize =3D Sha1GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sha1Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SHA256: >=20 > + CtxSize =3D Sha256GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sha256Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SHA384: >=20 > + CtxSize =3D Sha384GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sha384Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SHA512: >=20 > + CtxSize =3D Sha512GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sha512Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SM3_256: >=20 > + CtxSize =3D Sm3GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sm3Init (HashCtx); >=20 > + break; >=20 > + >=20 > + default: >=20 > + ASSERT (FALSE); >=20 > + break; >=20 > + } >=20 > + 3. Instead of switch..case, using a global array to defines all supported = interfaces would be more efficient, since you can value of PcdSystemHashPol= icy to index them directly. >=20 > + *HashHandle =3D (HASH_HANDLE)HashCtx; >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Update hash data with Hash Algorithm specified by HashPolicy. >=20 > + >=20 > + @param HashPolicy Hash Algorithm Policy. >=20 > + @param HashHandle Hash handle. >=20 > + @param DataToHash Data to be hashed. >=20 > + @param DataToHashLen Data size. >=20 > + >=20 > + @retval TRUE Hash updated. >=20 > + @retval FALSE Hash updated unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashUpdateInternal ( >=20 > + IN UINT8 HashPolicy, >=20 > + IN HASH_HANDLE HashHandle, >=20 > + IN VOID *DataToHash, >=20 > + IN UINTN DataToHashLen >=20 > + ) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + VOID *HashCtx; >=20 > + >=20 > + HashCtx =3D (VOID *)HashHandle; >=20 > + >=20 > + switch (HashPolicy) { >=20 > + case HASH_MD4: >=20 > + Status =3D Md4Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_MD5: >=20 > + Status =3D Md5Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SHA1: >=20 > + Status =3D Sha1Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SHA256: >=20 > + Status =3D Sha256Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SHA384: >=20 > + Status =3D Sha384Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SHA512: >=20 > + Status =3D Sha512Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SM3_256: >=20 > + Status =3D Sm3Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + default: >=20 > + ASSERT (FALSE); >=20 > + break; >=20 > + } >=20 4. The same as 3 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Hash complete with Hash Algorithm specified by HashPolicy. >=20 > + >=20 > + @param HashPolicy Hash Algorithm Policy. >=20 > + @param HashHandle Hash handle. >=20 > + @param Digest Hash Digest. >=20 > + >=20 > + @retval TRUE Hash complete and Digest is returned. >=20 > + @retval FALSE Hash complete unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashFinalInternal ( >=20 > + IN UINT8 HashPolicy, >=20 > + IN HASH_HANDLE HashHandle, >=20 > + OUT UINT8 **Digest >=20 > + ) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + VOID *HashCtx; >=20 > + UINT8 DigestData[SHA512_DIGEST_SIZE]; >=20 > + >=20 > + HashCtx =3D (VOID *)HashHandle; >=20 > + >=20 > + switch (HashPolicy) { >=20 > + case HASH_MD4: >=20 > + Status =3D Md4Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_MD5: >=20 > + Status =3D Md5Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SHA1: >=20 > + Status =3D Sha1Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SHA256: >=20 > + Status =3D Sha256Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SHA384: >=20 > + Status =3D Sha384Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SHA512: >=20 > + Status =3D Sha512Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SM3_256: >=20 > + Status =3D Sm3Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + default: >=20 > + ASSERT (FALSE); >=20 > + break; >=20 5. The same as 3 > + } >=20 > + >=20 > + FreePool (HashCtx); >=20 > + >=20 > + return Status; >=20 > +} > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c > new file mode 100644 > index 000000000000..ea22cfe16e2f > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c > @@ -0,0 +1,122 @@ > +/** @file >=20 > + This library is Unified Hash API. It will redirect hash request to >=20 > + the hash handler specified by PcdSystemHashPolicy such as SHA1,=20 > + SHA256, >=20 > + SHA384 and SM3... >=20 > + >=20 > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.=20 > +
