* [Patch v10 0/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
@ 2020-02-03 23:35 Michael D Kinney
2020-02-03 23:35 ` [Patch v10 1/2] CryptoPkg: Add CryptoPkg Token Space GUID Michael D Kinney
2020-02-03 23:35 ` [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API Michael D Kinney
0 siblings, 2 replies; 20+ messages in thread
From: Michael D Kinney @ 2020-02-03 23:35 UTC (permalink / raw)
To: devel
https://bugzilla.tianocore.org/show_bug.cgi?id=2151
Currently, the UEFI drivers using the SHA/SM3 hashing algorithms use hard-coded
API to calculate the hash, for instance, sha_256(...), etc. Since SHA384 and/or
SM3_256 are being increasingly adopted for robustness, it becomes cumbersome to
modify each driver that calls into hash calculating API.
To better achieve this, we are proposing a Unified API, which can be used by UEFI
drivers, that provides the drivers with flexibility to use the desired hashing
algorithm based on the required robnustness.
Alternatively, the design document is also attached to Bugzilla,
https://bugzilla.tianocore.org/show_bug.cgi?id=2151
Cc: Jiewen Yao jiewen.yao@intel.com
Cc: Jian J Wang jian.j.wang@intel.com
Cc: Michael D Kinney michael.d.kinney@intel.com
Signed-off-by: Amol N Sukerkar amol.n.sukerkar@intel.com
Amol N Sukerkar (2):
CryptoPkg: Add CryptoPkg Token Space GUID
CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
CryptoPkg/CryptoPkg.dec | 26 +-
CryptoPkg/CryptoPkg.dsc | 4 +-
CryptoPkg/CryptoPkg.uni | 18 +-
CryptoPkg/Include/Library/HashApiLib.h | 122 +++++++
.../Library/BaseHashApiLib/BaseHashApiLib.c | 330 ++++++++++++++++++
.../Library/BaseHashApiLib/BaseHashApiLib.inf | 44 +++
.../Library/BaseHashApiLib/BaseHashApiLib.uni | 17 +
7 files changed, 558 insertions(+), 3 deletions(-)
create mode 100644 CryptoPkg/Include/Library/HashApiLib.h
create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
--
2.21.0.windows.1
^ permalink raw reply [flat|nested] 20+ messages in thread
* [Patch v10 1/2] CryptoPkg: Add CryptoPkg Token Space GUID
2020-02-03 23:35 [Patch v10 0/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API Michael D Kinney
@ 2020-02-03 23:35 ` Michael D Kinney
2020-02-03 23:35 ` [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API Michael D Kinney
1 sibling, 0 replies; 20+ messages in thread
From: Michael D Kinney @ 2020-02-03 23:35 UTC (permalink / raw)
To: devel; +Cc: Amol N Sukerkar, Jiewen Yao, Jian J Wang
From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2151
Added CryptoPkg Token Space GUID to be able to define PCDs.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
---
CryptoPkg/CryptoPkg.dec | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
index 08bedd57da..41af6e879e 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -4,7 +4,7 @@
# This Package provides cryptographic-related libraries for UEFI security modules.
# It also provides a test application to test libraries.
#
-# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
@@ -33,5 +33,9 @@ [LibraryClasses]
##
TlsLib|Include/Library/TlsLib.h
+[Guids]
+ ## Crypto package token space guid.
+ gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60, 0x9ef7, 0x4899, { 0x97, 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
+
[UserExtensions.TianoCore."ExtraFiles"]
CryptoPkgExtra.uni
--
2.21.0.windows.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-03 23:35 [Patch v10 0/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API Michael D Kinney
2020-02-03 23:35 ` [Patch v10 1/2] CryptoPkg: Add CryptoPkg Token Space GUID Michael D Kinney
@ 2020-02-03 23:35 ` Michael D Kinney
2020-02-04 2:53 ` Yao, Jiewen
2020-02-05 11:00 ` [edk2-devel] " Laszlo Ersek
1 sibling, 2 replies; 20+ messages in thread
From: Michael D Kinney @ 2020-02-03 23:35 UTC (permalink / raw)
To: devel; +Cc: Amol N Sukerkar, Jiewen Yao, Jian J Wang
From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2151
This commit introduces a Unified Hash API to calculate hash using a
hashing algorithm specified by the PCD, PcdHashApiLibPolicy. This library
interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate
the desired hash by setting PcdHashApiLibPolicy to appropriate value.
This feature is documented in the Bugzilla,
https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
---
CryptoPkg/CryptoPkg.dec | 20 ++
CryptoPkg/CryptoPkg.dsc | 4 +-
CryptoPkg/CryptoPkg.uni | 18 +-
CryptoPkg/Include/Library/HashApiLib.h | 122 +++++++
.../Library/BaseHashApiLib/BaseHashApiLib.c | 330 ++++++++++++++++++
.../Library/BaseHashApiLib/BaseHashApiLib.inf | 44 +++
.../Library/BaseHashApiLib/BaseHashApiLib.uni | 17 +
7 files changed, 553 insertions(+), 2 deletions(-)
create mode 100644 CryptoPkg/Include/Library/HashApiLib.h
create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
index 41af6e879e..8ad0fb5d61 100644
--- a/CryptoPkg/CryptoPkg.dec
+++ b/CryptoPkg/CryptoPkg.dec
@@ -33,9 +33,29 @@ [LibraryClasses]
##
TlsLib|Include/Library/TlsLib.h
+ ## @libraryclass Provides Unified API for different hash implementations.
+ #
+ HashApiLib|Include/Library/HashApiLib.h
+
[Guids]
## Crypto package token space guid.
gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60, 0x9ef7, 0x4899, { 0x97, 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
+[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+ ## This PCD indicates the HASH algorithm to calculate hash of data
+ # Based on the value set, the required algorithm is chosen to calculate
+ # the hash of data.<BR>
+ # The default hashing algorithm for BaseHashApiLib is set to SHA256.<BR>
+ # 0x00000001 - MD4.<BR>
+ # 0x00000002 - MD5.<BR>
+ # 0x00000003 - SHA1.<BR>
+ # 0x00000004 - SHA256.<BR>
+ # 0x00000005 - SHA384.<BR>
+ # 0x00000006 - SHA512.<BR>
+ # 0x00000007 - SM3_256.<BR>
+ # @Prompt Set policy for hashing unsigned image for Secure Boot.
+ # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
+ gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UINT8|0x00000001
+
[UserExtensions.TianoCore."ExtraFiles"]
CryptoPkgExtra.uni
diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index ec43c1f0a4..9656a73b3c 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -1,7 +1,7 @@
## @file
# Cryptographic Library Package for UEFI Security Implementation.
#
-# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
@@ -44,6 +44,7 @@ [LibraryClasses]
IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+ HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
[LibraryClasses.ARM, LibraryClasses.AARCH64]
#
@@ -120,6 +121,7 @@ [Components]
CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
CryptoPkg/Library/OpensslLib/OpensslLib.inf
CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+ CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
[Components.IA32, Components.X64]
CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
diff --git a/CryptoPkg/CryptoPkg.uni b/CryptoPkg/CryptoPkg.uni
index beb0036ef5..0dae4c4045 100644
--- a/CryptoPkg/CryptoPkg.uni
+++ b/CryptoPkg/CryptoPkg.uni
@@ -4,7 +4,7 @@
// This Package provides cryptographic-related libraries for UEFI security modules.
// It also provides a test application to test libraries.
//
-// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
//
// SPDX-License-Identifier: BSD-2-Clause-Patent
//
@@ -17,3 +17,19 @@
+#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PROMPT #language en-US "HASH algorithm to calculate hash"
+
+#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HELP #language en-US "This PCD indicates the HASH algorithm to calculate hash of data.<BR><BR>\n"
+ "Based on the value set, the required algorithm is chosen to calculate\n"
+ "the hash of data.<BR>\n"
+ "The default hashing algorithm for BaseHashApiLib is set to SHA256.<BR>\n"
+ "0x00000001 - MD4.<BR>\n"
+ "0x00000002 - MD5.<BR>\n"
+ "0x00000003 - SHA1.<BR>\n"
+ "0x00000004 - SHA256.<BR>\n"
+ "0x00000005 - SHA384.<BR>\n"
+ "0x00000006 - SHA512.<BR>\n"
+ "0x00000007 - SM3.<BR>"
+
+
+
diff --git a/CryptoPkg/Include/Library/HashApiLib.h b/CryptoPkg/Include/Library/HashApiLib.h
new file mode 100644
index 0000000000..22068e5a17
--- /dev/null
+++ b/CryptoPkg/Include/Library/HashApiLib.h
@@ -0,0 +1,122 @@
+/** @file
+ Unified Hash API Defines
+
+ This API when called will calculate the Hash using the
+ hashing algorithm specified by PcdHashApiLibPolicy.
+
+ Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __BASEHASHAPILIB_H_
+#define __BASEHASHAPILIB_H_
+
+typedef VOID *HASH_API_CONTEXT;
+
+//
+// Hash Algorithms
+//
+#define HASH_API_ALGO_INVALID 0x00000000
+#define HASH_API_ALGO_MD4 0x00000001
+#define HASH_API_ALGO_MD5 0x00000002
+#define HASH_API_ALGO_SHA1 0x00000003
+#define HASH_API_ALGO_SHA256 0x00000004
+#define HASH_API_ALGO_SHA384 0x00000005
+#define HASH_API_ALGO_SHA512 0x00000006
+#define HASH_API_ALGO_SM3_256 0x00000007
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for hash operations.
+
+ @return The size, in bytes, of the context buffer required for hash operations.
+**/
+UINTN
+EFIAPI
+HashApiGetContextSize (
+ VOID
+ );
+
+/**
+ Init hash sequence.
+
+ @param[out] HashContext Hash context.
+
+ @retval TRUE Hash start and HashHandle returned.
+ @retval FALSE Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+ OUT HASH_API_CONTEXT HashContext
+ );
+
+/**
+ Makes a copy of an existing hash context.
+
+ @param[in] HashContext Hash context.
+ @param[out] NewHashContext New copy of hash context.
+
+ @retval TRUE Hash context copy succeeded.
+ @retval FALSE Hash context copy failed.
+**/
+BOOLEAN
+EFIAPI
+HashApiDuplicate (
+ IN HASH_API_CONTEXT HashContext,
+ OUT HASH_API_CONTEXT NewHashContext
+ );
+
+/**
+ Update hash data.
+
+ @param[in] HashContext Hash context.
+ @param[in] DataToHash Data to be hashed.
+ @param[in] DataToHashLen Data size.
+
+ @retval TRUE Hash updated.
+ @retval FALSE Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+ IN HASH_API_CONTEXT HashContext,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+ );
+
+/**
+ Hash complete.
+
+ @param[in] HashContext Hash context.
+ @param[out] Digest Hash Digest.
+
+ @retval TRUE Hash complete and Digest is returned.
+ @retval FALSE Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+ IN HASH_API_CONTEXT HashContext,
+ OUT UINT8 *Digest
+ );
+
+/**
+ Computes hash message digest of a input data buffer.
+
+ @param[in] DataToHash Data to be hashed.
+ @param[in] DataToHashLen Data size.
+ @param[out] Digest Hash Digest.
+
+ @retval TRUE Hash digest computation succeeded.
+ @retval FALSE Hash digest computation failed.
+**/
+BOOLEAN
+EFIAPI
+HashApiHashAll (
+ IN CONST VOID *DataToHash,
+ IN UINTN DataToHashLen,
+ OUT UINT8 *Digest
+ );
+
+#endif
diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
new file mode 100644
index 0000000000..277ef9f0b4
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
@@ -0,0 +1,330 @@
+/** @file
+ Unified Hash API Implementation
+
+ This file implements the Unified Hash API.
+
+ This API, when called, will calculate the Hash using the
+ hashing algorithm specified by PcdHashApiLibPolicy.
+
+ Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Base.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/BaseCryptLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashApiLib.h>
+
+/**
+ Retrieves the size, in bytes, of the context buffer required for hash operations.
+
+ @return The size, in bytes, of the context buffer required for hash operations.
+**/
+UINTN
+EFIAPI
+HashApiGetContextSize (
+ VOID
+ )
+{
+ switch (PcdGet8 (PcdHashApiLibPolicy)) {
+ case HASH_API_ALGO_MD4:
+ return Md4GetContextSize ();
+ break;
+
+ case HASH_API_ALGO_MD5:
+ return Md5GetContextSize ();
+ break;
+
+ case HASH_API_ALGO_SHA1:
+ return Sha1GetContextSize ();
+ break;
+
+ case HASH_API_ALGO_SHA256:
+ return Sha256GetContextSize ();
+ break;
+
+ case HASH_API_ALGO_SHA384:
+ return Sha384GetContextSize ();
+ break;
+
+ case HASH_API_ALGO_SHA512:
+ return Sha512GetContextSize ();
+ break;
+
+ case HASH_API_ALGO_SM3_256:
+ return Sm3GetContextSize ();
+ break;
+
+ default:
+ ASSERT (FALSE);
+ return 0;
+ break;
+ }
+}
+
+/**
+ Init hash sequence.
+
+ @param[out] HashContext Hash context.
+
+ @retval TRUE Hash start and HashHandle returned.
+ @retval FALSE Hash Init unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiInit (
+ OUT HASH_API_CONTEXT HashContext
+ )
+{
+ switch (PcdGet8 (PcdHashApiLibPolicy)) {
+ case HASH_API_ALGO_MD4:
+ return Md4Init (HashContext);
+ break;
+
+ case HASH_API_ALGO_MD5:
+ return Md5Init (HashContext);
+ break;
+
+ case HASH_API_ALGO_SHA1:
+ return Sha1Init (HashContext);
+ break;
+
+ case HASH_API_ALGO_SHA256:
+ return Sha256Init (HashContext);
+ break;
+
+ case HASH_API_ALGO_SHA384:
+ return Sha384Init (HashContext);
+ break;
+
+ case HASH_API_ALGO_SHA512:
+ return Sha512Init (HashContext);
+ break;
+
+ case HASH_API_ALGO_SM3_256:
+ return Sm3Init (HashContext);
+ break;
+
+ default:
+ ASSERT (FALSE);
+ return FALSE;
+ break;
+ }
+}
+
+/**
+ Makes a copy of an existing hash context.
+
+ @param[in] HashContext Hash context.
+ @param[out] NewHashContext New copy of hash context.
+
+ @retval TRUE Hash context copy succeeded.
+ @retval FALSE Hash context copy failed.
+**/
+BOOLEAN
+EFIAPI
+HashApiDuplicate (
+ IN HASH_API_CONTEXT HashContext,
+ OUT HASH_API_CONTEXT NewHashContext
+ )
+{
+ switch (PcdGet8 (PcdHashApiLibPolicy)) {
+ case HASH_API_ALGO_MD4:
+ return Md4Duplicate (HashContext, NewHashContext);
+ break;
+
+ case HASH_API_ALGO_MD5:
+ return Md5Duplicate (HashContext, NewHashContext);
+ break;
+
+ case HASH_API_ALGO_SHA1:
+ return Sha1Duplicate (HashContext, NewHashContext);
+ break;
+
+ case HASH_API_ALGO_SHA256:
+ return Sha256Duplicate (HashContext, NewHashContext);
+ break;
+
+ case HASH_API_ALGO_SHA384:
+ return Sha384Duplicate (HashContext, NewHashContext);
+ break;
+
+ case HASH_API_ALGO_SHA512:
+ return Sha512Duplicate (HashContext, NewHashContext);
+ break;
+
+ case HASH_API_ALGO_SM3_256:
+ return Sm3Duplicate (HashContext, NewHashContext);
+ break;
+
+ default:
+ ASSERT (FALSE);
+ return FALSE;
+ break;
+ }
+}
+
+/**
+ Update hash data.
+
+ @param[in] HashContext Hash context.
+ @param[in] DataToHash Data to be hashed.
+ @param[in] DataToHashLen Data size.
+
+ @retval TRUE Hash updated.
+ @retval FALSE Hash updated unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiUpdate (
+ IN HASH_API_CONTEXT HashContext,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+ )
+{
+ switch (PcdGet8 (PcdHashApiLibPolicy)) {
+ case HASH_API_ALGO_MD4:
+ return Md4Update (HashContext, DataToHash, DataToHashLen);
+ break;
+
+ case HASH_API_ALGO_MD5:
+ return Md5Update (HashContext, DataToHash, DataToHashLen);
+ break;
+
+ case HASH_API_ALGO_SHA1:
+ return Sha1Update (HashContext, DataToHash, DataToHashLen);
+ break;
+
+ case HASH_API_ALGO_SHA256:
+ return Sha256Update (HashContext, DataToHash, DataToHashLen);
+ break;
+
+ case HASH_API_ALGO_SHA384:
+ return Sha384Update (HashContext, DataToHash, DataToHashLen);
+ break;
+
+ case HASH_API_ALGO_SHA512:
+ return Sha512Update (HashContext, DataToHash, DataToHashLen);
+ break;
+
+ case HASH_API_ALGO_SM3_256:
+ return Sm3Update (HashContext, DataToHash, DataToHashLen);
+ break;
+
+ default:
+ ASSERT (FALSE);
+ return FALSE;
+ break;
+ }
+}
+
+/**
+ Hash complete.
+
+ @param[in] HashContext Hash context.
+ @param[out] Digest Hash Digest.
+
+ @retval TRUE Hash complete and Digest is returned.
+ @retval FALSE Hash complete unsuccessful.
+**/
+BOOLEAN
+EFIAPI
+HashApiFinal (
+ IN HASH_API_CONTEXT HashContext,
+ OUT UINT8 *Digest
+ )
+{
+ switch (PcdGet8 (PcdHashApiLibPolicy)) {
+ case HASH_API_ALGO_MD4:
+ return Md4Final (HashContext, Digest);
+ break;
+
+ case HASH_API_ALGO_MD5:
+ return Md5Final (HashContext, Digest);
+ break;
+
+ case HASH_API_ALGO_SHA1:
+ return Sha1Final (HashContext, Digest);
+ break;
+
+ case HASH_API_ALGO_SHA256:
+ return Sha256Final (HashContext, Digest);
+ break;
+
+ case HASH_API_ALGO_SHA384:
+ return Sha384Final (HashContext, Digest);
+ break;
+
+ case HASH_API_ALGO_SHA512:
+ return Sha512Final (HashContext, Digest);
+ break;
+
+ case HASH_API_ALGO_SM3_256:
+ return Sm3Final (HashContext, Digest);
+ break;
+
+ default:
+ ASSERT (FALSE);
+ return FALSE;
+ break;
+ }
+}
+
+/**
+ Computes hash message digest of a input data buffer.
+
+ @param[in] DataToHash Data to be hashed.
+ @param[in] DataToHashLen Data size.
+ @param[out] Digest Hash Digest.
+
+ @retval TRUE Hash digest computation succeeded.
+ @retval FALSE Hash digest computation failed.
+**/
+BOOLEAN
+EFIAPI
+HashApiHashAll (
+ IN CONST VOID *DataToHash,
+ IN UINTN DataToHashLen,
+ OUT UINT8 *Digest
+ )
+{
+ switch (PcdGet8 (PcdHashApiLibPolicy)) {
+ case HASH_API_ALGO_MD4:
+ return Md4HashAll (DataToHash, DataToHashLen, Digest);
+ break;
+
+ case HASH_API_ALGO_MD5:
+ return Md5HashAll (DataToHash, DataToHashLen, Digest);
+ break;
+
+ case HASH_API_ALGO_SHA1:
+ return Sha1HashAll (DataToHash, DataToHashLen, Digest);
+ break;
+
+ case HASH_API_ALGO_SHA256:
+ return Sha256HashAll (DataToHash, DataToHashLen, Digest);
+ break;
+
+ case HASH_API_ALGO_SHA384:
+ return Sha384HashAll (DataToHash, DataToHashLen, Digest);
+ break;
+
+ case HASH_API_ALGO_SHA512:
+ return Sha512HashAll (DataToHash, DataToHashLen, Digest);
+ break;
+
+ case HASH_API_ALGO_SM3_256:
+ return Sm3HashAll (DataToHash, DataToHashLen, Digest);
+ break;
+
+ default:
+ ASSERT (FALSE);
+ return FALSE;
+ break;
+ }
+}
diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
new file mode 100644
index 0000000000..b4d8675ddd
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
@@ -0,0 +1,44 @@
+## @file
+# Provides Unified API for Hash Calculation
+#
+# This library is BaseHashApiLib. It will redirect hash request to
+# each individual hash API, such as SHA1, SHA256, SHA384, SM3 based
+# on hashing algorithm specified by PcdHashApiLibPolicy.
+#
+# Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = BaseHashApiLib
+ MODULE_UNI_FILE = BaseHashApiLib.uni
+ FILE_GUID = B1E566DD-DE7C-4F04-BDA0-B1295D3BE927
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = BaseHashApiLib
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ BaseHashApiLib.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ BaseCryptLib
+ PcdLib
+
+[Pcd]
+ gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy ## CONSUMES
diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
new file mode 100644
index 0000000000..49ba82e86f
--- /dev/null
+++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
@@ -0,0 +1,17 @@
+// /** @file
+// Provides Unified API for Hash Calculation
+//
+// This library is BaseHashApiLib. It will redirect hash request to
+// each individual hash API, such as SHA1, SHA256, SHA384, SM3 based
+// on hashing algorithm specified by PcdHashApiLibPolicy.
+//
+// Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides hash service by specified hash handler"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This library is Unified Hash API. It will redirect hash request to the hash handler specified by PcdHashApiLibPolicy."
--
2.21.0.windows.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* Re: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-03 23:35 ` [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API Michael D Kinney
@ 2020-02-04 2:53 ` Yao, Jiewen
2020-02-04 5:24 ` [edk2-devel] " Zhang, Chao B
2020-02-04 16:26 ` Michael D Kinney
2020-02-05 11:00 ` [edk2-devel] " Laszlo Ersek
1 sibling, 2 replies; 20+ messages in thread
From: Yao, Jiewen @ 2020-02-04 2:53 UTC (permalink / raw)
To: Kinney, Michael D, devel@edk2.groups.io; +Cc: Sukerkar, Amol N, Wang, Jian J
Thanks Mike, to cover us during Chinese New Year holiday.
I am just back from vocation. A minor comment:
The PcdHashApiLibPolicy is UINT8, but the value is shown as 32bit 0x00000004.
There are couple of ways to enhance:
1) Define UINT8, and use 8bit style 0x04.
2) Define UINT32, and use 32bit style 0x00000004.
3) Define UINT16 (match TCG definition), and use TCG defined value. (Tpm20.h)
#define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
#define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
#define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
#define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
#define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
MD4 and MD5 are known as insecure and deprecated. I doubt if we want to add such support. (I strong recommend NO).
If we can remove MD4 and MD5, I think we can use #3.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Kinney, Michael D <michael.d.kinney@intel.com>
> Sent: Tuesday, February 4, 2020 7:36 AM
> To: devel@edk2.groups.io
> Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>
> Subject: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash
> Calculation API
>
> From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=2151
>
> This commit introduces a Unified Hash API to calculate hash using a
> hashing algorithm specified by the PCD, PcdHashApiLibPolicy. This library
> interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
> SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate
> the desired hash by setting PcdHashApiLibPolicy to appropriate value.
>
> This feature is documented in the Bugzilla,
> https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com>
> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
> ---
> CryptoPkg/CryptoPkg.dec | 20 ++
> CryptoPkg/CryptoPkg.dsc | 4 +-
> CryptoPkg/CryptoPkg.uni | 18 +-
> CryptoPkg/Include/Library/HashApiLib.h | 122 +++++++
> .../Library/BaseHashApiLib/BaseHashApiLib.c | 330 ++++++++++++++++++
> .../Library/BaseHashApiLib/BaseHashApiLib.inf | 44 +++
> .../Library/BaseHashApiLib/BaseHashApiLib.uni | 17 +
> 7 files changed, 553 insertions(+), 2 deletions(-)
> create mode 100644 CryptoPkg/Include/Library/HashApiLib.h
> create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
>
> diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
> index 41af6e879e..8ad0fb5d61 100644
> --- a/CryptoPkg/CryptoPkg.dec
> +++ b/CryptoPkg/CryptoPkg.dec
> @@ -33,9 +33,29 @@ [LibraryClasses]
> ##
> TlsLib|Include/Library/TlsLib.h
>
> + ## @libraryclass Provides Unified API for different hash implementations.
> + #
> + HashApiLib|Include/Library/HashApiLib.h
> +
> [Guids]
> ## Crypto package token space guid.
> gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60, 0x9ef7, 0x4899, { 0x97,
> 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
>
> +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
> + ## This PCD indicates the HASH algorithm to calculate hash of data
> + # Based on the value set, the required algorithm is chosen to calculate
> + # the hash of data.<BR>
> + # The default hashing algorithm for BaseHashApiLib is set to SHA256.<BR>
> + # 0x00000001 - MD4.<BR>
> + # 0x00000002 - MD5.<BR>
> + # 0x00000003 - SHA1.<BR>
> + # 0x00000004 - SHA256.<BR>
> + # 0x00000005 - SHA384.<BR>
> + # 0x00000006 - SHA512.<BR>
> + # 0x00000007 - SM3_256.<BR>
> + # @Prompt Set policy for hashing unsigned image for Secure Boot.
> + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UINT8|0x00000001
> +
> [UserExtensions.TianoCore."ExtraFiles"]
> CryptoPkgExtra.uni
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index ec43c1f0a4..9656a73b3c 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -1,7 +1,7 @@
> ## @file
> # Cryptographic Library Package for UEFI Security Implementation.
> #
> -# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> #
> ##
> @@ -44,6 +44,7 @@ [LibraryClasses]
>
> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> + HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
>
> [LibraryClasses.ARM, LibraryClasses.AARCH64]
> #
> @@ -120,6 +121,7 @@ [Components]
> CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> CryptoPkg/Library/OpensslLib/OpensslLib.inf
> CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> + CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
>
> [Components.IA32, Components.X64]
> CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> diff --git a/CryptoPkg/CryptoPkg.uni b/CryptoPkg/CryptoPkg.uni
> index beb0036ef5..0dae4c4045 100644
> --- a/CryptoPkg/CryptoPkg.uni
> +++ b/CryptoPkg/CryptoPkg.uni
> @@ -4,7 +4,7 @@
> // This Package provides cryptographic-related libraries for UEFI security
> modules.
> // It also provides a test application to test libraries.
> //
> -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> //
> // SPDX-License-Identifier: BSD-2-Clause-Patent
> //
> @@ -17,3 +17,19 @@
>
>
>
> +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PROMPT
> #language en-US "HASH algorithm to calculate hash"
> +
> +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HELP
> #language en-US "This PCD indicates the HASH algorithm to calculate hash of
> data.<BR><BR>\n"
> + "Based on the value set, the
> required algorithm is chosen to calculate\n"
> + "the hash of data.<BR>\n"
> + "The default hashing algorithm
> for BaseHashApiLib is set to SHA256.<BR>\n"
> + "0x00000001 - MD4.<BR>\n"
> + "0x00000002 - MD5.<BR>\n"
> + "0x00000003 - SHA1.<BR>\n"
> + "0x00000004 -
> SHA256.<BR>\n"
> + "0x00000005 -
> SHA384.<BR>\n"
> + "0x00000006 -
> SHA512.<BR>\n"
> + "0x00000007 - SM3.<BR>"
> +
> +
> +
> diff --git a/CryptoPkg/Include/Library/HashApiLib.h
> b/CryptoPkg/Include/Library/HashApiLib.h
> new file mode 100644
> index 0000000000..22068e5a17
> --- /dev/null
> +++ b/CryptoPkg/Include/Library/HashApiLib.h
> @@ -0,0 +1,122 @@
> +/** @file
> + Unified Hash API Defines
> +
> + This API when called will calculate the Hash using the
> + hashing algorithm specified by PcdHashApiLibPolicy.
> +
> + Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
> + SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef __BASEHASHAPILIB_H_
> +#define __BASEHASHAPILIB_H_
> +
> +typedef VOID *HASH_API_CONTEXT;
> +
> +//
> +// Hash Algorithms
> +//
> +#define HASH_API_ALGO_INVALID 0x00000000
> +#define HASH_API_ALGO_MD4 0x00000001
> +#define HASH_API_ALGO_MD5 0x00000002
> +#define HASH_API_ALGO_SHA1 0x00000003
> +#define HASH_API_ALGO_SHA256 0x00000004
> +#define HASH_API_ALGO_SHA384 0x00000005
> +#define HASH_API_ALGO_SHA512 0x00000006
> +#define HASH_API_ALGO_SM3_256 0x00000007
> +
> +/**
> + Retrieves the size, in bytes, of the context buffer required for hash operations.
> +
> + @return The size, in bytes, of the context buffer required for hash operations.
> +**/
> +UINTN
> +EFIAPI
> +HashApiGetContextSize (
> + VOID
> + );
> +
> +/**
> + Init hash sequence.
> +
> + @param[out] HashContext Hash context.
> +
> + @retval TRUE Hash start and HashHandle returned.
> + @retval FALSE Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> + OUT HASH_API_CONTEXT HashContext
> + );
> +
> +/**
> + Makes a copy of an existing hash context.
> +
> + @param[in] HashContext Hash context.
> + @param[out] NewHashContext New copy of hash context.
> +
> + @retval TRUE Hash context copy succeeded.
> + @retval FALSE Hash context copy failed.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiDuplicate (
> + IN HASH_API_CONTEXT HashContext,
> + OUT HASH_API_CONTEXT NewHashContext
> + );
> +
> +/**
> + Update hash data.
> +
> + @param[in] HashContext Hash context.
> + @param[in] DataToHash Data to be hashed.
> + @param[in] DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> + IN HASH_API_CONTEXT HashContext,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> + );
> +
> +/**
> + Hash complete.
> +
> + @param[in] HashContext Hash context.
> + @param[out] Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> + IN HASH_API_CONTEXT HashContext,
> + OUT UINT8 *Digest
> + );
> +
> +/**
> + Computes hash message digest of a input data buffer.
> +
> + @param[in] DataToHash Data to be hashed.
> + @param[in] DataToHashLen Data size.
> + @param[out] Digest Hash Digest.
> +
> + @retval TRUE Hash digest computation succeeded.
> + @retval FALSE Hash digest computation failed.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiHashAll (
> + IN CONST VOID *DataToHash,
> + IN UINTN DataToHashLen,
> + OUT UINT8 *Digest
> + );
> +
> +#endif
> diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> new file mode 100644
> index 0000000000..277ef9f0b4
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> @@ -0,0 +1,330 @@
> +/** @file
> + Unified Hash API Implementation
> +
> + This file implements the Unified Hash API.
> +
> + This API, when called, will calculate the Hash using the
> + hashing algorithm specified by PcdHashApiLibPolicy.
> +
> + Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
> + SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Base.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/BaseCryptLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/PcdLib.h>
> +#include <Library/HashApiLib.h>
> +
> +/**
> + Retrieves the size, in bytes, of the context buffer required for hash operations.
> +
> + @return The size, in bytes, of the context buffer required for hash operations.
> +**/
> +UINTN
> +EFIAPI
> +HashApiGetContextSize (
> + VOID
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3GetContextSize ();
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return 0;
> + break;
> + }
> +}
> +
> +/**
> + Init hash sequence.
> +
> + @param[out] HashContext Hash context.
> +
> + @retval TRUE Hash start and HashHandle returned.
> + @retval FALSE Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> + OUT HASH_API_CONTEXT HashContext
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3Init (HashContext);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> +
> +/**
> + Makes a copy of an existing hash context.
> +
> + @param[in] HashContext Hash context.
> + @param[out] NewHashContext New copy of hash context.
> +
> + @retval TRUE Hash context copy succeeded.
> + @retval FALSE Hash context copy failed.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiDuplicate (
> + IN HASH_API_CONTEXT HashContext,
> + OUT HASH_API_CONTEXT NewHashContext
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3Duplicate (HashContext, NewHashContext);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> +
> +/**
> + Update hash data.
> +
> + @param[in] HashContext Hash context.
> + @param[in] DataToHash Data to be hashed.
> + @param[in] DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> + IN HASH_API_CONTEXT HashContext,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> +
> +/**
> + Hash complete.
> +
> + @param[in] HashContext Hash context.
> + @param[out] Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> + IN HASH_API_CONTEXT HashContext,
> + OUT UINT8 *Digest
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3Final (HashContext, Digest);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> +
> +/**
> + Computes hash message digest of a input data buffer.
> +
> + @param[in] DataToHash Data to be hashed.
> + @param[in] DataToHashLen Data size.
> + @param[out] Digest Hash Digest.
> +
> + @retval TRUE Hash digest computation succeeded.
> + @retval FALSE Hash digest computation failed.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiHashAll (
> + IN CONST VOID *DataToHash,
> + IN UINTN DataToHashLen,
> + OUT UINT8 *Digest
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> new file mode 100644
> index 0000000000..b4d8675ddd
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> @@ -0,0 +1,44 @@
> +## @file
> +# Provides Unified API for Hash Calculation
> +#
> +# This library is BaseHashApiLib. It will redirect hash request to
> +# each individual hash API, such as SHA1, SHA256, SHA384, SM3 based
> +# on hashing algorithm specified by PcdHashApiLibPolicy.
> +#
> +# Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION = 0x00010005
> + BASE_NAME = BaseHashApiLib
> + MODULE_UNI_FILE = BaseHashApiLib.uni
> + FILE_GUID = B1E566DD-DE7C-4F04-BDA0-B1295D3BE927
> + MODULE_TYPE = BASE
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = BaseHashApiLib
> +
> +#
> +# The following information is for reference only and not required by the build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64
> +#
> +
> +[Sources]
> + BaseHashApiLib.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> + MemoryAllocationLib
> + BaseCryptLib
> + PcdLib
> +
> +[Pcd]
> + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy ## CONSUMES
> diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> new file mode 100644
> index 0000000000..49ba82e86f
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> @@ -0,0 +1,17 @@
> +// /** @file
> +// Provides Unified API for Hash Calculation
> +//
> +// This library is BaseHashApiLib. It will redirect hash request to
> +// each individual hash API, such as SHA1, SHA256, SHA384, SM3 based
> +// on hashing algorithm specified by PcdHashApiLibPolicy.
> +//
> +// Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
> +
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler specified by
> PcdHashApiLibPolicy."
> --
> 2.21.0.windows.1
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [edk2-devel] [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-04 2:53 ` Yao, Jiewen
@ 2020-02-04 5:24 ` Zhang, Chao B
2020-02-04 16:29 ` Michael D Kinney
2020-02-04 16:26 ` Michael D Kinney
1 sibling, 1 reply; 20+ messages in thread
From: Zhang, Chao B @ 2020-02-04 5:24 UTC (permalink / raw)
To: devel@edk2.groups.io, Yao, Jiewen, Kinney, Michael D
Cc: Sukerkar, Amol N, Wang, Jian J
[-- Attachment #1: Type: text/plain, Size: 23756 bytes --]
Comply with gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask is better.
We can append new definition after existing one.
#define HASH_ALG_SHA1 0x00000001
#define HASH_ALG_SHA256 0x00000002
#define HASH_ALG_SHA384 0x00000004
#define HASH_ALG_SHA512 0x00000008
#define HASH_ALG_SM3_256 0x00000010
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
Sent: Tuesday, February 4, 2020 10:54 AM
To: Kinney, Michael D <michael.d.kinney@intel.com>; devel@edk2.groups.io
Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Wang, Jian J <jian.j.wang@intel.com>
Subject: Re: [edk2-devel] [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
Thanks Mike, to cover us during Chinese New Year holiday.
I am just back from vocation. A minor comment:
The PcdHashApiLibPolicy is UINT8, but the value is shown as 32bit 0x00000004.
There are couple of ways to enhance:
1) Define UINT8, and use 8bit style 0x04.
2) Define UINT32, and use 32bit style 0x00000004.
3) Define UINT16 (match TCG definition), and use TCG defined value. (Tpm20.h)
#define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
#define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
#define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
#define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
#define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
MD4 and MD5 are known as insecure and deprecated. I doubt if we want to add such support. (I strong recommend NO).
If we can remove MD4 and MD5, I think we can use #3.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
> Sent: Tuesday, February 4, 2020 7:36 AM
> To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
> Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com<mailto:amol.n.sukerkar@intel.com>>; Yao, Jiewen
> <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>; Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
> Subject: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash
> Calculation API
>
> From: Amol N Sukerkar <amol.n.sukerkar@intel.com<mailto:amol.n.sukerkar@intel.com>>
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=2151
>
> This commit introduces a Unified Hash API to calculate hash using a
> hashing algorithm specified by the PCD, PcdHashApiLibPolicy. This library
> interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
> SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate
> the desired hash by setting PcdHashApiLibPolicy to appropriate value.
>
> This feature is documented in the Bugzilla,
> https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Cc: Jian J Wang <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
> Cc: Michael D Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
> Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com<mailto:amol.n.sukerkar@intel.com>>
> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
> ---
> CryptoPkg/CryptoPkg.dec | 20 ++
> CryptoPkg/CryptoPkg.dsc | 4 +-
> CryptoPkg/CryptoPkg.uni | 18 +-
> CryptoPkg/Include/Library/HashApiLib.h | 122 +++++++
> .../Library/BaseHashApiLib/BaseHashApiLib.c | 330 ++++++++++++++++++
> .../Library/BaseHashApiLib/BaseHashApiLib.inf | 44 +++
> .../Library/BaseHashApiLib/BaseHashApiLib.uni | 17 +
> 7 files changed, 553 insertions(+), 2 deletions(-)
> create mode 100644 CryptoPkg/Include/Library/HashApiLib.h
> create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
>
> diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
> index 41af6e879e..8ad0fb5d61 100644
> --- a/CryptoPkg/CryptoPkg.dec
> +++ b/CryptoPkg/CryptoPkg.dec
> @@ -33,9 +33,29 @@ [LibraryClasses]
> ##
> TlsLib|Include/Library/TlsLib.h
>
> + ## @libraryclass Provides Unified API for different hash implementations.
