Commit Graph

255 Commits

Author SHA1 Message Date
Yao, Jiewen 967eaccaaa Add TPM2 commands which might be used in field upgrade.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com>
Reviewed-by: "Dong, Guo" <guo.dong@intel.com>
Reviewed-by: "Long, Qin" <qin.long@intel.com>



git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16505 6f19259b-4bc3-4df7-8a09-765794883524
2014-12-12 04:34:19 +00:00
Dong Guo 5789fe3587 correct a data type error.
Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Dong Eric <eric.dong@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16498 6f19259b-4bc3-4df7-8a09-765794883524
2014-12-11 06:34:57 +00:00
Chao Zhang 61959fa9ba Fix potential NULL pointer dereference issue in TcgDxe & TreeDxe.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Guo Dong <guo.dong@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16494 6f19259b-4bc3-4df7-8a09-765794883524
2014-12-10 08:21:05 +00:00
Dong Guo 213cc1000e Add failed image Name in the Image Execution Information Table.
Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Zhang Chao B <chao.b.zhang@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16493 6f19259b-4bc3-4df7-8a09-765794883524
2014-12-10 08:09:20 +00:00
Qin Long 7e0699c06e Code clean-up to eliminate potential "dereferenced pointer" warning.
Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Qin Long <qin.long@intel.com> 
Reviewed-by: Guo Dong <guo.dong@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16468 6f19259b-4bc3-4df7-8a09-765794883524
2014-12-03 07:40:32 +00:00
Qin Long 2bf41ed7dc Correct the alignment calculation of PE/COFF attribute certificate entry.
This is to resolve the possible certificate entry retrieving issue caused by un-aligned (8-bytes) VirtualAddress in some PE/COFF image, which may break secure boot.

Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Qin Long <qin.long@intel.com> 
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
Reviewed-by: Guo Dong <guo.dong@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16449 6f19259b-4bc3-4df7-8a09-765794883524
2014-11-26 08:21:54 +00:00
Star Zeng eb774e2ef5 MdeModulePkg/SecurityPkg VariablePei: Fix VS2013 build failure.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16406 6f19259b-4bc3-4df7-8a09-765794883524
2014-11-19 07:13:35 +00:00
Laszlo Ersek d547f31c32 SecurityPkg: VariableServiceSetVariable(): fix dbt <-> GUID association
SVN r16380 ("UEFI 2.4 X509 Certificate Hash and RFC3161 Timestamp
Verification support for Secure Boot") broke the "dbt" variable's
association with its expected namespace GUID.

According to "MdePkg/Include/Guid/ImageAuthentication.h", *all* of the
"db", "dbx", and "dbt" (== EFI_IMAGE_SECURITY_DATABASE2) variables have
their special meanings in the EFI_IMAGE_SECURITY_DATABASE_GUID namespace.

However, the above commit introduced the following expression in
VariableServiceSetVariable():

> -  } else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
> -          ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0))) {
> +  } else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
> +          ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0))
> +           || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2)) == 0) {

Simply replacing the individual expressions with the predicates
"GuidMatch", "DbMatch", "DbxMatch", and "DbtMatch", the above
transformation becomes:

> -  } else if (GuidMatch &&
> -          ((DbMatch) || (DbxMatch))) {
> +  } else if (GuidMatch &&
> +          ((DbMatch) || (DbxMatch))
> +           || DbtMatch) {

In shorter form, we change

  GuidMatch && (DbMatch || DbxMatch)

into

  GuidMatch && (DbMatch || DbxMatch) || DbtMatch

which is incorrect, because this way "dbt" will match outside of the
intended namespace / GUID.

The error was caught by gcc:

> SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c: In function
> 'VariableServiceSetVariable':
>
> SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c:3188:71: error:
> suggest parentheses around '&&' within '||' [-Werror=parentheses]
>
>    } else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
>                                                                        ^
> cc1: all warnings being treated as errors

Fix the parentheses.

This change may have security implications.

Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Qin Long <qin.long@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16389 6f19259b-4bc3-4df7-8a09-765794883524
2014-11-14 13:47:14 +00:00
Qin Long 20333c6d56 UEFI 2.4 X509 Certificate Hash and RFC3161 Timestamp Verification support for Secure Boot
Main ChangeLogs includes:
1. Introduce the new GUID and structure definitions for certificate hash and timestamp support;
2. Update Image Verification Library to support DBT signature checking;
3. Update the related SecureBoot Configuration Pages;

Contributed-under: TianoCore Contribution Agreement 1.0

Signed-off-by: Qin Long <qin.long@intel.com> 
Reviewed-by: Guo Dong <guo.dong@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16380 6f19259b-4bc3-4df7-8a09-765794883524
2014-11-14 08:41:12 +00:00
Chao Zhang 33985e3b52 Fix execution status & DEBUG message level mismatch. EFI_D_ERROR is used only when failure/case can’t be resolved by code.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16320 6f19259b-4bc3-4df7-8a09-765794883524
2014-11-10 05:01:15 +00:00
Jordan Justen 26830e8579 EDK II Contributions.txt: Update patch format information
Update to show what the patch looks like in email form.

NOTE: This does not modify the wording of the "TianoCore Contribution
      Agreement 1.0" section

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Jaben Carsey <jaben.carsey@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16297 6f19259b-4bc3-4df7-8a09-765794883524
2014-10-31 22:05:50 +00:00
Chao Zhang f7fe68db7d Remove redundant ASSERT in TcgDxe & TreeDxe. Some asserts are removed directly, some are replaced by debug output.
ASSERT for SetupEventLog is kept. It is the foundation of TcgProtocol and TrEEProtocol

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16281 6f19259b-4bc3-4df7-8a09-765794883524
2014-10-31 10:59:25 +00:00
Star Zeng 6ebffb67c8 MdeModulePkg/SecurityPkg Variable: Add boundary check for while (IsValidVariableHeader (Variable)).
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16280 6f19259b-4bc3-4df7-8a09-765794883524
2014-10-31 10:26:54 +00:00
Chao, Zhang 36bdec3cd9 Add comments to clarify mPubKeyStore buffer MemCopy. There is no memory overflow issue.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao, Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao, Jiewen <jiewen.yao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16227 6f19259b-4bc3-4df7-8a09-765794883524
2014-10-22 07:30:22 +00:00
Eric Dong 79e1ffbdd4 Clean up the code. Action statement should not have text two opcode.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>



git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16221 6f19259b-4bc3-4df7-8a09-765794883524
2014-10-21 05:48:00 +00:00
Chao, Zhang 8c83d0c0b9 Add PubKey index check before touching PubKey cache. Internal PubKey Variable PubkeyIndex is always 0, causing Index – 1 overflow. Update corresponding comments.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao, Zhang <chao.b.zhang@intel.com>
Reviewed-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Fu, Siyuan <siyuan.fu@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16220 6f19259b-4bc3-4df7-8a09-765794883524
2014-10-21 00:35:49 +00:00
Dong, Guo 365614e21e Roll back the dependency change in MOR driver.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>
Reviewed-by: Yao, Jiewen <jiewen.yao@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16179 6f19259b-4bc3-4df7-8a09-765794883524
2014-09-26 03:24:56 +00:00
Dong, Guo 7c064c3189 SecurityPkg VariableRuntimeDxe: Bug fix and and refine debug message.
Correct NV variable base address for flash memory attribute set to EFI_MEMORY_RUNTIME.
Refine the debug error message.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>
Reviewed-by: Zeng, Star <star.zeng@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16055 6f19259b-4bc3-4df7-8a09-765794883524
2014-09-03 09:19:30 +00:00
Gao, Liming 4cfde6dea6 SecurityPkg: Convert non DOS format files to DOS format
Module UNI and Package UNI files are not DOS format. Convert them to DOS format.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gao, Liming <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16050 6f19259b-4bc3-4df7-8a09-765794883524
2014-09-03 08:51:17 +00:00
Dong, Guo 8fcdb5d4ae Update SecurityPkg package version to 0.94.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16032 6f19259b-4bc3-4df7-8a09-765794883524
2014-09-02 07:05:34 +00:00
Dong, Guo 72b1863ebf SecurityPkg: INF/DEC file updates to EDK II packages
2. Add MODULE_UNI_FILE file that contains the localized Abstract and Description of a module.
a. Addresses an information gap between INF files and the UEFI Distribution Packaging Specification XML schema
b. There will be an associated update to UPT in BaseTools to consume MODULE_UNI_FILE and associated UNI file during UDP creation that performs the INF -> XML conversion.
c. There will be an associated update to UPT in BaseTools to produce MODULE_UNI_FILE and associated UNI file during UDP installation that performs the XML -> INF conversion.

