mirror of https://github.com/acidanthera/audk.git
SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic
Update PCR[7] measure logic according to TCG PC Client PFP 00.37. Only entries in DB that is used for image authentication need to be measured. http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf Cc: Star Zeng <star.zeng@intel.com> Cc: Yao Jiewen <jiewen.yao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com> Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
This commit is contained in:
parent
44175ee77f
commit
5b196b06b2
|
@ -12,7 +12,7 @@
|
||||||
DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
|
DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept
|
||||||
untrusted PE/COFF image and validate its data structure within this image buffer before use.
|
untrusted PE/COFF image and validate its data structure within this image buffer before use.
|
||||||
|
|
||||||
Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
|
Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
|
||||||
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
|
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
|
||||||
This program and the accompanying materials
|
This program and the accompanying materials
|
||||||
are licensed and made available under the terms and conditions of the BSD License
|
are licensed and made available under the terms and conditions of the BSD License
|
||||||
|
@ -1026,7 +1026,12 @@ IsSignatureFoundInDatabase (
|
||||||
// Find the signature in database.
|
// Find the signature in database.
|
||||||
//
|
//
|
||||||
IsFound = TRUE;
|
IsFound = TRUE;
|
||||||
|
//
|
||||||
|
// Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to validate image should be measured
|
||||||
|
//
|
||||||
|
if (StrCmp(VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) {
|
||||||
SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert);
|
SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert);
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1309,7 +1314,6 @@ IsForbiddenByDbx (
|
||||||
mImageDigestSize
|
mImageDigestSize
|
||||||
);
|
);
|
||||||
if (IsForbidden) {
|
if (IsForbidden) {
|
||||||
SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, CertData);
|
|
||||||
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is forbidden by DBX.\n"));
|
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is forbidden by DBX.\n"));
|
||||||
goto Done;
|
goto Done;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue