From nobody Thu May 2 08:21:28 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+52376+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+52376+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1576707400; cv=none; d=zohomail.com; s=zohoarc; b=MKX/ShVXuMEurP6OZchCbuD4RJG66exI2hqKP++LX7IgiJtulZCxFvm3eRxl+Ays28WpfqHu1r3o2A0i60h+AtnldfSyQ5d77Kl9ipY3srmGV+2RODJ0167gdek/JqlvtCvH1DHrf9AHVsy6bWiht5AY0ad5rfaLiIeFA3sN1fs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1576707400; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=1bc2BQE4mtUYx0uzt3NbyVfBxHI7WKnTVkV9j7YRRD4=; b=ToflVQS9NgjFKTcbVh4e9rWbpy6lUekPCkA/Ue2nOYGtHchntwm0bD7drR3m/f0SPA4IST7FHv+ffUtxT9BMJRiC4ggVpPEEj+At7jAs/yKg5K7nlYlhMV0xT2v7gYUI9coR+zk9jCfZvyyoHDhEnZgla6pL4N+Z3JgN4YBeH9I= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+52376+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 157670740031564.58912644362158; Wed, 18 Dec 2019 14:16:40 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id Fqh1YY1788612xXtex3nQHSw; Wed, 18 Dec 2019 14:16:38 -0800 X-Received: from mga14.intel.com (mga14.intel.com []) by mx.groups.io with SMTP id smtpd.web10.1987.1576705847293132972 for ; Wed, 18 Dec 2019 13:50:48 -0800 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Dec 2019 13:50:46 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,330,1571727600"; d="scan'208";a="240930675" X-Received: from ansukerk-mobl.amr.corp.intel.com ([10.78.16.174]) by fmsmga004.fm.intel.com with ESMTP; 18 Dec 2019 13:50:47 -0800 From: "Sukerkar, Amol N" To: devel@edk2.groups.io Cc: michael.d.kinney@intel.com, sachin.agrawal@intel.com, self Subject: [edk2-devel] [PATCH v1 1/6] SecurityPkg/BaseHashLib: Implement a unified API for Hash Calculation Date: Wed, 18 Dec 2019 14:50:32 -0700 Message-Id: <20191218215037.1630-2-amol.n.sukerkar@intel.com> In-Reply-To: <20191218215037.1630-1-amol.n.sukerkar@intel.com> References: <20191218215037.1630-1-amol.n.sukerkar@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,amol.n.sukerkar@intel.com X-Gm-Message-State: uElwiH7xppwt2hMaNWS1qY3rx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1576707398; bh=+WKR3Cg5gY3A/ARhWYMaRJkE3l4nycAQWFgyqknzH+0=; h=Cc:Date:From:Reply-To:Subject:To; b=pzkhhDEzjQKe5hZZv9mnSABClytrB/Au69GF9svzpeM1c1/A39GlNM3V2J7BLIW9TiY x3KiZKvGPvbMJyIFPkgPyVj+WXXZb+r9iv5n6NE3noYtEn+6fKDW4nhdltWNisHEtEMk6 vZjZb7V6c8WemAuq/Wox29jRfO0AQLDd2Gc= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This implementation eliminates the need to use hard-coded API to calculate = hash by PEI and DXE drivers by introducing a common and unified API for hash calculation. The common API will execute the hash algorithm specified by the PCD, PcdSystemHashPolicy. Signed-off-by: Sukerkar, Amol N --- SecurityPkg/Library/BaseHashLib/BaseHashLib.c | 236 +++++++++++++++++= +++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 62 +++++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 62 +++++ SecurityPkg/Include/Library/HashLib.h | 83 +++++++ SecurityPkg/Library/BaseHashLib/BaseHashLib.h | 85 +++++++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 49 ++++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 50 +++++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 18 ++ SecurityPkg/SecurityPkg.dec | 28 +++ SecurityPkg/SecurityPkg.dsc | 4 + SecurityPkg/SecurityPkg.uni | 23 ++ 12 files changed, 718 insertions(+) diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.c b/SecurityPkg/Li= brary/BaseHashLib/BaseHashLib.c new file mode 100644 index 000000000000..2ad83387799d --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLib.c @@ -0,0 +1,236 @@ +/** @file + Implement image verification services for secure boot service + + Caution: This file requires additional review when modified. + This library will have external input - PE/COFF image. + This external input must be validated carefully to avoid security issue = like + buffer overflow, integer overflow. + + DxeImageVerificationLibImageRead() function will make sure the PE/COFF i= mage content + read is within the image buffer. + + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() functi= on will accept + untrusted PE/COFF image and validate its data structure within this imag= e buffer before use. + +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#include +#include +#include +#include +#include +#include + +//#include "BaseHashLib.h" + +typedef struct { + EFI_GUID Guid; + UINT32 Mask; +} HASH_MASK; + +HASH_MASK mHashMask[] =3D { + {HASH_ALGORITHM_SHA1_GUID, HASH_ALG_SHA1}, + {HASH_ALGORITHM_SHA256_GUID, HASH_ALG_SHA256}, + {HASH_ALGORITHM_SHA384_GUID, HASH_ALG_SHA384}, + {HASH_ALGORITHM_SHA512_GUID, HASH_ALG_SHA512}, +}; + +HASH_INTERFACE_UNIFIED_API mHashOps[HASH_COUNT] =3D {{{0}, NULL, NULL, NUL= L}}; + +UINTN mHashInterfaceCount =3D 0; +UINT32 mCurrentHashMask =3D 0; + +UINT32 +EFIAPI +GetApiHashMaskFromAlgo ( + IN EFI_GUID *HashGuid + ) +{ + UINTN Index; + + for (Index =3D 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index+= +) { + if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) { + return mHashMask[Index].Mask; + } + } + return 0; +} + +/** + Init hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash start and HashHandle returned. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiInit ( + OUT HASH_HANDLE *HashHandle +) +{ + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + + if (mHashInterfaceCount =3D=3D 0) { + return EFI_UNSUPPORTED; + } + + HashCtx =3D AllocatePool (sizeof(*HashCtx)); + ASSERT (HashCtx !=3D NULL); + + for (Index =3D 0; Index < mHashInterfaceCount; Index++) { + HashMask =3D GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); + if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) !=3D 0 && + (HashMask & PcdGet32 (PcdSystemHashPolicy)) !=3D 0) { + mHashOps[Index].HashInit (HashCtx); + } + } + + *HashHandle =3D (HASH_HANDLE)HashCtx; + + return EFI_SUCCESS; +} + +/** + Update hash data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash updated. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen +) +{ + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + + if (mHashInterfaceCount =3D=3D 0) { + return EFI_UNSUPPORTED; + } + + HashCtx =3D (HASH_HANDLE *)HashHandle; + + for (Index =3D 0; Index < mHashInterfaceCount; Index++) { + HashMask =3D GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); + if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) !=3D 0 && + (HashMask & PcdGet32 (PcdSystemHashPolicy)) !=3D 0) { + mHashOps[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen); + } + } + + return EFI_SUCCESS; +} + +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +EFI_STATUS +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + OUT UINT8 *Digest +) +{ + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + + if (mHashInterfaceCount =3D=3D 0) { + return EFI_UNSUPPORTED; + } + + HashCtx =3D (HASH_HANDLE *)HashHandle; + + for (Index =3D 0; Index < mHashInterfaceCount; Index++) { + HashMask =3D GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); + if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) !=3D 0 && + (HashMask & PcdGet32 (PcdSystemHashPolicy)) !=3D 0) { + mHashOps[Index].HashFinal (HashCtx[0], &Digest); + } + } + + return EFI_SUCCESS; +} + +/** + This service registers Hash Interface. + + @param HashInterface Hash interface + + @retval EFI_SUCCESS This hash interface is registered successfu= lly. + @retval EFI_UNSUPPORTED System does not support register this inter= face. + @retval EFI_ALREADY_STARTED System already register this interface. +**/ +EFI_STATUS +EFIAPI +RegisterHashApiLib ( + IN HASH_INTERFACE_UNIFIED_API *HashInterface + ) +{ + EFI_STATUS Status; + UINTN Index; + UINT32 HashMask; + + // + // Check Allow + // + HashMask =3D GetApiHashMaskFromAlgo (&HashInterface->HashGuid); + + // check if Hash Mask is supported + if ((HashMask & PcdGet32 (PcdTpm2HashMask)) =3D=3D 0) { + return EFI_UNSUPPORTED; + } + + if (mHashInterfaceCount >=3D sizeof(mHashOps)/sizeof(mHashOps[0])) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Check duplication + // + for (Index =3D 0; Index < mHashInterfaceCount; Index++) { + if (CompareGuid (&mHashOps[Index].HashGuid, &HashInterface->HashGuid))= { + DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been registered\n", &H= ashInterface->HashGuid)); + return EFI_ALREADY_STARTED; + } + } + + // + // Register the Hash Algo. + // + mCurrentHashMask =3D PcdGet32 (PcdHashAlgorithmBitmap) | HashMask; + Status =3D PcdSet32S (PcdHashAlgorithmBitmap, mCurrentHashMask); + ASSERT_EFI_ERROR (Status); + + CopyMem (&mHashOps[mHashInterfaceCount], HashInterface, sizeof(*HashInte= rface)); + mHashInterfaceCount ++; + + return EFI_SUCCESS; +} \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c b/SecurityPkg= /Library/BaseHashLib/BaseHashLibDxe.c new file mode 100644 index 000000000000..5de94d80fad5 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c @@ -0,0 +1,62 @@ +/** @file + Implement image verification services for secure boot service + + Caution: This file requires additional review when modified. + This library will have external input - PE/COFF image. + This external input must be validated carefully to avoid security issue = like + buffer overflow, integer overflow. + + DxeImageVerificationLibImageRead() function will make sure the PE/COFF i= mage content + read is within the image buffer. + + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() functi= on will accept + untrusted PE/COFF image and validate its data structure within this imag= e buffer before use. + +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#include +#include +#include +#include +#include +#include + +#include "BaseHashLib.h" + +/** + The constructor function of BaseHashLib Dxe. + + @param FileHandle The handle of FFS header the loaded driver. + @param PeiServices The pointer to the PEI services. + + @retval EFI_SUCCESS The constructor executes successfully. + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constr= uctor. + +**/ +EFI_STATUS +EFIAPI +BaseHashLibApiPeiConstructor ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + + // + // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module. + // + Status =3D PcdSet32S (PcdHashAlgorithmBitmap, 0); + ASSERT_EFI_ERROR (Status); + + return EFI_SUCCESS; +} \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c b/SecurityPkg= /Library/BaseHashLib/BaseHashLibPei.c new file mode 100644 index 000000000000..8ffe356b60e7 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c @@ -0,0 +1,62 @@ +/** @file + Implement image verification services for secure boot service + + Caution: This file requires additional review when modified. + This library will have external input - PE/COFF image. + This external input must be validated carefully to avoid security issue = like + buffer overflow, integer overflow. + + DxeImageVerificationLibImageRead() function will make sure the PE/COFF i= mage content + read is within the image buffer. + + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() functi= on will accept + untrusted PE/COFF image and validate its data structure within this imag= e buffer before use. + +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#include +#include +#include +#include +#include +#include + +#include "BaseHashLib.h" + +/** + The constructor function of BaseHashLib Pei. + + @param FileHandle The handle of FFS header the loaded driver. + @param PeiServices The pointer to the PEI services. + + @retval EFI_SUCCESS The constructor executes successfully. + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constr= uctor. + +**/ +EFI_STATUS +EFIAPI +BaseHashLibApiPeiConstructor ( + IN EFI_PEI_FILE_HANDLE FileHandle, + IN CONST EFI_PEI_SERVICES **PeiServices + ) +{ + EFI_STATUS Status; + + // + // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module. + // + Status =3D PcdSet32S (PcdHashAlgorithmBitmap, 0); + ASSERT_EFI_ERROR (Status); + + return EFI_SUCCESS; +} \ No newline at end of file diff --git a/SecurityPkg/Include/Library/HashLib.h b/SecurityPkg/Include/Li= brary/HashLib.h index 6ad960ad70ee..740cb8188e51 100644 --- a/SecurityPkg/Include/Library/HashLib.h +++ b/SecurityPkg/Include/Library/HashLib.h @@ -87,6 +87,53 @@ HashAndExtend ( OUT TPML_DIGEST_VALUES *DigestList ); =20 +/** + Init hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash start and HashHandle returned. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiInit ( + OUT HASH_HANDLE *HashHandle +); + +/** + Update hash data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash updated. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen +); + +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +EFI_STATUS +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + OUT UINT8 *Digest +); + /** Start hash sequence. =20 @@ -133,6 +180,21 @@ EFI_STATUS OUT TPML_DIGEST_VALUES *DigestList ); =20 +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +typedef +EFI_STATUS +(EFIAPI *HASH_FINAL_EX) ( + IN HASH_HANDLE HashHandle, + OUT UINT8 **Digest + ); + #define HASH_ALGORITHM_SHA1_GUID EFI_HASH_ALGORITHM_SHA1_GUID #define HASH_ALGORITHM_SHA256_GUID EFI_HASH_ALGORITHM_SHA256_GUID #define HASH_ALGORITHM_SHA384_GUID EFI_HASH_ALGORITHM_SHA384_GUID @@ -149,6 +211,13 @@ typedef struct { HASH_FINAL HashFinal; } HASH_INTERFACE; =20 +typedef struct { + EFI_GUID HashGuid; + HASH_INIT HashInit; + HASH_UPDATE HashUpdate; + HASH_FINAL_EX HashFinal; +} HASH_INTERFACE_UNIFIED_API; + /** This service register Hash. =20 @@ -164,4 +233,18 @@ RegisterHashInterfaceLib ( IN HASH_INTERFACE *HashInterface ); =20 +/** + This service registers Hash Interface. + + @param HashInterface Hash interface + + @retval EFI_SUCCESS This hash interface is registered successfu= lly. + @retval EFI_UNSUPPORTED System does not support register this inter= face. + @retval EFI_ALREADY_STARTED System already register this interface. +**/ +EFI_STATUS +EFIAPI +RegisterHashApiLib ( + IN HASH_INTERFACE_UNIFIED_API *HashInterface +); #endif diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.h b/SecurityPkg/Li= brary/BaseHashLib/BaseHashLib.h new file mode 100644 index 000000000000..70676c1716c3 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLib.h @@ -0,0 +1,85 @@ +/** @file + The internal header file includes the common header files, defines + internal structure and functions used by ImageVerificationLib. + +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#ifndef __BASEHASHLIB_H_ +#define __BASEHASHLIB_H_ + +#define HASH_ALGO_COUNT 7 + +// +// Hash Algorithms +// +#define HASH_ALG_SHA1 0x00000001 +#define HASH_ALG_SHA256 0x00000002 +#define HASH_ALG_SHA384 0x00000004 +#define HASH_ALG_SHA512 0x00000008 +#define HASH_ALG_SM3_256 0x00000010 +#if 0 +typedef=20 +UINTN +(EFIAPI *GET_HASH_CTX_SIZE) ( + VOID + ); + +typedef +BOOLEAN +(EFIAPI *_HASH_INIT) ( + OUT VOID *ShaContext + ); + +typedef +BOOLEAN +(EFIAPI *_HASH_DUPLICATE) ( + IN CONST VOID *ShaContext, + OUT VOID *NewShaContext + ); + +typedef +BOOLEAN +(EFIAPI *_HASH_UPDATE) ( + IN OUT VOID *ShaContext, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +typedef +BOOLEAN +(EFIAPI *_HASH_FINAL) ( + IN OUT VOID *ShaContext, + OUT UINT8 *HashValue + ); + +HASH_ALGO_IDX +GetHashAlgoIndex ( + VOID +); + +typedef struct { + HASH_ALGO_IDX HashAlgo; + GET_HASH_CTX_SIZE GetHashCtxSize; + _HASH_INIT HashInit; + _HASH_DUPLICATE HashDuplicate; + _HASH_UPDATE HashUpdate; + _HASH_FINAL HashFinal; +} HASH_OPERATIONS; + + +EFI_STATUS +EFIAPI +RegisterHashLib ( + IN HASH_OPERATIONS *HashInterface +); +#endif +#endif \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/SecurityP= kg/Library/BaseHashLib/BaseHashLibDxe.inf new file mode 100644 index 000000000000..f5dcbedb2cd9 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf @@ -0,0 +1,49 @@ +## @file +# Provides hash service by registered hash handler +# +# This library is Base Hash Lib. It will redirect hash request to each in= dividual +# hash handler registered, such as SHA1, SHA256, SHA384, SM3. Platform ca= n use +# PcdTpm2HashMask to register hash engines. +# +# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D BaseHashLibDxe + MODULE_UNI_FILE =3D BaseHashLibDxe.uni + FILE_GUID =3D 158DC712-F15A-44dc-93BB-1675045BE066 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D BaseHashLib|DXE_DRIVER DXE_RUNTIME_DR= IVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER + CONSTRUCTOR =3D BaseHashLibApiDxeConstructor + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + BaseHashLib.h + BaseHashLibDxe.c + BaseHashLib.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + PcdLib + +[Pcd] + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES + diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni b/SecurityP= kg/Library/BaseHashLib/BaseHashLibDxe.uni new file mode 100644 index 000000000000..d8b03ea4da63 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni @@ -0,0 +1,18 @@ +// /** @file +// Provides hash service by registered hash handler +// +// This library is BaseCrypto router. It will redirect hash request to eac= h individual +// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2= HashMask to +// mask some hash engines. +// +// Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides hash ser= vice by registered hash handler" + +#string STR_MODULE_DESCRIPTION #language en-US "This library is B= aseCrypto router. It will redirect hash request to each individual hash han= dler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to = mask some hash engines." + diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf b/SecurityP= kg/Library/BaseHashLib/BaseHashLibPei.inf new file mode 100644 index 000000000000..07e95a5a9c0f --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf @@ -0,0 +1,50 @@ +## @file +# Provides hash service by registered hash handler +# +# This library is BaseCrypto router. It will redirect hash request to eac= h individual +# hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2= HashMask to +# mask some hash engines. +# +# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D BaseHashLibPei + MODULE_UNI_FILE =3D BaseHashLibPei.uni + FILE_GUID =3D DDCBCFBA-8EEB-488a-96D6-097831A6E50B + MODULE_TYPE =3D PEIM + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D BaseHashLib|PEIM + CONSTRUCTOR =3D BaseHashLibApiPeiConstructor + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + BaseHashLib.h + BaseHashLibPei.c + BaseHashLib.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + MdeModulePkg/MdeModulePkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + PcdLib + +[Pcd] + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES + diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni b/SecurityP= kg/Library/BaseHashLib/BaseHashLibPei.uni new file mode 100644 index 000000000000..d8b03ea4da63 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni @@ -0,0 +1,18 @@ +// /** @file +// Provides hash service by registered hash handler +// +// This library is BaseCrypto router. It will redirect hash request to eac= h individual +// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2= HashMask to +// mask some hash engines. +// +// Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides hash ser= vice by registered hash handler" + +#string STR_MODULE_DESCRIPTION #language en-US "This library is B= aseCrypto router. It will redirect hash request to each individual hash han= dler registered, such as SHA1, SHA256. Platform can use PcdTpm2HashMask to = mask some hash engines." + diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index cac36caf0a0d..b03677a5411c 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -27,6 +27,10 @@ [LibraryClasses] # HashLib|Include/Library/HashLib.h =20 + ## @libraryclass Provides hash interfaces from different implementatio= ns. + # + BaseHashLib|Include/Library/HashLib.h + ## @libraryclass Provides a platform specific interface to detect phys= ically present user. # PlatformSecureLib|Include/Library/PlatformSecureLib.h @@ -496,5 +500,29 @@ [PcdsDynamic, PcdsDynamicEx] # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table. gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023 =20 + [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF image + # Based on the value set, the required algorithm is chosen to verify + # the unsigned image during Secure Boot.
+ # The hashing algorithm selected must match the hashing algorithm used = to + # hash the image to be added to DB using tools such as KeyEnroll.
+ # 0x00000001 - SHA1.
+ # 0x00000002 - SHA256.
+ # 0x00000004 - SHA384.
+ # 0x00000008 - SHA512.
+ # 0x00000010 - SM3_256.
+ # @Prompt Set policy for hashing unsigned image for Secure Boot. + # @ValidRange 0x80000001 | 0x00000000 - 0x00000005 + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x02|UINT32|0x00010024 + + ## This PCD indicated final BIOS supported Hash mask for Base Hash API. + # Bios may choose to register a subset of PcdTpm2HashMask. + # This PCD is final value of how many hash algo are registered with + # Base Hash API. + # This PCD will start with value 0 by the Base Hash API constructor and + # the value will be updated as Hash Algo are registered. + # @Prompt Hash Algorithm bitmap for Base Hash API. + gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|0xFFFFFFFF|UINT32|0= x00010025 + [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index a2eeadda7a7e..9ae134ffee53 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM] Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/P= eiTcg2PhysicalPresenceLib.inf RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf =20 [LibraryClasses.common.DXE_DRIVER] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf @@ -170,6 +171,7 @@ [PcdsDynamicDefault.common.DEFAULT] gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1 gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|3 gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|3 + gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|3 =20 [PcdsDynamicHii.common.DEFAULT] gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L"TCG2_= VERSION"|gTcg2ConfigFormSetGuid|0x0|"1.3"|NV,BS @@ -211,6 +213,8 @@ [Components] =20 SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf =20 + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf + # # TCG Storage. # diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni index 68587304d779..2dc77279210c 100644 --- a/SecurityPkg/SecurityPkg.uni +++ b/SecurityPkg/SecurityPkg.uni @@ -295,3 +295,26 @@ =20 #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP #lang= uage en-US "This PCD defines LASA of TPM2 ACPI table\n\n" = "0 means this field is unsupported\n" + +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_PROMPT #lan= guage en-US "HASH algorithm to verify unsigned PE/COFF image" + +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP #langu= age en-US "This PCD indicates the HASH algorithm to verify unsigned PE/COFF= image.

\n" + = "Based on the value set, the required algorithm is chosen to = verify\n" + = "the unsigned image during Secure Boot.
\n" + = "The hashing algorithm selected must match the hashing algori= thm used to\n" + = "hash the image to be added to DB using tools such as KeyEnro= ll.
\n" + = "0x00000000 - SHA1.
\n" + = "0x00000001 - SHA224.
" + = "0x00000002 - SHA256.
\n" + = "0x00000003 - SHA384.
\n" + = "0x00000004 - SHA512.
\n" + = "0x00000005 - SM3.
" + +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_PROMPT #= language en-US "Hash Algorithm bitmap for Base Hash API." + +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_HELP #la= nguage en-US "This PCD indicated final BIOS supported Hash mask for Base Ha= sh API.\n" + = "Bios may choose to register a subset of PcdTpm2HashMask.
= \n" + = "This PCD is final value of how many hash algo are registered= with\n" + = "Base Hash API.
\n" + = "This PCD will start with value 0 by the Base Hash API constr= uctor and\n" + = "the value will be updated as Hash Algo are registered.
\n" --=20 2.16.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#52376): https://edk2.groups.io/g/devel/message/52376 Mute This Topic: https://groups.io/mt/68808197/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Thu May 2 08:21:28 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+52385+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+52385+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1576707401; cv=none; d=zohomail.com; s=zohoarc; b=I8o7CIYqnH55TtDCbmHG/zsRvJnN0q1BpcBKHUBuBRt9fkIubzOnV3TQ3zDPS+UqlkET650MjyXHOA7LAvEqTqujQhgJtty3W98gqu8vjP/W8btZMPYILsAkSzyLcHyyHu2A4QQLXYQ7eKGJ3NMIsvUB8pgTQZEh9/0lN2MvZU8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1576707401; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=aFN0ELvkhqwEzkH3BrQsW8JkeviW3vPyTeiMNhDW4pA=; b=Hk111EgpUVnyubloQwlfpgbP847vvp8cKBw6mpS35C1MyckZCqyf0vmEPjYVtlaEp6Ho4GutMCMSejRM/fHYcO9lBUfus6BjlBtcNJfR8vL3AQUHh40WwsQ2fKZ9eHDtFAYYB8jHwJLkAemmvJPgNMZzQMyObis2MDDk2zv6Ing= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+52385+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1576707401126769.775093092828; Wed, 18 Dec 2019 14:16:41 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id RNHiYY1788612xl9w5tdSYAM; Wed, 18 Dec 2019 14:16:40 -0800 X-Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by mx.groups.io with SMTP id smtpd.web10.1989.1576705848243615303 for ; Wed, 18 Dec 2019 13:50:48 -0800 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Dec 2019 13:50:47 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,330,1571727600"; d="scan'208";a="240930679" X-Received: from ansukerk-mobl.amr.corp.intel.com ([10.78.16.174]) by fmsmga004.fm.intel.com with ESMTP; 18 Dec 2019 13:50:47 -0800 From: "Sukerkar, Amol N" To: devel@edk2.groups.io Cc: michael.d.kinney@intel.com, sachin.agrawal@intel.com, self Subject: [edk2-devel] [PATCH v1 2/6] SecurityPkg/HashApiInstanceSha1: Implement API registration mechanism for SHA1 Date: Wed, 18 Dec 2019 14:50:33 -0700 Message-Id: <20191218215037.1630-3-amol.n.sukerkar@intel.com> In-Reply-To: <20191218215037.1630-1-amol.n.sukerkar@intel.com> References: <20191218215037.1630-1-amol.n.sukerkar@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,amol.n.sukerkar@intel.com X-Gm-Message-State: 45YxMhCVDCI6YGSzcF1acf83x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1576707400; bh=sg7n7upIP4MDud/nL2AkWCBC0u9DwQCgLLSX/maXqtk=; h=Cc:Date:From:Reply-To:Subject:To; b=uxSxqy/rnTPIQagcGxuBQ6DPKn+CQUH60xO10fm4Xzx9nNG4vMyQx/RD1l1N1kSt8Wx +HCMCdXMmsE3kpeM0ThXRa+EcnQQYQf3HZKMh1nm/wsYDPUHEh1HHTzWeR4+eF8X8Aphd mLVdafFhxLXunaH0MQrSl8YQwDB4fCUHpN8= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This is the HashApiInstance implementation for SHA1 which registers the SHA1 hash library in CryptoPkg with BaseHashLib based on whether a platform supp= orts SHA1 hash algorithm (provided by PcdTpm2HashMask). Signed-off-by: Sukerkar, Amol N --- SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c | 128 ++++= ++++++++++++++++ SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf | 40 ++++= ++ SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni | 16 +++ SecurityPkg/SecurityPkg.dsc | 5 + 4 files changed, 189 insertions(+) diff --git a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c = b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c new file mode 100644 index 000000000000..06e88f00d70b --- /dev/null +++ b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c @@ -0,0 +1,128 @@ +/** @file + This library is BaseCrypto SHA1 hash instance. + It can be registered to BaseCrypto router, to serve as hash engine. + +Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include + +/** + Start hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash sequence start and HandleHandle return= ed. + @retval EFI_OUT_OF_RESOURCES No enough resource to start hash. +**/ +EFI_STATUS +EFIAPI +Sha1_Init ( + OUT HASH_HANDLE *HashHandle + ) +{ + VOID *Sha1Ctx; + UINTN CtxSize; + + CtxSize =3D Sha1GetContextSize (); + Sha1Ctx =3D AllocatePool (CtxSize); + ASSERT (Sha1Ctx !=3D NULL); + + Sha1Init (Sha1Ctx); + + *HashHandle =3D (HASH_HANDLE)Sha1Ctx; + + return EFI_SUCCESS; +} + +/** + Update hash sequence data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash sequence updated. +**/ +EFI_STATUS +EFIAPI +Sha1_Update ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ) +{ + VOID *Sha1Ctx; + + Sha1Ctx =3D (VOID *)HashHandle; + Sha1Update (Sha1Ctx, DataToHash, DataToHashLen); + + return EFI_SUCCESS; +} + +/** + Complete hash sequence complete. + + @param HashHandle Hash handle. + @param DigestList Digest list. + + @retval EFI_SUCCESS Hash sequence complete and DigestList is returne= d. +**/ +EFI_STATUS +EFIAPI +Sha1_Final ( + IN HASH_HANDLE HashHandle, + OUT UINT8 **Digest + ) +{ + UINT8 Sha1Digest[SHA1_DIGEST_SIZE]; + VOID *Sha1Ctx; + + Sha1Ctx =3D (VOID *)HashHandle; + Sha1Final (Sha1Ctx, Sha1Digest); + + CopyMem (*Digest, Sha1Digest, SHA1_DIGEST_SIZE); + + FreePool (Sha1Ctx); + + return EFI_SUCCESS; +} + +HASH_INTERFACE_UNIFIED_API mSha1InternalHashApiInstance =3D { + HASH_ALGORITHM_SHA1_GUID, + Sha1_Init, + Sha1_Update, + Sha1_Final, +}; + +/** + The function register SHA1 instance. + + @retval EFI_SUCCESS SHA1 instance is registered, or system dose not su= rpport registr SHA1 instance +**/ +EFI_STATUS +EFIAPI +HashApiInstanceSha1Constructor ( + VOID + ) +{ + EFI_STATUS Status; + + Status =3D RegisterHashApiLib (&mSha1InternalHashApiInstance); + if ((Status =3D=3D EFI_SUCCESS) || (Status =3D=3D EFI_UNSUPPORTED)) { + // + // Unsupported means platform policy does not need this instance enabl= ed. + // + DEBUG ((DEBUG_ERROR, "[ansukerk]: Hash Interface SHA1 is registered\n"= )); + return EFI_SUCCESS; + } + return Status; +} diff --git a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.in= f b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf new file mode 100644 index 000000000000..b59c4d883439 --- /dev/null +++ b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf @@ -0,0 +1,40 @@ +## @file +# Provides BaseCrypto SHA1 hash service +# +# This library can be registered to BaseCrypto router, to serve as hash e= ngine. +# +# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D HashApiInstanceSha1 + MODULE_UNI_FILE =3D HashApiInstanceSha1.uni + FILE_GUID =3D 9A7A6AB4-9DA6-4aa4-90CB-6D4B79EDA7B9 + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D NULL + CONSTRUCTOR =3D HashApiInstanceSha1Constructor + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + HashApiInstanceSha1.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib diff --git a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.un= i b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni new file mode 100644 index 000000000000..716369d2fb8a --- /dev/null +++ b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.uni @@ -0,0 +1,16 @@ +// /** @file +// Provides BaseCrypto SHA1 hash service +// +// This library can be registered to BaseCrypto router, to serve as hash e= ngine. +// +// Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides BaseCryp= to SHA1 hash service API" + +#string STR_MODULE_DESCRIPTION #language en-US "This library can = be registered to Base Hash API, to serve as hash engine." + diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 9ae134ffee53..6c0832d48e88 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -241,6 +241,11 @@ [Components.IA32, Components.X64, Components.ARM, Comp= onents.AARCH64] [Components.IA32, Components.X64] SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf =20 + # + # Hash API + # + SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf + # # TPM # --=20 2.16.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#52385): https://edk2.groups.io/g/devel/message/52385 Mute This Topic: https://groups.io/mt/68808206/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Thu May 2 08:21:28 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+52377+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+52377+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1576707399; cv=none; d=zohomail.com; s=zohoarc; b=bbHq5tyU0b5VZfp8A8hJB/Wxa+DjlZyk/vcgHfBepFzipaBuW4I/KMYXb85hZ5VerhhSWbLnjMFDGJMbTLzoeZqGXUCgIwKcvyzGEQTffXsKF0nA4SGMHoXsPS7Y51SXYjtH6li0lmaRhk7cK/iItG/eMRve4Oz3MN7/ewDBRZw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1576707399; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=wsdo4zaKStKa+4iSpm+1UZ/b0gSc8baictvUSAfBqE8=; b=IzPhZHLZ+ZwOy0eCUQli/CcBGJDKET7O4lDxFeZAg9m/kUAEKdRnq6abb6mdEJTxw64m+S+Uyxq2lURoXMh/JcUPuVof73RWoy4KJzQzhbyE8OEUnmBTj33eI59uADUaE/9jjUpOl/F72dUtlsk1CUh/Y/tNfxkxvM1MKHX+WTM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+52377+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1576707399413115.60052413415201; Wed, 18 Dec 2019 14:16:39 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id Wv50YY1788612xWJShaWS8ih; Wed, 18 Dec 2019 14:16:38 -0800 X-Received: from mga14.intel.com (mga14.intel.com []) by mx.groups.io with SMTP id smtpd.web10.1987.1576705847293132972 for ; Wed, 18 Dec 2019 13:50:48 -0800 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Dec 2019 13:50:47 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,330,1571727600"; d="scan'208";a="240930683" X-Received: from ansukerk-mobl.amr.corp.intel.com ([10.78.16.174]) by fmsmga004.fm.intel.com with ESMTP; 18 Dec 2019 13:50:47 -0800 From: "Sukerkar, Amol N" To: devel@edk2.groups.io Cc: michael.d.kinney@intel.com, sachin.agrawal@intel.com, self Subject: [edk2-devel] [PATCH v1 3/6] SecurityPkg/HashApiInstanceSha256: Implement API registration mechanism for SHA256 Date: Wed, 18 Dec 2019 14:50:34 -0700 Message-Id: <20191218215037.1630-4-amol.n.sukerkar@intel.com> In-Reply-To: <20191218215037.1630-1-amol.n.sukerkar@intel.com> References: <20191218215037.1630-1-amol.n.sukerkar@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,amol.n.sukerkar@intel.com X-Gm-Message-State: cqhzIxQ4p4SmiOV2HDYlLnMex1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1576707398; bh=7C81u9o8KoBfrQYpO68HO0y/eOFt6kKTZyu6hQv7qDk=; h=Cc:Date:From:Reply-To:Subject:To; b=g8gXXS0+68XsgYrFbijgF508aDFkguZBDhRxMJYqz9+tOw3fo4zw+tecBAW2QMeKNcP laeUgIMXVaQTDVABbi3OLOslPWoBIqukINYt8OXyMcVyE/m7eNSA2dIR2xOfR6EFj+Wgb bqdnlXYzWtXY86jzAsaX20XWrNY4vO7FvCE= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This is the HashApiInstance implementation for SHA256 which registers the SHA256 hash library in CryptoPkg with BaseHashLib based on whether a platfo= rm supports SHA256 hash algorithm (provided by PcdTpm2HashMask). Signed-off-by: Sukerkar, Amol N --- SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c | 128 = ++++++++++++++++++++ SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf | 40 = ++++++ SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.uni | 16 = +++ SecurityPkg/SecurityPkg.dsc | 1 + 4 files changed, 185 insertions(+) diff --git a/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha25= 6.c b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c new file mode 100644 index 000000000000..129d60a387fd --- /dev/null +++ b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c @@ -0,0 +1,128 @@ +/** @file + This library is BaseCrypto SHA256 hash instance. + It can be registered to BaseCrypto router, to serve as hash engine. + +Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include + +/** + Start hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash sequence start and HandleHandle return= ed. + @retval EFI_OUT_OF_RESOURCES No enough resource to start hash. +**/ +EFI_STATUS +EFIAPI +Sha256_Init ( + OUT HASH_HANDLE *HashHandle + ) +{ + VOID *Sha256Ctx; + UINTN CtxSize; + + CtxSize =3D Sha256GetContextSize (); + Sha256Ctx =3D AllocatePool (CtxSize); + ASSERT (Sha256Ctx !=3D NULL); + + Sha256Init (Sha256Ctx); + + *HashHandle =3D (HASH_HANDLE)Sha256Ctx; + + return EFI_SUCCESS; +} + +/** + Update hash sequence data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash sequence updated. +**/ +EFI_STATUS +EFIAPI +Sha256_Update ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ) +{ + VOID *Sha256Ctx; + + Sha256Ctx =3D (VOID *)HashHandle; + Sha256Update (Sha256Ctx, DataToHash, DataToHashLen); + + return EFI_SUCCESS; +} + +/** + Complete hash sequence complete. + + @param HashHandle Hash handle. + @param DigestList Digest list. + + @retval EFI_SUCCESS Hash sequence complete and DigestList is returne= d. +**/ +EFI_STATUS +EFIAPI +Sha256_Final ( + IN HASH_HANDLE HashHandle, + OUT UINT8 **Digest + ) +{ + UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; + VOID *Sha256Ctx; + + Sha256Ctx =3D (VOID *)HashHandle; + Sha256Final (Sha256Ctx, Sha256Digest); + + CopyMem (*Digest, Sha256Digest, SHA256_DIGEST_SIZE); + + FreePool (Sha256Ctx); + + return EFI_SUCCESS; +} + +HASH_INTERFACE_UNIFIED_API mSha256InternalHashApiInstance =3D { + HASH_ALGORITHM_SHA256_GUID, + Sha256_Init, + Sha256_Update, + Sha256_Final, +}; + +/** + The function register SHA256 instance. + + @retval EFI_SUCCESS SHA256 instance is registered, or system dose not = surpport registr SHA256 instance +**/ +EFI_STATUS +EFIAPI +HashApiInstanceSha256Constructor ( + VOID + ) +{ + EFI_STATUS Status; + + Status =3D RegisterHashApiLib (&mSha256InternalHashApiInstance); + if ((Status =3D=3D EFI_SUCCESS) || (Status =3D=3D EFI_UNSUPPORTED)) { + // + // Unsupported means platform policy does not need this instance enabl= ed. + // + DEBUG ((DEBUG_ERROR, "[ansukerk]: Hash Interface SHA256 is registered\= n")); + return EFI_SUCCESS; + } + return Status; +} diff --git a/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha25= 6.inf b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf new file mode 100644 index 000000000000..08d802cd69f4 --- /dev/null +++ b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf @@ -0,0 +1,40 @@ +## @file +# Provides BaseCrypto SHA1 hash service +# +# This library can be registered to BaseCrypto router, to serve as hash e= ngine. +# +# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D HashApiInstanceSha256 + MODULE_UNI_FILE =3D HashApiInstanceSha256.uni + FILE_GUID =3D 9A7A6AB4-9DA6-4aa4-90CB-6D4B79EDA7B9 + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D NULL + CONSTRUCTOR =3D HashApiInstanceSha256Constructor + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + HashApiInstanceSha256.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib diff --git a/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha25= 6.uni b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.uni new file mode 100644 index 000000000000..b2121464c552 --- /dev/null +++ b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.uni @@ -0,0 +1,16 @@ +// /** @file +// Provides BaseCrypto SHA256 hash service +// +// This library can be registered to BaseCrypto router, to serve as hash e= ngine. +// +// Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides BaseCryp= to SHA256 hash service API" + +#string STR_MODULE_DESCRIPTION #language en-US "This library can = be registered to Base Hash API, to serve as hash engine." + diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 6c0832d48e88..95a5710735e0 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -245,6 +245,7 @@ [Components.IA32, Components.X64] # Hash API # SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf + SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf =20 # # TPM --=20 2.16.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#52377): https://edk2.groups.io/g/devel/message/52377 Mute This Topic: https://groups.io/mt/68808198/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Thu May 2 08:21:28 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+52378+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+52378+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1576707399; cv=none; d=zohomail.com; s=zohoarc; b=DaMZoJNv+9wLZqiE7xqEeNyNdpb7NYKkF3pOaxV7UnxhDW2SpNx8OevDH+guqJZOxVfboCbyb+x6xSkQOmpGO5OD8z1pkPgusNxTJYe9N1mCMjtRvC6JT4A2gnYv4KYa3Q/WiOi1UPgD7+qBPobyV5AUc0O8N3s8MUs1kEWr5iA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1576707399; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=ETsZlSBhCTapY/vya9Y4nIhUNhlC1OS6VJVvQE+czK4=; b=NpvBVypBrrMoOzlIpQl//zWK4oeyVLkuOcsT7NRfsHZ/MkqV8uhTctGDSSCxa2Xn17RtAXZJFEMnhOkgb0Lv8ABQdR7RS7t4HPlBrzw/ks2hhISqikHhndJWxVi5pjFrvojCTLrWqniBqu8gO4TP4gQtlt7hjl+l0NMnxkmHgBA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+52378+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1576707399839621.189396855977; Wed, 18 Dec 2019 14:16:39 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id 9fuuYY1788612xdsjbFJ0bjl; Wed, 18 Dec 2019 14:16:38 -0800 X-Received: from mga14.intel.com (mga14.intel.com []) by mx.groups.io with SMTP id smtpd.web10.1987.1576705847293132972 for ; Wed, 18 Dec 2019 13:50:48 -0800 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Dec 2019 13:50:47 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,330,1571727600"; d="scan'208";a="240930687" X-Received: from ansukerk-mobl.amr.corp.intel.com ([10.78.16.174]) by fmsmga004.fm.intel.com with ESMTP; 18 Dec 2019 13:50:47 -0800 From: "Sukerkar, Amol N" To: devel@edk2.groups.io Cc: michael.d.kinney@intel.com, sachin.agrawal@intel.com, self Subject: [edk2-devel] [PATCH v1 4/6] SecurityPkg/HashApiInstanceSha384: Implement API registration mechanism for SHA384 Date: Wed, 18 Dec 2019 14:50:35 -0700 Message-Id: <20191218215037.1630-5-amol.n.sukerkar@intel.com> In-Reply-To: <20191218215037.1630-1-amol.n.sukerkar@intel.com> References: <20191218215037.1630-1-amol.n.sukerkar@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,amol.n.sukerkar@intel.com X-Gm-Message-State: xNb9E3zxDPmPajHwwg48S4H1x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1576707398; bh=xH2o2ToTntHjAgNh4L/2sEf3rzVe/eJ6Qku+Px9sEEU=; h=Cc:Date:From:Reply-To:Subject:To; b=ey6fxuh1ofWW5Ggqk1VjkkNZ7KFJD4v8OG6IJr+96dj+elOLZ3BbeaEF9NzWUwKsNJ8 bVZ9+3moXixR8eHUFoCEafT5WWlG3PdDg9bMiJyWDBwsYiSjJaXOMczKl6Wkrp7+SPqh3 PYpCFRPPCUmIeWnAihfXQvVL5KBPpK8UZpY= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This is the HashApiInstance implementation for SHA384 which registers the SHA384 hash library in CryptoPkg with BaseHashLib based on whether a platfo= rm supports SHA384 hash algorithm (provided by PcdTpm2HashMask). Signed-off-by: Sukerkar, Amol N --- SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c | 128 = ++++++++++++++++++++ SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.inf | 40 = ++++++ SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.uni | 16 = +++ SecurityPkg/SecurityPkg.dsc | 1 + 4 files changed, 185 insertions(+) diff --git a/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha38= 4.c b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c new file mode 100644 index 000000000000..0d1b8f3e877a --- /dev/null +++ b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c @@ -0,0 +1,128 @@ +/** @file + This library is BaseCrypto SHA384 hash instance. + It can be registered to BaseCrypto router, to serve as hash engine. + +Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include + +/** + Start hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash sequence start and HandleHandle return= ed. + @retval EFI_OUT_OF_RESOURCES No enough resource to start hash. +**/ +EFI_STATUS +EFIAPI +Sha384_Init ( + OUT HASH_HANDLE *HashHandle + ) +{ + VOID *Sha384Ctx; + UINTN CtxSize; + + CtxSize =3D Sha384GetContextSize (); + Sha384Ctx =3D AllocatePool (CtxSize); + ASSERT (Sha384Ctx !=3D NULL); + + Sha384Init (Sha384Ctx); + + *HashHandle =3D (HASH_HANDLE)Sha384Ctx; + + return EFI_SUCCESS; +} + +/** + Update hash sequence data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash sequence updated. +**/ +EFI_STATUS +EFIAPI +Sha384_Update ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ) +{ + VOID *Sha384Ctx; + + Sha384Ctx =3D (VOID *)HashHandle; + Sha384Update (Sha384Ctx, DataToHash, DataToHashLen); + + return EFI_SUCCESS; +} + +/** + Complete hash sequence complete. + + @param HashHandle Hash handle. + @param DigestList Digest list. + + @retval EFI_SUCCESS Hash sequence complete and DigestList is returne= d. +**/ +EFI_STATUS +EFIAPI +Sha384_Final ( + IN HASH_HANDLE HashHandle, + OUT UINT8 **Digest + ) +{ + UINT8 Sha384Digest[SHA384_DIGEST_SIZE]; + VOID *Sha384Ctx; + + Sha384Ctx =3D (VOID *)HashHandle; + Sha384Final (Sha384Ctx, Sha384Digest); + + CopyMem (*Digest, Sha384Digest, SHA384_DIGEST_SIZE); + + FreePool (Sha384Ctx); + + return EFI_SUCCESS; +} + +HASH_INTERFACE_UNIFIED_API mSha384InternalHashApiInstance =3D { + HASH_ALGORITHM_SHA384_GUID, + Sha384_Init, + Sha384_Update, + Sha384_Final, +}; + +/** + The function register SHA384 instance. + + @retval EFI_SUCCESS SHA384 instance is registered, or system dose not = surpport registr SHA384 instance +**/ +EFI_STATUS +EFIAPI +HashApiInstanceSha384Constructor ( + VOID + ) +{ + EFI_STATUS Status; + + Status =3D RegisterHashApiLib (&mSha384InternalHashApiInstance); + if ((Status =3D=3D EFI_SUCCESS) || (Status =3D=3D EFI_UNSUPPORTED)) { + // + // Unsupported means platform policy does not need this instance enabl= ed. + // + DEBUG ((DEBUG_ERROR, "[ansukerk]: Hash Interface SHA384 is registered\= n")); + return EFI_SUCCESS; + } + return Status; +} diff --git a/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha38= 4.inf b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.inf new file mode 100644 index 000000000000..ee36a926a8b8 --- /dev/null +++ b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.inf @@ -0,0 +1,40 @@ +## @file +# Provides BaseCrypto SHA1 hash service +# +# This library can be registered to BaseCrypto router, to serve as hash e= ngine. +# +# Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D HashApiInstanceSha384 + MODULE_UNI_FILE =3D HashApiInstanceSha384.uni + FILE_GUID =3D 9A7A6AB4-9DA6-4aa4-90CB-6D4B79EDA7B9 + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D NULL + CONSTRUCTOR =3D HashApiInstanceSha384Constructor + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + HashApiInstanceSha384.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib diff --git a/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha38= 4.uni b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.uni new file mode 100644 index 000000000000..be41375bca7a --- /dev/null +++ b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.uni @@ -0,0 +1,16 @@ +// /** @file +// Provides BaseCrypto SHA384 hash service +// +// This library can be registered to BaseCrypto router, to serve as hash e= ngine. +// +// Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides BaseCryp= to SHA384 hash service API" + +#string STR_MODULE_DESCRIPTION #language en-US "This library can = be registered to Base Hash API, to serve as hash engine." + diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 95a5710735e0..c03822872718 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -246,6 +246,7 @@ [Components.IA32, Components.X64] # SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.inf SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.inf + SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.inf =20 # # TPM --=20 2.16.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#52378): https://edk2.groups.io/g/devel/message/52378 Mute This Topic: https://groups.io/mt/68808199/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Thu May 2 08:21:28 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+52379+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+52379+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1576707399; cv=none; d=zohomail.com; s=zohoarc; b=ko/ENunZIG5QqdAtd+HC1Qr9mcWLM4NAJBl2M+zJLfoIcyYanXq6ALkjLCwQ5YC+w2nQM2p2iWUwd8h7IQnTdcS8dKmfFRxNcIZSi31Ac3A2sklqJGJWC4PUn9M3PqjelusMxidMAhcMJ/N6yaGxZnsefe6PB6VoMODX8+Zixe8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1576707399; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=DK2E9338XwhQs0uqevJ3oGbdrDouewb66QEwMRcgccY=; b=cA/dPFmpaSxMTT8AV2jH29jvID23IfvDspvwF64SyOu2nIOwbHbRaNEBh9qaVWWJbbG9Kx/Pk9ycoQBDDx1vDhUikp1PMoMS27hOpC9c2nP67IVReTXc99SCnF9h7wWlnavFs29eWzsEt789z9LlmL/8pjS6EUcl+/0EQmRzci4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+52379+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1576707399929672.4090522486621; Wed, 18 Dec 2019 14:16:39 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id a9rcYY1788612xhX0SyN3zNU; Wed, 18 Dec 2019 14:16:38 -0800 X-Received: from mga14.intel.com (mga14.intel.com []) by mx.groups.io with SMTP id smtpd.web10.1989.1576705848243615303 for ; Wed, 18 Dec 2019 13:50:48 -0800 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Dec 2019 13:50:47 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,330,1571727600"; d="scan'208";a="240930691" X-Received: from ansukerk-mobl.amr.corp.intel.com ([10.78.16.174]) by fmsmga004.fm.intel.com with ESMTP; 18 Dec 2019 13:50:48 -0800 From: "Sukerkar, Amol N" To: devel@edk2.groups.io Cc: michael.d.kinney@intel.com, sachin.agrawal@intel.com, self Subject: [edk2-devel] [PATCH v1 5/6] SecurityPkg/BaseHashLib: Modified the Registation Mechanism for BaseHashLib Date: Wed, 18 Dec 2019 14:50:36 -0700 Message-Id: <20191218215037.1630-6-amol.n.sukerkar@intel.com> In-Reply-To: <20191218215037.1630-1-amol.n.sukerkar@intel.com> References: <20191218215037.1630-1-amol.n.sukerkar@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,amol.n.sukerkar@intel.com X-Gm-Message-State: 38tgdsyKtbAZxjLkjC1V8AJTx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1576707398; bh=bpTCPvQst6iNL/yj3VadozZasSKrvM/FPxs/IPts03o=; h=Cc:Date:From:Reply-To:Subject:To; b=LYQjKGq4tJhqQAAeo0zz6xsViAFOjgmfsyo56iER8xza69/i4+9d9Cj3v3ZdAIgzrp4 LdE3LybxkbMZy/fIsA/ODWk1owxyqRGequf4dq4byo9IPCcwORCtkdkkzVifsnQaznIzq rstj/8Vi15lpM29hh0N10/WNdKIMEiDgoXU= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" A gEfiCallerIdGuid needs to be introduced in the BaseHashLibPei method to s= ave the hash mask of registered API instances of hashing algorithms. gEfiCallerIdGuid saves the last registered hash mask as a HOB that can be modified or updated with the subsequent registration of API instances of hashing algorithms based on PcdSystemHashPolicy. Signed-off-by: Sukerkar, Amol N --- SecurityPkg/Library/BaseHashLib/BaseHashLib.c | 236 --= ----------- SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 210 ++= +++++++++- SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 348 ++= +++++++++++++++++- SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c | 2 +- SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c | 2 +- SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c | 2 +- SecurityPkg/Include/Library/BaseHashLib.h | 153 ++= +++++++ SecurityPkg/Include/Library/HashLib.h | 83 --= --- SecurityPkg/Library/BaseHashLib/BaseHashLib.h | 85 --= --- SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 35 ++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 2 - SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 4 +- SecurityPkg/SecurityPkg.dec | 9 - SecurityPkg/SecurityPkg.uni | 9 - 14 files changed, 733 insertions(+), 447 deletions(-) diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.c b/SecurityPkg/Li= brary/BaseHashLib/BaseHashLib.c deleted file mode 100644 index 2ad83387799d..000000000000 --- a/SecurityPkg/Library/BaseHashLib/BaseHashLib.c +++ /dev/null @@ -1,236 +0,0 @@ -/** @file - Implement image verification services for secure boot service - - Caution: This file requires additional review when modified. - This library will have external input - PE/COFF image. - This external input must be validated carefully to avoid security issue = like - buffer overflow, integer overflow. - - DxeImageVerificationLibImageRead() function will make sure the PE/COFF i= mage content - read is within the image buffer. - - DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() functi= on will accept - untrusted PE/COFF image and validate its data structure within this imag= e buffer before use. - -Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
-(C) Copyright 2016 Hewlett Packard Enterprise Development LP
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD = License -which accompanies this distribution. The full text of the license may be = found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. - -**/ - -#include -#include -#include -#include -#include -#include - -//#include "BaseHashLib.h" - -typedef struct { - EFI_GUID Guid; - UINT32 Mask; -} HASH_MASK; - -HASH_MASK mHashMask[] =3D { - {HASH_ALGORITHM_SHA1_GUID, HASH_ALG_SHA1}, - {HASH_ALGORITHM_SHA256_GUID, HASH_ALG_SHA256}, - {HASH_ALGORITHM_SHA384_GUID, HASH_ALG_SHA384}, - {HASH_ALGORITHM_SHA512_GUID, HASH_ALG_SHA512}, -}; - -HASH_INTERFACE_UNIFIED_API mHashOps[HASH_COUNT] =3D {{{0}, NULL, NULL, NUL= L}}; - -UINTN mHashInterfaceCount =3D 0; -UINT32 mCurrentHashMask =3D 0; - -UINT32 -EFIAPI -GetApiHashMaskFromAlgo ( - IN EFI_GUID *HashGuid - ) -{ - UINTN Index; - - for (Index =3D 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index+= +) { - if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) { - return mHashMask[Index].Mask; - } - } - return 0; -} - -/** - Init hash sequence. - - @param HashHandle Hash handle. - - @retval EFI_SUCCESS Hash start and HashHandle returned. - @retval EFI_UNSUPPORTED System has no HASH library registered. -**/ -EFI_STATUS -EFIAPI -HashApiInit ( - OUT HASH_HANDLE *HashHandle -) -{ - HASH_HANDLE *HashCtx; - UINTN Index; - UINT32 HashMask; - - if (mHashInterfaceCount =3D=3D 0) { - return EFI_UNSUPPORTED; - } - - HashCtx =3D AllocatePool (sizeof(*HashCtx)); - ASSERT (HashCtx !=3D NULL); - - for (Index =3D 0; Index < mHashInterfaceCount; Index++) { - HashMask =3D GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); - if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) !=3D 0 && - (HashMask & PcdGet32 (PcdSystemHashPolicy)) !=3D 0) { - mHashOps[Index].HashInit (HashCtx); - } - } - - *HashHandle =3D (HASH_HANDLE)HashCtx; - - return EFI_SUCCESS; -} - -/** - Update hash data. - - @param HashHandle Hash handle. - @param DataToHash Data to be hashed. - @param DataToHashLen Data size. - - @retval EFI_SUCCESS Hash updated. - @retval EFI_UNSUPPORTED System has no HASH library registered. -**/ -EFI_STATUS -EFIAPI -HashApiUpdate ( - IN HASH_HANDLE HashHandle, - IN VOID *DataToHash, - IN UINTN DataToHashLen -) -{ - HASH_HANDLE *HashCtx; - UINTN Index; - UINT32 HashMask; - - if (mHashInterfaceCount =3D=3D 0) { - return EFI_UNSUPPORTED; - } - - HashCtx =3D (HASH_HANDLE *)HashHandle; - - for (Index =3D 0; Index < mHashInterfaceCount; Index++) { - HashMask =3D GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); - if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) !=3D 0 && - (HashMask & PcdGet32 (PcdSystemHashPolicy)) !=3D 0) { - mHashOps[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen); - } - } - - return EFI_SUCCESS; -} - -/** - Hash complete. - - @param HashHandle Hash handle. - @param Digest Hash Digest. - - @retval EFI_SUCCESS Hash complete and Digest is returned. -**/ -EFI_STATUS -EFIAPI -HashApiFinal ( - IN HASH_HANDLE HashHandle, - OUT UINT8 *Digest -) -{ - HASH_HANDLE *HashCtx; - UINTN Index; - UINT32 HashMask; - - if (mHashInterfaceCount =3D=3D 0) { - return EFI_UNSUPPORTED; - } - - HashCtx =3D (HASH_HANDLE *)HashHandle; - - for (Index =3D 0; Index < mHashInterfaceCount; Index++) { - HashMask =3D GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); - if ((HashMask & PcdGet32 (PcdHashAlgorithmBitmap)) !=3D 0 && - (HashMask & PcdGet32 (PcdSystemHashPolicy)) !=3D 0) { - mHashOps[Index].HashFinal (HashCtx[0], &Digest); - } - } - - return EFI_SUCCESS; -} - -/** - This service registers Hash Interface. - - @param HashInterface Hash interface - - @retval EFI_SUCCESS This hash interface is registered successfu= lly. - @retval EFI_UNSUPPORTED System does not support register this inter= face. - @retval EFI_ALREADY_STARTED System already register this interface. -**/ -EFI_STATUS -EFIAPI -RegisterHashApiLib ( - IN HASH_INTERFACE_UNIFIED_API *HashInterface - ) -{ - EFI_STATUS Status; - UINTN Index; - UINT32 HashMask; - - // - // Check Allow - // - HashMask =3D GetApiHashMaskFromAlgo (&HashInterface->HashGuid); - - // check if Hash Mask is supported - if ((HashMask & PcdGet32 (PcdTpm2HashMask)) =3D=3D 0) { - return EFI_UNSUPPORTED; - } - - if (mHashInterfaceCount >=3D sizeof(mHashOps)/sizeof(mHashOps[0])) { - return EFI_OUT_OF_RESOURCES; - } - - // - // Check duplication - // - for (Index =3D 0; Index < mHashInterfaceCount; Index++) { - if (CompareGuid (&mHashOps[Index].HashGuid, &HashInterface->HashGuid))= { - DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been registered\n", &H= ashInterface->HashGuid)); - return EFI_ALREADY_STARTED; - } - } - - // - // Register the Hash Algo. - // - mCurrentHashMask =3D PcdGet32 (PcdHashAlgorithmBitmap) | HashMask; - Status =3D PcdSet32S (PcdHashAlgorithmBitmap, mCurrentHashMask); - ASSERT_EFI_ERROR (Status); - - CopyMem (&mHashOps[mHashInterfaceCount], HashInterface, sizeof(*HashInte= rface)); - mHashInterfaceCount ++; - - return EFI_SUCCESS; -} \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c b/SecurityPkg= /Library/BaseHashLib/BaseHashLibDxe.c index 5de94d80fad5..f292558e3e40 100644 --- a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c @@ -29,9 +29,204 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH= ER EXPRESS OR IMPLIED. #include #include #include -#include +#include =20 -#include "BaseHashLib.h" +#include "BaseHashLibCommon.h" + + +HASH_INTERFACE_UNIFIED_API mHashOps[HASH_ALGO_COUNT] =3D {{{0}, NULL, NULL= , NULL}}; + +UINTN mBaseHashInterfaceCount =3D 0; +UINT32 mCurrentHashMask =3D 0; + +UINT32 +EFIAPI +GetApiHashMaskFromAlgo ( + IN EFI_GUID *HashGuid + ) +{ + UINTN Index; + + for (Index =3D 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index+= +) { + if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) { + return mHashMask[Index].Mask; + } + } + return 0; +} + +/** + Init hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash start and HashHandle returned. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiInit ( + OUT HASH_HANDLE *HashHandle +) +{ + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + UINT32 HashPolicy; + + HashPolicy =3D PcdGet32 (PcdSystemHashPolicy); + + if ((mBaseHashInterfaceCount =3D=3D 0) || !(mCurrentHashMask & HashPolic= y)) { + return EFI_UNSUPPORTED; + } + + HashCtx =3D AllocatePool (sizeof(*HashCtx)); + ASSERT (HashCtx !=3D NULL); + + for (Index =3D 0; Index < mBaseHashInterfaceCount; Index++) { + HashMask =3D GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); + if ((HashMask & HashPolicy) !=3D 0) { + mHashOps[Index].HashInit (HashCtx); + break; + } + } + + *HashHandle =3D (HASH_HANDLE)HashCtx; + + return EFI_SUCCESS; +} + +/** + Update hash data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash updated. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen +) +{ + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + UINT32 HashPolicy; + + HashPolicy =3D PcdGet32 (PcdSystemHashPolicy); + + if ((mBaseHashInterfaceCount =3D=3D 0) || !(mCurrentHashMask & HashPolic= y)) { + return EFI_UNSUPPORTED; + } + + HashCtx =3D (HASH_HANDLE *)HashHandle; + + for (Index =3D 0; Index < mBaseHashInterfaceCount; Index++) { + HashMask =3D GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); + if ((HashMask & HashPolicy) !=3D 0) { + mHashOps[Index].HashUpdate (HashCtx[0], DataToHash, DataToHashLen); + break; + } + } + + return EFI_SUCCESS; +} + +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +EFI_STATUS +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + OUT UINT8 *Digest +) +{ + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + UINT32 HashPolicy; + + HashPolicy =3D PcdGet32 (PcdSystemHashPolicy); + + if ((mBaseHashInterfaceCount =3D=3D 0) || !(mCurrentHashMask & HashPolic= y)) { + return EFI_UNSUPPORTED; + } + + HashCtx =3D (HASH_HANDLE *)HashHandle; + + for (Index =3D 0; Index < mBaseHashInterfaceCount; Index++) { + HashMask =3D GetApiHashMaskFromAlgo (&mHashOps[Index].HashGuid); + if ((HashMask & HashPolicy) !=3D 0) { + mHashOps[Index].HashFinal (HashCtx[0], &Digest); + break; + } + } + + return EFI_SUCCESS; +} + +/** + This service registers Hash Interface. + + @param HashInterface Hash interface + + @retval EFI_SUCCESS This hash interface is registered successfu= lly. + @retval EFI_UNSUPPORTED System does not support register this inter= face. + @retval EFI_ALREADY_STARTED System already register this interface. +**/ +EFI_STATUS +EFIAPI +RegisterHashApiLib ( + IN HASH_INTERFACE_UNIFIED_API *HashInterface + ) +{ + UINTN Index; + UINT32 HashMask; + + // + // Check Allow + // + HashMask =3D GetApiHashMaskFromAlgo (&HashInterface->HashGuid); + + + if (mBaseHashInterfaceCount >=3D sizeof(mHashOps)/sizeof(mHashOps[0])) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Check duplication + // + for (Index =3D 0; Index < mBaseHashInterfaceCount; Index++) { + if (CompareGuid (&mHashOps[Index].HashGuid, &HashInterface->HashGuid))= { + DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has already been registere= d\n", &HashInterface->HashGuid)); + return EFI_ALREADY_STARTED; + } + } + + // + // Register the Hash Algo. + // + mCurrentHashMask =3D mCurrentHashMask | HashMask; + + CopyMem (&mHashOps[mBaseHashInterfaceCount], HashInterface, sizeof(*Hash= Interface)); + mBaseHashInterfaceCount ++; + + DEBUG ((DEBUG_INFO,"RegisterHashApiLib: mBaseHashInterfaceCount update t= o 0x%x \n", mBaseHashInterfaceCount)); + + return EFI_SUCCESS; +} =20 /** The constructor function of BaseHashLib Dxe. @@ -45,18 +240,13 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EIT= HER EXPRESS OR IMPLIED. **/ EFI_STATUS EFIAPI -BaseHashLibApiPeiConstructor ( +BaseHashLibApiDxeConstructor ( IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable ) { - EFI_STATUS Status; - - // - // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module. - // - Status =3D PcdSet32S (PcdHashAlgorithmBitmap, 0); - ASSERT_EFI_ERROR (Status); + mBaseHashInterfaceCount =3D 0; + mCurrentHashMask =3D 0; =20 return EFI_SUCCESS; } \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c b/SecurityPkg= /Library/BaseHashLib/BaseHashLibPei.c index 8ffe356b60e7..0fd0e2f42612 100644 --- a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c @@ -30,8 +30,318 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH= ER EXPRESS OR IMPLIED. #include #include #include +#include +#include =20 -#include "BaseHashLib.h" +#include +#include "BaseHashLibCommon.h" + +#define BASEHASH_LIB_PEI_ROUTER_GUID \ + { 0x19ea22c7, 0xf870, 0x4b5e, { 0x98, 0x86, 0x9c, 0x29, 0xb2, 0x20, 0xf0= , 0x39 } } + + +EFI_GUID mBaseHashLibPeiRouterGuid =3D BASEHASH_LIB_PEI_ROUTER_GUID; + +typedef struct { + // + // If gZeroGuid, SupportedHashMask is 0 for FIRST module which consumes = HashLib + // or the hash algorithm bitmap of LAST module which consumes HashLib. + // HashInterfaceCount and HashInterface are all 0. + // If gEfiCallerIdGuid, HashInterfaceCount, HashInterface and SupportedH= ashMask + // are the hash interface information of CURRENT module which consumes= HashLib. + // + EFI_GUID Identifier; + UINTN HashInterfaceCount; + HASH_INTERFACE_UNIFIED_API HashInterface[HASH_ALGO_COUNT]; + UINT32 SupportedHashMask; +} HASH_INTERFACE_HOB; + + +UINT32 +EFIAPI +GetApiHashMaskFromAlgo ( + IN EFI_GUID *HashGuid + ) +{ + UINTN Index; + + for (Index =3D 0; Index < sizeof(mHashMask)/sizeof(mHashMask[0]); Index+= +) { + if (CompareGuid (HashGuid, &mHashMask[Index].Guid)) { + return mHashMask[Index].Mask; + } + } + return 0; +} + +/** + This function gets hash interface hob. + + @param Identifier Identifier to get hash interface hob. + + @retval hash interface hob. +**/ +HASH_INTERFACE_HOB * +InternalGetBaseHashInterfaceHob ( + EFI_GUID *Identifier + ) +{ + EFI_PEI_HOB_POINTERS Hob; + HASH_INTERFACE_HOB *HashInterfaceHob; + + Hob.Raw =3D GetFirstGuidHob (&mBaseHashLibPeiRouterGuid); + while (Hob.Raw !=3D NULL) { + HashInterfaceHob =3D GET_GUID_HOB_DATA (Hob); + if (CompareGuid (&HashInterfaceHob->Identifier, Identifier)) { + // + // Found the matched one. + // + return HashInterfaceHob; + } + Hob.Raw =3D GET_NEXT_HOB (Hob); + Hob.Raw =3D GetNextGuidHob (&mBaseHashLibPeiRouterGuid, Hob.Raw); + } + + return NULL; +} + +/** + This function creates hash interface hob. + + @param Identifier Identifier to create hash interface hob. + + @retval hash interface hob. +**/ +HASH_INTERFACE_HOB * +InternalCreateBaseHashInterfaceHob ( + EFI_GUID *Identifier + ) +{ + HASH_INTERFACE_HOB LocalHashInterfaceHob; + + ZeroMem (&LocalHashInterfaceHob, sizeof(LocalHashInterfaceHob)); + CopyGuid (&LocalHashInterfaceHob.Identifier, Identifier); + return BuildGuidDataHob (&mBaseHashLibPeiRouterGuid, &LocalHashInterface= Hob, sizeof(LocalHashInterfaceHob)); +} + +/** + Init hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash start and HashHandle returned. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiInit ( + OUT HASH_HANDLE *HashHandle +) +{ + HASH_HANDLE *HashCtx; + HASH_INTERFACE_HOB *HashInterfaceHob; + UINTN Index; + UINT32 HashMask; + UINT32 HashPolicy; + + HashInterfaceHob =3D InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid); + if (HashInterfaceHob =3D=3D NULL) { + return EFI_UNSUPPORTED; + } + + HashPolicy =3D PcdGet32 (PcdSystemHashPolicy); + + if ((HashInterfaceHob->HashInterfaceCount =3D=3D 0) || !(HashInterfaceHo= b->SupportedHashMask & HashPolicy)) { + DEBUG ((DEBUG_INFO,"Unsupported Hash Type 0x%x \n", HashPolicy)); + return EFI_UNSUPPORTED; + } + + HashCtx =3D AllocatePool (sizeof(*HashCtx)); + ASSERT (HashCtx !=3D NULL); + + for (Index =3D 0; Index < HashInterfaceHob->HashInterfaceCount; Index++)= { + HashMask =3D GetApiHashMaskFromAlgo (&HashInterfaceHob->HashInterface[= Index].HashGuid); + if ((HashMask & HashPolicy) !=3D 0) { + HashInterfaceHob->HashInterface[Index].HashInit (HashCtx); + break; + } + } + + // Check for hash type supported + if(Index =3D=3D HashInterfaceHob->HashInterfaceCount) + return EFI_UNSUPPORTED; + + *HashHandle =3D (HASH_HANDLE)HashCtx; + + return EFI_SUCCESS; +} + +/** + Update hash data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash updated. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen +) +{ + HASH_INTERFACE_HOB *HashInterfaceHob; + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + UINT32 HashPolicy; + + HashInterfaceHob =3D InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid); + if (HashInterfaceHob =3D=3D NULL) { + return EFI_UNSUPPORTED; + } + + HashPolicy =3D PcdGet32 (PcdSystemHashPolicy); + + if ((HashInterfaceHob->HashInterfaceCount =3D=3D 0) || !(HashInterfaceHo= b->SupportedHashMask & HashPolicy)) { + DEBUG ((DEBUG_INFO,"Unsupported Hash Type 0x%x \n", HashPolicy)); + return EFI_UNSUPPORTED; + } + + HashCtx =3D (HASH_HANDLE *)HashHandle; + + for (Index =3D 0; Index < HashInterfaceHob->HashInterfaceCount; Index++)= { + HashMask =3D GetApiHashMaskFromAlgo (&HashInterfaceHob->HashInterface[= Index].HashGuid); + if ((HashMask & HashPolicy) !=3D 0) { + HashInterfaceHob->HashInterface[Index].HashUpdate (HashCtx[0], DataT= oHash, DataToHashLen); + break; + } + } + + // Check for hash type supported + if(Index =3D=3D HashInterfaceHob->HashInterfaceCount) { + return EFI_UNSUPPORTED; + } + + return EFI_SUCCESS; +} + +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +EFI_STATUS +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + OUT UINT8 *Digest +) +{ + HASH_INTERFACE_HOB *HashInterfaceHob; + HASH_HANDLE *HashCtx; + UINTN Index; + UINT32 HashMask; + UINT32 HashPolicy; + + HashInterfaceHob =3D InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid); + if (HashInterfaceHob =3D=3D NULL) { + return EFI_UNSUPPORTED; + } + + HashPolicy =3D PcdGet32 (PcdSystemHashPolicy); + + if ((HashInterfaceHob->HashInterfaceCount =3D=3D 0) || !(HashInterfaceHo= b->SupportedHashMask & HashPolicy)) { + DEBUG ((DEBUG_INFO,"Unsupported Hash Type 0x%x \n", HashPolicy)); + return EFI_UNSUPPORTED; + } + + HashCtx =3D (HASH_HANDLE *)HashHandle; + + for (Index =3D 0; Index < HashInterfaceHob->HashInterfaceCount; Index++)= { + HashMask =3D GetApiHashMaskFromAlgo (&HashInterfaceHob->HashInterface[= Index].HashGuid); + if (HashMask & HashPolicy) { + HashInterfaceHob->HashInterface[Index].HashFinal (HashCtx[0], &Diges= t); + break; + } + } + + // Check for hash type supported + if(Index =3D=3D HashInterfaceHob->HashInterfaceCount){ + return EFI_UNSUPPORTED; + } + + return EFI_SUCCESS; +} + +/** + This service registers Hash Interface. + + @param HashInterface Hash interface + + @retval EFI_SUCCESS This hash interface is registered successfu= lly. + @retval EFI_UNSUPPORTED System does not support register this inter= face. + @retval EFI_ALREADY_STARTED System already register this interface. +**/ +EFI_STATUS +EFIAPI +RegisterHashApiLib ( + IN HASH_INTERFACE_UNIFIED_API *HashInterface + ) +{ +// EFI_STATUS Status; + UINTN Index; + UINT32 HashMask; + HASH_INTERFACE_HOB *HashInterfaceHob; + + // + // Check Allow + // + HashMask =3D GetApiHashMaskFromAlgo (&HashInterface->HashGuid); + + HashInterfaceHob =3D InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid); + if (HashInterfaceHob =3D=3D NULL) { + HashInterfaceHob =3D InternalCreateBaseHashInterfaceHob (&gEfiCallerId= Guid); + if (HashInterfaceHob =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } else { + // Initialize SupportedHashMask + HashInterfaceHob->SupportedHashMask =3D 0; + } + } + + if (HashInterfaceHob->HashInterfaceCount >=3D HASH_COUNT) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Check duplication + // + for (Index =3D 0; Index < HashInterfaceHob->HashInterfaceCount; Index++)= { + if (CompareGuid (&HashInterfaceHob->HashInterface[Index].HashGuid, &Ha= shInterface->HashGuid)) { + DEBUG ((DEBUG_ERROR, "Hash Interface (%g) has been already registere= d\n", &HashInterface->HashGuid)); + return EFI_ALREADY_STARTED; + } + } + + // + // Register the Hash Algo. + // + HashInterfaceHob->SupportedHashMask =3D HashInterfaceHob->SupportedHashM= ask | HashMask; + + CopyMem (&HashInterfaceHob->HashInterface[HashInterfaceHob->HashInterfac= eCount], HashInterface, sizeof(*HashInterface)); + HashInterfaceHob->HashInterfaceCount ++; + + DEBUG ((DEBUG_INFO,"RegisterHashApiLib: HashInterfaceCount 0x%x Support= edHashMask 0x%x \n", HashInterfaceHob->HashInterfaceCount, HashInterfaceHo= b->SupportedHashMask)); + + return EFI_SUCCESS; +} =20 /** The constructor function of BaseHashLib Pei. @@ -50,13 +360,37 @@ BaseHashLibApiPeiConstructor ( IN CONST EFI_PEI_SERVICES **PeiServices ) { - EFI_STATUS Status; +// EFI_STATUS Status; + HASH_INTERFACE_HOB *HashInterfaceHob; =20 - // - // Set PcdHashAlgorithmBitmap to 0 in CONSTRUCTOR for CURRENT module. - // - Status =3D PcdSet32S (PcdHashAlgorithmBitmap, 0); - ASSERT_EFI_ERROR (Status); + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n")); + + + HashInterfaceHob =3D InternalGetBaseHashInterfaceHob (&gZeroGuid); + if (HashInterfaceHob =3D=3D NULL) { + // + // No HOB with gZeroGuid Identifier has been created, + // this is FIRST module which consumes HashLib. + // Create the HOB with gZeroGuid Identifier. + // + HashInterfaceHob =3D InternalCreateBaseHashInterfaceHob (&gZeroGuid); + if (HashInterfaceHob =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + } + + HashInterfaceHob =3D InternalGetBaseHashInterfaceHob (&gEfiCallerIdGuid); + if (HashInterfaceHob !=3D NULL) { + // + // In PEI phase, some modules may call RegisterForShadow and will be + // shadowed and executed again after memory is discovered. + // This is the second execution of this module, clear the hash interfa= ce + // information registered at its first execution. + // + ZeroMem (&HashInterfaceHob->HashInterface, sizeof (HashInterfaceHob->H= ashInterface)); + HashInterfaceHob->HashInterfaceCount =3D 0; + HashInterfaceHob->SupportedHashMask =3D 0; + } =20 return EFI_SUCCESS; } \ No newline at end of file diff --git a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c = b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c index 06e88f00d70b..175499e7609c 100644 --- a/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c +++ b/SecurityPkg/Library/HashApiInstanceSha1/HashApiInstanceSha1.c @@ -13,7 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include -#include +#include =20 /** Start hash sequence. diff --git a/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha25= 6.c b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c index 129d60a387fd..9222a12a3273 100644 --- a/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c +++ b/SecurityPkg/Library/HashApiInstanceSha256/HashApiInstanceSha256.c @@ -13,7 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include -#include +#include =20 /** Start hash sequence. diff --git a/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha38= 4.c b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c index 0d1b8f3e877a..c23b1a567172 100644 --- a/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c +++ b/SecurityPkg/Library/HashApiInstanceSha384/HashApiInstanceSha384.c @@ -13,7 +13,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include -#include +#include =20 /** Start hash sequence. diff --git a/SecurityPkg/Include/Library/BaseHashLib.h b/SecurityPkg/Includ= e/Library/BaseHashLib.h new file mode 100644 index 000000000000..36dd2912d7eb --- /dev/null +++ b/SecurityPkg/Include/Library/BaseHashLib.h @@ -0,0 +1,153 @@ +/** @file + The internal header file includes the common header files, defines + internal structure and functions used by ImageVerificationLib. + +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#ifndef __BASEHASHLIB_H_ +#define __BASEHASHLIB_H_ + +#include +#include +#include + +// +// Hash Algorithms +// +#define HASH_ALG_DEFAULT 0x00000000 +#define HASH_ALG_SHA1 0x00000001 +#define HASH_ALG_SHA256 0x00000002 +#define HASH_ALG_SHA384 0x00000004 +#define HASH_ALG_SHA512 0x00000008 +#define HASH_ALG_SM3_256 0x00000010 + + +/** + Init hash sequence. + + @param HashType Type of hash algorithm. + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash start and HashHandle returned. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiInit ( + IN UINT32 HashType, + OUT HASH_HANDLE *HashHandle +); + +/** + Update hash data. + + @param HashHandle Hash handle. + @param HashType Type of hash algorithm. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash updated. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +EFI_STATUS +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN UINT32 HashType, + IN VOID *DataToHash, + IN UINTN DataToHashLen +); + +/** + Hash complete. + + @param HashHandle Hash handle. + @param HashType Type of hash algorithm. + @param Digest Hash Digest. + + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +EFI_STATUS +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + IN UINT32 HashType, + OUT UINT8 *Digest +); + +/** + Start hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash sequence start and HandleHandle return= ed. + @retval EFI_OUT_OF_RESOURCES No enough resource to start hash. +**/ +typedef +EFI_STATUS +(EFIAPI *BASE_HASH_INIT) ( + OUT HASH_HANDLE *HashHandle + ); + +/** + Update hash sequence data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash sequence updated. +**/ +typedef +EFI_STATUS +(EFIAPI *BASE_HASH_UPDATE) ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ); + +/** + Hash complete. + @param HashHandle Hash handle. + @param Digest Hash Digest. + @retval EFI_SUCCESS Hash complete and Digest is returned. +**/ +typedef +EFI_STATUS +(EFIAPI *BASE_HASH_FINAL_EX) ( + IN HASH_HANDLE HashHandle, + OUT UINT8 **Digest + ); + +typedef struct { + EFI_GUID HashGuid; + BASE_HASH_INIT HashInit; + BASE_HASH_UPDATE HashUpdate; + BASE_HASH_FINAL_EX HashFinal; +} HASH_INTERFACE_UNIFIED_API; + +/** + This service registers Hash Interface. + + @param HashInterface Hash interface + + @retval EFI_SUCCESS This hash interface is registered successfu= lly. + @retval EFI_UNSUPPORTED System does not support register this inter= face. + @retval EFI_ALREADY_STARTED System already register this interface. +**/ +EFI_STATUS +EFIAPI +RegisterHashApiLib ( + IN HASH_INTERFACE_UNIFIED_API *HashInterface +); + +#endif \ No newline at end of file diff --git a/SecurityPkg/Include/Library/HashLib.h b/SecurityPkg/Include/Li= brary/HashLib.h index 740cb8188e51..6ad960ad70ee 100644 --- a/SecurityPkg/Include/Library/HashLib.h +++ b/SecurityPkg/Include/Library/HashLib.h @@ -87,53 +87,6 @@ HashAndExtend ( OUT TPML_DIGEST_VALUES *DigestList ); =20 -/** - Init hash sequence. - - @param HashHandle Hash handle. - - @retval EFI_SUCCESS Hash start and HashHandle returned. - @retval EFI_UNSUPPORTED System has no HASH library registered. -**/ -EFI_STATUS -EFIAPI -HashApiInit ( - OUT HASH_HANDLE *HashHandle -); - -/** - Update hash data. - - @param HashHandle Hash handle. - @param DataToHash Data to be hashed. - @param DataToHashLen Data size. - - @retval EFI_SUCCESS Hash updated. - @retval EFI_UNSUPPORTED System has no HASH library registered. -**/ -EFI_STATUS -EFIAPI -HashApiUpdate ( - IN HASH_HANDLE HashHandle, - IN VOID *DataToHash, - IN UINTN DataToHashLen -); - -/** - Hash complete. - - @param HashHandle Hash handle. - @param Digest Hash Digest. - - @retval EFI_SUCCESS Hash complete and Digest is returned. -**/ -EFI_STATUS -EFIAPI -HashApiFinal ( - IN HASH_HANDLE HashHandle, - OUT UINT8 *Digest -); - /** Start hash sequence. =20 @@ -180,21 +133,6 @@ EFI_STATUS OUT TPML_DIGEST_VALUES *DigestList ); =20 -/** - Hash complete. - - @param HashHandle Hash handle. - @param Digest Hash Digest. - - @retval EFI_SUCCESS Hash complete and Digest is returned. -**/ -typedef -EFI_STATUS -(EFIAPI *HASH_FINAL_EX) ( - IN HASH_HANDLE HashHandle, - OUT UINT8 **Digest - ); - #define HASH_ALGORITHM_SHA1_GUID EFI_HASH_ALGORITHM_SHA1_GUID #define HASH_ALGORITHM_SHA256_GUID EFI_HASH_ALGORITHM_SHA256_GUID #define HASH_ALGORITHM_SHA384_GUID EFI_HASH_ALGORITHM_SHA384_GUID @@ -211,13 +149,6 @@ typedef struct { HASH_FINAL HashFinal; } HASH_INTERFACE; =20 -typedef struct { - EFI_GUID HashGuid; - HASH_INIT HashInit; - HASH_UPDATE HashUpdate; - HASH_FINAL_EX HashFinal; -} HASH_INTERFACE_UNIFIED_API; - /** This service register Hash. =20 @@ -233,18 +164,4 @@ RegisterHashInterfaceLib ( IN HASH_INTERFACE *HashInterface ); =20 -/** - This service registers Hash Interface. - - @param HashInterface Hash interface - - @retval EFI_SUCCESS This hash interface is registered successfu= lly. - @retval EFI_UNSUPPORTED System does not support register this inter= face. - @retval EFI_ALREADY_STARTED System already register this interface. -**/ -EFI_STATUS -EFIAPI -RegisterHashApiLib ( - IN HASH_INTERFACE_UNIFIED_API *HashInterface -); #endif diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLib.h b/SecurityPkg/Li= brary/BaseHashLib/BaseHashLib.h deleted file mode 100644 index 70676c1716c3..000000000000 --- a/SecurityPkg/Library/BaseHashLib/BaseHashLib.h +++ /dev/null @@ -1,85 +0,0 @@ -/** @file - The internal header file includes the common header files, defines - internal structure and functions used by ImageVerificationLib. - -Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD = License -which accompanies this distribution. The full text of the license may be = found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. - -**/ - -#ifndef __BASEHASHLIB_H_ -#define __BASEHASHLIB_H_ - -#define HASH_ALGO_COUNT 7 - -// -// Hash Algorithms -// -#define HASH_ALG_SHA1 0x00000001 -#define HASH_ALG_SHA256 0x00000002 -#define HASH_ALG_SHA384 0x00000004 -#define HASH_ALG_SHA512 0x00000008 -#define HASH_ALG_SM3_256 0x00000010 -#if 0 -typedef=20 -UINTN -(EFIAPI *GET_HASH_CTX_SIZE) ( - VOID - ); - -typedef -BOOLEAN -(EFIAPI *_HASH_INIT) ( - OUT VOID *ShaContext - ); - -typedef -BOOLEAN -(EFIAPI *_HASH_DUPLICATE) ( - IN CONST VOID *ShaContext, - OUT VOID *NewShaContext - ); - -typedef -BOOLEAN -(EFIAPI *_HASH_UPDATE) ( - IN OUT VOID *ShaContext, - IN CONST VOID *Data, - IN UINTN DataSize - ); - -typedef -BOOLEAN -(EFIAPI *_HASH_FINAL) ( - IN OUT VOID *ShaContext, - OUT UINT8 *HashValue - ); - -HASH_ALGO_IDX -GetHashAlgoIndex ( - VOID -); - -typedef struct { - HASH_ALGO_IDX HashAlgo; - GET_HASH_CTX_SIZE GetHashCtxSize; - _HASH_INIT HashInit; - _HASH_DUPLICATE HashDuplicate; - _HASH_UPDATE HashUpdate; - _HASH_FINAL HashFinal; -} HASH_OPERATIONS; - - -EFI_STATUS -EFIAPI -RegisterHashLib ( - IN HASH_OPERATIONS *HashInterface -); -#endif -#endif \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h b/Security= Pkg/Library/BaseHashLib/BaseHashLibCommon.h new file mode 100644 index 000000000000..dc4839d16600 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h @@ -0,0 +1,35 @@ +/** @file + The internal header file includes the common header files, defines + internal structure and functions used by ImageVerificationLib. + +Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#ifndef __BASEHASHLIB_COMMON_H_ +#define __BASEHASHLIB_COMMON_H_ + +#define HASH_ALGO_COUNT 5 + + +typedef struct { + EFI_GUID Guid; + UINT32 Mask; +} HASH_MASK; + +HASH_MASK mHashMask[] =3D { + {HASH_ALGORITHM_SHA1_GUID, HASH_ALG_SHA1}, + {HASH_ALGORITHM_SHA256_GUID, HASH_ALG_SHA256}, + {HASH_ALGORITHM_SHA384_GUID, HASH_ALG_SHA384}, + {HASH_ALGORITHM_SHA512_GUID, HASH_ALG_SHA512}, + {HASH_ALGORITHM_SM3_256_GUID, HASH_ALG_SM3_256}, +}; + +#endif \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/SecurityP= kg/Library/BaseHashLib/BaseHashLibDxe.inf index f5dcbedb2cd9..a8d6c0f37570 100644 --- a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf @@ -43,7 +43,5 @@ [LibraryClasses] PcdLib =20 [Pcd] - gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES - gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES =20 diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf b/SecurityP= kg/Library/BaseHashLib/BaseHashLibPei.inf index 07e95a5a9c0f..872989f2352d 100644 --- a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf @@ -44,7 +44,5 @@ [LibraryClasses] PcdLib =20 [Pcd] - gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask ## CONSUMES - gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap ## CONSUMES - gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES =20 diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index b03677a5411c..2f31b0192fdb 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -515,14 +515,5 @@ [PcdsDynamic, PcdsDynamicEx] # @ValidRange 0x80000001 | 0x00000000 - 0x00000005 gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x02|UINT32|0x00010024 =20 - ## This PCD indicated final BIOS supported Hash mask for Base Hash API. - # Bios may choose to register a subset of PcdTpm2HashMask. - # This PCD is final value of how many hash algo are registered with - # Base Hash API. - # This PCD will start with value 0 by the Base Hash API constructor and - # the value will be updated as Hash Algo are registered. - # @Prompt Hash Algorithm bitmap for Base Hash API. - gEfiSecurityPkgTokenSpaceGuid.PcdHashAlgorithmBitmap|0xFFFFFFFF|UINT32|0= x00010025 - [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni index 2dc77279210c..c9d12535b5f4 100644 --- a/SecurityPkg/SecurityPkg.uni +++ b/SecurityPkg/SecurityPkg.uni @@ -309,12 +309,3 @@ = "0x00000003 - SHA384.
\n" = "0x00000004 - SHA512.
\n" = "0x00000005 - SM3.
" - -#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_PROMPT #= language en-US "Hash Algorithm bitmap for Base Hash API." - -#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdHashAlgorithmBitmap_HELP #la= nguage en-US "This PCD indicated final BIOS supported Hash mask for Base Ha= sh API.\n" - = "Bios may choose to register a subset of PcdTpm2HashMask.
= \n" - = "This PCD is final value of how many hash algo are registered= with\n" - = "Base Hash API.
\n" - = "This PCD will start with value 0 by the Base Hash API constr= uctor and\n" - = "the value will be updated as Hash Algo are registered.
\n" --=20 2.16.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#52379): https://edk2.groups.io/g/devel/message/52379 Mute This Topic: https://groups.io/mt/68808200/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Thu May 2 08:21:28 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+52380+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+52380+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1576707400; cv=none; d=zohomail.com; s=zohoarc; b=Rnx8WfytQxl/Z7teTaXo7UKVvHSngh+a2iGFD++Bl56lBcJTyRG1wC2VlBr1SmYMm/iTD8gA5dOwf3FWO5e9TFciQmVkPWEhQjgwIHM8CWuQQj5mTJ3dbNhQFiK28lwm4I7ivb0wDKFMVFVWeZRmMyghdJdBQHmKr+StQBJcCIE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1576707400; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=oTabB9M5KbcXbbhLYICXH25sVsQwvorc/E/G6qarKVI=; b=P025Q408mZPqU+NrZiOuHlRrE3mO88ZTgr8ciEllkO4EraYlXF1Jj6gRMng1XE6RIE7TYUDPFDmBPmk0+tdSScR0N/BSqWkpB3w+zLCzEJU851AwfGIwJwK+NPnB/Co9oifZQuB5BDaarhWC81o+fA0jG4c1dUbmPhpoHxylilI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+52380+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1576707400447329.46232703201315; Wed, 18 Dec 2019 14:16:40 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id tgQUYY1788612xkUhHgWLsCv; Wed, 18 Dec 2019 14:16:40 -0800 X-Received: from mga14.intel.com (mga14.intel.com []) by mx.groups.io with SMTP id smtpd.web10.1987.1576705847293132972 for ; Wed, 18 Dec 2019 13:50:49 -0800 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Dec 2019 13:50:48 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,330,1571727600"; d="scan'208";a="240930696" X-Received: from ansukerk-mobl.amr.corp.intel.com ([10.78.16.174]) by fmsmga004.fm.intel.com with ESMTP; 18 Dec 2019 13:50:48 -0800 From: "Sukerkar, Amol N" To: devel@edk2.groups.io Cc: michael.d.kinney@intel.com, sachin.agrawal@intel.com, self, Subash Lakkimsetti Subject: [edk2-devel] [PATCH v1 6/6] SecurityPkg/HashApiInstanceSM3: Implement API registration mechanism for SM3 Date: Wed, 18 Dec 2019 14:50:37 -0700 Message-Id: <20191218215037.1630-7-amol.n.sukerkar@intel.com> In-Reply-To: <20191218215037.1630-1-amol.n.sukerkar@intel.com> References: <20191218215037.1630-1-amol.n.sukerkar@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,amol.n.sukerkar@intel.com X-Gm-Message-State: e1cSsowQkyVeNJndNdYTgP0nx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1576707400; bh=YkNlt94XSOwkUd9Qt+Ph7iFiNbXX2Ck1Kn1ZvfsrkRI=; h=Cc:Date:From:Reply-To:Subject:To; b=LyQgjiG2TEF2rT8z8CQYwl/OTsU2O6RkloXqWOUDK5YpXfGEPKO4yOELUgieJpFSFH4 Hyga0DhClemFJEIfO3Aay7EQ4F7oifb/+nxGOLfztD76+e8XGYGWAcK7ClAKWdMfI7/5F P41rhsDb32plkf4tcFg4e0+N45omb0aHrOY= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This is the HashApiInstance implementation for SM3 which registers the SM3 hash library in CryptoPkg with BaseHashLib based on whether a platform supp= orts SM3 hash algorithm. Signed-off-by: Subash Lakkimsetti Signed-off-by: Sukerkar, Amol N --- SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.c | 128 ++++++= ++++++++++++++ SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.inf | 40 ++++++ SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.uni | 16 +++ 3 files changed, 184 insertions(+) diff --git a/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.c b/= SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.c new file mode 100644 index 000000000000..391f482c1520 --- /dev/null +++ b/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.c @@ -0,0 +1,128 @@ +/** @file + This library is BaseCrypto Sm3 hash instance. + It can be registered to BaseCrypto router, to serve as hash engine. + +Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include + +/** + Start hash sequence. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash sequence start and HandleHandle return= ed. + @retval EFI_OUT_OF_RESOURCES No enough resource to start hash. +**/ +EFI_STATUS +EFIAPI +Sm3_Init ( + OUT HASH_HANDLE *HashHandle + ) +{ + VOID *Sm3Ctx; + UINTN CtxSize; + + CtxSize =3D Sm3GetContextSize (); + Sm3Ctx =3D AllocatePool (CtxSize); + ASSERT (Sm3Ctx !=3D NULL); + + Sm3Init (Sm3Ctx); + + *HashHandle =3D (HASH_HANDLE)Sm3Ctx; + + return EFI_SUCCESS; +} + +/** + Update hash sequence data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval EFI_SUCCESS Hash sequence updated. +**/ +EFI_STATUS +EFIAPI +Sm3_Update ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ) +{ + VOID *Sm3Ctx; + + Sm3Ctx =3D (VOID *)HashHandle; + Sm3Update (Sm3Ctx, DataToHash, DataToHashLen); + + return EFI_SUCCESS; +} + +/** + Complete hash sequence complete. + + @param HashHandle Hash handle. + @param DigestList Digest list. + + @retval EFI_SUCCESS Hash sequence complete and DigestList is returne= d. +**/ +EFI_STATUS +EFIAPI +Sm3_Final ( + IN HASH_HANDLE HashHandle, + OUT UINT8 **Digest + ) +{ + UINT8 Sm3Digest[SM3_256_DIGEST_SIZE]; + VOID *Sm3Ctx; + + Sm3Ctx =3D (VOID *)HashHandle; + Sm3Final (Sm3Ctx, Sm3Digest); + + CopyMem (*Digest, Sm3Digest, SM3_256_DIGEST_SIZE); + + FreePool (Sm3Ctx); + + return EFI_SUCCESS; +} + +HASH_INTERFACE_UNIFIED_API mSm3InternalHashApiInstance =3D { + HASH_ALGORITHM_SM3_256_GUID, + Sm3_Init, + Sm3_Update, + Sm3_Final, +}; + +/** + The function register Sm3 instance. + + @retval EFI_SUCCESS Sm3 instance is registered, or system dose not sur= pport registr Sm3 instance +**/ +EFI_STATUS +EFIAPI +HashApiInstanceSm3Constructor ( + VOID + ) +{ + EFI_STATUS Status; + + Status =3D RegisterHashApiLib (&mSm3InternalHashApiInstance); + if ((Status =3D=3D EFI_SUCCESS) || (Status =3D=3D EFI_UNSUPPORTED)) { + // + // Unsupported means platform policy does not need this instance enabl= ed. + // + DEBUG ((DEBUG_ERROR, "[ansukerk]: Hash Interface Sm3 is registered\n")= ); + return EFI_SUCCESS; + } + return Status; +} diff --git a/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.inf = b/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.inf new file mode 100644 index 000000000000..ae328bfbf41f --- /dev/null +++ b/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.inf @@ -0,0 +1,40 @@ +## @file +# Provides BaseCrypto SM3 hash service +# +# This library can be registered to BaseCrypto router, to serve as hash e= ngine. +# +# Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D HashApiInstanceSm3 + MODULE_UNI_FILE =3D HashApiInstanceSm3.uni + FILE_GUID =3D 9A7A6AB4-9DA6-4aa4-90CB-6D4B79EDA7B9 + MODULE_TYPE =3D BASE + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D NULL + CONSTRUCTOR =3D HashApiInstanceSm3Constructor + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + HashApiInstanceSm3.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib diff --git a/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.uni = b/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.uni new file mode 100644 index 000000000000..8f9712b1520e --- /dev/null +++ b/SecurityPkg/Library/HashApiInstanceSm3/HashApiInstanceSm3.uni @@ -0,0 +1,16 @@ +// /** @file +// Provides BaseCrypto SM3 hash service +// +// This library can be registered to BaseCrypto router, to serve as hash e= ngine. +// +// Copyright (c) 2019, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides BaseCryp= to SM3 hash service API" + +#string STR_MODULE_DESCRIPTION #language en-US "This library can = be registered to Base Hash API, to serve as hash engine." + --=20 2.16.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#52380): https://edk2.groups.io/g/devel/message/52380 Mute This Topic: https://groups.io/mt/68808201/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-