3. Add Module Extra UNI file that provides the localized Name of a module.
a. [UserExtensions.TianoCore."ExtraFiles"] provides an easy method for a module to specify extra files not listed in [Sources] or [Binaries] sections to be added to a UDP without having to list the files in the UPT package information data file.
b. There will be an associated update to UPT in BaseTools to package up files listed in [UserExtensions.TianoCore."ExtraFiles"] during UDP creation.
c. UNI file contains localized name of a module to go along with the localized Abstract and Description from the MODULE_UNI_FILE.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15959 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-28 06:17:17 +00:00
Dong, Guo 4ce12df36c SecurityPkg: INF/DEC file updates to EDK II packages
5. Add PACKAGE_UNI_FILE UNI file that contains the localized Abstract and Description of a package and localized strings associated with PCDs. 
a. Addresses an information gap between DEC files and the UEFI Distribution Packaging Specification XML schema
b. There will be an associated update to UPT in BaseTools to consume PACKAGE_UNI_FILE and associated UNI file during UDP creation that performs the DEC -> XML conversion.
c. There will be an associated update to UPT in BaseTools to produce PACKAGE_UNI_FILE and associated UNI file during UDP installation that performs the XML -> DEC conversion.

6. Add Package Extra UNI file that provides the localized Name of a package.
a. [UserExtensions.TianoCore."ExtraFiles"] provides an easy method for a package to specify extra files to be added to a UDP without having to list the files in the UPT package information data file.
b. There will be an associated update to UPT in BaseTools to package up files listed in [UserExtensions.TianoCore."ExtraFiles"] during UDP creation.
c. UNI file contains localized name of a package to go along with the localized Abstract and Description from the PACKAGE_UNI_FILE.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15953 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-28 05:49:39 +00:00
Dong, Guo 606d38a598 SecurityPkg: INF/DEC file updates to EDK II packages
4. PCD information in DEC file comment blocks are either incomplete or incorrect.  
This includes detailed description, @Prompt, @ValidRange, @ValidList, @Expression, and [Error.<TokenSpaceGuid>] validation error messages.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15952 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-28 05:49:11 +00:00
Dong, Guo aced95158d SecurityPkg: INF/DEC file updates to EDK II packages
2. Add MODULE_UNI_FILE file that contains the localized Abstract and Description of a module.
a. Addresses an information gap between INF files and the UEFI Distribution Packaging Specification XML schema
b. There will be an associated update to UPT in BaseTools to consume MODULE_UNI_FILE and associated UNI file during UDP creation that performs the INF -> XML conversion.
c. There will be an associated update to UPT in BaseTools to produce MODULE_UNI_FILE and associated UNI file during UDP installation that performs the XML -> INF conversion.

3. Add Module Extra UNI file that provides the localized Name of a module.
a. [UserExtensions.TianoCore."ExtraFiles"] provides an easy method for a module to specify extra files not listed in [Sources] or [Binaries] sections to be added to a UDP without having to list the files in the UPT package information data file.
b. There will be an associated update to UPT in BaseTools to package up files listed in [UserExtensions.TianoCore."ExtraFiles"] during UDP creation.
c. UNI file contains localized name of a module to go along with the localized Abstract and Description from the MODULE_UNI_FILE.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15951 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-28 05:34:23 +00:00
Dong, Guo 60c944c7d6 SecurityPkg: INF/DEC file updates to EDK II packages
1. Usage information in INF file comment blocks are either incomplete or incorrect.  
This includes usage information for Protocols/PPIs/GUIDs/PCDs/HOBs/Events/BootModes.  
The syntax for usage information in comment blocks is defined in the EDK II Module Information (INF) Specification

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15950 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-28 05:31:09 +00:00
Jordan Justen fad213a3db EDK II Contributions.txt: Note acceptable contribution licenses
We strongly prefer that contribtions be offered using the same license
as the project/module. But, we should document other acceptable
licenses for contributions.

This will allow package owners to more easily know if they can accept
a contribution under a different source license.

