From: "Sukerkar, Amol N"
To: devel@edk2.groups.io
Cc: sachin.agrawal@intel.com, srinivas.musti@intel.com, "Sukerkar, Amol N", Jiewen Yao, Jian J Wang, Michael D Kinney, Sukerkar
Subject: [edk2-devel] [PATCH v1 1/1] SecurityPkg: BaseHashLib: Implement Unified Hash API-for-
Date: Mon, 13 Jan 2020 12:39:32 -0700
Message-Id: <20200113193932.2167-2-amol.n.sukerkar@intel.com>
In-Reply-To: <20200113193932.2167-1-amol.n.sukerkar@intel.com>
References: <20200113193932.2167-1-amol.n.sukerkar@intel.com>

From: "Sukerkar, Amol N" This commit introduces a Unified Hash API to calculate hash using a hashing algorithm specified by the PCD, PcdSystemHashPolicy. This library interfaces with the various hashing API, such as, MD4, MD5, SHA1, SHA256, SHA512 and SM3_256 implemented in CryptoPkg. The user can calculate the desired hash by setting PcdSystemHashPolicy to appropriate value. Cc: Jiewen Yao Cc: Jian J Wang Cc: Michael D Kinney Signed-off-by: Sukerkar, Amol N --- SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c | 252 ++++++++++++++++= ++++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c | 122 ++++++++++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c | 125 ++++++++++ SecurityPkg/Include/Library/BaseHashLib.h | 84 +++++++ SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h | 71 ++++++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf | 47 ++++ SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni | 18 ++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf | 52 ++++ SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni | 17 ++ SecurityPkg/SecurityPkg.dec | 23 +- SecurityPkg/SecurityPkg.dsc | 10 +- SecurityPkg/SecurityPkg.uni | 15 +- 12 files changed, 833 insertions(+), 3 deletions(-) diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c b/Security= Pkg/Library/BaseHashLib/BaseHashLibCommon.c new file mode 100644 index 000000000000..f8742e55b5f7 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.c 
@@ -0,0 +1,252 @@ +/** @file + Implement image verification services for secure boot service + + Caution: This file requires additional review when modified. + This library will have external input - PE/COFF image. + This external input must be validated carefully to avoid security issue = like + buffer overflow, integer overflow. + + DxeImageVerificationLibImageRead() function will make sure the PE/COFF i= mage content + read is within the image buffer. + + DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() functi= on will accept + untrusted PE/COFF image and validate its data structure within this imag= e buffer before use. + +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+(C) Copyright 2016 Hewlett Packard Enterprise Development LP
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#include +#include +#include +#include +#include +#include +#include + +/** + Init hash sequence with Hash Algorithm specified by HashPolicy. + + @param HashPolicy Hash Algorithm Policy. + @param HashHandle Hash handle. + + @retval TRUE Hash start and HashHandle returned. + @retval FALSE Hash Init unsuccessful. +**/ +BOOLEAN +EFIAPI +HashInitInternal ( + IN UINT8 HashPolicy,=20 + OUT HASH_HANDLE *HashHandle + ) +{ + BOOLEAN Status; + VOID *HashCtx; + UINTN CtxSize; + + switch (HashPolicy) { + case HASH_MD4: + CtxSize =3D Md4GetContextSize (); + HashCtx =3D AllocatePool (CtxSize); + ASSERT (HashCtx !=3D NULL); + + Status =3D Md4Init (HashCtx); + break; + + case HASH_MD5: + CtxSize =3D Md5GetContextSize (); + HashCtx =3D AllocatePool (CtxSize); + ASSERT (HashCtx !=3D NULL); + + Status =3D Md5Init (HashCtx); + break; + + case HASH_SHA1: + CtxSize =3D Sha1GetContextSize (); + HashCtx =3D AllocatePool (CtxSize); + ASSERT (HashCtx !=3D NULL); + + Status =3D Sha1Init (HashCtx); + break; + =20 + case HASH_SHA256: + CtxSize =3D Sha256GetContextSize (); + HashCtx =3D AllocatePool (CtxSize); + ASSERT (HashCtx !=3D NULL); + + Status =3D Sha256Init (HashCtx); + break; + + case HASH_SHA384: + CtxSize =3D Sha384GetContextSize (); + HashCtx =3D AllocatePool (CtxSize); + ASSERT (HashCtx !=3D NULL); + + Status =3D Sha384Init (HashCtx); + break; + + case HASH_SHA512: + CtxSize =3D Sha512GetContextSize (); + HashCtx =3D AllocatePool (CtxSize); + ASSERT (HashCtx !=3D NULL); + + Status =3D Sha512Init (HashCtx); + break; + + case HASH_SM3_256: + CtxSize =3D 
Sm3GetContextSize (); + HashCtx =3D AllocatePool (CtxSize); + ASSERT (HashCtx !=3D NULL); + + Status =3D Sm3Init (HashCtx); + break; + + default: + ASSERT (FALSE); + break; + } + + *HashHandle =3D (HASH_HANDLE)HashCtx; + + return Status; +} + +/** + Update hash data with Hash Algorithm specified by HashPolicy. + + @param HashPolicy Hash Algorithm Policy. + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval TRUE Hash updated. + @retval FALSE Hash updated unsuccessful. +**/ +BOOLEAN +EFIAPI +HashUpdateInternal ( + IN UINT8 HashPolicy, + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ) +{ + BOOLEAN Status; + VOID *HashCtx; + + HashCtx =3D (VOID *)HashHandle; + + switch (HashPolicy) { + case HASH_MD4: + Status =3D Md4Update (HashCtx, DataToHash, DataToHashLen); + break; + + case HASH_MD5: + Status =3D Md5Update (HashCtx, DataToHash, DataToHashLen); + break; + + case HASH_SHA1: + Status =3D Sha1Update (HashCtx, DataToHash, DataToHashLen); + break; + =20 + case HASH_SHA256: + Status =3D Sha256Update (HashCtx, DataToHash, DataToHashLen); + break; + + case HASH_SHA384: + Status =3D Sha384Update (HashCtx, DataToHash, DataToHashLen); + break; + + case HASH_SHA512: + Status =3D Sha512Update (HashCtx, DataToHash, DataToHashLen); + break; + + case HASH_SM3_256: + Status =3D Sm3Update (HashCtx, DataToHash, DataToHashLen); + break; + + default: + ASSERT (FALSE); + break; + } + + return Status; +} + +/** + Hash complete with Hash Algorithm specified by HashPolicy. + + @param HashPolicy Hash Algorithm Policy. + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval TRUE Hash complete and Digest is returned. + @retval FALSE Hash complete unsuccessful. 
+**/ +BOOLEAN +EFIAPI +HashFinalInternal ( + IN UINT8 HashPolicy, + IN HASH_HANDLE HashHandle, + OUT UINT8 **Digest + ) +{ + BOOLEAN Status; + VOID *HashCtx; + UINT8 DigestData[SHA512_DIGEST_SIZE]; + + HashCtx =3D (VOID *)HashHandle; + + switch (HashPolicy) { + case HASH_MD4: + Status =3D Md4Final (HashCtx, DigestData); + CopyMem (*Digest, DigestData, MD4_DIGEST_SIZE); + break; + + case HASH_MD5: + Status =3D Md5Final (HashCtx, DigestData); + CopyMem (*Digest, DigestData, MD5_DIGEST_SIZE); + break; + + case HASH_SHA1: + Status =3D Sha1Final (HashCtx, DigestData); + CopyMem (*Digest, DigestData, SHA1_DIGEST_SIZE); + break; + =20 + case HASH_SHA256: + Status =3D Sha256Final (HashCtx, DigestData); + CopyMem (*Digest, DigestData, SHA256_DIGEST_SIZE); + break; + + case HASH_SHA384: + Status =3D Sha384Final (HashCtx, DigestData); + CopyMem (*Digest, DigestData, SHA384_DIGEST_SIZE); + break; + + case HASH_SHA512: + Status =3D Sha512Final (HashCtx, DigestData); + CopyMem (*Digest, DigestData, SHA512_DIGEST_SIZE); + break; + + case HASH_SM3_256: + Status =3D Sm3Final (HashCtx, DigestData); + CopyMem (*Digest, DigestData, SM3_256_DIGEST_SIZE); + break; + + default: + ASSERT (FALSE); + break; + } + + FreePool (HashCtx); + + return Status; +} \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c b/SecurityPkg= /Library/BaseHashLib/BaseHashLibDxe.c new file mode 100644 index 000000000000..ea22cfe16e2f --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.c @@ -0,0 +1,122 @@ +/** @file + This library is Unified Hash API. It will redirect hash request to + the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256, + SHA384 and SM3... + +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + + +#include +#include +#include +#include +#include +#include + +#include "BaseHashLibCommon.h" + +/** + Init hash sequence. + + @param HashHandle Hash handle. + + @retval TRUE Hash start and HashHandle returned. + @retval FALSE Hash Init unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiInit ( + OUT HASH_HANDLE *HashHandle +) +{ + BOOLEAN Status; + UINT8 HashPolicy; + HASH_HANDLE Handle; + + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); + + Status =3D HashInitInternal (HashPolicy, &Handle); + + *HashHandle =3D Handle; + + return Status; +} + +/** + Update hash data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval TRUE Hash updated. + @retval FALSE Hash updated unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen +) +{ + BOOLEAN Status; + UINT8 HashPolicy; + + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); + + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, DataT= oHashLen); + + return Status; +} + +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval TRUE Hash complete and Digest is returned. + @retval FALSE Hash complete unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + OUT UINT8 *Digest +) +{ + BOOLEAN Status; + UINT8 HashPolicy; + + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); + + Status =3D HashFinalInternal (HashPolicy, &HashHandle, &Digest); + + return Status; +} + +/** + The constructor function of BaseHashLib Dxe. + + @param FileHandle The handle of FFS header the loaded driver. + @param PeiServices The pointer to the PEI services. + + @retval EFI_SUCCESS The constructor executes successfully. + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constr= uctor. 
+ +**/ +EFI_STATUS +EFIAPI +BaseHashLibApiDxeConstructor ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiDxeConstructor.. \n")); + + return EFI_SUCCESS; +} \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c b/SecurityPkg= /Library/BaseHashLib/BaseHashLibPei.c new file mode 100644 index 000000000000..580ac21fc1d9 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.c @@ -0,0 +1,125 @@ +/** @file + This library is Unified Hash API. It will redirect hash request to + the hash handler specified by PcdSystemHashPolicy such as SHA1, SHA256, + SHA384 and SM3... + +Copyright (c) 2013 - 2020, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include "BaseHashLibCommon.h" + +/** + Init hash sequence. + + @param HashHandle Hash handle. + + @retval TRUE Hash start and HashHandle returned. + @retval FALSE Hash Init unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiInit ( + OUT HASH_HANDLE *HashHandle +) +{ + BOOLEAN Status; + UINT8 HashPolicy; + HASH_HANDLE Handle; + + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); + + Status =3D HashInitInternal (HashPolicy, &Handle); + + *HashHandle =3D Handle; + + return Status; +} + +/** + Update hash data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval TRUE Hash updated. + @retval FALSE Hash updated unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen +) +{ + BOOLEAN Status; + UINT8 HashPolicy; + + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); + + Status =3D HashUpdateInternal (HashPolicy, HashHandle, DataToHash, DataT= oHashLen); + + return Status; +} + +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval TRUE Hash complete and Digest is returned. + @retval FALSE Hash complete unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + OUT UINT8 *Digest +) +{ + BOOLEAN Status; + UINT8 HashPolicy; + + HashPolicy =3D PcdGet8 (PcdSystemHashPolicy); + + Status =3D HashFinalInternal (HashPolicy, HashHandle, &Digest); + + return Status; +} + +/** + The constructor function of BaseHashLib Pei. + + @param FileHandle The handle of FFS header the loaded driver. + @param PeiServices The pointer to the PEI services. + + @retval EFI_SUCCESS The constructor executes successfully. + @retval EFI_OUT_OF_RESOURCES There is no enough resource for the constr= uctor. 
+ +**/ +EFI_STATUS +EFIAPI +BaseHashLibApiPeiConstructor ( + IN EFI_PEI_FILE_HANDLE FileHandle, + IN CONST EFI_PEI_SERVICES **PeiServices + ) +{ + DEBUG ((DEBUG_INFO,"Calling BaseHashLibApiPeiConstructor.. \n")); + + return EFI_SUCCESS; +} \ No newline at end of file diff --git a/SecurityPkg/Include/Library/BaseHashLib.h b/SecurityPkg/Includ= e/Library/BaseHashLib.h new file mode 100644 index 000000000000..e1883fe7ce41 --- /dev/null +++ b/SecurityPkg/Include/Library/BaseHashLib.h @@ -0,0 +1,84 @@ +/** @file + The internal header file includes the common header files, defines + internal structure and functions used by ImageVerificationLib. + +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#ifndef __BASEHASHLIB_H_ +#define __BASEHASHLIB_H_ + +#include +#include +#include + +// +// Hash Algorithms +// +#define HASH_DEFAULT 0x00000000 +#define HASH_MD4 0x00000001 +#define HASH_MD5 0x00000002 +#define HASH_SHA1 0x00000003 +#define HASH_SHA256 0x00000004 +#define HASH_SHA384 0x00000005 +#define HASH_SHA512 0x00000006 +#define HASH_SM3_256 0x00000007 + + +/** + Init hash sequence. + + @param HashHandle Hash handle. + + @retval TRUE Hash start and HashHandle returned. + @retval FALSE Hash Init unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiInit ( + OUT HASH_HANDLE *HashHandle +); + +/** + Update hash data. + + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval TRUE Hash updated. + @retval FALSE Hash updated unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiUpdate ( + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen +); + +/** + Hash complete. + + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval TRUE Hash complete and Digest is returned. + @retval FALSE Hash complete unsuccessful. +**/ +BOOLEAN +EFIAPI +HashApiFinal ( + IN HASH_HANDLE HashHandle, + OUT UINT8 *Digest +); + +#endif \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h b/Security= Pkg/Library/BaseHashLib/BaseHashLibCommon.h new file mode 100644 index 000000000000..776b74ad753b --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibCommon.h 
@@ -0,0 +1,71 @@ +/** @file + The internal header file includes the common header files, defines + internal structure and functions used by ImageVerificationLib. + +Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#ifndef __BASEHASHLIB_COMMON_H_ +#define __BASEHASHLIB_COMMON_H_ + +/** + Init hash sequence with Hash Algorithm specified by HashPolicy. + + @param HashHandle Hash handle. + + @retval EFI_SUCCESS Hash start and HashHandle returned. + @retval EFI_UNSUPPORTED System has no HASH library registered. +**/ +BOOLEAN +EFIAPI +HashInitInternal ( + IN UINT8 HashPolicy,=20 + OUT HASH_HANDLE *HashHandle + ); + +/** + Hash complete with Hash Algorithm specified by HashPolicy. + + @param HashPolicy Hash Algorithm Policy. + @param HashHandle Hash handle. + @param Digest Hash Digest. + + @retval TRUE Hash complete and Digest is returned. + @retval FALSE Hash complete unsuccessful. +**/ +BOOLEAN +EFIAPI +HashUpdateInternal ( + IN UINT8 HashPolicy, + IN HASH_HANDLE HashHandle, + IN VOID *DataToHash, + IN UINTN DataToHashLen + ); + +/** + Update hash data with Hash Algorithm specified by HashPolicy. + + @param HashPolicy Hash Algorithm Policy. + @param HashHandle Hash handle. + @param DataToHash Data to be hashed. + @param DataToHashLen Data size. + + @retval TRUE Hash updated. + @retval FALSE Hash updated unsuccessful. +**/ +BOOLEAN +EFIAPI +HashFinalInternal ( + IN UINT8 HashPolicy, + IN HASH_HANDLE HashHandle, + OUT UINT8 **Digest + ); +#endif \ No newline at end of file diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf b/SecurityP= kg/Library/BaseHashLib/BaseHashLibDxe.inf new file mode 100644 index 000000000000..f97bda06108f --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf 
@@ -0,0 +1,47 @@ +## @file +# Provides hash service by registered hash handler +# +# This library is Base Hash Lib. It will redirect hash request to each in= dividual +# hash handler registered, such as SHA1, SHA256, SHA384, SM3.=20 +# +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D BaseHashLibDxe + MODULE_UNI_FILE =3D BaseHashLibDxe.uni + FILE_GUID =3D 158DC712-F15A-44dc-93BB-1675045BE066 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D BaseHashLib|DXE_DRIVER DXE_RUNTIME_DR= IVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER + CONSTRUCTOR =3D BaseHashLibApiDxeConstructor + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + BaseHashLibCommon.h + BaseHashLibCommon.c + BaseHashLibDxe.c + +[Packages] + MdePkg/MdePkg.dec + CryptoPkg/CryptoPkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib + PcdLib + +[Pcd] + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni b/SecurityP= kg/Library/BaseHashLib/BaseHashLibDxe.uni new file mode 100644 index 000000000000..1865773b4a25 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.uni @@ -0,0 +1,18 @@ +// /** @file +// Provides hash service by registered hash handler +// +// This library is Unified Hash API. It will redirect hash request to each= individual +// hash handler registered, such as SHA1, SHA256. Platform can use PcdTpm2= HashMask to +// mask some hash engines. +// +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides hash ser= vice by specified hash handler" + +#string STR_MODULE_DESCRIPTION #language en-US "This library is U= nified Hash API. It will redirect hash request to the hash handler specifie= d by PcdSystemHashPolicy." + diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf b/SecurityP= kg/Library/BaseHashLib/BaseHashLibPei.inf new file mode 100644 index 000000000000..4d36030744bd --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf @@ -0,0 +1,52 @@ +## @file +# Provides hash service by registered hash handler +# +# This library is BaseCrypto router. It will redirect hash request to eac= h individual +# hash handler registered, such as SHA1, SHA256.=20 +# +# Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D BaseHashLibPei + MODULE_UNI_FILE =3D BaseHashLibPei.uni + FILE_GUID =3D DDCBCFBA-8EEB-488a-96D6-097831A6E50B + MODULE_TYPE =3D PEIM + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D BaseHashLib|PEIM + CONSTRUCTOR =3D BaseHashLibApiPeiConstructor + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + BaseHashLibCommon.h + BaseHashLibCommon.c + BaseHashLibPei.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + MdeModulePkg/MdeModulePkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib + PcdLib + +[Guids] + ## SOMETIMES_CONSUMES ## GUID + gZeroGuid + +[Pcd] + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy ## CONSUMES diff --git a/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni b/SecurityP= kg/Library/BaseHashLib/BaseHashLibPei.uni new file mode 100644 index 000000000000..2131b61bd235 --- /dev/null +++ b/SecurityPkg/Library/BaseHashLib/BaseHashLibPei.uni @@ -0,0 +1,17 @@ +// /** @file +// Provides hash service by registered hash handler +// +// This library is Unified Hash API. It will redirect hash request to each= individual +// hash handler registered, such as SHA1, SHA256. +// +// Copyright (c) 2018 - 2020, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides hash ser= vice by specified hash handler" + +#string STR_MODULE_DESCRIPTION #language en-US "This library is U= nified Hash API. It will redirect hash request to the hash handler specifie= d by PcdSystemHashPolicy." + diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index cac36caf0a0d..e0e144124ddd 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -5,7 +5,7 @@ # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and lib= rary classes) # and libraries instances, which are used for those features. # -# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
# (C) Copyright 2015 Hewlett Packard Enterprise Development LP
# Copyright (c) 2017, Microsoft Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent @@ -27,6 +27,10 @@ [LibraryClasses] # HashLib|Include/Library/HashLib.h =20 + ## @libraryclass Provides hash interfaces from different implementatio= ns. + # + BaseHashLib|Include/Library/HashLib.h + ## @libraryclass Provides a platform specific interface to detect phys= ically present user. # PlatformSecureLib|Include/Library/PlatformSecureLib.h @@ -496,5 +500,22 @@ [PcdsDynamic, PcdsDynamicEx] # @Prompt Tpm2AcpiTableLasa LASA field in TPM2 ACPI table. gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableLasa|0|UINT64|0x00010023 =20 +[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] + ## This PCD indicates the HASH algorithm to verify unsigned PE/COFF image + # Based on the value set, the required algorithm is chosen to verify + # the unsigned image during Secure Boot.
+ # The hashing algorithm selected must match the hashing algorithm used = to + # hash the image to be added to DB using tools such as KeyEnroll.
+ # 0x00000001 - MD4.
+ # 0x00000002 - MD5.
+ # 0x00000003 - SHA1.
+ # 0x00000004 - SHA256.
+ # 0x00000005 - SHA384.
+ # 0x00000006 - SHA512.
+ # 0x00000007 - SM3_256.
+ # @Prompt Set policy for hashing unsigned image for Secure Boot. + # @ValidRange 0x80000001 | 0x00000001 - 0x00000007 + gEfiSecurityPkgTokenSpaceGuid.PcdSystemHashPolicy|0x04|UINT8|0x00010024 + [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index a2eeadda7a7e..86a5847e2509 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -1,7 +1,7 @@ ## @file # Security Module Package for All Architectures. # -# Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
# (C) Copyright 2015 Hewlett Packard Enterprise Development LP
# SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -95,6 +95,7 @@ [LibraryClasses.common.PEIM] Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/P= eiTcg2PhysicalPresenceLib.inf RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf =20 [LibraryClasses.common.DXE_DRIVER] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf @@ -110,6 +111,7 @@ [LibraryClasses.common.DXE_DRIVER] Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i= nf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf + BaseHashLib|SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf =20 [LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_RUNTIME_DRIV= ER, LibraryClasses.common.DXE_SAL_DRIVER,] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf @@ -211,6 +213,12 @@ [Components] =20 SecurityPkg/Library/HashLibTpm2/HashLibTpm2.inf =20 + # + # Unified Hash API + # + SecurityPkg/Library/BaseHashLib/BaseHashLibDxe.inf + SecurityPkg/Library/BaseHashLib/BaseHashLibPei.inf + # # TCG Storage. # diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni index 68587304d779..32ef97f81461 100644 --- a/SecurityPkg/SecurityPkg.uni +++ b/SecurityPkg/SecurityPkg.uni @@ -5,7 +5,7 @@ // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and lib= rary classes) // and libraries instances, which are used for those features. // -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
// // SPDX-License-Identifier: BSD-2-Clause-Patent // @@ -295,3 +295,16 @@ =20 #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableLasa_HELP #lang= uage en-US "This PCD defines LASA of TPM2 ACPI table\n\n" = "0 means this field is unsupported\n" + =20 + #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPoli= cy_PROMPT #language en-US "HASH algorithm to verify unsigned PE/COFF image" + +#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdSystemHashPolicy_HELP #langu= age en-US "This PCD indicates the HASH algorithm used by Unified Hash API.<= BR>
\n" + = "Based on the value set, the required algorithm is chosen to = calculate\n" + = "the hash desired.
\n" + = "0x00000001 - MD4.
\n" + = "0x00000002 - MD5.
\n" + = "0x00000003 - SHA1.
\n" + = "0x00000004 - SHA256.
\n" + = "0x00000005 - SHA384.
\n" + = "0x00000006 - SHA512.
\n" + = "0x00000007 - SM3.
" --=20 2.16.2.windows.1
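
Review bot: In HashInitInternal (BaseHashLibCommon.c) the default branch of the switch leaves both Status and HashCtx uninitialized, and its only guard is ASSERT (FALSE), which does nothing in builds with asserts disabled. The function then stores an indeterminate pointer through *HashHandle and returns an indeterminate BOOLEAN. HASH_DEFAULT (0x00000000) is defined in BaseHashLib.h but has no case, so it takes this path as well. Initialize Status to FALSE and HashCtx to NULL and return FALSE from the default branch. The allocation checks have the same weakness: ASSERT (HashCtx != NULL) is the only test after each AllocatePool, so on allocation failure a NULL context is passed to Md4Init, Sha256Init and the rest; test for NULL and return FALSE. HashUpdateInternal also returns an uninitialized Status from its default branch. Separately, the @file comment ("Implement image verification services for secure boot service", DxeImageVerificationHandler, HashPeImage) describes a different library and should be rewritten for BaseHashLib.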
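
Review bot: HashFinalInternal (BaseHashLibCommon.c) copies the digest into the caller's buffer without knowing its size. HashApiFinal takes only OUT UINT8 *Digest, while the CopyMem length ranges from MD4_DIGEST_SIZE to SHA512_DIGEST_SIZE depending on PcdSystemHashPolicy, so a caller that sized its buffer for one algorithm is overrun when the PCD selects a longer digest. Add a digest-size parameter (or an API that returns the digest size for the active policy) and check it before the copy. The UINT8 **Digest indirection is not needed because the pointer itself is never modified; taking UINT8 *Digest would also let the Final routines write directly and remove the DigestData stack copy. In the default branch Status is returned uninitialized and FreePool (HashCtx) still runs.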
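
Review bot: In BaseHashLibDxe.c, HashApiFinal calls HashFinalInternal (HashPolicy, &HashHandle, &Digest), passing the address of the local HashHandle parameter where the prototype expects IN HASH_HANDLE HashHandle and where BaseHashLibPei.c passes HashHandle itself. HashFinalInternal casts that argument to the hash context, so the DXE instance runs the Final routine on, and then calls FreePool on, a stack address rather than the context allocated in HashInitInternal. Pass HashHandle by value as the PEI file does. The constructor's comment in this file also documents FileHandle and PeiServices, but the function takes ImageHandle and SystemTable.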
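
Review bot: In BaseHashLibPei.c (and identically in BaseHashLibDxe.c), HashApiUpdate and HashApiFinal call PcdGet8 (PcdSystemHashPolicy) again on every call instead of using the policy chosen in HashApiInit. SecurityPkg.dec declares the PCD under PcdsDynamic and PcdsDynamicEx as well as the build-time types, so the value can change between Init and Final, and a context allocated for one algorithm would then be handed to another algorithm's Update or Final routine. Record the policy together with the context at Init time (for example in a small structure behind the handle) and dispatch on that. The constructor here only prints a DEBUG message and returns EFI_SUCCESS; if nothing needs constructing, drop it and the CONSTRUCTOR line in the INF.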
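
Review bot: The function comments in BaseHashLibCommon.h do not match the prototypes they sit above: the block before HashUpdateInternal is the "Hash complete" text with a Digest parameter, and the block before HashFinalInternal is the "Update hash data" text with DataToHash and DataToHashLen. The HashInitInternal comment omits HashPolicy and lists @retval EFI_SUCCESS and EFI_UNSUPPORTED although the function returns BOOLEAN. Please swap and correct these. This header and BaseHashLib.h also carry an @file description that refers to ImageVerificationLib and the long-form BSD license text, while the .c files in the same patch use SPDX-License-Identifier: BSD-2-Clause-Patent. Several of the new files end with "\ No newline at end of file"; add the trailing newline.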
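
Review bot: In SecurityPkg.dec the new library class is mapped to the wrong header: BaseHashLib|Include/Library/HashLib.h should point at Include/Library/BaseHashLib.h, which is the file this patch adds. On the PCD itself, the help text says the value selects the algorithm "to verify the unsigned image during Secure Boot", yet @ValidRange 0x00000001 - 0x00000007 admits MD4, MD5 and SHA1, all of which have practical collision attacks. If this PCD really gates image verification, restrict the valid range to SHA256 and stronger (and SM3_256), or state clearly that the weak values exist only for non-security uses. The help text here ("verify unsigned PE/COFF image") also disagrees with the SecurityPkg.uni help string ("used by Unified Hash API"); pick one description.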
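
Review bot: The descriptions in the new INF and UNI files do not describe this library. BaseHashLibDxe.inf and BaseHashLibPei.inf say the library redirects requests to "each individual hash handler registered" (the PEI one calls it a "BaseCrypto router"), and BaseHashLibDxe.uni mentions PcdTpm2HashMask, but the code has no registration mechanism and the [Pcd] sections consume only PcdSystemHashPolicy. Reword these to match the STR_MODULE_DESCRIPTION strings, which are accurate. In SecurityPkg.uni the last help entry reads "0x00000007 - SM3" where the DEC and the header use SM3_256.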