> + #
> + HashApiLib|Include/Library/HashApiLib.h
> +
> [Guids]
> ## Crypto package token space guid.
> gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60, 0x9ef7, 0x4899, { 0x97,
> 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
>
> +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
> + ## This PCD indicates the HASH algorithm to calculate hash of data
> + # Based on the value set, the required algorithm is chosen to calculate
> + # the hash of data.<BR>
> + # The default hashing algorithm for BaseHashApiLib is set to SHA256.<BR>
> + # 0x00000001 - MD4.<BR>
> + # 0x00000002 - MD5.<BR>
> + # 0x00000003 - SHA1.<BR>
> + # 0x00000004 - SHA256.<BR>
> + # 0x00000005 - SHA384.<BR>
> + # 0x00000006 - SHA512.<BR>
> + # 0x00000007 - SM3_256.<BR>
> + # @Prompt Set policy for hashing unsigned image for Secure Boot.
> + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UINT8|0x00000001
> +
> [UserExtensions.TianoCore."ExtraFiles"]
> CryptoPkgExtra.uni
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index ec43c1f0a4..9656a73b3c 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -1,7 +1,7 @@
> ## @file
> # Cryptographic Library Package for UEFI Security Implementation.
> #
> -# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> #
> ##
> @@ -44,6 +44,7 @@ [LibraryClasses]
>
> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> + HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
>
> [LibraryClasses.ARM, LibraryClasses.AARCH64]
> #
> @@ -120,6 +121,7 @@ [Components]
> CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> CryptoPkg/Library/OpensslLib/OpensslLib.inf
> CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> + CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
>
> [Components.IA32, Components.X64]
> CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> diff --git a/CryptoPkg/CryptoPkg.uni b/CryptoPkg/CryptoPkg.uni
> index beb0036ef5..0dae4c4045 100644
> --- a/CryptoPkg/CryptoPkg.uni
> +++ b/CryptoPkg/CryptoPkg.uni
> @@ -4,7 +4,7 @@
> // This Package provides cryptographic-related libraries for UEFI security
> modules.
> // It also provides a test application to test libraries.
> //
> -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> //
> // SPDX-License-Identifier: BSD-2-Clause-Patent
> //
> @@ -17,3 +17,19 @@
>
>
>
> +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PROMPT
> #language en-US "HASH algorithm to calculate hash"
> +
> +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HELP
> #language en-US "This PCD indicates the HASH algorithm to calculate hash of
> data.<BR><BR>\n"
> + "Based on the value set, the
> required algorithm is chosen to calculate\n"
> + "the hash of data.<BR>\n"
> + "The default hashing algorithm
> for BaseHashApiLib is set to SHA256.<BR>\n"
> + "0x00000001 - MD4.<BR>\n"
> + "0x00000002 - MD5.<BR>\n"
> + "0x00000003 - SHA1.<BR>\n"
> + "0x00000004 -
> SHA256.<BR>\n"
> + "0x00000005 -
> SHA384.<BR>\n"
> + "0x00000006 -
> SHA512.<BR>\n"
> + "0x00000007 - SM3.<BR>"
> +
> +
> +
> diff --git a/CryptoPkg/Include/Library/HashApiLib.h
> b/CryptoPkg/Include/Library/HashApiLib.h
> new file mode 100644
> index 0000000000..22068e5a17
> --- /dev/null
> +++ b/CryptoPkg/Include/Library/HashApiLib.h
> @@ -0,0 +1,122 @@
> +/** @file
> + Unified Hash API Defines
> +
> + This API when called will calculate the Hash using the
> + hashing algorithm specified by PcdHashApiLibPolicy.
> +
> + Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
> + SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef __BASEHASHAPILIB_H_
> +#define __BASEHASHAPILIB_H_
> +
> +typedef VOID *HASH_API_CONTEXT;
> +
> +//
> +// Hash Algorithms
> +//
> +#define HASH_API_ALGO_INVALID 0x00000000
> +#define HASH_API_ALGO_MD4 0x00000001
> +#define HASH_API_ALGO_MD5 0x00000002
> +#define HASH_API_ALGO_SHA1 0x00000003
> +#define HASH_API_ALGO_SHA256 0x00000004
> +#define HASH_API_ALGO_SHA384 0x00000005
> +#define HASH_API_ALGO_SHA512 0x00000006
> +#define HASH_API_ALGO_SM3_256 0x00000007
> +
> +/**
> + Retrieves the size, in bytes, of the context buffer required for hash operations.
> +
> + @return The size, in bytes, of the context buffer required for hash operations.
> +**/
> +UINTN
> +EFIAPI
> +HashApiGetContextSize (
> + VOID
> + );
> +
> +/**
> + Init hash sequence.
> +
> + @param[out] HashContext Hash context.
> +
> + @retval TRUE Hash start and HashHandle returned.
> + @retval FALSE Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> + OUT HASH_API_CONTEXT HashContext
> + );
> +
> +/**
> + Makes a copy of an existing hash context.
> +
> + @param[in] HashContext Hash context.
> + @param[out] NewHashContext New copy of hash context.
> +
> + @retval TRUE Hash context copy succeeded.
> + @retval FALSE Hash context copy failed.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiDuplicate (
> + IN HASH_API_CONTEXT HashContext,
> + OUT HASH_API_CONTEXT NewHashContext
> + );
> +
> +/**
> + Update hash data.
> +
> + @param[in] HashContext Hash context.
> + @param[in] DataToHash Data to be hashed.
> + @param[in] DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> + IN HASH_API_CONTEXT HashContext,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> + );
> +
> +/**
> + Hash complete.
> +
> + @param[in] HashContext Hash context.
> + @param[out] Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> + IN HASH_API_CONTEXT HashContext,
> + OUT UINT8 *Digest
> + );
> +
> +/**
> + Computes hash message digest of a input data buffer.
> +
> + @param[in] DataToHash Data to be hashed.
> + @param[in] DataToHashLen Data size.
> + @param[out] Digest Hash Digest.
> +
> + @retval TRUE Hash digest computation succeeded.
> + @retval FALSE Hash digest computation failed.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiHashAll (
> + IN CONST VOID *DataToHash,
> + IN UINTN DataToHashLen,
> + OUT UINT8 *Digest
> + );
> +
> +#endif
> diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> new file mode 100644
> index 0000000000..277ef9f0b4
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> @@ -0,0 +1,330 @@
> +/** @file
> + Unified Hash API Implementation
> +
> + This file implements the Unified Hash API.
> +
> + This API, when called, will calculate the Hash using the
> + hashing algorithm specified by PcdHashApiLibPolicy.
> +
> + Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
> + SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Base.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/BaseCryptLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/PcdLib.h>
> +#include <Library/HashApiLib.h>
> +
> +/**
> + Retrieves the size, in bytes, of the context buffer required for hash operations.
> +
> + @return The size, in bytes, of the context buffer required for hash operations.
> +**/
> +UINTN
> +EFIAPI
> +HashApiGetContextSize (
> + VOID
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3GetContextSize ();
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return 0;
> + break;
> + }
> +}
> +
> +/**
> + Init hash sequence.
> +
> + @param[out] HashContext Hash context.
> +
> + @retval TRUE Hash start and HashHandle returned.
> + @retval FALSE Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> + OUT HASH_API_CONTEXT HashContext
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3Init (HashContext);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> +
> +/**
> + Makes a copy of an existing hash context.
> +
> + @param[in] HashContext Hash context.
> + @param[out] NewHashContext New copy of hash context.
> +
> + @retval TRUE Hash context copy succeeded.
> + @retval FALSE Hash context copy failed.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiDuplicate (
> + IN HASH_API_CONTEXT HashContext,
> + OUT HASH_API_CONTEXT NewHashContext
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3Duplicate (HashContext, NewHashContext);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> +
> +/**
> + Update hash data.
> +
> + @param[in] HashContext Hash context.
> + @param[in] DataToHash Data to be hashed.
> + @param[in] DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> + IN HASH_API_CONTEXT HashContext,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> +
> +/**
> + Hash complete.
> +
> + @param[in] HashContext Hash context.
> + @param[out] Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> + IN HASH_API_CONTEXT HashContext,
> + OUT UINT8 *Digest
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3Final (HashContext, Digest);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> +
> +/**
> + Computes hash message digest of a input data buffer.
> +
> + @param[in] DataToHash Data to be hashed.
> + @param[in] DataToHashLen Data size.
> + @param[out] Digest Hash Digest.
> +
> + @retval TRUE Hash digest computation succeeded.
> + @retval FALSE Hash digest computation failed.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiHashAll (
> + IN CONST VOID *DataToHash,
> + IN UINTN DataToHashLen,
> + OUT UINT8 *Digest
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> new file mode 100644
> index 0000000000..b4d8675ddd
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> @@ -0,0 +1,44 @@
> +## @file
> +# Provides Unified API for Hash Calculation
> +#
> +# This library is BaseHashApiLib. It will redirect hash request to
> +# each individual hash API, such as SHA1, SHA256, SHA384, SM3 based
> +# on hashing algorithm specified by PcdHashApiLibPolicy.
> +#
> +# Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION = 0x00010005
> + BASE_NAME = BaseHashApiLib
> + MODULE_UNI_FILE = BaseHashApiLib.uni
> + FILE_GUID = B1E566DD-DE7C-4F04-BDA0-B1295D3BE927
> + MODULE_TYPE = BASE
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = BaseHashApiLib
> +
> +#
> +# The following information is for reference only and not required by the build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64
> +#
> +
> +[Sources]
> + BaseHashApiLib.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> + MemoryAllocationLib
> + BaseCryptLib
> + PcdLib
> +
> +[Pcd]
> + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy ## CONSUMES
> diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> new file mode 100644
> index 0000000000..49ba82e86f
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> @@ -0,0 +1,17 @@
> +// /** @file
> +// Provides Unified API for Hash Calculation
> +//
> +// This library is BaseHashApiLib. It will redirect hash request to
> +// each individual hash API, such as SHA1, SHA256, SHA384, SM3 based
> +// on hashing algorithm specified by PcdHashApiLibPolicy.
> +//
> +// Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
> +
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler specified by
> PcdHashApiLibPolicy."
> --
> 2.21.0.windows.1
[-- Attachment #2: Type: text/html, Size: 85216 bytes --]
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-04 2:53 ` Yao, Jiewen
2020-02-04 5:24 ` [edk2-devel] " Zhang, Chao B
@ 2020-02-04 16:26 ` Michael D Kinney
2020-02-04 17:10 ` Sukerkar, Amol N
2020-02-04 22:54 ` Yao, Jiewen
1 sibling, 2 replies; 20+ messages in thread
From: Michael D Kinney @ 2020-02-04 16:26 UTC (permalink / raw)
To: Yao, Jiewen, devel@edk2.groups.io, Kinney, Michael D,
Sukerkar, Amol N
Cc: Wang, Jian J
Jiewen,
I think UINT8 is fine. We can change default to 0x04 in DEC file.
I will let Amol comment on why MD4 and MD5 are included. If
they are not required, then I agree they should be removed.
I do not see a reason to align with TCG spec. The HashApiLib
is a layer on top of BaseCryptLib and the use of hash algorithms
is not limited to TCG related content. The BaseCryptLib
could potentially adopt hash algorithms that are not defined
in the TCG specification. We also do not want CryptoPkg to
depend on the SecurityPkg.
Thanks,
Mike
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Monday, February 3, 2020 6:54 PM
> To: Kinney, Michael D <michael.d.kinney@intel.com>;
> devel@edk2.groups.io
> Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> Implement Unified Hash Calculation API
>
> Thanks Mike, to cover us during Chinese New Year
> holiday.
>
> I am just back from vocation. A minor comment:
>
> The PcdHashApiLibPolicy is UINT8, but the value is
> shown as 32bit 0x00000004.
>
> There are couple of ways to enhance:
> 1) Define UINT8, and use 8bit style 0x04.
> 2) Define UINT32, and use 32bit style 0x00000004.
> 3) Define UINT16 (match TCG definition), and use TCG
> defined value. (Tpm20.h)
> #define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
> #define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
> #define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
> #define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
> #define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
>
> MD4 and MD5 are known as insecure and deprecated. I
> doubt if we want to add such support. (I strong
> recommend NO).
>
> If we can remove MD4 and MD5, I think we can use #3.
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: Kinney, Michael D <michael.d.kinney@intel.com>
> > Sent: Tuesday, February 4, 2020 7:36 AM
> > To: devel@edk2.groups.io
> > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> Yao, Jiewen
> > <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>
> > Subject: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> Implement Unified Hash
> > Calculation API
> >
> > From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
> >
> > https://bugzilla.tianocore.org/show_bug.cgi?id=2151
> >
> > This commit introduces a Unified Hash API to
> calculate hash using a
> > hashing algorithm specified by the PCD,
> PcdHashApiLibPolicy. This library
> > interfaces with the various hashing API, such as,
> MD4, MD5, SHA1, SHA256,
> > SHA512 and SM3_256 implemented in BaseCryptLib. The
> user can calculate
> > the desired hash by setting PcdHashApiLibPolicy to
> appropriate value.
> >
> > This feature is documented in the Bugzilla,
> > https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Signed-off-by: Amol N Sukerkar
> <amol.n.sukerkar@intel.com>
> > Reviewed-by: Michael D Kinney
> <michael.d.kinney@intel.com>
> > ---
> > CryptoPkg/CryptoPkg.dec | 20
> ++
> > CryptoPkg/CryptoPkg.dsc | 4
> +-
> > CryptoPkg/CryptoPkg.uni | 18
> +-
> > CryptoPkg/Include/Library/HashApiLib.h | 122
> +++++++
> > .../Library/BaseHashApiLib/BaseHashApiLib.c | 330
> ++++++++++++++++++
> > .../Library/BaseHashApiLib/BaseHashApiLib.inf | 44
> +++
> > .../Library/BaseHashApiLib/BaseHashApiLib.uni | 17
> +
> > 7 files changed, 553 insertions(+), 2 deletions(-)
> > create mode 100644
> CryptoPkg/Include/Library/HashApiLib.h
> > create mode 100644
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > create mode 100644
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > create mode 100644
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> >
> > diff --git a/CryptoPkg/CryptoPkg.dec
> b/CryptoPkg/CryptoPkg.dec
> > index 41af6e879e..8ad0fb5d61 100644
> > --- a/CryptoPkg/CryptoPkg.dec
> > +++ b/CryptoPkg/CryptoPkg.dec
> > @@ -33,9 +33,29 @@ [LibraryClasses]
> > ##
> > TlsLib|Include/Library/TlsLib.h
> >
> > + ## @libraryclass Provides Unified API for
> different hash implementations.
> > + #
> > + HashApiLib|Include/Library/HashApiLib.h
> > +
> > [Guids]
> > ## Crypto package token space guid.
> > gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60,
> 0x9ef7, 0x4899, { 0x97,
> > 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
> >
> > +[PcdsFixedAtBuild, PcdsPatchableInModule,
> PcdsDynamic, PcdsDynamicEx]
> > + ## This PCD indicates the HASH algorithm to
> calculate hash of data
> > + # Based on the value set, the required algorithm
> is chosen to calculate
> > + # the hash of data.<BR>
> > + # The default hashing algorithm for
> BaseHashApiLib is set to SHA256.<BR>
> > + # 0x00000001 - MD4.<BR>
> > + # 0x00000002 - MD5.<BR>
> > + # 0x00000003 - SHA1.<BR>
> > + # 0x00000004 - SHA256.<BR>
> > + # 0x00000005 - SHA384.<BR>
> > + # 0x00000006 - SHA512.<BR>
> > + # 0x00000007 - SM3_256.<BR>
> > + # @Prompt Set policy for hashing unsigned image
> for Secure Boot.
> > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > +
> >
> gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UI
> NT8|0x00000001
> > +
> > [UserExtensions.TianoCore."ExtraFiles"]
> > CryptoPkgExtra.uni
> > diff --git a/CryptoPkg/CryptoPkg.dsc
> b/CryptoPkg/CryptoPkg.dsc
> > index ec43c1f0a4..9656a73b3c 100644
> > --- a/CryptoPkg/CryptoPkg.dsc
> > +++ b/CryptoPkg/CryptoPkg.dsc
> > @@ -1,7 +1,7 @@
> > ## @file
> > # Cryptographic Library Package for UEFI Security
> Implementation.
> > #
> > -# Copyright (c) 2009 - 2018, Intel Corporation. All
> rights reserved.<BR>
> > +# Copyright (c) 2009 - 2020, Intel Corporation. All
> rights reserved.<BR>
> > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > #
> > ##
> > @@ -44,6 +44,7 @@ [LibraryClasses]
> >
> >
> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLi
> b.inf
> >
> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > +
> HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApi
> Lib.inf
> >
> > [LibraryClasses.ARM, LibraryClasses.AARCH64]
> > #
> > @@ -120,6 +121,7 @@ [Components]
> > CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> > CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > +
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> >
> > [Components.IA32, Components.X64]
> > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > diff --git a/CryptoPkg/CryptoPkg.uni
> b/CryptoPkg/CryptoPkg.uni
> > index beb0036ef5..0dae4c4045 100644
> > --- a/CryptoPkg/CryptoPkg.uni
> > +++ b/CryptoPkg/CryptoPkg.uni
> > @@ -4,7 +4,7 @@
> > // This Package provides cryptographic-related
> libraries for UEFI security
> > modules.
> > // It also provides a test application to test
> libraries.
> > //
> > -// Copyright (c) 2009 - 2018, Intel Corporation. All
> rights reserved.<BR>
> > +// Copyright (c) 2009 - 2020, Intel Corporation. All
> rights reserved.<BR>
> > //
> > // SPDX-License-Identifier: BSD-2-Clause-Patent
> > //
> > @@ -17,3 +17,19 @@
> >
> >
> >
> > +#string
> STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PRO
> MPT
> > #language en-US "HASH algorithm to calculate hash"
> > +
> > +#string
> STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HEL
> P
> > #language en-US "This PCD indicates the HASH
> algorithm to calculate hash of
> > data.<BR><BR>\n"
> > +
> "Based on the value set, the
> > required algorithm is chosen to calculate\n"
> > +
> "the hash of data.<BR>\n"
> > +
> "The default hashing algorithm
> > for BaseHashApiLib is set to SHA256.<BR>\n"
> > +
> "0x00000001 - MD4.<BR>\n"
> > +
> "0x00000002 - MD5.<BR>\n"
> > +
> "0x00000003 - SHA1.<BR>\n"
> > +
> "0x00000004 -
> > SHA256.<BR>\n"
> > +
> "0x00000005 -
> > SHA384.<BR>\n"
> > +
> "0x00000006 -
> > SHA512.<BR>\n"
> > +
> "0x00000007 - SM3.<BR>"
> > +
> > +
> > +
> > diff --git a/CryptoPkg/Include/Library/HashApiLib.h
> > b/CryptoPkg/Include/Library/HashApiLib.h
> > new file mode 100644
> > index 0000000000..22068e5a17
> > --- /dev/null
> > +++ b/CryptoPkg/Include/Library/HashApiLib.h
> > @@ -0,0 +1,122 @@
> > +/** @file
> > + Unified Hash API Defines
> > +
> > + This API when called will calculate the Hash using
> the
> > + hashing algorithm specified by
> PcdHashApiLibPolicy.
> > +
> > + Copyright (c) 2020, Intel Corporation. All rights
> reserved.<BR>
> > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > +
> > +**/
> > +
> > +#ifndef __BASEHASHAPILIB_H_
> > +#define __BASEHASHAPILIB_H_
> > +
> > +typedef VOID *HASH_API_CONTEXT;
> > +
> > +//
> > +// Hash Algorithms
> > +//
> > +#define HASH_API_ALGO_INVALID 0x00000000
> > +#define HASH_API_ALGO_MD4 0x00000001
> > +#define HASH_API_ALGO_MD5 0x00000002
> > +#define HASH_API_ALGO_SHA1 0x00000003
> > +#define HASH_API_ALGO_SHA256 0x00000004
> > +#define HASH_API_ALGO_SHA384 0x00000005
> > +#define HASH_API_ALGO_SHA512 0x00000006
> > +#define HASH_API_ALGO_SM3_256 0x00000007
> > +
> > +/**
> > + Retrieves the size, in bytes, of the context
> buffer required for hash operations.
> > +
> > + @return The size, in bytes, of the context buffer
> required for hash operations.
> > +**/
> > +UINTN
> > +EFIAPI
> > +HashApiGetContextSize (
> > + VOID
> > + );
> > +
> > +/**
> > + Init hash sequence.
> > +
> > + @param[out] HashContext Hash context.
> > +
> > + @retval TRUE Hash start and HashHandle
> returned.
> > + @retval FALSE Hash Init unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiInit (
> > + OUT HASH_API_CONTEXT HashContext
> > + );
> > +
> > +/**
> > + Makes a copy of an existing hash context.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[out] NewHashContext New copy of hash
> context.
> > +
> > + @retval TRUE Hash context copy succeeded.
> > + @retval FALSE Hash context copy failed.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiDuplicate (
> > + IN HASH_API_CONTEXT HashContext,
> > + OUT HASH_API_CONTEXT NewHashContext
> > + );
> > +
> > +/**
> > + Update hash data.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[in] DataToHash Data to be hashed.
> > + @param[in] DataToHashLen Data size.
> > +
> > + @retval TRUE Hash updated.
> > + @retval FALSE Hash updated unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiUpdate (
> > + IN HASH_API_CONTEXT HashContext,
> > + IN VOID *DataToHash,
> > + IN UINTN DataToHashLen
> > + );
> > +
> > +/**
> > + Hash complete.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[out] Digest Hash Digest.
> > +
> > + @retval TRUE Hash complete and Digest is
> returned.
> > + @retval FALSE Hash complete unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiFinal (
> > + IN HASH_API_CONTEXT HashContext,
> > + OUT UINT8 *Digest
> > + );
> > +
> > +/**
> > + Computes hash message digest of a input data
> buffer.
> > +
> > + @param[in] DataToHash Data to be hashed.
> > + @param[in] DataToHashLen Data size.
> > + @param[out] Digest Hash Digest.
> > +
> > + @retval TRUE Hash digest computation succeeded.
> > + @retval FALSE Hash digest computation failed.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiHashAll (
> > + IN CONST VOID *DataToHash,
> > + IN UINTN DataToHashLen,
> > + OUT UINT8 *Digest
> > + );
> > +
> > +#endif
> > diff --git
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > new file mode 100644
> > index 0000000000..277ef9f0b4
> > --- /dev/null
> > +++
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > @@ -0,0 +1,330 @@
> > +/** @file
> > + Unified Hash API Implementation
> > +
> > + This file implements the Unified Hash API.
> > +
> > + This API, when called, will calculate the Hash
> using the
> > + hashing algorithm specified by
> PcdHashApiLibPolicy.
> > +
> > + Copyright (c) 2020, Intel Corporation. All rights
> reserved.<BR>
> > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > +
> > +**/
> > +
> > +#include <Base.h>
> > +#include <Library/BaseLib.h>
> > +#include <Library/BaseMemoryLib.h>
> > +#include <Library/MemoryAllocationLib.h>
> > +#include <Library/BaseCryptLib.h>
> > +#include <Library/DebugLib.h>
> > +#include <Library/PcdLib.h>
> > +#include <Library/HashApiLib.h>
> > +
> > +/**
> > + Retrieves the size, in bytes, of the context
> buffer required for hash operations.
> > +
> > + @return The size, in bytes, of the context buffer
> required for hash operations.
> > +**/
> > +UINTN
> > +EFIAPI
> > +HashApiGetContextSize (
> > + VOID
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3GetContextSize ();
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return 0;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Init hash sequence.
> > +
> > + @param[out] HashContext Hash context.
> > +
> > + @retval TRUE Hash start and HashHandle
> returned.
> > + @retval FALSE Hash Init unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiInit (
> > + OUT HASH_API_CONTEXT HashContext
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3Init (HashContext);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Makes a copy of an existing hash context.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[out] NewHashContext New copy of hash
> context.
> > +
> > + @retval TRUE Hash context copy succeeded.
> > + @retval FALSE Hash context copy failed.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiDuplicate (
> > + IN HASH_API_CONTEXT HashContext,
> > + OUT HASH_API_CONTEXT NewHashContext
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Update hash data.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[in] DataToHash Data to be hashed.
> > + @param[in] DataToHashLen Data size.
> > +
> > + @retval TRUE Hash updated.
> > + @retval FALSE Hash updated unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiUpdate (
> > + IN HASH_API_CONTEXT HashContext,
> > + IN VOID *DataToHash,
> > + IN UINTN DataToHashLen
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Hash complete.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[out] Digest Hash Digest.
> > +
> > + @retval TRUE Hash complete and Digest is
> returned.
> > + @retval FALSE Hash complete unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiFinal (
> > + IN HASH_API_CONTEXT HashContext,
> > + OUT UINT8 *Digest
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3Final (HashContext, Digest);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Computes hash message digest of a input data
> buffer.
> > +
> > + @param[in] DataToHash Data to be hashed.
> > + @param[in] DataToHashLen Data size.
> > + @param[out] Digest Hash Digest.
> > +
> > + @retval TRUE Hash digest computation succeeded.
> > + @retval FALSE Hash digest computation failed.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiHashAll (
> > + IN CONST VOID *DataToHash,
> > + IN UINTN DataToHashLen,
> > + OUT UINT8 *Digest
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4HashAll (DataToHash, DataToHashLen,
> Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5HashAll (DataToHash, DataToHashLen,
> Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1HashAll (DataToHash, DataToHashLen,
> Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256HashAll (DataToHash,
> DataToHashLen, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384HashAll (DataToHash,
> DataToHashLen, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512HashAll (DataToHash,
> DataToHashLen, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3HashAll (DataToHash, DataToHashLen,
> Digest);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > diff --git
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > new file mode 100644
> > index 0000000000..b4d8675ddd
> > --- /dev/null
> > +++
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > @@ -0,0 +1,44 @@
> > +## @file
> > +# Provides Unified API for Hash Calculation
> > +#
> > +# This library is BaseHashApiLib. It will redirect
> hash request to
> > +# each individual hash API, such as SHA1, SHA256,
> SHA384, SM3 based
> > +# on hashing algorithm specified by
> PcdHashApiLibPolicy.
> > +#
> > +# Copyright (c) 2020, Intel Corporation. All rights
> reserved.<BR>
> > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > +#
> > +##
> > +
> > +[Defines]
> > + INF_VERSION = 0x00010005
> > + BASE_NAME = BaseHashApiLib
> > + MODULE_UNI_FILE =
> BaseHashApiLib.uni
> > + FILE_GUID = B1E566DD-DE7C-
> 4F04-BDA0-B1295D3BE927
> > + MODULE_TYPE = BASE
> > + VERSION_STRING = 1.0
> > + LIBRARY_CLASS = BaseHashApiLib
> > +
> > +#
> > +# The following information is for reference only
> and not required by the build
> > tools.
> > +#
> > +# VALID_ARCHITECTURES = IA32 X64
> > +#
> > +
> > +[Sources]
> > + BaseHashApiLib.c
> > +
> > +[Packages]
> > + MdePkg/MdePkg.dec
> > + CryptoPkg/CryptoPkg.dec
> > +
> > +[LibraryClasses]
> > + BaseLib
> > + BaseMemoryLib
> > + DebugLib
> > + MemoryAllocationLib
> > + BaseCryptLib
> > + PcdLib
> > +
> > +[Pcd]
> > + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy
> ## CONSUMES
> > diff --git
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > new file mode 100644
> > index 0000000000..49ba82e86f
> > --- /dev/null
> > +++
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > @@ -0,0 +1,17 @@
> > +// /** @file
> > +// Provides Unified API for Hash Calculation
> > +//
> > +// This library is BaseHashApiLib. It will redirect
> hash request to
> > +// each individual hash API, such as SHA1, SHA256,
> SHA384, SM3 based
> > +// on hashing algorithm specified by
> PcdHashApiLibPolicy.
> > +//
> > +// Copyright (c) 2020, Intel Corporation. All rights
> reserved.<BR>
> > +//
> > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> > +//
> > +// **/
> > +
> > +
> > +#string STR_MODULE_ABSTRACT #language
> en-US "Provides hash
> > service by specified hash handler"
> > +
> > +#string STR_MODULE_DESCRIPTION #language
> en-US "This library is
> > Unified Hash API. It will redirect hash request to
> the hash handler specified by
> > PcdHashApiLibPolicy."
> > --
> > 2.21.0.windows.1
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [edk2-devel] [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-04 5:24 ` [edk2-devel] " Zhang, Chao B
@ 2020-02-04 16:29 ` Michael D Kinney
0 siblings, 0 replies; 20+ messages in thread
From: Michael D Kinney @ 2020-02-04 16:29 UTC (permalink / raw)
To: Zhang, Chao B, devel@edk2.groups.io, Yao, Jiewen,
Kinney, Michael D
Cc: Sukerkar, Amol N, Wang, Jian J
[-- Attachment #1: Type: text/plain, Size: 24737 bytes --]
Hi Chao,
I do not think the HashApiLib in CryptoPkg should depend on a PCD in SecurityPkg and have
a dependency on TPM related concepts. The HashApiLib is a layer on top of BaseCryptLib
that may support algorithms not supported by TPM.
If the TCG/TPM specs have defined support for more algorithms, then I agree that the
SecurityPkg can be updated to align with the latest specs.
Mike
From: Zhang, Chao B <chao.b.zhang@intel.com>
Sent: Monday, February 3, 2020 9:25 PM
To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Wang, Jian J <jian.j.wang@intel.com>
Subject: RE: [edk2-devel] [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
Comply with gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask is better.
We can append new definition after existing one.
#define HASH_ALG_SHA1 0x00000001
#define HASH_ALG_SHA256 0x00000002
#define HASH_ALG_SHA384 0x00000004
#define HASH_ALG_SHA512 0x00000008
#define HASH_ALG_SM3_256 0x00000010
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Yao, Jiewen
Sent: Tuesday, February 4, 2020 10:54 AM
To: Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com<mailto:amol.n.sukerkar@intel.com>>; Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
Subject: Re: [edk2-devel] [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
Thanks Mike, to cover us during Chinese New Year holiday.
I am just back from vocation. A minor comment:
The PcdHashApiLibPolicy is UINT8, but the value is shown as 32bit 0x00000004.
There are couple of ways to enhance:
1) Define UINT8, and use 8bit style 0x04.
2) Define UINT32, and use 32bit style 0x00000004.
3) Define UINT16 (match TCG definition), and use TCG defined value. (Tpm20.h)
#define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
#define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
#define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
#define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
#define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
MD4 and MD5 are known as insecure and deprecated. I doubt if we want to add such support. (I strong recommend NO).
If we can remove MD4 and MD5, I think we can use #3.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
> Sent: Tuesday, February 4, 2020 7:36 AM
> To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
> Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com<mailto:amol.n.sukerkar@intel.com>>; Yao, Jiewen
> <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>; Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
> Subject: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash
> Calculation API
>
> From: Amol N Sukerkar <amol.n.sukerkar@intel.com<mailto:amol.n.sukerkar@intel.com>>
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=2151
>
> This commit introduces a Unified Hash API to calculate hash using a
> hashing algorithm specified by the PCD, PcdHashApiLibPolicy. This library
> interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256,
> SHA512 and SM3_256 implemented in BaseCryptLib. The user can calculate
> the desired hash by setting PcdHashApiLibPolicy to appropriate value.
>
> This feature is documented in the Bugzilla,
> https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Cc: Jian J Wang <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
> Cc: Michael D Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
> Signed-off-by: Amol N Sukerkar <amol.n.sukerkar@intel.com<mailto:amol.n.sukerkar@intel.com>>
> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
> ---
> CryptoPkg/CryptoPkg.dec | 20 ++
> CryptoPkg/CryptoPkg.dsc | 4 +-
> CryptoPkg/CryptoPkg.uni | 18 +-
> CryptoPkg/Include/Library/HashApiLib.h | 122 +++++++
> .../Library/BaseHashApiLib/BaseHashApiLib.c | 330 ++++++++++++++++++
> .../Library/BaseHashApiLib/BaseHashApiLib.inf | 44 +++
> .../Library/BaseHashApiLib/BaseHashApiLib.uni | 17 +
> 7 files changed, 553 insertions(+), 2 deletions(-)
> create mode 100644 CryptoPkg/Include/Library/HashApiLib.h
> create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> create mode 100644 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
>
> diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec
> index 41af6e879e..8ad0fb5d61 100644
> --- a/CryptoPkg/CryptoPkg.dec
> +++ b/CryptoPkg/CryptoPkg.dec
> @@ -33,9 +33,29 @@ [LibraryClasses]
> ##
> TlsLib|Include/Library/TlsLib.h
>
> + ## @libraryclass Provides Unified API for different hash implementations.
> + #
> + HashApiLib|Include/Library/HashApiLib.h
> +
> [Guids]
> ## Crypto package token space guid.
> gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60, 0x9ef7, 0x4899, { 0x97,
> 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
>
> +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
> + ## This PCD indicates the HASH algorithm to calculate hash of data
> + # Based on the value set, the required algorithm is chosen to calculate
> + # the hash of data.<BR>
> + # The default hashing algorithm for BaseHashApiLib is set to SHA256.<BR>
> + # 0x00000001 - MD4.<BR>
> + # 0x00000002 - MD5.<BR>
> + # 0x00000003 - SHA1.<BR>
> + # 0x00000004 - SHA256.<BR>
> + # 0x00000005 - SHA384.<BR>
> + # 0x00000006 - SHA512.<BR>
> + # 0x00000007 - SM3_256.<BR>
> + # @Prompt Set policy for hashing unsigned image for Secure Boot.
> + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UINT8|0x00000001
> +
> [UserExtensions.TianoCore."ExtraFiles"]
> CryptoPkgExtra.uni
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index ec43c1f0a4..9656a73b3c 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -1,7 +1,7 @@
> ## @file
> # Cryptographic Library Package for UEFI Security Implementation.
> #
> -# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> #
> ##
> @@ -44,6 +44,7 @@ [LibraryClasses]
>
> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> + HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
>
> [LibraryClasses.ARM, LibraryClasses.AARCH64]
> #
> @@ -120,6 +121,7 @@ [Components]
> CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> CryptoPkg/Library/OpensslLib/OpensslLib.inf
> CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> + CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
>
> [Components.IA32, Components.X64]
> CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> diff --git a/CryptoPkg/CryptoPkg.uni b/CryptoPkg/CryptoPkg.uni
> index beb0036ef5..0dae4c4045 100644
> --- a/CryptoPkg/CryptoPkg.uni
> +++ b/CryptoPkg/CryptoPkg.uni
> @@ -4,7 +4,7 @@
> // This Package provides cryptographic-related libraries for UEFI security
> modules.
> // It also provides a test application to test libraries.
> //
> -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> //
> // SPDX-License-Identifier: BSD-2-Clause-Patent
> //
> @@ -17,3 +17,19 @@
>
>
>
> +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PROMPT
> #language en-US "HASH algorithm to calculate hash"
> +
> +#string STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HELP
> #language en-US "This PCD indicates the HASH algorithm to calculate hash of
> data.<BR><BR>\n"
> + "Based on the value set, the
> required algorithm is chosen to calculate\n"
> + "the hash of data.<BR>\n"
> + "The default hashing algorithm
> for BaseHashApiLib is set to SHA256.<BR>\n"
> + "0x00000001 - MD4.<BR>\n"
> + "0x00000002 - MD5.<BR>\n"
> + "0x00000003 - SHA1.<BR>\n"
> + "0x00000004 -
> SHA256.<BR>\n"
> + "0x00000005 -
> SHA384.<BR>\n"
> + "0x00000006 -
> SHA512.<BR>\n"
> + "0x00000007 - SM3.<BR>"
> +
> +
> +
> diff --git a/CryptoPkg/Include/Library/HashApiLib.h
> b/CryptoPkg/Include/Library/HashApiLib.h
> new file mode 100644
> index 0000000000..22068e5a17
> --- /dev/null
> +++ b/CryptoPkg/Include/Library/HashApiLib.h
> @@ -0,0 +1,122 @@
> +/** @file
> + Unified Hash API Defines
> +
> + This API when called will calculate the Hash using the
> + hashing algorithm specified by PcdHashApiLibPolicy.
> +
> + Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
> + SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef __BASEHASHAPILIB_H_
> +#define __BASEHASHAPILIB_H_
> +
> +typedef VOID *HASH_API_CONTEXT;
> +
> +//
> +// Hash Algorithms
> +//
> +#define HASH_API_ALGO_INVALID 0x00000000
> +#define HASH_API_ALGO_MD4 0x00000001
> +#define HASH_API_ALGO_MD5 0x00000002
> +#define HASH_API_ALGO_SHA1 0x00000003
> +#define HASH_API_ALGO_SHA256 0x00000004
> +#define HASH_API_ALGO_SHA384 0x00000005
> +#define HASH_API_ALGO_SHA512 0x00000006
> +#define HASH_API_ALGO_SM3_256 0x00000007
> +
> +/**
> + Retrieves the size, in bytes, of the context buffer required for hash operations.
> +
> + @return The size, in bytes, of the context buffer required for hash operations.
> +**/
> +UINTN
> +EFIAPI
> +HashApiGetContextSize (
> + VOID
> + );
> +
> +/**
> + Init hash sequence.
> +
> + @param[out] HashContext Hash context.
> +
> + @retval TRUE Hash start and HashHandle returned.
> + @retval FALSE Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> + OUT HASH_API_CONTEXT HashContext
> + );
> +
> +/**
> + Makes a copy of an existing hash context.
> +
> + @param[in] HashContext Hash context.
> + @param[out] NewHashContext New copy of hash context.