NOTE: This does not modify the wording of the "TianoCore Contribution
      Agreement 1.0" section

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Mark Doran <mark.doran@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15892 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-25 23:10:18 +00:00
Dong, Guo 9ece15ad80 Update TcgPei and TrEEPei driver to make gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxFvSupported to be used as patchable PCD instead of Fixed PCD.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15879 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-22 05:05:22 +00:00
Dong, Guo b5412eac9e Update TcgPei and TrEEPei driver to make gEfiMdeModulePkgTokenSpaceGuid.PcdPeiCoreMaxFvSupported to be used as patchable PCD instead of Fixed PCD.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15848 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-20 09:37:26 +00:00
Dong, Guo 4ccef56102 1) Update code to use PcdFixedUsbCredentialProviderTokenFileName and PcdMaxVariableSize as patchable PCD instead of FixedAtBuild PCD.
2)      Correct a typo in file comments of Tpm12Ownership.c

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>
Reviewed-by: Yao, Jiewen <jiewen.yao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15811 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-15 08:10:55 +00:00
Michael Kinney 1a53a034ec Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Michael Kinney  <michael.d.kinney@intel.com>
Reviewed-by: Dong, Guo <guo.dong@intel.com>

Add support for RSA 2048 SHA 256 signing and verification encoded in a PI FFS GUIDED Encapsulation Section.  The primary use case of this feature is in support of signing and verification of encapsulated FVs for Recovery and Capsule Update, but can potentially be used for signing and verification of any content that can be stored in a PI conformant FFS file.  Signing operations are performed from python scripts that wrap OpenSsl command line utilities.  Verification operations are performed using the OpenSsl libraries in the CryptoPkg.

The guided encapsulation sections uses the UEFI 2.4 Specification defined GUID called EFI_CERT_TYPE_RSA2048_SHA256_GUID.  The data layout for the encapsulation section starts with the UEFI 2.4 Specification defined structure called EFI_CERT_BLOCK_RSA_2048_SHA256 followed immediately by the data.  The signing tool included in these patches performs encode/decode operations using this data layout.  HashType is set to the UEFI 2.4 Specification defined GUID called EFI_HASH_ALGORITHM_SHA256_GUID.

MdePkg/Include/Guid/WinCertificate.h
================================= 
//
// WIN_CERTIFICATE_UEFI_GUID.CertType
// 
#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \
  {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } }

///
/// WIN_CERTIFICATE_UEFI_GUID.CertData
/// 
typedef struct {
  EFI_GUID  HashType;
  UINT8     PublicKey[256];
  UINT8     Signature[256];
} EFI_CERT_BLOCK_RSA_2048_SHA256;

MdePkg/Include/Protocol/Hash.h
================================= 
#define EFI_HASH_ALGORITHM_SHA256_GUID \
  { \
    0x51aa59de, 0xfdf2, 0x4ea3, {0xbc, 0x63, 0x87, 0x5f, 0xb7, 0x84, 0x2e, 0xe9 } \
  }

The verification operations require the use of public key(s).  A new PCD called gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer is added to the SecurityPkg that supports one or more SHA 256 hashes of the public keys.  A SHA 256 hash is performed to minimize the FLASH overhead of storing the public keys.  When a verification operation is performed, a SHA 256 hash is performed on EFI_CERT_BLOCK_RSA_2048_SHA256.PublicKey and a check is made to see if that hash matches any of the hashes in the new PCD.  It is recommended that this PCD always be configured in the DSC file as storage type of [PcdsDynamixExVpd], so the public keys are stored in a protected read-only region.

While working on this feature, I noticed that the CRC32 signing and verification feature was incomplete.  It only supported CRC32 based verification in the DXE Phase, so the attached patches also provide support for CRC32 based verification in the PEI Phase.

I also noticed that the most common method for incorporating guided section extraction libraries was to directly link them to the DXE Core, which is not very flexible.  The attached patches also add a generic section extraction PEIM and a generic section extraction DXE driver that can each be linked against one or more section extraction libraries.  This provides a platform developer with the option of providing section extraction services with the DXE Core or providing section extraction services with these generic PEIM/DXE Drivers.

Patch Summary
==============
1)	BaseTools - Rsa2049Sha256Sign python script that can perform test signing or custom signing of PI FFS file GUIDed sections
  a.	Wrapper for a set of OpenSsl command line utility operations
  b.	OpenSsl command line tool must be installed in location that is in standard OS path or in path specified by OS environment variable called OPENSSL_PATH
  c.	Provides standard EDK II command line arguments for a tool that encodes/decodes guided encapsulation section 

