SecurityPkg: Fix potential bug in Security Boot dxe.

v2: update hash value in SecureBootConfig.vfr to keep
them consistent with macro definition in SecureBootConfigImpl.h

since we removed the sha-1 definition in Hash table
and related macro, but the macro definition HashAlg index
may be value 4 which is exceed the range of the Hash
table array.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo <lubo.zhang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>

2 files changed, 11 insertions, 11 deletions

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index 02ddf4ad89..6f46d91033 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -459,13 +459,13 @@ formset
           varid       = SECUREBOOT_CONFIGURATION.CertificateFormat,

           prompt      = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT),

           help        = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP),

-          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x2, flags = DEFAULT;

-          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x3, flags = 0;

-          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x4, flags = 0;

-          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x5, flags = 0;

+          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x1, flags = DEFAULT;

+          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x2, flags = 0;

+          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x3, flags = 0;

+          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x4, flags = 0;

     endoneof;

 

-    suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 5;

+    suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 4;

         checkbox varid  = SECUREBOOT_CONFIGURATION.AlwaysRevocation,

                prompt = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_PROMPT),

                help   = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_HELP),

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
index d438d37e04..f080f667a5 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
@@ -91,12 +91,12 @@ extern  EFI_IFR_GUID_LABEL         *mEndLabel;
 //

 // Support hash types

 //

-#define HASHALG_SHA224                         0x00000001

-#define HASHALG_SHA256                         0x00000002

-#define HASHALG_SHA384                         0x00000003

-#define HASHALG_SHA512                         0x00000004

-#define HASHALG_RAW                            0x00000005

-#define HASHALG_MAX                            0x00000005

+#define HASHALG_SHA224                         0x00000000

+#define HASHALG_SHA256                         0x00000001

+#define HASHALG_SHA384                         0x00000002

+#define HASHALG_SHA512                         0x00000003

+#define HASHALG_RAW                            0x00000004

+#define HASHALG_MAX                            0x00000004

 

 

 typedef struct {