From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by mx.groups.io with SMTP id smtpd.web10.9058.1579793106221130833 for ; Thu, 23 Jan 2020 07:25:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=l8+c0C2o; spf=pass (domain: intel.com, ip: 192.55.52.43, mailfrom: amol.n.sukerkar@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Jan 2020 07:25:05 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,354,1574150400"; d="scan'208";a="400365499" Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204]) by orsmga005.jf.intel.com with ESMTP; 23 Jan 2020 07:25:05 -0800 Received: from fmsmsx101.amr.corp.intel.com (10.18.124.199) by FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 23 Jan 2020 07:24:44 -0800 Received: from FMSEDG002.ED.cps.intel.com (10.1.192.134) by fmsmsx101.amr.corp.intel.com (10.18.124.199) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 23 Jan 2020 07:24:44 -0800 Received: from NAM02-BL2-obe.outbound.protection.outlook.com (104.47.38.56) by edgegateway.intel.com (192.55.55.69) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 23 Jan 2020 07:24:44 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BiSVfhdsApf36xoj6hBjSOvNoBHKhwe7dYy8CbOjc0xNgxw4W76Dagzq2eZJeKrqLFQNiPbUEQ851b6dTBbo4qyptbVdPwzP/ADpVL88ti9svHxGkynkmeg3n2cpF305oikxMXHpoQ77ylxVqq9PmBtb4PoZjpVJsDMbh8g0e9SdUpMCdSKvT2pDPLPmaL/woWmPtiCjyrO7xDsYW2vXLic48cNWRU5H4+BoVfzDPpQaApfweS2VOphQbiu2M0kLp1rxRxTM3cUSBkC4mm4OYxZdtv1zBDFQtoBOknDVxQ/amNuOpd9knFgDZ3OykX4I7NW9xgy26uJzzGr/nBmcVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BwcMNOJxKBwi/Kj3ll83MttPqccBBavGeVDFZStWsew=; b=RLhLLEjKcDkAYtZz1eJNTaXq6H3M1o0Z5FdBnBa+MDr/w/xQk2TD1ywwlOnAIedqVBLt3BIP0A+NJ2ael05aVtOoTEcHuA69YzngaNvd2fZHQvSIyjFnk5coJIa0GSJPnzBw3xcRQbFf6UfH7FJnr3ONYAjR/vlAthbM0nuu94NePMsJtXmJmzFJixBuye/G69NR6nf8SX6m5TWbWCCRcozYE4yaZu+KJwkEUNQpbaWzB7LTtCDT5Vv8HDJ7pvGoUQ/zlYCyOPZsIYiutGoMmosKjCaHtiRiO7tVbie/bz9Ale5CVLaa54STDQjEzhA5bQOH9d7x32VLQxA7EPB7mQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BwcMNOJxKBwi/Kj3ll83MttPqccBBavGeVDFZStWsew=; b=l8+c0C2ovrBOZvM0q/hu2d7GXrQKbWGHaRCpRRtnV1lcFKM0yAWTzT6IXsezg3xX4JrUO5TEeJnktHCzMQDXgoZLD8hGm/JFSzkWF3+Hr6UkrM4lEGRSe/XNuMoZr9ofvzu9tPLCsv8Y3NNuz8+orF3fH/uohKwMAIXUHRllt9U= Received: from MWHPR11MB0064.namprd11.prod.outlook.com (10.164.192.146) by MWHPR11MB1983.namprd11.prod.outlook.com (10.175.55.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.24; Thu, 23 Jan 2020 15:24:42 +0000 Received: from MWHPR11MB0064.namprd11.prod.outlook.com ([fe80::6921:1be9:8a98:4549]) by MWHPR11MB0064.namprd11.prod.outlook.com ([fe80::6921:1be9:8a98:4549%5]) with mapi id 15.20.2644.027; Thu, 23 Jan 2020 15:24:42 +0000 From: "Sukerkar, Amol N" To: "Wang, Jian J" , "devel@edk2.groups.io" CC: "Kinney, Michael D" , "Yao, Jiewen" , "Agrawal, Sachin" , "Musti, Srinivas" , "Lakkimsetti, Subash" , "Sukerkar, Amol N" Subject: Re: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API Thread-Topic: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement Unified Hash Calculation API Thread-Index: AQHVz7Vv/QXveCHw3UGhJjh5974a76f4XmBA Date: Thu, 23 Jan 2020 15:24:41 +0000 Message-ID: References: <20200117223200.20504-1-amol.n.sukerkar@intel.com> <20200117223200.20504-3-amol.n.sukerkar@intel.com> In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-reaction: no-action dlp-version: 11.2.0.6 dlp-product: dlpe-windows authentication-results: spf=none (sender IP is ) smtp.mailfrom=amol.n.sukerkar@intel.com; x-originating-ip: [192.55.52.202] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 939a34b4-05f7-4bb6-fcb7-08d7a0185e6d x-ms-traffictypediagnostic: MWHPR11MB1983: x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:4502; x-forefront-prvs: 029174C036 x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(346002)(136003)(396003)(376002)(39860400002)(366004)(199004)(189003)(71200400001)(966005)(26005)(86362001)(30864003)(8676002)(81156014)(81166006)(5660300002)(7696005)(55016002)(66574012)(316002)(6506007)(53546011)(110136005)(54906003)(107886003)(186003)(66476007)(2906002)(478600001)(4326008)(15188155005)(9686003)(66946007)(8936002)(64756008)(66446008)(33656002)(66556008)(52536014)(16799955002)(76116006)(19627235002)(579004)(569006);DIR:OUT;SFP:1102;SCL:1;SRVR:MWHPR11MB1983;H:MWHPR11MB0064.namprd11.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: KESzFOBWB7qvGJ5kqE25YxjKwoDDdzKqbxITXJgZF+b03ZhvtDpaRpl6gs9LRN+D2tf2IbOGieARauekD+AatETP9jLmCwp0OIMHfJeHuE+UKPgHKHv/ytZ4Lm5e40f4TnZEUTMpBZvtMsfTsm26076iOmSo7MzcQcFRg6EZtiCK4S10H1HP0letC3ahWcD6B+ot381U11lRgRGO5N/JAFhoeB1E4rYHX0EYy98zO/KgE2GEW6BJmN4IUzUsm0UNrbF78KS7eQZEU4HKg5SQrM1B4gw0xfvDaukSn1mmViYr59Qr5NFZBHzTwDnXKhLWhoMGio/sn6gOu/Uts4v0Qu6sI4cs4lfPdXDB37waAn1Lwib7DBqr0tiYHkshie38zQrdpnKXmnPMNi2y9STv5c56/xwGLlWyyqQqa+3eKXBnTL+zzor7DvUXelRpDJN+YdhebYXq+FFAghg7D8pyj5re4anWlEd+iU5JZfLmSbp9Xl2bz4IMC/x/tbURIfdqKYoCrhidFW8FL3akYB5HWA== MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: 939a34b4-05f7-4bb6-fcb7-08d7a0185e6d X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jan 2020 15:24:41.9120 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: InqFr3LbcizQbVpBSNn+vo1Pv4S7VSNV3CD+xXz0IHTFnJmEK0+CJtokWHGDOzXeiHbLCsk08AQ6199DP6e/NmTns7Jt+E/axt5KAnpV3oo= X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB1983 Return-Path: amol.n.sukerkar@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Jian, You are correct that using local variable will link the unused libraries. = In any case, I will simplify the BaseHashLib library further based on comme= nts so far. About your comment: (3) Why do you need additional buffer here? The extra copy can be avoided = by passing the '*Digest' to XxxFinal function below. Am I missing something= here? [ANS] Initially the idea was to make sure that the buffer passed into xxxF= inal call didn't cause any buffer overflow since there is no way to detect = the size of the buffer allocated by the caller. However, you are correct. W= e cannot prevent it. Next call CopyMem will cause the same issue. It is the= responsibility of the caller to allocate enough memory for the digest base= d on the hashing algorithm used. Thanks, Amol -----Original Message----- From: Wang, Jian J =20 Sent: Monday, January 20, 2020 10:17 AM To: devel@edk2.groups.io; Sukerkar, Amol N Cc: Kinney, Michael D ; Yao, Jiewen ; Agrawal, Sachin ; Musti, Srinivas <= srinivas.musti@intel.com>; Lakkimsetti, Subash Subject: RE: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement = Unified Hash Calculation API Amol, One general comment in advance. The switch/case are using parameter HashPo= licy. Since it's a local variable not constant, I'm not sure whether or not the = compiler will optimize out not effective hash algorithm choices. Please dou= ble check the linked code. If not, you should not pass the value of PcdSyst= emHashPolicy via a parameter. Instead, you should use this PCD directly in = switch/case. See my other comments below. > -----Original Message----- > From: devel@edk2.groups.io On Behalf Of=20 > Sukerkar, Amol N > Sent: Saturday, January 18, 2020 6:32 AM > To: devel@edk2.groups.io > Cc: Kinney, Michael D ; Yao, Jiewen=20 > ; Wang, Jian J ; Agrawal,= =20 > Sachin ; Musti, Srinivas=20 > ; Lakkimsetti, Subash=20 > > Subject: [edk2-devel] [PATCH v4 2/2] CryptoPkg/BaseHashLib: Implement=20 > Unified Hash Calculation API >=20 > This commit introduces a Unified Hash API to calculate hash using a=20 > hashing algorithm specified by the PCD, PcdSystemHashPolicy. This=20 > library interfaces with the various hashing API, such as, MD4, MD5,=20 > SHA1, SHA256, > SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate= =20 > the desired hash by setting PcdSystemHashPolicy to appropriate value. >=20 > Cc: Jiewen Yao > Cc: Jian J Wang > Cc: Michael D Kinney > Signed-off-by: Sukerkar, Amol N > --- > CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c | 254 > ++++++++++++++++++++ > CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c | 100 ++++++++ > CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c | 101 ++++++++ > CryptoPkg/CryptoPkg.dec | 21 ++ > CryptoPkg/CryptoPkg.dsc | 6 +- > CryptoPkg/CryptoPkg.uni | 17 ++ > CryptoPkg/Include/Library/BaseHashLib.h | 85 +++++++ > CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h | 72 ++++++ > CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 45 ++++ > CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 17 ++ > CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf | 46 ++++ > CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni | 16 ++ > 12 files changed, 779 insertions(+), 1 