From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web10.868.1579119213006887272 for ; Wed, 15 Jan 2020 12:13:34 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=KAQcNWAN; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: amol.n.sukerkar@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Jan 2020 12:13:32 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,323,1574150400"; d="scan'208";a="273748582" Received: from orsmsx105.amr.corp.intel.com ([10.22.225.132]) by FMSMGA003.fm.intel.com with ESMTP; 15 Jan 2020 12:13:31 -0800 Received: from orsmsx116.amr.corp.intel.com (10.22.240.14) by ORSMSX105.amr.corp.intel.com (10.22.225.132) with Microsoft SMTP Server (TLS) id 14.3.439.0; Wed, 15 Jan 2020 12:13:31 -0800 Received: from ORSEDG002.ED.cps.intel.com (10.7.248.5) by ORSMSX116.amr.corp.intel.com (10.22.240.14) with Microsoft SMTP Server (TLS) id 14.3.439.0; Wed, 15 Jan 2020 12:13:31 -0800 Received: from NAM04-BN3-obe.outbound.protection.outlook.com (104.47.46.54) by edgegateway.intel.com (134.134.137.101) with Microsoft SMTP Server (TLS) id 14.3.439.0; Wed, 15 Jan 2020 12:13:31 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Kln0mfynOeeHdDiX93jkepOk44bTp0vl+TPxKPQfyO1Z8gDtC3xnGI1e9Mjkw2P1iTwzizDTb8uqIgpA6bqQ87cbewHgAybsPliTp7xWc6kyJDmuVr3IoM9WKbXktXx7MNBaUx2B1fH5odsQbg/35OBa5obvZCriQbXVPy3kSkDgRoreWj8lO/P75xV07R4k1qMh5s1OSP+M+rAhNLvKqdzvnJmN+jh7kI7RoSHDmwvP6wkx/ErXD8vg17u9IR0e3+YB7XrkC988xeow4EeU3lPhelDQGKtbFP1LLiRevP3QLXdiaLWUQlUmphkXP71nm/g3OckKFe8+trFO9mCAvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RqKJmjh0+FaJWa/t9+mf9BisdXzWJOX/4rglviHFRfQ=; b=baXsYCOuq13YAp4ier6hC9vCywwrDaiKD2J8QG/VDP7ulucSBQzsot7pv1evWfPTRICROZm45sjqYxEZAygRthkUoqWBE0qiOjpBxDLC1Fm+bsDNzJzu4cKbZhKR9dSVHaK7QZXbv6oE5lHRR2TqnSFL5tx+AY+DdNFOd0N2shmc0b97C7KcMhp3Ko6+f7um0HH+eCtd1ibYxIn4h5MRA/jX2FJbhZs1pLJE9ATYUoUYanpNZ9mKCBlMtiSe6uBUKXYi1dj0kk5roAMRLzH0BWNnRA+lxGsBCeP3+bGvSS4FiH9huKdBHUqwxL7iLKSYkXML6ZLj/X4PxW00yEEhjQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RqKJmjh0+FaJWa/t9+mf9BisdXzWJOX/4rglviHFRfQ=; b=KAQcNWANSDHFW4wUnZWmJaJLaR6xsT9mLRuvP7/hQi/GkTTqJbRrB3j97mAJVfTr0B2TTzMiaWH4mz2J+ymRhFNEBBgBifx+fftajMDMfaadffBvcOkRVJfJgDhTiXbED0whQcKpjnns6rHWYeixkSVA5Cb1yzIM5OpATkxRzRE= Received: from MWHPR11MB0064.namprd11.prod.outlook.com (10.164.192.146) by MWHPR11MB1856.namprd11.prod.outlook.com (10.175.53.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.18; Wed, 15 Jan 2020 20:13:28 +0000 Received: from MWHPR11MB0064.namprd11.prod.outlook.com ([fe80::6921:1be9:8a98:4549]) by MWHPR11MB0064.namprd11.prod.outlook.com ([fe80::6921:1be9:8a98:4549%5]) with mapi id 15.20.2623.015; Wed, 15 Jan 2020 20:13:28 +0000 From: "Sukerkar, Amol N" To: "Wang, Jian J" , "devel@edk2.groups.io" CC: "Kinney, Michael D" , "Yao, Jiewen" , "Agrawal, Sachin" , "Musti, Srinivas" , "Sukerkar, Amol N" Subject: Re: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API Thread-Topic: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API Thread-Index: AQHVyvETJsClZTDraE6d24/5UbWyCKfrCD2ggAEhZWA= Date: Wed, 15 Jan 2020 20:13:28 +0000 Message-ID: References: <20200114154107.655-1-amol.n.sukerkar@intel.com> <20200114154107.655-2-amol.n.sukerkar@intel.com> In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-reaction: no-action dlp-version: 11.2.0.6 dlp-product: dlpe-windows authentication-results: spf=none (sender IP is ) smtp.mailfrom=amol.n.sukerkar@intel.com; x-originating-ip: [192.55.52.202] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: c18361ab-a22b-4e17-c363-08d799f762c1 x-ms-traffictypediagnostic: MWHPR11MB1856: x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:10000; x-forefront-prvs: 02830F0362 x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(366004)(199004)(189003)(8676002)(55016002)(81156014)(8936002)(9686003)(7696005)(53546011)(6506007)(52536014)(33656002)(498600001)(81166006)(15650500001)(26005)(45080400002)(2906002)(54906003)(110136005)(30864003)(86362001)(66556008)(19627235002)(107886003)(71200400001)(5660300002)(15188155005)(66446008)(16799955002)(64756008)(66476007)(4326008)(76116006)(66946007)(66574012)(186003)(559001)(579004)(569006);DIR:OUT;SFP:1102;SCL:1;SRVR:MWHPR11MB1856;H:MWHPR11MB0064.namprd11.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: UqEtyZonRpD9ZXyxl4WtuDU2czXvuXplB5mP3KSupZgy0vloTGGaO+AW55UDbQPsJ9dJAmv75BkykULlO8iYVfZBdB07I66n+fOAcYs0fs8W865xl0ilvAAh+lA6NdR/3U8do17RVgS0FiRpLRRTPO/RqyLUJijzmJPVX3NvDePkmm8LWYmZ9P61jHm7947/RruoXDYzW9QQsnxCZBRI8iplracvfGhvjoToaeHrnO+quRWH5loFXhyMCxs8BNW058hbhJaVQdlQyjt0s2AI66+VjRtQA2iixTL0jxnMyinspWCm2R3lQaq8yJrdfgXNYTIECnI4EAFP5a4CQPnHUUT4f8PHTMw4ICfhart4M8YybpnKZDO6Ohsn/JMFHow6fzpKf1Gp9+YQaEf+ezduykuIzqOCn/5IwqtLJttt/8wy0uXrmj6dFrZzN2ay4qjjH2gNpOeB/U6du+xDvJbbMPLY3lutV23HPiIv4YBh28T0Ztbz738P4FzBnLFVZ+UTMIfvbMbOVCp/TjvAzaAhOA== MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: c18361ab-a22b-4e17-c363-08d799f762c1 X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jan 2020 20:13:28.7832 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: Bua9Jjx8bOs/S4xMUq4LTLOZKW66zAxmPgULwlYOBiI0wCA/13ranks48HgH1hQ44DwuQoDGrNsaVkXgeiPaN20x61YRwRW/7JeoLJbkjVM= X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB1856 Return-Path: amol.n.sukerkar@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Thanks, Jian! Please find my answer below. ~ Amol -----Original Message----- From: Wang, Jian J =20 Sent: Tuesday, January 14, 2020 8:14 PM To: Sukerkar, Amol N ; devel@edk2.groups.io Cc: Kinney, Michael D ; Yao, Jiewen ; Agrawal, Sachin ; Musti, Srinivas Subject: RE: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash= Calculation API Amol, 1. Your patch doesn't support hashing more than one algorithm at the same t= ime. Is this on purpose? Sorry I don't remember the conclusion in last discus= sion. [ANS] This feature supports only one hashing algorithm at a given time as p= er our last discussion. The PcdSystemHashPolicy can be overridden at platfo= rm level DSC. 2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h. You can use BaseTools\Scripts\PatchCheck.py to check it before sending p= atch. [ANS] OK. I will run the tool before uploading the next version with the ch= anges suggested below. See my other comments below. > -----Original Message----- > From: Sukerkar, Amol N > Sent: Tuesday, January 14, 2020 11:41 PM > To: devel@edk2.groups.io > Cc: Kinney, Michael D ; Yao, Jiewen=20 > ; Wang, Jian J ; Agrawal,=20 > Sachin ; Musti, Srinivas=20 > > Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified=20 > Hash Calculation API >=20 > This commit introduces a Unified Hash API to calculate hash using a=20 > hashing algorithm specified by the PCD, PcdSystemHashPolicy. This=20 > library interfaces with the various hashing API, such as, MD4, MD5,=20 > SHA1, SHA256, > SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate=20 > the desired hash by setting PcdSystemHashPolicy to appropriate value. >=20 > Cc: Jiewen Yao > Cc: Jian J Wang > Cc: Michael D Kinney > Signed-off-by: Sukerkar, Amol N > --- >=20 > Notes: > v2: > - Fixed the commit message format >=20 > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252 > ++++++++++++++++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++ > SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++ =20 > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++ =20 > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++ =20 > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++ =20 > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++ > SecurityPkg/SecurityPkg.dec | 23 +- > SecurityPkg/SecurityPkg.dsc | 10 +- > SecurityPkg/SecurityPkg.uni | 15 +- > 12 files changed, 833 insertions(+), 3 deletions(-) >=20 > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c > new file mode 100644 > index 000000000000..f8742e55b5f7 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c > @@ -0,0 +1,252 @@ > +/** @file >=20 > + Implement image verification services for secure boot service >=20 > + >=20 > + Caution: This file requires additional review when modified. >=20 > + This library will have external input - PE/COFF image. >=20 > + This external input must be validated carefully to avoid security=20 > + issue like >=20 > + buffer overflow, integer overflow. >=20 > + >=20 > + DxeImageVerificationLibImageRead() function will make sure the=20 > + PE/COFF > image content >=20 > + read is within the image buffer. >=20 > + >=20 > + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() > function will accept >=20 > + untrusted PE/COFF image and validate its data structure within this=20 > + image > buffer before use. >=20 > + >=20 > +Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > +(C) Copyright 2016 Hewlett Packard Enterprise Development LP