> +
> + @retval TRUE Hash context copy succeeded.
> + @retval FALSE Hash context copy failed.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiDuplicate (
> + IN HASH_API_CONTEXT HashContext,
> + OUT HASH_API_CONTEXT NewHashContext
> + );
> +
> +/**
> + Update hash data.
> +
> + @param[in] HashContext Hash context.
> + @param[in] DataToHash Data to be hashed.
> + @param[in] DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> + IN HASH_API_CONTEXT HashContext,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> + );
> +
> +/**
> + Hash complete.
> +
> + @param[in] HashContext Hash context.
> + @param[out] Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> + IN HASH_API_CONTEXT HashContext,
> + OUT UINT8 *Digest
> + );
> +
> +/**
> + Computes hash message digest of a input data buffer.
> +
> + @param[in] DataToHash Data to be hashed.
> + @param[in] DataToHashLen Data size.
> + @param[out] Digest Hash Digest.
> +
> + @retval TRUE Hash digest computation succeeded.
> + @retval FALSE Hash digest computation failed.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiHashAll (
> + IN CONST VOID *DataToHash,
> + IN UINTN DataToHashLen,
> + OUT UINT8 *Digest
> + );
> +
> +#endif
> diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> new file mode 100644
> index 0000000000..277ef9f0b4
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> @@ -0,0 +1,330 @@
> +/** @file
> + Unified Hash API Implementation
> +
> + This file implements the Unified Hash API.
> +
> + This API, when called, will calculate the Hash using the
> + hashing algorithm specified by PcdHashApiLibPolicy.
> +
> + Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
> + SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Base.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/BaseCryptLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/PcdLib.h>
> +#include <Library/HashApiLib.h>
> +
> +/**
> + Retrieves the size, in bytes, of the context buffer required for hash operations.
> +
> + @return The size, in bytes, of the context buffer required for hash operations.
> +**/
> +UINTN
> +EFIAPI
> +HashApiGetContextSize (
> + VOID
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512GetContextSize ();
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3GetContextSize ();
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return 0;
> + break;
> + }
> +}
> +
> +/**
> + Init hash sequence.
> +
> + @param[out] HashContext Hash context.
> +
> + @retval TRUE Hash start and HashHandle returned.
> + @retval FALSE Hash Init unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiInit (
> + OUT HASH_API_CONTEXT HashContext
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512Init (HashContext);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3Init (HashContext);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> +
> +/**
> + Makes a copy of an existing hash context.
> +
> + @param[in] HashContext Hash context.
> + @param[out] NewHashContext New copy of hash context.
> +
> + @retval TRUE Hash context copy succeeded.
> + @retval FALSE Hash context copy failed.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiDuplicate (
> + IN HASH_API_CONTEXT HashContext,
> + OUT HASH_API_CONTEXT NewHashContext
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512Duplicate (HashContext, NewHashContext);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3Duplicate (HashContext, NewHashContext);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> +
> +/**
> + Update hash data.
> +
> + @param[in] HashContext Hash context.
> + @param[in] DataToHash Data to be hashed.
> + @param[in] DataToHashLen Data size.
> +
> + @retval TRUE Hash updated.
> + @retval FALSE Hash updated unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiUpdate (
> + IN HASH_API_CONTEXT HashContext,
> + IN VOID *DataToHash,
> + IN UINTN DataToHashLen
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3Update (HashContext, DataToHash, DataToHashLen);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> +
> +/**
> + Hash complete.
> +
> + @param[in] HashContext Hash context.
> + @param[out] Digest Hash Digest.
> +
> + @retval TRUE Hash complete and Digest is returned.
> + @retval FALSE Hash complete unsuccessful.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiFinal (
> + IN HASH_API_CONTEXT HashContext,
> + OUT UINT8 *Digest
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512Final (HashContext, Digest);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3Final (HashContext, Digest);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> +
> +/**
> + Computes hash message digest of a input data buffer.
> +
> + @param[in] DataToHash Data to be hashed.
> + @param[in] DataToHashLen Data size.
> + @param[out] Digest Hash Digest.
> +
> + @retval TRUE Hash digest computation succeeded.
> + @retval FALSE Hash digest computation failed.
> +**/
> +BOOLEAN
> +EFIAPI
> +HashApiHashAll (
> + IN CONST VOID *DataToHash,
> + IN UINTN DataToHashLen,
> + OUT UINT8 *Digest
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_MD5:
> + return Md5HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA1:
> + return Sha1HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA256:
> + return Sha256HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA384:
> + return Sha384HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SHA512:
> + return Sha512HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + case HASH_API_ALGO_SM3_256:
> + return Sm3HashAll (DataToHash, DataToHashLen, Digest);
> + break;
> +
> + default:
> + ASSERT (FALSE);
> + return FALSE;
> + break;
> + }
> +}
> diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> new file mode 100644
> index 0000000000..b4d8675ddd
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> @@ -0,0 +1,44 @@
> +## @file
> +# Provides Unified API for Hash Calculation
> +#
> +# This library is BaseHashApiLib. It will redirect hash request to
> +# each individual hash API, such as SHA1, SHA256, SHA384, SM3 based
> +# on hashing algorithm specified by PcdHashApiLibPolicy.
> +#
> +# Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION = 0x00010005
> + BASE_NAME = BaseHashApiLib
> + MODULE_UNI_FILE = BaseHashApiLib.uni
> + FILE_GUID = B1E566DD-DE7C-4F04-BDA0-B1295D3BE927
> + MODULE_TYPE = BASE
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = BaseHashApiLib
> +
> +#
> +# The following information is for reference only and not required by the build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64
> +#
> +
> +[Sources]
> + BaseHashApiLib.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> + MemoryAllocationLib
> + BaseCryptLib
> + PcdLib
> +
> +[Pcd]
> + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy ## CONSUMES
> diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> new file mode 100644
> index 0000000000..49ba82e86f
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> @@ -0,0 +1,17 @@
> +// /** @file
> +// Provides Unified API for Hash Calculation
> +//
> +// This library is BaseHashApiLib. It will redirect hash request to
> +// each individual hash API, such as SHA1, SHA256, SHA384, SM3 based
> +// on hashing algorithm specified by PcdHashApiLibPolicy.
> +//
> +// Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT #language en-US "Provides hash
> service by specified hash handler"
> +
> +#string STR_MODULE_DESCRIPTION #language en-US "This library is
> Unified Hash API. It will redirect hash request to the hash handler specified by
> PcdHashApiLibPolicy."
> --
> 2.21.0.windows.1
[-- Attachment #2: Type: text/html, Size: 124781 bytes --]
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-04 16:26 ` Michael D Kinney
@ 2020-02-04 17:10 ` Sukerkar, Amol N
2020-02-04 18:30 ` Sukerkar, Amol N
2020-02-04 23:06 ` Yao, Jiewen
2020-02-04 22:54 ` Yao, Jiewen
1 sibling, 2 replies; 20+ messages in thread
From: Sukerkar, Amol N @ 2020-02-04 17:10 UTC (permalink / raw)
To: Kinney, Michael D, Yao, Jiewen, devel@edk2.groups.io
Cc: Wang, Jian J, Sukerkar, Amol N
Hi Jiewen and Mike,
I agree with general statement that MD4 and MD5 are deprecated. However, Although not MD4, UEFI spec 2.8 still mentions MD5 (and does not mention that it is deprecated). That is the reason MD4 and MD5 were included.
If there is going to be an update to UEFI spec deprecating MD5 as well, we can definitely go ahead and remove MD5 (and MD4). I believe the decision is should we wait until the change to UEFI spec or make the change right now. Let me know which approach we should be following.
Thanks,
Amol
-----Original Message-----
From: Kinney, Michael D <michael.d.kinney@intel.com>
Sent: Tuesday, February 04, 2020 9:26 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@intel.com>; Sukerkar, Amol N <amol.n.sukerkar@intel.com>
Cc: Wang, Jian J <jian.j.wang@intel.com>
Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
Jiewen,
I think UINT8 is fine. We can change default to 0x04 in DEC file.
I will let Amol comment on why MD4 and MD5 are included. If they are not required, then I agree they should be removed.
I do not see a reason to align with TCG spec. The HashApiLib is a layer on top of BaseCryptLib and the use of hash algorithms is not limited to TCG related content. The BaseCryptLib could potentially adopt hash algorithms that are not defined in the TCG specification. We also do not want CryptoPkg to depend on the SecurityPkg.
Thanks,
Mike
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Monday, February 3, 2020 6:54 PM
> To: Kinney, Michael D <michael.d.kinney@intel.com>;
> devel@edk2.groups.io
> Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> Implement Unified Hash Calculation API
>
> Thanks Mike, to cover us during Chinese New Year holiday.
>
> I am just back from vocation. A minor comment:
>
> The PcdHashApiLibPolicy is UINT8, but the value is shown as 32bit
> 0x00000004.
>
> There are couple of ways to enhance:
> 1) Define UINT8, and use 8bit style 0x04.
> 2) Define UINT32, and use 32bit style 0x00000004.
> 3) Define UINT16 (match TCG definition), and use TCG defined value.
> (Tpm20.h)
> #define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
> #define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
> #define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
> #define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
> #define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
>
> MD4 and MD5 are known as insecure and deprecated. I doubt if we want
> to add such support. (I strong recommend NO).
>
> If we can remove MD4 and MD5, I think we can use #3.
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: Kinney, Michael D <michael.d.kinney@intel.com>
> > Sent: Tuesday, February 4, 2020 7:36 AM
> > To: devel@edk2.groups.io
> > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> Yao, Jiewen
> > <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>
> > Subject: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> Implement Unified Hash
> > Calculation API
> >
> > From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
> >
> > https://bugzilla.tianocore.org/show_bug.cgi?id=2151
> >
> > This commit introduces a Unified Hash API to
> calculate hash using a
> > hashing algorithm specified by the PCD,
> PcdHashApiLibPolicy. This library
> > interfaces with the various hashing API, such as,
> MD4, MD5, SHA1, SHA256,
> > SHA512 and SM3_256 implemented in BaseCryptLib. The
> user can calculate
> > the desired hash by setting PcdHashApiLibPolicy to
> appropriate value.
> >
> > This feature is documented in the Bugzilla,
> > https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Signed-off-by: Amol N Sukerkar
> <amol.n.sukerkar@intel.com>
> > Reviewed-by: Michael D Kinney
> <michael.d.kinney@intel.com>
> > ---
> > CryptoPkg/CryptoPkg.dec | 20
> ++
> > CryptoPkg/CryptoPkg.dsc | 4
> +-
> > CryptoPkg/CryptoPkg.uni | 18
> +-
> > CryptoPkg/Include/Library/HashApiLib.h | 122
> +++++++
> > .../Library/BaseHashApiLib/BaseHashApiLib.c | 330
> ++++++++++++++++++
> > .../Library/BaseHashApiLib/BaseHashApiLib.inf | 44
> +++
> > .../Library/BaseHashApiLib/BaseHashApiLib.uni | 17
> +
> > 7 files changed, 553 insertions(+), 2 deletions(-) create mode
> > 100644
> CryptoPkg/Include/Library/HashApiLib.h
> > create mode 100644
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > create mode 100644
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > create mode 100644
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> >
> > diff --git a/CryptoPkg/CryptoPkg.dec
> b/CryptoPkg/CryptoPkg.dec
> > index 41af6e879e..8ad0fb5d61 100644
> > --- a/CryptoPkg/CryptoPkg.dec
> > +++ b/CryptoPkg/CryptoPkg.dec
> > @@ -33,9 +33,29 @@ [LibraryClasses]
> > ##
> > TlsLib|Include/Library/TlsLib.h
> >
> > + ## @libraryclass Provides Unified API for
> different hash implementations.
> > + #
> > + HashApiLib|Include/Library/HashApiLib.h
> > +
> > [Guids]
> > ## Crypto package token space guid.
> > gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60,
> 0x9ef7, 0x4899, { 0x97,
> > 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
> >
> > +[PcdsFixedAtBuild, PcdsPatchableInModule,
> PcdsDynamic, PcdsDynamicEx]
> > + ## This PCD indicates the HASH algorithm to
> calculate hash of data
> > + # Based on the value set, the required algorithm
> is chosen to calculate
> > + # the hash of data.<BR>
> > + # The default hashing algorithm for
> BaseHashApiLib is set to SHA256.<BR>
> > + # 0x00000001 - MD4.<BR>
> > + # 0x00000002 - MD5.<BR>
> > + # 0x00000003 - SHA1.<BR>
> > + # 0x00000004 - SHA256.<BR>
> > + # 0x00000005 - SHA384.<BR>
> > + # 0x00000006 - SHA512.<BR>
> > + # 0x00000007 - SM3_256.<BR>
> > + # @Prompt Set policy for hashing unsigned image
> for Secure Boot.
> > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > +
> >
> gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UI
> NT8|0x00000001
> > +
> > [UserExtensions.TianoCore."ExtraFiles"]
> > CryptoPkgExtra.uni
> > diff --git a/CryptoPkg/CryptoPkg.dsc
> b/CryptoPkg/CryptoPkg.dsc
> > index ec43c1f0a4..9656a73b3c 100644
> > --- a/CryptoPkg/CryptoPkg.dsc
> > +++ b/CryptoPkg/CryptoPkg.dsc
> > @@ -1,7 +1,7 @@
> > ## @file
> > # Cryptographic Library Package for UEFI Security
> Implementation.
> > #
> > -# Copyright (c) 2009 - 2018, Intel Corporation. All
> rights reserved.<BR>
> > +# Copyright (c) 2009 - 2020, Intel Corporation. All
> rights reserved.<BR>
> > # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -44,6
> > +44,7 @@ [LibraryClasses]
> >
> >
> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLi
> b.inf
> >
> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > +
> HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApi
> Lib.inf
> >
> > [LibraryClasses.ARM, LibraryClasses.AARCH64]
> > #
> > @@ -120,6 +121,7 @@ [Components]
> > CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> > CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > +
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> >
> > [Components.IA32, Components.X64]
> > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > diff --git a/CryptoPkg/CryptoPkg.uni
> b/CryptoPkg/CryptoPkg.uni
> > index beb0036ef5..0dae4c4045 100644
> > --- a/CryptoPkg/CryptoPkg.uni
> > +++ b/CryptoPkg/CryptoPkg.uni
> > @@ -4,7 +4,7 @@
> > // This Package provides cryptographic-related
> libraries for UEFI security
> > modules.
> > // It also provides a test application to test
> libraries.
> > //
> > -// Copyright (c) 2009 - 2018, Intel Corporation. All
> rights reserved.<BR>
> > +// Copyright (c) 2009 - 2020, Intel Corporation. All
> rights reserved.<BR>
> > //
> > // SPDX-License-Identifier: BSD-2-Clause-Patent // @@ -17,3 +17,19
> > @@
> >
> >
> >
> > +#string
> STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PRO
> MPT
> > #language en-US "HASH algorithm to calculate hash"
> > +
> > +#string
> STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HEL
> P
> > #language en-US "This PCD indicates the HASH
> algorithm to calculate hash of
> > data.<BR><BR>\n"
> > +
> "Based on the value set, the
> > required algorithm is chosen to calculate\n"
> > +
> "the hash of data.<BR>\n"
> > +
> "The default hashing algorithm
> > for BaseHashApiLib is set to SHA256.<BR>\n"
> > +
> "0x00000001 - MD4.<BR>\n"
> > +
> "0x00000002 - MD5.<BR>\n"
> > +
> "0x00000003 - SHA1.<BR>\n"
> > +
> "0x00000004 -
> > SHA256.<BR>\n"
> > +
> "0x00000005 -
> > SHA384.<BR>\n"
> > +
> "0x00000006 -
> > SHA512.<BR>\n"
> > +
> "0x00000007 - SM3.<BR>"
> > +
> > +
> > +
> > diff --git a/CryptoPkg/Include/Library/HashApiLib.h
> > b/CryptoPkg/Include/Library/HashApiLib.h
> > new file mode 100644
> > index 0000000000..22068e5a17
> > --- /dev/null
> > +++ b/CryptoPkg/Include/Library/HashApiLib.h
> > @@ -0,0 +1,122 @@
> > +/** @file
> > + Unified Hash API Defines
> > +
> > + This API when called will calculate the Hash using
> the
> > + hashing algorithm specified by
> PcdHashApiLibPolicy.
> > +
> > + Copyright (c) 2020, Intel Corporation. All rights
> reserved.<BR>
> > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > +
> > +**/
> > +
> > +#ifndef __BASEHASHAPILIB_H_
> > +#define __BASEHASHAPILIB_H_
> > +
> > +typedef VOID *HASH_API_CONTEXT;
> > +
> > +//
> > +// Hash Algorithms
> > +//
> > +#define HASH_API_ALGO_INVALID 0x00000000
> > +#define HASH_API_ALGO_MD4 0x00000001
> > +#define HASH_API_ALGO_MD5 0x00000002
> > +#define HASH_API_ALGO_SHA1 0x00000003
> > +#define HASH_API_ALGO_SHA256 0x00000004
> > +#define HASH_API_ALGO_SHA384 0x00000005
> > +#define HASH_API_ALGO_SHA512 0x00000006
> > +#define HASH_API_ALGO_SM3_256 0x00000007
> > +
> > +/**
> > + Retrieves the size, in bytes, of the context
> buffer required for hash operations.
> > +
> > + @return The size, in bytes, of the context buffer
> required for hash operations.
> > +**/
> > +UINTN
> > +EFIAPI
> > +HashApiGetContextSize (
> > + VOID
> > + );
> > +
> > +/**
> > + Init hash sequence.
> > +
> > + @param[out] HashContext Hash context.
> > +
> > + @retval TRUE Hash start and HashHandle
> returned.
> > + @retval FALSE Hash Init unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiInit (
> > + OUT HASH_API_CONTEXT HashContext
> > + );
> > +
> > +/**
> > + Makes a copy of an existing hash context.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[out] NewHashContext New copy of hash
> context.
> > +
> > + @retval TRUE Hash context copy succeeded.
> > + @retval FALSE Hash context copy failed.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiDuplicate (
> > + IN HASH_API_CONTEXT HashContext,
> > + OUT HASH_API_CONTEXT NewHashContext
> > + );
> > +
> > +/**
> > + Update hash data.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[in] DataToHash Data to be hashed.
> > + @param[in] DataToHashLen Data size.
> > +
> > + @retval TRUE Hash updated.
> > + @retval FALSE Hash updated unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiUpdate (
> > + IN HASH_API_CONTEXT HashContext,
> > + IN VOID *DataToHash,
> > + IN UINTN DataToHashLen
> > + );
> > +
> > +/**
> > + Hash complete.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[out] Digest Hash Digest.
> > +
> > + @retval TRUE Hash complete and Digest is
> returned.
> > + @retval FALSE Hash complete unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiFinal (
> > + IN HASH_API_CONTEXT HashContext,
> > + OUT UINT8 *Digest
> > + );
> > +
> > +/**
> > + Computes hash message digest of a input data
> buffer.
> > +
> > + @param[in] DataToHash Data to be hashed.
> > + @param[in] DataToHashLen Data size.
> > + @param[out] Digest Hash Digest.
> > +
> > + @retval TRUE Hash digest computation succeeded.
> > + @retval FALSE Hash digest computation failed.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiHashAll (
> > + IN CONST VOID *DataToHash,
> > + IN UINTN DataToHashLen,
> > + OUT UINT8 *Digest
> > + );
> > +
> > +#endif
> > diff --git
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > new file mode 100644
> > index 0000000000..277ef9f0b4
> > --- /dev/null
> > +++
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > @@ -0,0 +1,330 @@
> > +/** @file
> > + Unified Hash API Implementation
> > +
> > + This file implements the Unified Hash API.
> > +
> > + This API, when called, will calculate the Hash
> using the
> > + hashing algorithm specified by
> PcdHashApiLibPolicy.
> > +
> > + Copyright (c) 2020, Intel Corporation. All rights
> reserved.<BR>
> > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > +
> > +**/
> > +
> > +#include <Base.h>
> > +#include <Library/BaseLib.h>
> > +#include <Library/BaseMemoryLib.h>
> > +#include <Library/MemoryAllocationLib.h> #include
> > +<Library/BaseCryptLib.h> #include <Library/DebugLib.h> #include
> > +<Library/PcdLib.h> #include <Library/HashApiLib.h>
> > +
> > +/**
> > + Retrieves the size, in bytes, of the context
> buffer required for hash operations.
> > +
> > + @return The size, in bytes, of the context buffer
> required for hash operations.
> > +**/
> > +UINTN
> > +EFIAPI
> > +HashApiGetContextSize (
> > + VOID
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3GetContextSize ();
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return 0;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Init hash sequence.
> > +
> > + @param[out] HashContext Hash context.
> > +
> > + @retval TRUE Hash start and HashHandle
> returned.
> > + @retval FALSE Hash Init unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiInit (
> > + OUT HASH_API_CONTEXT HashContext
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3Init (HashContext);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Makes a copy of an existing hash context.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[out] NewHashContext New copy of hash
> context.
> > +
> > + @retval TRUE Hash context copy succeeded.
> > + @retval FALSE Hash context copy failed.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiDuplicate (
> > + IN HASH_API_CONTEXT HashContext,
> > + OUT HASH_API_CONTEXT NewHashContext
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Update hash data.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[in] DataToHash Data to be hashed.
> > + @param[in] DataToHashLen Data size.
> > +
> > + @retval TRUE Hash updated.
> > + @retval FALSE Hash updated unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiUpdate (
> > + IN HASH_API_CONTEXT HashContext,
> > + IN VOID *DataToHash,
> > + IN UINTN DataToHashLen
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Hash complete.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[out] Digest Hash Digest.
> > +
> > + @retval TRUE Hash complete and Digest is
> returned.
> > + @retval FALSE Hash complete unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiFinal (
> > + IN HASH_API_CONTEXT HashContext,
> > + OUT UINT8 *Digest
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3Final (HashContext, Digest);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Computes hash message digest of a input data
> buffer.
> > +
> > + @param[in] DataToHash Data to be hashed.
> > + @param[in] DataToHashLen Data size.
> > + @param[out] Digest Hash Digest.
> > +
> > + @retval TRUE Hash digest computation succeeded.
> > + @retval FALSE Hash digest computation failed.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiHashAll (
> > + IN CONST VOID *DataToHash,
> > + IN UINTN DataToHashLen,
> > + OUT UINT8 *Digest
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4HashAll (DataToHash, DataToHashLen,
> Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5HashAll (DataToHash, DataToHashLen,
> Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1HashAll (DataToHash, DataToHashLen,
> Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256HashAll (DataToHash,
> DataToHashLen, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384HashAll (DataToHash,
> DataToHashLen, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512HashAll (DataToHash,
> DataToHashLen, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3HashAll (DataToHash, DataToHashLen,
> Digest);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > diff --git
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > new file mode 100644
> > index 0000000000..b4d8675ddd
> > --- /dev/null
> > +++
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > @@ -0,0 +1,44 @@
> > +## @file
> > +# Provides Unified API for Hash Calculation # # This library is
> > +BaseHashApiLib. It will redirect
> hash request to
> > +# each individual hash API, such as SHA1, SHA256,
> SHA384, SM3 based
> > +# on hashing algorithm specified by
> PcdHashApiLibPolicy.
> > +#
> > +# Copyright (c) 2020, Intel Corporation. All rights
> reserved.<BR>
> > +# SPDX-License-Identifier: BSD-2-Clause-Patent # ##
> > +
> > +[Defines]
> > + INF_VERSION = 0x00010005
> > + BASE_NAME = BaseHashApiLib
> > + MODULE_UNI_FILE =
> BaseHashApiLib.uni
> > + FILE_GUID = B1E566DD-DE7C-
> 4F04-BDA0-B1295D3BE927
> > + MODULE_TYPE = BASE
> > + VERSION_STRING = 1.0
> > + LIBRARY_CLASS = BaseHashApiLib
> > +
> > +#
> > +# The following information is for reference only
> and not required by the build
> > tools.
> > +#
> > +# VALID_ARCHITECTURES = IA32 X64
> > +#
> > +
> > +[Sources]
> > + BaseHashApiLib.c
> > +
> > +[Packages]
> > + MdePkg/MdePkg.dec
> > + CryptoPkg/CryptoPkg.dec
> > +
> > +[LibraryClasses]
> > + BaseLib
> > + BaseMemoryLib
> > + DebugLib
> > + MemoryAllocationLib
> > + BaseCryptLib
> > + PcdLib
> > +
> > +[Pcd]
> > + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy
> ## CONSUMES
> > diff --git
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > new file mode 100644
> > index 0000000000..49ba82e86f
> > --- /dev/null
> > +++
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > @@ -0,0 +1,17 @@
> > +// /** @file
> > +// Provides Unified API for Hash Calculation // // This library is
> > +BaseHashApiLib. It will redirect
> hash request to
> > +// each individual hash API, such as SHA1, SHA256,
> SHA384, SM3 based
> > +// on hashing algorithm specified by
> PcdHashApiLibPolicy.
> > +//
> > +// Copyright (c) 2020, Intel Corporation. All rights
> reserved.<BR>
> > +//
> > +// SPDX-License-Identifier: BSD-2-Clause-Patent // // **/
> > +
> > +
> > +#string STR_MODULE_ABSTRACT #language
> en-US "Provides hash
> > service by specified hash handler"
> > +
> > +#string STR_MODULE_DESCRIPTION #language
> en-US "This library is
> > Unified Hash API. It will redirect hash request to
> the hash handler specified by
> > PcdHashApiLibPolicy."
> > --
> > 2.21.0.windows.1
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-04 17:10 ` Sukerkar, Amol N
@ 2020-02-04 18:30 ` Sukerkar, Amol N
2020-02-04 23:06 ` Yao, Jiewen
1 sibling, 0 replies; 20+ messages in thread
From: Sukerkar, Amol N @ 2020-02-04 18:30 UTC (permalink / raw)
To: Kinney, Michael D, Yao, Jiewen, devel@edk2.groups.io
Cc: Wang, Jian J, Sukerkar, Amol N
Hi Mike, Jiewen and Jian,
Do I need to follow any crypto review guidelines for this patch? I am not enabling any new crypto. Need your input.
Thanks,
Amol
-----Original Message-----
From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
Sent: Tuesday, February 04, 2020 10:10 AM
To: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@intel.com>; Sukerkar, Amol N <amol.n.sukerkar@intel.com>
Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
Hi Jiewen and Mike,
I agree with general statement that MD4 and MD5 are deprecated. However, Although not MD4, UEFI spec 2.8 still mentions MD5 (and does not mention that it is deprecated). That is the reason MD4 and MD5 were included.
If there is going to be an update to UEFI spec deprecating MD5 as well, we can definitely go ahead and remove MD5 (and MD4). I believe the decision is should we wait until the change to UEFI spec or make the change right now. Let me know which approach we should be following.
Thanks,
Amol
-----Original Message-----
From: Kinney, Michael D <michael.d.kinney@intel.com>
Sent: Tuesday, February 04, 2020 9:26 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@intel.com>; Sukerkar, Amol N <amol.n.sukerkar@intel.com>
Cc: Wang, Jian J <jian.j.wang@intel.com>
Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
Jiewen,
I think UINT8 is fine. We can change default to 0x04 in DEC file.
I will let Amol comment on why MD4 and MD5 are included. If they are not required, then I agree they should be removed.
I do not see a reason to align with TCG spec. The HashApiLib is a layer on top of BaseCryptLib and the use of hash algorithms is not limited to TCG related content. The BaseCryptLib could potentially adopt hash algorithms that are not defined in the TCG specification. We also do not want CryptoPkg to depend on the SecurityPkg.
Thanks,
Mike
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Monday, February 3, 2020 6:54 PM
> To: Kinney, Michael D <michael.d.kinney@intel.com>;
> devel@edk2.groups.io
> Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> Implement Unified Hash Calculation API
>
> Thanks Mike, to cover us during Chinese New Year holiday.
>
> I am just back from vocation. A minor comment:
>
> The PcdHashApiLibPolicy is UINT8, but the value is shown as 32bit
> 0x00000004.
>
> There are couple of ways to enhance:
> 1) Define UINT8, and use 8bit style 0x04.
> 2) Define UINT32, and use 32bit style 0x00000004.
> 3) Define UINT16 (match TCG definition), and use TCG defined value.
> (Tpm20.h)
> #define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
> #define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
> #define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
> #define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
> #define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
>
> MD4 and MD5 are known as insecure and deprecated. I doubt if we want
> to add such support. (I strong recommend NO).
>
> If we can remove MD4 and MD5, I think we can use #3.
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: Kinney, Michael D <michael.d.kinney@intel.com>
> > Sent: Tuesday, February 4, 2020 7:36 AM
> > To: devel@edk2.groups.io
> > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> Yao, Jiewen
> > <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>
> > Subject: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> Implement Unified Hash
> > Calculation API
> >
> > From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
> >
> > https://bugzilla.tianocore.org/show_bug.cgi?id=2151
> >
> > This commit introduces a Unified Hash API to
> calculate hash using a
> > hashing algorithm specified by the PCD,
> PcdHashApiLibPolicy. This library
> > interfaces with the various hashing API, such as,
> MD4, MD5, SHA1, SHA256,
> > SHA512 and SM3_256 implemented in BaseCryptLib. The
> user can calculate
> > the desired hash by setting PcdHashApiLibPolicy to
> appropriate value.
> >
> > This feature is documented in the Bugzilla,
> > https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Signed-off-by: Amol N Sukerkar
> <amol.n.sukerkar@intel.com>
> > Reviewed-by: Michael D Kinney
> <michael.d.kinney@intel.com>
> > ---
> > CryptoPkg/CryptoPkg.dec | 20
> ++
> > CryptoPkg/CryptoPkg.dsc | 4
> +-
> > CryptoPkg/CryptoPkg.uni | 18
> +-
> > CryptoPkg/Include/Library/HashApiLib.h | 122
> +++++++
> > .../Library/BaseHashApiLib/BaseHashApiLib.c | 330
> ++++++++++++++++++
> > .../Library/BaseHashApiLib/BaseHashApiLib.inf | 44
> +++
> > .../Library/BaseHashApiLib/BaseHashApiLib.uni | 17
> +
> > 7 files changed, 553 insertions(+), 2 deletions(-) create mode
> > 100644
> CryptoPkg/Include/Library/HashApiLib.h
> > create mode 100644
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > create mode 100644
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > create mode 100644
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> >
> > diff --git a/CryptoPkg/CryptoPkg.dec
> b/CryptoPkg/CryptoPkg.dec
> > index 41af6e879e..8ad0fb5d61 100644
> > --- a/CryptoPkg/CryptoPkg.dec
> > +++ b/CryptoPkg/CryptoPkg.dec
> > @@ -33,9 +33,29 @@ [LibraryClasses]
> > ##
> > TlsLib|Include/Library/TlsLib.h
> >
> > + ## @libraryclass Provides Unified API for
> different hash implementations.
> > + #
> > + HashApiLib|Include/Library/HashApiLib.h
> > +
> > [Guids]
> > ## Crypto package token space guid.
> > gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60,
> 0x9ef7, 0x4899, { 0x97,
> > 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
> >
> > +[PcdsFixedAtBuild, PcdsPatchableInModule,
> PcdsDynamic, PcdsDynamicEx]
> > + ## This PCD indicates the HASH algorithm to
> calculate hash of data
> > + # Based on the value set, the required algorithm
> is chosen to calculate
> > + # the hash of data.<BR>
> > + # The default hashing algorithm for
> BaseHashApiLib is set to SHA256.<BR>
> > + # 0x00000001 - MD4.<BR>
> > + # 0x00000002 - MD5.<BR>
> > + # 0x00000003 - SHA1.<BR>
> > + # 0x00000004 - SHA256.<BR>
> > + # 0x00000005 - SHA384.<BR>
> > + # 0x00000006 - SHA512.<BR>
> > + # 0x00000007 - SM3_256.<BR>
> > + # @Prompt Set policy for hashing unsigned image
> for Secure Boot.
> > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > +
> >
> gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UI
> NT8|0x00000001
> > +
> > [UserExtensions.TianoCore."ExtraFiles"]
> > CryptoPkgExtra.uni
> > diff --git a/CryptoPkg/CryptoPkg.dsc
> b/CryptoPkg/CryptoPkg.dsc
> > index ec43c1f0a4..9656a73b3c 100644
> > --- a/CryptoPkg/CryptoPkg.dsc
> > +++ b/CryptoPkg/CryptoPkg.dsc
> > @@ -1,7 +1,7 @@
> > ## @file
> > # Cryptographic Library Package for UEFI Security
> Implementation.
> > #
> > -# Copyright (c) 2009 - 2018, Intel Corporation. All
> rights reserved.<BR>
> > +# Copyright (c) 2009 - 2020, Intel Corporation. All
> rights reserved.<BR>
> > # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -44,6
> > +44,7 @@ [LibraryClasses]
> >
> >
> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLi
> b.inf
> >
> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > +
> HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApi
> Lib.inf
> >
> > [LibraryClasses.ARM, LibraryClasses.AARCH64]
> > #
> > @@ -120,6 +121,7 @@ [Components]
> > CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> > CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > +
> CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> >
> > [Components.IA32, Components.X64]
> > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > diff --git a/CryptoPkg/CryptoPkg.uni
> b/CryptoPkg/CryptoPkg.uni
> > index beb0036ef5..0dae4c4045 100644
> > --- a/CryptoPkg/CryptoPkg.uni
> > +++ b/CryptoPkg/CryptoPkg.uni
> > @@ -4,7 +4,7 @@
> > // This Package provides cryptographic-related
> libraries for UEFI security
> > modules.
> > // It also provides a test application to test
> libraries.
> > //
> > -// Copyright (c) 2009 - 2018, Intel Corporation. All
> rights reserved.<BR>
> > +// Copyright (c) 2009 - 2020, Intel Corporation. All
> rights reserved.<BR>
> > //
> > // SPDX-License-Identifier: BSD-2-Clause-Patent // @@ -17,3 +17,19
> > @@
> >
> >
> >
> > +#string
> STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PRO
> MPT
> > #language en-US "HASH algorithm to calculate hash"
> > +
> > +#string
> STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HEL
> P
> > #language en-US "This PCD indicates the HASH
> algorithm to calculate hash of
> > data.<BR><BR>\n"
> > +
> "Based on the value set, the
> > required algorithm is chosen to calculate\n"
> > +
> "the hash of data.<BR>\n"
> > +
> "The default hashing algorithm
> > for BaseHashApiLib is set to SHA256.<BR>\n"
> > +
> "0x00000001 - MD4.<BR>\n"
> > +
> "0x00000002 - MD5.<BR>\n"
> > +
> "0x00000003 - SHA1.<BR>\n"
> > +
> "0x00000004 -
> > SHA256.<BR>\n"
> > +
> "0x00000005 -
> > SHA384.<BR>\n"
> > +
> "0x00000006 -
> > SHA512.<BR>\n"
> > +
> "0x00000007 - SM3.<BR>"
> > +
> > +
> > +
> > diff --git a/CryptoPkg/Include/Library/HashApiLib.h
> > b/CryptoPkg/Include/Library/HashApiLib.h
> > new file mode 100644
> > index 0000000000..22068e5a17
> > --- /dev/null
> > +++ b/CryptoPkg/Include/Library/HashApiLib.h
> > @@ -0,0 +1,122 @@
> > +/** @file
> > + Unified Hash API Defines
> > +
> > + This API when called will calculate the Hash using
> the
> > + hashing algorithm specified by
> PcdHashApiLibPolicy.
> > +
> > + Copyright (c) 2020, Intel Corporation. All rights
> reserved.<BR>
> > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > +
> > +**/
> > +
> > +#ifndef __BASEHASHAPILIB_H_
> > +#define __BASEHASHAPILIB_H_
> > +
> > +typedef VOID *HASH_API_CONTEXT;
> > +
> > +//
> > +// Hash Algorithms
> > +//
> > +#define HASH_API_ALGO_INVALID 0x00000000
> > +#define HASH_API_ALGO_MD4 0x00000001
> > +#define HASH_API_ALGO_MD5 0x00000002
> > +#define HASH_API_ALGO_SHA1 0x00000003
> > +#define HASH_API_ALGO_SHA256 0x00000004
> > +#define HASH_API_ALGO_SHA384 0x00000005
> > +#define HASH_API_ALGO_SHA512 0x00000006
> > +#define HASH_API_ALGO_SM3_256 0x00000007
> > +
> > +/**
> > + Retrieves the size, in bytes, of the context
> buffer required for hash operations.
> > +
> > + @return The size, in bytes, of the context buffer
> required for hash operations.
> > +**/
> > +UINTN
> > +EFIAPI
> > +HashApiGetContextSize (
> > + VOID
> > + );
> > +
> > +/**
> > + Init hash sequence.
> > +
> > + @param[out] HashContext Hash context.
> > +
> > + @retval TRUE Hash start and HashHandle
> returned.
> > + @retval FALSE Hash Init unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiInit (
> > + OUT HASH_API_CONTEXT HashContext
> > + );
> > +
> > +/**
> > + Makes a copy of an existing hash context.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[out] NewHashContext New copy of hash
> context.
> > +
> > + @retval TRUE Hash context copy succeeded.
> > + @retval FALSE Hash context copy failed.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiDuplicate (
> > + IN HASH_API_CONTEXT HashContext,
> > + OUT HASH_API_CONTEXT NewHashContext
> > + );
> > +
> > +/**
> > + Update hash data.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[in] DataToHash Data to be hashed.
> > + @param[in] DataToHashLen Data size.
> > +
> > + @retval TRUE Hash updated.
> > + @retval FALSE Hash updated unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiUpdate (
> > + IN HASH_API_CONTEXT HashContext,
> > + IN VOID *DataToHash,
> > + IN UINTN DataToHashLen
> > + );
> > +
> > +/**
> > + Hash complete.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[out] Digest Hash Digest.