deletion(-) >=20 > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c > b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c > new file mode 100644 > index 000000000000..217537566796 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.c > @@ -0,0 +1,254 @@ > +/** @file > + Implement image verification services for secure boot service > + > + Caution: This file requires additional review when modified. > + This library will have external input - PE/COFF image. > + This external input must be validated carefully to avoid security=20 > + issue like buffer overflow, integer overflow. > + > + DxeImageVerificationLibImageRead() function will make sure the=20 > + PE/COFF > image content > + read is within the image buffer. > + > + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() > function will accept > + untrusted PE/COFF image and validate its data structure within this= =20 > + image > buffer before use. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP
This= =20 > +program and the accompanying materials are licensed and made=20 > +available under the terms and conditions of the BSD > License > +which accompanies this distribution. The full text of the license=20 > +may be found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,= =20 > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + > +**/ > + > +#include > +#include > +#include #include=20 > + #include #include=20 > + #include > + > +#include "BaseHashLibCommon.h" > + > +/** > + Init hash sequence with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + > + @retval TRUE Hash start and HashHandle returned. > + @retval FALSE Hash Init unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashInitInternal ( > + IN UINT8 HashPolicy, > + OUT HASH_HANDLE *HashHandle > + ) > +{ > + BOOLEAN Status; > + VOID *HashCtx; > + UINTN CtxSize; > + > + switch (HashPolicy) { > + case HASH_MD4: > + CtxSize =3D Md4GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Md4Init (HashCtx); > + break; > + > + case HASH_MD5: > + CtxSize =3D Md5GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Md5Init (HashCtx); > + break; > + > + case HASH_SHA1: > + CtxSize =3D Sha1GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Sha1Init (HashCtx); > + break; > + > + case HASH_SHA256: > + CtxSize =3D Sha256GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Sha256Init (HashCtx); > + break; > + > + case HASH_SHA384: > + CtxSize =3D Sha384GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Sha384Init (HashCtx); > + break; > + > + case HASH_SHA512: > + CtxSize =3D Sha512GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Sha512Init (HashCtx); > + break; > + > + case HASH_SM3_256: > + CtxSize =3D Sm3GetContextSize (); > + HashCtx =3D AllocatePool (CtxSize); > + ASSERT (HashCtx !=3D NULL); > + > + Status =3D Sm3Init (HashCtx); > + break; > + > + default: > + ASSERT (FALSE); > + break; (1) Status was not initialized before. Although there's ASSERT, still sugg= est to assign FALSE to Status for 'default' case. > + } > + > + *HashHandle =3D (HASH_HANDLE)HashCtx; > + > + return Status; > +} > + > +/** > + Update hash data with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashUpdateInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > + ) > +{ > + BOOLEAN Status; > + VOID *HashCtx; > + > + HashCtx =3D (VOID *)HashHandle; > + > + switch (HashPolicy) { > + case HASH_MD4: > + Status =3D Md4Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + case HASH_MD5: > + Status =3D Md5Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + case HASH_SHA1: > + Status =3D Sha1Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + case HASH_SHA256: > + Status =3D Sha256Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + case HASH_SHA384: > + Status =3D Sha384Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + case HASH_SHA512: > + Status =3D Sha512Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + case HASH_SM3_256: > + Status =3D Sm3Update (HashCtx, DataToHash, DataToHashLen); > + break; > + > + default: > + ASSERT (FALSE); > + break; (2) Same as (1). Suggest assigning FALSE to Status in 'default' case. > + } > + > + return Status; > +} > + > +/** > + Hash complete with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashFinalInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + OUT UINT8 **Digest > + ) > +{ > + BOOLEAN Status; > + VOID *HashCtx; > + UINT8 DigestData[SHA512_DIGEST_SIZE]; > + (3) Why do you need additional buffer here? The extra copy can be avoided = by passing the '*Digest' to XxxFinal function below. Am I missing something= here? > + HashCtx =3D (VOID *)HashHandle; > + > + switch (HashPolicy) { > + case HASH_MD4: > + Status =3D Md4Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE); > + break; > + > + case HASH_MD5: > + Status =3D Md5Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE); > + break; > + > + case HASH_SHA1: > + Status =3D Sha1Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE); > + break; > + > + case HASH_SHA256: > + Status =3D Sha256Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE); > + break; > + > + case HASH_SHA384: > + Status =3D Sha384Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE); > + break; > + > + case HASH_SHA512: > + Status =3D Sha512Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE); > + break; > + > + case HASH_SM3_256: > + Status =3D Sm3Final (HashCtx, DigestData); > + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE); > + break; > + > + default: > + ASSERT (FALSE); > + break; (4) Same as (1) and (2) > + } > + > + FreePool (HashCtx); > + > + return Status; > +} > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c > b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c > new file mode 100644 > index 000000000000..226c2d6a4aae > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.c > @@ -0,0 +1,100 @@ > +/** @file > + This library is Unified Hash API. It will redirect hash request to > + the hash handler specified by PcdSystemHashPolicy such as SHA1,=20 > +SHA256, > + SHA384 and SM3... > + > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.=20 > +
(5) This is new file. Start year should be 2020. > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > + > +#include > +#include > +#include #include=20 > + #include #include=20 > + > + > +#include "BaseHashLibCommon.h" > + > +/** > + Init hash sequence. > + > + @param HashHandle Hash handle. > + > + @retval TRUE Hash start and HashHandle returned. > + @retval FALSE Hash Init unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiInit ( > + OUT HASH_HANDLE *HashHandle > +) > +{ > + BOOLEAN Status; > + UINT8 HashPolicy; > + HASH_HANDLE Handle; > + > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); > + > + Status =3D HashInitInternal (HashPolicy, &Handle); > + > + *HashHandle =3D Handle; > + > + return Status; > +} > + > +/** > + Update hash data. > + > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiUpdate ( > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > +) > +{ > + BOOLEAN Status; > + UINT8 HashPolicy; > + > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); > + > + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, > DataToHashLen); > + > + return Status; > +} > + > +/** > + Hash complete. > + > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiFinal ( > + IN HASH_HANDLE HashHandle, > + OUT UINT8 *Digest > +) > +{ > + BOOLEAN Status; > + UINT8 HashPolicy; > + > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); > + > + Status =3D HashFinalInternal (HashPolicy, &HashHandle, &Digest); > + > + return Status; > +} > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c > b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c > new file mode 100644 > index 000000000000..a9fa0d978088 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.c > @@ -0,0 +1,101 @@ > +/** @file > + This library is Unified Hash API. It will redirect hash request to > + the hash handler specified by PcdSystemHashPolicy such as SHA1,=20 > +SHA256, > + SHA384 and SM3... > + > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.=20 > +
