A gEfiCallerIdGuid needs to be introduced in the BaseHashLibPei method to save the hash mask of registered API instances of hashing algorithms.
gEfiCallerIdGuid saves the last registered hash mask as a HOB that can be modified or updated with the subsequent registration of API instances of hashing algorithms based on PcdSystemHashPolicy. Signed-off-by: Sukerkar, Amol N <amol.n.suker...@intel.com> --- SecurityPkg/Library/BaseHashLib/BaseHashLib.c | 236 ------------- SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 210 +++++++++++- SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 348 +++++++++++++++++++- SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c | 2 +- SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c | 2 +- SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c | 2 +- SecurityPkg/Include/Library/BaseHashLib.h | 153 +++++++++ SecurityPkg/Include/Library/HashLib.h | 83 ----- SecurityPkg/Library/BaseHashLib/BaseHashLib.h | 85 ----- SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 35 ++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 2 - SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 4 +- SecurityPkg/SecurityPkg.dec | 9 - SecurityPkg/SecurityPkg.uni | 9 - 14 files changed, 733 insertions(+), 447 deletions(-) diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.c b/SecurityPkg/Library/BaseHashLib/BaseHashLib.c deleted file mode 100644 index 2ad83387799d..000000000000 --- a/SecurityPkg/Library/BaseHashLib/BaseHashLib.c +++ /dev/null @@ -1,236 +0,0 @@ -/** @file - Implement image verification services for secure boot service - - Caution: This file requires additional review when modified. - This library will have external input - PE/COFF image. - This external input must be validated carefully to avoid security issue like - buffer overflow, integer overflow. - - DxeImageVerificationLibImageRead() function will make sure the PE/COFF image content - read is within the image buffer. - - DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept - untrusted PE/COFF image and validate its data structure within this image buffer before use. - -Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR> -(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> -This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include <Library/BaseLib.h> -#include <Library/BaseMemoryLib.h> -#include <Library/MemoryAllocationLib.h> -#include <Library/DebugLib.h> -#include <Library/PcdLib.h> -#include <Library/HashLib.h> - -//#include "BaseHashLib.h" - -typedef struct { - EFI_GUID Guid; - UINT32 Mask; -} HASH_MASK; - -HASH_MASK mHashMask[] = { - {HASH_ALGORITHM_SHA1_GUID, HASH_ALG_SHA1}, - {HASH_ALGORITHM_SHA256_GUID, HASH_ALG_SHA256}, - {HASH_ALGORITHM_SHA384_GUID, HASH_ALG_SHA384}, - {HASH_ALGORITHM_SHA512_GUID, HASH_ALG_SHA512}, -}; - -HASH_INTERFACE_UNIFIED_API mHashOps[HASH_COUNT] = {{{0}, NULL, NULL, NULL}}; - -UINTN mHashInterfaceCount = 0; -UINT32 mCurrentHashMask = 0; - -UINT32 -EFIAPI -GetApiHashMaskFromAlgo ( - IN EFI_GUID *HashGuid - ) -{ - UINTN Index; - - for (Index = 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index++) { - if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) { - return mHashMask[Index].Mask; - } - } - return 0; -} - -/** - Init hash sequence. - - @param HashHandle Hash handle. - - @retval EFI_SUCCESS Hash start and HashHandle returned. - @retval EFI_UNSUPPORTED System has no HASH library registered. -**/ -EFI_STATUS -EFIAPI -HashApiInit ( - OUT HASH_HANDLE *HashHandle -) -{ - HASH_HANDLE *HashCtx; - UINTN Index; - UINT32 HashMask; - - if (mHashInterfaceCount == 0) { - return EFI_UNSUPPORTED; - } - - HashCtx = AllocatePool (sizeof(*HashCtx)); - ASSERT (HashCtx != NULL); - - for (Index = 0; Index < mHashInterfaceCount; Index++) { - HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); - if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 && - (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) { - mHashOps[Index].HashInit (HashCtx); - } - } - - *HashHandle = (HASH_HANDLE)HashCtx; - - return EFI_SUCCESS; -} - -/** - Update hash data. - - @param HashHandle Hash handle. - @param DataToHash Data to be hashed. - @param DataToHashLen Data size. - - @retval EFI_SUCCESS Hash updated. - @retval EFI_UNSUPPORTED System has no HASH library registered. -**/ -EFI_STATUS -EFIAPI -HashApiUpdate ( - IN HASH_HANDLE HashHandle, - IN VOID *DataToHash, - IN UINTN DataToHashLen -) -{ - HASH_HANDLE *HashCtx; - UINTN Index; - UINT32 HashMask; - - if (mHashInterfaceCount == 0) { - return EFI_UNSUPPORTED; - } - - HashCtx = (HASH_HANDLE *)HashHandle; - - for (Index = 0; Index < mHashInterfaceCount; Index++) { - HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); - if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 && - (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) { - mHashOps[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen); - } - } - - return EFI_SUCCESS; -} - -/** - Hash complete. - - @param HashHandle Hash handle. - @param Digest Hash Digest. - - @retval EFI_SUCCESS Hash complete and Digest is returned. -**/ -EFI_STATUS -EFIAPI -HashApiFinal ( - IN HASH_HANDLE HashHandle, - OUT UINT8 *Digest -) -{ - HASH_HANDLE *HashCtx; - UINTN Index; - UINT32 HashMask; - - if (mHashInterfaceCount == 0) { - return EFI_UNSUPPORTED; - } - - HashCtx = (HASH_HANDLE *)HashHandle; - - for (Index = 0; Index < mHashInterfaceCount; Index++) { - HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); - if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) != 0 && - (HashMask & PcdGet32 (PcdSystemHashPolicy)) != 0) { - mHashOps[Index].HashFinal (HashCtx[0], &Digest); - } - } - - return EFI_SUCCESS; -} - -/** - This service registers Hash Interface. - - @param HashInterface Hash interface - - @retval EFI_SUCCESS This hash interface is registered successfully. - @retval EFI_UNSUPPORTED System does not support register this interface. - @retval EFI_ALREADY_STARTED System already register this interface. -**/ -EFI_STATUS -EFIAPI -RegisterHashApiLib ( - IN HASH_INTERFACE_UNIFIED_API *HashInterface - ) -{ - EFI_STATUS Status; - UINTN Index; - UINT32 HashMask; - - // - // Check Allow - // - HashMask = GetApiHashMaskFromAlgo (&HashInterface->HashGuid); - - // check if Hash Mask is supported - if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) { - return EFI_UNSUPPORTED; - } - - if (mHashInterfaceCount >= sizeof(mHashOps)/sizeof(mHashOps[0])) { - return EFI_OUT_OF_RESOURCES; - } - - // - // Check duplication - // - for (Index = 0; Index < mHashInterfaceCount; Index++) { - if (CompareGuid (&mHashOps[Index].HashGuid, &HashInterface->HashGuid)) { - DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been registered\n", &HashInterface->HashGuid)); - return EFI_ALREADY_STARTED; - } - } - - // - // Register the Hash Algo. - // - mCurrentHashMask = PcdGet32 (PcdHashAlgorithmBitmap) | HashMask; - Status = PcdSet32S (PcdHashAlgorithmBitmap, mCurrentHashMask); - ASSERT_EFI_ERROR (Status); - - CopyMem (&mHashOps[mHashInterfaceCount], HashInterface, sizeof(*HashInterface)); - mHashInterfaceCount ++; - - return EFI_SUCCESS; -} \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c index 5de94d80fad5..f292558e3e40 100644 --- a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c @@ -29,9 +29,204 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include <Library/MemoryAllocationLib.h> #include <Library/DebugLib.h> #include <Library/PcdLib.h> -#include <Library/HashLib.h> +#include <Library/BaseHashLib.h> -#include "BaseHashLib.h" +#include "BaseHashLibCommon.h" + + +HASH_INTERFACE_UNIFIED_API mHashOps[HASH_ALGO_COUNT] = {{{0}, NULL, NULL, NULL}}; + +UINTN mBaseHashInterfaceCount = 0; +UINT32 mCurrentHashMask = 0; + +UINT32 +EFIAPI +GetApiHashMaskFromAlgo ( + IN EFI_GUID *HashGuid + ) +{ + UINTN Index; + + for (Index = 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index++) { + if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) { + return mHashMask[Index].Mask; + } + } + return 0; +} + +/** + Init hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash start and HashHandle returned. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiInit ( + OUT HASH_HANDLE *HashHandle +) +{ + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + UINT32 HashPolicy; + + HashPolicy = PcdGet32 (PcdSystemHashPolicy); + + if ((mBaseHashInterfaceCount == 0) || !(mCurrentHashMask & HashPolicy)) { + return EFI_UNSUPPORTED; + } + + HashCtx = AllocatePool (sizeof(*HashCtx)); + ASSERT (HashCtx != NULL); + + for (Index = 0; Index < mBaseHashInterfaceCount; Index++) { + HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); + if ((HashMask & HashPolicy) != 0) { + mHashOps[Index].HashInit (HashCtx); + break; + } + } + + *HashHandle = (HASH_HANDLE)HashCtx; + + return EFI_SUCCESS; +} + +/** + Update hash data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash updated. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen +) +{ + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + UINT32 HashPolicy; + + HashPolicy = PcdGet32 (PcdSystemHashPolicy); + + if ((mBaseHashInterfaceCount == 0) || !(mCurrentHashMask & HashPolicy)) { + return EFI_UNSUPPORTED; + } + + HashCtx = (HASH_HANDLE *)HashHandle; + + for (Index = 0; Index < mBaseHashInterfaceCount; Index++) { + HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); + if ((HashMask & HashPolicy) != 0) { + mHashOps[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen); + break; + } + } + + return EFI_SUCCESS; +} + +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +EFI_STATUS +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + OUT UINT8 *Digest +) +{ + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + UINT32 HashPolicy; + + HashPolicy = PcdGet32 (PcdSystemHashPolicy); + + if ((mBaseHashInterfaceCount == 0) || !(mCurrentHashMask & HashPolicy)) { + return EFI_UNSUPPORTED; + } + + HashCtx = (HASH_HANDLE *)HashHandle; + + for (Index = 0; Index < mBaseHashInterfaceCount; Index++) { + HashMask = GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); + if ((HashMask & HashPolicy) != 0) { + mHashOps[Index].HashFinal (HashCtx[0], &Digest); + break; + } + } + + return EFI_SUCCESS; +} + +/** + This service registers Hash Interface. + + @param HashInterface Hash interface + + @retval EFI_SUCCESS This hash interface is registered successfully. + @retval EFI_UNSUPPORTED System does not support register this interface. + @retval EFI_ALREADY_STARTED System already register this interface. +**/ +EFI_STATUS +EFIAPI +RegisterHashApiLib ( + IN HASH_INTERFACE_UNIFIED_API *HashInterface + ) +{ + UINTN Index; + UINT32 HashMask; + + // + // Check Allow + // + HashMask = GetApiHashMaskFromAlgo (&HashInterface->HashGuid); + + + if (mBaseHashInterfaceCount >= sizeof(mHashOps)/sizeof(mHashOps[0])) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Check duplication + // + for (Index = 0; Index < mBaseHashInterfaceCount; Index++) { + if (CompareGuid (&mHashOps[Index].HashGuid, &HashInterface->HashGuid)) { + DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has already been registered\n", &HashInterface->HashGuid)); + return EFI_ALREADY_STARTED; + } + } + + // + // Register the Hash Algo. + // + mCurrentHashMask = mCurrentHashMask | HashMask; + + CopyMem (&mHashOps[mBaseHashInterfaceCount], HashInterface, sizeof(*HashInterface)); + mBaseHashInterfaceCount ++; + + DEBUG ((DEBUG_INFO,"RegisterHashApiLib: mBaseHashInterfaceCount update to 0x%x \n", mBaseHashInterfaceCount)); + + return EFI_SUCCESS; +} /** The constructor function of BaseHashLib Dxe. @@ -45,18 +240,13 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. **/ EFI_STATUS EFIAPI -BaseHashLibApiPeiConstructor ( +BaseHashLibApiDxeConstructor ( IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable ) { - EFI_STATUS Status; - - // - // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module. - // - Status = PcdSet32S (PcdHashAlgorithmBitmap, 0); - ASSERT_EFI_ERROR (Status); + mBaseHashInterfaceCount = 0; + mCurrentHashMask = 0; return EFI_SUCCESS; } \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c index 8ffe356b60e7..0fd0e2f42612 100644 --- a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c @@ -30,8 +30,318 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include <Library/DebugLib.h> #include <Library/PcdLib.h> #include <Library/HashLib.h> +#include <Library/HobLib.h> +#include <Guid/ZeroGuid.h> -#include "BaseHashLib.h" +#include <Library/BaseHashLib.h> +#include "BaseHashLibCommon.h" + +#define BASEHASH_LIB_PEI_ROUTER_GUID \ + { 0x19ea22c7, 0xf870, 0x4b5e, { 0x98, 0x86, 0x9c, 0x29, 0xb2, 0x20, 0xf0, 0x39 } } + + +EFI_GUID