>=20 > +This program and the accompanying materials >=20 > +are licensed and made available under the terms and conditions of the=20 > +BSD > License >=20 > +which accompanies this distribution. The full text of the license=20 > +may be found > at >=20 > +http://opensource.org/licenses/bsd-license.php >=20 > + >=20 > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, >=20 > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. >=20 > + >=20 > +**/ >=20 > + >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > + >=20 > +/** >=20 > + Init hash sequence with Hash Algorithm specified by HashPolicy. >=20 > + >=20 > + @param HashPolicy Hash Algorithm Policy. >=20 > + @param HashHandle Hash handle. >=20 > + >=20 > + @retval TRUE Hash start and HashHandle returned. >=20 > + @retval FALSE Hash Init unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashInitInternal ( >=20 > + IN UINT8 HashPolicy, >=20 > + OUT HASH_HANDLE *HashHandle >=20 > + ) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + VOID *HashCtx; >=20 > + UINTN CtxSize; >=20 > + >=20 > + switch (HashPolicy) { >=20 > + case HASH_MD4: >=20 > + CtxSize =3D Md4GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Md4Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_MD5: >=20 > + CtxSize =3D Md5GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Md5Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SHA1: >=20 > + CtxSize =3D Sha1GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sha1Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SHA256: >=20 > + CtxSize =3D Sha256GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sha256Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SHA384: >=20 > + CtxSize =3D Sha384GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sha384Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SHA512: >=20 > + CtxSize =3D Sha512GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sha512Init (HashCtx); >=20 > + break; >=20 > + >=20 > + case HASH_SM3_256: >=20 > + CtxSize =3D Sm3GetContextSize (); >=20 > + HashCtx =3D AllocatePool (CtxSize); >=20 > + ASSERT (HashCtx !=3D NULL); >=20 > + >=20 > + Status =3D Sm3Init (HashCtx); >=20 > + break; >=20 > + >=20 > + default: >=20 > + ASSERT (FALSE); >=20 > + break; >=20 > + } >=20 > + 3. Instead of switch..case, using a global array to defines all supported i= nterfaces would be more efficient, since you can value of PcdSystemHashPoli= cy to index them directly. >=20 > + *HashHandle =3D (HASH_HANDLE)HashCtx; >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Update hash data with Hash Algorithm specified by HashPolicy. >=20 > + >=20 > + @param HashPolicy Hash Algorithm Policy. >=20 > + @param HashHandle Hash handle. >=20 > + @param DataToHash Data to be hashed. >=20 > + @param DataToHashLen Data size. >=20 > + >=20 > + @retval TRUE Hash updated. >=20 > + @retval FALSE Hash updated unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashUpdateInternal ( >=20 > + IN UINT8 HashPolicy, >=20 > + IN HASH_HANDLE HashHandle, >=20 > + IN VOID *DataToHash, >=20 > + IN UINTN DataToHashLen >=20 > + ) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + VOID *HashCtx; >=20 > + >=20 > + HashCtx =3D (VOID *)HashHandle; >=20 > + >=20 > + switch (HashPolicy) { >=20 > + case HASH_MD4: >=20 > + Status =3D Md4Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_MD5: >=20 > + Status =3D Md5Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SHA1: >=20 > + Status =3D Sha1Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SHA256: >=20 > + Status =3D Sha256Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SHA384: >=20 > + Status =3D Sha384Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SHA512: >=20 > + Status =3D Sha512Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + case HASH_SM3_256: >=20 > + Status =3D Sm3Update (HashCtx, DataToHash, DataToHashLen); >=20 > + break; >=20 > + >=20 > + default: >=20 > + ASSERT (FALSE); >=20 > + break; >=20 > + } >=20 4. The same as 3 