(6) This is new file. Start year should be 2020. > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > + > +#include > +#include > +#include #include=20 > + #include #include=20 > + #include > + > +#include "BaseHashLibCommon.h" > + > +/** > + Init hash sequence. > + > + @param HashHandle Hash handle. > + > + @retval TRUE Hash start and HashHandle returned. > + @retval FALSE Hash Init unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiInit ( > + OUT HASH_HANDLE *HashHandle > +) > +{ > + BOOLEAN Status; > + UINT8 HashPolicy; > + HASH_HANDLE Handle; > + > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); > + > + Status =3D HashInitInternal (HashPolicy, &Handle); > + > + *HashHandle =3D Handle; > + > + return Status; > +} > + > +/** > + Update hash data. > + > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiUpdate ( > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > +) > +{ > + BOOLEAN Status; > + UINT8 HashPolicy; > + > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); > + > + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, > DataToHashLen); > + > + return Status; > +} > + > +/** > + Hash complete. > + > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiFinal ( > + IN HASH_HANDLE HashHandle, > + OUT UINT8 *Digest > +) > +{ > + BOOLEAN Status; > + UINT8 HashPolicy; > + > + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); > + > + Status =3D HashFinalInternal (HashPolicy, HashHandle, &Digest); > + > + return Status; > +} > diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec index=20 > a548ec7ddc71..9288c652f8e4 100644 > --- a/CryptoPkg/CryptoPkg.dec > +++ b/CryptoPkg/CryptoPkg.dec > @@ -33,10 +33,31 @@ [LibraryClasses] > ## > TlsLib|Include/Library/TlsLib.h >=20 > + ## @libraryclass Provides Unified API for different hash implementa= tions. > + # > + BaseHashLib|Include/Library/BaseHashLib.h > + > [Guids] > ## Security package token space guid. > # Include/Guid/CryptoPkgTokenSpace.h > gEfiCryptoPkgTokenSpaceGuid =3D { 0xd3fb176, 0x9569, 0x4d51, { 0= xa3, 0xef, > 0x7d, 0x61, 0xc6, 0x4f, 0xea, 0xba }} >=20 > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] > + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF= =20 > +image > + # Based on the value set, the required algorithm is chosen to=20 > +verify > + # the unsigned image during Secure Boot.
> + # The hashing algorithm selected must match the hashing algorithm=20 > +used to > + # hash the image to be added to DB using tools such as KeyEnroll. > + # 0x00000001 - MD4.
> + # 0x00000002 - MD5.
> + # 0x00000003 - SHA1.
> + # 0x00000004 - SHA256.
> + # 0x00000005 - SHA384.
> + # 0x00000006 - SHA512.
> + # 0x00000007 - SM3_256.
> + # @Prompt Set policy for hashing unsigned image for Secure Boot. > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007 > + > gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x00000001 > + > [UserExtensions.TianoCore."ExtraFiles"] > CryptoPkgExtra.uni > diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc index=20 > ec43c1f0a47e..1d2956d20483 100644 > --- a/CryptoPkg/CryptoPkg.dsc > +++ b/CryptoPkg/CryptoPkg.dsc > @@ -1,7 +1,7 @@ > ## @file > # Cryptographic Library Package for UEFI Security Implementation. > # > -# Copyright (c) 2009 - 2018, Intel Corporation. All rights=20 > reserved.
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
> # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -62,9=20 > +62,11 @@ [LibraryClasses.ARM] >=20 > [LibraryClasses.common.PEIM] > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > + BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf >=20 > [LibraryClasses.common.DXE_DRIVER] > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > + BaseHashLib|CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf >=20 > [LibraryClasses.common.DXE_RUNTIME_DRIVER] > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > @@ -120,6 +122,8 @@ [Components] > CryptoPkg/Library/TlsLibNull/TlsLibNull.inf > CryptoPkg/Library/OpensslLib/OpensslLib.inf > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf > + CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf > + CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf >=20 > [Components.IA32, Components.X64] > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > diff --git a/CryptoPkg/CryptoPkg.uni b/CryptoPkg/CryptoPkg.uni index=20 > beb0036ef583..ebbebed4924d 100644 > --- a/CryptoPkg/CryptoPkg.uni > +++ b/CryptoPkg/CryptoPkg.uni > @@ -17,3 +17,20 @@ >=20 >=20 >=20 > +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT > #language en-US "HASH algorithm to verify unsigned PE/COFF image" > + > +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP > #language en-US "This PCD indicates the HASH algorithm to verify=20 > unsigned PE/COFF image.