>=20 > +SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > + >=20 > +**/ >=20 > + >=20 > + >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > + >=20 > +#include "BaseHashLibCommon.h" >=20 > + >=20 > +/** >=20 > + Init hash sequence. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + >=20 > + @retval TRUE Hash start and HashHandle returned. >=20 > + @retval FALSE Hash Init unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiInit ( >=20 > + OUT HASH_HANDLE *HashHandle >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + HASH_HANDLE Handle; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashInitInternal (HashPolicy, &Handle); >=20 > + >=20 > + *HashHandle =3D Handle; >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Update hash data. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + @param DataToHash Data to be hashed. >=20 > + @param DataToHashLen Data size. >=20 > + >=20 > + @retval TRUE Hash updated. >=20 > + @retval FALSE Hash updated unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiUpdate ( >=20 > + IN HASH_HANDLE HashHandle, >=20 > + IN VOID *DataToHash, >=20 > + IN UINTN DataToHashLen >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, > DataToHashLen); >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Hash complete. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + @param Digest Hash Digest. >=20 > + >=20 > + @retval TRUE Hash complete and Digest is returned. >=20 > + @retval FALSE Hash complete unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiFinal ( >=20 > + IN HASH_HANDLE HashHandle, >=20 > + OUT UINT8 *Digest >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashFinalInternal (HashPolicy, &HashHandle, &Digest); >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + The constructor function of BaseHashLib Dxe. >=20 > + >=20 > + @param FileHandle The handle of FFS header the loaded driver. >=20 > + @param PeiServices The pointer to the PEI services. >=20 > + >=20 > + @retval EFI_SUCCESS The constructor executes successfully. >=20 > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the > constructor. >=20 > + >=20 > +**/ >=20 > +EFI_STATUS >=20 > +EFIAPI >=20 > +BaseHashLibApiDxeConstructor ( >=20 > + IN EFI_HANDLE ImageHandle, >=20 > + IN EFI_SYSTEM_TABLE *SystemTable >=20 > + ) >=20 > +{ >=20 > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n")); >=20 > + >=20 > + return EFI_SUCCESS; >=20 > +} 6. Constructor is not necessary if you don't have anything to do with it. You can remove it from inf file and here. > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c > new file mode 100644 > index 000000000000..580ac21fc1d9 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c > @@ -0,0 +1,125 @@ > +/** @file >=20 > + This library is Unified Hash API. It will redirect hash request to >=20 > + the hash handler specified by PcdSystemHashPolicy such as SHA1,=20 > + SHA256, >=20 > + SHA384 and SM3... >=20 > + >=20 > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.=20 > +
>=20 > +SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > + >=20 > +**/ >=20 > + >=20 > + >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > + >=20 > +#include >=20 > +#include "BaseHashLibCommon.h" >=20 > + >=20 > +/** >=20 > + Init hash sequence. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + >=20 > + @retval TRUE Hash start and HashHandle returned. >=20 > + @retval FALSE Hash Init unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiInit ( >=20 > + OUT HASH_HANDLE *HashHandle >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + HASH_HANDLE Handle; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashInitInternal (HashPolicy, &Handle); >=20 > + >=20 > + *HashHandle =3D Handle; >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Update hash data. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + @param DataToHash Data to be hashed. >=20 > + @param DataToHashLen Data size. >=20 > + >=20 > + @retval TRUE Hash updated. >=20 > + @retval FALSE Hash updated unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiUpdate ( >=20 > + IN HASH_HANDLE HashHandle, >=20 > + IN VOID *DataToHash, >=20 > + IN UINTN DataToHashLen >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, > DataToHashLen); >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Hash complete. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + @param Digest Hash Digest. >=20 > + >=20 > + @retval TRUE Hash complete and Digest is returned. >=20 > + @retval FALSE Hash complete unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiFinal ( >=20 > + IN HASH_HANDLE HashHandle, >=20 > + OUT UINT8 *Digest >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashFinalInternal (HashPolicy, HashHandle, &Digest); >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + The constructor function of BaseHashLib Pei. >=20 > + >=20 > + @param FileHandle The handle of FFS header the loaded driver. >=20 > + @param PeiServices The pointer to the PEI services. >=20 > + >=20 > + @retval EFI_SUCCESS The constructor executes successfully. >=20 > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the > constructor. >=20 > + >=20 > +**/ >=20 > +EFI_STATUS >=20 > +EFIAPI >=20 > +BaseHashLibApiPeiConstructor ( >=20 > + IN EFI_PEI_FILE_HANDLE FileHandle, >=20 > + IN CONST EFI_PEI_SERVICES **PeiServices >=20 > + ) >=20 > +{ >=20 > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n")); >=20 > + >=20 > + return EFI_SUCCESS; >=20 > +} 7. The same as 6 > \ No newline at end of file > diff --git a/SecurityPkg/Include/Library/BaseHashLib.h > b/SecurityPkg/Include/Library/BaseHashLib.h > new file mode 100644 > index 000000000000..e1883fe7ce41 > --- /dev/null > +++ b/SecurityPkg/Include/Library/BaseHashLib.h > @@ -0,0 +1,84 @@ > +/** @file > + The internal header file includes the common header files, defines > + internal structure and functions used by ImageVerificationLib. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
This program and the accompanying materials are=20 > +licensed and made available under the terms and conditions of the BSD > License > +which accompanies this distribution. The full text of the license=20 > +may be found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,= =20 > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + > +**/ > + > +#ifndef __BASEHASHLIB_H_ > +#define __BASEHASHLIB_H_ > + > +#include > +#include > +#include > + > +// > +// Hash Algorithms > +// > +#define HASH_DEFAULT 0x00000000 > +#define HASH_MD4 0x00000001 > +#define HASH_MD5 0x00000002 > +#define HASH_SHA1 0x00000003 > +#define HASH_SHA256 0x00000004 > +#define HASH_SHA384 0x00000005 > +#define HASH_SHA512 0x00000006 > +#define HASH_SM3_256 0x00000007 > + > + > +/** > + Init hash sequence. > + > + @param HashHandle Hash handle. > + > + @retval TRUE Hash start and HashHandle returned. > + @retval FALSE Hash Init unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiInit ( > + OUT HASH_HANDLE *HashHandle > +); > + > +/** > + Update hash data. > + > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiUpdate ( > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > +); > + > +/** > + Hash complete. > + > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiFinal ( > + IN HASH_HANDLE HashHandle, > + OUT UINT8 *Digest > +); > + > +#endif > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h > new file mode 100644 > index 000000000000..776b74ad753b > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h > @@ -0,0 +1,71 @@ > +/** @file > + The internal header file includes the common header files, defines > + internal structure and functions used by ImageVerificationLib. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
This program and the accompanying materials are=20 > +licensed and made available under the terms and conditions of the BSD > License > +which accompanies this distribution. The full text of the license=20 > +may be found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,= =20 > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + > +**/ > + > +#ifndef __BASEHASHLIB_COMMON_H_ > +#define __BASEHASHLIB_COMMON_H_ > + > +/** > + Init hash sequence with Hash Algorithm specified by HashPolicy. > + > + @param HashHandle Hash handle. > + > + @retval EFI_SUCCESS Hash start and HashHandle returned. > + @retval EFI_UNSUPPORTED System has no HASH library registered. > +**/ > +BOOLEAN > +EFIAPI > +HashInitInternal ( > + IN UINT8 HashPolicy, > + OUT HASH_HANDLE *HashHandle > + ); > + > +/** > + Hash complete with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashUpdateInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > + ); > + > +/** > + Update hash data with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashFinalInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + OUT UINT8 **Digest > + ); > +#endif > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > new file mode 100644 > index 000000000000..f97bda06108f > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > @@ -0,0 +1,47 @@ > +## @file >=20 > +# Provides hash service by registered hash handler >=20 > +# >=20 > +# This library is Base Hash Lib. It will redirect hash request to=20 > +each individual >=20 > +# hash handler registered, such as SHA1, SHA256, SHA384, SM3. >=20 > +# >=20 > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > +# SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > +# >=20 > +## >=20 > + >=20 > +[Defines] >=20 > + INF_VERSION =3D 0x00010005 >=20 > + BASE_NAME =3D BaseHashLibDxe >=20 > + MODULE_UNI_FILE =3D BaseHashLibDxe.uni >=20 > + FILE_GUID =3D 158DC712-F15A-44dc-93BB-1675045BE0= 66 >=20 > + MODULE_TYPE =3D DXE_DRIVER >=20 > + VERSION_STRING =3D 1.0 >=20 > + LIBRARY_CLASS =3D BaseHashLib|DXE_DRIVER DXE_RUNTIME= _DRIVER > DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER >=20 > + CONSTRUCTOR =3D BaseHashLibApiDxeConstructor 8. Since the above function is actually empty, you can remove above line a= nd function in