Amol: This is new feature. Please submit BZ (https://bugzilla.tianocore.org/) to track it. If this feature catches edk2 2020 Q1 stable tag, I will add it into edk2 feature planning.
Thanks Liming -----Original Message----- From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wang, Jian J Sent: 2020年1月15日 11:14 To: Sukerkar, Amol N <amol.n.suker...@intel.com>; devel@edk2.groups.io Cc: Kinney, Michael D <michael.d.kin...@intel.com>; Yao, Jiewen <jiewen....@intel.com>; Agrawal, Sachin <sachin.agra...@intel.com>; Musti, Srinivas <srinivas.mu...@intel.com> Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified Hash Calculation API Amol, 1. Your patch doesn't support hashing more than one algorithm at the same time. Is this on purpose? Sorry I don't remember the conclusion in last discussion. 2. There're trailing spaces in BaseHashLibCommon.c and BashHashLibCommon.h. You can use BaseTools\Scripts\PatchCheck.py to check it before sending patch. See my other comments below. > -----Original Message----- > From: Sukerkar, Amol N <amol.n.suker...@intel.com> > Sent: Tuesday, January 14, 2020 11:41 PM > To: devel@edk2.groups.io > Cc: Kinney, Michael D <michael.d.kin...@intel.com>; Yao, Jiewen > <jiewen....@intel.com>; Wang, Jian J <jian.j.w...@intel.com>; Agrawal, > Sachin <sachin.agra...@intel.com>; Musti, Srinivas > <srinivas.mu...@intel.com> > Subject: [PATCH v2 1/1] SecurityPkg/BaseHashLib: Implement Unified > Hash Calculation API > > This commit introduces a Unified Hash API to calculate hash using a > hashing algorithm specified by the PCD, PcdSystemHashPolicy. This > library interfaces with the various hashing API, such as, MD4, MD5, > SHA1, SHA256, > SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate > the desired hash by setting PcdSystemHashPolicy to appropriate value. > > Cc: Jiewen Yao <jiewen....@intel.com> > Cc: Jian J Wang <jian.j.w...@intel.com> > Cc: Michael D Kinney <michael.d.kin...@intel.com> > Signed-off-by: Sukerkar, Amol N <amol.n.suker...@intel.com> > --- > > Notes: > v2: > - Fixed the commit message format > > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252 > ++++++++++++++++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++ > SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++ > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++ > SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++ > SecurityPkg/SecurityPkg.dec | 23 +- > SecurityPkg/SecurityPkg.dsc | 10 +- > SecurityPkg/SecurityPkg.uni | 15 +- > 12 files changed, 833 insertions(+), 3 deletions(-) > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c > new file mode 100644 > index 000000000000..f8742e55b5f7 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c > @@ -0,0 +1,252 @@ > +/** @file > > + Implement image verification services for secure boot service > > + > > + Caution: This file requires additional review when modified. > > + This library will have external input - PE/COFF image. > > + This external input must be validated carefully to avoid security > + issue like > > + buffer overflow, integer overflow. > > + > > + DxeImageVerificationLibImageRead() function will make sure the > + PE/COFF > image content > > + read is within the image buffer. > > + > > + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() > function will accept > > + untrusted PE/COFF image and validate its data structure within this > + image > buffer before use. > > + > > +Copyright (c) 2009 - 2020, Intel Corporation. All rights > +reserved.<BR> > > +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> > > +This program and the accompanying materials > > +are licensed and made available under the terms and conditions of the > +BSD > License > > +which accompanies this distribution. The full text of the license > +may be found > at > > +http://opensource.org/licenses/bsd-license.php > > + > > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, > > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > > + > > +**/ > > + > > +#include <Library/BaseLib.h> > > +#include <Library/BaseMemoryLib.h> > > +#include <Library/MemoryAllocationLib.h> > > +#include <Library/BaseCryptLib.h> > > +#include <Library/DebugLib.h> > > +#include <Library/PcdLib.h> > > +#include <Library/BaseHashLib.h> > > + > > +/** > > + Init hash sequence with Hash Algorithm specified by HashPolicy. > > + > > + @param HashPolicy Hash Algorithm Policy. > > + @param HashHandle Hash handle. > > + > > + @retval TRUE Hash start and HashHandle returned. > > + @retval FALSE Hash Init unsuccessful. > > +**/ > > +BOOLEAN > > +EFIAPI > > +HashInitInternal ( > > + IN UINT8 HashPolicy, > > + OUT HASH_HANDLE *HashHandle > > + ) > > +{ > > + BOOLEAN Status; > > + VOID *HashCtx; > > + UINTN CtxSize; > > + > > + switch (HashPolicy) { > > + case HASH_MD4: > > + CtxSize = Md4GetContextSize (); > > + HashCtx = AllocatePool (CtxSize); > > + ASSERT (HashCtx != NULL); > > + > > + Status = Md4Init (HashCtx); > > + break; > > + > > + case HASH_MD5: > > + CtxSize = Md5GetContextSize (); > > + HashCtx = AllocatePool (CtxSize); > > + ASSERT (HashCtx != NULL); > > + > > + Status = Md5Init (HashCtx); > > + break; > > + > > + case HASH_SHA1: > > + CtxSize = Sha1GetContextSize (); > > + HashCtx = AllocatePool (CtxSize); > > + ASSERT (HashCtx != NULL); > > + > > + Status = Sha1Init (HashCtx); > > + break; > > + > > + case HASH_SHA256: > > + CtxSize = Sha256GetContextSize (); > > + HashCtx = AllocatePool (CtxSize); > > + ASSERT (HashCtx != NULL); > > + > > + Status = Sha256Init (HashCtx); > > + break; > > + > > + case HASH_SHA384: > > + CtxSize = Sha384GetContextSize (); > > + HashCtx = AllocatePool (CtxSize); > > + ASSERT (HashCtx != NULL); > > + > > + Status = Sha384Init (HashCtx); > > + break; > > + > > + case HASH_SHA512: > > + CtxSize = Sha512GetContextSize (); > > + HashCtx = AllocatePool (CtxSize); > > + ASSERT (HashCtx != NULL); > > + > > + Status = Sha512Init (HashCtx); > > + break; > > + > > + case HASH_SM3_256: > > + CtxSize = Sm3GetContextSize (); > > + HashCtx = AllocatePool (CtxSize); > > + ASSERT (HashCtx != NULL); > > + > > + Status = Sm3Init (HashCtx); > > + break; > > + > > + default: > > + ASSERT (FALSE); > > + break; > > + } > > + 3. Instead of switch..case, using a global array to defines all supported interfaces would be more efficient, since you can value of PcdSystemHashPolicy to index them directly. > > + *HashHandle = (HASH_HANDLE)HashCtx; > > + > > + return Status; > > +} > > + > > +/** > > + Update hash data with Hash Algorithm specified by HashPolicy. > > + > > + @param HashPolicy Hash Algorithm Policy. > > + @param HashHandle Hash handle. > > + @param DataToHash Data to be hashed. > > + @param DataToHashLen Data size. > > + > > + @retval TRUE Hash updated. > > + @retval FALSE Hash updated unsuccessful. > > +**/ > > +BOOLEAN > > +EFIAPI > > +HashUpdateInternal ( > > + IN UINT8 HashPolicy, > > + IN HASH_HANDLE HashHandle, > > + IN VOID *DataToHash, > > + IN UINTN DataToHashLen > > + ) > > +{ > > + BOOLEAN Status; > > + VOID *HashCtx; > > + > > + HashCtx = (VOID *)HashHandle; > > + > > + switch (HashPolicy) { > > + case HASH_MD4: > > + Status = Md4Update (HashCtx, DataToHash, DataToHashLen); > > + break; > > + > > + case HASH_MD5: > > + Status = Md5Update (HashCtx, DataToHash, DataToHashLen); > > + break; > > + > > + case HASH_SHA1: > > + Status = Sha1Update (HashCtx, DataToHash, DataToHashLen); > > + break; > > + > > + case HASH_SHA256: > > + Status = Sha256Update (HashCtx, DataToHash, DataToHashLen); > > + break; > > + > > + case HASH_SHA384: > > + Status = Sha384Update (HashCtx, DataToHash, DataToHashLen); > > + break; > > + > > + case HASH_SHA512: > > + Status = Sha512Update (HashCtx, DataToHash, DataToHashLen); > > + break; > > + > > + case HASH_SM3_256: > > + Status = Sm3Update (HashCtx, DataToHash, DataToHashLen); > > + break; > > + > > + default: > > + ASSERT (FALSE); > > + break; > > + } > 4. The same as 3 > + > > + return Status; > > +} > > + > > +/** > > + Hash complete with Hash Algorithm specified by HashPolicy. > > + > > + @param HashPolicy Hash Algorithm Policy. > > + @param HashHandle Hash handle. > > + @param Digest Hash Digest. > > + > > + @retval TRUE Hash complete and Digest is returned. > > + @retval FALSE Hash complete unsuccessful. > > +**/ > > +BOOLEAN > > +EFIAPI > > +HashFinalInternal ( > > + IN UINT8 HashPolicy, > > + IN HASH_HANDLE HashHandle, > > + OUT UINT8 **Digest > > + ) > > +{ > > + BOOLEAN Status; > > + VOID *HashCtx; > > + UINT8 DigestData[SHA512_DIGEST_SIZE]; > > + > > + HashCtx = (VOID *)HashHandle; > > + > > + switch (HashPolicy) { > > + case HASH_MD4: > > + Status = Md4Final (HashCtx, DigestData); > > + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE); > > + break; > > + > > + case HASH_MD5: > > + Status = Md5Final (HashCtx, DigestData); > > + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE); > > + break; > > + > > + case HASH_SHA1: > > + Status = Sha1Final (HashCtx, DigestData); > > + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE); > > + break; > > + > > + case HASH_SHA256: > > + Status = Sha256Final (HashCtx, DigestData); > > + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE); > > + break; > > + > > + case HASH_SHA384: > > + Status = Sha384Final (HashCtx, DigestData); > > + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE); > > + break; > > + > > + case HASH_SHA512: > > + Status = Sha512Final (HashCtx, DigestData); > > + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE); > > + break; > > + > > + case HASH_SM3_256: > > + Status = Sm3Final (HashCtx, DigestData); > > + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE); > > + break; > > + > > + default: > > + ASSERT (FALSE); > > + break; > 5. The same as 3 > + } > > + > > + FreePool (HashCtx); > > + > > + return Status; > > +} > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c > new file mode 100644 > index 000000000000..ea22cfe16e2f > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c > @@ -0,0 +1,122 @@ > +/** @file > > + This library is Unified Hash API. It will redirect hash request to > > + the hash handler specified by PcdSystemHashPolicy such as SHA1, > + SHA256, > > + SHA384 and SM3... > > + > > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. > +<BR> > > +SPDX-License-Identifier: BSD-2-Clause-Patent > > + > > +**/ > > + > > + > > +#include <Library/BaseLib.h> > > +#include <Library/BaseMemoryLib.h> > > +#include <Library/MemoryAllocationLib.h> > > +#include <Library/DebugLib.h> > > +#include <Library/PcdLib.h> > > +#include <Library/BaseHashLib.h> > > + > > +#include "BaseHashLibCommon.h" > > + > > +/** > > + Init hash sequence. > > + > > + @param HashHandle Hash handle. > > + > > + @retval TRUE Hash start and HashHandle returned. > > + @retval FALSE Hash Init unsuccessful. > > +**/ > > +BOOLEAN > > +EFIAPI > > +HashApiInit ( > > + OUT HASH_HANDLE *HashHandle > > +) > > +{ > > + BOOLEAN Status; > > + UINT8 HashPolicy; > > + HASH_HANDLE Handle; > > + > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy); > > + > > + Status = HashInitInternal (HashPolicy, &Handle); > > + > > + *HashHandle = Handle; > > + > > + return Status; > > +} > > + > > +/** > > + Update hash data. > > + > > + @param HashHandle Hash handle. > > + @param DataToHash Data to be hashed. > > + @param DataToHashLen Data size. > > + > > + @retval TRUE Hash updated. > > + @retval FALSE Hash updated unsuccessful. > > +**/ > > +BOOLEAN > > +EFIAPI > > +HashApiUpdate ( > > + IN HASH_HANDLE HashHandle, > > + IN VOID *DataToHash, > > + IN UINTN DataToHashLen > > +) > > +{ > > + BOOLEAN Status; > > + UINT8 HashPolicy; > > + > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy); > > + > > + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash, > DataToHashLen); > > + > > + return