\n" > + = > + "Based on the value set, the > required algorithm is chosen to verify\n" > + = > + "the unsigned image during > Secure Boot.
\n" > + = > + "The hashing algorithm > selected must match the hashing algorithm used to\n" > + = > + "hash the image to be added > to DB using tools such as KeyEnroll.
\n" > + = "0x00000001 - MD4.
\n" > + = "0x00000002 - MD5.
\n" > + = "0x00000003 - SHA1.
\n" > + = > + "0x00000004 - > SHA256.
\n" > + = > + "0x00000005 - > SHA384.
\n" > + = > + "0x00000006 - > SHA512.
\n" > + = "0x00000007 - SM3.
" > + > + > + > diff --git a/CryptoPkg/Include/Library/BaseHashLib.h > b/CryptoPkg/Include/Library/BaseHashLib.h > new file mode 100644 > index 000000000000..c07e4a9a44aa > --- /dev/null > +++ b/CryptoPkg/Include/Library/BaseHashLib.h > @@ -0,0 +1,85 @@ > +/** @file > + The internal header file includes the common header files, defines > + internal structure and functions used by ImageVerificationLib. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
This program and the accompanying materials are=20 > +licensed and made available under the terms and conditions of the BSD > License > +which accompanies this distribution. The full text of the license=20 > +may be found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,= =20 > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + (7) License is not correct. Use the standard two-clause one. > +**/ > + > +#ifndef __BASEHASHLIB_H_ > +#define __BASEHASHLIB_H_ > + > +#include > + > +typedef UINTN HASH_HANDLE; > + > +// > +// Hash Algorithms > +// > +#define HASH_INVALID 0x00000000 > +#define HASH_MD4 0x00000001 > +#define HASH_MD5 0x00000002 > +#define HASH_SHA1 0x00000003 > +#define HASH_SHA256 0x00000004 > +#define HASH_SHA384 0x00000005 > +#define HASH_SHA512 0x00000006 > +#define HASH_SM3_256 0x00000007 > +#define HASH_MAX 0x00000008 > + > + > +/** > + Init hash sequence. > + > + @param HashHandle Hash handle. > + > + @retval TRUE Hash start and HashHandle returned. > + @retval FALSE Hash Init unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiInit ( > + OUT HASH_HANDLE *HashHandle > +); > + > +/** > + Update hash data. > + > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiUpdate ( > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > +); > + > +/** > + Hash complete. > + > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiFinal ( > + IN HASH_HANDLE HashHandle, > + OUT UINT8 *Digest > +); > + > +#endif > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h > b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h > new file mode 100644 > index 000000000000..b022284d1a27 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibCommon.h > @@ -0,0 +1,72 @@ > +/** @file > + The internal header file includes the common header files, defines > + internal structure and functions used by ImageVerificationLib. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights=20 > +reserved.
This program and the accompanying materials are=20 > +licensed and made available under the terms and conditions of the BSD > License > +which accompanies this distribution. The full text of the license=20 > +may be found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,= =20 > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + > +**/ > + (8) License is not correct. Use the standard two-clause one. > +#ifndef __BASEHASHLIB_COMMON_H_ > +#define __BASEHASHLIB_COMMON_H_ > + > +/** > + Init hash sequence with Hash Algorithm specified by HashPolicy. > + > + @param HashHandle Hash handle. > + > + @retval EFI_SUCCESS Hash start and HashHandle returned. > + @retval EFI_UNSUPPORTED System has no HASH library registered. > +**/ > +BOOLEAN > +EFIAPI > +HashInitInternal ( > + IN UINT8 HashPolicy, > + OUT HASH_HANDLE *HashHandle > + ); > + > +/** > + Hash complete with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashUpdateInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > + ); > + > +/** > + Update hash data with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashFinalInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + OUT UINT8 **Digest > + ); > + > +#endif > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf > b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf > new file mode 100644 > index 000000000000..732c8f0d1f47 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.inf > @@ -0,0 +1,45 @@ > +## @file > +# Provides hash service by registered hash handler # # This library= =20 > +is Base Hash Lib. It will redirect hash request to each individual # > +hash handler registered, such as SHA1, SHA256, SHA384, SM3. > +# > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights=20 > +reserved.