> > +
> > + @retval TRUE Hash complete and Digest is
> returned.
> > + @retval FALSE Hash complete unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiFinal (
> > + IN HASH_API_CONTEXT HashContext,
> > + OUT UINT8 *Digest
> > + );
> > +
> > +/**
> > + Computes hash message digest of a input data
> buffer.
> > +
> > + @param[in] DataToHash Data to be hashed.
> > + @param[in] DataToHashLen Data size.
> > + @param[out] Digest Hash Digest.
> > +
> > + @retval TRUE Hash digest computation succeeded.
> > + @retval FALSE Hash digest computation failed.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiHashAll (
> > + IN CONST VOID *DataToHash,
> > + IN UINTN DataToHashLen,
> > + OUT UINT8 *Digest
> > + );
> > +
> > +#endif
> > diff --git
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > new file mode 100644
> > index 0000000000..277ef9f0b4
> > --- /dev/null
> > +++
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > @@ -0,0 +1,330 @@
> > +/** @file
> > + Unified Hash API Implementation
> > +
> > + This file implements the Unified Hash API.
> > +
> > + This API, when called, will calculate the Hash
> using the
> > + hashing algorithm specified by
> PcdHashApiLibPolicy.
> > +
> > + Copyright (c) 2020, Intel Corporation. All rights
> reserved.<BR>
> > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > +
> > +**/
> > +
> > +#include <Base.h>
> > +#include <Library/BaseLib.h>
> > +#include <Library/BaseMemoryLib.h>
> > +#include <Library/MemoryAllocationLib.h> #include
> > +<Library/BaseCryptLib.h> #include <Library/DebugLib.h> #include
> > +<Library/PcdLib.h> #include <Library/HashApiLib.h>
> > +
> > +/**
> > + Retrieves the size, in bytes, of the context
> buffer required for hash operations.
> > +
> > + @return The size, in bytes, of the context buffer
> required for hash operations.
> > +**/
> > +UINTN
> > +EFIAPI
> > +HashApiGetContextSize (
> > + VOID
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512GetContextSize ();
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3GetContextSize ();
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return 0;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Init hash sequence.
> > +
> > + @param[out] HashContext Hash context.
> > +
> > + @retval TRUE Hash start and HashHandle
> returned.
> > + @retval FALSE Hash Init unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiInit (
> > + OUT HASH_API_CONTEXT HashContext
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512Init (HashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3Init (HashContext);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Makes a copy of an existing hash context.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[out] NewHashContext New copy of hash
> context.
> > +
> > + @retval TRUE Hash context copy succeeded.
> > + @retval FALSE Hash context copy failed.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiDuplicate (
> > + IN HASH_API_CONTEXT HashContext,
> > + OUT HASH_API_CONTEXT NewHashContext
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3Duplicate (HashContext,
> NewHashContext);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Update hash data.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[in] DataToHash Data to be hashed.
> > + @param[in] DataToHashLen Data size.
> > +
> > + @retval TRUE Hash updated.
> > + @retval FALSE Hash updated unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiUpdate (
> > + IN HASH_API_CONTEXT HashContext,
> > + IN VOID *DataToHash,
> > + IN UINTN DataToHashLen
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3Update (HashContext, DataToHash,
> DataToHashLen);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Hash complete.
> > +
> > + @param[in] HashContext Hash context.
> > + @param[out] Digest Hash Digest.
> > +
> > + @retval TRUE Hash complete and Digest is
> returned.
> > + @retval FALSE Hash complete unsuccessful.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiFinal (
> > + IN HASH_API_CONTEXT HashContext,
> > + OUT UINT8 *Digest
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512Final (HashContext, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3Final (HashContext, Digest);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > +
> > +/**
> > + Computes hash message digest of a input data
> buffer.
> > +
> > + @param[in] DataToHash Data to be hashed.
> > + @param[in] DataToHashLen Data size.
> > + @param[out] Digest Hash Digest.
> > +
> > + @retval TRUE Hash digest computation succeeded.
> > + @retval FALSE Hash digest computation failed.
> > +**/
> > +BOOLEAN
> > +EFIAPI
> > +HashApiHashAll (
> > + IN CONST VOID *DataToHash,
> > + IN UINTN DataToHashLen,
> > + OUT UINT8 *Digest
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4HashAll (DataToHash, DataToHashLen,
> Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_MD5:
> > + return Md5HashAll (DataToHash, DataToHashLen,
> Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA1:
> > + return Sha1HashAll (DataToHash, DataToHashLen,
> Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA256:
> > + return Sha256HashAll (DataToHash,
> DataToHashLen, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA384:
> > + return Sha384HashAll (DataToHash,
> DataToHashLen, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SHA512:
> > + return Sha512HashAll (DataToHash,
> DataToHashLen, Digest);
> > + break;
> > +
> > + case HASH_API_ALGO_SM3_256:
> > + return Sm3HashAll (DataToHash, DataToHashLen,
> Digest);
> > + break;
> > +
> > + default:
> > + ASSERT (FALSE);
> > + return FALSE;
> > + break;
> > + }
> > +}
> > diff --git
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > new file mode 100644
> > index 0000000000..b4d8675ddd
> > --- /dev/null
> > +++
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > @@ -0,0 +1,44 @@
> > +## @file
> > +# Provides Unified API for Hash Calculation # # This library is
> > +BaseHashApiLib. It will redirect
> hash request to
> > +# each individual hash API, such as SHA1, SHA256,
> SHA384, SM3 based
> > +# on hashing algorithm specified by
> PcdHashApiLibPolicy.
> > +#
> > +# Copyright (c) 2020, Intel Corporation. All rights
> reserved.<BR>
> > +# SPDX-License-Identifier: BSD-2-Clause-Patent # ##
> > +
> > +[Defines]
> > + INF_VERSION = 0x00010005
> > + BASE_NAME = BaseHashApiLib
> > + MODULE_UNI_FILE =
> BaseHashApiLib.uni
> > + FILE_GUID = B1E566DD-DE7C-
> 4F04-BDA0-B1295D3BE927
> > + MODULE_TYPE = BASE
> > + VERSION_STRING = 1.0
> > + LIBRARY_CLASS = BaseHashApiLib
> > +
> > +#
> > +# The following information is for reference only
> and not required by the build
> > tools.
> > +#
> > +# VALID_ARCHITECTURES = IA32 X64
> > +#
> > +
> > +[Sources]
> > + BaseHashApiLib.c
> > +
> > +[Packages]
> > + MdePkg/MdePkg.dec
> > + CryptoPkg/CryptoPkg.dec
> > +
> > +[LibraryClasses]
> > + BaseLib
> > + BaseMemoryLib
> > + DebugLib
> > + MemoryAllocationLib
> > + BaseCryptLib
> > + PcdLib
> > +
> > +[Pcd]
> > + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy
> ## CONSUMES
> > diff --git
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > new file mode 100644
> > index 0000000000..49ba82e86f
> > --- /dev/null
> > +++
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > @@ -0,0 +1,17 @@
> > +// /** @file
> > +// Provides Unified API for Hash Calculation // // This library is
> > +BaseHashApiLib. It will redirect
> hash request to
> > +// each individual hash API, such as SHA1, SHA256,
> SHA384, SM3 based
> > +// on hashing algorithm specified by
> PcdHashApiLibPolicy.
> > +//
> > +// Copyright (c) 2020, Intel Corporation. All rights
> reserved.<BR>
> > +//
> > +// SPDX-License-Identifier: BSD-2-Clause-Patent // // **/
> > +
> > +
> > +#string STR_MODULE_ABSTRACT #language
> en-US "Provides hash
> > service by specified hash handler"
> > +
> > +#string STR_MODULE_DESCRIPTION #language
> en-US "This library is
> > Unified Hash API. It will redirect hash request to
> the hash handler specified by
> > PcdHashApiLibPolicy."
> > --
> > 2.21.0.windows.1
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-04 16:26 ` Michael D Kinney
2020-02-04 17:10 ` Sukerkar, Amol N
@ 2020-02-04 22:54 ` Yao, Jiewen
2020-02-05 1:04 ` Michael D Kinney
1 sibling, 1 reply; 20+ messages in thread
From: Yao, Jiewen @ 2020-02-04 22:54 UTC (permalink / raw)
To: Kinney, Michael D, devel@edk2.groups.io, Sukerkar, Amol N; +Cc: Wang, Jian J
Mike
The problem of defining a set of algo ID is that I have to remember the ID.
I feel frustrated whenever I need match one ID to the other ID.
Currently, UEFI secure boot and TCG trusted boot are important feature. If we can align to one of them, it is easier. I believe if we have a consistent ID mapping, it will be much better for developer.
Current TPM20.h is defined in MdePkg (not in SecurityPkg) and is considered as an industry standard. I do not see any dependency issue.
We can define a new set - not a technical problem. I am just not sure why we have to. Or we can define it with the same value as TPM. See below list. I believe it will cover majority of current usage and current standard.
> > > + # 0x0004 - SHA1.<BR>
> > > + # 0x000B - SHA256.<BR>
> > > + # 0x000C - SHA384.<BR>
> > > + # 0x000D - SHA512.<BR>
> > > + # 0x0012 - SM3_256.<BR>
> > > + # 0x0027 - SHA3_256.<BR>
> > > + # 0x0028 - SHA3_384.<BR>
> > > + # 0x0029 - SHA3_512.<BR>
> -----Original Message-----
> From: Kinney, Michael D <michael.d.kinney@intel.com>
> Sent: Wednesday, February 5, 2020 12:26 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Kinney,
> Michael D <michael.d.kinney@intel.com>; Sukerkar, Amol N
> <amol.n.sukerkar@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash
> Calculation API
>
> Jiewen,
>
> I think UINT8 is fine. We can change default to 0x04 in DEC file.
>
> I will let Amol comment on why MD4 and MD5 are included. If
> they are not required, then I agree they should be removed.
>
> I do not see a reason to align with TCG spec. The HashApiLib
> is a layer on top of BaseCryptLib and the use of hash algorithms
> is not limited to TCG related content. The BaseCryptLib
> could potentially adopt hash algorithms that are not defined
> in the TCG specification. We also do not want CryptoPkg to
> depend on the SecurityPkg.
>
> Thanks,
>
> Mike
>
> > -----Original Message-----
> > From: Yao, Jiewen <jiewen.yao@intel.com>
> > Sent: Monday, February 3, 2020 6:54 PM
> > To: Kinney, Michael D <michael.d.kinney@intel.com>;
> > devel@edk2.groups.io
> > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Wang,
> > Jian J <jian.j.wang@intel.com>
> > Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> > Implement Unified Hash Calculation API
> >
> > Thanks Mike, to cover us during Chinese New Year
> > holiday.
> >
> > I am just back from vocation. A minor comment:
> >
> > The PcdHashApiLibPolicy is UINT8, but the value is
> > shown as 32bit 0x00000004.
> >
> > There are couple of ways to enhance:
> > 1) Define UINT8, and use 8bit style 0x04.
> > 2) Define UINT32, and use 32bit style 0x00000004.
> > 3) Define UINT16 (match TCG definition), and use TCG
> > defined value. (Tpm20.h)
> > #define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
> > #define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
> > #define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
> > #define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
> > #define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
> >
> > MD4 and MD5 are known as insecure and deprecated. I
> > doubt if we want to add such support. (I strong
> > recommend NO).
> >
> > If we can remove MD4 and MD5, I think we can use #3.
> >
> > Thank you
> > Yao Jiewen
> >
> > > -----Original Message-----
> > > From: Kinney, Michael D <michael.d.kinney@intel.com>
> > > Sent: Tuesday, February 4, 2020 7:36 AM
> > > To: devel@edk2.groups.io
> > > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> > Yao, Jiewen
> > > <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>
> > > Subject: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> > Implement Unified Hash
> > > Calculation API
> > >
> > > From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
> > >
> > > https://bugzilla.tianocore.org/show_bug.cgi?id=2151
> > >
> > > This commit introduces a Unified Hash API to
> > calculate hash using a
> > > hashing algorithm specified by the PCD,
> > PcdHashApiLibPolicy. This library
> > > interfaces with the various hashing API, such as,
> > MD4, MD5, SHA1, SHA256,
> > > SHA512 and SM3_256 implemented in BaseCryptLib. The
> > user can calculate
> > > the desired hash by setting PcdHashApiLibPolicy to
> > appropriate value.
> > >
> > > This feature is documented in the Bugzilla,
> > > https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
> > >
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Signed-off-by: Amol N Sukerkar
> > <amol.n.sukerkar@intel.com>
> > > Reviewed-by: Michael D Kinney
> > <michael.d.kinney@intel.com>
> > > ---
> > > CryptoPkg/CryptoPkg.dec | 20
> > ++
> > > CryptoPkg/CryptoPkg.dsc | 4
> > +-
> > > CryptoPkg/CryptoPkg.uni | 18
> > +-
> > > CryptoPkg/Include/Library/HashApiLib.h | 122
> > +++++++
> > > .../Library/BaseHashApiLib/BaseHashApiLib.c | 330
> > ++++++++++++++++++
> > > .../Library/BaseHashApiLib/BaseHashApiLib.inf | 44
> > +++
> > > .../Library/BaseHashApiLib/BaseHashApiLib.uni | 17
> > +
> > > 7 files changed, 553 insertions(+), 2 deletions(-)
> > > create mode 100644
> > CryptoPkg/Include/Library/HashApiLib.h
> > > create mode 100644
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > create mode 100644
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > create mode 100644
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > >
> > > diff --git a/CryptoPkg/CryptoPkg.dec
> > b/CryptoPkg/CryptoPkg.dec
> > > index 41af6e879e..8ad0fb5d61 100644
> > > --- a/CryptoPkg/CryptoPkg.dec
> > > +++ b/CryptoPkg/CryptoPkg.dec
> > > @@ -33,9 +33,29 @@ [LibraryClasses]
> > > ##
> > > TlsLib|Include/Library/TlsLib.h
> > >
> > > + ## @libraryclass Provides Unified API for
> > different hash implementations.
> > > + #
> > > + HashApiLib|Include/Library/HashApiLib.h
> > > +
> > > [Guids]
> > > ## Crypto package token space guid.
> > > gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60,
> > 0x9ef7, 0x4899, { 0x97,
> > > 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
> > >
> > > +[PcdsFixedAtBuild, PcdsPatchableInModule,
> > PcdsDynamic, PcdsDynamicEx]
> > > + ## This PCD indicates the HASH algorithm to
> > calculate hash of data
> > > + # Based on the value set, the required algorithm
> > is chosen to calculate
> > > + # the hash of data.<BR>
> > > + # The default hashing algorithm for
> > BaseHashApiLib is set to SHA256.<BR>
> > > + # 0x00000001 - MD4.<BR>
> > > + # 0x00000002 - MD5.<BR>
> > > + # 0x00000003 - SHA1.<BR>
> > > + # 0x00000004 - SHA256.<BR>
> > > + # 0x00000005 - SHA384.<BR>
> > > + # 0x00000006 - SHA512.<BR>
> > > + # 0x00000007 - SM3_256.<BR>
> > > + # @Prompt Set policy for hashing unsigned image
> > for Secure Boot.
> > > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > > +
> > >
> > gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UI
> > NT8|0x00000001
> > > +
> > > [UserExtensions.TianoCore."ExtraFiles"]
> > > CryptoPkgExtra.uni
> > > diff --git a/CryptoPkg/CryptoPkg.dsc
> > b/CryptoPkg/CryptoPkg.dsc
> > > index ec43c1f0a4..9656a73b3c 100644
> > > --- a/CryptoPkg/CryptoPkg.dsc
> > > +++ b/CryptoPkg/CryptoPkg.dsc
> > > @@ -1,7 +1,7 @@
> > > ## @file
> > > # Cryptographic Library Package for UEFI Security
> > Implementation.
> > > #
> > > -# Copyright (c) 2009 - 2018, Intel Corporation. All
> > rights reserved.<BR>
> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All
> > rights reserved.<BR>
> > > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > > #
> > > ##
> > > @@ -44,6 +44,7 @@ [LibraryClasses]
> > >
> > >
> > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLi
> > b.inf
> > >
> > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > +
> > HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApi
> > Lib.inf
> > >
> > > [LibraryClasses.ARM, LibraryClasses.AARCH64]
> > > #
> > > @@ -120,6 +121,7 @@ [Components]
> > > CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> > > CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > > +
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > >
> > > [Components.IA32, Components.X64]
> > > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > > diff --git a/CryptoPkg/CryptoPkg.uni
> > b/CryptoPkg/CryptoPkg.uni
> > > index beb0036ef5..0dae4c4045 100644
> > > --- a/CryptoPkg/CryptoPkg.uni
> > > +++ b/CryptoPkg/CryptoPkg.uni
> > > @@ -4,7 +4,7 @@
> > > // This Package provides cryptographic-related
> > libraries for UEFI security
> > > modules.
> > > // It also provides a test application to test
> > libraries.
> > > //
> > > -// Copyright (c) 2009 - 2018, Intel Corporation. All
> > rights reserved.<BR>
> > > +// Copyright (c) 2009 - 2020, Intel Corporation. All
> > rights reserved.<BR>
> > > //
> > > // SPDX-License-Identifier: BSD-2-Clause-Patent
> > > //
> > > @@ -17,3 +17,19 @@
> > >
> > >
> > >
> > > +#string
> > STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PRO
> > MPT
> > > #language en-US "HASH algorithm to calculate hash"
> > > +
> > > +#string
> > STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HEL
> > P
> > > #language en-US "This PCD indicates the HASH
> > algorithm to calculate hash of
> > > data.<BR><BR>\n"
> > > +
> > "Based on the value set, the
> > > required algorithm is chosen to calculate\n"
> > > +
> > "the hash of data.<BR>\n"
> > > +
> > "The default hashing algorithm
> > > for BaseHashApiLib is set to SHA256.<BR>\n"
> > > +
> > "0x00000001 - MD4.<BR>\n"
> > > +
> > "0x00000002 - MD5.<BR>\n"
> > > +
> > "0x00000003 - SHA1.<BR>\n"
> > > +
> > "0x00000004 -
> > > SHA256.<BR>\n"
> > > +
> > "0x00000005 -
> > > SHA384.<BR>\n"
> > > +
> > "0x00000006 -
> > > SHA512.<BR>\n"
> > > +
> > "0x00000007 - SM3.<BR>"
> > > +
> > > +
> > > +
> > > diff --git a/CryptoPkg/Include/Library/HashApiLib.h
> > > b/CryptoPkg/Include/Library/HashApiLib.h
> > > new file mode 100644
> > > index 0000000000..22068e5a17
> > > --- /dev/null
> > > +++ b/CryptoPkg/Include/Library/HashApiLib.h
> > > @@ -0,0 +1,122 @@
> > > +/** @file
> > > + Unified Hash API Defines
> > > +
> > > + This API when called will calculate the Hash using
> > the
> > > + hashing algorithm specified by
> > PcdHashApiLibPolicy.
> > > +
> > > + Copyright (c) 2020, Intel Corporation. All rights
> > reserved.<BR>
> > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > +
> > > +**/
> > > +
> > > +#ifndef __BASEHASHAPILIB_H_
> > > +#define __BASEHASHAPILIB_H_
> > > +
> > > +typedef VOID *HASH_API_CONTEXT;
> > > +
> > > +//
> > > +// Hash Algorithms
> > > +//
> > > +#define HASH_API_ALGO_INVALID 0x00000000
> > > +#define HASH_API_ALGO_MD4 0x00000001
> > > +#define HASH_API_ALGO_MD5 0x00000002
> > > +#define HASH_API_ALGO_SHA1 0x00000003
> > > +#define HASH_API_ALGO_SHA256 0x00000004
> > > +#define HASH_API_ALGO_SHA384 0x00000005
> > > +#define HASH_API_ALGO_SHA512 0x00000006
> > > +#define HASH_API_ALGO_SM3_256 0x00000007
> > > +
> > > +/**
> > > + Retrieves the size, in bytes, of the context
> > buffer required for hash operations.
> > > +
> > > + @return The size, in bytes, of the context buffer
> > required for hash operations.
> > > +**/
> > > +UINTN
> > > +EFIAPI
> > > +HashApiGetContextSize (
> > > + VOID
> > > + );
> > > +
> > > +/**
> > > + Init hash sequence.
> > > +
> > > + @param[out] HashContext Hash context.
> > > +
> > > + @retval TRUE Hash start and HashHandle
> > returned.
> > > + @retval FALSE Hash Init unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiInit (
> > > + OUT HASH_API_CONTEXT HashContext
> > > + );
> > > +
> > > +/**
> > > + Makes a copy of an existing hash context.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[out] NewHashContext New copy of hash
> > context.
> > > +
> > > + @retval TRUE Hash context copy succeeded.
> > > + @retval FALSE Hash context copy failed.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiDuplicate (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + OUT HASH_API_CONTEXT NewHashContext
> > > + );
> > > +
> > > +/**
> > > + Update hash data.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[in] DataToHash Data to be hashed.
> > > + @param[in] DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiUpdate (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > + );
> > > +
> > > +/**
> > > + Hash complete.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[out] Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is
> > returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiFinal (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + OUT UINT8 *Digest
> > > + );
> > > +
> > > +/**
> > > + Computes hash message digest of a input data
> > buffer.
> > > +
> > > + @param[in] DataToHash Data to be hashed.
> > > + @param[in] DataToHashLen Data size.
> > > + @param[out] Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash digest computation succeeded.
> > > + @retval FALSE Hash digest computation failed.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiHashAll (
> > > + IN CONST VOID *DataToHash,
> > > + IN UINTN DataToHashLen,
> > > + OUT UINT8 *Digest
> > > + );
> > > +
> > > +#endif
> > > diff --git
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > new file mode 100644
> > > index 0000000000..277ef9f0b4
> > > --- /dev/null
> > > +++
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > @@ -0,0 +1,330 @@
> > > +/** @file
> > > + Unified Hash API Implementation
> > > +
> > > + This file implements the Unified Hash API.
> > > +
> > > + This API, when called, will calculate the Hash
> > using the
> > > + hashing algorithm specified by
> > PcdHashApiLibPolicy.
> > > +
> > > + Copyright (c) 2020, Intel Corporation. All rights
> > reserved.<BR>
> > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > +
> > > +**/
> > > +
> > > +#include <Base.h>
> > > +#include <Library/BaseLib.h>
> > > +#include <Library/BaseMemoryLib.h>
> > > +#include <Library/MemoryAllocationLib.h>
> > > +#include <Library/BaseCryptLib.h>
> > > +#include <Library/DebugLib.h>
> > > +#include <Library/PcdLib.h>
> > > +#include <Library/HashApiLib.h>
> > > +
> > > +/**
> > > + Retrieves the size, in bytes, of the context
> > buffer required for hash operations.
> > > +
> > > + @return The size, in bytes, of the context buffer
> > required for hash operations.
> > > +**/
> > > +UINTN
> > > +EFIAPI
> > > +HashApiGetContextSize (
> > > + VOID
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3GetContextSize ();
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return 0;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Init hash sequence.
> > > +
> > > + @param[out] HashContext Hash context.
> > > +
> > > + @retval TRUE Hash start and HashHandle
> > returned.
> > > + @retval FALSE Hash Init unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiInit (
> > > + OUT HASH_API_CONTEXT HashContext
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3Init (HashContext);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Makes a copy of an existing hash context.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[out] NewHashContext New copy of hash
> > context.
> > > +
> > > + @retval TRUE Hash context copy succeeded.
> > > + @retval FALSE Hash context copy failed.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiDuplicate (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + OUT HASH_API_CONTEXT NewHashContext
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Update hash data.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[in] DataToHash Data to be hashed.
> > > + @param[in] DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiUpdate (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Hash complete.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[out] Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is
> > returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiFinal (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + OUT UINT8 *Digest
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3Final (HashContext, Digest);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Computes hash message digest of a input data
> > buffer.
> > > +
> > > + @param[in] DataToHash Data to be hashed.
> > > + @param[in] DataToHashLen Data size.
> > > + @param[out] Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash digest computation succeeded.
> > > + @retval FALSE Hash digest computation failed.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiHashAll (
> > > + IN CONST VOID *DataToHash,
> > > + IN UINTN DataToHashLen,
> > > + OUT UINT8 *Digest
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4HashAll (DataToHash, DataToHashLen,
> > Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5HashAll (DataToHash, DataToHashLen,
> > Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1HashAll (DataToHash, DataToHashLen,
> > Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256HashAll (DataToHash,
> > DataToHashLen, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384HashAll (DataToHash,
> > DataToHashLen, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512HashAll (DataToHash,
> > DataToHashLen, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3HashAll (DataToHash, DataToHashLen,
> > Digest);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > diff --git
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > new file mode 100644
> > > index 0000000000..b4d8675ddd
> > > --- /dev/null
> > > +++
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > @@ -0,0 +1,44 @@
> > > +## @file
> > > +# Provides Unified API for Hash Calculation
> > > +#
> > > +# This library is BaseHashApiLib. It will redirect
> > hash request to
> > > +# each individual hash API, such as SHA1, SHA256,
> > SHA384, SM3 based
> > > +# on hashing algorithm specified by
> > PcdHashApiLibPolicy.
> > > +#
> > > +# Copyright (c) 2020, Intel Corporation. All rights
> > reserved.<BR>
> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > > +#
> > > +##
> > > +
> > > +[Defines]
> > > + INF_VERSION = 0x00010005
> > > + BASE_NAME = BaseHashApiLib
> > > + MODULE_UNI_FILE =
> > BaseHashApiLib.uni
> > > + FILE_GUID = B1E566DD-DE7C-
> > 4F04-BDA0-B1295D3BE927
> > > + MODULE_TYPE = BASE
> > > + VERSION_STRING = 1.0
> > > + LIBRARY_CLASS = BaseHashApiLib
> > > +
> > > +#
> > > +# The following information is for reference only
> > and not required by the build
> > > tools.
> > > +#
> > > +# VALID_ARCHITECTURES = IA32 X64
> > > +#
> > > +
> > > +[Sources]
> > > + BaseHashApiLib.c
> > > +
> > > +[Packages]
> > > + MdePkg/MdePkg.dec
> > > + CryptoPkg/CryptoPkg.dec
> > > +
> > > +[LibraryClasses]
> > > + BaseLib
> > > + BaseMemoryLib
> > > + DebugLib
> > > + MemoryAllocationLib
> > > + BaseCryptLib
> > > + PcdLib
> > > +
> > > +[Pcd]
> > > + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy
> > ## CONSUMES
> > > diff --git
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > new file mode 100644
> > > index 0000000000..49ba82e86f
> > > --- /dev/null
> > > +++
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > @@ -0,0 +1,17 @@
> > > +// /** @file
> > > +// Provides Unified API for Hash Calculation
> > > +//
> > > +// This library is BaseHashApiLib. It will redirect
> > hash request to
> > > +// each individual hash API, such as SHA1, SHA256,
> > SHA384, SM3 based
> > > +// on hashing algorithm specified by
> > PcdHashApiLibPolicy.
> > > +//
> > > +// Copyright (c) 2020, Intel Corporation. All rights
> > reserved.<BR>
> > > +//
> > > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> > > +//
> > > +// **/
> > > +
> > > +
> > > +#string STR_MODULE_ABSTRACT #language
> > en-US "Provides hash
> > > service by specified hash handler"
> > > +
> > > +#string STR_MODULE_DESCRIPTION #language
> > en-US "This library is
> > > Unified Hash API. It will redirect hash request to
> > the hash handler specified by
> > > PcdHashApiLibPolicy."
> > > --
> > > 2.21.0.windows.1
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-04 17:10 ` Sukerkar, Amol N
2020-02-04 18:30 ` Sukerkar, Amol N
@ 2020-02-04 23:06 ` Yao, Jiewen
2020-02-04 23:15 ` Sukerkar, Amol N
1 sibling, 1 reply; 20+ messages in thread
From: Yao, Jiewen @ 2020-02-04 23:06 UTC (permalink / raw)
To: Sukerkar, Amol N, Kinney, Michael D, devel@edk2.groups.io; +Cc: Wang, Jian J
Amol
We are in the process to deprecating SHA1.
Currently SHA256 is default one.
Some products are moving from SHA256 to SHA384.
We did crypto usage analysis before.
In the current EDKII code base, there is no code using MD4.
The only code that using MD5 is the iSCSI.
TPM1.2 has to use SHA1 - that is updated by the TPM2.
Some old certificate was using SHA1. It will be deprecated and move to SHA256.
Even UEFI spec defines MD5, but it does not mean a product has to use MD5. UEFI spec does not mandate that you must support MD5.
Do you see any MD5 usage in BIOS except iSCSI?
If no, I prefer to drop MD4/MD5 in this patch.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Wednesday, February 5, 2020 1:10 AM
> To: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Sukerkar, Amol N
> <amol.n.sukerkar@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash
> Calculation API
>
> Hi Jiewen and Mike,
>
> I agree with general statement that MD4 and MD5 are deprecated. However,
> Although not MD4, UEFI spec 2.8 still mentions MD5 (and does not mention that
> it is deprecated). That is the reason MD4 and MD5 were included.
>
> If there is going to be an update to UEFI spec deprecating MD5 as well, we can
> definitely go ahead and remove MD5 (and MD4). I believe the decision is should
> we wait until the change to UEFI spec or make the change right now. Let me
> know which approach we should be following.
>
> Thanks,
> Amol
>
> -----Original Message-----
> From: Kinney, Michael D <michael.d.kinney@intel.com>
> Sent: Tuesday, February 04, 2020 9:26 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Kinney,
> Michael D <michael.d.kinney@intel.com>; Sukerkar, Amol N
> <amol.n.sukerkar@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash
> Calculation API
>
> Jiewen,
>
> I think UINT8 is fine. We can change default to 0x04 in DEC file.
>
> I will let Amol comment on why MD4 and MD5 are included. If they are not
> required, then I agree they should be removed.
>
> I do not see a reason to align with TCG spec. The HashApiLib is a layer on top of
> BaseCryptLib and the use of hash algorithms is not limited to TCG related
> content. The BaseCryptLib could potentially adopt hash algorithms that are not
> defined in the TCG specification. We also do not want CryptoPkg to depend on
> the SecurityPkg.
>
> Thanks,
>
> Mike
>
> > -----Original Message-----
> > From: Yao, Jiewen <jiewen.yao@intel.com>
> > Sent: Monday, February 3, 2020 6:54 PM
> > To: Kinney, Michael D <michael.d.kinney@intel.com>;
> > devel@edk2.groups.io
> > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>
> > Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> > Implement Unified Hash Calculation API
> >
> > Thanks Mike, to cover us during Chinese New Year holiday.
> >
> > I am just back from vocation. A minor comment:
> >
> > The PcdHashApiLibPolicy is UINT8, but the value is shown as 32bit
> > 0x00000004.
> >
> > There are couple of ways to enhance:
> > 1) Define UINT8, and use 8bit style 0x04.
> > 2) Define UINT32, and use 32bit style 0x00000004.
> > 3) Define UINT16 (match TCG definition), and use TCG defined value.
> > (Tpm20.h)
> > #define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
> > #define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
> > #define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
> > #define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
> > #define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
> >
> > MD4 and MD5 are known as insecure and deprecated. I doubt if we want
> > to add such support. (I strong recommend NO).
> >
> > If we can remove MD4 and MD5, I think we can use #3.
> >
> > Thank you
> > Yao Jiewen
> >
> > > -----Original Message-----
> > > From: Kinney, Michael D <michael.d.kinney@intel.com>
> > > Sent: Tuesday, February 4, 2020 7:36 AM
> > > To: devel@edk2.groups.io
> > > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> > Yao, Jiewen
> > > <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>
> > > Subject: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> > Implement Unified Hash
> > > Calculation API
> > >
> > > From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
> > >
> > > https://bugzilla.tianocore.org/show_bug.cgi?id=2151
> > >
> > > This commit introduces a Unified Hash API to
> > calculate hash using a
> > > hashing algorithm specified by the PCD,
> > PcdHashApiLibPolicy. This library
> > > interfaces with the various hashing API, such as,
> > MD4, MD5, SHA1, SHA256,
> > > SHA512 and SM3_256 implemented in BaseCryptLib. The
> > user can calculate
> > > the desired hash by setting PcdHashApiLibPolicy to
> > appropriate value.
> > >
> > > This feature is documented in the Bugzilla,
> > > https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
> > >
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Signed-off-by: Amol N Sukerkar
> > <amol.n.sukerkar@intel.com>
> > > Reviewed-by: Michael D Kinney
> > <michael.d.kinney@intel.com>
> > > ---
> > > CryptoPkg/CryptoPkg.dec | 20
> > ++
> > > CryptoPkg/CryptoPkg.dsc | 4
> > +-
> > > CryptoPkg/CryptoPkg.uni | 18
> > +-
> > > CryptoPkg/Include/Library/HashApiLib.h | 122
> > +++++++
> > > .../Library/BaseHashApiLib/BaseHashApiLib.c | 330
> > ++++++++++++++++++
> > > .../Library/BaseHashApiLib/BaseHashApiLib.inf | 44
> > +++
> > > .../Library/BaseHashApiLib/BaseHashApiLib.uni | 17
> > +
> > > 7 files changed, 553 insertions(+), 2 deletions(-) create mode
> > > 100644
> > CryptoPkg/Include/Library/HashApiLib.h
> > > create mode 100644
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > create mode 100644
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > create mode 100644
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > >
> > > diff --git a/CryptoPkg/CryptoPkg.dec
> > b/CryptoPkg/CryptoPkg.dec
> > > index 41af6e879e..8ad0fb5d61 100644
> > > --- a/CryptoPkg/CryptoPkg.dec
> > > +++ b/CryptoPkg/CryptoPkg.dec
> > > @@ -33,9 +33,29 @@ [LibraryClasses]
> > > ##
> > > TlsLib|Include/Library/TlsLib.h
> > >
> > > + ## @libraryclass Provides Unified API for
> > different hash implementations.
> > > + #
> > > + HashApiLib|Include/Library/HashApiLib.h
> > > +
> > > [Guids]
> > > ## Crypto package token space guid.
> > > gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60,
> > 0x9ef7, 0x4899, { 0x97,
> > > 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
> > >
> > > +[PcdsFixedAtBuild, PcdsPatchableInModule,
> > PcdsDynamic, PcdsDynamicEx]
> > > + ## This PCD indicates the HASH algorithm to
> > calculate hash of data
> > > + # Based on the value set, the required algorithm
> > is chosen to calculate
> > > + # the hash of data.<BR>
> > > + # The default hashing algorithm for
> > BaseHashApiLib is set to SHA256.<BR>
> > > + # 0x00000001 - MD4.<BR>
> > > + # 0x00000002 - MD5.<BR>
> > > + # 0x00000003 - SHA1.<BR>
> > > + # 0x00000004 - SHA256.<BR>
> > > + # 0x00000005 - SHA384.<BR>
> > > + # 0x00000006 - SHA512.<BR>
> > > + # 0x00000007 - SM3_256.<BR>
> > > + # @Prompt Set policy for hashing unsigned image
> > for Secure Boot.
> > > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > > +
> > >
> > gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UI
> > NT8|0x00000001
> > > +
> > > [UserExtensions.TianoCore."ExtraFiles"]
> > > CryptoPkgExtra.uni
> > > diff --git a/CryptoPkg/CryptoPkg.dsc
> > b/CryptoPkg/CryptoPkg.dsc
> > > index ec43c1f0a4..9656a73b3c 100644
> > > --- a/CryptoPkg/CryptoPkg.dsc
> > > +++ b/CryptoPkg/CryptoPkg.dsc
> > > @@ -1,7 +1,7 @@
> > > ## @file
> > > # Cryptographic Library Package for UEFI Security
> > Implementation.
> > > #
> > > -# Copyright (c) 2009 - 2018, Intel Corporation. All
> > rights reserved.<BR>
> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All
> > rights reserved.<BR>
> > > # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -44,6
> > > +44,7 @@ [LibraryClasses]
> > >
> > >
> > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLi
> > b.inf
> > >
> > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > +
> > HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApi
> > Lib.inf
> > >
> > > [LibraryClasses.ARM, LibraryClasses.AARCH64]
> > > #
> > > @@ -120,6 +121,7 @@ [Components]
> > > CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> > > CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > > +
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > >
> > > [Components.IA32, Components.X64]
> > > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > > diff --git a/CryptoPkg/CryptoPkg.uni
> > b/CryptoPkg/CryptoPkg.uni
> > > index beb0036ef5..0dae4c4045 100644
> > > --- a/CryptoPkg/CryptoPkg.uni
> > > +++ b/CryptoPkg/CryptoPkg.uni
> > > @@ -4,7 +4,7 @@
> > > // This Package provides cryptographic-related
> > libraries for UEFI security
> > > modules.
> > > // It also provides a test application to test
> > libraries.