Status; > > +} > > + > > +/** > > + Hash complete. > > + > > + @param HashHandle Hash handle. > > + @param Digest Hash Digest. > > + > > + @retval TRUE Hash complete and Digest is returned. > > + @retval FALSE Hash complete unsuccessful. > > +**/ > > +BOOLEAN > > +EFIAPI > > +HashApiFinal ( > > + IN HASH_HANDLE HashHandle, > > + OUT UINT8 *Digest > > +) > > +{ > > + BOOLEAN Status; > > + UINT8 HashPolicy; > > + > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy); > > + > > + Status = HashFinalInternal (HashPolicy, &HashHandle, &Digest); > > + > > + return Status; > > +} > > + > > +/** > > + The constructor function of BaseHashLib Dxe. > > + > > + @param FileHandle The handle of FFS header the loaded driver. > > + @param PeiServices The pointer to the PEI services. > > + > > + @retval EFI_SUCCESS The constructor executes successfully. > > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the > constructor. > > + > > +**/ > > +EFI_STATUS > > +EFIAPI > > +BaseHashLibApiDxeConstructor ( > > + IN EFI_HANDLE ImageHandle, > > + IN EFI_SYSTEM_TABLE *SystemTable > > + ) > > +{ > > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n")); > > + > > + return EFI_SUCCESS; > > +} 6. Constructor is not necessary if you don't have anything to do with it. You can remove it from inf file and here. > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c > new file mode 100644 > index 000000000000..580ac21fc1d9 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c > @@ -0,0 +1,125 @@ > +/** @file > > + This library is Unified Hash API. It will redirect hash request to > > + the hash handler specified by PcdSystemHashPolicy such as SHA1, > + SHA256, > > + SHA384 and SM3... > > + > > +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved. > +<BR> > > +SPDX-License-Identifier: BSD-2-Clause-Patent > > + > > +**/ > > + > > + > > +#include <Library/BaseLib.h> > > +#include <Library/BaseMemoryLib.h> > > +#include <Library/MemoryAllocationLib.h> > > +#include <Library/DebugLib.h> > > +#include <Library/PcdLib.h> > > +#include <Library/HashLib.h> > > +#include <Library/HobLib.h> > > +#include <Guid/ZeroGuid.h> > > + > > +#include <Library/BaseHashLib.h> > > +#include "BaseHashLibCommon.h" > > + > > +/** > > + Init hash sequence. > > + > > + @param HashHandle Hash handle. > > + > > + @retval TRUE Hash start and HashHandle returned. > > + @retval FALSE Hash Init unsuccessful. > > +**/ > > +BOOLEAN > > +EFIAPI > > +HashApiInit ( > > + OUT HASH_HANDLE *HashHandle > > +) > > +{ > > + BOOLEAN Status; > > + UINT8 HashPolicy; > > + HASH_HANDLE Handle; > > + > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy); > > + > > + Status = HashInitInternal (HashPolicy, &Handle); > > + > > + *HashHandle = Handle; > > + > > + return Status; > > +} > > + > > +/** > > + Update hash data. > > + > > + @param HashHandle Hash handle. > > + @param DataToHash Data to be hashed. > > + @param DataToHashLen Data size. > > + > > + @retval TRUE Hash updated. > > + @retval FALSE Hash updated unsuccessful. > > +**/ > > +BOOLEAN > > +EFIAPI > > +HashApiUpdate ( > > + IN HASH_HANDLE HashHandle, > > + IN VOID *DataToHash, > > + IN UINTN DataToHashLen > > +) > > +{ > > + BOOLEAN Status; > > + UINT8 HashPolicy; > > + > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy); > > + > > + Status = HashUpdateInternal (HashPolicy, HashHandle, DataToHash, > DataToHashLen); > > + > > + return Status; > > +} > > + > > +/** > > + Hash complete. > > + > > + @param HashHandle Hash handle. > > + @param Digest Hash Digest. > > + > > + @retval TRUE Hash complete and Digest is returned. > > + @retval FALSE Hash complete unsuccessful. > > +**/ > > +BOOLEAN > > +EFIAPI > > +HashApiFinal ( > > + IN HASH_HANDLE HashHandle, > > + OUT UINT8 *Digest > > +) > > +{ > > + BOOLEAN Status; > > + UINT8 HashPolicy; > > + > > + HashPolicy = PcdGet8 (PcdSystemHashPolicy); > > + > > + Status = HashFinalInternal (HashPolicy, HashHandle, &Digest); > > + > > + return Status; > > +} > > + > > +/** > > + The constructor function of BaseHashLib Pei. > > + > > + @param FileHandle The handle of FFS header the loaded driver. > > + @param PeiServices The pointer to the PEI services. > > + > > + @retval EFI_SUCCESS The constructor executes successfully. > > + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the > constructor. > > + > > +**/ > > +EFI_STATUS > > +EFIAPI > > +BaseHashLibApiPeiConstructor ( > > + IN EFI_PEI_FILE_HANDLE FileHandle, > > + IN CONST EFI_PEI_SERVICES **PeiServices > > + ) > > +{ > > + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n")); > > + > > + return EFI_SUCCESS; > > +} 7. The same as 6 > \ No newline at end of file > diff --git a/SecurityPkg/Include/Library/BaseHashLib.h > b/SecurityPkg/Include/Library/BaseHashLib.h > new file mode 100644 > index 000000000000..e1883fe7ce41 > --- /dev/null > +++ b/SecurityPkg/Include/Library/BaseHashLib.h > @@ -0,0 +1,84 @@ > +/** @file > + The internal header file includes the common header files, defines > + internal structure and functions used by ImageVerificationLib. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights > +reserved.<BR> This program and the accompanying materials are > +licensed and made available under the terms and conditions of the BSD > License > +which accompanies this distribution. The full text of the license > +may be found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + > +**/ > + > +#ifndef __BASEHASHLIB_H_ > +#define __BASEHASHLIB_H_ > + > +#include <Uefi.h> > +#include <Protocol/Hash.h> > +#include <Library/HashLib.h> > + > +// > +// Hash Algorithms > +// > +#define HASH_DEFAULT 0x00000000 > +#define HASH_MD4 0x00000001 > +#define HASH_MD5 0x00000002 > +#define HASH_SHA1 0x00000003 > +#define HASH_SHA256 0x00000004 > +#define HASH_SHA384 0x00000005 > +#define HASH_SHA512 0x00000006 > +#define HASH_SM3_256 0x00000007 > + > + > +/** > + Init hash sequence. > + > + @param HashHandle Hash handle. > + > + @retval TRUE Hash start and HashHandle returned. > + @retval FALSE Hash Init unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiInit ( > + OUT HASH_HANDLE *HashHandle > +); > + > +/** > + Update hash data. > + > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiUpdate ( > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > +); > + > +/** > + Hash complete. > + > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashApiFinal ( > + IN HASH_HANDLE HashHandle, > + OUT UINT8 *Digest > +); > + > +#endif > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h > b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h > new file mode 100644 > index 000000000000..776b74ad753b > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h > @@ -0,0 +1,71 @@ > +/** @file > + The internal header file includes the common header files, defines > + internal structure and functions used by ImageVerificationLib. > + > +Copyright (c) 2009 - 2020, Intel Corporation. All rights > +reserved.<BR> This program and the accompanying materials are > +licensed and made available under the terms and conditions of the BSD > License > +which accompanies this distribution. The full text of the license > +may be found > at > +http://opensource.org/licenses/bsd-license.php > + > +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, > +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS > OR IMPLIED. > + > +**/ > + > +#ifndef __BASEHASHLIB_COMMON_H_ > +#define __BASEHASHLIB_COMMON_H_ > + > +/** > + Init hash sequence with Hash Algorithm specified by HashPolicy. > + > + @param HashHandle Hash handle. > + > + @retval EFI_SUCCESS Hash start and HashHandle returned. > + @retval EFI_UNSUPPORTED System has no HASH library registered. > +**/ > +BOOLEAN > +EFIAPI > +HashInitInternal ( > + IN UINT8 HashPolicy, > + OUT HASH_HANDLE *HashHandle > + ); > + > +/** > + Hash complete with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param Digest Hash Digest. > + > + @retval TRUE Hash complete and Digest is returned. > + @retval FALSE Hash complete unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashUpdateInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + IN VOID *DataToHash, > + IN UINTN DataToHashLen > + ); > + > +/** > + Update hash data with Hash Algorithm specified by HashPolicy. > + > + @param HashPolicy Hash Algorithm Policy. > + @param HashHandle Hash handle. > + @param DataToHash Data to be hashed. > + @param DataToHashLen Data size. > + > + @retval TRUE Hash updated. > + @retval FALSE Hash updated unsuccessful. > +**/ > +BOOLEAN > +EFIAPI > +HashFinalInternal ( > + IN UINT8 HashPolicy, > + IN HASH_HANDLE HashHandle, > + OUT UINT8 **Digest > + ); > +#endif > \ No newline at end of file > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > new file mode 100644 > index 000000000000..f97bda06108f > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > @@ -0,0 +1,47 @@ > +## @file > > +# Provides hash service by registered hash handler > > +# > > +# This library is Base Hash Lib. It will redirect hash request to > +each individual > > +# hash handler registered, such as SHA1, SHA256, SHA384, SM3. > > +# > > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights > +reserved.<BR> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent > > +# > > +## > > + > > +[Defines] > > + INF_VERSION = 0x00010005 > > + BASE_NAME = BaseHashLibDxe > > + MODULE_UNI_FILE = BaseHashLibDxe.uni > > + FILE_GUID = 158DC712-F15A-44dc-93BB-1675045BE066 > > + MODULE_TYPE = DXE_DRIVER > > + VERSION_STRING = 1.0 > > + LIBRARY_CLASS = BaseHashLib|DXE_DRIVER DXE_RUNTIME_DRIVER > DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER > > + CONSTRUCTOR = BaseHashLibApiDxeConstructor 8. Since the above function is actually empty, you can remove above line and function in c file. > > + > > +# > > +# The following information is for reference only and not required by > +the build > tools. > > +# > > +# VALID_ARCHITECTURES = IA32 X64 > > +# > > + > > +[Sources] > > + BaseHashLibCommon.h > > + BaseHashLibCommon.c > > + BaseHashLibDxe.c > > + > > +[Packages] > > + MdePkg/MdePkg.dec > > + CryptoPkg/CryptoPkg.dec > > + SecurityPkg/SecurityPkg.dec > > + > > +[LibraryClasses] > > + BaseLib > > + BaseMemoryLib > > + DebugLib > > + MemoryAllocationLib > > + BaseCryptLib > > + PcdLib > > + > > +[Pcd] > > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni > b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni > new file mode 100644 > index 000000000000..1865773b4a25 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni > @@ -0,0 +1,18 @@ > +// /** @file > > +// Provides hash service by registered hash handler > > +// > > +// This library is Unified Hash API. It will redirect hash request to > +each individual > > +// hash handler registered, such as SHA1, SHA256. Platform can use > PcdTpm2HashMask to > > +// mask some hash engines. > > +// > > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights > +reserved.<BR> > > +// > > +// SPDX-License-Identifier: BSD-2-Clause-Patent > > +// > > +// **/ > > + > > + > > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash > service by specified hash handler" > > + > > +#string STR_MODULE_DESCRIPTION #language en-US "This library is > Unified Hash API. It will redirect hash request to the hash handler > specified by PcdSystemHashPolicy." > > + > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > new file mode 100644 > index 000000000000..4d36030744bd > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > @@ -0,0 +1,52 @@ > +## @file > > +# Provides hash service by registered hash handler > > +# > > +# This library is BaseCrypto router. It will redirect hash request > +to each > individual > > +# hash handler registered, such as SHA1, SHA256. > > +# > > +# Copyright (c) 2018 - 2020, Intel Corporation. All rights > +reserved.<BR> > > +# SPDX-License-Identifier: BSD-2-Clause-Patent > > +# > > +## > > + > > +[Defines] > > + INF_VERSION = 0x00010005 > > + BASE_NAME = BaseHashLibPei > > + MODULE_UNI_FILE = BaseHashLibPei.uni > > + FILE_GUID = DDCBCFBA-8EEB-488a-96D6-097831A6E50B > > + MODULE_TYPE = PEIM > > + VERSION_STRING = 1.0 > > + LIBRARY_CLASS = BaseHashLib|PEIM > > + CONSTRUCTOR = BaseHashLibApiPeiConstructor > 9. The same as 8 > + > > +# > > +# The following information is for reference only and not required by > +the build > tools. > > +# > > +# VALID_ARCHITECTURES = IA32 X64 > > +# > > + > > +[Sources] > > + BaseHashLibCommon.h > > + BaseHashLibCommon.c > > + BaseHashLibPei.c > > + > > +[Packages] > > + MdePkg/MdePkg.dec > > + SecurityPkg/SecurityPkg.dec > > + CryptoPkg/CryptoPkg.dec > > + MdeModulePkg/MdeModulePkg.dec > > + > > +[LibraryClasses] > > + BaseLib > > + BaseMemoryLib > > + DebugLib > > + MemoryAllocationLib > > + BaseCryptLib > > + PcdLib > > + > > +[Guids] > > + ## SOMETIMES_CONSUMES ## GUID > > + gZeroGuid > > + > > +[Pcd] > > + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES > > diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni > b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni > new file mode 100644 > index 000000000000..2131b61bd235 > --- /dev/null > +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni > @@ -0,0 +1,17 @@ > +// /** @file > > +// Provides hash service by registered hash handler > > +// > > +// This library is Unified Hash API. It will redirect hash request to > +each individual > > +// hash handler registered, such as SHA1, SHA256. > > +// > > +// Copyright (c) 2018 - 2020, Intel Corporation. All rights > +reserved.<BR> > > +// > > +// SPDX-License-Identifier: BSD-2-Clause-Patent > > +// > > +// **/ > > + > > + > > +#string STR_MODULE_ABSTRACT #language en-US "Provides hash > service by specified hash handler" > > + > > +#string STR_MODULE_DESCRIPTION #language en-US "This library is > Unified Hash API. It will redirect hash request to the hash handler > specified by PcdSystemHashPolicy." > > + > > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec > index cac36caf0a0d..e0e144124ddd 100644 > --- a/SecurityPkg/SecurityPkg.dec > +++ b/SecurityPkg/SecurityPkg.dec > @@ -5,7 +5,7 @@ > # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs > and library > classes) > > # and libraries instances, which are used for those features. > > # > > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights > reserved.<BR> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights > +reserved.<BR> > > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP <BR> > > # Copyright (c) 2017, Microsoft Corporation. All rights reserved. > <BR> > > # SPDX-License-Identifier: BSD-2-Clause-Patent > > @@ -27,6 +27,10 @@ [LibraryClasses] > # > > HashLib|Include/Library/HashLib.h > > > > + ## @libraryclass Provides hash interfaces from different implementations. > > + # > > + BaseHashLib|Include/Library/HashLib.h > > + > > ## @libraryclass Provides a platform specific interface to detect > physically present user. > > # > > PlatformSecureLib|Include/Library/PlatformSecureLib.h > > @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx] > # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table. > > > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023 > > > > +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] > > + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF > + image > > + # Based on the value set, the required algorithm is chosen to > + verify > > + # the unsigned image during Secure Boot.<BR> > > + # The hashing algorithm selected must match the hashing algorithm > + used to > > + # hash the image to be added to DB using tools such as > + KeyEnroll.<BR> > > + # 0x00000001 - MD4.<BR> > > + # 0x00000002 - MD5.<BR> > > + # 0x00000003 - SHA1.<BR> > > + # 0x00000004 - SHA256.<BR> > > + # 0x00000005 - SHA384.<BR> > > + # 0x00000006 - SHA512.<BR> > > + # 0x00000007 - SM3_256.<BR> > > + # @Prompt Set policy for hashing unsigned image for Secure Boot. > > + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007 > > + > gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x0001002 > 4 > > + > > [UserExtensions.TianoCore."ExtraFiles"] > > SecurityPkgExtra.uni > > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc > index a2eeadda7a7e..86a5847e2509 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc > @@ -1,7 +1,7 @@ > ## @file > > # Security Module Package for All Architectures. > > # > > -# Copyright (c) 2009 - 2019, Intel Corporation. All rights > reserved.<BR> > > +# Copyright (c) 2009 - 2020, Intel Corporation. All rights > +reserved.<BR> > > # (C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR> > > # SPDX-License-Identifier: BSD-2-Clause-Patent > > # > > @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM] > > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm. > inf > > > Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib > Tcg2PhysicalPresenceLib|/PeiTc > g2PhysicalPresenceLib.inf > > RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf > > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > > > > [LibraryClasses.common.DXE_DRIVER] > > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf > > @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER] > > Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg > Tpm12DeviceLib|.i > nf > > > Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2. > Tpm2DeviceLib|in > f > > > FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.i > nf > > + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > > > > [LibraryClasses.common.UEFI_DRIVER, > LibraryClasses.common.DXE_RUNTIME_DRIVER, > LibraryClasses.common.DXE_SAL_DRIVER,] > > HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf > > @@ -211,6 +213,12 @@ [Components] > > > SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf > > > > + # > > + # Unified Hash API > > + # > > + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf > > + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf > > + > > # > > # TCG Storage. > > # > > diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni > index 68587304d779..32ef97f81461 100644 > --- a/SecurityPkg/SecurityPkg.uni > +++ b/SecurityPkg/SecurityPkg.uni > @@ -5,7 +5,7 @@ > // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs > and library > classes) > > // and libraries instances, which are used for those features. > > // > > -// Copyright (c) 2009 - 2018, Intel Corporation. All rights > reserved.<BR> > > +// Copyright (c) 2009 - 2020, Intel Corporation. All rights > +reserved.<BR> > > // > > // SPDX-License-Identifier: BSD-2-Clause-Patent > > // > > @@ -295,3 +295,16 @@ > > > #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP > #language en-US "This PCD defines LASA of TPM2 ACPI table\n\n" > > > > "0 means this field is unsupported\n" > > + > > > + > #string > STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT > #language en-US "HASH algorithm to verify unsigned PE/COFF image" > > + > > +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP > #language en-US "This PCD indicates the HASH algorithm used by Unified > Hash API.<BR><BR>\n" > > + > + "Based on the value set, the > required algorithm is chosen to calculate\n" > > + > "the hash desired.<BR>\n" > > + > "0x00000001 - MD4.<BR>\n" > > + > "0x00000002 - MD5.<BR>\n" > > + > "0x00000003 - SHA1.<BR>\n" > > + > + "0x00000004 - > SHA256.<BR>\n" > > + > + "0x00000005 - > SHA384.<BR>\n" > > + > + "0x00000006 - > SHA512.<BR>\n" > > + > "0x00000007 - SM3.<BR>" > > -- > 2.16.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#53258): https://edk2.groups.io/g/devel/message/53258 Mute This Topic: https://groups.io/mt/69695418/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