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Hash complete with Hash Algorithm specified by HashPolicy. >=20 > + >=20 > + @param HashPolicy Hash Algorithm Policy. >=20 > + @param HashHandle Hash handle. >=20 > + @param Digest Hash Digest. >=20 > + >=20 > + @retval TRUE Hash complete and Digest is returned. >=20 > + @retval FALSE Hash complete unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashFinalInternal ( >=20 > + IN UINT8 HashPolicy, >=20 > + IN HASH_HANDLE HashHandle, >=20 > + OUT UINT8 **Digest >=20 > + ) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + VOID *HashCtx; >=20 > + UINT8 DigestData[SHA512_DIGEST_SIZE]; >=20 > + >=20 > + HashCtx =3D (VOID *)HashHandle; >=20 > + >=20 > + switch (HashPolicy) { >=20 > + case HASH_MD4: >=20 > + Status =3D Md4Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_MD5: >=20 > + Status =3D Md5Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SHA1: >=20 > + Status =3D Sha1Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SHA256: >=20 > + Status =3D Sha256Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SHA384: >=20 > + Status =3D Sha384Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SHA512: >=20 > + Status =3D Sha512Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + case HASH_SM3_256: >=20 > + Status =3D Sm3Final (HashCtx, DigestData); >=20 > + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE); >=20 > + break; >=20 > + >=20 > + default: >=20 > + ASSERT (FALSE); >=20 > + break; >=20 5. The same as 3 > + } >=20 > + >=20 > + FreePool (HashCtx); >=20 > + >=20 > + return Status; >=20 > +} > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c > new file mode 100644 > index 000000000000..ea22cfe16e2f > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c > @@ -0,0 +1,122 @@ > +/** @file >=20 > + This library is Unified Hash API. It will redirect hash request to >=20 > + the hash handler specified by PcdSystemHashPolicy such as SHA1,=20 > + SHA256, >=20 > + SHA384 and SM3... >=20 > + >=20 > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.=20 > +
>=20 > +SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > + >=20 > +**/ >=20 > + >=20 > + >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > + >=20 > +#include "BaseHashLibCommon.h" >=20 > + >=20 > +/** >=20 > + Init hash sequence. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + >=20 > + @retval TRUE Hash start and HashHandle returned. >=20 > + @retval FALSE Hash Init unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiInit ( >=20 > + OUT HASH_HANDLE *HashHandle >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + HASH_HANDLE Handle; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashInitInternal (HashPolicy, &Handle); >=20 > + >=20 > + *HashHandle =3D Handle; >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Update hash data. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + @param DataToHash Data to be hashed. >=20 > + @param DataToHashLen Data size. >=20 > + >=20 > + @retval TRUE Hash updated. >=20 > + @retval FALSE Hash updated unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiUpdate ( >=20 > + IN HASH_HANDLE HashHandle, >=20 > + IN VOID *DataToHash, >=20 > + IN UINTN DataToHashLen >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, > DataToHashLen); >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Hash complete. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + @param Digest Hash Digest. >=20 > + >=20 > + @retval TRUE Hash complete and Digest is returned. >=20 > + @retval FALSE Hash complete unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiFinal ( >=20 > + IN HASH_HANDLE HashHandle, >=20 > + OUT UINT8 *Digest >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashFinalInternal (HashPolicy, &HashHandle, &Digest); >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + The constructor function of BaseHashLib Dxe. >=20 > + >=20 > + @param FileHandle The handle of FFS header the loaded driver. >=20 > + @param PeiServices The pointer to the PEI services. >=20 > + >=20 > + @retval EFI_SUCCESS The constructor executes successfully. >=20 > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the > constructor. >=20 > + >=20 > +**/ >=20 > +EFI_STATUS >=20 > +EFIAPI >=20 > +BaseHashLibApiDxeConstructor ( >=20 > + IN EFI_HANDLE ImageHandle, >=20 > + IN EFI_SYSTEM_TABLE *SystemTable >=20 > + ) >=20 > +{ >=20 > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n")); >=20 > + >=20 > + return EFI_SUCCESS; >=20 > +} 6. Constructor is not necessary if you don't have anything to do with it. You can remove it from inf file and here. > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c > new file mode 100644 > index 000000000000..580ac21fc1d9 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c > @@ -0,0 +1,125 @@ > +/** @file >=20 > + This library is Unified Hash API. It will redirect hash request to >=20 > + the hash handler specified by PcdSystemHashPolicy such as SHA1,=20 > + SHA256, >=20 > + SHA384 and SM3... >=20 > + >=20 > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.=20 > +
>=20 > +SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > + >=20 > +**/ >=20 > + >=20 > + >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > +#include >=20 > + >=20 > +#include >=20 > +#include "BaseHashLibCommon.h" >=20 > + >=20 > +/** >=20 > + Init hash sequence. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + >=20 > + @retval TRUE Hash start and HashHandle returned. >=20 > + @retval FALSE Hash Init unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiInit ( >=20 > + OUT HASH_HANDLE *HashHandle >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + HASH_HANDLE Handle; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashInitInternal (HashPolicy, &Handle); >=20 > + >=20 > + *HashHandle =3D Handle; >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Update hash data. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + @param DataToHash Data to be hashed. >=20 > + @param DataToHashLen Data size. >=20 > + >=20 > + @retval TRUE Hash updated. >=20 > + @retval FALSE Hash updated unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiUpdate ( >=20 > + IN HASH_HANDLE HashHandle, >=20 > + IN VOID *DataToHash, >=20 > + IN UINTN DataToHashLen >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, > DataToHashLen); >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + Hash complete. >=20 > + >=20 > + @param HashHandle Hash handle. >=20 > + @param Digest Hash Digest. >=20 > + >=20 > + @retval TRUE Hash complete and Digest is returned. >=20 > + @retval FALSE Hash complete unsuccessful. >=20 > +**/ >=20 > +BOOLEAN >=20 > +EFIAPI >=20 > +HashApiFinal ( >=20 > + IN HASH_HANDLE HashHandle, >=20 > + OUT UINT8 *Digest >=20 > +) >=20 > +{ >=20 > + BOOLEAN Status; >=20 > + UINT8 HashPolicy; >=20 > + >=20 > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); >=20 > + >=20 > + Status =3D HashFinalInternal (HashPolicy, HashHandle, &Digest); >=20 > + >=20 > + return Status; >=20 > +} >=20 > + >=20 > +/** >=20 > + The constructor function of BaseHashLib Pei. >=20 > + >=20 > + @param FileHandle The handle of FFS header the loaded driver. >=20 > + @param PeiServices The pointer to the PEI services. >=20 > + >=20 > + @retval EFI_SUCCESS The constructor executes successfully. >=20 > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the > constructor. >=20 > + >=20 > +**/ >=20 > +EFI_STATUS >=20 > +EFIAPI >=20 > +BaseHashLibApiPeiConstructor ( >=20 > + IN EFI_PEI_FILE_HANDLE FileHandle, >=20 > + IN CONST EFI_PEI_SERVICES **PeiServices >=20 > + ) >=20 > +{ >=20 > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n")); >=20 > + >=20 > + return EFI_SUCCESS; >=20 > +} 7. The same as 6 > \ No newline at end of file > diff --git a/SecurityPkg/Include/Library/BaseHashLib.h > b/SecurityPkg/Include/Library/BaseHashLib.h > new file mode 100644 > index 000000000000..e1883fe7ce41 > --- /dev/null > +++ b/SecurityPkg/Include/Library/BaseHashLib.h > @@ -0,0 +1,84 @@ > +/** @file > + The internal header file includes the common header files, defines > + internal structure and functions used by ImageVerificationLib. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