mBaseHashLibPeiRouterGuid = BASEHASH_LIB_PEI_ROUTER_GUID; + +typedef struct { + // + // If gZeroGuid, SupportedHashMask is 0 for FIRST module which consumes HashLib + // or the hash algorithm bitmap of LAST module which consumes HashLib. + // HashInterfaceCount and HashInterface are all 0. + // If gEfiCallerIdGuid, HashInterfaceCount, HashInterface and SupportedHashMask + // are the hash interface information of CURRENT module which consumes HashLib. + // + EFI_GUID Identifier; + UINTN HashInterfaceCount; + HASH_INTERFACE_UNIFIED_API HashInterface[HASH_ALGO_COUNT]; + UINT32 SupportedHashMask; +} HASH_INTERFACE_HOB; + + +UINT32 +EFIAPI +GetApiHashMaskFromAlgo ( + IN EFI_GUID *HashGuid + ) +{ + UINTN Index; + + for (Index = 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index++) { + if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) { + return mHashMask[Index].Mask; + } + } + return 0; +} + +/** + This function gets hash interface hob. + + @param Identifier Identifier to get hash interface hob. + + @retval hash interface hob. +**/ +HASH_INTERFACE_HOB * +InternalGetBaseHashInterfaceHob ( + EFI_GUID *Identifier + ) +{ + EFI_PEI_HOB_POINTERS Hob; + HASH_INTERFACE_HOB *HashInterfaceHob; + + Hob.Raw = GetFirstGuidHob (&mBaseHashLibPeiRouterGuid); + while (Hob.Raw != NULL) { + HashInterfaceHob = GET_GUID_HOB_DATA (Hob); + if (CompareGuid (&HashInterfaceHob->Identifier, Identifier)) { + // + // Found the matched one. + // + return HashInterfaceHob; + } + Hob.Raw = GET_NEXT_HOB (Hob); + Hob.Raw = GetNextGuidHob (&mBaseHashLibPeiRouterGuid, Hob.Raw); + } + + return NULL; +} + +/** + This function creates hash interface hob. + + @param Identifier Identifier to create hash interface hob. + + @retval hash interface hob. +**/ +HASH_INTERFACE_HOB * +InternalCreateBaseHashInterfaceHob ( + EFI_GUID *Identifier + ) +{ + HASH_INTERFACE_HOB LocalHashInterfaceHob; + + ZeroMem (&LocalHashInterfaceHob, sizeof(LocalHashInterfaceHob)); + CopyGuid (&LocalHashInterfaceHob.Identifier, Identifier); + return BuildGuidDataHob (&mBaseHashLibPeiRouterGuid, &LocalHashInterfaceHob, sizeof(LocalHashInterfaceHob)); +} + +/** + Init hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash start and HashHandle returned. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiInit ( + OUT HASH_HANDLE *HashHandle +) +{ + HASH_HANDLE *HashCtx; + HASH_INTERFACE_HOB *HashInterfaceHob; + UINTN Index; + UINT32 HashMask; + UINT32 HashPolicy; + + HashInterfaceHob = InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid); + if (HashInterfaceHob == NULL) { + return EFI_UNSUPPORTED; + } + + HashPolicy = PcdGet32 (PcdSystemHashPolicy); + + if ((HashInterfaceHob->HashInterfaceCount == 0) || !(HashInterfaceHob->SupportedHashMask & HashPolicy)) { + DEBUG ((DEBUG_INFO,"Unsupported Hash Type 0x%x \n", HashPolicy)); + return EFI_UNSUPPORTED; + } + + HashCtx = AllocatePool (sizeof(*HashCtx)); + ASSERT (HashCtx != NULL); + + for (Index = 0; Index < HashInterfaceHob->HashInterfaceCount; Index++) { + HashMask = GetApiHashMaskFromAlgo (&HashInterfaceHob->HashInterface[Index].HashGuid); + if ((HashMask & HashPolicy) != 0) { + HashInterfaceHob->HashInterface[Index].HashInit (HashCtx); + break; + } + } + + // Check for hash type supported + if(Index == HashInterfaceHob->HashInterfaceCount) + return EFI_UNSUPPORTED; + + *HashHandle = (HASH_HANDLE)HashCtx; + + return EFI_SUCCESS; +} + +/** + Update hash data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash updated. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen +) +{ + HASH_INTERFACE_HOB *HashInterfaceHob; + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + UINT32 HashPolicy; + + HashInterfaceHob = InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid); + if (HashInterfaceHob == NULL) { + return EFI_UNSUPPORTED; + } + + HashPolicy = PcdGet32 (PcdSystemHashPolicy); + + if ((HashInterfaceHob->HashInterfaceCount == 0) || !