> > > //
> > > -// Copyright (c) 2009 - 2018, Intel Corporation. All
> > rights reserved.<BR>
> > > +// Copyright (c) 2009 - 2020, Intel Corporation. All
> > rights reserved.<BR>
> > > //
> > > // SPDX-License-Identifier: BSD-2-Clause-Patent // @@ -17,3 +17,19
> > > @@
> > >
> > >
> > >
> > > +#string
> > STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PRO
> > MPT
> > > #language en-US "HASH algorithm to calculate hash"
> > > +
> > > +#string
> > STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HEL
> > P
> > > #language en-US "This PCD indicates the HASH
> > algorithm to calculate hash of
> > > data.<BR><BR>\n"
> > > +
> > "Based on the value set, the
> > > required algorithm is chosen to calculate\n"
> > > +
> > "the hash of data.<BR>\n"
> > > +
> > "The default hashing algorithm
> > > for BaseHashApiLib is set to SHA256.<BR>\n"
> > > +
> > "0x00000001 - MD4.<BR>\n"
> > > +
> > "0x00000002 - MD5.<BR>\n"
> > > +
> > "0x00000003 - SHA1.<BR>\n"
> > > +
> > "0x00000004 -
> > > SHA256.<BR>\n"
> > > +
> > "0x00000005 -
> > > SHA384.<BR>\n"
> > > +
> > "0x00000006 -
> > > SHA512.<BR>\n"
> > > +
> > "0x00000007 - SM3.<BR>"
> > > +
> > > +
> > > +
> > > diff --git a/CryptoPkg/Include/Library/HashApiLib.h
> > > b/CryptoPkg/Include/Library/HashApiLib.h
> > > new file mode 100644
> > > index 0000000000..22068e5a17
> > > --- /dev/null
> > > +++ b/CryptoPkg/Include/Library/HashApiLib.h
> > > @@ -0,0 +1,122 @@
> > > +/** @file
> > > + Unified Hash API Defines
> > > +
> > > + This API when called will calculate the Hash using
> > the
> > > + hashing algorithm specified by
> > PcdHashApiLibPolicy.
> > > +
> > > + Copyright (c) 2020, Intel Corporation. All rights
> > reserved.<BR>
> > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > +
> > > +**/
> > > +
> > > +#ifndef __BASEHASHAPILIB_H_
> > > +#define __BASEHASHAPILIB_H_
> > > +
> > > +typedef VOID *HASH_API_CONTEXT;
> > > +
> > > +//
> > > +// Hash Algorithms
> > > +//
> > > +#define HASH_API_ALGO_INVALID 0x00000000
> > > +#define HASH_API_ALGO_MD4 0x00000001
> > > +#define HASH_API_ALGO_MD5 0x00000002
> > > +#define HASH_API_ALGO_SHA1 0x00000003
> > > +#define HASH_API_ALGO_SHA256 0x00000004
> > > +#define HASH_API_ALGO_SHA384 0x00000005
> > > +#define HASH_API_ALGO_SHA512 0x00000006
> > > +#define HASH_API_ALGO_SM3_256 0x00000007
> > > +
> > > +/**
> > > + Retrieves the size, in bytes, of the context
> > buffer required for hash operations.
> > > +
> > > + @return The size, in bytes, of the context buffer
> > required for hash operations.
> > > +**/
> > > +UINTN
> > > +EFIAPI
> > > +HashApiGetContextSize (
> > > + VOID
> > > + );
> > > +
> > > +/**
> > > + Init hash sequence.
> > > +
> > > + @param[out] HashContext Hash context.
> > > +
> > > + @retval TRUE Hash start and HashHandle
> > returned.
> > > + @retval FALSE Hash Init unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiInit (
> > > + OUT HASH_API_CONTEXT HashContext
> > > + );
> > > +
> > > +/**
> > > + Makes a copy of an existing hash context.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[out] NewHashContext New copy of hash
> > context.
> > > +
> > > + @retval TRUE Hash context copy succeeded.
> > > + @retval FALSE Hash context copy failed.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiDuplicate (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + OUT HASH_API_CONTEXT NewHashContext
> > > + );
> > > +
> > > +/**
> > > + Update hash data.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[in] DataToHash Data to be hashed.
> > > + @param[in] DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiUpdate (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > + );
> > > +
> > > +/**
> > > + Hash complete.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[out] Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is
> > returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiFinal (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + OUT UINT8 *Digest
> > > + );
> > > +
> > > +/**
> > > + Computes hash message digest of a input data
> > buffer.
> > > +
> > > + @param[in] DataToHash Data to be hashed.
> > > + @param[in] DataToHashLen Data size.
> > > + @param[out] Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash digest computation succeeded.
> > > + @retval FALSE Hash digest computation failed.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiHashAll (
> > > + IN CONST VOID *DataToHash,
> > > + IN UINTN DataToHashLen,
> > > + OUT UINT8 *Digest
> > > + );
> > > +
> > > +#endif
> > > diff --git
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > new file mode 100644
> > > index 0000000000..277ef9f0b4
> > > --- /dev/null
> > > +++
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > @@ -0,0 +1,330 @@
> > > +/** @file
> > > + Unified Hash API Implementation
> > > +
> > > + This file implements the Unified Hash API.
> > > +
> > > + This API, when called, will calculate the Hash
> > using the
> > > + hashing algorithm specified by
> > PcdHashApiLibPolicy.
> > > +
> > > + Copyright (c) 2020, Intel Corporation. All rights
> > reserved.<BR>
> > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > +
> > > +**/
> > > +
> > > +#include <Base.h>
> > > +#include <Library/BaseLib.h>
> > > +#include <Library/BaseMemoryLib.h>
> > > +#include <Library/MemoryAllocationLib.h> #include
> > > +<Library/BaseCryptLib.h> #include <Library/DebugLib.h> #include
> > > +<Library/PcdLib.h> #include <Library/HashApiLib.h>
> > > +
> > > +/**
> > > + Retrieves the size, in bytes, of the context
> > buffer required for hash operations.
> > > +
> > > + @return The size, in bytes, of the context buffer
> > required for hash operations.
> > > +**/
> > > +UINTN
> > > +EFIAPI
> > > +HashApiGetContextSize (
> > > + VOID
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3GetContextSize ();
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return 0;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Init hash sequence.
> > > +
> > > + @param[out] HashContext Hash context.
> > > +
> > > + @retval TRUE Hash start and HashHandle
> > returned.
> > > + @retval FALSE Hash Init unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiInit (
> > > + OUT HASH_API_CONTEXT HashContext
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3Init (HashContext);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Makes a copy of an existing hash context.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[out] NewHashContext New copy of hash
> > context.
> > > +
> > > + @retval TRUE Hash context copy succeeded.
> > > + @retval FALSE Hash context copy failed.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiDuplicate (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + OUT HASH_API_CONTEXT NewHashContext
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Update hash data.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[in] DataToHash Data to be hashed.
> > > + @param[in] DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiUpdate (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Hash complete.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[out] Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is
> > returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiFinal (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + OUT UINT8 *Digest
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3Final (HashContext, Digest);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Computes hash message digest of a input data
> > buffer.
> > > +
> > > + @param[in] DataToHash Data to be hashed.
> > > + @param[in] DataToHashLen Data size.
> > > + @param[out] Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash digest computation succeeded.
> > > + @retval FALSE Hash digest computation failed.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiHashAll (
> > > + IN CONST VOID *DataToHash,
> > > + IN UINTN DataToHashLen,
> > > + OUT UINT8 *Digest
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4HashAll (DataToHash, DataToHashLen,
> > Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5HashAll (DataToHash, DataToHashLen,
> > Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1HashAll (DataToHash, DataToHashLen,
> > Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256HashAll (DataToHash,
> > DataToHashLen, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384HashAll (DataToHash,
> > DataToHashLen, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512HashAll (DataToHash,
> > DataToHashLen, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3HashAll (DataToHash, DataToHashLen,
> > Digest);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > diff --git
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > new file mode 100644
> > > index 0000000000..b4d8675ddd
> > > --- /dev/null
> > > +++
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > @@ -0,0 +1,44 @@
> > > +## @file
> > > +# Provides Unified API for Hash Calculation # # This library is
> > > +BaseHashApiLib. It will redirect
> > hash request to
> > > +# each individual hash API, such as SHA1, SHA256,
> > SHA384, SM3 based
> > > +# on hashing algorithm specified by
> > PcdHashApiLibPolicy.
> > > +#
> > > +# Copyright (c) 2020, Intel Corporation. All rights
> > reserved.<BR>
> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent # ##
> > > +
> > > +[Defines]
> > > + INF_VERSION = 0x00010005
> > > + BASE_NAME = BaseHashApiLib
> > > + MODULE_UNI_FILE =
> > BaseHashApiLib.uni
> > > + FILE_GUID = B1E566DD-DE7C-
> > 4F04-BDA0-B1295D3BE927
> > > + MODULE_TYPE = BASE
> > > + VERSION_STRING = 1.0
> > > + LIBRARY_CLASS = BaseHashApiLib
> > > +
> > > +#
> > > +# The following information is for reference only
> > and not required by the build
> > > tools.
> > > +#
> > > +# VALID_ARCHITECTURES = IA32 X64
> > > +#
> > > +
> > > +[Sources]
> > > + BaseHashApiLib.c
> > > +
> > > +[Packages]
> > > + MdePkg/MdePkg.dec
> > > + CryptoPkg/CryptoPkg.dec
> > > +
> > > +[LibraryClasses]
> > > + BaseLib
> > > + BaseMemoryLib
> > > + DebugLib
> > > + MemoryAllocationLib
> > > + BaseCryptLib
> > > + PcdLib
> > > +
> > > +[Pcd]
> > > + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy
> > ## CONSUMES
> > > diff --git
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > new file mode 100644
> > > index 0000000000..49ba82e86f
> > > --- /dev/null
> > > +++
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > @@ -0,0 +1,17 @@
> > > +// /** @file
> > > +// Provides Unified API for Hash Calculation // // This library is
> > > +BaseHashApiLib. It will redirect
> > hash request to
> > > +// each individual hash API, such as SHA1, SHA256,
> > SHA384, SM3 based
> > > +// on hashing algorithm specified by
> > PcdHashApiLibPolicy.
> > > +//
> > > +// Copyright (c) 2020, Intel Corporation. All rights
> > reserved.<BR>
> > > +//
> > > +// SPDX-License-Identifier: BSD-2-Clause-Patent // // **/
> > > +
> > > +
> > > +#string STR_MODULE_ABSTRACT #language
> > en-US "Provides hash
> > > service by specified hash handler"
> > > +
> > > +#string STR_MODULE_DESCRIPTION #language
> > en-US "This library is
> > > Unified Hash API. It will redirect hash request to
> > the hash handler specified by
> > > PcdHashApiLibPolicy."
> > > --
> > > 2.21.0.windows.1
>
>
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-04 23:06 ` Yao, Jiewen
@ 2020-02-04 23:15 ` Sukerkar, Amol N
2020-02-04 23:20 ` Yao, Jiewen
0 siblings, 1 reply; 20+ messages in thread
From: Sukerkar, Amol N @ 2020-02-04 23:15 UTC (permalink / raw)
To: Yao, Jiewen, Kinney, Michael D, devel@edk2.groups.io
Cc: Wang, Jian J, Sukerkar, Amol N
Thanks for the feedback, Jiewen!
In that case, I agree we should deprecate MD4, MD5 and SHA1 in BaseHashApiLib.
If the above statement is accurate, I can start next set of patches to remove the deprecated algorithms by creating a Bugzilla ticket. Please confirm.
Thanks,
Amol
-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Tuesday, February 04, 2020 4:06 PM
To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@intel.com>
Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
Amol
We are in the process to deprecating SHA1.
Currently SHA256 is default one.
Some products are moving from SHA256 to SHA384.
We did crypto usage analysis before.
In the current EDKII code base, there is no code using MD4.
The only code that using MD5 is the iSCSI.
TPM1.2 has to use SHA1 - that is updated by the TPM2.
Some old certificate was using SHA1. It will be deprecated and move to SHA256.
Even UEFI spec defines MD5, but it does not mean a product has to use MD5. UEFI spec does not mandate that you must support MD5.
Do you see any MD5 usage in BIOS except iSCSI?
If no, I prefer to drop MD4/MD5 in this patch.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Wednesday, February 5, 2020 1:10 AM
> To: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Sukerkar, Amol N
> <amol.n.sukerkar@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement
> Unified Hash Calculation API
>
> Hi Jiewen and Mike,
>
> I agree with general statement that MD4 and MD5 are deprecated.
> However, Although not MD4, UEFI spec 2.8 still mentions MD5 (and does
> not mention that it is deprecated). That is the reason MD4 and MD5 were included.
>
> If there is going to be an update to UEFI spec deprecating MD5 as
> well, we can definitely go ahead and remove MD5 (and MD4). I believe
> the decision is should we wait until the change to UEFI spec or make
> the change right now. Let me know which approach we should be following.
>
> Thanks,
> Amol
>
> -----Original Message-----
> From: Kinney, Michael D <michael.d.kinney@intel.com>
> Sent: Tuesday, February 04, 2020 9:26 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Kinney,
> Michael D <michael.d.kinney@intel.com>; Sukerkar, Amol N
> <amol.n.sukerkar@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement
> Unified Hash Calculation API
>
> Jiewen,
>
> I think UINT8 is fine. We can change default to 0x04 in DEC file.
>
> I will let Amol comment on why MD4 and MD5 are included. If they are
> not required, then I agree they should be removed.
>
> I do not see a reason to align with TCG spec. The HashApiLib is a
> layer on top of BaseCryptLib and the use of hash algorithms is not
> limited to TCG related content. The BaseCryptLib could potentially
> adopt hash algorithms that are not defined in the TCG specification.
> We also do not want CryptoPkg to depend on the SecurityPkg.
>
> Thanks,
>
> Mike
>
> > -----Original Message-----
> > From: Yao, Jiewen <jiewen.yao@intel.com>
> > Sent: Monday, February 3, 2020 6:54 PM
> > To: Kinney, Michael D <michael.d.kinney@intel.com>;
> > devel@edk2.groups.io
> > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>
> > Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> > Implement Unified Hash Calculation API
> >
> > Thanks Mike, to cover us during Chinese New Year holiday.
> >
> > I am just back from vocation. A minor comment:
> >
> > The PcdHashApiLibPolicy is UINT8, but the value is shown as 32bit
> > 0x00000004.
> >
> > There are couple of ways to enhance:
> > 1) Define UINT8, and use 8bit style 0x04.
> > 2) Define UINT32, and use 32bit style 0x00000004.
> > 3) Define UINT16 (match TCG definition), and use TCG defined value.
> > (Tpm20.h)
> > #define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
> > #define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
> > #define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
> > #define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
> > #define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
> >
> > MD4 and MD5 are known as insecure and deprecated. I doubt if we want
> > to add such support. (I strong recommend NO).
> >
> > If we can remove MD4 and MD5, I think we can use #3.
> >
> > Thank you
> > Yao Jiewen
> >
> > > -----Original Message-----
> > > From: Kinney, Michael D <michael.d.kinney@intel.com>
> > > Sent: Tuesday, February 4, 2020 7:36 AM
> > > To: devel@edk2.groups.io
> > > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> > Yao, Jiewen
> > > <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>
> > > Subject: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> > Implement Unified Hash
> > > Calculation API
> > >
> > > From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
> > >
> > > https://bugzilla.tianocore.org/show_bug.cgi?id=2151
> > >
> > > This commit introduces a Unified Hash API to
> > calculate hash using a
> > > hashing algorithm specified by the PCD,
> > PcdHashApiLibPolicy. This library
> > > interfaces with the various hashing API, such as,
> > MD4, MD5, SHA1, SHA256,
> > > SHA512 and SM3_256 implemented in BaseCryptLib. The
> > user can calculate
> > > the desired hash by setting PcdHashApiLibPolicy to
> > appropriate value.
> > >
> > > This feature is documented in the Bugzilla,
> > > https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
> > >
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Signed-off-by: Amol N Sukerkar
> > <amol.n.sukerkar@intel.com>
> > > Reviewed-by: Michael D Kinney
> > <michael.d.kinney@intel.com>
> > > ---
> > > CryptoPkg/CryptoPkg.dec | 20
> > ++
> > > CryptoPkg/CryptoPkg.dsc | 4
> > +-
> > > CryptoPkg/CryptoPkg.uni | 18
> > +-
> > > CryptoPkg/Include/Library/HashApiLib.h | 122
> > +++++++
> > > .../Library/BaseHashApiLib/BaseHashApiLib.c | 330
> > ++++++++++++++++++
> > > .../Library/BaseHashApiLib/BaseHashApiLib.inf | 44
> > +++
> > > .../Library/BaseHashApiLib/BaseHashApiLib.uni | 17
> > +
> > > 7 files changed, 553 insertions(+), 2 deletions(-) create mode
> > > 100644
> > CryptoPkg/Include/Library/HashApiLib.h
> > > create mode 100644
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > create mode 100644
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > create mode 100644
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > >
> > > diff --git a/CryptoPkg/CryptoPkg.dec
> > b/CryptoPkg/CryptoPkg.dec
> > > index 41af6e879e..8ad0fb5d61 100644
> > > --- a/CryptoPkg/CryptoPkg.dec
> > > +++ b/CryptoPkg/CryptoPkg.dec
> > > @@ -33,9 +33,29 @@ [LibraryClasses]
> > > ##
> > > TlsLib|Include/Library/TlsLib.h
> > >
> > > + ## @libraryclass Provides Unified API for
> > different hash implementations.
> > > + #
> > > + HashApiLib|Include/Library/HashApiLib.h
> > > +
> > > [Guids]
> > > ## Crypto package token space guid.
> > > gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60,
> > 0x9ef7, 0x4899, { 0x97,
> > > 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
> > >
> > > +[PcdsFixedAtBuild, PcdsPatchableInModule,
> > PcdsDynamic, PcdsDynamicEx]
> > > + ## This PCD indicates the HASH algorithm to
> > calculate hash of data
> > > + # Based on the value set, the required algorithm
> > is chosen to calculate
> > > + # the hash of data.<BR>
> > > + # The default hashing algorithm for
> > BaseHashApiLib is set to SHA256.<BR>
> > > + # 0x00000001 - MD4.<BR>
> > > + # 0x00000002 - MD5.<BR>
> > > + # 0x00000003 - SHA1.<BR>
> > > + # 0x00000004 - SHA256.<BR>
> > > + # 0x00000005 - SHA384.<BR>
> > > + # 0x00000006 - SHA512.<BR>
> > > + # 0x00000007 - SM3_256.<BR>
> > > + # @Prompt Set policy for hashing unsigned image
> > for Secure Boot.
> > > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > > +
> > >
> > gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UI
> > NT8|0x00000001
> > > +
> > > [UserExtensions.TianoCore."ExtraFiles"]
> > > CryptoPkgExtra.uni
> > > diff --git a/CryptoPkg/CryptoPkg.dsc
> > b/CryptoPkg/CryptoPkg.dsc
> > > index ec43c1f0a4..9656a73b3c 100644
> > > --- a/CryptoPkg/CryptoPkg.dsc
> > > +++ b/CryptoPkg/CryptoPkg.dsc
> > > @@ -1,7 +1,7 @@
> > > ## @file
> > > # Cryptographic Library Package for UEFI Security
> > Implementation.
> > > #
> > > -# Copyright (c) 2009 - 2018, Intel Corporation. All
> > rights reserved.<BR>
> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All
> > rights reserved.<BR>
> > > # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -44,6
> > > +44,7 @@ [LibraryClasses]
> > >
> > >
> > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLi
> > b.inf
> > >
> > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > +
> > HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApi
> > Lib.inf
> > >
> > > [LibraryClasses.ARM, LibraryClasses.AARCH64]
> > > #
> > > @@ -120,6 +121,7 @@ [Components]
> > > CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> > > CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > > +
> > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > >
> > > [Components.IA32, Components.X64]
> > > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > > diff --git a/CryptoPkg/CryptoPkg.uni
> > b/CryptoPkg/CryptoPkg.uni
> > > index beb0036ef5..0dae4c4045 100644
> > > --- a/CryptoPkg/CryptoPkg.uni
> > > +++ b/CryptoPkg/CryptoPkg.uni
> > > @@ -4,7 +4,7 @@
> > > // This Package provides cryptographic-related
> > libraries for UEFI security
> > > modules.
> > > // It also provides a test application to test
> > libraries.
> > > //
> > > -// Copyright (c) 2009 - 2018, Intel Corporation. All
> > rights reserved.<BR>
> > > +// Copyright (c) 2009 - 2020, Intel Corporation. All
> > rights reserved.<BR>
> > > //
> > > // SPDX-License-Identifier: BSD-2-Clause-Patent // @@ -17,3
> > > +17,19 @@
> > >
> > >
> > >
> > > +#string
> > STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PRO
> > MPT
> > > #language en-US "HASH algorithm to calculate hash"
> > > +
> > > +#string
> > STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HEL
> > P
> > > #language en-US "This PCD indicates the HASH
> > algorithm to calculate hash of
> > > data.<BR><BR>\n"
> > > +
> > "Based on the value set, the
> > > required algorithm is chosen to calculate\n"
> > > +
> > "the hash of data.<BR>\n"
> > > +
> > "The default hashing algorithm
> > > for BaseHashApiLib is set to SHA256.<BR>\n"
> > > +
> > "0x00000001 - MD4.<BR>\n"
> > > +
> > "0x00000002 - MD5.<BR>\n"
> > > +
> > "0x00000003 - SHA1.<BR>\n"
> > > +
> > "0x00000004 -
> > > SHA256.<BR>\n"
> > > +
> > "0x00000005 -
> > > SHA384.<BR>\n"
> > > +
> > "0x00000006 -
> > > SHA512.<BR>\n"
> > > +
> > "0x00000007 - SM3.<BR>"
> > > +
> > > +
> > > +
> > > diff --git a/CryptoPkg/Include/Library/HashApiLib.h
> > > b/CryptoPkg/Include/Library/HashApiLib.h
> > > new file mode 100644
> > > index 0000000000..22068e5a17
> > > --- /dev/null
> > > +++ b/CryptoPkg/Include/Library/HashApiLib.h
> > > @@ -0,0 +1,122 @@
> > > +/** @file
> > > + Unified Hash API Defines
> > > +
> > > + This API when called will calculate the Hash using
> > the
> > > + hashing algorithm specified by
> > PcdHashApiLibPolicy.
> > > +
> > > + Copyright (c) 2020, Intel Corporation. All rights
> > reserved.<BR>
> > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > +
> > > +**/
> > > +
> > > +#ifndef __BASEHASHAPILIB_H_
> > > +#define __BASEHASHAPILIB_H_
> > > +
> > > +typedef VOID *HASH_API_CONTEXT;
> > > +
> > > +//
> > > +// Hash Algorithms
> > > +//
> > > +#define HASH_API_ALGO_INVALID 0x00000000
> > > +#define HASH_API_ALGO_MD4 0x00000001
> > > +#define HASH_API_ALGO_MD5 0x00000002
> > > +#define HASH_API_ALGO_SHA1 0x00000003
> > > +#define HASH_API_ALGO_SHA256 0x00000004
> > > +#define HASH_API_ALGO_SHA384 0x00000005
> > > +#define HASH_API_ALGO_SHA512 0x00000006
> > > +#define HASH_API_ALGO_SM3_256 0x00000007
> > > +
> > > +/**
> > > + Retrieves the size, in bytes, of the context
> > buffer required for hash operations.
> > > +
> > > + @return The size, in bytes, of the context buffer
> > required for hash operations.
> > > +**/
> > > +UINTN
> > > +EFIAPI
> > > +HashApiGetContextSize (
> > > + VOID
> > > + );
> > > +
> > > +/**
> > > + Init hash sequence.
> > > +
> > > + @param[out] HashContext Hash context.
> > > +
> > > + @retval TRUE Hash start and HashHandle
> > returned.
> > > + @retval FALSE Hash Init unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiInit (
> > > + OUT HASH_API_CONTEXT HashContext
> > > + );
> > > +
> > > +/**
> > > + Makes a copy of an existing hash context.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[out] NewHashContext New copy of hash
> > context.
> > > +
> > > + @retval TRUE Hash context copy succeeded.
> > > + @retval FALSE Hash context copy failed.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiDuplicate (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + OUT HASH_API_CONTEXT NewHashContext
> > > + );
> > > +
> > > +/**
> > > + Update hash data.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[in] DataToHash Data to be hashed.
> > > + @param[in] DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiUpdate (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > + );
> > > +
> > > +/**
> > > + Hash complete.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[out] Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is
> > returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiFinal (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + OUT UINT8 *Digest
> > > + );
> > > +
> > > +/**
> > > + Computes hash message digest of a input data
> > buffer.
> > > +
> > > + @param[in] DataToHash Data to be hashed.
> > > + @param[in] DataToHashLen Data size.
> > > + @param[out] Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash digest computation succeeded.
> > > + @retval FALSE Hash digest computation failed.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiHashAll (
> > > + IN CONST VOID *DataToHash,
> > > + IN UINTN DataToHashLen,
> > > + OUT UINT8 *Digest
> > > + );
> > > +
> > > +#endif
> > > diff --git
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > new file mode 100644
> > > index 0000000000..277ef9f0b4
> > > --- /dev/null
> > > +++
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > @@ -0,0 +1,330 @@
> > > +/** @file
> > > + Unified Hash API Implementation
> > > +
> > > + This file implements the Unified Hash API.
> > > +
> > > + This API, when called, will calculate the Hash
> > using the
> > > + hashing algorithm specified by
> > PcdHashApiLibPolicy.
> > > +
> > > + Copyright (c) 2020, Intel Corporation. All rights
> > reserved.<BR>
> > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > +
> > > +**/
> > > +
> > > +#include <Base.h>
> > > +#include <Library/BaseLib.h>
> > > +#include <Library/BaseMemoryLib.h> #include
> > > +<Library/MemoryAllocationLib.h> #include <Library/BaseCryptLib.h>
> > > +#include <Library/DebugLib.h> #include <Library/PcdLib.h>
> > > +#include <Library/HashApiLib.h>
> > > +
> > > +/**
> > > + Retrieves the size, in bytes, of the context
> > buffer required for hash operations.
> > > +
> > > + @return The size, in bytes, of the context buffer
> > required for hash operations.
> > > +**/
> > > +UINTN
> > > +EFIAPI
> > > +HashApiGetContextSize (
> > > + VOID
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512GetContextSize ();
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3GetContextSize ();
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return 0;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Init hash sequence.
> > > +
> > > + @param[out] HashContext Hash context.
> > > +
> > > + @retval TRUE Hash start and HashHandle
> > returned.
> > > + @retval FALSE Hash Init unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiInit (
> > > + OUT HASH_API_CONTEXT HashContext
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512Init (HashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3Init (HashContext);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Makes a copy of an existing hash context.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[out] NewHashContext New copy of hash
> > context.
> > > +
> > > + @retval TRUE Hash context copy succeeded.
> > > + @retval FALSE Hash context copy failed.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiDuplicate (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + OUT HASH_API_CONTEXT NewHashContext
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3Duplicate (HashContext,
> > NewHashContext);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Update hash data.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[in] DataToHash Data to be hashed.
> > > + @param[in] DataToHashLen Data size.
> > > +
> > > + @retval TRUE Hash updated.
> > > + @retval FALSE Hash updated unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiUpdate (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + IN VOID *DataToHash,
> > > + IN UINTN DataToHashLen
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3Update (HashContext, DataToHash,
> > DataToHashLen);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Hash complete.
> > > +
> > > + @param[in] HashContext Hash context.
> > > + @param[out] Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash complete and Digest is
> > returned.
> > > + @retval FALSE Hash complete unsuccessful.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiFinal (
> > > + IN HASH_API_CONTEXT HashContext,
> > > + OUT UINT8 *Digest
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512Final (HashContext, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3Final (HashContext, Digest);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > +
> > > +/**
> > > + Computes hash message digest of a input data
> > buffer.
> > > +
> > > + @param[in] DataToHash Data to be hashed.
> > > + @param[in] DataToHashLen Data size.
> > > + @param[out] Digest Hash Digest.
> > > +
> > > + @retval TRUE Hash digest computation succeeded.
> > > + @retval FALSE Hash digest computation failed.
> > > +**/
> > > +BOOLEAN
> > > +EFIAPI
> > > +HashApiHashAll (
> > > + IN CONST VOID *DataToHash,
> > > + IN UINTN DataToHashLen,
> > > + OUT UINT8 *Digest
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4HashAll (DataToHash, DataToHashLen,
> > Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_MD5:
> > > + return Md5HashAll (DataToHash, DataToHashLen,
> > Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA1:
> > > + return Sha1HashAll (DataToHash, DataToHashLen,
> > Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA256:
> > > + return Sha256HashAll (DataToHash,
> > DataToHashLen, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA384:
> > > + return Sha384HashAll (DataToHash,
> > DataToHashLen, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SHA512:
> > > + return Sha512HashAll (DataToHash,
> > DataToHashLen, Digest);
> > > + break;
> > > +
> > > + case HASH_API_ALGO_SM3_256:
> > > + return Sm3HashAll (DataToHash, DataToHashLen,
> > Digest);
> > > + break;
> > > +
> > > + default:
> > > + ASSERT (FALSE);
> > > + return FALSE;
> > > + break;
> > > + }
> > > +}
> > > diff --git
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > new file mode 100644
> > > index 0000000000..b4d8675ddd
> > > --- /dev/null
> > > +++
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > @@ -0,0 +1,44 @@
> > > +## @file
> > > +# Provides Unified API for Hash Calculation # # This library is
> > > +BaseHashApiLib. It will redirect
> > hash request to
> > > +# each individual hash API, such as SHA1, SHA256,
> > SHA384, SM3 based
> > > +# on hashing algorithm specified by
> > PcdHashApiLibPolicy.
> > > +#
> > > +# Copyright (c) 2020, Intel Corporation. All rights
> > reserved.<BR>
> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent # ##
> > > +
> > > +[Defines]
> > > + INF_VERSION = 0x00010005
> > > + BASE_NAME = BaseHashApiLib
> > > + MODULE_UNI_FILE =
> > BaseHashApiLib.uni
> > > + FILE_GUID = B1E566DD-DE7C-
> > 4F04-BDA0-B1295D3BE927
> > > + MODULE_TYPE = BASE
> > > + VERSION_STRING = 1.0
> > > + LIBRARY_CLASS = BaseHashApiLib
> > > +
> > > +#
> > > +# The following information is for reference only
> > and not required by the build
> > > tools.
> > > +#
> > > +# VALID_ARCHITECTURES = IA32 X64
> > > +#
> > > +
> > > +[Sources]
> > > + BaseHashApiLib.c
> > > +
> > > +[Packages]
> > > + MdePkg/MdePkg.dec
> > > + CryptoPkg/CryptoPkg.dec
> > > +
> > > +[LibraryClasses]
> > > + BaseLib
> > > + BaseMemoryLib
> > > + DebugLib
> > > + MemoryAllocationLib
> > > + BaseCryptLib
> > > + PcdLib
> > > +
> > > +[Pcd]
> > > + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy
> > ## CONSUMES
> > > diff --git
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > new file mode 100644
> > > index 0000000000..49ba82e86f
> > > --- /dev/null
> > > +++
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > @@ -0,0 +1,17 @@
> > > +// /** @file
> > > +// Provides Unified API for Hash Calculation // // This library
> > > +is BaseHashApiLib. It will redirect
> > hash request to
> > > +// each individual hash API, such as SHA1, SHA256,
> > SHA384, SM3 based
> > > +// on hashing algorithm specified by
> > PcdHashApiLibPolicy.
> > > +//
> > > +// Copyright (c) 2020, Intel Corporation. All rights
> > reserved.<BR>
> > > +//
> > > +// SPDX-License-Identifier: BSD-2-Clause-Patent // // **/
> > > +
> > > +
> > > +#string STR_MODULE_ABSTRACT #language
> > en-US "Provides hash
> > > service by specified hash handler"
> > > +
> > > +#string STR_MODULE_DESCRIPTION #language
> > en-US "This library is
> > > Unified Hash API. It will redirect hash request to
> > the hash handler specified by
> > > PcdHashApiLibPolicy."
> > > --
> > > 2.21.0.windows.1
>
>
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-04 23:15 ` Sukerkar, Amol N
@ 2020-02-04 23:20 ` Yao, Jiewen
2020-02-04 23:22 ` Sukerkar, Amol N
0 siblings, 1 reply; 20+ messages in thread
From: Yao, Jiewen @ 2020-02-04 23:20 UTC (permalink / raw)
To: Sukerkar, Amol N, Kinney, Michael D, devel@edk2.groups.io; +Cc: Wang, Jian J
Thank Amol.
You may want to keep SHA1. I still feel that SHA1 is used in some special case.
It is safety to just drop MD4 and MD5 at this moment.
We may consider to drop SHA1 later, when we do not see any usage.
With this patch, I believe it will be easy for us to move from SHA256 to SHA384 later.
Good work!
Thank you
Yao Jiewen
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Wednesday, February 5, 2020 7:15 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Sukerkar, Amol N
> <amol.n.sukerkar@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash
> Calculation API
>
> Thanks for the feedback, Jiewen!
>
> In that case, I agree we should deprecate MD4, MD5 and SHA1 in
> BaseHashApiLib.
>
> If the above statement is accurate, I can start next set of patches to remove the
> deprecated algorithms by creating a Bugzilla ticket. Please confirm.
>
> Thanks,
> Amol
>
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Tuesday, February 04, 2020 4:06 PM
> To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash
> Calculation API
>
> Amol
> We are in the process to deprecating SHA1.
> Currently SHA256 is default one.
> Some products are moving from SHA256 to SHA384.
>
> We did crypto usage analysis before.
> In the current EDKII code base, there is no code using MD4.
> The only code that using MD5 is the iSCSI.
>
> TPM1.2 has to use SHA1 - that is updated by the TPM2.
> Some old certificate was using SHA1. It will be deprecated and move to SHA256.
>
> Even UEFI spec defines MD5, but it does not mean a product has to use MD5.
> UEFI spec does not mandate that you must support MD5.
> Do you see any MD5 usage in BIOS except iSCSI?
>
> If no, I prefer to drop MD4/MD5 in this patch.
>
> Thank you
> Yao Jiewen
>
>
> > -----Original Message-----
> > From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > Sent: Wednesday, February 5, 2020 1:10 AM
> > To: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; devel@edk2.groups.io
> > Cc: Wang, Jian J <jian.j.wang@intel.com>; Sukerkar, Amol N
> > <amol.n.sukerkar@intel.com>
> > Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement
> > Unified Hash Calculation API
> >
> > Hi Jiewen and Mike,
> >
> > I agree with general statement that MD4 and MD5 are deprecated.
> > However, Although not MD4, UEFI spec 2.8 still mentions MD5 (and does
> > not mention that it is deprecated). That is the reason MD4 and MD5 were
> included.
> >
> > If there is going to be an update to UEFI spec deprecating MD5 as
> > well, we can definitely go ahead and remove MD5 (and MD4). I believe
> > the decision is should we wait until the change to UEFI spec or make
> > the change right now. Let me know which approach we should be following.
> >
> > Thanks,
> > Amol
> >
> > -----Original Message-----
> > From: Kinney, Michael D <michael.d.kinney@intel.com>
> > Sent: Tuesday, February 04, 2020 9:26 AM
> > To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Kinney,
> > Michael D <michael.d.kinney@intel.com>; Sukerkar, Amol N
> > <amol.n.sukerkar@intel.com>
> > Cc: Wang, Jian J <jian.j.wang@intel.com>
> > Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement
> > Unified Hash Calculation API
> >
> > Jiewen,
> >
> > I think UINT8 is fine. We can change default to 0x04 in DEC file.
> >
> > I will let Amol comment on why MD4 and MD5 are included. If they are
> > not required, then I agree they should be removed.
> >
> > I do not see a reason to align with TCG spec. The HashApiLib is a
> > layer on top of BaseCryptLib and the use of hash algorithms is not
> > limited to TCG related content. The BaseCryptLib could potentially
> > adopt hash algorithms that are not defined in the TCG specification.
> > We also do not want CryptoPkg to depend on the SecurityPkg.
> >
> > Thanks,
> >
> > Mike
> >
> > > -----Original Message-----
> > > From: Yao, Jiewen <jiewen.yao@intel.com>
> > > Sent: Monday, February 3, 2020 6:54 PM
> > > To: Kinney, Michael D <michael.d.kinney@intel.com>;
> > > devel@edk2.groups.io
> > > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>
> > > Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> > > Implement Unified Hash Calculation API
> > >
> > > Thanks Mike, to cover us during Chinese New Year holiday.
> > >
> > > I am just back from vocation. A minor comment:
> > >
> > > The PcdHashApiLibPolicy is UINT8, but the value is shown as 32bit
> > > 0x00000004.
> > >
> > > There are couple of ways to enhance:
> > > 1) Define UINT8, and use 8bit style 0x04.
> > > 2) Define UINT32, and use 32bit style 0x00000004.
> > > 3) Define UINT16 (match TCG definition), and use TCG defined value.
> > > (Tpm20.h)
> > > #define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
> > > #define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
> > > #define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
> > > #define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
> > > #define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
> > >
> > > MD4 and MD5 are known as insecure and deprecated. I doubt if we want
> > > to add such support. (I strong recommend NO).
> > >
> > > If we can remove MD4 and MD5, I think we can use #3.
> > >
> > > Thank you
> > > Yao Jiewen
> > >
> > > > -----Original Message-----
> > > > From: Kinney, Michael D <michael.d.kinney@intel.com>
> > > > Sent: Tuesday, February 4, 2020 7:36 AM
> > > > To: devel@edk2.groups.io
> > > > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> > > Yao, Jiewen
> > > > <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>
> > > > Subject: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> > > Implement Unified Hash
> > > > Calculation API
> > > >
> > > > From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
> > > >
> > > > https://bugzilla.tianocore.org/show_bug.cgi?id=2151
> > > >
> > > > This commit introduces a Unified Hash API to
> > > calculate hash using a
> > > > hashing algorithm specified by the PCD,
> > > PcdHashApiLibPolicy. This library
> > > > interfaces with the various hashing API, such as,
> > > MD4, MD5, SHA1, SHA256,
> > > > SHA512 and SM3_256 implemented in BaseCryptLib. The
> > > user can calculate
> > > > the desired hash by setting PcdHashApiLibPolicy to
> > > appropriate value.