This program and the accompanying materials are=20 > +licensed and made available under the terms and conditions of the BSD > License > +which accompanies this distribution. The full text of the license=20 > +may be found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,=20 > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + > +**/ > + > +#ifndef __BASEHASHLIB_H_ > +#define __BASEHASHLIB_H_ > + > +#include > +#include > +#include > + > +// > +// Hash Algorithms > +// > +#define HASH_DEFAULT 0x00000000 > +#define HASH_MD4 0x00000001 > +#define HASH_MD5 0x00000002 > +#define HASH_SHA1 0x00000003 > +#define HASH_SHA256 0x00000004 > +#define HASH_SHA384 0x00000005 > +#define HASH_SHA512 0x00000006 > +#define HASH_SM3_256 0x00000007 > + > + > +/** > + Init hash sequence. > + > + @param HashHandle Hash handle. > + > + @retval TRUE Hash start and HashHandle returned. > + @retval FALSE Hash Init unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiInit ( > + OUT HASH_HANDLE *HashHandle > +); > + > +/** > + Update hash data. > + > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiUpdate ( > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > +); > + > +/** > + Hash complete. > + > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiFinal ( > + IN HASH_HANDLE HashHandle, > + OUT UINT8 *Digest > +); > + > +#endif > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h > new file mode 100644 > index 000000000000..776b74ad753b > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h > @@ -0,0 +1,71 @@ > +/** @file > + The internal header file includes the common header files, defines > + internal structure and functions used by ImageVerificationLib. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
This program and the accompanying materials are=20 > +licensed and made available under the terms and conditions of the BSD > License > +which accompanies this distribution. The full text of the license=20 > +may be found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,=20 > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + > +**/ > + > +#ifndef __BASEHASHLIB_COMMON_H_ > +#define __BASEHASHLIB_COMMON_H_ > + > +/** > + Init hash sequence with Hash Algorithm specified by HashPolicy. > + > + @param HashHandle Hash handle. > + > + @retval EFI_SUCCESS Hash start and HashHandle returned. > + @retval EFI_UNSUPPORTED System has no HASH library registered. > +**/ > +BOOLEAN > +EFIAPI > +HashInitInternal ( > + IN UINT8 HashPolicy, > + OUT HASH_HANDLE *HashHandle > + ); > + > +/** > + Hash complete with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashUpdateInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > + ); > + > +/** > + Update hash data with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashFinalInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + OUT UINT8 **Digest > + ); > +#endif > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > new file mode 100644 > index 000000000000..f97bda06108f > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > @@ -0,0 +1,47 @@ > +## @file >=20 > +# Provides hash service by registered hash handler >=20 > +# >=20 > +# This library is Base Hash Lib. It will redirect hash request to=20 > +each individual >=20 > +# hash handler registered, such as SHA1, SHA256, SHA384, SM3. >=20 > +# >=20 > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > +# SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > +# >=20 > +## >=20 > + >=20 > +[Defines] >=20 > + INF_VERSION =3D 0x00010005 >=20 > + BASE_NAME =3D BaseHashLibDxe >=20 > + MODULE_UNI_FILE =3D BaseHashLibDxe.uni >=20 > + FILE_GUID =3D 158DC712-F15A-44dc-93BB-1675045BE06= 6 >=20 > + MODULE_TYPE =3D DXE_DRIVER >=20 > + VERSION_STRING =3D 1.0 >=20 > + LIBRARY_CLASS =3D BaseHashLib|DXE_DRIVER DXE_RUNTIME_= DRIVER > DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER >=20 > + CONSTRUCTOR =3D BaseHashLibApiDxeConstructor 8. Since the above function is actually empty, you can remove above line an= d function in c file. >=20 > + >=20 > +# >=20 > +# The following information is for reference only and not required by=20 > +the build > tools. >=20 > +# >=20 > +# VALID_ARCHITECTURES =3D IA32 X64 >=20 > +# >=20 > + >=20 > +[Sources] >=20 > + BaseHashLibCommon.h >=20 > + BaseHashLibCommon.c >=20 > + BaseHashLibDxe.c >=20 > + >=20 > +[Packages] >=20 > + MdePkg/MdePkg.dec >=20 > + CryptoPkg/CryptoPkg.dec >=20 > + SecurityPkg/SecurityPkg.dec >=20 > + >=20 > +[LibraryClasses] >=20 > + BaseLib >=20 > + BaseMemoryLib >=20 > + DebugLib >=20 > + MemoryAllocationLib >=20 > + BaseCryptLib >=20 > + PcdLib >=20 > + >=20 > +[Pcd] >=20 > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES >=20 > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni > new file mode 100644 > index 000000000000..1865773b4a25 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni > @@ -0,0 +1,18 @@ > +// /** @file >=20 > +// Provides hash service by registered hash handler >=20 > +// >=20 > +// This library is Unified Hash API. It will redirect hash request to=20 > +each individual >=20 > +// hash handler registered, such as SHA1, SHA256. Platform can use > PcdTpm2HashMask to >=20 > +// mask some hash engines. >=20 > +// >=20 > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > +// >=20 > +// SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > +// >=20 > +// **/ >=20 > + >=20 > + >=20 > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash > service by specified hash handler" >=20 > + >=20 > +#string STR_MODULE_DESCRIPTION #language en-US "This library is > Unified Hash API. It will redirect hash request to the hash handler=20 > specified by PcdSystemHashPolicy." >=20 > + >=20 > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > new file mode 100644 > index 000000000000..4d36030744bd > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > @@ -0,0 +1,52 @@ > +## @file >=20 > +# Provides hash service by registered hash handler >=20 > +# >=20 > +# This library is BaseCrypto router. It will redirect hash request=20 > +to each > individual >=20 > +# hash handler registered, such as SHA1, SHA256. >=20 > +# >=20 > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > +# SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > +# >=20 > +## >=20 > + >=20 > +[Defines] >=20 > + INF_VERSION =3D 0x00010005 >=20 > + BASE_NAME =3D BaseHashLibPei >=20 > + MODULE_UNI_FILE =3D BaseHashLibPei.uni >=20 > + FILE_GUID =3D DDCBCFBA-8EEB-488a-96D6-097831A6E50= B >=20 > + MODULE_TYPE =3D PEIM >=20 > + VERSION_STRING =3D 1.0 >=20 > + LIBRARY_CLASS =3D BaseHashLib|PEIM >=20 > + CONSTRUCTOR =3D BaseHashLibApiPeiConstructor >=20 9. The same as 8 > + >=20 > +# >=20 > +# The following information is for reference only and not required by=20 > +the build > tools. >=20 > +# >=20 > +# VALID_ARCHITECTURES =3D IA32 X64 >=20 > +# >=20 > + >=20 > +[Sources] >=20 > + BaseHashLibCommon.h >=20 > + BaseHashLibCommon.c >=20 > + BaseHashLibPei.c >=20 > + >=20 > +[Packages] >=20 > + MdePkg/MdePkg.dec >=20 > + SecurityPkg/SecurityPkg.dec >=20 > + CryptoPkg/CryptoPkg.dec >=20 > + MdeModulePkg/MdeModulePkg.dec >=20 > + >=20 > +[LibraryClasses] >=20 > + BaseLib >=20 > + BaseMemoryLib >=20 > + DebugLib >=20 > + MemoryAllocationLib >=20 > + BaseCryptLib >=20 > + PcdLib >=20 > + >=20 > +[Guids] >=20 > + ## SOMETIMES_CONSUMES ## GUID >=20 > + gZeroGuid >=20 > + >=20 > +[Pcd] >=20 > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES >=20 > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni > new file mode 100644 > index 000000000000..2131b61bd235 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni > @@ -0,0 +1,17 @@ > +// /** @file >=20 > +// Provides hash service by registered hash handler >=20 > +// >=20 > +// This library is Unified Hash API. It will redirect hash request to=20 > +each individual >=20 > +// hash handler registered, such as SHA1, SHA256. >=20 > +// >=20 > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > +// >=20 > +// SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > +// >=20 > +// **/ >=20 > + >=20 > + >=20 > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash > service by specified hash handler" >=20 > + >=20 > +#string STR_MODULE_DESCRIPTION #language en-US "This library is > Unified Hash API. It will redirect hash request to the hash handler=20 > specified by PcdSystemHashPolicy." >=20 > + >=20 > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec=20 > index cac36caf0a0d..e0e144124ddd 100644 > --- a/SecurityPkg/SecurityPkg.dec > +++ b/SecurityPkg/SecurityPkg.dec > @@ -5,7 +5,7 @@ > # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs=20 > and library > classes) >=20 > # and libraries instances, which are used for those features. >=20 > # >=20 > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights=20 > reserved.
