SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic

Update PCR[7] measure logic according to TCG PC Client PFP 00.37.
Only entries in DB that is used for image authentication need to be
measured.
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
This commit is contained in:
Zhang, Chao B 2017-01-18 11:27:19 +08:00
parent 44175ee77f
commit 5b196b06b2
1 changed files with 7 additions and 3 deletions

View File

@ -12,7 +12,7 @@
DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
untrusted PE/COFF image and validate its data structure within this image buffer before use. untrusted PE/COFF image and validate its data structure within this image buffer before use.
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR> Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
@ -1026,7 +1026,12 @@ IsSignatureFoundInDatabase (
// Find the signature in database. // Find the signature in database.
// //
IsFound = TRUE; IsFound = TRUE;
//
// Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to validate image should be measured
//
if (StrCmp(VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) {
SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert); SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert);
}
break; break;
} }
@ -1309,7 +1314,6 @@ IsForbiddenByDbx (
mImageDigestSize mImageDigestSize
); );
if (IsForbidden) { if (IsForbidden) {
SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, CertData);
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is forbidden by DBX.\n")); DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is forbidden by DBX.\n"));
goto Done; goto Done;
} }