> > > >
> > > > This feature is documented in the Bugzilla,
> > > > https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
> > > >
> > > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > > Signed-off-by: Amol N Sukerkar
> > > <amol.n.sukerkar@intel.com>
> > > > Reviewed-by: Michael D Kinney
> > > <michael.d.kinney@intel.com>
> > > > ---
> > > > CryptoPkg/CryptoPkg.dec | 20
> > > ++
> > > > CryptoPkg/CryptoPkg.dsc | 4
> > > +-
> > > > CryptoPkg/CryptoPkg.uni | 18
> > > +-
> > > > CryptoPkg/Include/Library/HashApiLib.h | 122
> > > +++++++
> > > > .../Library/BaseHashApiLib/BaseHashApiLib.c | 330
> > > ++++++++++++++++++
> > > > .../Library/BaseHashApiLib/BaseHashApiLib.inf | 44
> > > +++
> > > > .../Library/BaseHashApiLib/BaseHashApiLib.uni | 17
> > > +
> > > > 7 files changed, 553 insertions(+), 2 deletions(-) create mode
> > > > 100644
> > > CryptoPkg/Include/Library/HashApiLib.h
> > > > create mode 100644
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > create mode 100644
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > create mode 100644
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > >
> > > > diff --git a/CryptoPkg/CryptoPkg.dec
> > > b/CryptoPkg/CryptoPkg.dec
> > > > index 41af6e879e..8ad0fb5d61 100644
> > > > --- a/CryptoPkg/CryptoPkg.dec
> > > > +++ b/CryptoPkg/CryptoPkg.dec
> > > > @@ -33,9 +33,29 @@ [LibraryClasses]
> > > > ##
> > > > TlsLib|Include/Library/TlsLib.h
> > > >
> > > > + ## @libraryclass Provides Unified API for
> > > different hash implementations.
> > > > + #
> > > > + HashApiLib|Include/Library/HashApiLib.h
> > > > +
> > > > [Guids]
> > > > ## Crypto package token space guid.
> > > > gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60,
> > > 0x9ef7, 0x4899, { 0x97,
> > > > 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
> > > >
> > > > +[PcdsFixedAtBuild, PcdsPatchableInModule,
> > > PcdsDynamic, PcdsDynamicEx]
> > > > + ## This PCD indicates the HASH algorithm to
> > > calculate hash of data
> > > > + # Based on the value set, the required algorithm
> > > is chosen to calculate
> > > > + # the hash of data.<BR>
> > > > + # The default hashing algorithm for
> > > BaseHashApiLib is set to SHA256.<BR>
> > > > + # 0x00000001 - MD4.<BR>
> > > > + # 0x00000002 - MD5.<BR>
> > > > + # 0x00000003 - SHA1.<BR>
> > > > + # 0x00000004 - SHA256.<BR>
> > > > + # 0x00000005 - SHA384.<BR>
> > > > + # 0x00000006 - SHA512.<BR>
> > > > + # 0x00000007 - SM3_256.<BR>
> > > > + # @Prompt Set policy for hashing unsigned image
> > > for Secure Boot.
> > > > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > > > +
> > > >
> > > gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UI
> > > NT8|0x00000001
> > > > +
> > > > [UserExtensions.TianoCore."ExtraFiles"]
> > > > CryptoPkgExtra.uni
> > > > diff --git a/CryptoPkg/CryptoPkg.dsc
> > > b/CryptoPkg/CryptoPkg.dsc
> > > > index ec43c1f0a4..9656a73b3c 100644
> > > > --- a/CryptoPkg/CryptoPkg.dsc
> > > > +++ b/CryptoPkg/CryptoPkg.dsc
> > > > @@ -1,7 +1,7 @@
> > > > ## @file
> > > > # Cryptographic Library Package for UEFI Security
> > > Implementation.
> > > > #
> > > > -# Copyright (c) 2009 - 2018, Intel Corporation. All
> > > rights reserved.<BR>
> > > > +# Copyright (c) 2009 - 2020, Intel Corporation. All
> > > rights reserved.<BR>
> > > > # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -44,6
> > > > +44,7 @@ [LibraryClasses]
> > > >
> > > >
> > > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLi
> > > b.inf
> > > >
> > > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > > +
> > > HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApi
> > > Lib.inf
> > > >
> > > > [LibraryClasses.ARM, LibraryClasses.AARCH64]
> > > > #
> > > > @@ -120,6 +121,7 @@ [Components]
> > > > CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> > > > CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > > > +
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > >
> > > > [Components.IA32, Components.X64]
> > > > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > > > diff --git a/CryptoPkg/CryptoPkg.uni
> > > b/CryptoPkg/CryptoPkg.uni
> > > > index beb0036ef5..0dae4c4045 100644
> > > > --- a/CryptoPkg/CryptoPkg.uni
> > > > +++ b/CryptoPkg/CryptoPkg.uni
> > > > @@ -4,7 +4,7 @@
> > > > // This Package provides cryptographic-related
> > > libraries for UEFI security
> > > > modules.
> > > > // It also provides a test application to test
> > > libraries.
> > > > //
> > > > -// Copyright (c) 2009 - 2018, Intel Corporation. All
> > > rights reserved.<BR>
> > > > +// Copyright (c) 2009 - 2020, Intel Corporation. All
> > > rights reserved.<BR>
> > > > //
> > > > // SPDX-License-Identifier: BSD-2-Clause-Patent // @@ -17,3
> > > > +17,19 @@
> > > >
> > > >
> > > >
> > > > +#string
> > > STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PRO
> > > MPT
> > > > #language en-US "HASH algorithm to calculate hash"
> > > > +
> > > > +#string
> > > STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HEL
> > > P
> > > > #language en-US "This PCD indicates the HASH
> > > algorithm to calculate hash of
> > > > data.<BR><BR>\n"
> > > > +
> > > "Based on the value set, the
> > > > required algorithm is chosen to calculate\n"
> > > > +
> > > "the hash of data.<BR>\n"
> > > > +
> > > "The default hashing algorithm
> > > > for BaseHashApiLib is set to SHA256.<BR>\n"
> > > > +
> > > "0x00000001 - MD4.<BR>\n"
> > > > +
> > > "0x00000002 - MD5.<BR>\n"
> > > > +
> > > "0x00000003 - SHA1.<BR>\n"
> > > > +
> > > "0x00000004 -
> > > > SHA256.<BR>\n"
> > > > +
> > > "0x00000005 -
> > > > SHA384.<BR>\n"
> > > > +
> > > "0x00000006 -
> > > > SHA512.<BR>\n"
> > > > +
> > > "0x00000007 - SM3.<BR>"
> > > > +
> > > > +
> > > > +
> > > > diff --git a/CryptoPkg/Include/Library/HashApiLib.h
> > > > b/CryptoPkg/Include/Library/HashApiLib.h
> > > > new file mode 100644
> > > > index 0000000000..22068e5a17
> > > > --- /dev/null
> > > > +++ b/CryptoPkg/Include/Library/HashApiLib.h
> > > > @@ -0,0 +1,122 @@
> > > > +/** @file
> > > > + Unified Hash API Defines
> > > > +
> > > > + This API when called will calculate the Hash using
> > > the
> > > > + hashing algorithm specified by
> > > PcdHashApiLibPolicy.
> > > > +
> > > > + Copyright (c) 2020, Intel Corporation. All rights
> > > reserved.<BR>
> > > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > +
> > > > +**/
> > > > +
> > > > +#ifndef __BASEHASHAPILIB_H_
> > > > +#define __BASEHASHAPILIB_H_
> > > > +
> > > > +typedef VOID *HASH_API_CONTEXT;
> > > > +
> > > > +//
> > > > +// Hash Algorithms
> > > > +//
> > > > +#define HASH_API_ALGO_INVALID 0x00000000
> > > > +#define HASH_API_ALGO_MD4 0x00000001
> > > > +#define HASH_API_ALGO_MD5 0x00000002
> > > > +#define HASH_API_ALGO_SHA1 0x00000003
> > > > +#define HASH_API_ALGO_SHA256 0x00000004
> > > > +#define HASH_API_ALGO_SHA384 0x00000005
> > > > +#define HASH_API_ALGO_SHA512 0x00000006
> > > > +#define HASH_API_ALGO_SM3_256 0x00000007
> > > > +
> > > > +/**
> > > > + Retrieves the size, in bytes, of the context
> > > buffer required for hash operations.
> > > > +
> > > > + @return The size, in bytes, of the context buffer
> > > required for hash operations.
> > > > +**/
> > > > +UINTN
> > > > +EFIAPI
> > > > +HashApiGetContextSize (
> > > > + VOID
> > > > + );
> > > > +
> > > > +/**
> > > > + Init hash sequence.
> > > > +
> > > > + @param[out] HashContext Hash context.
> > > > +
> > > > + @retval TRUE Hash start and HashHandle
> > > returned.
> > > > + @retval FALSE Hash Init unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiInit (
> > > > + OUT HASH_API_CONTEXT HashContext
> > > > + );
> > > > +
> > > > +/**
> > > > + Makes a copy of an existing hash context.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[out] NewHashContext New copy of hash
> > > context.
> > > > +
> > > > + @retval TRUE Hash context copy succeeded.
> > > > + @retval FALSE Hash context copy failed.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiDuplicate (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + OUT HASH_API_CONTEXT NewHashContext
> > > > + );
> > > > +
> > > > +/**
> > > > + Update hash data.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[in] DataToHash Data to be hashed.
> > > > + @param[in] DataToHashLen Data size.
> > > > +
> > > > + @retval TRUE Hash updated.
> > > > + @retval FALSE Hash updated unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiUpdate (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + IN VOID *DataToHash,
> > > > + IN UINTN DataToHashLen
> > > > + );
> > > > +
> > > > +/**
> > > > + Hash complete.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[out] Digest Hash Digest.
> > > > +
> > > > + @retval TRUE Hash complete and Digest is
> > > returned.
> > > > + @retval FALSE Hash complete unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiFinal (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + OUT UINT8 *Digest
> > > > + );
> > > > +
> > > > +/**
> > > > + Computes hash message digest of a input data
> > > buffer.
> > > > +
> > > > + @param[in] DataToHash Data to be hashed.
> > > > + @param[in] DataToHashLen Data size.
> > > > + @param[out] Digest Hash Digest.
> > > > +
> > > > + @retval TRUE Hash digest computation succeeded.
> > > > + @retval FALSE Hash digest computation failed.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiHashAll (
> > > > + IN CONST VOID *DataToHash,
> > > > + IN UINTN DataToHashLen,
> > > > + OUT UINT8 *Digest
> > > > + );
> > > > +
> > > > +#endif
> > > > diff --git
> > > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > new file mode 100644
> > > > index 0000000000..277ef9f0b4
> > > > --- /dev/null
> > > > +++
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > @@ -0,0 +1,330 @@
> > > > +/** @file
> > > > + Unified Hash API Implementation
> > > > +
> > > > + This file implements the Unified Hash API.
> > > > +
> > > > + This API, when called, will calculate the Hash
> > > using the
> > > > + hashing algorithm specified by
> > > PcdHashApiLibPolicy.
> > > > +
> > > > + Copyright (c) 2020, Intel Corporation. All rights
> > > reserved.<BR>
> > > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > +
> > > > +**/
> > > > +
> > > > +#include <Base.h>
> > > > +#include <Library/BaseLib.h>
> > > > +#include <Library/BaseMemoryLib.h> #include
> > > > +<Library/MemoryAllocationLib.h> #include <Library/BaseCryptLib.h>
> > > > +#include <Library/DebugLib.h> #include <Library/PcdLib.h>
> > > > +#include <Library/HashApiLib.h>
> > > > +
> > > > +/**
> > > > + Retrieves the size, in bytes, of the context
> > > buffer required for hash operations.
> > > > +
> > > > + @return The size, in bytes, of the context buffer
> > > required for hash operations.
> > > > +**/
> > > > +UINTN
> > > > +EFIAPI
> > > > +HashApiGetContextSize (
> > > > + VOID
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3GetContextSize ();
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return 0;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Init hash sequence.
> > > > +
> > > > + @param[out] HashContext Hash context.
> > > > +
> > > > + @retval TRUE Hash start and HashHandle
> > > returned.
> > > > + @retval FALSE Hash Init unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiInit (
> > > > + OUT HASH_API_CONTEXT HashContext
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3Init (HashContext);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Makes a copy of an existing hash context.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[out] NewHashContext New copy of hash
> > > context.
> > > > +
> > > > + @retval TRUE Hash context copy succeeded.
> > > > + @retval FALSE Hash context copy failed.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiDuplicate (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + OUT HASH_API_CONTEXT NewHashContext
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Update hash data.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[in] DataToHash Data to be hashed.
> > > > + @param[in] DataToHashLen Data size.
> > > > +
> > > > + @retval TRUE Hash updated.
> > > > + @retval FALSE Hash updated unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiUpdate (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + IN VOID *DataToHash,
> > > > + IN UINTN DataToHashLen
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Hash complete.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[out] Digest Hash Digest.
> > > > +
> > > > + @retval TRUE Hash complete and Digest is
> > > returned.
> > > > + @retval FALSE Hash complete unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiFinal (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + OUT UINT8 *Digest
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Computes hash message digest of a input data
> > > buffer.
> > > > +
> > > > + @param[in] DataToHash Data to be hashed.
> > > > + @param[in] DataToHashLen Data size.
> > > > + @param[out] Digest Hash Digest.
> > > > +
> > > > + @retval TRUE Hash digest computation succeeded.
> > > > + @retval FALSE Hash digest computation failed.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiHashAll (
> > > > + IN CONST VOID *DataToHash,
> > > > + IN UINTN DataToHashLen,
> > > > + OUT UINT8 *Digest
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4HashAll (DataToHash, DataToHashLen,
> > > Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5HashAll (DataToHash, DataToHashLen,
> > > Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1HashAll (DataToHash, DataToHashLen,
> > > Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256HashAll (DataToHash,
> > > DataToHashLen, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384HashAll (DataToHash,
> > > DataToHashLen, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512HashAll (DataToHash,
> > > DataToHashLen, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3HashAll (DataToHash, DataToHashLen,
> > > Digest);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > diff --git
> > > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > new file mode 100644
> > > > index 0000000000..b4d8675ddd
> > > > --- /dev/null
> > > > +++
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > @@ -0,0 +1,44 @@
> > > > +## @file
> > > > +# Provides Unified API for Hash Calculation # # This library is
> > > > +BaseHashApiLib. It will redirect
> > > hash request to
> > > > +# each individual hash API, such as SHA1, SHA256,
> > > SHA384, SM3 based
> > > > +# on hashing algorithm specified by
> > > PcdHashApiLibPolicy.
> > > > +#
> > > > +# Copyright (c) 2020, Intel Corporation. All rights
> > > reserved.<BR>
> > > > +# SPDX-License-Identifier: BSD-2-Clause-Patent # ##
> > > > +
> > > > +[Defines]
> > > > + INF_VERSION = 0x00010005
> > > > + BASE_NAME = BaseHashApiLib
> > > > + MODULE_UNI_FILE =
> > > BaseHashApiLib.uni
> > > > + FILE_GUID = B1E566DD-DE7C-
> > > 4F04-BDA0-B1295D3BE927
> > > > + MODULE_TYPE = BASE
> > > > + VERSION_STRING = 1.0
> > > > + LIBRARY_CLASS = BaseHashApiLib
> > > > +
> > > > +#
> > > > +# The following information is for reference only
> > > and not required by the build
> > > > tools.
> > > > +#
> > > > +# VALID_ARCHITECTURES = IA32 X64
> > > > +#
> > > > +
> > > > +[Sources]
> > > > + BaseHashApiLib.c
> > > > +
> > > > +[Packages]
> > > > + MdePkg/MdePkg.dec
> > > > + CryptoPkg/CryptoPkg.dec
> > > > +
> > > > +[LibraryClasses]
> > > > + BaseLib
> > > > + BaseMemoryLib
> > > > + DebugLib
> > > > + MemoryAllocationLib
> > > > + BaseCryptLib
> > > > + PcdLib
> > > > +
> > > > +[Pcd]
> > > > + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy
> > > ## CONSUMES
> > > > diff --git
> > > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > > new file mode 100644
> > > > index 0000000000..49ba82e86f
> > > > --- /dev/null
> > > > +++
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > > @@ -0,0 +1,17 @@
> > > > +// /** @file
> > > > +// Provides Unified API for Hash Calculation // // This library
> > > > +is BaseHashApiLib. It will redirect
> > > hash request to
> > > > +// each individual hash API, such as SHA1, SHA256,
> > > SHA384, SM3 based
> > > > +// on hashing algorithm specified by
> > > PcdHashApiLibPolicy.
> > > > +//
> > > > +// Copyright (c) 2020, Intel Corporation. All rights
> > > reserved.<BR>
> > > > +//
> > > > +// SPDX-License-Identifier: BSD-2-Clause-Patent // // **/
> > > > +
> > > > +
> > > > +#string STR_MODULE_ABSTRACT #language
> > > en-US "Provides hash
> > > > service by specified hash handler"
> > > > +
> > > > +#string STR_MODULE_DESCRIPTION #language
> > > en-US "This library is
> > > > Unified Hash API. It will redirect hash request to
> > > the hash handler specified by
> > > > PcdHashApiLibPolicy."
> > > > --
> > > > 2.21.0.windows.1
> >
> >
>
>
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-04 23:20 ` Yao, Jiewen
@ 2020-02-04 23:22 ` Sukerkar, Amol N
0 siblings, 0 replies; 20+ messages in thread
From: Sukerkar, Amol N @ 2020-02-04 23:22 UTC (permalink / raw)
To: Yao, Jiewen, Kinney, Michael D, devel@edk2.groups.io
Cc: Wang, Jian J, Sukerkar, Amol N
Thanks, Jiewen! I will start the process.
~ Amol
-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Tuesday, February 04, 2020 4:20 PM
To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@intel.com>
Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
Thank Amol.
You may want to keep SHA1. I still feel that SHA1 is used in some special case.
It is safety to just drop MD4 and MD5 at this moment.
We may consider to drop SHA1 later, when we do not see any usage.
With this patch, I believe it will be easy for us to move from SHA256 to SHA384 later.
Good work!
Thank you
Yao Jiewen
> -----Original Message-----
> From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> Sent: Wednesday, February 5, 2020 7:15 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Sukerkar, Amol N
> <amol.n.sukerkar@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement
> Unified Hash Calculation API
>
> Thanks for the feedback, Jiewen!
>
> In that case, I agree we should deprecate MD4, MD5 and SHA1 in
> BaseHashApiLib.
>
> If the above statement is accurate, I can start next set of patches to
> remove the deprecated algorithms by creating a Bugzilla ticket. Please confirm.
>
> Thanks,
> Amol
>
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Tuesday, February 04, 2020 4:06 PM
> To: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement
> Unified Hash Calculation API
>
> Amol
> We are in the process to deprecating SHA1.
> Currently SHA256 is default one.
> Some products are moving from SHA256 to SHA384.
>
> We did crypto usage analysis before.
> In the current EDKII code base, there is no code using MD4.
> The only code that using MD5 is the iSCSI.
>
> TPM1.2 has to use SHA1 - that is updated by the TPM2.
> Some old certificate was using SHA1. It will be deprecated and move to SHA256.
>
> Even UEFI spec defines MD5, but it does not mean a product has to use MD5.
> UEFI spec does not mandate that you must support MD5.
> Do you see any MD5 usage in BIOS except iSCSI?
>
> If no, I prefer to drop MD4/MD5 in this patch.
>
> Thank you
> Yao Jiewen
>
>
> > -----Original Message-----
> > From: Sukerkar, Amol N <amol.n.sukerkar@intel.com>
> > Sent: Wednesday, February 5, 2020 1:10 AM
> > To: Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; devel@edk2.groups.io
> > Cc: Wang, Jian J <jian.j.wang@intel.com>; Sukerkar, Amol N
> > <amol.n.sukerkar@intel.com>
> > Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement
> > Unified Hash Calculation API
> >
> > Hi Jiewen and Mike,
> >
> > I agree with general statement that MD4 and MD5 are deprecated.
> > However, Although not MD4, UEFI spec 2.8 still mentions MD5 (and
> > does not mention that it is deprecated). That is the reason MD4 and
> > MD5 were
> included.
> >
> > If there is going to be an update to UEFI spec deprecating MD5 as
> > well, we can definitely go ahead and remove MD5 (and MD4). I believe
> > the decision is should we wait until the change to UEFI spec or make
> > the change right now. Let me know which approach we should be following.
> >
> > Thanks,
> > Amol
> >
> > -----Original Message-----
> > From: Kinney, Michael D <michael.d.kinney@intel.com>
> > Sent: Tuesday, February 04, 2020 9:26 AM
> > To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io;
> > Kinney, Michael D <michael.d.kinney@intel.com>; Sukerkar, Amol N
> > <amol.n.sukerkar@intel.com>
> > Cc: Wang, Jian J <jian.j.wang@intel.com>
> > Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement
> > Unified Hash Calculation API
> >
> > Jiewen,
> >
> > I think UINT8 is fine. We can change default to 0x04 in DEC file.
> >
> > I will let Amol comment on why MD4 and MD5 are included. If they
> > are not required, then I agree they should be removed.
> >
> > I do not see a reason to align with TCG spec. The HashApiLib is a
> > layer on top of BaseCryptLib and the use of hash algorithms is not
> > limited to TCG related content. The BaseCryptLib could potentially
> > adopt hash algorithms that are not defined in the TCG specification.
> > We also do not want CryptoPkg to depend on the SecurityPkg.
> >
> > Thanks,
> >
> > Mike
> >
> > > -----Original Message-----
> > > From: Yao, Jiewen <jiewen.yao@intel.com>
> > > Sent: Monday, February 3, 2020 6:54 PM
> > > To: Kinney, Michael D <michael.d.kinney@intel.com>;
> > > devel@edk2.groups.io
> > > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>
> > > Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> > > Implement Unified Hash Calculation API
> > >
> > > Thanks Mike, to cover us during Chinese New Year holiday.
> > >
> > > I am just back from vocation. A minor comment:
> > >
> > > The PcdHashApiLibPolicy is UINT8, but the value is shown as 32bit
> > > 0x00000004.
> > >
> > > There are couple of ways to enhance:
> > > 1) Define UINT8, and use 8bit style 0x04.
> > > 2) Define UINT32, and use 32bit style 0x00000004.
> > > 3) Define UINT16 (match TCG definition), and use TCG defined value.
> > > (Tpm20.h)
> > > #define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
> > > #define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
> > > #define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
> > > #define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
> > > #define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
> > >
> > > MD4 and MD5 are known as insecure and deprecated. I doubt if we
> > > want to add such support. (I strong recommend NO).
> > >
> > > If we can remove MD4 and MD5, I think we can use #3.
> > >
> > > Thank you
> > > Yao Jiewen
> > >
> > > > -----Original Message-----
> > > > From: Kinney, Michael D <michael.d.kinney@intel.com>
> > > > Sent: Tuesday, February 4, 2020 7:36 AM
> > > > To: devel@edk2.groups.io
> > > > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> > > Yao, Jiewen
> > > > <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>
> > > > Subject: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> > > Implement Unified Hash
> > > > Calculation API
> > > >
> > > > From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
> > > >
> > > > https://bugzilla.tianocore.org/show_bug.cgi?id=2151
> > > >
> > > > This commit introduces a Unified Hash API to
> > > calculate hash using a
> > > > hashing algorithm specified by the PCD,
> > > PcdHashApiLibPolicy. This library
> > > > interfaces with the various hashing API, such as,
> > > MD4, MD5, SHA1, SHA256,
> > > > SHA512 and SM3_256 implemented in BaseCryptLib. The
> > > user can calculate
> > > > the desired hash by setting PcdHashApiLibPolicy to
> > > appropriate value.
> > > >
> > > > This feature is documented in the Bugzilla,
> > > > https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
> > > >
> > > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > > Signed-off-by: Amol N Sukerkar
> > > <amol.n.sukerkar@intel.com>
> > > > Reviewed-by: Michael D Kinney
> > > <michael.d.kinney@intel.com>
> > > > ---
> > > > CryptoPkg/CryptoPkg.dec | 20
> > > ++
> > > > CryptoPkg/CryptoPkg.dsc | 4
> > > +-
> > > > CryptoPkg/CryptoPkg.uni | 18
> > > +-
> > > > CryptoPkg/Include/Library/HashApiLib.h | 122
> > > +++++++
> > > > .../Library/BaseHashApiLib/BaseHashApiLib.c | 330
> > > ++++++++++++++++++
> > > > .../Library/BaseHashApiLib/BaseHashApiLib.inf | 44
> > > +++
> > > > .../Library/BaseHashApiLib/BaseHashApiLib.uni | 17
> > > +
> > > > 7 files changed, 553 insertions(+), 2 deletions(-) create mode
> > > > 100644
> > > CryptoPkg/Include/Library/HashApiLib.h
> > > > create mode 100644
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > create mode 100644
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > create mode 100644
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > >
> > > > diff --git a/CryptoPkg/CryptoPkg.dec
> > > b/CryptoPkg/CryptoPkg.dec
> > > > index 41af6e879e..8ad0fb5d61 100644
> > > > --- a/CryptoPkg/CryptoPkg.dec
> > > > +++ b/CryptoPkg/CryptoPkg.dec
> > > > @@ -33,9 +33,29 @@ [LibraryClasses]
> > > > ##
> > > > TlsLib|Include/Library/TlsLib.h
> > > >
> > > > + ## @libraryclass Provides Unified API for
> > > different hash implementations.
> > > > + #
> > > > + HashApiLib|Include/Library/HashApiLib.h
> > > > +
> > > > [Guids]
> > > > ## Crypto package token space guid.
> > > > gEfiCryptoPkgTokenSpaceGuid = { 0x6bd7de60,
> > > 0x9ef7, 0x4899, { 0x97,
> > > > 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
> > > >
> > > > +[PcdsFixedAtBuild, PcdsPatchableInModule,
> > > PcdsDynamic, PcdsDynamicEx]
> > > > + ## This PCD indicates the HASH algorithm to
> > > calculate hash of data
> > > > + # Based on the value set, the required algorithm
> > > is chosen to calculate
> > > > + # the hash of data.<BR>
> > > > + # The default hashing algorithm for
> > > BaseHashApiLib is set to SHA256.<BR>
> > > > + # 0x00000001 - MD4.<BR>
> > > > + # 0x00000002 - MD5.<BR>
> > > > + # 0x00000003 - SHA1.<BR>
> > > > + # 0x00000004 - SHA256.<BR>
> > > > + # 0x00000005 - SHA384.<BR>
> > > > + # 0x00000006 - SHA512.<BR>
> > > > + # 0x00000007 - SM3_256.<BR>
> > > > + # @Prompt Set policy for hashing unsigned image
> > > for Secure Boot.
> > > > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > > > +
> > > >
> > > gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UI
> > > NT8|0x00000001
> > > > +
> > > > [UserExtensions.TianoCore."ExtraFiles"]
> > > > CryptoPkgExtra.uni
> > > > diff --git a/CryptoPkg/CryptoPkg.dsc
> > > b/CryptoPkg/CryptoPkg.dsc
> > > > index ec43c1f0a4..9656a73b3c 100644
> > > > --- a/CryptoPkg/CryptoPkg.dsc
> > > > +++ b/CryptoPkg/CryptoPkg.dsc
> > > > @@ -1,7 +1,7 @@
> > > > ## @file
> > > > # Cryptographic Library Package for UEFI Security
> > > Implementation.
> > > > #
> > > > -# Copyright (c) 2009 - 2018, Intel Corporation. All
> > > rights reserved.<BR>
> > > > +# Copyright (c) 2009 - 2020, Intel Corporation. All
> > > rights reserved.<BR>
> > > > # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -44,6
> > > > +44,7 @@ [LibraryClasses]
> > > >
> > > >
> > > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLi
> > > b.inf
> > > >
> > > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > > +
> > > HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApi
> > > Lib.inf
> > > >
> > > > [LibraryClasses.ARM, LibraryClasses.AARCH64]
> > > > #
> > > > @@ -120,6 +121,7 @@ [Components]
> > > > CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> > > > CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > > > +
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > >
> > > > [Components.IA32, Components.X64]
> > > > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > > > diff --git a/CryptoPkg/CryptoPkg.uni
> > > b/CryptoPkg/CryptoPkg.uni
> > > > index beb0036ef5..0dae4c4045 100644
> > > > --- a/CryptoPkg/CryptoPkg.uni
> > > > +++ b/CryptoPkg/CryptoPkg.uni
> > > > @@ -4,7 +4,7 @@
> > > > // This Package provides cryptographic-related
> > > libraries for UEFI security
> > > > modules.
> > > > // It also provides a test application to test
> > > libraries.
> > > > //
> > > > -// Copyright (c) 2009 - 2018, Intel Corporation. All
> > > rights reserved.<BR>
> > > > +// Copyright (c) 2009 - 2020, Intel Corporation. All
> > > rights reserved.<BR>
> > > > //
> > > > // SPDX-License-Identifier: BSD-2-Clause-Patent // @@ -17,3
> > > > +17,19 @@
> > > >
> > > >
> > > >
> > > > +#string
> > > STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PRO
> > > MPT
> > > > #language en-US "HASH algorithm to calculate hash"
> > > > +
> > > > +#string
> > > STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HEL
> > > P
> > > > #language en-US "This PCD indicates the HASH
> > > algorithm to calculate hash of
> > > > data.<BR><BR>\n"
> > > > +
> > > "Based on the value set, the
> > > > required algorithm is chosen to calculate\n"
> > > > +
> > > "the hash of data.<BR>\n"
> > > > +
> > > "The default hashing algorithm
> > > > for BaseHashApiLib is set to SHA256.<BR>\n"
> > > > +
> > > "0x00000001 - MD4.<BR>\n"
> > > > +
> > > "0x00000002 - MD5.<BR>\n"
> > > > +
> > > "0x00000003 - SHA1.<BR>\n"
> > > > +
> > > "0x00000004 -
> > > > SHA256.<BR>\n"
> > > > +
> > > "0x00000005 -
> > > > SHA384.<BR>\n"
> > > > +
> > > "0x00000006 -
> > > > SHA512.<BR>\n"
> > > > +
> > > "0x00000007 - SM3.<BR>"
> > > > +
> > > > +
> > > > +
> > > > diff --git a/CryptoPkg/Include/Library/HashApiLib.h
> > > > b/CryptoPkg/Include/Library/HashApiLib.h
> > > > new file mode 100644
> > > > index 0000000000..22068e5a17
> > > > --- /dev/null
> > > > +++ b/CryptoPkg/Include/Library/HashApiLib.h
> > > > @@ -0,0 +1,122 @@
> > > > +/** @file
> > > > + Unified Hash API Defines
> > > > +
> > > > + This API when called will calculate the Hash using
> > > the
> > > > + hashing algorithm specified by
> > > PcdHashApiLibPolicy.
> > > > +
> > > > + Copyright (c) 2020, Intel Corporation. All rights
> > > reserved.<BR>
> > > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > +
> > > > +**/
> > > > +
> > > > +#ifndef __BASEHASHAPILIB_H_
> > > > +#define __BASEHASHAPILIB_H_
> > > > +
> > > > +typedef VOID *HASH_API_CONTEXT;
> > > > +
> > > > +//
> > > > +// Hash Algorithms
> > > > +//
> > > > +#define HASH_API_ALGO_INVALID 0x00000000
> > > > +#define HASH_API_ALGO_MD4 0x00000001
> > > > +#define HASH_API_ALGO_MD5 0x00000002
> > > > +#define HASH_API_ALGO_SHA1 0x00000003
> > > > +#define HASH_API_ALGO_SHA256 0x00000004
> > > > +#define HASH_API_ALGO_SHA384 0x00000005
> > > > +#define HASH_API_ALGO_SHA512 0x00000006
> > > > +#define HASH_API_ALGO_SM3_256 0x00000007
> > > > +
> > > > +/**
> > > > + Retrieves the size, in bytes, of the context
> > > buffer required for hash operations.
> > > > +
> > > > + @return The size, in bytes, of the context buffer
> > > required for hash operations.
> > > > +**/
> > > > +UINTN
> > > > +EFIAPI
> > > > +HashApiGetContextSize (
> > > > + VOID
> > > > + );
> > > > +
> > > > +/**
> > > > + Init hash sequence.
> > > > +
> > > > + @param[out] HashContext Hash context.
> > > > +
> > > > + @retval TRUE Hash start and HashHandle
> > > returned.
> > > > + @retval FALSE Hash Init unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiInit (
> > > > + OUT HASH_API_CONTEXT HashContext
> > > > + );
> > > > +
> > > > +/**
> > > > + Makes a copy of an existing hash context.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[out] NewHashContext New copy of hash
> > > context.
> > > > +
> > > > + @retval TRUE Hash context copy succeeded.
> > > > + @retval FALSE Hash context copy failed.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiDuplicate (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + OUT HASH_API_CONTEXT NewHashContext
> > > > + );
> > > > +
> > > > +/**
> > > > + Update hash data.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[in] DataToHash Data to be hashed.
> > > > + @param[in] DataToHashLen Data size.
> > > > +
> > > > + @retval TRUE Hash updated.
> > > > + @retval FALSE Hash updated unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiUpdate (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + IN VOID *DataToHash,
> > > > + IN UINTN DataToHashLen
> > > > + );
> > > > +
> > > > +/**
> > > > + Hash complete.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[out] Digest Hash Digest.
> > > > +
> > > > + @retval TRUE Hash complete and Digest is
> > > returned.
> > > > + @retval FALSE Hash complete unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiFinal (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + OUT UINT8 *Digest
> > > > + );
> > > > +
> > > > +/**
> > > > + Computes hash message digest of a input data
> > > buffer.
> > > > +
> > > > + @param[in] DataToHash Data to be hashed.
> > > > + @param[in] DataToHashLen Data size.
> > > > + @param[out] Digest Hash Digest.
> > > > +
> > > > + @retval TRUE Hash digest computation succeeded.
> > > > + @retval FALSE Hash digest computation failed.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiHashAll (
> > > > + IN CONST VOID *DataToHash,
> > > > + IN UINTN DataToHashLen,
> > > > + OUT UINT8 *Digest
> > > > + );
> > > > +
> > > > +#endif
> > > > diff --git
> > > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > new file mode 100644
> > > > index 0000000000..277ef9f0b4
> > > > --- /dev/null
> > > > +++
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > @@ -0,0 +1,330 @@
> > > > +/** @file
> > > > + Unified Hash API Implementation
> > > > +
> > > > + This file implements the Unified Hash API.
> > > > +
> > > > + This API, when called, will calculate the Hash
> > > using the
> > > > + hashing algorithm specified by
> > > PcdHashApiLibPolicy.
> > > > +
> > > > + Copyright (c) 2020, Intel Corporation. All rights
> > > reserved.<BR>
> > > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > +
> > > > +**/
> > > > +
> > > > +#include <Base.h>
> > > > +#include <Library/BaseLib.h>
> > > > +#include <Library/BaseMemoryLib.h> #include
> > > > +<Library/MemoryAllocationLib.h> #include
> > > > +<Library/BaseCryptLib.h> #include <Library/DebugLib.h> #include
> > > > +<Library/PcdLib.h> #include <Library/HashApiLib.h>
> > > > +
> > > > +/**
> > > > + Retrieves the size, in bytes, of the context
> > > buffer required for hash operations.
> > > > +
> > > > + @return The size, in bytes, of the context buffer
> > > required for hash operations.
> > > > +**/
> > > > +UINTN
> > > > +EFIAPI
> > > > +HashApiGetContextSize (
> > > > + VOID
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3GetContextSize ();
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return 0;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Init hash sequence.
> > > > +
> > > > + @param[out] HashContext Hash context.
> > > > +
> > > > + @retval TRUE Hash start and HashHandle
> > > returned.
> > > > + @retval FALSE Hash Init unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiInit (
> > > > + OUT HASH_API_CONTEXT HashContext
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3Init (HashContext);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Makes a copy of an existing hash context.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[out] NewHashContext New copy of hash
> > > context.
> > > > +
> > > > + @retval TRUE Hash context copy succeeded.
> > > > + @retval FALSE Hash context copy failed.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiDuplicate (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + OUT HASH_API_CONTEXT NewHashContext
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Update hash data.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[in] DataToHash Data to be hashed.
> > > > + @param[in] DataToHashLen Data size.
> > > > +
> > > > + @retval TRUE Hash updated.
> > > > + @retval FALSE Hash updated unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiUpdate (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + IN VOID *DataToHash,
> > > > + IN UINTN DataToHashLen
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Hash complete.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[out] Digest Hash Digest.
> > > > +
> > > > + @retval TRUE Hash complete and Digest is
> > > returned.
> > > > + @retval FALSE Hash complete unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiFinal (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + OUT UINT8 *Digest
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Computes hash message digest of a input data
> > > buffer.
> > > > +
> > > > + @param[in] DataToHash Data to be hashed.
> > > > + @param[in] DataToHashLen Data size.
> > > > + @param[out] Digest Hash Digest.
> > > > +
> > > > + @retval TRUE Hash digest computation succeeded.
> > > > + @retval FALSE Hash digest computation failed.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiHashAll (
> > > > + IN CONST VOID *DataToHash,
> > > > + IN UINTN DataToHashLen,
> > > > + OUT UINT8 *Digest
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4HashAll (DataToHash, DataToHashLen,
> > > Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5HashAll (DataToHash, DataToHashLen,
> > > Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1HashAll (DataToHash, DataToHashLen,
> > > Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256HashAll (DataToHash,
> > > DataToHashLen, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384HashAll (DataToHash,
> > > DataToHashLen, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512HashAll (DataToHash,
> > > DataToHashLen, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3HashAll (DataToHash, DataToHashLen,
> > > Digest);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > diff --git
> > > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > new file mode 100644
> > > > index 0000000000..b4d8675ddd
> > > > --- /dev/null
> > > > +++
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > @@ -0,0 +1,44 @@
> > > > +## @file
> > > > +# Provides Unified API for Hash Calculation # # This library
> > > > +is BaseHashApiLib. It will redirect
> > > hash request to
> > > > +# each individual hash API, such as SHA1, SHA256,
> > > SHA384, SM3 based
> > > > +# on hashing algorithm specified by
> > > PcdHashApiLibPolicy.
