.../SecureBootConfigDxe/SecureBootConfig.vfr | 10 +++++----- .../SecureBootConfigDxe/SecureBootConfigImpl.h | 12 ++++++------ 2 files changed, 11 insertions(+), 11 deletions(-)
v2: update hash value in SecureBootConfig.vfr to keep
them consistent with macro definition in SecureBootConfigImpl.h
since we removed the sha-1 definition in Hash table
and related macro, but the macro definition HashAlg index
may be value 4 which is exceed the range of the Hash
table array.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo <lubo.zhang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
---
.../SecureBootConfigDxe/SecureBootConfig.vfr | 10 +++++-----
.../SecureBootConfigDxe/SecureBootConfigImpl.h | 12 ++++++------
2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index 02ddf4a..6f46d91 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -457,17 +457,17 @@ formset
oneof name = SignatureFormatInDbx,
varid = SECUREBOOT_CONFIGURATION.CertificateFormat,
prompt = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT),
help = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP),
- option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x2, flags = DEFAULT;
- option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x3, flags = 0;
- option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x4, flags = 0;
- option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x5, flags = 0;
+ option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x1, flags = DEFAULT;
+ option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x2, flags = 0;
+ option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x3, flags = 0;
+ option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x4, flags = 0;
endoneof;
- suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 5;
+ suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 4;
checkbox varid = SECUREBOOT_CONFIGURATION.AlwaysRevocation,
prompt = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_PROMPT),
help = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_HELP),
flags = INTERACTIVE,
endcheckbox;
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
index bea9470..58030c4 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
@@ -89,16 +89,16 @@ extern EFI_IFR_GUID_LABEL *mEndLabel;
#define WIN_CERT_UEFI_RSA2048_SIZE 256
//
// Support hash types
//
-#define HASHALG_SHA224 0x00000001
-#define HASHALG_SHA256 0x00000002
-#define HASHALG_SHA384 0x00000003
-#define HASHALG_SHA512 0x00000004
-#define HASHALG_RAW 0x00000005
-#define HASHALG_MAX 0x00000005
+#define HASHALG_SHA224 0x00000000
+#define HASHALG_SHA256 0x00000001
+#define HASHALG_SHA384 0x00000002
+#define HASHALG_SHA512 0x00000003
+#define HASHALG_RAW 0x00000004
+#define HASHALG_MAX 0x00000004
typedef struct {
UINTN Signature;
LIST_ENTRY Head;
--
1.9.5.msysgit.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Reviewed-by: Zhang Chao <chao.b.zhang@intel.com>
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhang Lubo
Sent: Wednesday, February 22, 2017 5:01 PM
To: edk2-devel@lists.01.org
Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; Long, Qin <qin.long@intel.com>
Subject: [edk2] [PATCH v2] SecurityPkg: Fix potential bug in Security Boot dxe.
v2: update hash value in SecureBootConfig.vfr to keep them consistent with macro definition in SecureBootConfigImpl.h
since we removed the sha-1 definition in Hash table and related macro, but the macro definition HashAlg index may be value 4 which is exceed the range of the Hash table array.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo <lubo.zhang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
---
.../SecureBootConfigDxe/SecureBootConfig.vfr | 10 +++++-----
.../SecureBootConfigDxe/SecureBootConfigImpl.h | 12 ++++++------
2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index 02ddf4a..6f46d91 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo
+++ nfig.vfr
@@ -457,17 +457,17 @@ formset
oneof name = SignatureFormatInDbx,
varid = SECUREBOOT_CONFIGURATION.CertificateFormat,
prompt = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT),
help = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP),
- option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x2, flags = DEFAULT;
- option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x3, flags = 0;
- option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x4, flags = 0;
- option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x5, flags = 0;
+ option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x1, flags = DEFAULT;
+ option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x2, flags = 0;
+ option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x3, flags = 0;
+ option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW),
+ value = 0x4, flags = 0;
endoneof;
- suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 5;
+ suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 4;
checkbox varid = SECUREBOOT_CONFIGURATION.AlwaysRevocation,
prompt = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_PROMPT),
help = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_HELP),
flags = INTERACTIVE,
endcheckbox;
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
index bea9470..58030c4 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo
+++ nfigImpl.h
@@ -89,16 +89,16 @@ extern EFI_IFR_GUID_LABEL *mEndLabel;
#define WIN_CERT_UEFI_RSA2048_SIZE 256
//
// Support hash types
//
-#define HASHALG_SHA224 0x00000001
-#define HASHALG_SHA256 0x00000002
-#define HASHALG_SHA384 0x00000003
-#define HASHALG_SHA512 0x00000004
-#define HASHALG_RAW 0x00000005
-#define HASHALG_MAX 0x00000005
+#define HASHALG_SHA224 0x00000000
+#define HASHALG_SHA256 0x00000001
+#define HASHALG_SHA384 0x00000002
+#define HASHALG_SHA512 0x00000003
+#define HASHALG_RAW 0x00000004
+#define HASHALG_MAX 0x00000004
typedef struct {
UINTN Signature;
LIST_ENTRY Head;
--
1.9.5.msysgit.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
© 2016 - 2024 Red Hat, Inc.