Rsa2048Sha256Sign - Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
usage: Rsa2048Sha256Sign -e|-d [options] <input_file>

positional arguments:
  input_file            specify the input filename

optional arguments:
  -e                    encode file
  -d                    decode file
  -o filename, --output filename
                        specify the output filename
  --private-key PRIVATEKEYFILE
                        specify the private key filename. If not specified, a
                        test signing key is used.
  -v, --verbose         increase output messages
  -q, --quiet           reduce output messages
  --debug [0-9]         set debug level
  --version             display the program version and exit
  -h, --help            display this help text

2)	BaseTools - Rsa2049Sha256GenerateKeys python script that can generate new private/public key and PCD value that is SHA 256 hash of public key using OpenSsl command line utilities.
  a.	Wrapper for a set of OpenSsl command line utility operations
  b.	OpenSsl command line tool must be installed in location that is in standard path or in path specified by OS environment variable called OPENSSL_PATH

Rsa2048Sha256GenerateKeys - Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
usage: Rsa2048Sha256GenerateKeys [options]

optional arguments:
  -o [filename [filename ...]], --output [filename [filename ...]]
                        specify the output private key filename in PEM format
  -i [filename [filename ...]], --input [filename [filename ...]]
                        specify the input private key filename in PEM format
  --public-key-hash PUBLICKEYHASHFILE
                        specify the public key hash filename that is SHA 256
                        hash of 2048 bit RSA public key in binary format
  --public-key-hash-c PUBLICKEYHASHCFILE
                        specify the public key hash filename that is SHA 256
                        hash of 2048 bit RSA public key in C structure format
  -v, --verbose         increase output messages
  -q, --quiet           reduce output messages
  --debug [0-9]         set debug level
  --version             display the program version and exit
  -h, --help            display this help text

3)	BaseTools\Conf\tools_def.template
  a.	Define GUID/Tool to perform RSA 2048 SHA 256 test signing and instructions on how to use alternate private/public key
b.	GUID is EFI_CERT_TYPE_RSA2048_SHA256_GUID
  c.	Tool is Rsa2049Sha256Sign
4)	MdeModulePkg\Library\PeiCrc32GuidedSectionExtractionLib
  a.	Add peer for DxeCrc32GuidedSectionExtractionLib so both PEI and DXE phases can perform basic integrity checks of PEI and DXE components
5)	MdeModulePkg\Universal\SectionExtractionPei
  a.	Generic PEIM that can link against one or more NULL section extraction library instances to provided one or more GUIDED Section Extraction PPIs
6)	MdeModulePkg\Universal\SectionExtractionDxe
  a.	Generic DXE Driver that can link against one or more NULL section extraction library instances to provide one or more GUIDED Section Extraction Protocols.
7)	SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib
  a.	NULL library instances that performs PEI phase RSA 2048 SHA 256 signature verification using OpenSsl libraries from CryptoPkg.
  b.	Based on algorithms from SecurityPkg Authenticated Variable services
  c.	Uses public key from gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer.
8)	SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib
  a.	NULL library instances that performs DXE phase RSA 2048 SHA 256 signature verification using OpenSsl libraries from CryptoPkg.
  b.	Based on algorithms from SecurityPkg Authenticated Variable services
  c.	Uses public key from gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer.




git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15801 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-14 06:31:34 +00:00
jyao1 4e684d3ca4 Correct StrnCat length calculation.
Contributed-under: TianoCore Contribution Agreement 1.0

Signed off by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed by: Guo Dong <guo.dong@intel.com>




git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15788 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-12 03:31:47 +00:00
jyao1 58dbfc3c0f Clean up code.
Contributed-under: TianoCore Contribution Agreement 1.0

Signed off by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed by: Eric Dong <eric.dong@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15766 6f19259b-4bc3-4df7-8a09-765794883524
2014-08-07 05:03:10 +00:00
Eric Dong d4193108b5 Update code to support VS2013 tool chain.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15694 6f19259b-4bc3-4df7-8a09-765794883524
2014-07-28 07:45:49 +00:00
Star Zeng 859b0db434 SecurityPkg HashLibBaseCryptoRouterDxe/Tpm2DeviceLibRouterPei: Fixed GCC build failure after -Wno-missing-braces option in GCC removed.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15613 6f19259b-4bc3-4df7-8a09-765794883524
2014-07-02 09:02:35 +00:00
Eric Dong 1fee5304db Refine code to make it more safely.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Guo Dong <guo.dong@intel.com>