> > > > +#
> > > > +# Copyright (c) 2020, Intel Corporation. All rights
> > > reserved.<BR>
> > > > +# SPDX-License-Identifier: BSD-2-Clause-Patent # ##
> > > > +
> > > > +[Defines]
> > > > + INF_VERSION = 0x00010005
> > > > + BASE_NAME = BaseHashApiLib
> > > > + MODULE_UNI_FILE =
> > > BaseHashApiLib.uni
> > > > + FILE_GUID = B1E566DD-DE7C-
> > > 4F04-BDA0-B1295D3BE927
> > > > + MODULE_TYPE = BASE
> > > > + VERSION_STRING = 1.0
> > > > + LIBRARY_CLASS = BaseHashApiLib
> > > > +
> > > > +#
> > > > +# The following information is for reference only
> > > and not required by the build
> > > > tools.
> > > > +#
> > > > +# VALID_ARCHITECTURES = IA32 X64
> > > > +#
> > > > +
> > > > +[Sources]
> > > > + BaseHashApiLib.c
> > > > +
> > > > +[Packages]
> > > > + MdePkg/MdePkg.dec
> > > > + CryptoPkg/CryptoPkg.dec
> > > > +
> > > > +[LibraryClasses]
> > > > + BaseLib
> > > > + BaseMemoryLib
> > > > + DebugLib
> > > > + MemoryAllocationLib
> > > > + BaseCryptLib
> > > > + PcdLib
> > > > +
> > > > +[Pcd]
> > > > + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy
> > > ## CONSUMES
> > > > diff --git
> > > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > > new file mode 100644
> > > > index 0000000000..49ba82e86f
> > > > --- /dev/null
> > > > +++
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > > @@ -0,0 +1,17 @@
> > > > +// /** @file
> > > > +// Provides Unified API for Hash Calculation // // This library
> > > > +is BaseHashApiLib. It will redirect
> > > hash request to
> > > > +// each individual hash API, such as SHA1, SHA256,
> > > SHA384, SM3 based
> > > > +// on hashing algorithm specified by
> > > PcdHashApiLibPolicy.
> > > > +//
> > > > +// Copyright (c) 2020, Intel Corporation. All rights
> > > reserved.<BR>
> > > > +//
> > > > +// SPDX-License-Identifier: BSD-2-Clause-Patent // // **/
> > > > +
> > > > +
> > > > +#string STR_MODULE_ABSTRACT #language
> > > en-US "Provides hash
> > > > service by specified hash handler"
> > > > +
> > > > +#string STR_MODULE_DESCRIPTION #language
> > > en-US "This library is
> > > > Unified Hash API. It will redirect hash request to
> > > the hash handler specified by
> > > > PcdHashApiLibPolicy."
> > > > --
> > > > 2.21.0.windows.1
> >
> >
>
>
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-04 22:54 ` Yao, Jiewen
@ 2020-02-05 1:04 ` Michael D Kinney
2020-02-05 1:32 ` Yao, Jiewen
0 siblings, 1 reply; 20+ messages in thread
From: Michael D Kinney @ 2020-02-05 1:04 UTC (permalink / raw)
To: Yao, Jiewen, devel@edk2.groups.io, Sukerkar, Amol N,
Kinney, Michael D
Cc: Wang, Jian J
Jiewen,
Thanks for pointing to the content in MdePkg.
I agree that we could include <IndustryStandard/Tpm20.h>
in BaseHashApiLib implementation and use the subset of
TPM_ALG_* define values for both the lib implementation
and the PCD description. This will allow us to remove
the extra #defines from the HashApiLib.h class.
Mike
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Tuesday, February 4, 2020 2:54 PM
> To: Kinney, Michael D <michael.d.kinney@intel.com>;
> devel@edk2.groups.io; Sukerkar, Amol N
> <amol.n.sukerkar@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> Implement Unified Hash Calculation API
>
> Mike
> The problem of defining a set of algo ID is that I have
> to remember the ID.
> I feel frustrated whenever I need match one ID to the
> other ID.
>
> Currently, UEFI secure boot and TCG trusted boot are
> important feature. If we can align to one of them, it
> is easier. I believe if we have a consistent ID
> mapping, it will be much better for developer.
>
> Current TPM20.h is defined in MdePkg (not in
> SecurityPkg) and is considered as an industry standard.
> I do not see any dependency issue.
>
> We can define a new set - not a technical problem. I am
> just not sure why we have to. Or we can define it with
> the same value as TPM. See below list. I believe it
> will cover majority of current usage and current
> standard.
> > > > + # 0x0004 - SHA1.<BR>
> > > > + # 0x000B - SHA256.<BR>
> > > > + # 0x000C - SHA384.<BR>
> > > > + # 0x000D - SHA512.<BR>
> > > > + # 0x0012 - SM3_256.<BR>
> > > > + # 0x0027 - SHA3_256.<BR>
> > > > + # 0x0028 - SHA3_384.<BR>
> > > > + # 0x0029 - SHA3_512.<BR>
>
>
>
>
> > -----Original Message-----
> > From: Kinney, Michael D <michael.d.kinney@intel.com>
> > Sent: Wednesday, February 5, 2020 12:26 AM
> > To: Yao, Jiewen <jiewen.yao@intel.com>;
> devel@edk2.groups.io; Kinney,
> > Michael D <michael.d.kinney@intel.com>; Sukerkar,
> Amol N
> > <amol.n.sukerkar@intel.com>
> > Cc: Wang, Jian J <jian.j.wang@intel.com>
> > Subject: RE: [Patch v10 2/2]
> CryptoPkg/BaseHashApiLib: Implement Unified Hash
> > Calculation API
> >
> > Jiewen,
> >
> > I think UINT8 is fine. We can change default to 0x04
> in DEC file.
> >
> > I will let Amol comment on why MD4 and MD5 are
> included. If
> > they are not required, then I agree they should be
> removed.
> >
> > I do not see a reason to align with TCG spec. The
> HashApiLib
> > is a layer on top of BaseCryptLib and the use of hash
> algorithms
> > is not limited to TCG related content. The
> BaseCryptLib
> > could potentially adopt hash algorithms that are not
> defined
> > in the TCG specification. We also do not want
> CryptoPkg to
> > depend on the SecurityPkg.
> >
> > Thanks,
> >
> > Mike
> >
> > > -----Original Message-----
> > > From: Yao, Jiewen <jiewen.yao@intel.com>
> > > Sent: Monday, February 3, 2020 6:54 PM
> > > To: Kinney, Michael D <michael.d.kinney@intel.com>;
> > > devel@edk2.groups.io
> > > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> Wang,
> > > Jian J <jian.j.wang@intel.com>
> > > Subject: RE: [Patch v10 2/2]
> CryptoPkg/BaseHashApiLib:
> > > Implement Unified Hash Calculation API
> > >
> > > Thanks Mike, to cover us during Chinese New Year
> > > holiday.
> > >
> > > I am just back from vocation. A minor comment:
> > >
> > > The PcdHashApiLibPolicy is UINT8, but the value is
> > > shown as 32bit 0x00000004.
> > >
> > > There are couple of ways to enhance:
> > > 1) Define UINT8, and use 8bit style 0x04.
> > > 2) Define UINT32, and use 32bit style 0x00000004.
> > > 3) Define UINT16 (match TCG definition), and use
> TCG
> > > defined value. (Tpm20.h)
> > > #define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
> > > #define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
> > > #define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
> > > #define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
> > > #define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
> > >
> > > MD4 and MD5 are known as insecure and deprecated. I
> > > doubt if we want to add such support. (I strong
> > > recommend NO).
> > >
> > > If we can remove MD4 and MD5, I think we can use
> #3.
> > >
> > > Thank you
> > > Yao Jiewen
> > >
> > > > -----Original Message-----
> > > > From: Kinney, Michael D
> <michael.d.kinney@intel.com>
> > > > Sent: Tuesday, February 4, 2020 7:36 AM
> > > > To: devel@edk2.groups.io
> > > > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> > > Yao, Jiewen
> > > > <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>
> > > > Subject: [Patch v10 2/2]
> CryptoPkg/BaseHashApiLib:
> > > Implement Unified Hash
> > > > Calculation API
> > > >
> > > > From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
> > > >
> > > >
> https://bugzilla.tianocore.org/show_bug.cgi?id=2151
> > > >
> > > > This commit introduces a Unified Hash API to
> > > calculate hash using a
> > > > hashing algorithm specified by the PCD,
> > > PcdHashApiLibPolicy. This library
> > > > interfaces with the various hashing API, such as,
> > > MD4, MD5, SHA1, SHA256,
> > > > SHA512 and SM3_256 implemented in BaseCryptLib.
> The
> > > user can calculate
> > > > the desired hash by setting PcdHashApiLibPolicy
> to
> > > appropriate value.
> > > >
> > > > This feature is documented in the Bugzilla,
> > > >
> https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
> > > >
> > > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > > Signed-off-by: Amol N Sukerkar
> > > <amol.n.sukerkar@intel.com>
> > > > Reviewed-by: Michael D Kinney
> > > <michael.d.kinney@intel.com>
> > > > ---
> > > > CryptoPkg/CryptoPkg.dec |
> 20
> > > ++
> > > > CryptoPkg/CryptoPkg.dsc |
> 4
> > > +-
> > > > CryptoPkg/CryptoPkg.uni |
> 18
> > > +-
> > > > CryptoPkg/Include/Library/HashApiLib.h |
> 122
> > > +++++++
> > > > .../Library/BaseHashApiLib/BaseHashApiLib.c |
> 330
> > > ++++++++++++++++++
> > > > .../Library/BaseHashApiLib/BaseHashApiLib.inf |
> 44
> > > +++
> > > > .../Library/BaseHashApiLib/BaseHashApiLib.uni |
> 17
> > > +
> > > > 7 files changed, 553 insertions(+), 2
> deletions(-)
> > > > create mode 100644
> > > CryptoPkg/Include/Library/HashApiLib.h
> > > > create mode 100644
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > create mode 100644
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > create mode 100644
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > >
> > > > diff --git a/CryptoPkg/CryptoPkg.dec
> > > b/CryptoPkg/CryptoPkg.dec
> > > > index 41af6e879e..8ad0fb5d61 100644
> > > > --- a/CryptoPkg/CryptoPkg.dec
> > > > +++ b/CryptoPkg/CryptoPkg.dec
> > > > @@ -33,9 +33,29 @@ [LibraryClasses]
> > > > ##
> > > > TlsLib|Include/Library/TlsLib.h
> > > >
> > > > + ## @libraryclass Provides Unified API for
> > > different hash implementations.
> > > > + #
> > > > + HashApiLib|Include/Library/HashApiLib.h
> > > > +
> > > > [Guids]
> > > > ## Crypto package token space guid.
> > > > gEfiCryptoPkgTokenSpaceGuid = {
> 0x6bd7de60,
> > > 0x9ef7, 0x4899, { 0x97,
> > > > 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
> > > >
> > > > +[PcdsFixedAtBuild, PcdsPatchableInModule,
> > > PcdsDynamic, PcdsDynamicEx]
> > > > + ## This PCD indicates the HASH algorithm to
> > > calculate hash of data
> > > > + # Based on the value set, the required
> algorithm
> > > is chosen to calculate
> > > > + # the hash of data.<BR>
> > > > + # The default hashing algorithm for
> > > BaseHashApiLib is set to SHA256.<BR>
> > > > + # 0x00000001 - MD4.<BR>
> > > > + # 0x00000002 - MD5.<BR>
> > > > + # 0x00000003 - SHA1.<BR>
> > > > + # 0x00000004 - SHA256.<BR>
> > > > + # 0x00000005 - SHA384.<BR>
> > > > + # 0x00000006 - SHA512.<BR>
> > > > + # 0x00000007 - SM3_256.<BR>
> > > > + # @Prompt Set policy for hashing unsigned
> image
> > > for Secure Boot.
> > > > + # @ValidRange 0x80000001 | 0x00000001 -
> 0x00000007
> > > > +
> > > >
> > >
> gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UI
> > > NT8|0x00000001
> > > > +
> > > > [UserExtensions.TianoCore."ExtraFiles"]
> > > > CryptoPkgExtra.uni
> > > > diff --git a/CryptoPkg/CryptoPkg.dsc
> > > b/CryptoPkg/CryptoPkg.dsc
> > > > index ec43c1f0a4..9656a73b3c 100644
> > > > --- a/CryptoPkg/CryptoPkg.dsc
> > > > +++ b/CryptoPkg/CryptoPkg.dsc
> > > > @@ -1,7 +1,7 @@
> > > > ## @file
> > > > # Cryptographic Library Package for UEFI
> Security
> > > Implementation.
> > > > #
> > > > -# Copyright (c) 2009 - 2018, Intel Corporation.
> All
> > > rights reserved.<BR>
> > > > +# Copyright (c) 2009 - 2020, Intel Corporation.
> All
> > > rights reserved.<BR>
> > > > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > #
> > > > ##
> > > > @@ -44,6 +44,7 @@ [LibraryClasses]
> > > >
> > > >
> > >
> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLi
> > > b.inf
> > > >
> > >
> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > > +
> > >
> HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApi
> > > Lib.inf
> > > >
> > > > [LibraryClasses.ARM, LibraryClasses.AARCH64]
> > > > #
> > > > @@ -120,6 +121,7 @@ [Components]
> > > > CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> > > > CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > >
> CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > > > +
> > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > >
> > > > [Components.IA32, Components.X64]
> > > > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > > > diff --git a/CryptoPkg/CryptoPkg.uni
> > > b/CryptoPkg/CryptoPkg.uni
> > > > index beb0036ef5..0dae4c4045 100644
> > > > --- a/CryptoPkg/CryptoPkg.uni
> > > > +++ b/CryptoPkg/CryptoPkg.uni
> > > > @@ -4,7 +4,7 @@
> > > > // This Package provides cryptographic-related
> > > libraries for UEFI security
> > > > modules.
> > > > // It also provides a test application to test
> > > libraries.
> > > > //
> > > > -// Copyright (c) 2009 - 2018, Intel Corporation.
> All
> > > rights reserved.<BR>
> > > > +// Copyright (c) 2009 - 2020, Intel Corporation.
> All
> > > rights reserved.<BR>
> > > > //
> > > > // SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > //
> > > > @@ -17,3 +17,19 @@
> > > >
> > > >
> > > >
> > > > +#string
> > >
> STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PRO
> > > MPT
> > > > #language en-US "HASH algorithm to calculate
> hash"
> > > > +
> > > > +#string
> > >
> STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HEL
> > > P
> > > > #language en-US "This PCD indicates the HASH
> > > algorithm to calculate hash of
> > > > data.<BR><BR>\n"
> > > > +
> > > "Based on the value set, the
> > > > required algorithm is chosen to calculate\n"
> > > > +
> > > "the hash of data.<BR>\n"
> > > > +
> > > "The default hashing algorithm
> > > > for BaseHashApiLib is set to SHA256.<BR>\n"
> > > > +
> > > "0x00000001 - MD4.<BR>\n"
> > > > +
> > > "0x00000002 - MD5.<BR>\n"
> > > > +
> > > "0x00000003 - SHA1.<BR>\n"
> > > > +
> > > "0x00000004 -
> > > > SHA256.<BR>\n"
> > > > +
> > > "0x00000005 -
> > > > SHA384.<BR>\n"
> > > > +
> > > "0x00000006 -
> > > > SHA512.<BR>\n"
> > > > +
> > > "0x00000007 - SM3.<BR>"
> > > > +
> > > > +
> > > > +
> > > > diff --git
> a/CryptoPkg/Include/Library/HashApiLib.h
> > > > b/CryptoPkg/Include/Library/HashApiLib.h
> > > > new file mode 100644
> > > > index 0000000000..22068e5a17
> > > > --- /dev/null
> > > > +++ b/CryptoPkg/Include/Library/HashApiLib.h
> > > > @@ -0,0 +1,122 @@
> > > > +/** @file
> > > > + Unified Hash API Defines
> > > > +
> > > > + This API when called will calculate the Hash
> using
> > > the
> > > > + hashing algorithm specified by
> > > PcdHashApiLibPolicy.
> > > > +
> > > > + Copyright (c) 2020, Intel Corporation. All
> rights
> > > reserved.<BR>
> > > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > +
> > > > +**/
> > > > +
> > > > +#ifndef __BASEHASHAPILIB_H_
> > > > +#define __BASEHASHAPILIB_H_
> > > > +
> > > > +typedef VOID *HASH_API_CONTEXT;
> > > > +
> > > > +//
> > > > +// Hash Algorithms
> > > > +//
> > > > +#define HASH_API_ALGO_INVALID 0x00000000
> > > > +#define HASH_API_ALGO_MD4 0x00000001
> > > > +#define HASH_API_ALGO_MD5 0x00000002
> > > > +#define HASH_API_ALGO_SHA1 0x00000003
> > > > +#define HASH_API_ALGO_SHA256 0x00000004
> > > > +#define HASH_API_ALGO_SHA384 0x00000005
> > > > +#define HASH_API_ALGO_SHA512 0x00000006
> > > > +#define HASH_API_ALGO_SM3_256 0x00000007
> > > > +
> > > > +/**
> > > > + Retrieves the size, in bytes, of the context
> > > buffer required for hash operations.
> > > > +
> > > > + @return The size, in bytes, of the context
> buffer
> > > required for hash operations.
> > > > +**/
> > > > +UINTN
> > > > +EFIAPI
> > > > +HashApiGetContextSize (
> > > > + VOID
> > > > + );
> > > > +
> > > > +/**
> > > > + Init hash sequence.
> > > > +
> > > > + @param[out] HashContext Hash context.
> > > > +
> > > > + @retval TRUE Hash start and HashHandle
> > > returned.
> > > > + @retval FALSE Hash Init unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiInit (
> > > > + OUT HASH_API_CONTEXT HashContext
> > > > + );
> > > > +
> > > > +/**
> > > > + Makes a copy of an existing hash context.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[out] NewHashContext New copy of hash
> > > context.
> > > > +
> > > > + @retval TRUE Hash context copy
> succeeded.
> > > > + @retval FALSE Hash context copy failed.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiDuplicate (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + OUT HASH_API_CONTEXT NewHashContext
> > > > + );
> > > > +
> > > > +/**
> > > > + Update hash data.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[in] DataToHash Data to be hashed.
> > > > + @param[in] DataToHashLen Data size.
> > > > +
> > > > + @retval TRUE Hash updated.
> > > > + @retval FALSE Hash updated
> unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiUpdate (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + IN VOID *DataToHash,
> > > > + IN UINTN DataToHashLen
> > > > + );
> > > > +
> > > > +/**
> > > > + Hash complete.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[out] Digest Hash Digest.
> > > > +
> > > > + @retval TRUE Hash complete and Digest
> is
> > > returned.
> > > > + @retval FALSE Hash complete
> unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiFinal (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + OUT UINT8 *Digest
> > > > + );
> > > > +
> > > > +/**
> > > > + Computes hash message digest of a input data
> > > buffer.
> > > > +
> > > > + @param[in] DataToHash Data to be hashed.
> > > > + @param[in] DataToHashLen Data size.
> > > > + @param[out] Digest Hash Digest.
> > > > +
> > > > + @retval TRUE Hash digest computation
> succeeded.
> > > > + @retval FALSE Hash digest computation failed.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiHashAll (
> > > > + IN CONST VOID *DataToHash,
> > > > + IN UINTN DataToHashLen,
> > > > + OUT UINT8 *Digest
> > > > + );
> > > > +
> > > > +#endif
> > > > diff --git
> > > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > >
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > new file mode 100644
> > > > index 0000000000..277ef9f0b4
> > > > --- /dev/null
> > > > +++
> > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > @@ -0,0 +1,330 @@
> > > > +/** @file
> > > > + Unified Hash API Implementation
> > > > +
> > > > + This file implements the Unified Hash API.
> > > > +
> > > > + This API, when called, will calculate the Hash
> > > using the
> > > > + hashing algorithm specified by
> > > PcdHashApiLibPolicy.
> > > > +
> > > > + Copyright (c) 2020, Intel Corporation. All
> rights
> > > reserved.<BR>
> > > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > +
> > > > +**/
> > > > +
> > > > +#include <Base.h>
> > > > +#include <Library/BaseLib.h>
> > > > +#include <Library/BaseMemoryLib.h>
> > > > +#include <Library/MemoryAllocationLib.h>
> > > > +#include <Library/BaseCryptLib.h>
> > > > +#include <Library/DebugLib.h>
> > > > +#include <Library/PcdLib.h>
> > > > +#include <Library/HashApiLib.h>
> > > > +
> > > > +/**
> > > > + Retrieves the size, in bytes, of the context
> > > buffer required for hash operations.
> > > > +
> > > > + @return The size, in bytes, of the context
> buffer
> > > required for hash operations.
> > > > +**/
> > > > +UINTN
> > > > +EFIAPI
> > > > +HashApiGetContextSize (
> > > > + VOID
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512GetContextSize ();
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3GetContextSize ();
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return 0;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Init hash sequence.
> > > > +
> > > > + @param[out] HashContext Hash context.
> > > > +
> > > > + @retval TRUE Hash start and HashHandle
> > > returned.
> > > > + @retval FALSE Hash Init unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiInit (
> > > > + OUT HASH_API_CONTEXT HashContext
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512Init (HashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3Init (HashContext);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Makes a copy of an existing hash context.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[out] NewHashContext New copy of hash
> > > context.
> > > > +
> > > > + @retval TRUE Hash context copy
> succeeded.
> > > > + @retval FALSE Hash context copy failed.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiDuplicate (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + OUT HASH_API_CONTEXT NewHashContext
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3Duplicate (HashContext,
> > > NewHashContext);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Update hash data.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[in] DataToHash Data to be hashed.
> > > > + @param[in] DataToHashLen Data size.
> > > > +
> > > > + @retval TRUE Hash updated.
> > > > + @retval FALSE Hash updated
> unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiUpdate (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + IN VOID *DataToHash,
> > > > + IN UINTN DataToHashLen
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1Update (HashContext,
> DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256Update (HashContext,
> DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384Update (HashContext,
> DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512Update (HashContext,
> DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3Update (HashContext, DataToHash,
> > > DataToHashLen);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Hash complete.
> > > > +
> > > > + @param[in] HashContext Hash context.
> > > > + @param[out] Digest Hash Digest.
> > > > +
> > > > + @retval TRUE Hash complete and Digest
> is
> > > returned.
> > > > + @retval FALSE Hash complete
> unsuccessful.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiFinal (
> > > > + IN HASH_API_CONTEXT HashContext,
> > > > + OUT UINT8 *Digest
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3Final (HashContext, Digest);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > +
> > > > +/**
> > > > + Computes hash message digest of a input data
> > > buffer.
> > > > +
> > > > + @param[in] DataToHash Data to be hashed.
> > > > + @param[in] DataToHashLen Data size.
> > > > + @param[out] Digest Hash Digest.
> > > > +
> > > > + @retval TRUE Hash digest computation
> succeeded.
> > > > + @retval FALSE Hash digest computation failed.
> > > > +**/
> > > > +BOOLEAN
> > > > +EFIAPI
> > > > +HashApiHashAll (
> > > > + IN CONST VOID *DataToHash,
> > > > + IN UINTN DataToHashLen,
> > > > + OUT UINT8 *Digest
> > > > + )
> > > > +{
> > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > + case HASH_API_ALGO_MD4:
> > > > + return Md4HashAll (DataToHash,
> DataToHashLen,
> > > Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_MD5:
> > > > + return Md5HashAll (DataToHash,
> DataToHashLen,
> > > Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA1:
> > > > + return Sha1HashAll (DataToHash,
> DataToHashLen,
> > > Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA256:
> > > > + return Sha256HashAll (DataToHash,
> > > DataToHashLen, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA384:
> > > > + return Sha384HashAll (DataToHash,
> > > DataToHashLen, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SHA512:
> > > > + return Sha512HashAll (DataToHash,
> > > DataToHashLen, Digest);
> > > > + break;
> > > > +
> > > > + case HASH_API_ALGO_SM3_256:
> > > > + return Sm3HashAll (DataToHash,
> DataToHashLen,
> > > Digest);
> > > > + break;
> > > > +
> > > > + default:
> > > > + ASSERT (FALSE);
> > > > + return FALSE;
> > > > + break;
> > > > + }
> > > > +}
> > > > diff --git
> > >
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > >
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > new file mode 100644
> > > > index 0000000000..b4d8675ddd
> > > > --- /dev/null
> > > > +++
> > >
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > @@ -0,0 +1,44 @@
> > > > +## @file
> > > > +# Provides Unified API for Hash Calculation
> > > > +#
> > > > +# This library is BaseHashApiLib. It will
> redirect
> > > hash request to
> > > > +# each individual hash API, such as SHA1,
> SHA256,
> > > SHA384, SM3 based
> > > > +# on hashing algorithm specified by
> > > PcdHashApiLibPolicy.
> > > > +#
> > > > +# Copyright (c) 2020, Intel Corporation. All
> rights
> > > reserved.<BR>
> > > > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > +#
> > > > +##
> > > > +
> > > > +[Defines]
> > > > + INF_VERSION = 0x00010005
> > > > + BASE_NAME =
> BaseHashApiLib
> > > > + MODULE_UNI_FILE =
> > > BaseHashApiLib.uni
> > > > + FILE_GUID = B1E566DD-
> DE7C-
> > > 4F04-BDA0-B1295D3BE927
> > > > + MODULE_TYPE = BASE
> > > > + VERSION_STRING = 1.0
> > > > + LIBRARY_CLASS =
> BaseHashApiLib
> > > > +
> > > > +#
> > > > +# The following information is for reference
> only
> > > and not required by the build
> > > > tools.
> > > > +#
> > > > +# VALID_ARCHITECTURES = IA32 X64
> > > > +#
> > > > +
> > > > +[Sources]
> > > > + BaseHashApiLib.c
> > > > +
> > > > +[Packages]
> > > > + MdePkg/MdePkg.dec
> > > > + CryptoPkg/CryptoPkg.dec
> > > > +
> > > > +[LibraryClasses]
> > > > + BaseLib
> > > > + BaseMemoryLib
> > > > + DebugLib
> > > > + MemoryAllocationLib
> > > > + BaseCryptLib
> > > > + PcdLib
> > > > +
> > > > +[Pcd]
> > > > +
> gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy
> > > ## CONSUMES
> > > > diff --git
> > >
> a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > >
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > > new file mode 100644
> > > > index 0000000000..49ba82e86f
> > > > --- /dev/null
> > > > +++
> > >
> b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > > @@ -0,0 +1,17 @@
> > > > +// /** @file
> > > > +// Provides Unified API for Hash Calculation
> > > > +//
> > > > +// This library is BaseHashApiLib. It will
> redirect
> > > hash request to
> > > > +// each individual hash API, such as SHA1,
> SHA256,
> > > SHA384, SM3 based
> > > > +// on hashing algorithm specified by
> > > PcdHashApiLibPolicy.
> > > > +//
> > > > +// Copyright (c) 2020, Intel Corporation. All
> rights
> > > reserved.<BR>
> > > > +//
> > > > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > +//
> > > > +// **/
> > > > +
> > > > +
> > > > +#string STR_MODULE_ABSTRACT
> #language
> > > en-US "Provides hash
> > > > service by specified hash handler"
> > > > +
> > > > +#string STR_MODULE_DESCRIPTION
> #language
> > > en-US "This library is
> > > > Unified Hash API. It will redirect hash request
> to
> > > the hash handler specified by
> > > > PcdHashApiLibPolicy."
> > > > --
> > > > 2.21.0.windows.1
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-05 1:04 ` Michael D Kinney
@ 2020-02-05 1:32 ` Yao, Jiewen
0 siblings, 0 replies; 20+ messages in thread
From: Yao, Jiewen @ 2020-02-05 1:32 UTC (permalink / raw)
To: Kinney, Michael D, devel@edk2.groups.io, Sukerkar, Amol N; +Cc: Wang, Jian J
Thank you Mike.
> -----Original Message-----
> From: Kinney, Michael D <michael.d.kinney@intel.com>
> Sent: Wednesday, February 5, 2020 9:04 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Sukerkar,
> Amol N <amol.n.sukerkar@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>
> Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash
> Calculation API
>
> Jiewen,
>
> Thanks for pointing to the content in MdePkg.
>
> I agree that we could include <IndustryStandard/Tpm20.h>
> in BaseHashApiLib implementation and use the subset of
> TPM_ALG_* define values for both the lib implementation
> and the PCD description. This will allow us to remove
> the extra #defines from the HashApiLib.h class.
>
> Mike
>
> > -----Original Message-----
> > From: Yao, Jiewen <jiewen.yao@intel.com>
> > Sent: Tuesday, February 4, 2020 2:54 PM
> > To: Kinney, Michael D <michael.d.kinney@intel.com>;
> > devel@edk2.groups.io; Sukerkar, Amol N
> > <amol.n.sukerkar@intel.com>
> > Cc: Wang, Jian J <jian.j.wang@intel.com>
> > Subject: RE: [Patch v10 2/2] CryptoPkg/BaseHashApiLib:
> > Implement Unified Hash Calculation API
> >
> > Mike
> > The problem of defining a set of algo ID is that I have
> > to remember the ID.
> > I feel frustrated whenever I need match one ID to the
> > other ID.
> >
> > Currently, UEFI secure boot and TCG trusted boot are
> > important feature. If we can align to one of them, it
> > is easier. I believe if we have a consistent ID
> > mapping, it will be much better for developer.
> >
> > Current TPM20.h is defined in MdePkg (not in
> > SecurityPkg) and is considered as an industry standard.
> > I do not see any dependency issue.
> >
> > We can define a new set - not a technical problem. I am
> > just not sure why we have to. Or we can define it with
> > the same value as TPM. See below list. I believe it
> > will cover majority of current usage and current
> > standard.
> > > > > + # 0x0004 - SHA1.<BR>
> > > > > + # 0x000B - SHA256.<BR>
> > > > > + # 0x000C - SHA384.<BR>
> > > > > + # 0x000D - SHA512.<BR>
> > > > > + # 0x0012 - SM3_256.<BR>
> > > > > + # 0x0027 - SHA3_256.<BR>
> > > > > + # 0x0028 - SHA3_384.<BR>
> > > > > + # 0x0029 - SHA3_512.<BR>
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Kinney, Michael D <michael.d.kinney@intel.com>
> > > Sent: Wednesday, February 5, 2020 12:26 AM
> > > To: Yao, Jiewen <jiewen.yao@intel.com>;
> > devel@edk2.groups.io; Kinney,
> > > Michael D <michael.d.kinney@intel.com>; Sukerkar,
> > Amol N
> > > <amol.n.sukerkar@intel.com>
> > > Cc: Wang, Jian J <jian.j.wang@intel.com>
> > > Subject: RE: [Patch v10 2/2]
> > CryptoPkg/BaseHashApiLib: Implement Unified Hash
> > > Calculation API
> > >
> > > Jiewen,
> > >
> > > I think UINT8 is fine. We can change default to 0x04
> > in DEC file.
> > >
> > > I will let Amol comment on why MD4 and MD5 are
> > included. If
> > > they are not required, then I agree they should be
> > removed.
> > >
> > > I do not see a reason to align with TCG spec. The
> > HashApiLib
> > > is a layer on top of BaseCryptLib and the use of hash
> > algorithms
> > > is not limited to TCG related content. The
> > BaseCryptLib
> > > could potentially adopt hash algorithms that are not
> > defined
> > > in the TCG specification. We also do not want
> > CryptoPkg to
> > > depend on the SecurityPkg.
> > >
> > > Thanks,
> > >
> > > Mike
> > >
> > > > -----Original Message-----
> > > > From: Yao, Jiewen <jiewen.yao@intel.com>
> > > > Sent: Monday, February 3, 2020 6:54 PM
> > > > To: Kinney, Michael D <michael.d.kinney@intel.com>;
> > > > devel@edk2.groups.io
> > > > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> > Wang,
> > > > Jian J <jian.j.wang@intel.com>
> > > > Subject: RE: [Patch v10 2/2]
> > CryptoPkg/BaseHashApiLib:
> > > > Implement Unified Hash Calculation API
> > > >
> > > > Thanks Mike, to cover us during Chinese New Year
> > > > holiday.
> > > >
> > > > I am just back from vocation. A minor comment:
> > > >
> > > > The PcdHashApiLibPolicy is UINT8, but the value is
> > > > shown as 32bit 0x00000004.
> > > >
> > > > There are couple of ways to enhance:
> > > > 1) Define UINT8, and use 8bit style 0x04.
> > > > 2) Define UINT32, and use 32bit style 0x00000004.
> > > > 3) Define UINT16 (match TCG definition), and use
> > TCG
> > > > defined value. (Tpm20.h)
> > > > #define TPM_ALG_SHA1 (TPM_ALG_ID)(0x0004)
> > > > #define TPM_ALG_SHA256 (TPM_ALG_ID)(0x000B)
> > > > #define TPM_ALG_SHA384 (TPM_ALG_ID)(0x000C)
> > > > #define TPM_ALG_SHA512 (TPM_ALG_ID)(0x000D)
> > > > #define TPM_ALG_SM3_256 (TPM_ALG_ID)(0x0012)
> > > >
> > > > MD4 and MD5 are known as insecure and deprecated. I
> > > > doubt if we want to add such support. (I strong
> > > > recommend NO).
> > > >
> > > > If we can remove MD4 and MD5, I think we can use
> > #3.
> > > >
> > > > Thank you
> > > > Yao Jiewen
> > > >
> > > > > -----Original Message-----
> > > > > From: Kinney, Michael D
> > <michael.d.kinney@intel.com>
> > > > > Sent: Tuesday, February 4, 2020 7:36 AM
> > > > > To: devel@edk2.groups.io
> > > > > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> > > > Yao, Jiewen
> > > > > <jiewen.yao@intel.com>; Wang, Jian J
> > > > <jian.j.wang@intel.com>
> > > > > Subject: [Patch v10 2/2]
> > CryptoPkg/BaseHashApiLib:
> > > > Implement Unified Hash
> > > > > Calculation API
> > > > >
> > > > > From: Amol N Sukerkar <amol.n.sukerkar@intel.com>
> > > > >
> > > > >
> > https://bugzilla.tianocore.org/show_bug.cgi?id=2151
> > > > >
> > > > > This commit introduces a Unified Hash API to
> > > > calculate hash using a
> > > > > hashing algorithm specified by the PCD,
> > > > PcdHashApiLibPolicy. This library
> > > > > interfaces with the various hashing API, such as,
> > > > MD4, MD5, SHA1, SHA256,
> > > > > SHA512 and SM3_256 implemented in BaseCryptLib.
> > The
> > > > user can calculate
> > > > > the desired hash by setting PcdHashApiLibPolicy
> > to
> > > > appropriate value.
> > > > >
> > > > > This feature is documented in the Bugzilla,
> > > > >
> > https://bugzilla.tianocore.org/show_bug.cgi?id=2151.
> > > > >
> > > > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > > > Signed-off-by: Amol N Sukerkar
> > > > <amol.n.sukerkar@intel.com>
> > > > > Reviewed-by: Michael D Kinney
> > > > <michael.d.kinney@intel.com>
> > > > > ---
> > > > > CryptoPkg/CryptoPkg.dec |
> > 20
> > > > ++
> > > > > CryptoPkg/CryptoPkg.dsc |
> > 4
> > > > +-
> > > > > CryptoPkg/CryptoPkg.uni |
> > 18
> > > > +-
> > > > > CryptoPkg/Include/Library/HashApiLib.h |
> > 122
> > > > +++++++
> > > > > .../Library/BaseHashApiLib/BaseHashApiLib.c |
> > 330
> > > > ++++++++++++++++++
> > > > > .../Library/BaseHashApiLib/BaseHashApiLib.inf |
> > 44
> > > > +++
> > > > > .../Library/BaseHashApiLib/BaseHashApiLib.uni |
> > 17
> > > > +
> > > > > 7 files changed, 553 insertions(+), 2
> > deletions(-)
> > > > > create mode 100644
> > > > CryptoPkg/Include/Library/HashApiLib.h
> > > > > create mode 100644
> > > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > > create mode 100644
> > > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > > create mode 100644
> > > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > > >
> > > > > diff --git a/CryptoPkg/CryptoPkg.dec
> > > > b/CryptoPkg/CryptoPkg.dec
> > > > > index 41af6e879e..8ad0fb5d61 100644
> > > > > --- a/CryptoPkg/CryptoPkg.dec
> > > > > +++ b/CryptoPkg/CryptoPkg.dec
> > > > > @@ -33,9 +33,29 @@ [LibraryClasses]
> > > > > ##
> > > > > TlsLib|Include/Library/TlsLib.h
> > > > >
> > > > > + ## @libraryclass Provides Unified API for
> > > > different hash implementations.
> > > > > + #
> > > > > + HashApiLib|Include/Library/HashApiLib.h
> > > > > +
> > > > > [Guids]
> > > > > ## Crypto package token space guid.
> > > > > gEfiCryptoPkgTokenSpaceGuid = {
> > 0x6bd7de60,
> > > > 0x9ef7, 0x4899, { 0x97,
> > > > > 0xd0, 0xab, 0xff, 0xfd, 0xe9, 0x70, 0xf2 } }
> > > > >
> > > > > +[PcdsFixedAtBuild, PcdsPatchableInModule,
> > > > PcdsDynamic, PcdsDynamicEx]
> > > > > + ## This PCD indicates the HASH algorithm to
> > > > calculate hash of data
> > > > > + # Based on the value set, the required
> > algorithm
> > > > is chosen to calculate
> > > > > + # the hash of data.<BR>
> > > > > + # The default hashing algorithm for
> > > > BaseHashApiLib is set to SHA256.<BR>
> > > > > + # 0x00000001 - MD4.<BR>
> > > > > + # 0x00000002 - MD5.<BR>
> > > > > + # 0x00000003 - SHA1.<BR>
> > > > > + # 0x00000004 - SHA256.<BR>
> > > > > + # 0x00000005 - SHA384.<BR>
> > > > > + # 0x00000006 - SHA512.<BR>
> > > > > + # 0x00000007 - SM3_256.<BR>
> > > > > + # @Prompt Set policy for hashing unsigned
> > image
> > > > for Secure Boot.
