This implementation removes the need for PEI and DXE drivers to call hard-coded hash APIs by introducing a common, unified API for hash calculation.
The common API will execute the hash algorithm specified by the PCD, PcdSystemHashPolicy. Signed-off-by: Sukerkar, Amol N <amol.n.suker...@intel.com> --- SecurityPkg/Library/BaseHashLib/BaseHashLib.c | 236 ++++++++++++++++++++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 62 +++++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 62 +++++ SecurityPkg/Include/Library/HashLib.h | 83 +++++++ SecurityPkg/Library/BaseHashLib/BaseHashLib.h | 85 +++++++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 49 ++++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 50 +++++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 18 ++ SecurityPkg/SecurityPkg.dec | 28 +++ SecurityPkg/SecurityPkg.dsc | 4 + SecurityPkg/SecurityPkg.uni | 23 ++ 12 files changed, 718 insertions(+) diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.c b/SecurityPkg/Library/BaseHashLib/BaseHashLib.c new file mode 100644 index 000000000000..2ad83387799d --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLib.c 
@@ -0,0 +1,236 @@
+/** @file
+ Implement image verification services for secure boot service
+
+ Caution: This file requires additional review when modified.
+ This library will have external input - PE/COFF image.
+ This external input must be validated carefully to avoid security issue like
+ buffer overflow, integer overflow.
+
+ DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
+ untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashLib.h>
+
+//#include "BaseHashLib.h"
+
+typedef struct {
+ EFI_GUID Guid;
+ UINT32 Mask;
+} HASH_MASK;
+
+HASH_MASK mHashMask[] = {
+ {HASH_ALGORITHM_SHA1_GUID, HASH_ALG_SHA1},
+ {HASH_ALGORITHM_SHA256_GUID, HASH_ALG_SHA256},
+ {HASH_ALGORITHM_SHA384_GUID, HASH_ALG_SHA384},
+ {HASH_ALGORITHM_SHA512_GUID, HASH_ALG_SHA512},
+};
+
+HASH_INTERFACE_UNIFIED_API mHashOps[HASH_COUNT] = {{{0}, NULL, NULL, NULL}};
+
+UINTN mHashInterfaceCount = 0;
+UINT32 mCurrentHashMask = 0;
+
+UINT32
+EFIAPI
+GetApiHashMaskFromAlgo (
+ IN EFI_GUID *HashGuid
+ )
+{
+ UINTN Index;
+
+ for (Index = 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index++) {
+ if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) {
+ return mHashMask[Index].Mask;
+ }
+ }
+ return 0;
+}
+
+/**
+ Init hash sequence.
+
+ @param HashHandle Hash handle.
+
+ @retval EFI_SUCCESS Hash start and HashHandle returned.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiInit (
+ OUT HASH_HANDLE *HashHandle
+)
+{
+ HASH_HANDLE *HashCtx;
+ UINTN Index;
+ UINT32 HashMask;
+
+ if (mHashInterfaceCount == 0) {
+ return EFI_UNSUPPORTED;
+ }
+
+ HashCtx = AllocatePool (sizeof(*HashCtx));
+ ASSERT (HashCtx != NULL);
+
+ for (Index = 0; Index < mHashInterfaceCount; Index++) {
+ HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
+ if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
+ (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
+ mHashOps[Index].HashInit (HashCtx);
+ }
+ }
+
+ *HashHandle = (HASH_HANDLE)HashCtx;
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Update hash data.
+
+ @param HashHandle Hash handle.
+ @param DataToHash Data to be hashed.
+ @param DataToHashLen Data size.
+
+ @retval EFI_SUCCESS Hash updated.
+ @retval EFI_UNSUPPORTED System has no HASH library registered.
+**/
+EFI_STATUS
+EFIAPI
+HashApiUpdate (
+ IN HASH_HANDLE HashHandle,
+ IN VOID *DataToHash,
+ IN UINTN DataToHashLen
+)
+{
+ HASH_HANDLE *HashCtx;
+ UINTN Index;
+ UINT32 HashMask;
+
+ if (mHashInterfaceCount == 0) {
+ return EFI_UNSUPPORTED;
+ }
+
+ HashCtx = (HASH_HANDLE *)HashHandle;
+
+ for (Index = 0; Index < mHashInterfaceCount; Index++) {
+ HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
+ if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
+ (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
+ mHashOps[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen);
+ }
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Hash complete.
+
+ @param HashHandle Hash handle.
+ @param Digest Hash Digest.
+
+ @retval EFI_SUCCESS Hash complete and Digest is returned.
+**/
+EFI_STATUS
+EFIAPI
+HashApiFinal (
+ IN HASH_HANDLE HashHandle,
+ OUT UINT8 *Digest
+)
+{
+ HASH_HANDLE *HashCtx;
+ UINTN Index;
+ UINT32 HashMask;
+
+ if (mHashInterfaceCount == 0) {
+ return EFI_UNSUPPORTED;
+ }
+
+ HashCtx = (HASH_HANDLE *)HashHandle;
+
+ for (Index = 0; Index < mHashInterfaceCount; Index++) {
+ HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
+ if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
+ (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
+ mHashOps[Index].HashFinal (HashCtx[0], &Digest);
+ }
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ This service registers Hash Interface.
+
+ @param HashInterface Hash interface
+
+ @retval EFI_SUCCESS This hash interface is registered successfully.
+ @retval EFI_UNSUPPORTED System does not support register this interface.
+ @retval EFI_ALREADY_STARTED System already register this interface.
+**/
+EFI_STATUS
+EFIAPI
+RegisterHashApiLib (
+ IN HASH_INTERFACE_UNIFIED_API *HashInterface
+ )
+{
+ EFI_STATUS Status;
+ UINTN Index;
+ UINT32 HashMask;
+
+ //
+ // Check Allow
+ //
+ HashMask = GetApiHashMaskFromAlgo (&HashInterface->HashGuid);
+
+ // check if Hash Mask is supported
+ if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {
+ return EFI_UNSUPPORTED;
+ }
+
+ if (mHashInterfaceCount >= sizeof(mHashOps)/sizeof(mHashOps[0])) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ //
+ // Check duplication
+ //
+ for (Index = 0; Index < mHashInterfaceCount; Index++) {
+ if (CompareGuid (&mHashOps[Index].HashGuid, &HashInterface->HashGuid)) {
+ DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been registered\n", &HashInterface->HashGuid));
+ return EFI_ALREADY_STARTED;
+ }
+ }
+
+ //
+ // Register the Hash Algo.
+ //
+ mCurrentHashMask = PcdGet32 (PcdHashAlgorithmBitmap) | HashMask;
+ Status = PcdSet32S (PcdHashAlgorithmBitmap, mCurrentHashMask);
+ ASSERT_EFI_ERROR (Status);
+
+ CopyMem (&mHashOps[mHashInterfaceCount], HashInterface, sizeof(*HashInterface));
+ mHashInterfaceCount ++;
+
+ return EFI_SUCCESS;
+}
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
new file mode 100644
index 000000000000..5de94d80fad5
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c
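Review bot: HashApiFinal() returns EFI_SUCCESS even when no registered algorithm passes both the PcdHashAlgorithmBitmap and PcdSystemHashPolicy tests, and it discards the status of HashFinal(), so a caller can end up comparing a digest buffer that was never written. It also passes `&Digest`, the address of its own by-value parameter, and neither this function nor the HashLib.h prototype carries a digest length, so nothing visible here shows that the caller's buffer is filled or that it is large enough for the algorithm the policy selects. HashApiInit() guards AllocatePool() only with `ASSERT (HashCtx != NULL)`, which can be disabled in release builds, and the context is never freed. When more than one policy bit is set, each selected HashInit() overwrites the single HASH_HANDLE slot and HashUpdate()/HashFinal() hand `HashCtx[0]` to every selected algorithm, so a policy that does not select exactly one algorithm should be rejected. The sketch below covers only the status and allocation handling.

```c
// HashApiInit: fail cleanly instead of relying on ASSERT
  HashCtx = AllocatePool (sizeof (*HashCtx));
  if (HashCtx == NULL) {
    return EFI_OUT_OF_RESOURCES;
  }
// … unchanged: loop that calls HashInit for the algorithm selected by the PCDs …

// HashApiFinal: report "nothing hashed" and propagate the callee status
  Status = EFI_UNSUPPORTED;   // stays so when no algorithm passes the policy test
  for (Index = 0; Index < mHashInterfaceCount; Index++) {
    HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid);
    if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 &&
        (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) {
      Status = mHashOps[Index].HashFinal (HashCtx[0], &Digest);
      if (EFI_ERROR (Status)) {
        break;
      }
    }
  }

  FreePool (HashCtx);
  return Status;
```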
@@ -0,0 +1,62 @@
+/** @file
+ Implement image verification services for secure boot service
+
+ Caution: This file requires additional review when modified.
+ This library will have external input - PE/COFF image.
+ This external input must be validated carefully to avoid security issue like
+ buffer overflow, integer overflow.
+
+ DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
+ untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashLib.h>
+
+#include "BaseHashLib.h"
+
+/**
+ The constructor function of BaseHashLib Dxe.
+
+ @param FileHandle The handle of FFS header the loaded driver.
+ @param PeiServices The pointer to the PEI services.
+
+ @retval EFI_SUCCESS The constructor executes successfully.
+ @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constructor.
+
+**/
+EFI_STATUS
+EFIAPI
+BaseHashLibApiPeiConstructor (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+
+ //
+ // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module.
+ //
+ Status = PcdSet32S (PcdHashAlgorithmBitmap, 0);
+ ASSERT_EFI_ERROR (Status);
+
+ return EFI_SUCCESS;
+}
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
new file mode 100644
index 000000000000..8ffe356b60e7
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c
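Review bot: The DXE constructor is defined as `BaseHashLibApiPeiConstructor`, while BaseHashLibDxe.inf declares `CONSTRUCTOR = BaseHashLibApiDxeConstructor`, so the DXE instance should fail to link once something actually builds it; rename the function to `BaseHashLibApiDxeConstructor`. The doc comment still lists `FileHandle` and `PeiServices`, although the parameters are `ImageHandle` and `SystemTable`. The `@file` header is the DxeImageVerificationLib text (PE/COFF input, DxeImageVerificationHandler()) and describes nothing in this file; the same copied header is in BaseHashLib.c and BaseHashLibPei.c and should be replaced with a description of the hash library. Returning `Status` instead of a constant `EFI_SUCCESS` after `ASSERT_EFI_ERROR (Status)` would keep a failed PcdSet32S visible in builds where asserts are off.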
@@ -0,0 +1,62 @@
+/** @file
+ Implement image verification services for secure boot service
+
+ Caution: This file requires additional review when modified.
+ This library will have external input - PE/COFF image.
+ This external input must be validated carefully to avoid security issue like
+ buffer overflow, integer overflow.
+
+ DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content
+ read is within the image buffer.
+
+ DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
+ untrusted PE/COFF image and validate its data structure within this image buffer before use.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+#include <Library/PcdLib.h>
+#include <Library/HashLib.h>
+
+#include "BaseHashLib.h"
+
+/**
+ The constructor function of BaseHashLib Pei.
+
+ @param FileHandle The handle of FFS header the loaded driver.
+ @param PeiServices The pointer to the PEI services.
+
+ @retval EFI_SUCCESS The constructor executes successfully.
+ @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constructor.
+
+**/
+EFI_STATUS
+EFIAPI
+BaseHashLibApiPeiConstructor (
+ IN EFI_PEI_FILE_HANDLE FileHandle,
+ IN CONST EFI_PEI_SERVICES **PeiServices
+ )
+{
+ EFI_STATUS Status;
+
+ //
+ // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module.
+ // + Status = PcdSet32S (PcdHashAlgorithmBitmap, 0); + ASSERT_EFI_ERROR (Status); + + return EFI_SUCCESS; +} \ No newline at end of file diff --git a/SecurityPkg/Include/Library/HashLib.h b/SecurityPkg/Include/Library/HashLib.h index 6ad960ad70ee..740cb8188e51 100644 --- a/SecurityPkg/Include/Library/HashLib.h +++ b/SecurityPkg/Include/Library/HashLib.h @@ -87,6 +87,53 @@ HashAndExtend ( OUT TPML_DIGEST_VALUES *DigestList ); +/** + Init hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash start and HashHandle returned. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiInit ( + OUT HASH_HANDLE *HashHandle +); + +/** + Update hash data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash updated. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen +); + +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +EFI_STATUS +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + OUT UINT8 *Digest +); + /** Start hash sequence. @@ -133,6 +180,21 @@ EFI_STATUS OUT TPML_DIGEST_VALUES *DigestList ); +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +typedef +EFI_STATUS +(EFIAPI *HASH_FINAL_EX) ( + IN HASH_HANDLE HashHandle, + OUT UINT8 **Digest + ); + #define HASH_ALGORITHM_SHA1_GUID EFI_HASH_ALGORITHM_SHA1_GUID #define HASH_ALGORITHM_SHA256_GUID EFI_HASH_ALGORITHM_SHA256_GUID #define HASH_ALGORITHM_SHA384_GUID EFI_HASH_ALGORITHM_SHA384_GUID 
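Review bot: The PEI instance links BaseHashLib.c, whose registration state lives in writable module globals (`mHashOps`, `mHashInterfaceCount`, `mCurrentHashMask`); a PEIM that executes in place from flash cannot update those, which is why the existing HashLibBaseCryptoRouterPei keeps its table in a GUIDed HOB. The constructor comment says the bitmap is cleared "for CURRENT module", but if PcdHashAlgorithmBitmap is built as a dynamic PCD the value is shared, so each later module that links this library would clear bits set by earlier registrations, after which their HashApiUpdate()/HashApiFinal() skip every algorithm and still return EFI_SUCCESS. Consider keeping the per-module mask in module-local or HOB state rather than in the PCD, and return `Status` rather than a constant `EFI_SUCCESS`. The same reset is in BaseHashLibDxe.c.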
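Review bot: The comment on `HASH_FINAL_EX` is a copy of the HashApiFinal() one and does not explain the extra level of indirection in `OUT UINT8 **Digest`. It should say whether the callee copies the digest into the buffer `*Digest` points at or replaces `*Digest` with a pointer to its own storage, who owns that storage, and how many bytes are produced. Without that, every implementer of HASH_INTERFACE_UNIFIED_API has to guess, and a wrong guess is either a lost digest or a write past the caller's buffer. A length parameter on both `HASH_FINAL_EX` and HashApiFinal() (for example `IN UINTN DigestSize`) would let the library check the size before writing.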
@@ -149,6 +211,13 @@ typedef struct { HASH_FINAL HashFinal; } HASH_INTERFACE; +typedef struct { + EFI_GUID HashGuid; + HASH_INIT HashInit; + HASH_UPDATE HashUpdate; + HASH_FINAL_EX HashFinal; +} HASH_INTERFACE_UNIFIED_API; + /** This service register Hash. @@ -164,4 +233,18 @@ RegisterHashInterfaceLib ( IN HASH_INTERFACE *HashInterface ); +/** + This service registers Hash Interface. + + @param HashInterface Hash interface + + @retval EFI_SUCCESS This hash interface is registered successfully. + @retval EFI_UNSUPPORTED System does not support register this interface. + @retval EFI_ALREADY_STARTED System already register this interface. +**/ +EFI_STATUS +EFIAPI +RegisterHashApiLib ( + IN HASH_INTERFACE_UNIFIED_API *HashInterface +); #endif diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.h b/SecurityPkg/Library/BaseHashLib/BaseHashLib.h new file mode 100644 index 000000000000..70676c1716c3 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLib.h 
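Review bot: The RegisterHashApiLib() comment lists EFI_SUCCESS, EFI_UNSUPPORTED and EFI_ALREADY_STARTED, but the implementation in BaseHashLib.c also returns EFI_OUT_OF_RESOURCES when `mHashOps` is full. Add `@retval EFI_OUT_OF_RESOURCES No more hash interfaces can be registered.` here and on the definition. It would also help to state that `HashInterface` is copied, so the caller's structure need not outlive the call.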
@@ -0,0 +1,85 @@
+/** @file
+ The internal header file includes the common header files, defines
+ internal structure and functions used by ImageVerificationLib.
+
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef __BASEHASHLIB_H_
+#define __BASEHASHLIB_H_
+
+#define HASH_ALGO_COUNT 7
+
+//
+// Hash Algorithms
+//
+#define HASH_ALG_SHA1 0x00000001
+#define HASH_ALG_SHA256 0x00000002
+#define HASH_ALG_SHA384 0x00000004
+#define HASH_ALG_SHA512 0x00000008
+#define HASH_ALG_SM3_256 0x00000010
+#if 0
+typedef
+UINTN
+(EFIAPI *GET_HASH_CTX_SIZE) (
+ VOID
+ );
+
+typedef
+BOOLEAN
+(EFIAPI *_HASH_INIT) (
+ OUT VOID *ShaContext
+ );
+
+typedef
+BOOLEAN
+(EFIAPI *_HASH_DUPLICATE) (
+ IN CONST VOID *ShaContext,
+ OUT VOID *NewShaContext
+ );
+
+typedef
+BOOLEAN
+(EFIAPI *_HASH_UPDATE) (
+ IN OUT VOID *ShaContext,
+ IN CONST VOID *Data,
+ IN UINTN DataSize
+ );
+
+typedef
+BOOLEAN
+(EFIAPI *_HASH_FINAL) (
+ IN OUT VOID *ShaContext,
+ OUT UINT8 *HashValue
+ );
+
+HASH_ALGO_IDX
+GetHashAlgoIndex (
+ VOID
+);
+
+typedef struct {
+ HASH_ALGO_IDX HashAlgo;
+ GET_HASH_CTX_SIZE GetHashCtxSize;
+ _HASH_INIT HashInit;
+ _HASH_DUPLICATE HashDuplicate;
+ _HASH_UPDATE HashUpdate;
+ _HASH_FINAL HashFinal;
+} HASH_OPERATIONS;
+
+
+EFI_STATUS
+EFIAPI
+RegisterHashLib (
+ IN HASH_OPERATIONS *HashInterface
+);
+#endif
+#endif
\ No newline at end of file
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
new file mode 100644
index 000000000000..f5dcbedb2cd9
--- /dev/null
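Review bot: Most of this new header is a disabled `#if 0` block (the `HASH_OPERATIONS` typedefs and `RegisterHashLib()`), which should be dropped from the patch rather than committed as dead code. `HASH_ALGO_COUNT` is defined as 7 but not used anywhere in the patch: BaseHashLib.c sizes `mHashOps` with `HASH_COUNT` and has its `#include "BaseHashLib.h"` commented out, so the `HASH_ALG_*` bits it uses presumably come from another header and may differ from the ones defined here. `HASH_ALG_SM3_256` is defined, yet `mHashMask` in BaseHashLib.c has no SM3 entry, so an SM3 registration would get mask 0 and be rejected. The include guard `__BASEHASHLIB_H_` uses a reserved identifier, and the `@file` text still refers to ImageVerificationLib.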
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf
@@ -0,0 +1,49 @@
+## @file
+# Provides hash service by registered hash handler
+#
+# This library is Base Hash Lib. It will redirect hash request to each individual
+# hash handler registered, such as SHA1, SHA256, SHA384, SM3. Platform can use
+# PcdTpm2HashMask to register hash engines.
+#
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = BaseHashLibDxe
+ MODULE_UNI_FILE = BaseHashLibDxe.uni
+ FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
+ CONSTRUCTOR = BaseHashLibApiDxeConstructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ BaseHashLib.h
+ BaseHashLibDxe.c
+ BaseHashLib.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ PcdLib
+
+[Pcd]
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
+
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
new file mode 100644
index 000000000000..d8b03ea4da63
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni
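Review bot: `PcdHashAlgorithmBitmap` is tagged `## CONSUMES` in [Pcd], but the constructor and RegisterHashApiLib() both write it with PcdSet32S, so the usage comment should record that the library also produces the value; BaseHashLibPei.inf has the same tag. The LIBRARY_CLASS line offers this instance to DXE_RUNTIME_DRIVER and DXE_SMM_DRIVER as well, and the library reads PcdSystemHashPolicy and PcdHashAlgorithmBitmap on every Init/Update/Final call; if those PCDs are dynamic, that access is presumably not available at runtime or inside SMM, so either narrow the supported module types or confirm the PCD type for them. The header comment says platforms use PcdTpm2HashMask "to register" hash engines, whereas the code uses it to filter which registrations are accepted.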
@@ -0,0 +1,18 @@
+// /** @file
+// Provides hash service by registered hash handler
+//
+// This library is BaseCrypto router. It will redirect hash request to each individual
+// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to
+// mask some hash engines.
+//
+// Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides hash service by registered hash handler"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This library is BaseCrypto router. It will redirect hash request to each individual hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to mask some hash engines."
+
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
new file mode 100644
index 000000000000..07e95a5a9c0f
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf
@@ -0,0 +1,50 @@
+## @file
+# Provides hash service by registered hash handler
+#
+# This library is BaseCrypto router. It will redirect hash request to each individual
+# hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to
+# mask some hash engines.
+#
+# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = BaseHashLibPei
+ MODULE_UNI_FILE = BaseHashLibPei.uni
+ FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B
+ MODULE_TYPE = PEIM
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = BaseHashLib|PEIM
+ CONSTRUCTOR = BaseHashLibApiPeiConstructor
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+
+[Sources]
+ BaseHashLib.h
+ BaseHashLibPei.c
+ BaseHashLib.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ PcdLib
+
+[Pcd]
+ gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES
+
diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
new file mode 100644
index 000000000000..d8b03ea4da63
--- /dev/null
+++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni
@@ -0,0 +1,18 @@ +// /** @file +// Provides hash service by registered hash handler +// +// This library is BaseCrypto router. It will redirect hash request to each individual +// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to +// mask some hash engines. +// +// Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR> +// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides hash service by registered hash handler" + +#string STR_MODULE_DESCRIPTION #language en-US "This library is BaseCrypto router. It will redirect hash request to each individual hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to mask some hash engines." + diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index cac36caf0a0d..b03677a5411c 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -27,6 +27,10 @@ [LibraryClasses] # HashLib|Include/Library/HashLib.h + ## @libraryclass Provides hash interfaces from different implementations. + # + BaseHashLib|Include/Library/HashLib.h + ## @libraryclass Provides a platform specific interface to detect physically present user. # PlatformSecureLib|Include/Library/PlatformSecureLib.h 
@@ -496,5 +500,29 @@ [PcdsDynamic, PcdsDynamicEx] # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table. gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023 + [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF image + # Based on the value set, the required algorithm is chosen to verify + # the unsigned image during Secure Boot.<BR> + # The hashing algorithm selected must match the hashing algorithm used to + # hash the image to be added to DB using tools such as KeyEnroll.<BR> + # 0x00000001 - SHA1.<BR> + # 0x00000002 - SHA256.<BR> + # 0x00000004 - SHA384.<BR> + # 0x00000008 - SHA512.<BR> + # 0x00000010 - SM3_256.<BR> + # @Prompt Set policy for hashing unsigned image for Secure Boot. + # @ValidRange 0x80000001 | 0x00000000 - 0x00000005 + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x02|UINT32|0x00010024 + + ## This PCD indicated final BIOS supported Hash mask for Base Hash API. + # Bios may choose to register a subset of PcdTpm2HashMask. + # This PCD is final value of how many hash algo are registered with + # Base Hash API. + # This PCD will start with value 0 by the Base Hash API constructor and + # the value will be updated as Hash Algo are registered. + # @Prompt Hash Algorithm bitmap for Base Hash API. + gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|0xFFFFFFFF|UINT32|0x00010025 + [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index a2eeadda7a7e..9ae134ffee53 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc 
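Review bot: The `@ValidRange 0x80000001 | 0x00000000 - 0x00000005` line for PcdSystemHashPolicy does not fit the bit values documented just above it: 0x08 (SHA512) and 0x10 (SM3_256) fall outside the range while 0, 3 and 5 fall inside it, and the HELP string added to SecurityPkg.uni describes yet another encoding (0 to 5, including SHA224). BaseHashLib.c tests the PCD as a bitmask, so the comment, the range and the .uni text should all describe the same single-bit values. Listing the policy under PcdsDynamic/PcdsDynamicEx means the hash used for unsigned images during Secure Boot can be changed at run time by any module that can set the PCD, so consider restricting it to PcdsFixedAtBuild/PcdsPatchableInModule unless that is intended. PcdHashAlgorithmBitmap is written with PcdSet32S by the library, which presumably does not build when a platform picks the FixedAtBuild type offered here, and its declared default of 0xFFFFFFFF contradicts the "will start with value 0" description.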
@@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM] Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.inf RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf [LibraryClasses.common.DXE_DRIVER] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf @@ -170,6 +171,7 @@ [PcdsDynamicDefault.common.DEFAULT] gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1 gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|3 gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|3 + gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|3 [PcdsDynamicHii.common.DEFAULT] gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS @@ -211,6 +213,8 @@ [Components] SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf + # # TCG Storage. # diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni index 68587304d779..2dc77279210c 100644 --- a/SecurityPkg/SecurityPkg.uni +++ b/SecurityPkg/SecurityPkg.uni 
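Review bot: BaseHashLib is mapped only under `[LibraryClasses.common.PEIM]` and only BaseHashLibPei.inf is added to `[Components]`, so the package build never compiles BaseHashLibDxe.inf. That leaves the DXE instance untested, including the constructor name in BaseHashLibDxe.c that does not match the `CONSTRUCTOR` entry in its INF. Add `BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf` to the DXE library class sections and `SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf` to `[Components]`. The dynamic default `PcdHashAlgorithmBitmap|3` is also overwritten with 0 by the library constructor, so the default here has no effect as written.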
@@ -295,3 +295,26 @@ #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n" "0 means this field is unsupported\n" + +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT #language en-US "HASH algorithm to verify unsigned PE/COFF image" + +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP #language en-US "This PCD indicates the HASH algorithm to verify unsigned PE/COFF image.<BR><BR>\n" + "Based on the value set, the required algorithm is chosen to verify\n" + "the unsigned image during Secure Boot.<BR>\n" + "The hashing algorithm selected must match the hashing algorithm used to\n" + "hash the image to be added to DB using tools such as KeyEnroll.<BR>\n" + "0x00000000 - SHA1.<BR>\n" + "0x00000001 - SHA224.<BR>" + "0x00000002 - SHA256.<BR>\n" + "0x00000003 - SHA384.<BR>\n" + "0x00000004 - SHA512.<BR>\n" + "0x00000005 - SM3.<BR>" + +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_PROMPT #language en-US "Hash Algorithm bitmap for Base Hash API." + +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_HELP #language en-US "This PCD indicated final BIOS supported Hash mask for Base Hash API.\n" + "Bios may choose to register a subset of PcdTpm2HashMask.<BR>\n" + "This PCD is final value of how many hash algo are registered with\n" + "Base Hash API.<BR>\n" + "This PCD will start with value 0 by the Base Hash API constructor and\n" + "the value will be updated as Hash Algo are registered.<BR>\n" -- 2.16.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#52386): https://edk2.groups.io/g/devel/message/52386 Mute This Topic: https://groups.io/mt/68808207/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-