c file. >=20 > + >=20 > +# >=20 > +# The following information is for reference only and not required by= =20 > +the build > tools. >=20 > +# >=20 > +# VALID_ARCHITECTURES =3D IA32 X64 >=20 > +# >=20 > + >=20 > +[Sources] >=20 > + BaseHashLibCommon.h >=20 > + BaseHashLibCommon.c >=20 > + BaseHashLibDxe.c >=20 > + >=20 > +[Packages] >=20 > + MdePkg/MdePkg.dec >=20 > + CryptoPkg/CryptoPkg.dec >=20 > + SecurityPkg/SecurityPkg.dec >=20 > + >=20 > +[LibraryClasses] >=20 > + BaseLib >=20 > + BaseMemoryLib >=20 > + DebugLib >=20 > + MemoryAllocationLib >=20 > + BaseCryptLib >=20 > + PcdLib >=20 > + >=20 > +[Pcd] >=20 > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES >=20 > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni > new file mode 100644 > index 000000000000..1865773b4a25 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni > @@ -0,0 +1,18 @@ > +// /** @file >=20 > +// Provides hash service by registered hash handler >=20 > +// >=20 > +// This library is Unified Hash API. It will redirect hash request to= =20 > +each individual >=20 > +// hash handler registered, such as SHA1, SHA256. Platform can use > PcdTpm2HashMask to >=20 > +// mask some hash engines. >=20 > +// >=20 > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > +// >=20 > +// SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > +// >=20 > +// **/ >=20 > + >=20 > + >=20 > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash > service by specified hash handler" >=20 > + >=20 > +#string STR_MODULE_DESCRIPTION #language en-US "This library i= s > Unified Hash API. It will redirect hash request to the hash handler=20 > specified by PcdSystemHashPolicy." >=20 > + >=20 > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > new file mode 100644 > index 000000000000..4d36030744bd > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > @@ -0,0 +1,52 @@ > +## @file >=20 > +# Provides hash service by registered hash handler >=20 > +# >=20 > +# This library is BaseCrypto router. It will redirect hash request=20 > +to each > individual >=20 > +# hash handler registered, such as SHA1, SHA256. >=20 > +# >=20 > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > +# SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > +# >=20 > +## >=20 > + >=20 > +[Defines] >=20 > + INF_VERSION =3D 0x00010005 >=20 > + BASE_NAME =3D BaseHashLibPei >=20 > + MODULE_UNI_FILE =3D BaseHashLibPei.uni >=20 > + FILE_GUID =3D DDCBCFBA-8EEB-488a-96D6-097831A6E5= 0B >=20 > + MODULE_TYPE =3D PEIM >=20 > + VERSION_STRING =3D 1.0 >=20 > + LIBRARY_CLASS =3D BaseHashLib|PEIM >=20 > + CONSTRUCTOR =3D BaseHashLibApiPeiConstructor >=20 9. The same as 8 > + >=20 > +# >=20 > +# The following information is for reference only and not required by= =20 > +the build > tools. >=20 > +# >=20 > +# VALID_ARCHITECTURES =3D IA32 X64 >=20 > +# >=20 > + >=20 > +[Sources] >=20 > + BaseHashLibCommon.h >=20 > + BaseHashLibCommon.c >=20 > + BaseHashLibPei.c >=20 > + >=20 > +[Packages] >=20 > + MdePkg/MdePkg.dec >=20 > + SecurityPkg/SecurityPkg.dec >=20 > + CryptoPkg/CryptoPkg.dec >=20 > + MdeModulePkg/MdeModulePkg.dec >=20 > + >=20 > +[LibraryClasses] >=20 > + BaseLib >=20 > + BaseMemoryLib >=20 > + DebugLib >=20 > + MemoryAllocationLib >=20 > + BaseCryptLib >=20 > + PcdLib >=20 > + >=20 > +[Guids] >=20 > + ## SOMETIMES_CONSUMES ## GUID >=20 > + gZeroGuid >=20 > + >=20 > +[Pcd] >=20 > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES >=20 > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni > new file mode 100644 > index 000000000000..2131b61bd235 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni > @@ -0,0 +1,17 @@ > +// /** @file >=20 > +// Provides hash service by registered hash handler >=20 > +// >=20 > +// This library is Unified Hash API. It will redirect hash request to= =20 > +each individual >=20 > +// hash handler registered, such as SHA1, SHA256. >=20 > +// >=20 > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > +// >=20 > +// SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > +// >=20 > +// **/ >=20 > + >=20 > + >=20 > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash > service by specified hash handler" >=20 > + >=20 > +#string STR_MODULE_DESCRIPTION #language en-US "This library i= s > Unified Hash API. It will redirect hash request to the hash handler=20 > specified by PcdSystemHashPolicy." >=20 > + >=20 > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec= =20 > index cac36caf0a0d..e0e144124ddd 100644 > --- a/SecurityPkg/SecurityPkg.dec > +++ b/SecurityPkg/SecurityPkg.dec > @@ -5,7 +5,7 @@ > # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs=20 > and library > classes) >=20 > # and libraries instances, which are used for those features. >=20 > # >=20 > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights=20 > reserved.