>=20 > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
>=20 > # Copyright (c) 2017, Microsoft Corporation. All rights reserved.=20 >
>=20 > # SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > @@ -27,6 +27,10 @@ [LibraryClasses] > # >=20 > HashLib|Include/Library/HashLib.h >=20 >=20 >=20 > + ## @libraryclass Provides hash interfaces from different implementat= ions. >=20 > + # >=20 > + BaseHashLib|Include/Library/HashLib.h >=20 > + >=20 > ## @libraryclass Provides a platform specific interface to detect=20 > physically present user. >=20 > # >=20 > PlatformSecureLib|Include/Library/PlatformSecureLib.h >=20 > @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx] > # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table. >=20 >=20 > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023 >=20 >=20 >=20 > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] >=20 > + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF=20 > + image >=20 > + # Based on the value set, the required algorithm is chosen to=20 > + verify >=20 > + # the unsigned image during Secure Boot.
>=20 > + # The hashing algorithm selected must match the hashing algorithm=20 > + used to >=20 > + # hash the image to be added to DB using tools such as=20 > + KeyEnroll.
>=20 > + # 0x00000001 - MD4.
>=20 > + # 0x00000002 - MD5.
>=20 > + # 0x00000003 - SHA1.
>=20 > + # 0x00000004 - SHA256.
>=20 > + # 0x00000005 - SHA384.
>=20 > + # 0x00000006 - SHA512.
>=20 > + # 0x00000007 - SM3_256.
>=20 > + # @Prompt Set policy for hashing unsigned image for Secure Boot. >=20 > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007 >=20 > + > gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x0001002 > 4 >=20 > + >=20 > [UserExtensions.TianoCore."ExtraFiles"] >=20 > SecurityPkgExtra.uni >=20 > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc=20 > index a2eeadda7a7e..86a5847e2509 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc > @@ -1,7 +1,7 @@ > ## @file >=20 > # Security Module Package for All Architectures. >=20 > # >=20 > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights=20 > reserved.
>=20 > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP
>=20 > # SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > # >=20 > @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM] >=20 > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm. > inf >=20 >=20 > Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib > Tcg2PhysicalPresenceLib|/PeiTc > g2PhysicalPresenceLib.inf >=20 > RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf >=20 > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf >=20 >=20 >=20 > [LibraryClasses.common.DXE_DRIVER] >=20 > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf >=20 > @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER] >=20 > Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg > Tpm12DeviceLib|.i > nf >=20 >=20 > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2. > Tpm2DeviceLib|in > f >=20 > =20 > FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.i > nf >=20 > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf >=20 >=20 >=20 > [LibraryClasses.common.UEFI_DRIVER, > LibraryClasses.common.DXE_RUNTIME_DRIVER, > LibraryClasses.common.DXE_SAL_DRIVER,] >=20 > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf >=20 > @@ -211,6 +213,12 @@ [Components] >=20 >=20 > SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf >=20 >=20 >=20 > + # >=20 > + # Unified Hash API >=20 > + # >=20 > + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf >=20 > + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf >=20 > + >=20 > # >=20 > # TCG Storage. >=20 > # >=20 > diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni=20 > index 68587304d779..32ef97f81461 100644 > --- a/SecurityPkg/SecurityPkg.uni > +++ b/SecurityPkg/SecurityPkg.uni > @@ -5,7 +5,7 @@ > // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs=20 > and library > classes) >=20 > // and libraries instances, which are used for those features. >=20 > // >=20 > -// Copyright (c) 2009 - 2018, Intel Corporation. All rights=20 > reserved.
>=20 > +// Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
>=20 > // >=20 > // SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > // >=20 > @@ -295,3 +295,16 @@ >=20 >=20 > #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP > #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n" >=20 > = =20 > "0 means this field is unsupported\n" >=20 > + >=20 >=20 > + > #string > STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT > #language en-US "HASH algorithm to verify unsigned PE/COFF image" >=20 > + >=20 > +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP > #language en-US "This PCD indicates the HASH algorithm used by Unified=20 > Hash API.

\n" >=20 > + = =20 > + "Based on the value set, the > required algorithm is chosen to calculate\n" >=20 > + = "the hash desired.
\n" >=20 > + = "0x00000001 - MD4.
\n" >=20 > + = "0x00000002 - MD5.
\n" >=20 > + = "0x00000003 - SHA1.
\n" >=20 > + = =20 > + "0x00000004 - > SHA256.
\n" >=20 > + = =20 > + "0x00000005 - > SHA384.
\n" >=20 > + = =20 > + "0x00000006 - > SHA512.
\n" >=20 > + = "0x00000007 - SM3.
" >=20 > -- > 2.16.2.windows.1