> > > > > + # @ValidRange 0x80000001 | 0x00000001 -
> > 0x00000007
> > > > > +
> > > > >
> > > >
> > gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UI
> > > > NT8|0x00000001
> > > > > +
> > > > > [UserExtensions.TianoCore."ExtraFiles"]
> > > > > CryptoPkgExtra.uni
> > > > > diff --git a/CryptoPkg/CryptoPkg.dsc
> > > > b/CryptoPkg/CryptoPkg.dsc
> > > > > index ec43c1f0a4..9656a73b3c 100644
> > > > > --- a/CryptoPkg/CryptoPkg.dsc
> > > > > +++ b/CryptoPkg/CryptoPkg.dsc
> > > > > @@ -1,7 +1,7 @@
> > > > > ## @file
> > > > > # Cryptographic Library Package for UEFI
> > Security
> > > > Implementation.
> > > > > #
> > > > > -# Copyright (c) 2009 - 2018, Intel Corporation.
> > All
> > > > rights reserved.<BR>
> > > > > +# Copyright (c) 2009 - 2020, Intel Corporation.
> > All
> > > > rights reserved.<BR>
> > > > > # SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > > #
> > > > > ##
> > > > > @@ -44,6 +44,7 @@ [LibraryClasses]
> > > > >
> > > > >
> > > >
> > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLi
> > > > b.inf
> > > > >
> > > >
> > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > > > +
> > > >
> > HashApiLib|CryptoPkg/Library/BaseHashApiLib/BaseHashApi
> > > > Lib.inf
> > > > >
> > > > > [LibraryClasses.ARM, LibraryClasses.AARCH64]
> > > > > #
> > > > > @@ -120,6 +121,7 @@ [Components]
> > > > > CryptoPkg/Library/TlsLibNull/TlsLibNull.inf
> > > > > CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > > > >
> > CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> > > > > +
> > > > CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > >
> > > > > [Components.IA32, Components.X64]
> > > > > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > > > > diff --git a/CryptoPkg/CryptoPkg.uni
> > > > b/CryptoPkg/CryptoPkg.uni
> > > > > index beb0036ef5..0dae4c4045 100644
> > > > > --- a/CryptoPkg/CryptoPkg.uni
> > > > > +++ b/CryptoPkg/CryptoPkg.uni
> > > > > @@ -4,7 +4,7 @@
> > > > > // This Package provides cryptographic-related
> > > > libraries for UEFI security
> > > > > modules.
> > > > > // It also provides a test application to test
> > > > libraries.
> > > > > //
> > > > > -// Copyright (c) 2009 - 2018, Intel Corporation.
> > All
> > > > rights reserved.<BR>
> > > > > +// Copyright (c) 2009 - 2020, Intel Corporation.
> > All
> > > > rights reserved.<BR>
> > > > > //
> > > > > // SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > > //
> > > > > @@ -17,3 +17,19 @@
> > > > >
> > > > >
> > > > >
> > > > > +#string
> > > >
> > STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_PRO
> > > > MPT
> > > > > #language en-US "HASH algorithm to calculate
> > hash"
> > > > > +
> > > > > +#string
> > > >
> > STR_gEfiCryptoPkgTokenSpaceGuid_PcdHashApiLibPolicy_HEL
> > > > P
> > > > > #language en-US "This PCD indicates the HASH
> > > > algorithm to calculate hash of
> > > > > data.<BR><BR>\n"
> > > > > +
> > > > "Based on the value set, the
> > > > > required algorithm is chosen to calculate\n"
> > > > > +
> > > > "the hash of data.<BR>\n"
> > > > > +
> > > > "The default hashing algorithm
> > > > > for BaseHashApiLib is set to SHA256.<BR>\n"
> > > > > +
> > > > "0x00000001 - MD4.<BR>\n"
> > > > > +
> > > > "0x00000002 - MD5.<BR>\n"
> > > > > +
> > > > "0x00000003 - SHA1.<BR>\n"
> > > > > +
> > > > "0x00000004 -
> > > > > SHA256.<BR>\n"
> > > > > +
> > > > "0x00000005 -
> > > > > SHA384.<BR>\n"
> > > > > +
> > > > "0x00000006 -
> > > > > SHA512.<BR>\n"
> > > > > +
> > > > "0x00000007 - SM3.<BR>"
> > > > > +
> > > > > +
> > > > > +
> > > > > diff --git
> > a/CryptoPkg/Include/Library/HashApiLib.h
> > > > > b/CryptoPkg/Include/Library/HashApiLib.h
> > > > > new file mode 100644
> > > > > index 0000000000..22068e5a17
> > > > > --- /dev/null
> > > > > +++ b/CryptoPkg/Include/Library/HashApiLib.h
> > > > > @@ -0,0 +1,122 @@
> > > > > +/** @file
> > > > > + Unified Hash API Defines
> > > > > +
> > > > > + This API when called will calculate the Hash
> > using
> > > > the
> > > > > + hashing algorithm specified by
> > > > PcdHashApiLibPolicy.
> > > > > +
> > > > > + Copyright (c) 2020, Intel Corporation. All
> > rights
> > > > reserved.<BR>
> > > > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > > +
> > > > > +**/
> > > > > +
> > > > > +#ifndef __BASEHASHAPILIB_H_
> > > > > +#define __BASEHASHAPILIB_H_
> > > > > +
> > > > > +typedef VOID *HASH_API_CONTEXT;
> > > > > +
> > > > > +//
> > > > > +// Hash Algorithms
> > > > > +//
> > > > > +#define HASH_API_ALGO_INVALID 0x00000000
> > > > > +#define HASH_API_ALGO_MD4 0x00000001
> > > > > +#define HASH_API_ALGO_MD5 0x00000002
> > > > > +#define HASH_API_ALGO_SHA1 0x00000003
> > > > > +#define HASH_API_ALGO_SHA256 0x00000004
> > > > > +#define HASH_API_ALGO_SHA384 0x00000005
> > > > > +#define HASH_API_ALGO_SHA512 0x00000006
> > > > > +#define HASH_API_ALGO_SM3_256 0x00000007
> > > > > +
> > > > > +/**
> > > > > + Retrieves the size, in bytes, of the context
> > > > buffer required for hash operations.
> > > > > +
> > > > > + @return The size, in bytes, of the context
> > buffer
> > > > required for hash operations.
> > > > > +**/
> > > > > +UINTN
> > > > > +EFIAPI
> > > > > +HashApiGetContextSize (
> > > > > + VOID
> > > > > + );
> > > > > +
> > > > > +/**
> > > > > + Init hash sequence.
> > > > > +
> > > > > + @param[out] HashContext Hash context.
> > > > > +
> > > > > + @retval TRUE Hash start and HashHandle
> > > > returned.
> > > > > + @retval FALSE Hash Init unsuccessful.
> > > > > +**/
> > > > > +BOOLEAN
> > > > > +EFIAPI
> > > > > +HashApiInit (
> > > > > + OUT HASH_API_CONTEXT HashContext
> > > > > + );
> > > > > +
> > > > > +/**
> > > > > + Makes a copy of an existing hash context.
> > > > > +
> > > > > + @param[in] HashContext Hash context.
> > > > > + @param[out] NewHashContext New copy of hash
> > > > context.
> > > > > +
> > > > > + @retval TRUE Hash context copy
> > succeeded.
> > > > > + @retval FALSE Hash context copy failed.
> > > > > +**/
> > > > > +BOOLEAN
> > > > > +EFIAPI
> > > > > +HashApiDuplicate (
> > > > > + IN HASH_API_CONTEXT HashContext,
> > > > > + OUT HASH_API_CONTEXT NewHashContext
> > > > > + );
> > > > > +
> > > > > +/**
> > > > > + Update hash data.
> > > > > +
> > > > > + @param[in] HashContext Hash context.
> > > > > + @param[in] DataToHash Data to be hashed.
> > > > > + @param[in] DataToHashLen Data size.
> > > > > +
> > > > > + @retval TRUE Hash updated.
> > > > > + @retval FALSE Hash updated
> > unsuccessful.
> > > > > +**/
> > > > > +BOOLEAN
> > > > > +EFIAPI
> > > > > +HashApiUpdate (
> > > > > + IN HASH_API_CONTEXT HashContext,
> > > > > + IN VOID *DataToHash,
> > > > > + IN UINTN DataToHashLen
> > > > > + );
> > > > > +
> > > > > +/**
> > > > > + Hash complete.
> > > > > +
> > > > > + @param[in] HashContext Hash context.
> > > > > + @param[out] Digest Hash Digest.
> > > > > +
> > > > > + @retval TRUE Hash complete and Digest
> > is
> > > > returned.
> > > > > + @retval FALSE Hash complete
> > unsuccessful.
> > > > > +**/
> > > > > +BOOLEAN
> > > > > +EFIAPI
> > > > > +HashApiFinal (
> > > > > + IN HASH_API_CONTEXT HashContext,
> > > > > + OUT UINT8 *Digest
> > > > > + );
> > > > > +
> > > > > +/**
> > > > > + Computes hash message digest of a input data
> > > > buffer.
> > > > > +
> > > > > + @param[in] DataToHash Data to be hashed.
> > > > > + @param[in] DataToHashLen Data size.
> > > > > + @param[out] Digest Hash Digest.
> > > > > +
> > > > > + @retval TRUE Hash digest computation
> > succeeded.
> > > > > + @retval FALSE Hash digest computation failed.
> > > > > +**/
> > > > > +BOOLEAN
> > > > > +EFIAPI
> > > > > +HashApiHashAll (
> > > > > + IN CONST VOID *DataToHash,
> > > > > + IN UINTN DataToHashLen,
> > > > > + OUT UINT8 *Digest
> > > > > + );
> > > > > +
> > > > > +#endif
> > > > > diff --git
> > > > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > >
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > > new file mode 100644
> > > > > index 0000000000..277ef9f0b4
> > > > > --- /dev/null
> > > > > +++
> > > > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c
> > > > > @@ -0,0 +1,330 @@
> > > > > +/** @file
> > > > > + Unified Hash API Implementation
> > > > > +
> > > > > + This file implements the Unified Hash API.
> > > > > +
> > > > > + This API, when called, will calculate the Hash
> > > > using the
> > > > > + hashing algorithm specified by
> > > > PcdHashApiLibPolicy.
> > > > > +
> > > > > + Copyright (c) 2020, Intel Corporation. All
> > rights
> > > > reserved.<BR>
> > > > > + SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > > +
> > > > > +**/
> > > > > +
> > > > > +#include <Base.h>
> > > > > +#include <Library/BaseLib.h>
> > > > > +#include <Library/BaseMemoryLib.h>
> > > > > +#include <Library/MemoryAllocationLib.h>
> > > > > +#include <Library/BaseCryptLib.h>
> > > > > +#include <Library/DebugLib.h>
> > > > > +#include <Library/PcdLib.h>
> > > > > +#include <Library/HashApiLib.h>
> > > > > +
> > > > > +/**
> > > > > + Retrieves the size, in bytes, of the context
> > > > buffer required for hash operations.
> > > > > +
> > > > > + @return The size, in bytes, of the context
> > buffer
> > > > required for hash operations.
> > > > > +**/
> > > > > +UINTN
> > > > > +EFIAPI
> > > > > +HashApiGetContextSize (
> > > > > + VOID
> > > > > + )
> > > > > +{
> > > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > > + case HASH_API_ALGO_MD4:
> > > > > + return Md4GetContextSize ();
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_MD5:
> > > > > + return Md5GetContextSize ();
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA1:
> > > > > + return Sha1GetContextSize ();
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA256:
> > > > > + return Sha256GetContextSize ();
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA384:
> > > > > + return Sha384GetContextSize ();
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA512:
> > > > > + return Sha512GetContextSize ();
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SM3_256:
> > > > > + return Sm3GetContextSize ();
> > > > > + break;
> > > > > +
> > > > > + default:
> > > > > + ASSERT (FALSE);
> > > > > + return 0;
> > > > > + break;
> > > > > + }
> > > > > +}
> > > > > +
> > > > > +/**
> > > > > + Init hash sequence.
> > > > > +
> > > > > + @param[out] HashContext Hash context.
> > > > > +
> > > > > + @retval TRUE Hash start and HashHandle
> > > > returned.
> > > > > + @retval FALSE Hash Init unsuccessful.
> > > > > +**/
> > > > > +BOOLEAN
> > > > > +EFIAPI
> > > > > +HashApiInit (
> > > > > + OUT HASH_API_CONTEXT HashContext
> > > > > + )
> > > > > +{
> > > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > > + case HASH_API_ALGO_MD4:
> > > > > + return Md4Init (HashContext);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_MD5:
> > > > > + return Md5Init (HashContext);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA1:
> > > > > + return Sha1Init (HashContext);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA256:
> > > > > + return Sha256Init (HashContext);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA384:
> > > > > + return Sha384Init (HashContext);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA512:
> > > > > + return Sha512Init (HashContext);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SM3_256:
> > > > > + return Sm3Init (HashContext);
> > > > > + break;
> > > > > +
> > > > > + default:
> > > > > + ASSERT (FALSE);
> > > > > + return FALSE;
> > > > > + break;
> > > > > + }
> > > > > +}
> > > > > +
> > > > > +/**
> > > > > + Makes a copy of an existing hash context.
> > > > > +
> > > > > + @param[in] HashContext Hash context.
> > > > > + @param[out] NewHashContext New copy of hash
> > > > context.
> > > > > +
> > > > > + @retval TRUE Hash context copy
> > succeeded.
> > > > > + @retval FALSE Hash context copy failed.
> > > > > +**/
> > > > > +BOOLEAN
> > > > > +EFIAPI
> > > > > +HashApiDuplicate (
> > > > > + IN HASH_API_CONTEXT HashContext,
> > > > > + OUT HASH_API_CONTEXT NewHashContext
> > > > > + )
> > > > > +{
> > > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > > + case HASH_API_ALGO_MD4:
> > > > > + return Md4Duplicate (HashContext,
> > > > NewHashContext);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_MD5:
> > > > > + return Md5Duplicate (HashContext,
> > > > NewHashContext);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA1:
> > > > > + return Sha1Duplicate (HashContext,
> > > > NewHashContext);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA256:
> > > > > + return Sha256Duplicate (HashContext,
> > > > NewHashContext);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA384:
> > > > > + return Sha384Duplicate (HashContext,
> > > > NewHashContext);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA512:
> > > > > + return Sha512Duplicate (HashContext,
> > > > NewHashContext);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SM3_256:
> > > > > + return Sm3Duplicate (HashContext,
> > > > NewHashContext);
> > > > > + break;
> > > > > +
> > > > > + default:
> > > > > + ASSERT (FALSE);
> > > > > + return FALSE;
> > > > > + break;
> > > > > + }
> > > > > +}
> > > > > +
> > > > > +/**
> > > > > + Update hash data.
> > > > > +
> > > > > + @param[in] HashContext Hash context.
> > > > > + @param[in] DataToHash Data to be hashed.
> > > > > + @param[in] DataToHashLen Data size.
> > > > > +
> > > > > + @retval TRUE Hash updated.
> > > > > + @retval FALSE Hash updated
> > unsuccessful.
> > > > > +**/
> > > > > +BOOLEAN
> > > > > +EFIAPI
> > > > > +HashApiUpdate (
> > > > > + IN HASH_API_CONTEXT HashContext,
> > > > > + IN VOID *DataToHash,
> > > > > + IN UINTN DataToHashLen
> > > > > + )
> > > > > +{
> > > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > > + case HASH_API_ALGO_MD4:
> > > > > + return Md4Update (HashContext, DataToHash,
> > > > DataToHashLen);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_MD5:
> > > > > + return Md5Update (HashContext, DataToHash,
> > > > DataToHashLen);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA1:
> > > > > + return Sha1Update (HashContext,
> > DataToHash,
> > > > DataToHashLen);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA256:
> > > > > + return Sha256Update (HashContext,
> > DataToHash,
> > > > DataToHashLen);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA384:
> > > > > + return Sha384Update (HashContext,
> > DataToHash,
> > > > DataToHashLen);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA512:
> > > > > + return Sha512Update (HashContext,
> > DataToHash,
> > > > DataToHashLen);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SM3_256:
> > > > > + return Sm3Update (HashContext, DataToHash,
> > > > DataToHashLen);
> > > > > + break;
> > > > > +
> > > > > + default:
> > > > > + ASSERT (FALSE);
> > > > > + return FALSE;
> > > > > + break;
> > > > > + }
> > > > > +}
> > > > > +
> > > > > +/**
> > > > > + Hash complete.
> > > > > +
> > > > > + @param[in] HashContext Hash context.
> > > > > + @param[out] Digest Hash Digest.
> > > > > +
> > > > > + @retval TRUE Hash complete and Digest
> > is
> > > > returned.
> > > > > + @retval FALSE Hash complete
> > unsuccessful.
> > > > > +**/
> > > > > +BOOLEAN
> > > > > +EFIAPI
> > > > > +HashApiFinal (
> > > > > + IN HASH_API_CONTEXT HashContext,
> > > > > + OUT UINT8 *Digest
> > > > > + )
> > > > > +{
> > > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > > + case HASH_API_ALGO_MD4:
> > > > > + return Md4Final (HashContext, Digest);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_MD5:
> > > > > + return Md5Final (HashContext, Digest);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA1:
> > > > > + return Sha1Final (HashContext, Digest);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA256:
> > > > > + return Sha256Final (HashContext, Digest);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA384:
> > > > > + return Sha384Final (HashContext, Digest);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA512:
> > > > > + return Sha512Final (HashContext, Digest);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SM3_256:
> > > > > + return Sm3Final (HashContext, Digest);
> > > > > + break;
> > > > > +
> > > > > + default:
> > > > > + ASSERT (FALSE);
> > > > > + return FALSE;
> > > > > + break;
> > > > > + }
> > > > > +}
> > > > > +
> > > > > +/**
> > > > > + Computes hash message digest of a input data
> > > > buffer.
> > > > > +
> > > > > + @param[in] DataToHash Data to be hashed.
> > > > > + @param[in] DataToHashLen Data size.
> > > > > + @param[out] Digest Hash Digest.
> > > > > +
> > > > > + @retval TRUE Hash digest computation
> > succeeded.
> > > > > + @retval FALSE Hash digest computation failed.
> > > > > +**/
> > > > > +BOOLEAN
> > > > > +EFIAPI
> > > > > +HashApiHashAll (
> > > > > + IN CONST VOID *DataToHash,
> > > > > + IN UINTN DataToHashLen,
> > > > > + OUT UINT8 *Digest
> > > > > + )
> > > > > +{
> > > > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > > > + case HASH_API_ALGO_MD4:
> > > > > + return Md4HashAll (DataToHash,
> > DataToHashLen,
> > > > Digest);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_MD5:
> > > > > + return Md5HashAll (DataToHash,
> > DataToHashLen,
> > > > Digest);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA1:
> > > > > + return Sha1HashAll (DataToHash,
> > DataToHashLen,
> > > > Digest);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA256:
> > > > > + return Sha256HashAll (DataToHash,
> > > > DataToHashLen, Digest);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA384:
> > > > > + return Sha384HashAll (DataToHash,
> > > > DataToHashLen, Digest);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SHA512:
> > > > > + return Sha512HashAll (DataToHash,
> > > > DataToHashLen, Digest);
> > > > > + break;
> > > > > +
> > > > > + case HASH_API_ALGO_SM3_256:
> > > > > + return Sm3HashAll (DataToHash,
> > DataToHashLen,
> > > > Digest);
> > > > > + break;
> > > > > +
> > > > > + default:
> > > > > + ASSERT (FALSE);
> > > > > + return FALSE;
> > > > > + break;
> > > > > + }
> > > > > +}
> > > > > diff --git
> > > >
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > >
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > > new file mode 100644
> > > > > index 0000000000..b4d8675ddd
> > > > > --- /dev/null
> > > > > +++
> > > >
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.inf
> > > > > @@ -0,0 +1,44 @@
> > > > > +## @file
> > > > > +# Provides Unified API for Hash Calculation
> > > > > +#
> > > > > +# This library is BaseHashApiLib. It will
> > redirect
> > > > hash request to
> > > > > +# each individual hash API, such as SHA1,
> > SHA256,
> > > > SHA384, SM3 based
> > > > > +# on hashing algorithm specified by
> > > > PcdHashApiLibPolicy.
> > > > > +#
> > > > > +# Copyright (c) 2020, Intel Corporation. All
> > rights
> > > > reserved.<BR>
> > > > > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > > +#
> > > > > +##
> > > > > +
> > > > > +[Defines]
> > > > > + INF_VERSION = 0x00010005
> > > > > + BASE_NAME =
> > BaseHashApiLib
> > > > > + MODULE_UNI_FILE =
> > > > BaseHashApiLib.uni
> > > > > + FILE_GUID = B1E566DD-
> > DE7C-
> > > > 4F04-BDA0-B1295D3BE927
> > > > > + MODULE_TYPE = BASE
> > > > > + VERSION_STRING = 1.0
> > > > > + LIBRARY_CLASS =
> > BaseHashApiLib
> > > > > +
> > > > > +#
> > > > > +# The following information is for reference
> > only
> > > > and not required by the build
> > > > > tools.
> > > > > +#
> > > > > +# VALID_ARCHITECTURES = IA32 X64
> > > > > +#
> > > > > +
> > > > > +[Sources]
> > > > > + BaseHashApiLib.c
> > > > > +
> > > > > +[Packages]
> > > > > + MdePkg/MdePkg.dec
> > > > > + CryptoPkg/CryptoPkg.dec
> > > > > +
> > > > > +[LibraryClasses]
> > > > > + BaseLib
> > > > > + BaseMemoryLib
> > > > > + DebugLib
> > > > > + MemoryAllocationLib
> > > > > + BaseCryptLib
> > > > > + PcdLib
> > > > > +
> > > > > +[Pcd]
> > > > > +
> > gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy
> > > > ## CONSUMES
> > > > > diff --git
> > > >
> > a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > > >
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > > > new file mode 100644
> > > > > index 0000000000..49ba82e86f
> > > > > --- /dev/null
> > > > > +++
> > > >
> > b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.uni
> > > > > @@ -0,0 +1,17 @@
> > > > > +// /** @file
> > > > > +// Provides Unified API for Hash Calculation
> > > > > +//
> > > > > +// This library is BaseHashApiLib. It will
> > redirect
> > > > hash request to
> > > > > +// each individual hash API, such as SHA1,
> > SHA256,
> > > > SHA384, SM3 based
> > > > > +// on hashing algorithm specified by
> > > > PcdHashApiLibPolicy.
> > > > > +//
> > > > > +// Copyright (c) 2020, Intel Corporation. All
> > rights
> > > > reserved.<BR>
> > > > > +//
> > > > > +// SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > > +//
> > > > > +// **/
> > > > > +
> > > > > +
> > > > > +#string STR_MODULE_ABSTRACT
> > #language
> > > > en-US "Provides hash
> > > > > service by specified hash handler"
> > > > > +
> > > > > +#string STR_MODULE_DESCRIPTION
> > #language
> > > > en-US "This library is
> > > > > Unified Hash API. It will redirect hash request
> > to
> > > > the hash handler specified by
> > > > > PcdHashApiLibPolicy."
> > > > > --
> > > > > 2.21.0.windows.1
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [edk2-devel] [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-03 23:35 ` [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API Michael D Kinney
2020-02-04 2:53 ` Yao, Jiewen
@ 2020-02-05 11:00 ` Laszlo Ersek
2020-02-05 13:53 ` Wang, Jian J
1 sibling, 1 reply; 20+ messages in thread
From: Laszlo Ersek @ 2020-02-05 11:00 UTC (permalink / raw)
To: devel, michael.d.kinney; +Cc: Amol N Sukerkar, Jiewen Yao, Jian J Wang
Hi,
sorry I'm late to this discussion. I'd only like to mention a potential
future improvement:
On 02/04/20 00:35, Michael D Kinney wrote:
> +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
> + ## This PCD indicates the HASH algorithm to calculate hash of data
> + # Based on the value set, the required algorithm is chosen to calculate
> + # the hash of data.<BR>
> + # The default hashing algorithm for BaseHashApiLib is set to SHA256.<BR>
> + # 0x00000001 - MD4.<BR>
> + # 0x00000002 - MD5.<BR>
> + # 0x00000003 - SHA1.<BR>
> + # 0x00000004 - SHA256.<BR>
> + # 0x00000005 - SHA384.<BR>
> + # 0x00000006 - SHA512.<BR>
> + # 0x00000007 - SM3_256.<BR>
> + # @Prompt Set policy for hashing unsigned image for Secure Boot.
> + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UINT8|0x00000001
> +
The platform may choose to make this PCD dynamic or dynamicEx. That's
good. But:
> +UINTN
> +EFIAPI
> +HashApiGetContextSize (
> + VOID
> + )
> +{
> + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> + case HASH_API_ALGO_MD4:
> + return Md4GetContextSize ();
> + break;
we have direct PcdGet8() calls in the lib API implementations. And:
> +[Defines]
> + INF_VERSION = 0x00010005
> + BASE_NAME = BaseHashApiLib
> + MODULE_UNI_FILE = BaseHashApiLib.uni
> + FILE_GUID = B1E566DD-DE7C-4F04-BDA0-B1295D3BE927
> + MODULE_TYPE = BASE
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = BaseHashApiLib
[...]
> +[Pcd]
> + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy ## CONSUMES
The lib class is not restricted to any particular firmware phase, or
module type.
This suggests that the lib instance is usable in DXE runtime drivers or
SMM drivers. If the serives are called outside of the entry point
functions, the dynamic PCD fetches would be a problem, I think.
So the idea here would be to create a minimal separate INF file + C file
for runtime applications (runtime DXE and SMM drivers), and there a
constructor function could run PcdGet8(), and stash the value in a
global variable.
Alternatively, if this is overkill, we could improve safety by restricting
LIBRARY_CLASS = BaseHashApiLib|<module_type> <module_type> ...
to every module type except runtime DXE drivers and SMM drivers.
Thanks
Laszlo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [edk2-devel] [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-05 11:00 ` [edk2-devel] " Laszlo Ersek
@ 2020-02-05 13:53 ` Wang, Jian J
2020-02-05 16:18 ` Michael D Kinney
0 siblings, 1 reply; 20+ messages in thread
From: Wang, Jian J @ 2020-02-05 13:53 UTC (permalink / raw)
To: Laszlo Ersek, devel@edk2.groups.io, Kinney, Michael D
Cc: Sukerkar, Amol N, Yao, Jiewen
Laszlo,
According to RFC discussion, using PCD here is mainly for optimization purpose. So I
think we should limit the PCD type to just FixedAtBuild. Then there's no problem
for modules linking this library.
Regards,
Jian
> -----Original Message-----
> From: Laszlo Ersek <lersek@redhat.com>
> Sent: Wednesday, February 05, 2020 7:00 PM
> To: devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@intel.com>
> Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>
> Subject: Re: [edk2-devel] [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement
> Unified Hash Calculation API
>
> Hi,
>
> sorry I'm late to this discussion. I'd only like to mention a potential
> future improvement:
>
> On 02/04/20 00:35, Michael D Kinney wrote:
>
> > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
> > + ## This PCD indicates the HASH algorithm to calculate hash of data
> > + # Based on the value set, the required algorithm is chosen to calculate
> > + # the hash of data.<BR>
> > + # The default hashing algorithm for BaseHashApiLib is set to SHA256.<BR>
> > + # 0x00000001 - MD4.<BR>
> > + # 0x00000002 - MD5.<BR>
> > + # 0x00000003 - SHA1.<BR>
> > + # 0x00000004 - SHA256.<BR>
> > + # 0x00000005 - SHA384.<BR>
> > + # 0x00000006 - SHA512.<BR>
> > + # 0x00000007 - SM3_256.<BR>
> > + # @Prompt Set policy for hashing unsigned image for Secure Boot.
> > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007
> > +
> gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UINT8|0x00000001
> > +
>
> The platform may choose to make this PCD dynamic or dynamicEx. That's
> good. But:
>
> > +UINTN
> > +EFIAPI
> > +HashApiGetContextSize (
> > + VOID
> > + )
> > +{
> > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > + case HASH_API_ALGO_MD4:
> > + return Md4GetContextSize ();
> > + break;
>
> we have direct PcdGet8() calls in the lib API implementations. And:
>
> > +[Defines]
> > + INF_VERSION = 0x00010005
> > + BASE_NAME = BaseHashApiLib
> > + MODULE_UNI_FILE = BaseHashApiLib.uni
> > + FILE_GUID = B1E566DD-DE7C-4F04-BDA0-B1295D3BE927
> > + MODULE_TYPE = BASE
> > + VERSION_STRING = 1.0
> > + LIBRARY_CLASS = BaseHashApiLib
>
> [...]
>
> > +[Pcd]
> > + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy ## CONSUMES
>
> The lib class is not restricted to any particular firmware phase, or
> module type.
>
> This suggests that the lib instance is usable in DXE runtime drivers or
> SMM drivers. If the serives are called outside of the entry point
> functions, the dynamic PCD fetches would be a problem, I think.
>
> So the idea here would be to create a minimal separate INF file + C file
> for runtime applications (runtime DXE and SMM drivers), and there a
> constructor function could run PcdGet8(), and stash the value in a
> global variable.
>
> Alternatively, if this is overkill, we could improve safety by restricting
>
> LIBRARY_CLASS = BaseHashApiLib|<module_type> <module_type> ...
>
> to every module type except runtime DXE drivers and SMM drivers.
>
> Thanks
> Laszlo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [edk2-devel] [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-05 13:53 ` Wang, Jian J
@ 2020-02-05 16:18 ` Michael D Kinney
2020-02-05 21:23 ` Laszlo Ersek
0 siblings, 1 reply; 20+ messages in thread
From: Michael D Kinney @ 2020-02-05 16:18 UTC (permalink / raw)
To: Wang, Jian J, Laszlo Ersek, devel@edk2.groups.io,
Kinney, Michael D
Cc: Sukerkar, Amol N, Yao, Jiewen
Jian,
I agree. If the PCD type is anything but FixedAtBuild,
the compiler can not optimize away the unused BaseCryptLib
functions.
I think the best solution is to limit this PCD to only
FixedAtBuild.
Thank you for noticing this issue Laszlo!
Mike
> -----Original Message-----
> From: Wang, Jian J <jian.j.wang@intel.com>
> Sent: Wednesday, February 5, 2020 5:54 AM
> To: Laszlo Ersek <lersek@redhat.com>;
> devel@edk2.groups.io; Kinney, Michael D
> <michael.d.kinney@intel.com>
> Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>; Yao,
> Jiewen <jiewen.yao@intel.com>
> Subject: RE: [edk2-devel] [Patch v10 2/2]
> CryptoPkg/BaseHashApiLib: Implement Unified Hash
> Calculation API
>
> Laszlo,
>
> According to RFC discussion, using PCD here is mainly
> for optimization purpose. So I
> think we should limit the PCD type to just
> FixedAtBuild. Then there's no problem
> for modules linking this library.
>
> Regards,
> Jian
>
> > -----Original Message-----
> > From: Laszlo Ersek <lersek@redhat.com>
> > Sent: Wednesday, February 05, 2020 7:00 PM
> > To: devel@edk2.groups.io; Kinney, Michael D
> <michael.d.kinney@intel.com>
> > Cc: Sukerkar, Amol N <amol.n.sukerkar@intel.com>;
> Yao, Jiewen
> > <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>
> > Subject: Re: [edk2-devel] [Patch v10 2/2]
> CryptoPkg/BaseHashApiLib: Implement
> > Unified Hash Calculation API
> >
> > Hi,
> >
> > sorry I'm late to this discussion. I'd only like to
> mention a potential
> > future improvement:
> >
> > On 02/04/20 00:35, Michael D Kinney wrote:
> >
> > > +[PcdsFixedAtBuild, PcdsPatchableInModule,
> PcdsDynamic, PcdsDynamicEx]
> > > + ## This PCD indicates the HASH algorithm to
> calculate hash of data
> > > + # Based on the value set, the required
> algorithm is chosen to calculate
> > > + # the hash of data.<BR>
> > > + # The default hashing algorithm for
> BaseHashApiLib is set to SHA256.<BR>
> > > + # 0x00000001 - MD4.<BR>
> > > + # 0x00000002 - MD5.<BR>
> > > + # 0x00000003 - SHA1.<BR>
> > > + # 0x00000004 - SHA256.<BR>
> > > + # 0x00000005 - SHA384.<BR>
> > > + # 0x00000006 - SHA512.<BR>
> > > + # 0x00000007 - SM3_256.<BR>
> > > + # @Prompt Set policy for hashing unsigned image
> for Secure Boot.
> > > + # @ValidRange 0x80000001 | 0x00000001 -
> 0x00000007
> > > +
> >
> gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy|0x04|UI
> NT8|0x00000001
> > > +
> >
> > The platform may choose to make this PCD dynamic or
> dynamicEx. That's
> > good. But:
> >
> > > +UINTN
> > > +EFIAPI
> > > +HashApiGetContextSize (
> > > + VOID
> > > + )
> > > +{
> > > + switch (PcdGet8 (PcdHashApiLibPolicy)) {
> > > + case HASH_API_ALGO_MD4:
> > > + return Md4GetContextSize ();
> > > + break;
> >
> > we have direct PcdGet8() calls in the lib API
> implementations. And:
> >
> > > +[Defines]
> > > + INF_VERSION = 0x00010005
> > > + BASE_NAME = BaseHashApiLib
> > > + MODULE_UNI_FILE =
> BaseHashApiLib.uni
> > > + FILE_GUID = B1E566DD-DE7C-
> 4F04-BDA0-B1295D3BE927
> > > + MODULE_TYPE = BASE
> > > + VERSION_STRING = 1.0
> > > + LIBRARY_CLASS = BaseHashApiLib
> >
> > [...]
> >
> > > +[Pcd]
> > > + gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy
> ## CONSUMES
> >
> > The lib class is not restricted to any particular
> firmware phase, or
> > module type.
> >
> > This suggests that the lib instance is usable in DXE
> runtime drivers or
> > SMM drivers. If the serives are called outside of the
> entry point
> > functions, the dynamic PCD fetches would be a
> problem, I think.
> >
> > So the idea here would be to create a minimal
> separate INF file + C file
> > for runtime applications (runtime DXE and SMM
> drivers), and there a
> > constructor function could run PcdGet8(), and stash
> the value in a
> > global variable.
> >
> > Alternatively, if this is overkill, we could improve
> safety by restricting
> >
> > LIBRARY_CLASS = BaseHashApiLib|<module_type>
> <module_type> ...
> >
> > to every module type except runtime DXE drivers and
> SMM drivers.
> >
> > Thanks
> > Laszlo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [edk2-devel] [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API
2020-02-05 16:18 ` Michael D Kinney
@ 2020-02-05 21:23 ` Laszlo Ersek
0 siblings, 0 replies; 20+ messages in thread
From: Laszlo Ersek @ 2020-02-05 21:23 UTC (permalink / raw)
To: Kinney, Michael D, Wang, Jian J, devel@edk2.groups.io
Cc: Sukerkar, Amol N, Yao, Jiewen
On 02/05/20 17:18, Kinney, Michael D wrote:
> Jian,
>
> I agree. If the PCD type is anything but FixedAtBuild,
> the compiler can not optimize away the unused BaseCryptLib
> functions.
>
> I think the best solution is to limit this PCD to only
> FixedAtBuild.
I agree that that technically solves the problem, and it also seems like
a justifiable design decision.
> Thank you for noticing this issue Laszlo!
Whenever I pull from master, I tend to skim the new commits quickly in
"gitk". Nothing resembling real patch review, I just have a few
"favorite" :) areas that stand out to me on occasion (not always, of
course).
Thanks!
Laszlo
^ permalink raw reply [flat|nested] 20+ messages in thread
end of thread, other threads:[~2020-02-05 21:23 UTC | newest]
Thread overview: 20+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-02-03 23:35 [Patch v10 0/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API Michael D Kinney
2020-02-03 23:35 ` [Patch v10 1/2] CryptoPkg: Add CryptoPkg Token Space GUID Michael D Kinney
2020-02-03 23:35 ` [Patch v10 2/2] CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API Michael D Kinney
2020-02-04 2:53 ` Yao, Jiewen
2020-02-04 5:24 ` [edk2-devel] " Zhang, Chao B
2020-02-04 16:29 ` Michael D Kinney
2020-02-04 16:26 ` Michael D Kinney
2020-02-04 17:10 ` Sukerkar, Amol N
2020-02-04 18:30 ` Sukerkar, Amol N
2020-02-04 23:06 ` Yao, Jiewen
2020-02-04 23:15 ` Sukerkar, Amol N
2020-02-04 23:20 ` Yao, Jiewen
2020-02-04 23:22 ` Sukerkar, Amol N
2020-02-04 22:54 ` Yao, Jiewen
2020-02-05 1:04 ` Michael D Kinney
2020-02-05 1:32 ` Yao, Jiewen
2020-02-05 11:00 ` [edk2-devel] " Laszlo Ersek
2020-02-05 13:53 ` Wang, Jian J
2020-02-05 16:18 ` Michael D Kinney
2020-02-05 21:23 ` Laszlo Ersek
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox