diff options
| author | Zhang Lubo <lubo.zhang@intel.com> | 2017-01-05 14:58:05 +0800 |
|---|---|---|
| committer | Jiaxin Wu <jiaxin.wu@intel.com> | 2017-02-20 10:09:53 +0800 |
| commit | c035e37335ae43229d7e68de74a65f2c01ebc0af (patch) | |
| tree | ffdf5d04eae742a9f907149ffde82c2b8e0c74a2 /SecurityPkg/VariableAuthenticated | |
| parent | 80e63e846af4ac135da5faccead7450e956d6462 (diff) | |
| download | edk2-c035e37335ae43229d7e68de74a65f2c01ebc0af.tar.gz edk2-c035e37335ae43229d7e68de74a65f2c01ebc0af.tar.bz2 edk2-c035e37335ae43229d7e68de74a65f2c01ebc0af.zip | |
SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable.
V3: code clean up
prohibit Image SHA-1 hash option in SecureBootConfigDxe.
Timebased Auth Variable driver should ensure AuthAlgorithm
is SHA256 before further verification
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo <lubo.zhang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Diffstat (limited to 'SecurityPkg/VariableAuthenticated')
| -rw-r--r-- | SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 14 | ||||
| -rw-r--r-- | SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h | 8 |
2 files changed, 6 insertions, 16 deletions
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c index 0d9618597b..6f587291e2 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c @@ -1,7 +1,7 @@ /** @file
HII Config Access protocol implementation of SecureBoot configuration module.
-Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -63,7 +63,6 @@ UINT8 mHashOidValue[] = { };
HASH_TABLE mHash[] = {
- { L"SHA1", 20, &mHashOidValue[8], 5, Sha1GetContextSize, Sha1Init, Sha1Update, Sha1Final },
{ L"SHA224", 28, &mHashOidValue[13], 9, NULL, NULL, NULL, NULL },
{ L"SHA256", 32, &mHashOidValue[22], 9, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final},
{ L"SHA384", 48, &mHashOidValue[31], 9, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final},
@@ -1786,7 +1785,7 @@ HashPeImage ( SectionHeader = NULL;
Status = FALSE;
- if ((HashAlg != HASHALG_SHA1) && (HashAlg != HASHALG_SHA256)) {
+ if (HashAlg != HASHALG_SHA256) {
return FALSE;
}
@@ -1795,13 +1794,8 @@ HashPeImage ( //
ZeroMem (mImageDigest, MAX_DIGEST_SIZE);
- if (HashAlg == HASHALG_SHA1) {
- mImageDigestSize = SHA1_DIGEST_SIZE;
- mCertType = gEfiCertSha1Guid;
- } else if (HashAlg == HASHALG_SHA256) {
- mImageDigestSize = SHA256_DIGEST_SIZE;
- mCertType = gEfiCertSha256Guid;
- }
+ mImageDigestSize = SHA256_DIGEST_SIZE;
+ mCertType = gEfiCertSha256Guid;
CtxSize = mHash[HashAlg].GetContextSize();
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h index 5055a9e9c3..bea9470eae 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h @@ -2,7 +2,7 @@ The header file of HII Config Access protocol implementation of SecureBoot
configuration module.
-Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -67,10 +67,7 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; #define MAX_CHAR 480
#define TWO_BYTE_ENCODE 0x82
-//
-// SHA-1 digest size in bytes.
-//
-#define SHA1_DIGEST_SIZE 20
+
//
// SHA-256 digest size in bytes
//
@@ -94,7 +91,6 @@ extern EFI_IFR_GUID_LABEL *mEndLabel; //
// Support hash types
//
-#define HASHALG_SHA1 0x00000000
#define HASHALG_SHA224 0x00000001
#define HASHALG_SHA256 0x00000002
#define HASHALG_SHA384 0x00000003
|