git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15590 6f19259b-4bc3-4df7-8a09-765794883524
2014-06-25 06:00:49 +00:00
Dong, Guo ffccb935fa Update code to always publish EFI_IMAGE_EXECUTION_INFO_TABLE.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong, Guo <guo.dong@intel.com>
Reviewed-by: Fu, Siyuan <siyuan.fu@intel.com>
Reviewed-by: Gao, Liming <liming.gao@intel.com>
Reviewed-by: Zhang, Chao B <chao.b.zhang@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15585 6f19259b-4bc3-4df7-8a09-765794883524
2014-06-25 02:02:22 +00:00
Andrew Fish 9a70350fff Fix build issues with Xcode in CryptoPkg and SecurityPkg.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Andrew Fish <afish@apple.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15561 6f19259b-4bc3-4df7-8a09-765794883524
2014-06-16 08:31:41 +00:00
Eric Dong 56dea5e177 Config Access Protocol return value not follow spec, update code to follow it.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Gao, Liming <liming,gao@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15490 6f19259b-4bc3-4df7-8a09-765794883524
2014-04-28 06:53:29 +00:00
Star Zeng 387208ab04 MdeModulePkg/SecurityPkg: Update TreePei to handle FvInfo2 and update FwVol of PeiCore to always install both FvInfo and FvInfo2.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15467 6f19259b-4bc3-4df7-8a09-765794883524
2014-04-15 09:19:04 +00:00
Dong Guo e3ff137e36 Add missing parameter comment in AddPubKeyInStore()
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Dong, Eric <eric.dong@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15426 6f19259b-4bc3-4df7-8a09-765794883524
2014-04-01 06:02:10 +00:00
Dong Guo cbbac2e1ef Remove unused [PcdsDynamic, PcdsDynamicEx] section.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Fan, Jeff <jeff.fan@intel.com>
Reviewed-by: Ni, Ruiyu <ruiyu.ni@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15416 6f19259b-4bc3-4df7-8a09-765794883524
2014-03-31 01:54:51 +00:00
Eric Dong 7a1f792dcf Check the input file pointer before use it.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Guo, Dong <guo.dong@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15412 6f19259b-4bc3-4df7-8a09-765794883524
2014-03-28 05:51:51 +00:00
Star Zeng 3a4b498ee1 SecurityPkg Variable: Add NULL pointer check.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Guo Dong <guo.dong@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15409 6f19259b-4bc3-4df7-8a09-765794883524
2014-03-28 02:47:46 +00:00
Dong Guo 2bc363714e Remove hide TPM support.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Ni, Ruiyu <ruiyu.ni@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15405 6f19259b-4bc3-4df7-8a09-765794883524
2014-03-27 11:03:04 +00:00
Dong Guo 9a12e5825a Calculate enough space for 2 variables (public key and variable data) instead of directly setting them 1 by 1.
Fixed a bug in public key reclaim().

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Zeng, Star <star.zeng@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15404 6f19259b-4bc3-4df7-8a09-765794883524
2014-03-27 10:54:23 +00:00
Star Zeng b2bd493edb MdeModulePkg/SecurityPkg Variable: Calculate enough space for PlatformLang and Lang variables and use PcdUefiVariableDefaultLangDeprecate to turn off auto update between PlatformLang and Lang variables.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Guo Dong <guo.dong@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15388 6f19259b-4bc3-4df7-8a09-765794883524
2014-03-25 06:56:55 +00:00
Dong Guo 2001537d53 Comment PwdCredential driver.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15376 6f19259b-4bc3-4df7-8a09-765794883524
2014-03-23 23:47:18 +00:00
Jiewen Yao 5437d457b9 Fix current TPM device string missing. Use efivarstore instead of varstor, remove TPM disable.
Signed-off-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Guo Dong <Guo.Dong@intel.com>
Reviewed-by: Liming Gao <Liming.Gao@intel.com>

Contributed-under: TianoCore Contribution Agreement 1.0


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15360 6f19259b-4bc3-4df7-8a09-765794883524
2014-03-21 02:51:42 +00:00
Dong Guo 68d151bbc9 Force UID modules build error to warn user that currently it is just a sample.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>


git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15356 6f19259b-4bc3-4df7-8a09-765794883524
2014-03-21 00:57:42 +00:00
Star Zeng 9bc5dabb10 MdeModulePkg/SecurityPkg Variable: Return error status to avoid inconsistency between PlatformLang and Lang.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15340 6f19259b-4bc3-4df7-8a09-765794883524
2014-03-20 02:07:48 +00:00