(HashInterfaceHob->SupportedHashMask & HashPolicy)) { + DEBUG ((DEBUG_INFO,"Unsupported Hash Type 0x%x \n", HashPolicy)); + return EFI_UNSUPPORTED; + } + + HashCtx = (HASH_HANDLE *)HashHandle; + + for (Index = 0; Index < HashInterfaceHob->HashInterfaceCount; Index++) { + HashMask = GetApiHashMaskFromAlgo (&HashInterfaceHob->HashInterface[Index].HashGuid); + if ((HashMask & HashPolicy) != 0) { + HashInterfaceHob->HashInterface[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen); + break; + } + } + + // Check for hash type supported + if(Index == HashInterfaceHob->HashInterfaceCount) { + return EFI_UNSUPPORTED; + } + + return EFI_SUCCESS; +} + +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +EFI_STATUS +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + OUT UINT8 *Digest +) +{ + HASH_INTERFACE_HOB *HashInterfaceHob; + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + UINT32 HashPolicy; + + HashInterfaceHob = InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid); + if (HashInterfaceHob == NULL) { + return EFI_UNSUPPORTED; + } + + HashPolicy = PcdGet32 (PcdSystemHashPolicy); + + if ((HashInterfaceHob->HashInterfaceCount == 0) || !(HashInterfaceHob->SupportedHashMask & HashPolicy)) { + DEBUG ((DEBUG_INFO,"Unsupported Hash Type 0x%x \n", HashPolicy)); + return EFI_UNSUPPORTED; + } + + HashCtx = (HASH_HANDLE *)HashHandle; + + for (Index = 0; Index < HashInterfaceHob->HashInterfaceCount; Index++) { + HashMask = GetApiHashMaskFromAlgo (&HashInterfaceHob->HashInterface[Index].HashGuid); + if (HashMask & HashPolicy) { + HashInterfaceHob->HashInterface[Index].HashFinal (HashCtx[0], &Digest); + break; + } + } + + // Check for hash type supported + if(Index == HashInterfaceHob->HashInterfaceCount){ + return EFI_UNSUPPORTED; + } + + return EFI_SUCCESS; +} + +/** + This service registers Hash Interface. + + @param HashInterface Hash interface + + @retval EFI_SUCCESS This hash interface is registered successfully. + @retval EFI_UNSUPPORTED System does not support register this interface. + @retval EFI_ALREADY_STARTED System already register this interface. +**/ +EFI_STATUS +EFIAPI +RegisterHashApiLib ( + IN HASH_INTERFACE_UNIFIED_API *HashInterface + ) +{ +// EFI_STATUS Status; + UINTN Index; + UINT32 HashMask; + HASH_INTERFACE_HOB *HashInterfaceHob; + + // + // Check Allow + // + HashMask = GetApiHashMaskFromAlgo (&HashInterface->HashGuid); + + HashInterfaceHob = InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid); + if (HashInterfaceHob == NULL) { + HashInterfaceHob = InternalCreateBaseHashInterfaceHob (&gEfiCallerIdGuid); + if (HashInterfaceHob == NULL) { + return EFI_OUT_OF_RESOURCES; + } else { + // Initialize SupportedHashMask + HashInterfaceHob->SupportedHashMask = 0; + } + } + + if (HashInterfaceHob->HashInterfaceCount >= HASH_COUNT) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Check duplication + // + for (Index = 0; Index < HashInterfaceHob->HashInterfaceCount; Index++) { + if (CompareGuid (&HashInterfaceHob->HashInterface[Index].HashGuid, &HashInterface->HashGuid)) { + DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been already registered\n", &HashInterface->HashGuid)); + return EFI_ALREADY_STARTED; + } + } + + // + // Register the Hash Algo. + // + HashInterfaceHob->SupportedHashMask = HashInterfaceHob->SupportedHashMask | HashMask; + + CopyMem (&HashInterfaceHob->HashInterface[HashInterfaceHob->HashInterfaceCount], HashInterface, sizeof(*HashInterface)); + HashInterfaceHob->HashInterfaceCount ++; + + DEBUG ((DEBUG_INFO,"RegisterHashApiLib: HashInterfaceCount 0x%x SupportedHashMask 0x%x \n", HashInterfaceHob->HashInterfaceCount, HashInterfaceHob->SupportedHashMask)); + + return EFI_SUCCESS; +} /** The constructor function of BaseHashLib Pei. @@ -50,13 +360,37 @@ BaseHashLibApiPeiConstructor ( IN CONST EFI_PEI_SERVICES **PeiServices ) { - EFI_STATUS Status; +// EFI_STATUS Status; + HASH_INTERFACE_HOB *HashInterfaceHob; - // - // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module. - // - Status = PcdSet32S (PcdHashAlgorithmBitmap, 0); - ASSERT_EFI_ERROR (Status); + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n")); + + + HashInterfaceHob = InternalGetBaseHashInterfaceHob (&gZeroGuid); + if (HashInterfaceHob == NULL) { + // + // No HOB with gZeroGuid Identifier has been created, + // this is FIRST module which consumes HashLib. + // Create the HOB with gZeroGuid Identifier. + // + HashInterfaceHob = InternalCreateBaseHashInterfaceHob (&gZeroGuid); + if (HashInterfaceHob == NULL) { + return EFI_OUT_OF_RESOURCES; + } + } + + HashInterfaceHob = InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid); + if (HashInterfaceHob != NULL) { + // + // In PEI phase, some modules may call RegisterForShadow and will be + // shadowed and executed again after memory is discovered. + // This is the second execution of this module, clear the hash interface + // information registered at its first execution. + // + ZeroMem (&HashInterfaceHob->HashInterface, sizeof (HashInterfaceHob->HashInterface)); + HashInterfaceHob->HashInterfaceCount = 0; + HashInterfaceHob->SupportedHashMask = 0; + } return EFI_SUCCESS; } \ No newline at end of file diff --git a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c index 06e88f00d70b..175499e7609c 100644 --- a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c +++ b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c @@ -13,7 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include <Library/DebugLib.h> #include <Library/BaseCryptLib.h> #include <Library/MemoryAllocationLib.h> -#include <Library/HashLib.h> +#include <Library/BaseHashLib.h> /** Start hash sequence. diff --git a/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c index 129d60a387fd..9222a12a3273 100644 --- a/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c +++ b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c @@ -13,7 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include <Library/DebugLib.h> #include <Library/BaseCryptLib.h> #include <Library/MemoryAllocationLib.h> -#include <Library/HashLib.h> +#include <Library/BaseHashLib.h> /** Start hash sequence. diff --git a/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c index 0d1b8f3e877a..c23b1a567172 100644 --- a/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c +++ b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c @@ -13,7 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include <Library/DebugLib.h> #include <Library/BaseCryptLib.h> #include <Library/MemoryAllocationLib.h> -#include <Library/HashLib.h> +#include <Library/BaseHashLib.h> /** Start hash sequence. diff --git a/SecurityPkg/Include/Library/BaseHashLib.h b/SecurityPkg/Include/Library/BaseHashLib.h new file mode 100644 index 000000000000..36dd2912d7eb --- /dev/null +++ b/SecurityPkg/Include/Library/BaseHashLib.h @@ -0,0 +1,153 @@ +/** @file + The internal header file includes the common header files, defines + internal structure and functions used by ImageVerificationLib. + +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR> +This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#ifndef __BASEHASHLIB_H_ +#define __BASEHASHLIB_H_ + +#include <Uefi.h> +#include <Protocol/Hash.h> +#include <Library/HashLib.h> + +// +// Hash Algorithms +// +#define HASH_ALG_DEFAULT 0x00000000 +#define HASH_ALG_SHA1 0x00000001 +#define HASH_ALG_SHA256 0x00000002 +#define HASH_ALG_SHA384 0x00000004 +#define HASH_ALG_SHA512 0x00000008 +#define HASH_ALG_SM3_256 0x00000010 + + +/** + Init hash sequence. + + @param HashType Type of hash algorithm. + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash start and HashHandle returned. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiInit ( + IN UINT32 HashType, + OUT HASH_HANDLE *HashHandle +); + +/** + Update hash data. + + @param HashHandle Hash handle. + @param HashType Type of hash algorithm. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash updated. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN UINT32 HashType, + IN VOID *DataToHash, + IN UINTN DataToHashLen +); + +/** + Hash complete. + + @param HashHandle Hash handle. + @param HashType Type of hash algorithm. + @param Digest Hash Digest. + + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +EFI_STATUS +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + IN UINT32 HashType, + OUT UINT8 *Digest +); + +/** + Start hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash sequence start and HandleHandle returned. + @retval EFI_OUT_OF_RESOURCES No enough resource to start hash. +**/ +typedef +EFI_STATUS +(EFIAPI *BASE_HASH_INIT) ( + OUT HASH_HANDLE *HashHandle + ); + +/** + Update hash sequence data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash sequence updated. +**/ +typedef +EFI_STATUS +(EFIAPI *BASE_HASH_UPDATE) ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ); + +/** + Hash complete. + @param HashHandle Hash handle. + @param Digest Hash Digest. + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +typedef +EFI_STATUS +(EFIAPI *BASE_HASH_FINAL_EX) ( + IN HASH_HANDLE HashHandle, + OUT UINT8 **Digest + ); + +typedef struct { + EFI_GUID HashGuid; + BASE_HASH_INIT HashInit; + BASE_HASH_UPDATE HashUpdate; + BASE_HASH_FINAL_EX HashFinal; +} HASH_INTERFACE_UNIFIED_API; + +/** + This service registers Hash Interface. + + @param HashInterface Hash interface + + @retval EFI_SUCCESS This hash interface is registered successfully. + @retval EFI_UNSUPPORTED System does not support register this interface. + @retval EFI_ALREADY_STARTED System already register this interface. +**/ +EFI_STATUS +EFIAPI +RegisterHashApiLib ( + IN HASH_INTERFACE_UNIFIED_API *HashInterface +); + +#endif \ No newline at end of file diff --git a/SecurityPkg/Include/Library/HashLib.h b/SecurityPkg/Include/Library/HashLib.h index 740cb8188e51..6ad960ad70ee 100644 --- a/SecurityPkg/Include/Library/HashLib.h +++ b/SecurityPkg/Include/Library/HashLib.h @@ -87,53 +87,6 @@ HashAndExtend ( OUT TPML_DIGEST_VALUES *DigestList ); -/** - Init hash sequence. - - @param HashHandle Hash handle. - - @retval EFI_SUCCESS Hash start and HashHandle returned. - @retval EFI_UNSUPPORTED System has no HASH library registered. -**/ -EFI_STATUS -EFIAPI -HashApiInit ( - OUT HASH_HANDLE *HashHandle -); - -/** - Update hash data. - - @param HashHandle Hash handle. - @param DataToHash Data to be hashed. - @param DataToHashLen Data size. - - @retval EFI_SUCCESS Hash updated. - @retval EFI_UNSUPPORTED System has no HASH library registered. -**/ -EFI_STATUS -EFIAPI -HashApiUpdate ( - IN HASH_HANDLE HashHandle, - IN VOID *DataToHash, - IN UINTN DataToHashLen -); - -/** - Hash complete. - - @param HashHandle Hash handle. - @param Digest Hash Digest. - - @retval EFI_SUCCESS Hash complete and Digest is returned. -**/ -EFI_STATUS -EFIAPI -HashApiFinal ( - IN HASH_HANDLE HashHandle, - OUT UINT8 *Digest -); - /** Start hash sequence. @@ -180,21 +133,6 @@ EFI_STATUS OUT TPML_DIGEST_VALUES *DigestList ); -/** - Hash complete. - - @param HashHandle Hash handle. - @param Digest Hash Digest. - - @retval EFI_SUCCESS Hash complete and Digest is returned. -**/ -typedef -EFI_STATUS -(EFIAPI *HASH_FINAL_EX) ( - IN HASH_HANDLE HashHandle, - OUT UINT8 **Digest - ); - #define HASH_ALGORITHM_SHA1_GUID EFI_HASH_ALGORITHM_SHA1_GUID #define HASH_ALGORITHM_SHA256_GUID EFI_HASH_ALGORITHM_SHA256_GUID #define HASH_ALGORITHM_SHA384_GUID EFI_HASH_ALGORITHM_SHA384_GUID @@ -211,13 +149,6 @@ typedef struct { HASH_FINAL HashFinal; } HASH_INTERFACE; -typedef struct { - EFI_GUID HashGuid; - HASH_INIT HashInit; - HASH_UPDATE HashUpdate; - HASH_FINAL_EX HashFinal; -} HASH_INTERFACE_UNIFIED_API; - /** This service register Hash. @@ -233,18 +164,4 @@ RegisterHashInterfaceLib ( IN HASH_INTERFACE *HashInterface ); -/** - This service registers Hash Interface. - - @param HashInterface Hash interface - - @retval EFI_SUCCESS This hash interface is registered successfully. - @retval EFI_UNSUPPORTED System does not support register this interface. - @retval EFI_ALREADY_STARTED System already register this interface. -**/ -EFI_STATUS -EFIAPI -RegisterHashApiLib ( - IN HASH_INTERFACE_UNIFIED_API *HashInterface -); #endif diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.h b/SecurityPkg/Library/BaseHashLib/BaseHashLib.h deleted file mode 100644 index 70676c1716c3..000000000000 --- a/SecurityPkg/Library/BaseHashLib/BaseHashLib.h +++ /dev/null @@ -1,85 +0,0 @@ -/** @file - The internal header file includes the common header files, defines - internal structure and functions used by ImageVerificationLib. - -Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR> -This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#ifndef __BASEHASHLIB_H_ -#define __BASEHASHLIB_H_ - -#define HASH_ALGO_COUNT 7 - -// -// Hash Algorithms -// -#define HASH_ALG_SHA1 0x00000001 -#define HASH_ALG_SHA256 0x00000002 -#define HASH_ALG_SHA384 0x00000004 -#define HASH_ALG_SHA512 0x00000008 -#define HASH_ALG_SM3_256 0x00000010 -#if 0 -typedef -UINTN -(EFIAPI *GET_HASH_CTX_SIZE) ( - VOID - ); - -typedef -BOOLEAN -(EFIAPI *_HASH_INIT) ( - OUT VOID *ShaContext - ); - -typedef -BOOLEAN -(EFIAPI *_HASH_DUPLICATE) ( - IN CONST VOID *ShaContext, - OUT VOID *NewShaContext - ); - -typedef -BOOLEAN -(EFIAPI *_HASH_UPDATE) ( - IN OUT VOID *ShaContext, - IN CONST VOID *Data, - IN UINTN DataSize - ); - -typedef -BOOLEAN -(EFIAPI *_HASH_FINAL) ( - IN OUT VOID *ShaContext, - OUT UINT8 *HashValue - ); - -HASH_ALGO_IDX -GetHashAlgoIndex ( - VOID -); - -typedef struct { - HASH_ALGO_IDX HashAlgo; - GET_HASH_CTX_SIZE GetHashCtxSize; - _HASH_INIT HashInit; - _HASH_DUPLICATE HashDuplicate; - _HASH_UPDATE HashUpdate; - _HASH_FINAL HashFinal; -} HASH_OPERATIONS; - - -EFI_STATUS -EFIAPI -RegisterHashLib ( - IN HASH_OPERATIONS *HashInterface -); -#endif -#endif \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h new file mode 100644 index 000000000000..dc4839d16600 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h @@ -0,0 +1,35 @@ +/** @file + The internal header file includes the common header files, defines + internal structure and functions used by ImageVerificationLib. + +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR> +This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#ifndef __BASEHASHLIB_COMMON_H_ +#define __BASEHASHLIB_COMMON_H_ + +#define HASH_ALGO_COUNT 5 + + +typedef struct { + EFI_GUID Guid; + UINT32 Mask; +} HASH_MASK; + +HASH_MASK mHashMask[] = { + {HASH_ALGORITHM_SHA1_GUID, HASH_ALG_SHA1}, + {HASH_ALGORITHM_SHA256_GUID, HASH_ALG_SHA256}, + {HASH_ALGORITHM_SHA384_GUID, HASH_ALG_SHA384}, + {HASH_ALGORITHM_SHA512_GUID, HASH_ALG_SHA512}, + {HASH_ALGORITHM_SM3_256_GUID, HASH_ALG_SM3_256}, +}; + +#endif \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf index f5dcbedb2cd9..a8d6c0f37570 100644 --- a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf @@ -43,7 +43,5 @@ [LibraryClasses] PcdLib [Pcd] - gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES - gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf index 07e95a5a9c0f..872989f2352d 100644 --- a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf @@ -44,7 +44,5 @@ [LibraryClasses] PcdLib [Pcd] - gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES - gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES - gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index b03677a5411c..2f31b0192fdb 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -515,14 +515,5 @@ [PcdsDynamic, PcdsDynamicEx] # @ValidRange 0x80000001 | 0x00000000 - 0x00000005 gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x02|UINT32|0x00010024 - ## This PCD indicated final BIOS supported Hash mask for Base Hash API. - # Bios may choose to register a subset of PcdTpm2HashMask. - # This PCD is final value of how many hash algo are registered with - # Base Hash API. - # This PCD will start with value 0 by the Base Hash API constructor and - # the value will be updated as Hash Algo are registered. - # @Prompt Hash Algorithm bitmap for Base Hash API. - gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|0xFFFFFFFF|UINT32|0x00010025 - [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni index 2dc77279210c..c9d12535b5f4 100644 --- a/SecurityPkg/SecurityPkg.uni +++ b/SecurityPkg/SecurityPkg.uni @@ -309,12 +309,3 @@ "0x00000003 - SHA384.<BR>\n" "0x00000004 - SHA512.<BR>\n" "0x00000005 - SM3.<BR>" - -#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_PROMPT #language en-US "Hash Algorithm bitmap for Base Hash API." - -#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_HELP #language en-US "This PCD indicated final BIOS supported Hash mask for Base Hash API.\n" - "Bios may choose to register a subset of PcdTpm2HashMask.<BR>\n" - "This PCD is final value of how many hash algo are registered with\n" - "Base Hash API.<BR>\n" - "This PCD will start with value 0 by the Base Hash API constructor and\n" - "the value will be updated as Hash Algo are registered.<BR>\n" -- 2.16.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#52387): https://edk2.groups.io/g/devel/message/52387 Mute This Topic: https://groups.io/mt/68808208/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