(9) This is new file. The start year should be this year. > +# SPDX-License-Identifier: BSD-2-Clause-Patent # ## > + > +[Defines] > + INF_VERSION =3D 0x00010005 > + BASE_NAME =3D BaseHashLibDxe > + MODULE_UNI_FILE =3D BaseHashLibDxe.uni > + FILE_GUID =3D 158DC712-F15A-44dc-93BB-1675045BE0= 66 > + MODULE_TYPE =3D DXE_DRIVER > + VERSION_STRING =3D 1.0 > + LIBRARY_CLASS =3D BaseHashLib|DXE_DRIVER DXE_RUNTIME= _DRIVER > DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER > + > +# > +# The following information is for reference only and not required by= =20 > +the build > tools. > +# > +# VALID_ARCHITECTURES =3D IA32 X64 > +# > + > +[Sources] > + BaseHashLibCommon.h > + BaseHashLibCommon.c > + BaseHashLibDxe.c > + > +[Packages] > + MdePkg/MdePkg.dec > + CryptoPkg/CryptoPkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + MemoryAllocationLib > + BaseCryptLib > + PcdLib > + > +[Pcd] > + gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni > b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni > new file mode 100644 > index 000000000000..53e025918828 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibDxe.uni > @@ -0,0 +1,17 @@ > +// /** @file > +// Provides hash service by registered hash handler // // This=20 > +library is Unified Hash API. It will redirect hash request to each=20 > +individual // hash handler registered, such as SHA1, SHA256. Platform= =20 > +can use > PcdTpm2HashMask to > +// mask some hash engines. > +// > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights=20 > +reserved.
// (10) This is new file. The start year should be this year. > +// SPDX-License-Identifier: BSD-2-Clause-Patent // // **/ > + > + > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash > service by specified hash handler" > + > +#string STR_MODULE_DESCRIPTION #language en-US "This library i= s > Unified Hash API. It will redirect hash request to the hash handler=20 > specified by PcdSystemHashPolicy." > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf > b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf > new file mode 100644 > index 000000000000..4ff23f88c1c3 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.inf > @@ -0,0 +1,46 @@ > +## @file > +# Provides hash service by registered hash handler # # This library= =20 > +is BaseCrypto router. It will redirect hash request to each > individual > +# hash handler registered, such as SHA1, SHA256, SM3. > +# > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights=20 > +reserved.
(11) This is new file. The start year should be this year. > +# SPDX-License-Identifier: BSD-2-Clause-Patent # ## > + > +[Defines] > + INF_VERSION =3D 0x00010005 > + BASE_NAME =3D BaseHashLibPei > + MODULE_UNI_FILE =3D BaseHashLibPei.uni > + FILE_GUID =3D DDCBCFBA-8EEB-488a-96D6-097831A6E5= 0B > + MODULE_TYPE =3D PEIM > + VERSION_STRING =3D 1.0 > + LIBRARY_CLASS =3D BaseHashLib|PEIM > + > +# > +# The following information is for reference only and not required by= =20 > +the build > tools. > +# > +# VALID_ARCHITECTURES =3D IA32 X64 > +# > + > +[Sources] > + BaseHashLibCommon.h > + BaseHashLibCommon.c > + BaseHashLibPei.c > + > +[Packages] > + MdePkg/MdePkg.dec > + CryptoPkg/CryptoPkg.dec > + MdeModulePkg/MdeModulePkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + MemoryAllocationLib > + BaseCryptLib > + PcdLib > + > +[Pcd] > + gEfiCryptoPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES > diff --git a/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni > b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni > new file mode 100644 > index 000000000000..a1abcc1cdfa0 > --- /dev/null > +++ b/CryptoPkg/Library/BaseHashLib/BaseHashLibPei.uni > @@ -0,0 +1,16 @@ > +// /** @file > +// Provides hash service by registered hash handler // // This=20 > +library is Unified Hash API. It will redirect hash request to each=20 > +individual // hash handler registered, such as SHA1, SHA256. > +// > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights=20 > +reserved.
(12) This is new file. The start year should be this year. > +// > +// SPDX-License-Identifier: BSD-2-Clause-Patent // // **/ > + > + > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash > service by specified hash handler" > + > +#string STR_MODULE_DESCRIPTION #language en-US "This library i= s > Unified Hash API. It will redirect hash request to the hash handler=20 > specified by PcdSystemHashPolicy." > -- > 2.16.2.windows.1 >=20 >=20 >=20