>=20 > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
>=20 > # Copyright (c) 2017, Microsoft Corporation. All rights reserved.=20 >
>=20 > # SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > @@ -27,6 +27,10 @@ [LibraryClasses] > # >=20 > HashLib|Include/Library/HashLib.h >=20 >=20 >=20 > + ## @libraryclass Provides hash interfaces from different implementa= tions. >=20 > + # >=20 > + BaseHashLib|Include/Library/HashLib.h >=20 > + >=20 > ## @libraryclass Provides a platform specific interface to detect= =20 > physically present user. >=20 > # >=20 > PlatformSecureLib|Include/Library/PlatformSecureLib.h >=20 > @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx] > # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table. >=20 >=20 > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023 >=20 >=20 >=20 > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] >=20 > + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF= =20 > + image >=20 > + # Based on the value set, the required algorithm is chosen to=20 > + verify >=20 > + # the unsigned image during Secure Boot.
>=20 > + # The hashing algorithm selected must match the hashing algorithm=20 > + used to >=20 > + # hash the image to be added to DB using tools such as=20 > + KeyEnroll.
>=20 > + # 0x00000001 - MD4.
>=20 > + # 0x00000002 - MD5.
>=20 > + # 0x00000003 - SHA1.
>=20 > + # 0x00000004 - SHA256.
>=20 > + # 0x00000005 - SHA384.
>=20 > + # 0x00000006 - SHA512.
>=20 > + # 0x00000007 - SM3_256.
>=20 > + # @Prompt Set policy for hashing unsigned image for Secure Boot. >=20 > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007 >=20 > + > gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x0001002 > 4 >=20 > + >=20 > [UserExtensions.TianoCore."ExtraFiles"] >=20 > SecurityPkgExtra.uni >=20 > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc= =20 > index a2eeadda7a7e..86a5847e2509 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc > @@ -1,7 +1,7 @@ > ## @file >=20 > # Security Module Package for All Architectures. >=20 > # >=20 > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights=20 > reserved.
>=20 > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
>=20 > # SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > # >=20 > @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM] >=20 > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm. > inf >=20 >=20 > Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib > Tcg2PhysicalPresenceLib|/PeiTc > g2PhysicalPresenceLib.inf >=20 > RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf >=20 > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf >=20 >=20 >=20 > [LibraryClasses.common.DXE_DRIVER] >=20 > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf >=20 > @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER] >=20 > Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg > Tpm12DeviceLib|.i > nf >=20 >=20 > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2. > Tpm2DeviceLib|in > f >=20 > > FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.i > nf >=20 > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf >=20 >=20 >=20 > [LibraryClasses.common.UEFI_DRIVER, > LibraryClasses.common.DXE_RUNTIME_DRIVER, > LibraryClasses.common.DXE_SAL_DRIVER,] >=20 > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf >=20 > @@ -211,6 +213,12 @@ [Components] >=20 >=20 > SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf >=20 >=20 >=20 > + # >=20 > + # Unified Hash API >=20 > + # >=20 > + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf >=20 > + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf >=20 > + >=20 > # >=20 > # TCG Storage. >=20 > # >=20 > diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni= =20 > index 68587304d779..32ef97f81461 100644 > --- a/SecurityPkg/SecurityPkg.uni > +++ b/SecurityPkg/SecurityPkg.uni > @@ -5,7 +5,7 @@ > // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs=20 > and library > classes) >=20 > // and libraries instances, which are used for those features. >=20 > // >=20 > -// Copyright (c) 2009 - 2018, Intel Corporation. All rights=20 > reserved.
>=20 > +// Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > // >=20 > // SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > // >=20 > @@ -295,3 +295,16 @@ >=20 >=20 > #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP > #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n" >=20 > = =20 > "0 means this field is unsupported\n" >=20 > + >=20 >=20 > + > #string > STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT > #language en-US "HASH algorithm to verify unsigned PE/COFF image" >=20 > + >=20 > +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP > #language en-US "This PCD indicates the HASH algorithm used by Unified= =20 > Hash API.

\n" >=20 > + = > + "Based on the value set, the > required algorithm is chosen to calculate\n" >=20 > + = "the hash desired.
\n" >=20 > + = "0x00000001 - MD4.
\n" >=20 > + = "0x00000002 - MD5.
\n" >=20 > + = "0x00000003 - SHA1.
\n" >=20 > + = > + "0x00000004 - > SHA256.
\n" >=20 > + = > + "0x00000005 - > SHA384.
\n" >=20 > + = > + "0x00000006 - > SHA512.
\n" >=20 > + = "0x00000007 - SM3.
" >=20 > -- > 2.16.2.windows.1