[edk2-devel] [PATCH v2 1/1] CryptoPkg: Need to enable crypto functions
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3992 V2: Update Readme and CryptoPkg.dsc to reflect changes and be in sync. V1: Enable CryptAes for PEI phase. Enable CryptHkdf for SMM phase. Update Readme.md Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/CryptoPkg.dsc | 8 +++- CryptoPkg/Readme.md | 12 ++-- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc index 3b245979c34c..4676193e8953 100644 --- a/CryptoPkg/CryptoPkg.dsc +++ b/CryptoPkg/CryptoPkg.dsc @@ -2,7 +2,7 @@ # Cryptographic Library Package for UEFI Security Implementation. # PEIM, DXE Driver, and SMM Driver with all crypto services enabled. # -# Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved. # Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved. # Copyright (c) 2022, Loongson Technology Corporation Limited. All rights reserved. # SPDX-License-Identifier: BSD-2-Clause-Patent @@ -239,6 +239,11 @@ [PcdsFixedAtBuild] gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free | TRUE gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey | TRUE gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY !endif # 
@@ -278,6 +283,7 @@ [PcdsFixedAtBuild] gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt | TRUE gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Services.Encrypt | TRUE gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Services.Decrypt | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY !endif ### diff --git a/CryptoPkg/Readme.md b/CryptoPkg/Readme.md index cb072db72397..284a16f299fd 100644 --- a/CryptoPkg/Readme.md +++ b/CryptoPkg/Readme.md @@ -207,15 +207,15 @@ also configured. | Sha512 | N | N | C | C | C | C |C| | X509| N | N | | | C | C |C| | Tdes| Y | Y | | | | | | -| Aes.GetContextSize | N | N | | | C | C |C| -| Aes.Init| N | N | | | C | C |C| +| Aes.GetContextSize | N | N | | C | C | C |C| +| Aes.Init| N | N | | C | C | C |C| | Aes.EcbEncrypt | Y | Y | | | | | | | Aes.EcbDecrypt | Y | Y | | | | | | -| Aes.CbcEncrypt | N | N | | | C | C |C| -| Aes.CbcDecrypt | N | N | | | C | C |C| +| Aes.CbcEncrypt | N | N | | C | C | C |C| +| Aes.CbcDecrypt | N | N | | C | C | C |C| | Arc4| Y | Y | | | | | | | Sm3 | N | N | | C | C | C |C| -| Hkdf
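Review bot: The first CryptoPkg.dsc hunk enables AES as four separate `Aes.Services.*` entries and HKDF as `Hkdf.Family`, while the Readme settings posted in v1 list `Aes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY` and `Hkdf.Services.Sha256ExtractAndExpand | TRUE`, and the 0/1 cover letter describes AES in PEI as enabled "based on PCD_CRYPTO_SERVICE_ENABLE_FAMILY". Since the stated goal of v2 is to bring the two files in sync, use the same granularity in both, or say in the commit message why the .dsc differs. The commit message also mentions HKDF only for SMM, yet `Hkdf.Family` is added in both hunks, so state which phases are meant to get it.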
[edk2-devel] [PATCH v2 0/1] Enable AES and HKDF
https://bugzilla.tianocore.org/show_bug.cgi?id=3992

Enable Aes services in PEI based on PCD_CRYPTO_SERVICE_ENABLE_FAMILY.
Enable Hkdf in SMM based on PCD_CRYPTO_SERVICE_ENABLE_FAMILY.
Update Readme table to reflect these changes.

Judah Vang (1):
  CryptoPkg: Need to enable crypto functions

 CryptoPkg/CryptoPkg.dsc |  8 +++-
 CryptoPkg/Readme.md     | 12 ++--
 2 files changed, 13 insertions(+), 7 deletions(-)

--
2.35.1.windows.2

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#97651): https://edk2.groups.io/g/devel/message/97651
Mute This Topic: https://groups.io/mt/95800087/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH] SecurityPkg: deprecate RpmcLib and VariableKeyLib
I reviewed it and it looks good to me. Judah -Original Message- From: Yao, Jiewen Sent: Wednesday, December 14, 2022 7:11 PM To: Wang, Jian J ; devel@edk2.groups.io Cc: Kinney, Michael D ; Mistry, Nishant C ; Vang, Judah Subject: RE: [PATCH] SecurityPkg: deprecate RpmcLib and VariableKeyLib Agree. Reviewed-by: Jiewen Yao I will wait for 1 work week to see if there is any objection. If anyone has concern, please let us know as soon as possible. Thank you Yao, Jiewen > -Original Message- > From: Wang, Jian J > Sent: Thursday, December 15, 2022 11:02 AM > To: devel@edk2.groups.io > Cc: Yao, Jiewen ; Kinney, Michael D > ; Mistry, Nishant C > ; Vang, Judah > Subject: [PATCH] SecurityPkg: deprecate RpmcLib and VariableKeyLib > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 > > There's no real usage of these two libraries. They're deprecated. > > Cc: Jiewen Yao > Cc: Michael D Kinney > Cc: Nishant C Mistry > Cc: Judah Vang > Signed-off-by: Jian J Wang > --- > SecurityPkg/Include/Library/RpmcLib.h | 42 > SecurityPkg/Include/Library/VariableKeyLib.h | 59 - > SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 46 - > .../Library/RpmcLibNull/RpmcLibNull.inf | 33 -- > .../VariableKeyLibNull/VariableKeyLibNull.c | 66 --- > .../VariableKeyLibNull/VariableKeyLibNull.inf | 33 -- > SecurityPkg/SecurityPkg.dec | 8 --- > SecurityPkg/SecurityPkg.dsc | 4 -- > 8 files changed, 291 deletions(-) > delete mode 100644 SecurityPkg/Include/Library/RpmcLib.h > delete mode 100644 SecurityPkg/Include/Library/VariableKeyLib.h > delete mode 100644 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c > delete mode 100644 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf > delete mode 100644 > SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c > delete mode 100644 > SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf > > diff --git a/SecurityPkg/Include/Library/RpmcLib.h > b/SecurityPkg/Include/Library/RpmcLib.h > deleted file mode 100644 > index df4ba34ba8..00 
> --- a/SecurityPkg/Include/Library/RpmcLib.h > +++ /dev/null > @@ -1,42 +0,0 @@ > -/** @file > > - Public definitions for the Replay Protected Monotonic Counter > (RPMC) Library. > > - > > -Copyright (c) 2020, Intel Corporation. All rights reserved. > > -SPDX-License-Identifier: BSD-2-Clause-Patent > > - > > -**/ > > - > > -#ifndef _RPMC_LIB_H_ > > -#define _RPMC_LIB_H_ > > - > > -#include > > - > > -/** > > - Requests the monotonic counter from the designated RPMC counter. > > - > > - @param[out] CounterValueA pointer to a buffer to store the > RPMC > value. > > - > > - @retval EFI_SUCCESS The operation completed successfully. > > - @retval EFI_DEVICE_ERRORA device error occurred while > attempting to update the counter. > > - @retval EFI_UNSUPPORTED The operation is un-supported. > > -**/ > > -EFI_STATUS > > -EFIAPI > > -RequestMonotonicCounter ( > > - OUT UINT32 *CounterValue > > - ); > > - > > -/** > > - Increments the monotonic counter in the SPI flash device by 1. > > - > > - @retval EFI_SUCCESS The operation completed successfully. > > - @retval EFI_DEVICE_ERRORA device error occurred while > attempting to update the counter. > > - @retval EFI_UNSUPPORTED The operation is un-supported. > > -**/ > > -EFI_STATUS > > -EFIAPI > > -IncrementMonotonicCounter ( > > - VOID > > - ); > > - > > -#endif > > diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h > b/SecurityPkg/Include/Library/VariableKeyLib.h > deleted file mode 100644 > index 561ebad09d..00 > --- a/SecurityPkg/Include/Library/VariableKeyLib.h > +++ /dev/null 
> @@ -1,59 +0,0 @@ > -/** @file > > - Public definitions for Variable Key Library. > > - > > -Copyright (c) 2020, Intel Corporation. All rights reserved. > > -SPDX-License-Identifier: BSD-2-Clause-Patent > > - > > -**/ > > - > > -#ifndef _VARIABLE_KEY_LIB_H_ > > -#define _VARIABLE_KEY_LIB_H_ > > - > > -#include > > - > > -/** > > - Retrieves the key for integrity and/or confidentiality of variables. > > - > > - @param[out] VariableKey A pointer to pointer for the variable > key > buffer. > > - @param[in,out]
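Review bot: The subject and commit message say the two libraries are deprecated, but every file in the diffstat is a `delete mode 100644` removal and SecurityPkg.dec and SecurityPkg.dsc lose their entries, so this is a removal, not a deprecation. Reword the subject to say "remove", and note in the commit message that any platform .dsc or module .inf still naming RpmcLib or VariableKeyLib will stop building once the headers and the SecurityPkg.dec entries are gone.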
Re: [edk2-devel] [PATCH v1 1/1] CryptoPkg: Need to enable crypto functions
The readme was updated, however, I did miss the .dsc. Will submit another patch to address the .dsc file Judah -Original Message- From: Yao, Jiewen Sent: Monday, December 19, 2022 6:52 PM To: Kinney, Michael D ; devel@edk2.groups.io; Vang, Judah Cc: Wang, Jian J ; Xiaoyu Lu ; Jiang, Guomin ; Mistry, Nishant C Subject: RE: [edk2-devel] [PATCH v1 1/1] CryptoPkg: Need to enable crypto functions Hi Mike You are right. I missed that part. Hi Judah Would you please file another patch to update DSC file, to make it align with readme? Thank you Yao, Jiewen > -Original Message- > From: Kinney, Michael D > Sent: Tuesday, December 20, 2022 9:55 AM > To: devel@edk2.groups.io; Yao, Jiewen ; Vang, > Judah > Cc: Wang, Jian J ; Xiaoyu Lu > ; Jiang, Guomin ; > Mistry, Nishant C ; Kinney, Michael D > > Subject: RE: [edk2-devel] [PATCH v1 1/1] CryptoPkg: Need to enable > crypto functions > > Hi Jiewen, > > I noticed that this patch is missing the update to the table in > ReadMe.md to show the new PEI and SMM crypto services enabled by > default in *CryptLib library instances. > > https://github.com/tianocore/edk2/tree/master/CryptoPkg#supported- > cryptographic-families-and-services > > It did update the recommended PCD settings at the end of the ReadMe, > but missed the update to CryptoPkg.dsc file to actually enable the PEI > and SMM services in the Crypto Drivers. > > Mike > > > -Original Message- > > From: devel@edk2.groups.io On Behalf Of Yao, > Jiewen > > Sent: Monday, December 19, 2022 5:40 PM > > To: Vang, Judah ; devel@edk2.groups.io > > Cc: Wang, Jian J ; Xiaoyu Lu > ; Jiang, Guomin ; > > Mistry, Nishant C > > Subject: Re: [edk2-devel] [PATCH v1 1/1] CryptoPkg: Need to enable > > crypto > functions > > > > Just merged - https://github.com/tianocore/edk2/pull/3796 > > > > > > > -Original Message- 
> > > From: Vang, Judah > > > Sent: Tuesday, December 20, 2022 8:44 AM > > > To: devel@edk2.groups.io; Vang, Judah > > > Cc: Yao, Jiewen ; Wang, Jian J > > > ; Xiaoyu Lu ; Jiang, > Guomin > > > ; Mistry, Nishant C > > > > Subject: RE: [edk2-devel] [PATCH v1 1/1] CryptoPkg: Need to enable > crypto > > > functions > > > > > > Hi Jiewen, > > > > > > Has this patch been merged? > > > This is an important change for the UEFI Protected Variable feature. > > > > > > Judah > > > > > > -Original Message- > > > From: devel@edk2.groups.io On Behalf Of > Judah > > > Vang > > > Sent: Monday, November 7, 2022 2:16 PM > > > To: devel@edk2.groups.io > > > Cc: Yao, Jiewen ; Wang, Jian J > > > ; Xiaoyu Lu ; Jiang, > Guomin > > > ; Mistry, Nishant C > > > > Subject: [edk2-devel] [PATCH v1 1/1] CryptoPkg: Need to enable > > > crypto functions > > > > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3992 > > > > > > V1: Enable CryptAes for PEI phase. Enable CryptHkdf for SMM phase. > > > Update Readme.md > > > > > > Cc: Jiewen Yao > > > Cc: Jian J Wang > > > Cc: Xiaoyu Lu > > > Cc: Guomin Jiang > > > Cc: Nishant C Mistry > > > Signed-off-by: Jian J Wang > > > Signed-off-by: Nishant C Mistry > > > Signed-off-by: Judah Vang > > > --- > > > CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 2 +- > > > CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +- > > > CryptoPkg/Readme.md| 27 +++- > > > 3 files changed, 17 insertions(+), 14 deletions(-) > > > > > > diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > > > b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > > > index b1629647f9c6..ee5f3cd5d4b6 100644 > > > --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > > > +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf > > > @@ -43,7 +43,7 @@ [Sources] > > >Hash/CryptParallelHashNull.c > > >Hmac/CryptHmac.c > > >Kdf/CryptHkdf.c > > > - Cipher/CryptAesNull.c > > > + Cipher/CryptAes.c > > >Cipher/CryptAeadAesGcmNull.c > > >Pk/CryptRsaBasic.c > > >Pk/CryptRsaExtNull.c 
> > > diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > > > b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > > > index 0af7a3f96e8f..cc5a53ca92cd 100644 > > > --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf > > &g
Re: [edk2-devel] [PATCH v1 1/1] CryptoPkg: Need to enable crypto functions
Hi Jiewen, Has this patch been merged? This is an important change for the UEFI Protected Variable feature. Judah -Original Message- From: devel@edk2.groups.io On Behalf Of Judah Vang Sent: Monday, November 7, 2022 2:16 PM To: devel@edk2.groups.io Cc: Yao, Jiewen ; Wang, Jian J ; Xiaoyu Lu ; Jiang, Guomin ; Mistry, Nishant C Subject: [edk2-devel] [PATCH v1 1/1] CryptoPkg: Need to enable crypto functions REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3992 V1: Enable CryptAes for PEI phase. Enable CryptHkdf for SMM phase. Update Readme.md Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 2 +- CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +- CryptoPkg/Readme.md| 27 +++- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf index b1629647f9c6..ee5f3cd5d4b6 100644 --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf @@ -43,7 +43,7 @@ [Sources] Hash/CryptParallelHashNull.c Hmac/CryptHmac.c Kdf/CryptHkdf.c - Cipher/CryptAesNull.c + Cipher/CryptAes.c Cipher/CryptAeadAesGcmNull.c Pk/CryptRsaBasic.c Pk/CryptRsaExtNull.c diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf index 0af7a3f96e8f..cc5a53ca92cd 100644 --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf @@ -43,7 +43,7 @@ [Sources] Hash/CryptCShake256.c Hash/CryptParallelHash.c Hmac/CryptHmac.c - Kdf/CryptHkdfNull.c + Kdf/CryptHkdf.c Cipher/CryptAes.c Cipher/CryptAeadAesGcmNull.c Pk/CryptRsaBasic.c diff --git a/CryptoPkg/Readme.md b/CryptoPkg/Readme.md index 067465b8eb7d..cb072db72397 100644 --- a/CryptoPkg/Readme.md +++ b/CryptoPkg/Readme.md 
@@ -447,18 +447,20 @@ and CryptoSmm modules. Common PEI PcdCryptoServiceFamilyEnable Settings ``` - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify | TRUE - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New | TRUE - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free | TRUE - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey | TRUE - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + 
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free | TRUE
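Review bot: In the Readme.md hunk, the twelve existing PEI settings are removed and re-added with no visible change to their text, which buries the one real addition visible here, `Aes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY`. Keep whitespace or re-indent changes out of this patch, or put them in a separate one, so the diff shows only the new PCD lines.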
[edk2-devel] [PATCH v1 0/1] Enable AES and HKDF
https://bugzilla.tianocore.org/show_bug.cgi?id=3992

Need crypto AES to be supported for PEI phase and need crypto KDF to be supported for SMM phase.
Update Readme to show AES and HKDF defaults.

Judah Vang (1):
  CryptoPkg: Need to enable crypto functions

 CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf |  2 +-
 CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf |  2 +-
 CryptoPkg/Readme.md                            | 27 +++-
 3 files changed, 17 insertions(+), 14 deletions(-)

--
2.35.1.windows.2
[edk2-devel] [PATCH v1 1/1] CryptoPkg: Need to enable crypto functions
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3992 V1: Enable CryptAes for PEI phase. Enable CryptHkdf for SMM phase. Update Readme.md Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 2 +- CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +- CryptoPkg/Readme.md| 27 +++- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf index b1629647f9c6..ee5f3cd5d4b6 100644 --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf @@ -43,7 +43,7 @@ [Sources] Hash/CryptParallelHashNull.c Hmac/CryptHmac.c Kdf/CryptHkdf.c - Cipher/CryptAesNull.c + Cipher/CryptAes.c Cipher/CryptAeadAesGcmNull.c Pk/CryptRsaBasic.c Pk/CryptRsaExtNull.c diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf index 0af7a3f96e8f..cc5a53ca92cd 100644 --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf @@ -43,7 +43,7 @@ [Sources] Hash/CryptCShake256.c Hash/CryptParallelHash.c Hmac/CryptHmac.c - Kdf/CryptHkdfNull.c + Kdf/CryptHkdf.c Cipher/CryptAes.c Cipher/CryptAeadAesGcmNull.c Pk/CryptRsaBasic.c diff --git a/CryptoPkg/Readme.md b/CryptoPkg/Readme.md index 067465b8eb7d..cb072db72397 100644 --- a/CryptoPkg/Readme.md +++ b/CryptoPkg/Readme.md 
@@ -447,18 +447,20 @@ and CryptoSmm modules. Common PEI PcdCryptoServiceFamilyEnable Settings ``` - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify | TRUE - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New | TRUE - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free | TRUE - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey | TRUE - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + 
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Services.Sha256ExtractAndExpand | TRUE ``` Common DXE and SMM PcdCryptoServiceFamilyEnable Settings @@ -466,6 +468,7 @@ and CryptoSmm modules
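Review bot: The diffstat covers PeiCryptLib.inf, SmmCryptLib.inf and Readme.md only, so the `CryptAesNull.c` to `CryptAes.c` and `CryptHkdfNull.c` to `CryptHkdf.c` swaps change the statically linked library instances while CryptoPkg.dsc is left untouched. The Readme hunk documents new recommended PcdCryptoServiceFamilyEnable settings (`Aes.Family`, `Hkdf.Services.Sha256ExtractAndExpand`); add the matching entries to CryptoPkg.dsc in the same patch so the settings the package builds with match what the Readme recommends.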
[edk2-devel] [PATCH v3 0/1] CryptoPkg bug fix
https://bugzilla.tianocore.org/show_bug.cgi?id=3991

There is a #define to deprecate Sha1 functions but not all the Sha1 functions are wrapped around this #define causing a build error. The fix is to wrap all Sha1 functions with the #define.

Judah Vang (1):
  CryptoPkg: Sha1 functions causing build errors

 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 +-
 1 file changed, 13 insertions(+), 1 deletion(-)

--
2.35.1.windows.2
[edk2-devel] [PATCH v3 1/1] CryptoPkg: Sha1 functions causing build errors
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3991 Fix build issue when DiSABLE_SHA1_DEPRECATED_INTERFACES is defined. Percolate the #ifndef DiSABLE_SHA1_DEPRECATED_INTERFACES to all the Sha1 functions. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 +- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c index f9796b215865..ede9fa8c09ec 100644 --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c @@ -6,7 +6,7 @@ This API, when called, will calculate the Hash using the hashing algorithm specified by PcdHashApiLibPolicy. - Copyright (c) 2020, Intel Corporation. All rights reserved. + Copyright (c) 2020-2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -33,9 +33,11 @@ HashApiGetContextSize ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1GetContextSize (); break; + #endif case HASH_ALG_SHA256: return Sha256GetContextSize (); @@ -75,9 +77,11 @@ HashApiInit ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Init (HashContext); break; + #endif case HASH_ALG_SHA256: return Sha256Init (HashContext); @@ -119,9 +123,11 @@ HashApiDuplicate ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Duplicate (HashContext, NewHashContext); break; + #endif case HASH_ALG_SHA256: return Sha256Duplicate (HashContext, NewHashContext); 
@@ -165,9 +171,11 @@ HashApiUpdate ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Update (HashContext, DataToHash, DataToHashLen); break; + #endif case HASH_ALG_SHA256: return Sha256Update (HashContext, DataToHash, DataToHashLen); @@ -209,9 +217,11 @@ HashApiFinal ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Final (HashContext, Digest); break; + #endif case HASH_ALG_SHA256: return Sha256Final (HashContext, Digest); @@ -255,9 +265,11 @@ HashApiHashAll ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1HashAll (DataToHash, DataToHashLen, Digest); break; + #endif case HASH_ALG_SHA256: return Sha256HashAll (DataToHash, DataToHashLen, Digest); -- 2.35.1.windows.2
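Review bot: With `case HASH_ALG_SHA1:` compiled out in all six functions, a build that defines DISABLE_SHA1_DEPRECATED_INTERFACES but leaves PcdHashApiLibPolicy set to HASH_ALG_SHA1 now falls into each switch's default branch, which these hunks do not show. Confirm that branch fails closed in every function, and consider a build-time check that rejects this PCD value when the macro is defined. The commit message also spells the macro `DiSABLE_SHA1_DEPRECATED_INTERFACES`, while the code uses `DISABLE_SHA1_DEPRECATED_INTERFACES`; fix the spelling so the message can be found by searching for the macro name.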
Re: [edk2-devel] [PATCH v2 0/2] CryptoPkg bug fixes
Jiewen,

Thanks. Running the CI now.
https://github.com/tianocore/edk2/pull/3609

Judah

-----Original Message-----
From: Yao, Jiewen
Sent: Monday, November 7, 2022 10:48 AM
To: Vang, Judah; devel@edk2.groups.io
Subject: RE: [edk2-devel] [PATCH v2 0/2] CryptoPkg bug fixes

Also, please ensure your patch can pass tiano CI.
I cannot find the PR to CI for those features. Would you please point to me?

Thank you
Yao Jiewen

> -----Original Message-----
> From: Vang, Judah
> Sent: Tuesday, November 8, 2022 2:45 AM
> To: Yao, Jiewen; devel@edk2.groups.io
> Subject: RE: [edk2-devel] [PATCH v2 0/2] CryptoPkg bug fixes
>
> Sure, I can do that. I will resubmit as separate patches.
>
> -----Original Message-----
> From: Yao, Jiewen
> Sent: Monday, November 7, 2022 10:42 AM
> To: devel@edk2.groups.io; Vang, Judah
> Subject: RE: [edk2-devel] [PATCH v2 0/2] CryptoPkg bug fixes
>
> Hey
> Would you please split this patch set into two different ones? They are
> two different HSDs.
>
> Please be aware that we are in software freeze phase now.
>
> I suggest we include 3991 in this release, because it is an important bug fix.
>
> I suggest we defer 3992 to next release, because it is a feature enhancement.
>
> Comment is welcome!
>
> Thank you
> Yao, Jiewen
>
> > -----Original Message-----
> > From: devel@edk2.groups.io On Behalf Of Judah Vang
> > Sent: Tuesday, November 8, 2022 2:37 AM
> > To: devel@edk2.groups.io
> > Subject: [edk2-devel] [PATCH v2 0/2] CryptoPkg bug fixes
> >
> > https://bugzilla.tianocore.org/show_bug.cgi?id=3991
> > https://bugzilla.tianocore.org/show_bug.cgi?id=3992
> >
> > There is a #define to deprecate Sha1 functions but not all the Sha1
> > functions are wrapped around this #define causing a build error. The
> > fix is to wrap all Sha1 functions with the #define.
> >
> > Need crypto AES to be supported for PEI phase and need crypto KDF to
> > be supported for SMM phase. Update Readme to show AES and HKDF
> > defaults.
> >
> > Judah Vang (2):
> >   CryptoPkg: Sha1 functions causing build errors
> >   CryptoPkg: Need to enable crypto functions
> >
> >  CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf    |  2 +-
> >  CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf    |  2 +-
> >  CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 ++-
> >  CryptoPkg/Readme.md                               | 26 +++-
> >  4 files changed, 29 insertions(+), 15 deletions(-)
> >
> > --
> > 2.35.1.windows.2
Re: [edk2-devel] [PATCH v2 0/2] CryptoPkg bug fixes
Sure, I can do that. I will resubmit as separate patches.

-----Original Message-----
From: Yao, Jiewen
Sent: Monday, November 7, 2022 10:42 AM
To: devel@edk2.groups.io; Vang, Judah
Subject: RE: [edk2-devel] [PATCH v2 0/2] CryptoPkg bug fixes

Hey
Would you please split this patch set into two different ones? They are two different HSDs.

Please be aware that we are in software freeze phase now.

I suggest we include 3991 in this release, because it is an important bug fix.

I suggest we defer 3992 to next release, because it is a feature enhancement.

Comment is welcome!

Thank you
Yao, Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Judah Vang
> Sent: Tuesday, November 8, 2022 2:37 AM
> To: devel@edk2.groups.io
> Subject: [edk2-devel] [PATCH v2 0/2] CryptoPkg bug fixes
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=3991
> https://bugzilla.tianocore.org/show_bug.cgi?id=3992
>
> There is a #define to deprecate Sha1 functions but not all the Sha1
> functions are wrapped around this #define causing a build error. The
> fix is to wrap all Sha1 functions with the #define.
>
> Need crypto AES to be supported for PEI phase and need crypto KDF to
> be supported for SMM phase. Update Readme to show AES and HKDF
> defaults.
>
> Judah Vang (2):
>   CryptoPkg: Sha1 functions causing build errors
>   CryptoPkg: Need to enable crypto functions
>
>  CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf    |  2 +-
>  CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf    |  2 +-
>  CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 ++-
>  CryptoPkg/Readme.md                               | 26 +++-
>  4 files changed, 29 insertions(+), 15 deletions(-)
>
> --
> 2.35.1.windows.2
Re: [edk2-devel] [PATCH V1 0/2] CryptoPkg bug fixes
Hi all,

I resubmitted the patches with an update to the CryptoPkg/Readme.
The CryptoPkg.dsc has already been updated with the AES and KDF feature changes.

Thanks!
Judah

-----Original Message-----
From: Kinney, Michael D
Sent: Monday, October 24, 2022 10:22 AM
To: devel@edk2.groups.io; Vang, Judah; Kinney, Michael D
Subject: RE: [edk2-devel] [PATCH V1 0/2] CryptoPkg bug fixes

Hi Judah,

There was an update to CryptoPkg pushed yesterday.

1) There is a CryptoPkg/Readme.md with tables and DSC content for services that are enabled in each phase. I think that needs updates too for the AES and KDF features.

2) The CryptoPkg.dsc file has recommended settings for PEI, DXE, SMM. I think they need to be updated for the AES and KDF features.

3) It looks like the SHA1 disable caused a build break. I would like to see the standard package builds for EDK II CI be updated to cover the failure case so we know that this case is covered in the future. It looks like the default is for SHA1 enabled and the build break is when define for SHA1 disabled is asserted.

4) There is an overlap between the defines to deprecate MD5 and SHA1 and the structured PCD that allows those services to be disabled in the Crypto Protocol/PPI. The defines to deprecate MD5 and SHA1 extend into the BaseCryptLib instance implementations such that a call to those services when static linking will generate a build error instead of a runtime ASSERT(). Which behavior do you prefer?

Best regards,
Mike

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Judah Vang
> Sent: Monday, October 24, 2022 9:42 AM
> To: devel@edk2.groups.io
> Subject: [edk2-devel] [PATCH V1 0/2] CryptoPkg bug fixes
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=3991
> https://bugzilla.tianocore.org/show_bug.cgi?id=3992
>
> There is a #define to deprecate Sha1 functions but not all the Sha1
> functions are wrapped around this #define causing a build error. The
> fix is to wrap all Sha1 functions with the #define.
>
> Need crypto AES to be supported for PEI phase and need crypto KDF to
> be supported for SMM phase.
>
> Judah Vang (2):
>   CryptoPkg: Sha1 functions causing build errors
>   CryptoPkg: Need to enable crypto functions
>
>  CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf    |  2 +-
>  CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf    |  2 +-
>  CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 +-
>  3 files changed, 15 insertions(+), 3 deletions(-)
>
> --
> 2.35.1.windows.2
[edk2-devel] [PATCH v2 2/2] CryptoPkg: Need to enable crypto functions
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3992 V2: Update Readme.md V1: Enable CryptAes for PEI phase. Enable CryptHkdf for SMM phase. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 2 +- CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +- CryptoPkg/Readme.md| 26 +++- 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf index b1629647f9c6..ee5f3cd5d4b6 100644 --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf @@ -43,7 +43,7 @@ [Sources] Hash/CryptParallelHashNull.c Hmac/CryptHmac.c Kdf/CryptHkdf.c - Cipher/CryptAesNull.c + Cipher/CryptAes.c Cipher/CryptAeadAesGcmNull.c Pk/CryptRsaBasic.c Pk/CryptRsaExtNull.c diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf index 0af7a3f96e8f..cc5a53ca92cd 100644 --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf @@ -43,7 +43,7 @@ [Sources] Hash/CryptCShake256.c Hash/CryptParallelHash.c Hmac/CryptHmac.c - Kdf/CryptHkdfNull.c + Kdf/CryptHkdf.c Cipher/CryptAes.c Cipher/CryptAeadAesGcmNull.c Pk/CryptRsaBasic.c diff --git a/CryptoPkg/Readme.md b/CryptoPkg/Readme.md index 067465b8eb7d..fe8fc5e03684 100644 --- a/CryptoPkg/Readme.md +++ b/CryptoPkg/Readme.md 
@@ -447,18 +447,20 @@ and CryptoSmm modules. Common PEI PcdCryptoServiceFamilyEnable Settings ``` - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify | TRUE - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New | TRUE - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free | TRUE - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey | TRUE - gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + 
gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Pkcs1Verify | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.New | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.Free | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Services.SetKey | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword | TRUE + gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Services.Sha256ExtractAndExpand | TRUE ``` Common DXE and SMM PcdCryptoServiceFamilyEnable Settings -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io
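Review bot: In the PeiCryptLib.inf hunk, swapping Cipher/CryptAesNull.c for Cipher/CryptAes.c puts the real AES code into the PEI library instance, and the commit message does not say what that costs in PEI image size. PEI is size-constrained on many platforms, so please give the measured size delta for PEI, and the same for Kdf/CryptHkdf.c replacing Kdf/CryptHkdfNull.c in SmmCryptLib.inf.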
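Review bot: The Readme.md hunk removes and re-adds all twelve existing lines of the "Common PEI PcdCryptoServiceFamilyEnable Settings" block to introduce two new ones (Aes.Family and Hkdf.Services.Sha256ExtractAndExpand), so the real change is buried in lines that appear to differ only in whitespace; please limit the hunk to the two additions or mention the realignment in the commit message. The commit message also says HKDF is being enabled for the SMM phase, yet the only Readme change shown is in the PEI block, so confirm that the "Common DXE and SMM" block already lists Hkdf or update it in this patch.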
[edk2-devel] [PATCH v2 0/2] CryptoPkg bug fixes
https://bugzilla.tianocore.org/show_bug.cgi?id=3991
https://bugzilla.tianocore.org/show_bug.cgi?id=3992

There is a #define to deprecate Sha1 functions but not all the Sha1 functions are wrapped around this #define causing a build error. The fix is to wrap all Sha1 functions with the #define.

Need crypto AES to be supported for PEI phase and need crypto KDF to be supported for SMM phase.

Update Readme to show AES and HKDF defaults.

Judah Vang (2):
  CryptoPkg: Sha1 functions causing build errors
  CryptoPkg: Need to enable crypto functions

 CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf    |  2 +-
 CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf    |  2 +-
 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 ++-
 CryptoPkg/Readme.md                               | 26 +++-
 4 files changed, 29 insertions(+), 15 deletions(-)

--
2.35.1.windows.2
[edk2-devel] [PATCH v2 1/2] CryptoPkg: Sha1 functions causing build errors
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3991 Fix build issue when DiSABLE_SHA1_DEPRECATED_INTERFACES is defined. Percolate the #ifndef DiSABLE_SHA1_DEPRECATED_INTERFACES to all the Sha1 functions. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 +- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c index f9796b215865..ede9fa8c09ec 100644 --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c @@ -6,7 +6,7 @@ This API, when called, will calculate the Hash using the hashing algorithm specified by PcdHashApiLibPolicy. - Copyright (c) 2020, Intel Corporation. All rights reserved. + Copyright (c) 2020-2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -33,9 +33,11 @@ HashApiGetContextSize ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1GetContextSize (); break; + #endif case HASH_ALG_SHA256: return Sha256GetContextSize (); @@ -75,9 +77,11 @@ HashApiInit ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Init (HashContext); break; + #endif case HASH_ALG_SHA256: return Sha256Init (HashContext); @@ -119,9 +123,11 @@ HashApiDuplicate ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Duplicate (HashContext, NewHashContext); break; + #endif case HASH_ALG_SHA256: return Sha256Duplicate (HashContext, NewHashContext); 
@@ -165,9 +171,11 @@ HashApiUpdate ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Update (HashContext, DataToHash, DataToHashLen); break; + #endif case HASH_ALG_SHA256: return Sha256Update (HashContext, DataToHash, DataToHashLen); @@ -209,9 +217,11 @@ HashApiFinal ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Final (HashContext, Digest); break; + #endif case HASH_ALG_SHA256: return Sha256Final (HashContext, Digest); @@ -255,9 +265,11 @@ HashApiHashAll ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1HashAll (DataToHash, DataToHashLen, Digest); break; + #endif case HASH_ALG_SHA256: return Sha256HashAll (DataToHash, DataToHashLen, Digest); -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#96041): https://edk2.groups.io/g/devel/message/96041 Mute This Topic: https://groups.io/mt/94873523/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
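Review bot: In the HashApiGetContextSize hunk, compiling out "case HASH_ALG_SHA1" means that with DISABLE_SHA1_DEPRECATED_INTERFACES defined and PcdHashApiLibPolicy still set to HASH_ALG_SHA1 the function now falls through to the default branch, which the hunk does not show. Please confirm that branch asserts and returns a size that callers cannot go on to allocate and use as a valid context, because the later HashApiInit call is the first point where the failure would otherwise surface.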
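Review bot: In the HashApiInit, HashApiDuplicate, HashApiUpdate, HashApiFinal and HashApiHashAll hunks, the same guard turns a policy mismatch (macro defined, PcdHashApiLibPolicy equal to HASH_ALG_SHA1) from a build error into a run-time failure through the default branch; consider a build-time check on the policy value so the misconfiguration is caught before the image ships. Nothing in this patch adds a CI build with the macro defined, which the V1 review asked for, and the commit message spells the macro "DiSABLE_SHA1_DEPRECATED_INTERFACES" twice while the code uses DISABLE_SHA1_DEPRECATED_INTERFACES, so a search for the macro will not find this commit.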
[edk2-devel] [PATCH v5 02/19] MdeModulePkg: Update AUTH_VARIABLE_INFO struct
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Added NameSize and State to AUTH_VARIABLE_INFO struct. The size of the name and state is needed when creating the variable digest. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Jian J Wang --- MdeModulePkg/Include/Library/AuthVariableLib.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Include/Library/AuthVariableLib.h b/MdeModulePkg/Include/Library/AuthVariableLib.h index 37aceba699e6..32391bbf2b61 100644 --- a/MdeModulePkg/Include/Library/AuthVariableLib.h +++ b/MdeModulePkg/Include/Library/AuthVariableLib.h @@ -1,7 +1,7 @@ /** @file Provides services to initialize and process authenticated variables. -Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved. +Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -25,9 +25,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData))) typedef struct { + UINTN NameSize; CHAR16 *VariableName; EFI_GUID*VendorGuid; UINT32 Attributes; + UINT8 State; UINTN DataSize; VOID*Data; UINT32 PubKeyIndex; -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95982): https://edk2.groups.io/g/devel/message/95982 Mute This Topic: https://groups.io/mt/94840818/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
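Review bot: In the AUTH_VARIABLE_INFO hunk, the two new members are undocumented, and since the commit message says they feed the variable digest their exact meaning matters: state whether NameSize is in bytes or CHAR16 units and whether it includes the terminating NUL, and which values State can take. Inserting NameSize as the first member and State between Attributes and DataSize also shifts every existing field, so any producer that fills this structure positionally or leaves it partly uninitialized has to be updated in the same series; appending the new members, or zero-initializing the structure at every producer, would make the change safer.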
[edk2-devel] [PATCH v5 17/19] SecurityPkg: Add EncryptionVariable lib with AES
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V3: Change AllocateZeroPool() with AllocatePages() and FreePool() with FreePages(). FreePool() is not supported in PEI phase so this was causing a memory leak. Reverse the order of the FreePages() call. V1: Add encryption/decryption of protected variable functionality. Add functions to get/set cipher data of a protected variable. This is use for supporting confidentiality for protected variables. Cc: Jian J Wang Cc: Jiewen Yao Cc: Min Xu Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf | 43 ++ SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h | 49 ++ SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c | 734 3 files changed, 826 insertions(+) diff --git a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf new file mode 100644 index ..7ece52f2fb58 --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf 
@@ -0,0 +1,43 @@ +## @file +# Provides variable encryption/decryption services. +# +# Copyright (c) 2022, Intel Corporation. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010029 + BASE_NAME = EncryptionVariableLib + FILE_GUID = 459E2CB0-AF4B-4415-B6A1-335E71FD8B85 + MODULE_TYPE= BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = EncryptionVariableLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + EncryptionVariable.c + EncryptionVariable.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib + +[Guids] + gEfiVariableGuid + gEfiAuthenticatedVariableGuid diff --git a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h new file mode 100644 index ..f35f9f9e3ad7 --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h 
@@ -0,0 +1,49 @@ +/** @file + Definitions used by this library implementation. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef ENCRYPTION_VARIABLE_H_ +#define ENCRYPTION_VARIABLE_H_ + +#define ENC_KEY_SEPL":" +#define ENC_KEY_SEP_SIZE 2 +#define ENC_KEY_NAME L"VAR_ENC_KEY" +#define ENC_KEY_NAME_SIZE 22 + +#define ENC_KEY_SIZE(256/8) +#define ENC_BLOCK_SIZE AES_BLOCK_SIZE +#define ENC_IVEC_SIZE ENC_BLOCK_SIZE + +#define ENC_PADDING_BYTE 0x0F + +// +// PKCS#5 padding +// +// #define AES_CIPHER_DATA_SIZE(PlainDataSize) +// (AES_BLOCK_SIZE + (PlainDataSize)) & (~(AES_BLOCK_SIZE - 1)) +// +#define AES_CIPHER_DATA_SIZE(PlainDataSize) ALIGN_VALUE (PlainDataSize, AES_BLOCK_SIZE) + +#define FREE_POOL(Address) \ +if ((Address) != NULL) {\ + FreePool (Address); \ + (Address) = NULL; \ +} + +#pragma pack(1) + +typedef struct { + UINT32DataType; // SYM_TYPE_AES + UINT32HeaderSize; // sizeof(VARIABLE_ENCRYPTION_HEADER) + UINT32PlainDataSize;// Plain data size + UINT32CipherDataSize; // Cipher data size + UINT8 KeyIvec[ENC_IVEC_SIZE]; +} VARIABLE_ENCRYPTION_HEADER; + +#pragma pack() + +#endif // _ENCRYPTION_VARIABLE_H_ diff --git a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c new file mode 100644 index ..d128b32f93e0 --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c 
@@ -0,0 +1,734 @@ +/** @file + Implementation of EncryptionVariableLib with AES algorithm support. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include +#include +#include +#include +#include + +#include "EncryptionVariable.h" + +/** + Derive encryption key for given variable from variable root key. + + The derivation algorithm is depicted below + +HKDF_Expand(SHA256, RootKey, Name||':'||Guid||':'||Attr||"VAR_ENC_KEY") + + @param[in]VarEncInfoPointer to structure containing detailed + information about a variable. + @param[in]EncKeySizeSize of key requested. + @param[out] EncKeyBuffer of key. + + @retval TRUEThe key was derived su
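Review bot: In EncryptionVariable.h, the comment above AES_CIPHER_DATA_SIZE says "PKCS#5 padding", but the macro actually defined is ALIGN_VALUE (PlainDataSize, AES_BLOCK_SIZE), which adds no padding block when PlainDataSize is already a multiple of AES_BLOCK_SIZE, unlike the commented-out formula. Combined with the fixed ENC_PADDING_BYTE 0x0F this is not PKCS#5, so please correct the comment and say how the decrypt path recovers the plaintext length (presumably PlainDataSize in VARIABLE_ENCRYPTION_HEADER). In the same hunk, FREE_POOL is a bare if block rather than a do { ... } while (FALSE) macro and wraps FreePool() even though the V3 note says FreePool() is not supported in PEI, so drop it if it is now unused; the closing "#endif // _ENCRYPTION_VARIABLE_H_" also does not match the guard ENCRYPTION_VARIABLE_H_, and ENC_KEY_SEP_SIZE and ENC_KEY_NAME_SIZE are hard-coded rather than derived from the literals.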
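Review bot: In the EncryptionVariable.c function comment, the key derivation is documented as HKDF_Expand only, with the info string Name||':'||Guid||':'||Attr||"VAR_ENC_KEY" and no separator before the final label, although the header defines ENC_KEY_SEP. Please confirm the comment matches the bytes the code actually concatenates, and document the assumption that RootKey is already a uniformly random key, since skipping the HKDF extract step is only sound under that condition.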
[edk2-devel] [PATCH v5 19/19] SecurityPkg: Add references to new *.inf files
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add references to the different *ProtectedVariableLib.inf. Also add references to VariableKeyLibNull.inf, EncryptionVariableLibNull.inf, ProtectedVariableNull.inf. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/SecurityPkg.dsc | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 6bf53c565882..3134b103ff53 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -1,7 +1,7 @@ ## @file # Security Module Package for All Architectures. # -# Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP # Copyright (c) 2022, Loongson Technology Corporation Limited. All rights reserved. # SPDX-License-Identifier: BSD-2-Clause-Patent @@ -67,8 +67,11 @@ [LibraryClasses] TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSystemLibNull.inf + + # These should be Null by default VariableKeyLib|SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf + EncryptionVariableLib|SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf 
@@ -261,9 +264,17 @@ [Components] # # Variable Confidentiality & Integrity # + SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf + SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf + SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf + SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf + SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf + SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf + SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf + SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf # # Other -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95999): https://edk2.groups.io/g/devel/message/95999 Mute This Topic: https://groups.io/mt/94840835/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
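Review bot: In the [LibraryClasses] hunk, the new comment "# These should be Null by default" is followed by VariableKeyLib, RpmcLib and the added EncryptionVariableLib, but nothing separates that group from TcgEventLogRecordLib on the next line, so it is unclear which mappings the comment covers. Add a blank line after the EncryptionVariableLib entry, and say in the comment why the Null instances are the default.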
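Review bot: The commit message says references to ProtectedVariableNull.inf are added, but the [Components] hunk lists only the four phase-specific ProtectedVariableLib instances and neither hunk contains a ProtectedVariableLib mapping or a Null instance of it. Either add the Null instance and its library class mapping or correct the commit message. EncryptionVariableLibNull.inf is also added after PlatformPKProtectionLibVarPolicy.inf, away from the other variable confidentiality entries; keeping it next to EncryptionVariableLib.inf would make the section easier to audit.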
[edk2-devel] [PATCH v5 16/19] SecurityPkg: Add VariableKey library function
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V5: Applied code review comments. Add PEIM to library class V1: Provide function that retrieves the key for protected variables. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf | 36 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c | 59 2 files changed, 95 insertions(+) diff --git a/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf new file mode 100644 index ..a9f7bb5afefd --- /dev/null +++ b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf @@ -0,0 +1,36 @@ +## @file +# Provides default implementation of VariableKeyLib. +# +# Copyright (c) 2022, Intel Corporation. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010029 + BASE_NAME = VariableKeyLib + FILE_GUID = 7DF5A0BA-1DBB-4E67-A9F7-9FCCB1F9D250 + MODULE_TYPE= BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = VariableKeyLib|PEIM + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 Arm AArch64 +# + +[Sources] + VariableKeyLib.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + +[PpiS] + gKeyServicePpiGuid ## CONSUMES + diff --git a/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c new file mode 100644 index ..31b22782cb0c --- /dev/null +++ b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c 
@@ -0,0 +1,59 @@ +/** @file + VariableKeyLib implementation. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include +#include + +#include + +#define VAR_KEY_SALT L"Key for RPMC Variable" +#define VAR_KEY_SALT_SIZE sizeof (VAR_KEY_SALT) + +/** + Retrieves the key for integrity and/or confidentiality of variables. + + @param[out] VariableKey A pointer to pointer for the variable key buffer. + @param[in] VariableKeySize The size in bytes of the variable key. + + @retval EFI_SUCCESS The variable key was returned. + @retval EFI_DEVICE_ERRORAn error occurred while attempting to get the variable key. + @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface. + @retval EFI_UNSUPPORTED The variable key is not supported in the current boot configuration. +**/ +EFI_STATUS +EFIAPI +GetVariableKey ( + OUT VOID *VariableKey, + IN UINTN VariableKeySize + ) +{ + EFI_STATUS Status; + KEY_SERVICE_PPI *KeyService; + + Status = PeiServicesLocatePpi ( + &gKeyServicePpiGuid, + 0, + NULL, + (void **)&KeyService + ); + if (EFI_ERROR (Status)) { +ASSERT_EFI_ERROR (Status); +return Status; + } + + Status = KeyService->GenerateKey ( + (UINT8 *)VAR_KEY_SALT, + VAR_KEY_SALT_SIZE, + VariableKey, + VariableKeySize + ); + return Status; +} -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95996): https://edk2.groups.io/g/devel/message/95996 Mute This Topic: https://groups.io/mt/94840832/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
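Review bot: In VariableKeyLib.inf, MODULE_TYPE is BASE while LIBRARY_CLASS restricts the library to PEIM and the source calls PeiServicesLocatePpi(); the module type should be PEIM, and [LibraryClasses] declares only BaseLib and DebugLib, so PeiServicesLib is missing. The section header "[PpiS]" should be written "[Ppis]" for consistency with the other INF files in this series.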
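Review bot: In GetVariableKey() in VariableKeyLib.c, neither VariableKey nor VariableKeySize is checked before being passed to KeyService->GenerateKey(); return EFI_INVALID_PARAMETER for a NULL buffer or a zero size and add that code to the @retval list. The function comment still describes VariableKey as "A pointer to pointer for the variable key buffer" although the parameter is a caller-supplied "VOID *" buffer. VAR_KEY_SALT_SIZE is sizeof of a CHAR16 literal, so the salt is UTF-16 and includes the terminating NUL; say so in a comment, because any other producer of this key must feed the same bytes. "(void **)&KeyService" should use VOID per EDK II style.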
[edk2-devel] [PATCH v5 12/19] SecurityPkg: Add new variable types and functions
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add new variable encryption/decryption function prototypes. Add new variable digest structure. Add new Protected variable function prototypes. Update RPMC APIs to Add an index because there is could more than one counter. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Include/Library/RpmcLib.h| 15 +--- SecurityPkg/Include/Library/VariableKeyLib.h | 37 +++- 2 files changed, 16 insertions(+), 36 deletions(-) diff --git a/SecurityPkg/Include/Library/RpmcLib.h b/SecurityPkg/Include/Library/RpmcLib.h index df4ba34ba8cf..cb71dfcd7e4d 100644 --- a/SecurityPkg/Include/Library/RpmcLib.h +++ b/SecurityPkg/Include/Library/RpmcLib.h @@ -1,19 +1,23 @@ /** @file Public definitions for the Replay Protected Monotonic Counter (RPMC) Library. -Copyright (c) 2020, Intel Corporation. All rights reserved. +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ -#ifndef _RPMC_LIB_H_ -#define _RPMC_LIB_H_ +#ifndef RPMC_LIB_H_ +#define RPMC_LIB_H_ #include +#define RPMC_COUNTER_1 0 +#define RPMC_COUNTER_2 1 + /** Requests the monotonic counter from the designated RPMC counter. + @param[in]CounterIndexThe RPMC index @param[out] CounterValueA pointer to a buffer to store the RPMC value. @retval EFI_SUCCESS The operation completed successfully. @@ -23,12 +27,15 @@ SPDX-License-Identifier: BSD-2-Clause-Patent EFI_STATUS EFIAPI RequestMonotonicCounter ( + IN UINT8 CounterIndex, OUT UINT32 *CounterValue ); /** Increments the monotonic counter in the SPI flash device by 1. + @param[in]CounterIndexThe RPMC index + @retval EFI_SUCCESS The operation completed successfully. @retval EFI_DEVICE_ERRORA device error occurred while attempting to update the counter. @retval EFI_UNSUPPORTED The operation is un-supported. 
@@ -36,7 +43,7 @@ RequestMonotonicCounter ( EFI_STATUS EFIAPI IncrementMonotonicCounter ( - VOID + IN UINT8 CounterIndex ); #endif diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h b/SecurityPkg/Include/Library/VariableKeyLib.h index 561ebad09da2..6076c4d4731b 100644 --- a/SecurityPkg/Include/Library/VariableKeyLib.h +++ b/SecurityPkg/Include/Library/VariableKeyLib.h @@ -1,13 +1,13 @@ /** @file Public definitions for Variable Key Library. -Copyright (c) 2020, Intel Corporation. All rights reserved. +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ -#ifndef _VARIABLE_KEY_LIB_H_ -#define _VARIABLE_KEY_LIB_H_ +#ifndef VARIABLE_KEY_LIB_H_ +#define VARIABLE_KEY_LIB_H_ #include 
@@ -25,35 +25,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent EFI_STATUS EFIAPI GetVariableKey ( - OUT VOID **VariableKey, - IN OUT UINTN *VariableKeySize - ); - -/** - Regenerates the variable key. - - @retval EFI_SUCCESS The variable key was regenerated successfully. - @retval EFI_DEVICE_ERRORAn error occurred while attempting to regenerate the key. - @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface. - @retval EFI_UNSUPPORTED Key regeneration is not supported in the current boot configuration. -**/ -EFI_STATUS -EFIAPI -RegenerateVariableKey ( - VOID - ); - -/** - Locks the regenerate key interface. - - @retval EFI_SUCCESS The key interface was locked successfully. - @retval EFI_UNSUPPORTED Locking the key interface is not supported in the current boot configuration. - @retval Others An error occurred while attempting to lock the key interface. -**/ -EFI_STATUS -EFIAPI -LockVariableKeyInterface ( - VOID + OUT VOID *VariableKey, + IN UINTN VariableKeySize ); #endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95992): https://edk2.groups.io/g/devel/message/95992 Mute This Topic: https://groups.io/mt/94840828/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
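Review bot: In the RpmcLib.h hunks, CounterIndex is a UINT8 but only RPMC_COUNTER_1 (0) and RPMC_COUNTER_2 (1) are defined, and neither RequestMonotonicCounter nor IncrementMonotonicCounter documents the valid range or a return code for an out-of-range index; the @retval lines shown cover only EFI_SUCCESS, EFI_DEVICE_ERROR and EFI_UNSUPPORTED. Please document the range and add EFI_INVALID_PARAMETER. Naming index 0 "RPMC_COUNTER_1" also invites off-by-one mistakes at call sites.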
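Review bot: The VariableKeyLib.h hunk deletes RegenerateVariableKey() and LockVariableKeyInterface() from the public header, but the commit message lists only additions and never mentions the removal. Dropping the lock call changes the security contract of the library, since callers can no longer close the key interface themselves, so the commit message should state where key lock-down happens now. The commit message also promises new encryption/decryption prototypes, a variable digest structure and protected variable prototypes, none of which appear in the two files this patch touches; please align the message with the diff.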
[edk2-devel] [PATCH v5 14/19] SecurityPkg: Fix GetVariableKey API
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V4: Applied code review - function comments need to match function prototype. V1: Fix GetVariableKey API to match changes in header files. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c index a08def767b5f..2cf4b3cbf9f6 100644 --- a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c +++ b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c @@ -1,7 +1,7 @@ /** @file Null version of VariableKeyLib for build purpose. Don't use it in real product. -Copyright (c) 2020, Intel Corporation. All rights reserved. +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -12,7 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent Retrieves the key for integrity and/or confidentiality of variables. @param[out] VariableKey A pointer to pointer for the variable key buffer. - @param[in,out] VariableKeySize The size in bytes of the variable key. + @param[in] VariableKeySize The size in bytes of the variable key. @retval EFI_SUCCESS The variable key was returned. @retval EFI_DEVICE_ERRORAn error occurred while attempting to get the variable key. 
@@ -22,8 +22,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent EFI_STATUS EFIAPI GetVariableKey ( - OUT VOID **VariableKey, - IN OUT UINTN *VariableKeySize + OUT VOID *VariableKey, + IN UINTN VariableKeySize ) { ASSERT (FALSE); -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95994): https://edk2.groups.io/g/devel/message/95994 Mute This Topic: https://groups.io/mt/94840830/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
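Review bot: In the function comment hunk of VariableKeyLibNull.c, only the VariableKeySize line was updated; the line above it still reads "@param[out] VariableKey A pointer to pointer for the variable key buffer" although the prototype is now "OUT VOID *VariableKey", so the V4 goal of matching the comment to the prototype is not met. Because the body starts with ASSERT (FALSE), which compiles out in release builds, please also confirm the function returns an error status such as EFI_UNSUPPORTED after the assert, so a platform that links this Null instance by mistake cannot continue with an unfilled key buffer.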
[edk2-devel] [PATCH v5 07/19] MdeModulePkg: Add new Variable functionality
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V5: Add PEI Variable Protection into a new directory and leave the existing PEI Variable unchanged. V3: Update GetNvVariableStore() to call GetVariableFlashNvStorageInfo() and SafeUint64ToUint32(). V1: Provide new APIs for retrieving variable information. Add new function stubs for retrieving Protected variable information. Cc: Jian J Wang Cc: Liming Gao Cc: Hao A Wu Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Acked-by: Hao A Wu --- MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf | 79 ++ MdeModulePkg/Universal/Variable/Protected/Pei/Variable.h | 225 + MdeModulePkg/Universal/Variable/Protected/Pei/VariableParsing.h| 309 +++ MdeModulePkg/Universal/Variable/Protected/Pei/VariableStore.h | 116 +++ MdeModulePkg/Universal/Variable/Protected/Pei/Variable.c | 628 + MdeModulePkg/Universal/Variable/Protected/Pei/VariableParsing.c| 941 MdeModulePkg/Universal/Variable/Protected/Pei/VariableStore.c | 307 +++ MdeModulePkg/Universal/Variable/Protected/Pei/PeiVariable.uni | 16 + MdeModulePkg/Universal/Variable/Protected/Pei/PeiVariableExtra.uni | 14 + 9 files changed, 2635 insertions(+) diff --git a/MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf b/MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf new file mode 100644 index ..953a7c6b884f --- /dev/null +++ b/MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf 
@@ -0,0 +1,79 @@ +## @file +# Implements ReadOnly Variable Services required by PEIM and installs PEI ReadOnly Varaiable2 PPI. +# +# This module implements ReadOnly Variable Services required by PEIM and installs PEI ReadOnly Varaiable2 PPI. +# +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010005 + BASE_NAME = PeiVariable + MODULE_UNI_FILE= PeiVariable.uni + FILE_GUID = 8D104D19-593B-4DDF-81CF-8168A9EDE9C7 + MODULE_TYPE= PEIM + VERSION_STRING = 1.0 + ENTRY_POINT= PeimInitializeVariableServices + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 EBC +# + +[Sources] + Variable.c + Variable.h + VariableStore.c + VariableStore.h + VariableParsing.c + VariableParsing.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + +[LibraryClasses] + BaseMemoryLib + PcdLib + HobLib + PeimEntryPoint + DebugLib + PeiServicesTablePointerLib + PeiServicesLib + SafeIntLib + VariableFlashInfoLib + ProtectedVariableLib + +[Guids] + ## CONSUMES ## GUID # Variable store header + ## SOMETIMES_CONSUMES ## HOB + gEfiAuthenticatedVariableGuid + ## SOMETIMES_CONSUMES ## GUID # Variable store header + ## SOMETIMES_CONSUMES ## HOB + gEfiVariableGuid + ## SOMETIMES_PRODUCES ## HOB + ## SOMETIMES_CONSUMES ## HOB + gEfiVariableIndexTableGuid + gEfiSystemNvDataFvGuid## SOMETIMES_CONSUMES ## GUID + ## SOMETIMES_CONSUMES ## HOB + ## CONSUMES ## GUID # Dependence + gEdkiiFaultTolerantWriteGuid + +[Ppis] + gEfiPeiReadOnlyVariable2PpiGuid## PRODUCES + gEfiPeiVariableStoreDiscoveredPpiGuid ## CONSUMES + +[Pcd] + gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable ## SOMETIMES_CONSUMES + +[Depex] + gEdkiiFaultTolerantWriteGuid + +# [BootMode] +# RECOVERY_FULL ## SOMETIMES_CONSUMES + +[UserExtensions.TianoCore."ExtraFiles"] + PeiVariableExtra.uni 
diff --git a/MdeModulePkg/Universal/Variable/Protected/Pei/Variable.h b/MdeModulePkg/Universal/Variable/Protected/Pei/Variable.h new file mode 100644 index ..1bdbdd2b807b --- /dev/null +++ b/MdeModulePkg/Universal/Variable/Protected/Pei/Variable.h @@ -0,0 +1,225 @@ +/** @file + The internal header file includes the common header files, defines + internal structure and functions used by PeiVariable module. + +Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef PEI_VARIABLE_H_ +#define PEI_VARIABLE_H_ + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +typedef enum { + VariableStoreTypeHob, + VariableStoreTypeNv, + VariableStoreTypeMax +} VARIABLE_STORE_TYPE; + +typedef struct { + VARIABLE_STORE_HEADER *VariableStoreHeader; + VARIABLE_INDEX_TABLE*IndexTable; + // + // If it is not NULL, it means there may be an inconsecutive variable whose + // partial
[edk2-devel] [PATCH v5 15/19] SecurityPkg: Add null encryption variable libs
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V4: Applied code review - Remove empty Guids section from .inf file. Update description in *.c. Remove *.uni file and reference to it. V1: Provide null ecryption variable libraries. These will be used by default for platforms that don't support protected variable encryption. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf | 34 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c | 92 2 files changed, 126 insertions(+) diff --git a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf new file mode 100644 index ..185b6f9bedf7 --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf @@ -0,0 +1,34 @@ +## @file +# Provides NULL version of encryption variable services. +# +# Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010005 + BASE_NAME = EncryptionVariableLibNull + FILE_GUID = 3972E6FE-74D5-45C3-A9FB-DB9E5E5C9C17 + MODULE_TYPE= BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = EncryptionVariableLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + EncryptionVariable.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + DebugLib diff --git a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c new file mode 100644 index ..52ee8a7b5aae --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c 
@@ -0,0 +1,92 @@ +/** @file + NULL implementation of EncryptionVariableLib. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include + +/** + Encrypt variable data. + + Null version. + + @param[in, out] VarEncInfo Pointer to structure containing detailed + information about a variable. + + @retval EFI_UNSUPPORTED Unsupported to encrypt variable. + +**/ +EFI_STATUS +EFIAPI +EncryptVariable ( + IN OUT VARIABLE_ENCRYPTION_INFO *VarEncInfo + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Decrypt variable data. + + Null version. + + @param[in, out] VarEncInfo Pointer to structure containing detailed + information about a variable. + + @retval EFI_UNSUPPORTED Unsupported to encrypt variable. + +**/ +EFI_STATUS +EFIAPI +DecryptVariable ( + IN OUT VARIABLE_ENCRYPTION_INFO *VarEncInfo + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Get cipher information. + + Null version. + + @param[in] VarEncInfo Pointer to structure containing detailed +information about a variable. + + @retval EFI_UNSUPPORTED Unsupported interface. + +**/ +EFI_STATUS +EFIAPI +GetCipherDataInfo ( + IN VARIABLE_ENCRYPTION_INFO *VarEncInfo + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Set cipher information for a variable. + + Null version. + + @param[in] VarEncInfo Pointer to structure containing detailed +information about a variable. + + @retval EFI_UNSUPPORTED If this method is not supported. + +**/ +EFI_STATUS +EFIAPI +SetCipherDataInfo ( + IN VARIABLE_ENCRYPTION_INFO *VarEncInfo + ) +{ + return EFI_UNSUPPORTED; +} -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95995): https://edk2.groups.io/g/devel/message/95995 Mute This Topic: https://groups.io/mt/94840831/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
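Review bot: All four stubs in EncryptionVariable.c return EFI_UNSUPPORTED, but neither the @file comment nor the function headers say how a caller must react to that status. The commit message says this instance is the default for platforms without protected variable encryption, so the contract should be written down here: EFI_UNSUPPORTED means no confidentiality is available and the data is handled as plaintext, and it is not a transient failure to retry or ignore. Separately, the DecryptVariable() header repeats "@retval EFI_UNSUPPORTED Unsupported to encrypt variable." from EncryptVariable(); it should say decrypt.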
[edk2-devel] [PATCH v5 10/19] SecurityPkg: Add new GUIDs for
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 The gEdkiiProtectedVariableGlobalGuid HOB contains the global configuration data structure which is verified in PEI Phase. The gEdkiiMetaDataHmacVariableGuid is used for saving the meta data HMAC variable. The gEdkiiProtectedVariableContextGuid contains the Protected Variable context saved in PEI phase to be used later. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Jian J Wang --- SecurityPkg/SecurityPkg.dec | 43 +++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 7ecf9565d98c..5e20111cceb7 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -5,7 +5,7 @@ # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library classes) # and libraries instances, which are used for those features. # -# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved. +# Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2015 Hewlett Packard Enterprise Development LP # Copyright (c) Microsoft Corporation. # SPDX-License-Identifier: BSD-2-Clause-Patent 
@@ -226,6 +226,18 @@ [Guids] ## GUID used to specify section with default dbt content gDefaultdbtFileGuid= { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } } + ## Include/Guid/ProtectedVariable.h + # {8EBF379A-F18E-4728-A410-00CF9A65BE91} + gEdkiiProtectedVariableGlobalGuid = { 0x8ebf379a, 0xf18e, 0x4728, { 0xa4, 0x10, 0x0, 0xcf, 0x9a, 0x65, 0xbe, 0x91 } } + + ## Include/Guid/ProtectedVariable.h + # {e3e890ad-5b67-466e-904f-94ca7e9376bb} + gEdkiiMetaDataHmacVariableGuid = {0xe3e890ad, 0x5b67, 0x466e, {0x90, 0x4f, 0x94, 0xca, 0x7e, 0x93, 0x76, 0xbb}} + + ## Include/Guid/ProtectedVariable.h + # {a11a3652-875b-495a-b097-200917580b98} + gEdkiiProtectedVariableContextGuid = {0xa11a3652, 0x875b, 0x495a, {0xb0, 0x97, 0x20, 0x09, 0x17, 0x58, 0x0b, 0x98} } + [Ppis] ## The PPI GUID for that TPM physical presence should be locked. # Include/Ppi/LockPhysicalPresence.h @@ -251,6 +263,10 @@ [Ppis] ## Include/Ppi/Tcg.h gEdkiiTcgPpiGuid = {0x57a13b87, 0x133d, 0x4bf3, { 0xbf, 0xf1, 0x1b, 0xca, 0xc7, 0x17, 0x6c, 0xf1 } } + ## Key Service Ppi + # Include/Ppi/KeyServicePpi.h + gKeyServicePpiGuid = {0x583592f6, 0xEC34, 0x4CED, {0x8E, 0x81, 0xC8, 0xD1, 0x36, 0x93, 0x04, 0x27}} + # # [Error.gEfiSecurityPkgTokenSpaceGuid] # 0x8001 | Invalid value provided. 
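Review bot: In the [Guids] hunk, gEdkiiMetaDataHmacVariableGuid is declared as {e3e890ad-5b67-466e-904f-94ca7e9376bb}, but patch 03/19 of this series defines EDKII_METADATA_HMAC_VARIABLE_GUID in ProtectedVariable.h as { 0xb54cda50, 0xec54, 0x4b20, ... }. One of the two is wrong, and code that uses the macro will not match a variable stored under the .dec value; please make them agree. The "## Include/Guid/ProtectedVariable.h" comments also point at a header that 03/19 adds under MdeModulePkg/Include/Guid/, so either the GUIDs belong in MdeModulePkg.dec or the comments need the package path. In the [Ppis] hunk, gKeyServicePpiGuid would read better as gEdkiiKeyServicePpiGuid, matching gEdkiiTcgPpiGuid just above it.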
@@ -334,6 +350,31 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] gEfiSecurityPkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm|{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}|VOID*|0x00010032 + ## Progress Code for variable integrity check result. + # DEFAULT: (EFI_PERIPHERAL_FIXED_MEDIA | [EFI_STATUS&0xFF]) + # @Prompt Status Code for variable integiry check result + gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeVariableIntegrity|0x0107|UINT32|0x00010033 + + ## Null-terminated Unicode string of the Platform Variable Name + # @Prompt known unprotected variable name + gEfiSecurityPkgTokenSpaceGuid.PcdPlatformVariableName|L""|VOID*|0x00010034 + + ## Guid name to identify Platform Variable Guid + # @Prompt known unprotected variable guid + gEfiSecurityPkgTokenSpaceGuid.PcdPlatformVariableGuid|{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }|VOID*|0x00010035 + + ## Defines Protected Variable Integrity support. + # TRUE - Enable Protected Variable Integrity. + # FALSE - Disable Protected Variable Integrity. + # @Prompt Protected Variable Integrity support. + gEfiSecurityPkgTokenSpaceGuid.PcdProtectedVariableIntegrity|FALSE|BOOLEAN|0x00010036 + + ## Defines Protected Variable Confidentiality support. + # TRUE - Enable Protected Variable Confidentiality. + # FALSE - Disable Protected Variable Confidentiality. + # @Prompt Protected Variable Integrity support. + gEfiSecurityPkgTokenSpaceGuid.PcdProtectedVariableConfidentiality|FALSE|BOOLEAN|0x00010037 + [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] ## Image verification policy for OptionRom. Only following values are valid: # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed. -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. 
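Review bot: PcdProtectedVariableConfidentiality carries the prompt "Protected Variable Integrity support.", copied from the PCD above it; it should say Confidentiality, and "integiry" in the PcdStatusCodeVariableIntegrity prompt needs fixing. PcdPlatformVariableName and PcdPlatformVariableGuid are documented only as "known unprotected variable": please state in the comment what unprotected means here (exempt from the integrity check, from encryption, or both) and what the empty defaults select. That matters because the hunk header shows these PCDs land in a [PcdsFixedAtBuild, PcdsPatchableInModule] section, so the exemption and the two BOOLEAN enable flags can be patched in a built module; consider restricting at least the enable flags to PcdsFixedAtBuild.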
[edk2-devel] [PATCH v5 11/19] SecurityPkg: Add new KeyService types and defines
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V4: revert copyright date change. V1: Add new KeyService types and defines. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Include/Ppi/KeyServicePpi.h | 57 1 file changed, 57 insertions(+) diff --git a/SecurityPkg/Include/Ppi/KeyServicePpi.h b/SecurityPkg/Include/Ppi/KeyServicePpi.h new file mode 100644 index ..8cfec04f96e5 --- /dev/null +++ b/SecurityPkg/Include/Ppi/KeyServicePpi.h 
@@ -0,0 +1,57 @@ +/** @file + Provides Key Services. + +Copyright (c) 2008 - 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +@par Specification Reference: +**/ + +#ifndef PEI_KEY_SERVICE_PPI_H_ +#define PEI_KEY_SERVICE_PPI_H_ +/// +/// KEY SERVICE PPI GUID +/// +extern EFI_GUID gKeyServicePpiGuid; + +/** + Generate a new key from root key. + + @param[in] Salt Pointer to the salt(non-secret) value. + @param[in] SaltSize Salt size in bytes. + @param[out] NewKey Pointer to buffer to receive new key. + @param[in] NewKeySize Size of new key bytes to generate. + + @retval EFI_SUCCESS The function completed successfully + @retval OTHER The function completed with failure. +**/ +typedef +EFI_STATUS +(EFIAPI *KEY_SERVICE_GEN_KEY)( + IN UINT8*Salt, + IN UINTNSaltSize, + OUT UINT8*NewKey, + IN UINTNNewKeySize + ); + +#define KEY_SERVICE_PPI_REVISION 1 +#define ROOT_KEY_LEN 64 +#define SALT_SIZE_MIN_LEN 64 +#define KEY_SERVICE_KEY_NAME L"KEY_SERVICE_KEY" + +typedef struct { + UINT8RootKey[ROOT_KEY_LEN]; + UINT8PreviousRootKey[ROOT_KEY_LEN]; +} KEY_SERVICE_DATA; + +typedef struct _KEY_SERVICE_PPI KEY_SERVICE_PPI; + +/// +/// KEY SERVICE PPI +/// The interface functions are for Key Service in PEI Phase +/// +struct _KEY_SERVICE_PPI { + KEY_SERVICE_GEN_KEYGenerateKey; /// Generate Key +}; + +#endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95991): https://edk2.groups.io/g/devel/message/95991 Mute This Topic: https://groups.io/mt/94840827/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
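Review bot: KEY_SERVICE_PPI_REVISION is defined but struct _KEY_SERVICE_PPI has no Revision member, so a consumer cannot check which interface version it located; add the field or drop the define. The KEY_SERVICE_GEN_KEY header does not say that SaltSize must be at least SALT_SIZE_MIN_LEN or which status is returned when it is not, and "@retval OTHER" is too loose for a key-derivation call; Salt should also be CONST. KEY_SERVICE_DATA lays out RootKey and PreviousRootKey in a public PPI header although the only PPI member is GenerateKey; unless consumers need the raw root keys, move that struct and KEY_SERVICE_KEY_NAME into the producer's private header. The empty "@par Specification Reference:" line can be removed.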
[edk2-devel] [PATCH v5 13/19] SecurityPkg: Update RPMC APIs with index
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Update RPMC APIs with index parameter because sometimes there are more than 1 RPMC counter on the platform. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Jian J Wang --- SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c index 792e48250e5d..557aeb6abf09 100644 --- a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c +++ b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c @@ -1,7 +1,7 @@ /** @file NULL RpmcLib instance for build purpose. -Copyright (c) 2020, Intel Corporation. All rights reserved. +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent /** Requests the monotonic counter from the designated RPMC counter. + @param[in]CounterIndexThe RPMC index @param[out] CounterValueA pointer to a buffer to store the RPMC value. @retval EFI_SUCCESS The operation completed successfully. @@ -21,6 +22,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent EFI_STATUS EFIAPI RequestMonotonicCounter ( + IN UINT8 CounterIndex, OUT UINT32 *CounterValue ) { @@ -31,6 +33,8 @@ RequestMonotonicCounter ( /** Increments the monotonic counter in the SPI flash device by 1. + @param[in]CounterIndexThe RPMC index + @retval EFI_SUCCESS The operation completed successfully. @retval EFI_DEVICE_ERRORA device error occurred while attempting to update the counter. @retval EFI_UNSUPPORTED The operation is un-supported. 
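Review bot: The new "@param[in] CounterIndex The RPMC index" lines in both function headers give no valid range, and the @retval lists (EFI_SUCCESS, EFI_DEVICE_ERROR, EFI_UNSUPPORTED) gain no entry for an index the platform does not have. Since the commit message says a platform can have more than one counter, document how many indices exist or how a caller discovers that, and add EFI_INVALID_PARAMETER for an out-of-range CounterIndex so callers can tell a wrong index from a device error.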
@@ -38,7 +42,7 @@ RequestMonotonicCounter ( EFI_STATUS EFIAPI IncrementMonotonicCounter ( - VOID + IN UINT8 CounterIndex ) { ASSERT (FALSE); -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95993): https://edk2.groups.io/g/devel/message/95993 Mute This Topic: https://groups.io/mt/94840829/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
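Review bot: RequestMonotonicCounter() and IncrementMonotonicCounter() change signature here, but the diffstat lists only RpmcLibNull.c. The RpmcLib class header that declares these prototypes, and every other instance or caller, has to change in the same patch; otherwise the tree does not build at this commit and bisection breaks. If the header is updated elsewhere in the series, fold that change in here.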
[edk2-devel] [PATCH v5 05/19] MdeModulePkg: Add new GUID for Variable Store Info
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Discover if Variable Store Info HOB has been published by platform driver. It contains information in regards to HOB or NV Variable Store availability Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Jian J Wang --- MdeModulePkg/MdeModulePkg.dec | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index 58e6ab004882..e896dd038479 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec @@ -4,7 +4,7 @@ # and libraries instances, which are used for those modules. # # Copyright (c) 2019, NVIDIA CORPORATION. All rights reserved. -# Copyright (c) 2007 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2007 - 2022, Intel Corporation. All rights reserved. # Copyright (c) 2016, Linaro Ltd. All rights reserved. # (C) Copyright 2016 - 2019 Hewlett Packard Enterprise Development LP # Copyright (c) 2017, AMD Incorporated. All rights reserved. @@ -93,6 +93,14 @@ [LibraryClasses] # TpmMeasurementLib|Include/Library/TpmMeasurementLib.h + ## @libraryclass Provides interfaces to encrypt/decrypt variable. + # + EncryptionVariableLib|Include/Library/EncryptionVariableLib.h + + ## @libraryclass Provides interfaces to encrypt/decrypt variable. + # + ProtectedVariableLib|Include/Library/ProtectedVariableLib.h + ## @libraryclass Provides authenticated variable services. # AuthVariableLib|Include/Library/AuthVariableLib.h 
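Review bot: The ProtectedVariableLib entry reuses the EncryptionVariableLib description, "Provides interfaces to encrypt/decrypt variable."; it should describe what that class provides, which per the 04/19 commit message is integrity for variables. The subject and commit message also mention only a Variable Store Info GUID and HOB, while this hunk adds two library classes; either mention them in the message or move them to the patch that adds the two headers.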
@@ -516,6 +524,9 @@ [Ppis] gEdkiiPeiCapsuleOnDiskPpiGuid = { 0x71a9ea61, 0x5a35, 0x4a5d, { 0xac, 0xef, 0x9c, 0xf8, 0x6d, 0x6d, 0x67, 0xe0 } } gEdkiiPeiBootInCapsuleOnDiskModePpiGuid = { 0xb08a11e4, 0xe2b7, 0x4b75, { 0xb5, 0x15, 0xaf, 0x61, 0x6, 0x68, 0xbf, 0xd1 } } + ## Include/Ppi/ReadOnlyVariable2.h + gEfiPeiVariableStoreDiscoveredPpiGuid = { 0xa2fc038d, 0xfdf5, 0x4501, { 0xaf, 0x8e, 0x69, 0xb0, 0x20, 0xec, 0xe6, 0x63 } } + [Protocols] ## Load File protocol provides capability to load and unload EFI image into memory and execute it. # Include/Protocol/LoadPe32Image.h -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95986): https://edk2.groups.io/g/devel/message/95986 Mute This Topic: https://groups.io/mt/94840822/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
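Review bot: gEfiPeiVariableStoreDiscoveredPpiGuid gets the gEfi prefix and the comment "## Include/Ppi/ReadOnlyVariable2.h", but its value is declared here in MdeModulePkg.dec while 01/19 adds the extern to MdePkg/Include/Ppi/ReadOnlyVariable2.h. A GUID whose extern lives in an MdePkg header should be declared in MdePkg.dec; if it is an EDK II extension, name it gEdkii... and declare the extern in an MdeModulePkg header instead. The commit message also describes a Variable Store Info HOB while the GUID is added under [Ppis]; please make the two agree.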
[edk2-devel] [PATCH v5 04/19] MdeModulePkg: Add new include files
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V4: Updated with review comments for misspellings, mismatch function prototype, missing function header comments, incorrect function description. V1: Add EncryptionVariableLib.h for providing encryption and decryption services for protected variables. Add ProtectedVariableLib.h for providing integrity or variables. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/Include/Library/EncryptionVariableLib.h | 165 ++ MdeModulePkg/Include/Library/ProtectedVariableLib.h | 607 2 files changed, 772 insertions(+) diff --git a/MdeModulePkg/Include/Library/EncryptionVariableLib.h b/MdeModulePkg/Include/Library/EncryptionVariableLib.h new file mode 100644 index ..68981f5aad6a --- /dev/null +++ b/MdeModulePkg/Include/Library/EncryptionVariableLib.h 
@@ -0,0 +1,165 @@ +/** @file + Provides services to encrypt/decrypt variables. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef ENCRYPTION_VARIABLE_LIB_H_ +#define ENCRYPTION_VARIABLE_LIB_H_ + +#include + +#include + +#include + +#define ENC_TYPE_NULL 0 +#define ENC_TYPE_AES TPM_ALG_AES + +typedef struct _VARIABLE_ENCRYPTION_FLAGS { + BOOLEANAuth;// Variable is authenticated or not + BOOLEANDecryptInPlace; // Do decryption in place + BOOLEANProtected; // Variable is protected or not +} VARIABLE_ENCRYPTION_FLAGS; + +typedef struct _VARIABLE_ENCRYPTION_INFO { + AUTH_VARIABLE_INFO Header;// Authenticated varabile header + VARIABLE_HEADER *Buffer; // Pointer to variable buffer + UINT64 StoreIndex;// Variable store index + VOID *PlainData;// Pointer to plain data + UINT32 PlainDataSize; // Size of plain data + VOID *CipherData; // Pointer to cipher data + UINT32 CipherDataSize;// Size of cipher data + UINT32 CipherHeaderSize; // Size of cipher header + UINT32 CipherDataType;// Type of cipher data + VOID *Key; // Pointer to encrypt/decrypt key + UINT32 KeySize; // Size of key + VARIABLE_ENCRYPTION_FLAGSFlags; // Encryption flags +} VARIABLE_ENCRYPTION_INFO; + +/** + Encrypt variable data. + + @param[in, out] VarInfo Pointer to structure containing detailed information about a variable. + + @retval EFI_SUCCESS Function successfully executed. + @retval EFI_INVALID_PARAMETER If ProtectedVarLibContextIn == NULL or ProtectedVarLibContextOut == NULL. + @retval EFI_OUT_OF_RESOURCES Fail to allocate enough resource. + @retval EFI_UNSUPPORTED Unsupported to process encrypted variable. + +**/ +EFI_STATUS +EFIAPI +EncryptVariable ( + IN OUT VARIABLE_ENCRYPTION_INFO *VarInfo + ); + +/** + Decrypt variable data. + + If VarEncInfo->CipherData is not NULL, it must holds the cipher data to be + decrypted. Otherwise, assume the cipher data from variable data buffer, i.e. + VarEncInfo->Header.Data. 
+ + If VarEncInfo->Flags.DecryptInPlace is TRUE, the decrypted data will be put + back in the same buffer as cipher buffer got above, after encryption header, + which helps to identify later if the data in buffer is decrypted or not. This + can avoid repeat decryption when accessing the same variable more than once. + + If VarEncInfo->Flags.DecryptInPlace is FALSE, VarEncInfo->PlainData must be + passed in with a valid buffer with VarEncInfo->PlainDataSize set correctly + with its size. + + Note the VarEncInfo->PlainData is always pointing to the buffer address with + decrypted data without encryption header, and VarEncInfo->PlainDataSize is + always the size of original variable data, if this function returned + successfully. + + @param[in, out] VarInfo Pointer to structure containing detailed + information about a variable. + + @retval EFI_SUCCESS Variable was decrypted successfully. + @retval EFI_INVALID_PARAMETER Variable information in VarEncInfo is invalid. + @retval EFI_BUFFER_TOO_SMALLVarEncInfo->PlainData is not NULL but + VarEncInfo->PlainDataSize is too small. + @retval EFI_ABORTED Unknown error occurred during decrypting. + @retval EFI_OUT_OF_RESOURCESFail to allocate enough resource. + @retval EFI_COMPROMISED_DATAThe cipher header is not valid. + @retval EFI_UNSUPPORTED Unsupported to encrypt variable. + +**/ +EFI_STATUS +EFIAPI +DecryptVariable ( + IN OUT VARIABLE_ENCRYPTION_INFO *VarInfo + ); + +/** + Get ciphe
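Review bot: The function headers in EncryptionVariableLib.h do not match the prototypes: both functions declare the parameter as VarInfo while the DecryptVariable() text refers to VarEncInfo throughout, and EncryptVariable() lists EFI_INVALID_PARAMETER for ProtectedVarLibContextIn and ProtectedVarLibContextOut, which are not parameters of this function. DecryptVariable() also says "@retval EFI_UNSUPPORTED Unsupported to encrypt variable." On the design side, VARIABLE_ENCRYPTION_INFO carries a raw Key pointer and KeySize with no statement of who owns and clears the key buffer, and the DecryptInPlace description leaves decrypted data in the variable buffer for later reads; please document the lifetime of both. "varabile" in the Header field comment should be "variable".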
[edk2-devel] [PATCH v5 06/19] MdeModulePkg: Add Null ProtectedVariable Library
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V4: Applied code review comments - removed APIs that are not being used. V1: Add Null versions of the ProtectedVariable Library. This will be the default libraries for platforms that do not support ProtectedVariable. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf | 34 ++ MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c | 336 2 files changed, 370 insertions(+) diff --git a/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf new file mode 100644 index ..6a17191c4e1e --- /dev/null +++ b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf @@ -0,0 +1,34 @@ +## @file +# Provides null version of protected variable services. +# +# Copyright (c) 2022, Intel Corporation. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010029 + BASE_NAME = ProtectedVariableLibNull + FILE_GUID = 352C6A1B-403A-4E37-8517-FAA50BC45251 + MODULE_TYPE= BASE + VERSION_STRING = 0.1 + LIBRARY_CLASS = ProtectedVariableLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + ProtectedVariable.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + diff --git a/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c new file mode 100644 index ..074559f84f52 --- /dev/null +++ b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c 
@@ -0,0 +1,336 @@ +/** @file + NULL version of ProtectedVariableLib used to disable protected variable services. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +#include +#include +#include + +/** + + Initialization for protected varibale services. + + @param[in] ContextIn Pointer to variable service context needed by + protected variable. + + @retval EFI_UNSUPPORTED Unsupported to process protected variable. + +**/ +EFI_STATUS +EFIAPI +ProtectedVariableLibInitialize ( + IN PROTECTED_VARIABLE_CONTEXT_IN *ContextIn + ) +{ + return EFI_UNSUPPORTED; +} + +/** + + Prepare for variable update. + + @retval EFI_UNSUPPORTED Unsupported to process protected variable. + +**/ +EFI_STATUS +EFIAPI +ProtectedVariableLibWriteInit ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +/** + + Update a variable with protection provided by this library. + + @param[in,out] CurrVariableVariable to be updated. It's NULL if + adding a new variable. + @param[in] CurrVariableInDel In-delete-transiion copy of updating variable. + @param[in,out] NewVariable Buffer of new variable data. + Buffer of "MetaDataHmacVar" and new + variable (encrypted). + @param[in,out] NewVariableSize Size of NewVariable. + Size of (encrypted) NewVariable and + "MetaDataHmacVar". + + @retval EFI_UNSUPPORTED Unsupported to process protected variable. + +**/ +EFI_STATUS +EFIAPI +ProtectedVariableLibUpdate ( + IN OUT VARIABLE_HEADER *CurrVariable, + IN VARIABLE_HEADER *CurrVariableInDel, + IN OUT VARIABLE_HEADER *NewVariable, + IN OUT UINTN*NewVariableSize + ) +{ + return EFI_UNSUPPORTED; +} + +/** + + Finalize a variable updating after it's written to NV variable storage + successfully. + + @param[in] NewVariable Buffer of new variables and MetaDataHmacVar. + @param[in] VariableSize Size of buffer pointed by NewVariable. + @param[in] StoreIndexNew index of the variable in store. 
+ + @retval EFI_UNSUPPORTED Unsupported to process protected variable. + +**/ +EFI_STATUS +EFIAPI +ProtectedVariableLibWriteFinal ( + IN VARIABLE_HEADER *NewVariable, + IN UINTNVariableSize, + IN UINT64 StoreIndex + ) +{ + return EFI_UNSUPPORTED; +} + +/** + + Retrieve plain data, if encrypted, of given variable. + + @param[in] Variable Pointer to header of a Variable. + @param[in,out] Data Pointer to plain data of the given variable. + @param[in,out] DataSize
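Review bot: Every stub in ProtectedVariable.c returns EFI_UNSUPPORTED and the headers say only "Unsupported to process protected variable."; please document in the @file comment that this status from ProtectedVariableLibInitialize() means protection is not built in, so the variable driver can tell it apart from a failed integrity check. In the ProtectedVariableLibUpdate() header, NewVariable and NewVariableSize each carry two descriptions run together; label one as the value on input and the other as the value on output. Typos to fix: "varibale" and "In-delete-transiion".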
[edk2-devel] [PATCH v5 00/19] UEFI variable protection
Patch 07 - Add PEI Variable Protection into a new directory and leave the existing PEI Variable unchanged.
Patch 08 - Add RuntimeDxe Variable Protection into a new directory and keep existing Variable for RuntimeDxe unchanged.
Patch 09 - Add reference to new Protected Variable libs.
Patch 16 - Applied code review comments by adding PEIM to library class.
Patch 18 - Applied code review comments by removing unused API.

Notes: The CryptoPkg changes are now being tracked separately. Patches 21 on are no longer needed due to reorganization of the new protected variable modules.

Judah Vang (19):
  MdePkg: Add reference to new Ppi Guid
  MdeModulePkg: Update AUTH_VARIABLE_INFO struct
  MdeModulePkg: Add new ProtectedVariable GUIDs
  MdeModulePkg: Add new include files
  MdeModulePkg: Add new GUID for Variable Store Info
  MdeModulePkg: Add Null ProtectedVariable Library
  MdeModulePkg: Add new Variable functionality
  MdeModulePkg: Add support for Protected Variables
  MdeModulePkg: Reference Null ProtectedVariableLib
  SecurityPkg: Add new GUIDs for
  SecurityPkg: Add new KeyService types and defines
  SecurityPkg: Add new variable types and functions
  SecurityPkg: Update RPMC APIs with index
  SecurityPkg: Fix GetVariableKey API
  SecurityPkg: Add null encryption variable libs
  SecurityPkg: Add VariableKey library function
  SecurityPkg: Add EncryptionVariable lib with AES
  SecurityPkg: Add Protected Variable Services
  SecurityPkg: Add references to new *.inf files

 MdeModulePkg/MdeModulePkg.dec | 13 +-
 SecurityPkg/SecurityPkg.dec | 43 +-
 MdeModulePkg/MdeModulePkg.dsc | 20 +-
 MdeModulePkg/Test/MdeModulePkgHostTest.dsc | 8 +
 SecurityPkg/SecurityPkg.dsc | 13 +-
 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf | 34 +
 MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf | 79 +
 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/RuntimeDxeUnitTest/VariableLockRequestToLockUnitTest.inf | 36 +
 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeDxe.inf | 151 +
 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmm.inf | 153 +
 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmmRuntimeDxe.inf | 119 +
 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableStandaloneMm.inf | 143 +
 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf | 43 +
 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf | 34 +
 SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf | 64 +
 SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf | 68 +
 SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf | 67 +
 SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf | 62 +
 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf | 36 +
 MdeModulePkg/Include/Guid/ProtectedVariable.h | 22 +
 MdeModulePkg/Include/Library/AuthVariableLib.h | 4 +-
 MdeModulePkg/Include/Library/EncryptionVariableLib.h | 165 +
 MdeModulePkg/Include/Library/ProtectedVariableLib.h | 607 +++
 MdeModulePkg/Universal/Variable/Protected/Pei/Variable.h | 225 ++
 MdeModulePkg/Universal/Variable/Protected/Pei/VariableParsing.h | 309 ++
 MdeModulePkg/Universal/Variable/Protected/Pei/VariableStore.h | 116 +
 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/PrivilegePolymorphic.h | 158 +
 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/Variable.h | 948 +
 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableNonVolatile.h
[edk2-devel] [PATCH v5 03/19] MdeModulePkg: Add new ProtectedVariable GUIDs
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 New ProtectVariable GUIDs for passing variable information from PEI phase to SMM phase. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Jian J Wang --- MdeModulePkg/Include/Guid/ProtectedVariable.h | 22 1 file changed, 22 insertions(+) diff --git a/MdeModulePkg/Include/Guid/ProtectedVariable.h b/MdeModulePkg/Include/Guid/ProtectedVariable.h new file mode 100644 index ..0c6e19e0456b --- /dev/null +++ b/MdeModulePkg/Include/Guid/ProtectedVariable.h @@ -0,0 +1,22 @@ +/** @file + The GUID definitions specific for protected variable services. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef PROTECTED_VARIABLE_H_ +#define PROTECTED_VARIABLE_H_ + +#define EDKII_PROTECTED_VARIABLE_GLOBAL_GUID \ + { 0x8ebf379a, 0xf18e, 0x4728, { 0xa4, 0x10, 0x0, 0xcf, 0x9a, 0x65, 0xbe, 0x91 } } + +#define EDKII_METADATA_HMAC_VARIABLE_GUID \ + { 0xb54cda50, 0xec54, 0x4b20, { 0x85, 0xb4, 0x57, 0xbf, 0x52, 0x98, 0x68, 0x3d } } + +extern EFI_GUID gEdkiiProtectedVariableGlobalGuid; +extern EFI_GUID gEdkiiMetaDataHmacVariableGuid; +extern EFI_GUID gEdkiiProtectedVariableContextGuid; + +#endif // __PROTECTED_VARIABLE_H__ -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95984): https://edk2.groups.io/g/devel/message/95984 Mute This Topic: https://groups.io/mt/94840820/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
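Review bot: gEdkiiProtectedVariableContextGuid is declared extern at the end of ProtectedVariable.h, but the header defines macros only for the Global and MetaDataHmac GUIDs; add the matching EDKII_PROTECTED_VARIABLE_CONTEXT_GUID define so all three are documented in one place. The externs sit in an MdeModulePkg header while 10/19 declares the GUID values in SecurityPkg.dec, and nothing in the MdeModulePkg.dec changes shown in this series declares them, so an MdeModulePkg module including this header would need SecurityPkg.dec in its [Packages]; declare the GUIDs in the package that owns the header. The closing comment "#endif // __PROTECTED_VARIABLE_H__" does not match the guard PROTECTED_VARIABLE_H_.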
[edk2-devel] [PATCH v5 01/19] MdePkg: Add reference to new Ppi Guid
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to gEfiPeiVariableStoreDiscoveredPpiGuid which contains information whether variable store is available. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Jian J Wang --- MdePkg/Include/Ppi/ReadOnlyVariable2.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/MdePkg/Include/Ppi/ReadOnlyVariable2.h b/MdePkg/Include/Ppi/ReadOnlyVariable2.h index 926c0bc82a43..c5a8470565bb 100644 --- a/MdePkg/Include/Ppi/ReadOnlyVariable2.h +++ b/MdePkg/Include/Ppi/ReadOnlyVariable2.h @@ -2,7 +2,7 @@ This file declares Read-only Variable Service2 PPI. This ppi permits read-only access to the UEFI variable store during the PEI phase. -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved. +Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent @par Revision Reference: @@ -106,4 +106,6 @@ struct _EFI_PEI_READ_ONLY_VARIABLE2_PPI { extern EFI_GUID gEfiPeiReadOnlyVariable2PpiGuid; +extern EFI_GUID gEfiPeiVariableStoreDiscoveredPpiGuid; + #endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95983): https://edk2.groups.io/g/devel/message/95983 Mute This Topic: https://groups.io/mt/94840819/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
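Review bot: The new "extern EFI_GUID gEfiPeiVariableStoreDiscoveredPpiGuid;" line is added without any comment, so the header does not say what a consumer gets when it locates this PPI. The commit message says it carries information on whether the variable store is available; put that in a comment above the extern, including whether the PPI has an interface structure or is installed with a NULL interface as a pure notification, and who is expected to install it.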
[edk2-devel] [PATCH v5 09/19] MdeModulePkg: Reference Null ProtectedVariableLib
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V5: Add reference to new Protected Variable libs. V1: Make reference to new Null ProtectVariableLib. The null ProtectedVariableLib is used by default. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/MdeModulePkg.dsc | 20 +++- MdeModulePkg/Test/MdeModulePkgHostTest.dsc | 8 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc index 659482ab737f..65ec6d1e0918 100644 --- a/MdeModulePkg/MdeModulePkg.dsc +++ b/MdeModulePkg/MdeModulePkg.dsc @@ -2,7 +2,7 @@ # EFI/PI Reference Module Package for All Architectures # # (C) Copyright 2014 Hewlett-Packard Development Company, L.P. -# Copyright (c) 2007 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2007 - 2022, Intel Corporation. All rights reserved. # Copyright (c) Microsoft Corporation. # #SPDX-License-Identifier: BSD-2-Clause-Patent @@ -104,6 +104,7 @@ [LibraryClasses] VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf [LibraryClasses.EBC.PEIM] IoLib|MdePkg/Library/PeiIoLibCpuIo/PeiIoLibCpuIo.inf 
@@ -318,6 +319,7 @@ [Components] MdeModulePkg/Library/PlatformBootManagerLibNull/PlatformBootManagerLibNull.inf MdeModulePkg/Library/BootLogoLib/BootLogoLib.inf MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf @@ -397,6 +399,7 @@ [Components] MdeModulePkg/Application/VariableInfo/VariableInfo.inf MdeModulePkg/Universal/FaultTolerantWritePei/FaultTolerantWritePei.inf MdeModulePkg/Universal/Variable/Pei/VariablePei.inf + MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf MdeModulePkg/Universal/TimestampDxe/TimestampDxe.inf MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf @@ -461,6 +464,7 @@ [Components.IA32, Components.X64, Components.ARM, Components.AARCH64] !if $(TOOL_CHAIN_TAG) != "XCODE5" MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteStandaloneMm.inf MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf + MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableStandaloneMm.inf !endif [Components.IA32, Components.X64] 
@@ -475,13 +479,27 @@ [Components.IA32, Components.X64] NULL|MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf NULL|MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf } + MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmm.inf { + + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf + NULL|MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf + NULL|MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf + } MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf NULL|MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf NULL|MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf } + MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeDxe.inf { + + NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf + NULL|MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf + NULL|MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf + } MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf + MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmmRuntimeDxe.inf MdeModulePkg/Library/SmmReportStatusCodeLib/SmmReportStatusCodeLib.inf MdeModulePkg/Library/SmmReportStatusCodeLib/StandaloneMmReportStatusCodeLib.inf MdeModulePkg/Universal/StatusCodeHandler/Smm/StatusCodeHandlerSmm.inf diff --git a/MdeModulePkg/Test/MdeModulePkgHostTest.dsc b/MdeModulePkg/Test/MdeModulePkgHostTest.dsc index c9ec835df65d..c0ca9be71e8c 100644 --- a/MdeModulePkg/Test/MdeModulePkgHostTest.dsc +++ b/MdeModulePkg/Test/MdeModulePkgHostTest.dsc @@ -42,6 +42,14 @@ [Components] gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|TRUE } + MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/RuntimeD
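Review bot: the new Protected/ variable drivers (VariablePei, VariableStandaloneMm, VariableSmm, VariableRuntimeDxe, VariableSmmRuntimeDxe) are added to [Components] while the only ProtectedVariableLib mapping in [LibraryClasses] is ProtectedVariableLibNull, so this package build proves they compile and link but exercises none of the protection logic. State in the commit message that a platform must override the class with a real instance to get any protection, so that nobody reads the presence of the Protected/ drivers in a build as protection being active. The "V5:" and "V1:" changelog lines sit in the commit body; move them below the --- separator so they do not end up in the git history.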
Re: [edk2-devel] [PATCH V1 0/2] CryptoPkg bug fixes
Hi Mike,

This is not my realm of expertise. I'm just trying to fix an issue that I ran into when enabling crypto. Can I suggest that someone like the maintainers or someone who knows how the build works update the build?

Judah

-Original Message-
From: Kinney, Michael D
Sent: Wednesday, October 26, 2022 2:17 PM
To: Vang, Judah; devel@edk2.groups.io; Sean Brogan
Cc: Wang, Jian J; Mistry, Nishant C
Subject: RE: [edk2-devel] [PATCH V1 0/2] CryptoPkg bug fixes

Hi Judah,

Does CryptoPkg.dsc break if DISABLE_SHA1_DEPRECATED_INTERFACE is defined in that DSC file [BuildOptions] section?

All packages in edk2 repo have a .ci.yaml file that provides the set of CI checks that are performed when a PR contains source changes to that package. Here is link to CryptoPkg.ci.yaml file:

https://github.com/tianocore/edk2/blob/master/CryptoPkg/CryptoPkg.ci.yaml

The section of this file that identifies the package build step is "CompilerPlugin". It specifies the relative path to the DSC file to build to perform a package scoped build verification.

    "CompilerPlugin": {
        "DscPath": "CryptoPkg.dsc"
    },

The easiest way to make sure there is build coverage for SHA1 disabled is to make sure this DSC file is updated to include builds with and without SHA1 disabled. SHA1 is enabled by default, so DSC file needs to be amended to perform additional build(s) of components that disable SHA1. This is a challenge because this define is used in both libraries and modules so the define needs to be global to cover library instances.

The define DISABLE_SHA1_DEPRECATED_INTERFACES is also used in the SecurityPkg, so that package may also need updates to get CI coverage with and without this define.

https://github.com/tianocore/edk2/search?q=DISABLE_SHA1_DEPRECATED_INTERFACES&type=code

I just did a search for similar defines in edk2 repo:

* ENABLE_MD5_DEPRECATED_INTERFACES
* DISABLE_SHA1_DEPRECATED_INTERFACES
* DISABLE_NEW_DEPRECATED_INTERFACES

Perhaps Sean can provide advice on how to get full CI coverage for these types of defines.

Best regards,

Mike

> -Original Message-
> From: Vang, Judah
> Sent: Wednesday, October 26, 2022 11:42 AM
> To: Kinney, Michael D; devel@edk2.groups.io
> Cc: Wang, Jian J; Mistry, Nishant C
> Subject: RE: [edk2-devel] [PATCH V1 0/2] CryptoPkg bug fixes
>
> Mike,
>
> Can you explain #3? I have no idea how to update/modify the EDK2 CI.
> I know for MTL, we have this define there by default, that is why when
> I enabled crypto for RPMC feature for MTL we ran into the issue.
>
> #4, I prefer a build error.
>
> Judah
>
> -Original Message-
> From: Kinney, Michael D
> Sent: Monday, October 24, 2022 10:22 AM
> To: devel@edk2.groups.io; Vang, Judah; Kinney, Michael D
> Subject: RE: [edk2-devel] [PATCH V1 0/2] CryptoPkg bug fixes
>
> Hi Judah,
>
> There was an update to CryptoPkg pushed yesterday.
>
> 1) There is a CryptoPkg/Readme.md with tables and DSC content for services that are
>    enabled in each phase. I think that needs updates too for the AES and KDF features.
> 2) The CryptoPkg.dsc file has recommended settings for PEI, DXE, SMM. I think
>    they need to be updated for the AES and KDF features.
> 3) It looks like the SHA1 disable caused a build break. I would like to see the
>    standard package builds for EDK II CI be updated to cover the failure case so
>    we know that this case is covered in the future. It looks like the default is
>    for SHA1 enabled and the build break is when define for SHA1 disabled is
>    asserted.
> 4) There is an overlap between the defines to deprecate MD5 and SHA1 and the
>    structured PCD that allows those services to be disabled in the Crypto
>    Protocol/PPI. The defines to deprecate MD5 and SHA1 extend into the BaseCryptLib
>    instance implementations such that a call to those services when static linking
>    will generate a build error instead of a runtime ASSERT(). Which behavior do
>    you prefer?
>
> Best regards,
>
> Mike
>
> > -Original Message-
> > From: devel@edk2.groups.io On Behalf Of Judah Vang
> > Sent: Monday, October 24, 2022 9:42 AM
> > To: devel@edk2.groups.io
> > Subject: [edk2-devel] [PATCH V1 0/2] CryptoPkg bug fixes
> >
> > https://bugzilla.tianocore.org/show_bug.cgi?id=3991
> > https://bugzilla.tianocore.org/show_bug.cgi?id=3992
> >
> > There is a #define to deprecate Sha1 functions but not all the Sha1
> > functions are wrapped around this #define causing a build error. The
> > fix is to wrap all Sha1 functions with the #define.
> >
> > Need crypto AES to be supported for PEI p
Re: [edk2-devel] [PATCH V1 0/2] CryptoPkg bug fixes
Mike,

Can you explain #3? I have no idea how to update/modify the EDK2 CI. I know for MTL, we have this define there by default, that is why when I enabled crypto for RPMC feature for MTL we ran into the issue.

#4, I prefer a build error.

Judah

-Original Message-
From: Kinney, Michael D
Sent: Monday, October 24, 2022 10:22 AM
To: devel@edk2.groups.io; Vang, Judah; Kinney, Michael D
Subject: RE: [edk2-devel] [PATCH V1 0/2] CryptoPkg bug fixes

Hi Judah,

There was an update to CryptoPkg pushed yesterday.

1) There is a CryptoPkg/Readme.md with tables and DSC content for services that are enabled in each phase. I think that needs updates too for the AES and KDF features.
2) The CryptoPkg.dsc file has recommended settings for PEI, DXE, SMM. I think they need to be updated for the AES and KDF features.
3) It looks like the SHA1 disable caused a build break. I would like to see the standard package builds for EDK II CI be updated to cover the failure case so we know that this case is covered in the future. It looks like the default is for SHA1 enabled and the build break is when define for SHA1 disabled is asserted.
4) There is an overlap between the defines to deprecate MD5 and SHA1 and the structured PCD that allows those services to be disabled in the Crypto Protocol/PPI. The defines to deprecate MD5 and SHA1 extend into the BaseCryptLib instance implementations such that a call to those services when static linking will generate a build error instead of a runtime ASSERT(). Which behavior do you prefer?

Best regards,

Mike

> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Judah Vang
> Sent: Monday, October 24, 2022 9:42 AM
> To: devel@edk2.groups.io
> Subject: [edk2-devel] [PATCH V1 0/2] CryptoPkg bug fixes
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=3991
> https://bugzilla.tianocore.org/show_bug.cgi?id=3992
>
> There is a #define to deprecate Sha1 functions but not all the Sha1
> functions are wrapped around this #define causing a build error. The
> fix is to wrap all Sha1 functions with the #define.
>
> Need crypto AES to be supported for PEI phase and need crypto KDF to
> be supported for SMM phase.
>
> Judah Vang (2):
>   CryptoPkg: Sha1 functions causing build errors
>   CryptoPkg: Need to enable crypto functions
>
>  CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf    |  2 +-
>  CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf    |  2 +-
>  CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 +-
>  3 files changed, 15 insertions(+), 3 deletions(-)
>
> --
> 2.35.1.windows.2
[edk2-devel] [PATCH V1 2/2] CryptoPkg: Need to enable crypto functions
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3992 Enable CryptAes for PEI phase. Enable CryptHkdf for SMM phase. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 2 +- CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf index b1629647f9c6..ee5f3cd5d4b6 100644 --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf @@ -43,7 +43,7 @@ [Sources] Hash/CryptParallelHashNull.c Hmac/CryptHmac.c Kdf/CryptHkdf.c - Cipher/CryptAesNull.c + Cipher/CryptAes.c Cipher/CryptAeadAesGcmNull.c Pk/CryptRsaBasic.c Pk/CryptRsaExtNull.c diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf index 0af7a3f96e8f..cc5a53ca92cd 100644 --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf @@ -43,7 +43,7 @@ [Sources] Hash/CryptCShake256.c Hash/CryptParallelHash.c Hmac/CryptHmac.c - Kdf/CryptHkdfNull.c + Kdf/CryptHkdf.c Cipher/CryptAes.c Cipher/CryptAeadAesGcmNull.c Pk/CryptRsaBasic.c -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95509): https://edk2.groups.io/g/devel/message/95509 Mute This Topic: https://groups.io/mt/94539166/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
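Review bot: both INF files keep Cipher/CryptAeadAesGcmNull.c in the context lines, so after this change PEI gains the AES services from Cipher/CryptAes.c but still has no AEAD. Any PEI consumer that encrypts with these services has to provide integrity separately (Hmac/CryptHmac.c is already in the same [Sources] list); name the consumer that needs AES in PEI and HKDF in SMM in the commit message so that can be checked. The diffstat covers only the two INF files, so CryptoPkg.dsc and CryptoPkg/Readme.md, which describe the services enabled per phase, are left out of sync by this version.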
[edk2-devel] [PATCH V1 1/2] CryptoPkg: Sha1 functions causing build errors
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3991 Fix build issue when DiSABLE_SHA1_DEPRECATED_INTERFACES is defined. Percolate the #ifndef DiSABLE_SHA1_DEPRECATED_INTERFACES to all the Sha1 functions. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 +- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c index f9796b215865..ede9fa8c09ec 100644 --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c @@ -6,7 +6,7 @@ This API, when called, will calculate the Hash using the hashing algorithm specified by PcdHashApiLibPolicy. - Copyright (c) 2020, Intel Corporation. All rights reserved. + Copyright (c) 2020-2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -33,9 +33,11 @@ HashApiGetContextSize ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1GetContextSize (); break; + #endif case HASH_ALG_SHA256: return Sha256GetContextSize (); @@ -75,9 +77,11 @@ HashApiInit ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Init (HashContext); break; + #endif case HASH_ALG_SHA256: return Sha256Init (HashContext); @@ -119,9 +123,11 @@ HashApiDuplicate ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Duplicate (HashContext, NewHashContext); break; + #endif case HASH_ALG_SHA256: return Sha256Duplicate (HashContext, NewHashContext); 
@@ -165,9 +171,11 @@ HashApiUpdate ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Update (HashContext, DataToHash, DataToHashLen); break; + #endif case HASH_ALG_SHA256: return Sha256Update (HashContext, DataToHash, DataToHashLen); @@ -209,9 +217,11 @@ HashApiFinal ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Final (HashContext, Digest); break; + #endif case HASH_ALG_SHA256: return Sha256Final (HashContext, Digest); @@ -255,9 +265,11 @@ HashApiHashAll ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1HashAll (DataToHash, DataToHashLen, Digest); break; + #endif case HASH_ALG_SHA256: return Sha256HashAll (DataToHash, DataToHashLen, Digest); -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#95508): https://edk2.groups.io/g/devel/message/95508 Mute This Topic: https://groups.io/mt/94539163/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
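Review bot: with the HASH_ALG_SHA1 case compiled out in all six switch statements, a platform that defines DISABLE_SHA1_DEPRECATED_INTERFACES but leaves PcdHashApiLibPolicy at HASH_ALG_SHA1 now builds cleanly and falls into each default branch at run time. The default branches are outside these hunks, so confirm that every one of HashApiGetContextSize, HashApiInit, HashApiDuplicate, HashApiUpdate, HashApiFinal and HashApiHashAll asserts and returns a failure value there, and that callers check it; an unchecked zero context size or a FALSE from HashApiInit would otherwise pass silently. The commit message spells the macro DiSABLE_SHA1_DEPRECATED_INTERFACES (lower-case i) twice while the code uses DISABLE_SHA1_DEPRECATED_INTERFACES; correct it so the commit is found when searching for the define.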
[edk2-devel] [PATCH V1 0/2] CryptoPkg bug fixes
https://bugzilla.tianocore.org/show_bug.cgi?id=3991
https://bugzilla.tianocore.org/show_bug.cgi?id=3992

There is a #define to deprecate Sha1 functions but not all the Sha1 functions are wrapped around this #define causing a build error. The fix is to wrap all Sha1 functions with the #define.

Need crypto AES to be supported for PEI phase and need crypto KDF to be supported for SMM phase.

Judah Vang (2):
  CryptoPkg: Sha1 functions causing build errors
  CryptoPkg: Need to enable crypto functions

 CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf    |  2 +-
 CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf    |  2 +-
 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 +-
 3 files changed, 15 insertions(+), 3 deletions(-)

--
2.35.1.windows.2
[edk2-devel] [PATCH v4 26/28] OvmfPkg: Add ProtectedVariableLib reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Gerd Hoffmann Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/Microvm/MicrovmX64.dsc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc index 52498bbe90a8..dc7bb669527a 100644 --- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc @@ -1,7 +1,7 @@ ## @file # EFI/Framework Open Virtual Machine Firmware (OVMF) platform # -# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2016 Hewlett Packard Enterprise Development LP # Copyright (c) Microsoft Corporation. # @@ -185,6 +185,7 @@ [LibraryClasses] MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLib.inf PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf DxeHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/DxeHardwareInfoLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SOURCE_DEBUG_ENABLE) == TRUE PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDebug/PeCoffExtraActionLibDebug.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92370): https://edk2.groups.io/g/devel/message/92370 Mute This Topic: https://groups.io/mt/92953552/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v4 27/28] OvmfPkg: Add ProtectedVariable reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Sebastien Boeuf Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/CloudHv/CloudHvX64.dsc | 1 + 1 file changed, 1 insertion(+) diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc index f0d700f14477..c2cd6214ad99 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc @@ -182,6 +182,7 @@ [LibraryClasses] MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf DxeHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/DxeHardwareInfoLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SMM_REQUIRE) == FALSE LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf !endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92371): https://edk2.groups.io/g/devel/message/92371 Mute This Topic: https://groups.io/mt/92953553/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v4 28/28] IntelTdx: Add ProtectedVariable reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 + 1 file changed, 1 insertion(+) diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc index 71b1cf8e7090..d895036e242f 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -166,6 +166,7 @@ [LibraryClasses] MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLib.inf PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf DxeHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/DxeHardwareInfoLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92372): https://edk2.groups.io/g/devel/message/92372 Mute This Topic: https://groups.io/mt/92953555/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
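Review bot: the subject line uses the prefix "IntelTdx:" although the only file changed is OvmfPkg/IntelTdx/IntelTdxX64.dsc and the neighbouring patches in this series use "OvmfPkg:". Use "OvmfPkg/IntelTdx:" or "OvmfPkg:" so the patch is routed to the right maintainers and matches the rest of the series. The commit body is the same single sentence used for the other platform DSCs; add that the Null instance means protected variable services are not active on this platform.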
[edk2-devel] [PATCH v4 25/28] OvmfPkg: Add ProtectedVariableLib reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Rebecca Cran Cc: Peter Grehan Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/Bhyve/BhyveX64.dsc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index d4f0c90b8e00..77613a3b760a 100644 --- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -1,6 +1,6 @@ # # Copyright (c) 2020, Rebecca Cran -# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2016 Hewlett Packard Enterprise Development LP # Copyright (c) 2014, Pluribus Networks, Inc. # @@ -172,6 +172,7 @@ [LibraryClasses] MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLib.inf PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf DxeHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/DxeHardwareInfoLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92369): https://edk2.groups.io/g/devel/message/92369 Mute This Topic: https://groups.io/mt/92953551/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v4 24/28] OvmfPkg: Add ProtectedVariableLib reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Jiewen Yao Cc: Min Xu Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Tom Lendacky Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/AmdSev/AmdSevX64.dsc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index 90e8a213ef77..a94a8c30ca3e 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -3,7 +3,7 @@ # virtual machine remote attestation and secret injection # # Copyright (c) 2020 James Bottomley, IBM Corporation. -# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2016 Hewlett Packard Enterprise Development LP # # SPDX-License-Identifier: BSD-2-Clause-Patent @@ -170,6 +170,7 @@ [LibraryClasses] MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLib.inf PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf DxeHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/DxeHardwareInfoLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SOURCE_DEBUG_ENABLE) == TRUE PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDebug/PeCoffExtraActionLibDebug.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92368): https://edk2.groups.io/g/devel/message/92368 Mute This Topic: https://groups.io/mt/92953550/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v4 23/28] OvmfPkg: Add ProtectedVariable reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Jordan Justen Cc: Gerd Hoffmann Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/OvmfPkgIa32.dsc| 1 + OvmfPkg/OvmfPkgIa32X64.dsc | 1 + OvmfPkg/OvmfPkgX64.dsc | 1 + OvmfPkg/OvmfXen.dsc| 3 ++- 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 725a01ae9a20..0cc0171032de 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -180,6 +180,7 @@ [LibraryClasses] MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLibNull.inf PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf DxeHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/DxeHardwareInfoLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SMM_REQUIRE) == FALSE LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf !endif diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index adc813ba2e1e..5eb696042ee7 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -184,6 +184,7 @@ [LibraryClasses] MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLibNull.inf PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf DxeHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/DxeHardwareInfoLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SMM_REQUIRE) == FALSE LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf !endif diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 6e68f60dc90f..6aaf4a298b30 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc 
@@ -196,6 +196,7 @@ [LibraryClasses] MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLib.inf PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf DxeHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/DxeHardwareInfoLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SMM_REQUIRE) == FALSE LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc index 58a7c97cddf7..4efe1a13446d 100644 --- a/OvmfPkg/OvmfXen.dsc +++ b/OvmfPkg/OvmfXen.dsc @@ -1,7 +1,7 @@ ## @file # EFI/Framework Open Virtual Machine Firmware (OVMF) platform # -# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2016 Hewlett Packard Enterprise Development LP # Copyright (c) 2019, Citrix Systems, Inc. # Copyright (c) Microsoft Corporation. @@ -221,6 +221,7 @@ [LibraryClasses] Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf RealTimeClockLib|OvmfPkg/Library/XenRealTimeClockLib/XenRealTimeClockLib.inf TimeBaseLib|EmbeddedPkg/Library/TimeBaseLib/TimeBaseLib.inf !ifdef $(DEBUG_ON_HYPERVISOR_CONSOLE) -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92367): https://edk2.groups.io/g/devel/message/92367 Mute This Topic: https://groups.io/mt/92953549/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
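Review bot: in OvmfPkgIa32.dsc, OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc the Null instance is mapped just above the "!if $(SMM_REQUIRE) == FALSE" block, outside any conditional, so it applies to SMM_REQUIRE builds as well as non-SMM builds. If leaving variable protection off for every OVMF configuration is intended, say so in the commit message, which currently reads only "Add reference to null ProtectedVariableLib"; otherwise scope the Null mapping to the non-SMM case and map a real instance for SMM builds. The subject says "ProtectedVariable reference" while the class added is ProtectedVariableLib; align it with patches 24 to 26.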
[edk2-devel] [PATCH v4 21/28] UefiPayloadPkg: Add ProtectedVariable reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference for ProtectedVariableLib so build is successful. Cc: Jian J Wang Cc: Guo Dong Cc: Ray Ni Cc: Maurice Ma Cc: Benjamin You Cc: Sean Rhodes Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Ray Ni --- UefiPayloadPkg/UefiPayloadPkg.dsc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc index 91cd78dbf109..591fae635b23 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -287,9 +287,11 @@ [LibraryClasses] AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf !if $(VARIABLE_SUPPORT) == "EMU" TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !elseif $(VARIABLE_SUPPORT) == "SPI" PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf + ProtectedVariableLib|SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptLibNull.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf !endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92365): https://edk2.groups.io/g/devel/message/92365 Mute This Topic: https://groups.io/mt/92953547/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
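Review bot: the mapping is added only inside the "EMU" and "SPI" branches, and the !if / !elseif chain has no !else, so any other VARIABLE_SUPPORT value leaves ProtectedVariableLib without an instance. The SPI branch also binds SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf in the unscoped [LibraryClasses] section, which gives a DXE instance to every module type that consumes the class; scope it to the DXE module types and add the matching instances for other phases if they are consumers. The commit message says only "so build is successful", yet the SPI path now links the real library rather than the Null one; describe that behaviour change and what it depends on.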
[edk2-devel] [PATCH v4 22/28] EmulatorPkg: Add ProtectedVariable reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Andrew Fish Cc: Ray Ni Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- EmulatorPkg/EmulatorPkg.dsc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index b44435d7e6ee..36a13b8a0620 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -4,7 +4,7 @@ # The Emulation Platform can be used to debug individual modules, prior to creating # a real platform. This also provides an example for how an DSC is created. # -# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # Portions copyright (c) 2010 - 2011, Apple Inc. All rights reserved. # Copyright (c) Microsoft Corporation. # @@ -119,6 +119,7 @@ [LibraryClasses] LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92366): https://edk2.groups.io/g/devel/message/92366 Mute This Topic: https://groups.io/mt/92953548/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
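Review bot: the second hunk wires the emulator to ProtectedVariableLibNull, yet the header comment of this file describes the platform as the one used "to debug individual modules, prior to creating a real platform". With the Null instance the new protected-variable code never runs here; consider a follow-up that makes the real library selectable through a build option so it can be exercised in the emulator.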
[edk2-devel] [PATCH v4 20/28] ArmVirtPkg: Add reference to ProtectedVariableNull
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Need reference to ProtectVariableNullLib otherwise build fails. Cc: Jian J Wang Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- ArmVirtPkg/ArmVirtQemu.dsc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index 9369a88858fd..1ddad340774f 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -1,7 +1,7 @@ # # Copyright (c) 2011-2015, ARM Limited. All rights reserved. # Copyright (c) 2014, Linaro Limited. All rights reserved. -# Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved. +# Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved. # # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -82,6 +82,7 @@ [LibraryClasses.common] PciHostBridgeLib|OvmfPkg/Fdt/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf PciHostBridgeUtilityLib|OvmfPkg/Library/PciHostBridgeUtilityLib/PciHostBridgeUtilityLib.inf PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(TPM2_ENABLE) == TRUE Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92364): https://edk2.groups.io/g/devel/message/92364 Mute This Topic: https://groups.io/mt/92953546/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
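Review bot: the commit message names "ProtectVariableNullLib" and the subject "ProtectedVariableNull", but the line added in the second hunk is ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf; use the real library name in both so the log is searchable. The diffstat touches only ArmVirtQemu.dsc; if other platform .dsc files in ArmVirtPkg build the same variable driver, they need the same mapping or they will fail the way the message describes.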
[edk2-devel] [PATCH v4 19/28] SecurityPkg: Add references to new *.inf files
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add references to the different *ProtectedVariableLib.inf. Also add references to VariableKeyLibNull.inf, EncryptionVariableLibNull.inf, ProtectedVariableNull.inf. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/SecurityPkg.dsc | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index f48187650f2f..f124084815cf 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -1,7 +1,7 @@ ## @file # Security Module Package for All Architectures. # -# Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -66,8 +66,11 @@ [LibraryClasses] TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSystemLibNull.inf + + # These should be Null by default VariableKeyLib|SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf + EncryptionVariableLib|SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf 
@@ -260,9 +263,17 @@ [Components] # # Variable Confidentiality & Integrity # + SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf + SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf + SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf + SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf + SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf + SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf + SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf + SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf # # Other -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92363): https://edk2.groups.io/g/devel/message/92363 Mute This Topic: https://groups.io/mt/92953545/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
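Review bot: the commit message says references are added for "ProtectedVariableNull.inf", but neither hunk adds a ProtectedVariableLib mapping or a ProtectedVariableLibNull component; the [Components] hunk lists only the four SecurityPkg/Library/ProtectedVariableLib instances. Either add the missing line or drop it from the message. In the [LibraryClasses] hunk the new comment `# These should be Null by default` is followed by three Null mappings and then runs straight into TcgEventLogRecordLib, which is not a Null instance; a blank line after the EncryptionVariableLib mapping would scope the comment.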
[edk2-devel] [PATCH v4 17/28] SecurityPkg: Add EncryptionVariable lib with AES
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V3: Change AllocateZeroPool() with AllocatePages() and FreePool() with FreePages(). FreePool() is not supported in PEI phase so this was causing a memory leak. Reverse the order of the FreePages() call. V1: Add encryption/decryption of protected variable functionality. Add functions to get/set cipher data of a protected variable. This is used for supporting confidentiality for protected variables. Cc: Jian J Wang Cc: Jiewen Yao Cc: Min Xu Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf | 43 ++ SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h | 49 ++ SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c | 734 3 files changed, 826 insertions(+) diff --git a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf new file mode 100644 index ..7ece52f2fb58 --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf 
@@ -0,0 +1,43 @@ +## @file +# Provides variable encryption/decryption services. +# +# Copyright (c) 2022, Intel Corporation. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010029 + BASE_NAME = EncryptionVariableLib + FILE_GUID = 459E2CB0-AF4B-4415-B6A1-335E71FD8B85 + MODULE_TYPE= BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = EncryptionVariableLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + EncryptionVariable.c + EncryptionVariable.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib + +[Guids] + gEfiVariableGuid + gEfiAuthenticatedVariableGuid diff --git a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h new file mode 100644 index ..f35f9f9e3ad7 --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h 
@@ -0,0 +1,49 @@ +/** @file + Definitions used by this library implementation. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef ENCRYPTION_VARIABLE_H_ +#define ENCRYPTION_VARIABLE_H_ + +#define ENC_KEY_SEPL":" +#define ENC_KEY_SEP_SIZE 2 +#define ENC_KEY_NAME L"VAR_ENC_KEY" +#define ENC_KEY_NAME_SIZE 22 + +#define ENC_KEY_SIZE(256/8) +#define ENC_BLOCK_SIZE AES_BLOCK_SIZE +#define ENC_IVEC_SIZE ENC_BLOCK_SIZE + +#define ENC_PADDING_BYTE 0x0F + +// +// PKCS#5 padding +// +// #define AES_CIPHER_DATA_SIZE(PlainDataSize) +// (AES_BLOCK_SIZE + (PlainDataSize)) & (~(AES_BLOCK_SIZE - 1)) +// +#define AES_CIPHER_DATA_SIZE(PlainDataSize) ALIGN_VALUE (PlainDataSize, AES_BLOCK_SIZE) + +#define FREE_POOL(Address) \ +if ((Address) != NULL) {\ + FreePool (Address); \ + (Address) = NULL; \ +} + +#pragma pack(1) + +typedef struct { + UINT32DataType; // SYM_TYPE_AES + UINT32HeaderSize; // sizeof(VARIABLE_ENCRYPTION_HEADER) + UINT32PlainDataSize;// Plain data size + UINT32CipherDataSize; // Cipher data size + UINT8 KeyIvec[ENC_IVEC_SIZE]; +} VARIABLE_ENCRYPTION_HEADER; + +#pragma pack() + +#endif // _ENCRYPTION_VARIABLE_H_ diff --git a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c new file mode 100644 index ..d128b32f93e0 --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c 
@@ -0,0 +1,734 @@ +/** @file + Implementation of EncryptionVariableLib with AES algorithm support. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include +#include +#include +#include +#include + +#include "EncryptionVariable.h" + +/** + Derive encryption key for given variable from variable root key. + + The derivation algorithm is depicted below + +HKDF_Expand(SHA256, RootKey, Name||':'||Guid||':'||Attr||"VAR_ENC_KEY") + + @param[in]VarEncInfoPointer to structure containing detailed + information about a variable. + @param[in]EncKeySizeSize of key requested. + @param[out] EncKeyBuffer of key. + + @retval TRUEThe key was derived su
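Review bot: in EncryptionVariable.h the comment says "PKCS#5 padding", but AES_CIPHER_DATA_SIZE is ALIGN_VALUE (PlainDataSize, AES_BLOCK_SIZE), which adds no padding when the plain size is already a multiple of the block size, and ENC_PADDING_BYTE is a fixed 0x0F rather than the pad length. Since VARIABLE_ENCRYPTION_HEADER carries PlainDataSize, describe the scheme as fixed-byte padding up to the block boundary and remove the commented-out PKCS formula, which computes a different size. The FREE_POOL macro still calls FreePool() although the V3 note says FreePool() is not supported in PEI; drop it if unused, or at least wrap it in do { } while (FALSE) so it is safe inside an if/else. The closing `#endif // _ENCRYPTION_VARIABLE_H_` does not match the guard name ENCRYPTION_VARIABLE_H_.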
[edk2-devel] [PATCH v4 15/28] SecurityPkg: Add null encryption variable libs
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V4: Applied code review - Remove empty Guids section from .inf file. Update description in *.c. Remove *.uni file and reference to it. V1: Provide null encryption variable libraries. These will be used by default for platforms that don't support protected variable encryption. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf | 34 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c | 92 2 files changed, 126 insertions(+) diff --git a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf new file mode 100644 index ..185b6f9bedf7 --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf @@ -0,0 +1,34 @@ +## @file +# Provides NULL version of encryption variable services. +# +# Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010005 + BASE_NAME = EncryptionVariableLibNull + FILE_GUID = 3972E6FE-74D5-45C3-A9FB-DB9E5E5C9C17 + MODULE_TYPE= BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = EncryptionVariableLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + EncryptionVariable.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + DebugLib diff --git a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c new file mode 100644 index ..52ee8a7b5aae --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c 
@@ -0,0 +1,92 @@ +/** @file + NULL implementation of EncryptionVariableLib. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include + +/** + Encrypt variable data. + + Null version. + + @param[in, out] VarEncInfo Pointer to structure containing detailed + information about a variable. + + @retval EFI_UNSUPPORTED Unsupported to encrypt variable. + +**/ +EFI_STATUS +EFIAPI +EncryptVariable ( + IN OUT VARIABLE_ENCRYPTION_INFO *VarEncInfo + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Decrypt variable data. + + Null version. + + @param[in, out] VarEncInfo Pointer to structure containing detailed + information about a variable. + + @retval EFI_UNSUPPORTED Unsupported to encrypt variable. + +**/ +EFI_STATUS +EFIAPI +DecryptVariable ( + IN OUT VARIABLE_ENCRYPTION_INFO *VarEncInfo + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Get cipher information. + + Null version. + + @param[in] VarEncInfo Pointer to structure containing detailed +information about a variable. + + @retval EFI_UNSUPPORTED Unsupported interface. + +**/ +EFI_STATUS +EFIAPI +GetCipherDataInfo ( + IN VARIABLE_ENCRYPTION_INFO *VarEncInfo + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Set cipher information for a variable. + + Null version. + + @param[in] VarEncInfo Pointer to structure containing detailed +information about a variable. + + @retval EFI_UNSUPPORTED If this method is not supported. + +**/ +EFI_STATUS +EFIAPI +SetCipherDataInfo ( + IN VARIABLE_ENCRYPTION_INFO *VarEncInfo + ) +{ + return EFI_UNSUPPORTED; +} -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92359): https://edk2.groups.io/g/devel/message/92359 Mute This Topic: https://groups.io/mt/92953541/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
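Review bot: the DecryptVariable() header in EncryptionVariable.c still reads "@retval EFI_UNSUPPORTED Unsupported to encrypt variable.", copied from EncryptVariable(); it should say decrypt. GetCipherDataInfo() and SetCipherDataInfo() use two more wordings for the same return value, and one phrasing across all four functions would read better. Because this instance is the default for platforms without encryption support, each header should also say what the caller is expected to do when it gets EFI_UNSUPPORTED. The .inf uses INF_VERSION 0x00010005 and a 2015 - 2022 copyright, while the other new .inf files in the series use 0x00010029 and 2022.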
[edk2-devel] [PATCH v4 16/28] SecurityPkg: Add VariableKey library function
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Provide function that retrieves the key for protected variables. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf | 36 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c | 59 2 files changed, 95 insertions(+) diff --git a/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf new file mode 100644 index ..f62c80ce9943 --- /dev/null +++ b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf @@ -0,0 +1,36 @@ +## @file +# Provides default implementation of VariableKeyLib. +# +# Copyright (c) 2022, Intel Corporation. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010029 + BASE_NAME = VariableKeyLib + FILE_GUID = 7DF5A0BA-1DBB-4E67-A9F7-9FCCB1F9D250 + MODULE_TYPE= BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = VariableKeyLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 Arm AArch64 +# + +[Sources] + VariableKeyLib.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + +[PpiS] + gKeyServicePpiGuid ## CONSUMES + diff --git a/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c new file mode 100644 index ..31b22782cb0c --- /dev/null +++ b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c 
@@ -0,0 +1,59 @@ +/** @file + VariableKeyLib implementation. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include +#include + +#include + +#define VAR_KEY_SALT L"Key for RPMC Variable" +#define VAR_KEY_SALT_SIZE sizeof (VAR_KEY_SALT) + +/** + Retrieves the key for integrity and/or confidentiality of variables. + + @param[out] VariableKey A pointer to pointer for the variable key buffer. + @param[in] VariableKeySize The size in bytes of the variable key. + + @retval EFI_SUCCESS The variable key was returned. + @retval EFI_DEVICE_ERRORAn error occurred while attempting to get the variable key. + @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface. + @retval EFI_UNSUPPORTED The variable key is not supported in the current boot configuration. +**/ +EFI_STATUS +EFIAPI +GetVariableKey ( + OUT VOID *VariableKey, + IN UINTN VariableKeySize + ) +{ + EFI_STATUS Status; + KEY_SERVICE_PPI *KeyService; + + Status = PeiServicesLocatePpi ( + &gKeyServicePpiGuid, + 0, + NULL, + (void **)&KeyService + ); + if (EFI_ERROR (Status)) { +ASSERT_EFI_ERROR (Status); +return Status; + } + + Status = KeyService->GenerateKey ( + (UINT8 *)VAR_KEY_SALT, + VAR_KEY_SALT_SIZE, + VariableKey, + VariableKeySize + ); + return Status; +} -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92360): https://edk2.groups.io/g/devel/message/92360 Mute This Topic: https://groups.io/mt/92953542/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
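Review bot: VariableKeyLib.inf declares MODULE_TYPE = BASE, an unrestricted LIBRARY_CLASS and VALID_ARCHITECTURES that include Arm and AArch64, but GetVariableKey() calls PeiServicesLocatePpi(), which is available only in PEI, and [LibraryClasses] does not list PeiServicesLib. Restrict the instance to PEI module types and add the dependency. VAR_KEY_SALT_SIZE is sizeof (L"Key for RPMC Variable"), which is 44 bytes including the terminator, while KeyServicePpi.h in this series defines SALT_SIZE_MIN_LEN as 64; confirm that GenerateKey() accepts the shorter salt. On a platform without the PPI the ASSERT_EFI_ERROR() stops a DEBUG build; returning EFI_UNSUPPORTED, which the function header already documents, would be the cleaner failure. The @param text still says "A pointer to pointer" for a plain VOID * buffer, VariableKey is not checked for NULL, and the cast should be (VOID **).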
[edk2-devel] [PATCH v4 13/28] SecurityPkg: Update RPMC APIs with index
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Update RPMC APIs with index parameter because sometimes there are more than 1 RPMC counter on the platform. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Jian J Wang --- SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c index 792e48250e5d..557aeb6abf09 100644 --- a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c +++ b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c @@ -1,7 +1,7 @@ /** @file NULL RpmcLib instance for build purpose. -Copyright (c) 2020, Intel Corporation. All rights reserved. +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent /** Requests the monotonic counter from the designated RPMC counter. + @param[in]CounterIndexThe RPMC index @param[out] CounterValueA pointer to a buffer to store the RPMC value. @retval EFI_SUCCESS The operation completed successfully. @@ -21,6 +22,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent EFI_STATUS EFIAPI RequestMonotonicCounter ( + IN UINT8 CounterIndex, OUT UINT32 *CounterValue ) { @@ -31,6 +33,8 @@ RequestMonotonicCounter ( /** Increments the monotonic counter in the SPI flash device by 1. + @param[in]CounterIndexThe RPMC index + @retval EFI_SUCCESS The operation completed successfully. @retval EFI_DEVICE_ERRORA device error occurred while attempting to update the counter. @retval EFI_UNSUPPORTED The operation is un-supported. 
@@ -38,7 +42,7 @@ RequestMonotonicCounter ( EFI_STATUS EFIAPI IncrementMonotonicCounter ( - VOID + IN UINT8 CounterIndex ) { ASSERT (FALSE); -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92357): https://edk2.groups.io/g/devel/message/92357 Mute This Topic: https://groups.io/mt/92953539/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
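Review bot: CounterIndex is documented only as "The RPMC index" in both function headers, with no statement of the valid values or of what is returned for an index the platform does not have. RpmcLib.h in this series defines RPMC_COUNTER_1 and RPMC_COUNTER_2; refer to them in the @param text and add a @retval for an out-of-range index (EFI_INVALID_PARAMETER would be the usual choice) so that real instances of the library behave the same way.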
[edk2-devel] [PATCH v4 14/28] SecurityPkg: Fix GetVariableKey API
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V4: Applied code review - function comments need to match function prototype. V1: Fix GetVariableKey API to match changes in header files. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c index a08def767b5f..2cf4b3cbf9f6 100644 --- a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c +++ b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c @@ -1,7 +1,7 @@ /** @file Null version of VariableKeyLib for build purpose. Don't use it in real product. -Copyright (c) 2020, Intel Corporation. All rights reserved. +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -12,7 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent Retrieves the key for integrity and/or confidentiality of variables. @param[out] VariableKey A pointer to pointer for the variable key buffer. - @param[in,out] VariableKeySize The size in bytes of the variable key. + @param[in] VariableKeySize The size in bytes of the variable key. @retval EFI_SUCCESS The variable key was returned. @retval EFI_DEVICE_ERRORAn error occurred while attempting to get the variable key. 
@@ -22,8 +22,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent EFI_STATUS EFIAPI GetVariableKey ( - OUT VOID **VariableKey, - IN OUT UINTN *VariableKeySize + OUT VOID *VariableKey, + IN UINTN VariableKeySize ) { ASSERT (FALSE); -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92358): https://edk2.groups.io/g/devel/message/92358 Mute This Topic: https://groups.io/mt/92953540/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
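Review bot: the V4 note says the function comment was aligned with the prototype, but the unchanged context line still describes VariableKey as "A pointer to pointer for the variable key buffer" while the second hunk changes the parameter to `OUT VOID *VariableKey`. Reword it to describe a caller-provided buffer of VariableKeySize bytes.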
[edk2-devel] [PATCH v4 12/28] SecurityPkg: Add new variable types and functions
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add new variable encryption/decryption function prototypes. Add new variable digest structure. Add new Protected variable function prototypes. Update RPMC APIs to add an index because there could be more than one counter. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Include/Library/RpmcLib.h| 15 +--- SecurityPkg/Include/Library/VariableKeyLib.h | 37 +++- 2 files changed, 16 insertions(+), 36 deletions(-) diff --git a/SecurityPkg/Include/Library/RpmcLib.h b/SecurityPkg/Include/Library/RpmcLib.h index df4ba34ba8cf..cb71dfcd7e4d 100644 --- a/SecurityPkg/Include/Library/RpmcLib.h +++ b/SecurityPkg/Include/Library/RpmcLib.h @@ -1,19 +1,23 @@ /** @file Public definitions for the Replay Protected Monotonic Counter (RPMC) Library. -Copyright (c) 2020, Intel Corporation. All rights reserved. +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ -#ifndef _RPMC_LIB_H_ -#define _RPMC_LIB_H_ +#ifndef RPMC_LIB_H_ +#define RPMC_LIB_H_ #include +#define RPMC_COUNTER_1 0 +#define RPMC_COUNTER_2 1 + /** Requests the monotonic counter from the designated RPMC counter. + @param[in]CounterIndexThe RPMC index @param[out] CounterValueA pointer to a buffer to store the RPMC value. @retval EFI_SUCCESS The operation completed successfully. @@ -23,12 +27,15 @@ SPDX-License-Identifier: BSD-2-Clause-Patent EFI_STATUS EFIAPI RequestMonotonicCounter ( + IN UINT8 CounterIndex, OUT UINT32 *CounterValue ); /** Increments the monotonic counter in the SPI flash device by 1. + @param[in]CounterIndexThe RPMC index + @retval EFI_SUCCESS The operation completed successfully. @retval EFI_DEVICE_ERRORA device error occurred while attempting to update the counter. @retval EFI_UNSUPPORTED The operation is un-supported. 
@@ -36,7 +43,7 @@ RequestMonotonicCounter ( EFI_STATUS EFIAPI IncrementMonotonicCounter ( - VOID + IN UINT8 CounterIndex ); #endif diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h b/SecurityPkg/Include/Library/VariableKeyLib.h index 561ebad09da2..6076c4d4731b 100644 --- a/SecurityPkg/Include/Library/VariableKeyLib.h +++ b/SecurityPkg/Include/Library/VariableKeyLib.h @@ -1,13 +1,13 @@ /** @file Public definitions for Variable Key Library. -Copyright (c) 2020, Intel Corporation. All rights reserved. +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ -#ifndef _VARIABLE_KEY_LIB_H_ -#define _VARIABLE_KEY_LIB_H_ +#ifndef VARIABLE_KEY_LIB_H_ +#define VARIABLE_KEY_LIB_H_ #include 
@@ -25,35 +25,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent EFI_STATUS EFIAPI GetVariableKey ( - OUT VOID **VariableKey, - IN OUT UINTN *VariableKeySize - ); - -/** - Regenerates the variable key. - - @retval EFI_SUCCESS The variable key was regenerated successfully. - @retval EFI_DEVICE_ERRORAn error occurred while attempting to regenerate the key. - @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface. - @retval EFI_UNSUPPORTED Key regeneration is not supported in the current boot configuration. -**/ -EFI_STATUS -EFIAPI -RegenerateVariableKey ( - VOID - ); - -/** - Locks the regenerate key interface. - - @retval EFI_SUCCESS The key interface was locked successfully. - @retval EFI_UNSUPPORTED Locking the key interface is not supported in the current boot configuration. - @retval Others An error occurred while attempting to lock the key interface. -**/ -EFI_STATUS -EFIAPI -LockVariableKeyInterface ( - VOID + OUT VOID *VariableKey, + IN UINTN VariableKeySize ); #endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92356): https://edk2.groups.io/g/devel/message/92356 Mute This Topic: https://groups.io/mt/92953537/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
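Review bot: the last hunk removes RegenerateVariableKey() and LockVariableKeyInterface() from VariableKeyLib.h, and the commit message does not mention it; instead it lists new encryption/decryption prototypes, a digest structure and Protected variable prototypes, none of which appear in the two files of the diffstat. Please make the message describe this change and explain what now prevents key retrieval after the point where the interface used to be locked, since the new VariableKeyLib.c in this series still documents EFI_ACCESS_DENIED for a call "after locking the key interface". The prototype changes here also land in a different patch from the RpmcLibNull.c and VariableKeyLibNull.c updates (13/28 and 14/28), so the tree may not build at this commit; folding them together keeps bisection working.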
[edk2-devel] [PATCH v4 11/28] SecurityPkg: Add new KeyService types and defines
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V4: revert copyright date change. V1: Add new KeyService types and defines. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Include/Ppi/KeyServicePpi.h | 57 1 file changed, 57 insertions(+) diff --git a/SecurityPkg/Include/Ppi/KeyServicePpi.h b/SecurityPkg/Include/Ppi/KeyServicePpi.h new file mode 100644 index ..8cfec04f96e5 --- /dev/null +++ b/SecurityPkg/Include/Ppi/KeyServicePpi.h 
@@ -0,0 +1,57 @@ +/** @file + Provides Key Services. + +Copyright (c) 2008 - 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +@par Specification Reference: +**/ + +#ifndef PEI_KEY_SERVICE_PPI_H_ +#define PEI_KEY_SERVICE_PPI_H_ +/// +/// KEY SERVICE PPI GUID +/// +extern EFI_GUID gKeyServicePpiGuid; + +/** + Generate a new key from root key. + + @param[in] Salt Pointer to the salt(non-secret) value. + @param[in] SaltSize Salt size in bytes. + @param[out] NewKey Pointer to buffer to receive new key. + @param[in] NewKeySize Size of new key bytes to generate. + + @retval EFI_SUCCESS The function completed successfully + @retval OTHER The function completed with failure. +**/ +typedef +EFI_STATUS +(EFIAPI *KEY_SERVICE_GEN_KEY)( + IN UINT8*Salt, + IN UINTNSaltSize, + OUT UINT8*NewKey, + IN UINTNNewKeySize + ); + +#define KEY_SERVICE_PPI_REVISION 1 +#define ROOT_KEY_LEN 64 +#define SALT_SIZE_MIN_LEN 64 +#define KEY_SERVICE_KEY_NAME L"KEY_SERVICE_KEY" + +typedef struct { + UINT8RootKey[ROOT_KEY_LEN]; + UINT8PreviousRootKey[ROOT_KEY_LEN]; +} KEY_SERVICE_DATA; + +typedef struct _KEY_SERVICE_PPI KEY_SERVICE_PPI; + +/// +/// KEY SERVICE PPI +/// The interface functions are for Key Service in PEI Phase +/// +struct _KEY_SERVICE_PPI { + KEY_SERVICE_GEN_KEYGenerateKey; /// Generate Key +}; + +#endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92355): https://edk2.groups.io/g/devel/message/92355 Mute This Topic: https://groups.io/mt/92953536/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
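Review bot: KEY_SERVICE_DATA, which holds RootKey and PreviousRootKey, is defined in the public PPI header although the interface exposes only GenerateKey(); keep the root key layout private to the module that produces the PPI unless a consumer really needs it. KEY_SERVICE_PPI_REVISION is defined but struct _KEY_SERVICE_PPI has no Revision field to carry it. SALT_SIZE_MIN_LEN and KEY_SERVICE_KEY_NAME are undocumented, the GenerateKey comment does not say whether a salt shorter than SALT_SIZE_MIN_LEN is rejected, and "@par Specification Reference:" is left empty.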
[edk2-devel] [PATCH v4 10/28] SecurityPkg: Add new GUIDs for
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 The gEdkiiProtectedVariableGlobalGuid HOB contains the global configuration data structure which is verified in PEI Phase. The gEdkiiMetaDataHmacVariableGuid is used for saving the meta data HMAC variable. The gEdkiiProtectedVariableContextGuid contains the Protected Variable context saved in PEI phase to be used later. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Jian J Wang --- SecurityPkg/SecurityPkg.dec | 43 +++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 7ecf9565d98c..5e20111cceb7 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -5,7 +5,7 @@ # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library classes) # and libraries instances, which are used for those features. # -# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved. +# Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2015 Hewlett Packard Enterprise Development LP # Copyright (c) Microsoft Corporation. # SPDX-License-Identifier: BSD-2-Clause-Patent 
@@ -226,6 +226,18 @@ [Guids] ## GUID used to specify section with default dbt content gDefaultdbtFileGuid= { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } } + ## Include/Guid/ProtectedVariable.h + # {8EBF379A-F18E-4728-A410-00CF9A65BE91} + gEdkiiProtectedVariableGlobalGuid = { 0x8ebf379a, 0xf18e, 0x4728, { 0xa4, 0x10, 0x0, 0xcf, 0x9a, 0x65, 0xbe, 0x91 } } + + ## Include/Guid/ProtectedVariable.h + # {e3e890ad-5b67-466e-904f-94ca7e9376bb} + gEdkiiMetaDataHmacVariableGuid = {0xe3e890ad, 0x5b67, 0x466e, {0x90, 0x4f, 0x94, 0xca, 0x7e, 0x93, 0x76, 0xbb}} + + ## Include/Guid/ProtectedVariable.h + # {a11a3652-875b-495a-b097-200917580b98} + gEdkiiProtectedVariableContextGuid = {0xa11a3652, 0x875b, 0x495a, {0xb0, 0x97, 0x20, 0x09, 0x17, 0x58, 0x0b, 0x98} } + [Ppis] ## The PPI GUID for that TPM physical presence should be locked. # Include/Ppi/LockPhysicalPresence.h @@ -251,6 +263,10 @@ [Ppis] ## Include/Ppi/Tcg.h gEdkiiTcgPpiGuid = {0x57a13b87, 0x133d, 0x4bf3, { 0xbf, 0xf1, 0x1b, 0xca, 0xc7, 0x17, 0x6c, 0xf1 } } + ## Key Service Ppi + # Include/Ppi/KeyServicePpi.h + gKeyServicePpiGuid = {0x583592f6, 0xEC34, 0x4CED, {0x8E, 0x81, 0xC8, 0xD1, 0x36, 0x93, 0x04, 0x27}} + # # [Error.gEfiSecurityPkgTokenSpaceGuid] # 0x8001 | Invalid value provided. 
@@ -334,6 +350,31 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] gEfiSecurityPkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm|{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}|VOID*|0x00010032 + ## Progress Code for variable integrity check result. + # DEFAULT: (EFI_PERIPHERAL_FIXED_MEDIA | [EFI_STATUS&0xFF]) + # @Prompt Status Code for variable integiry check result + gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeVariableIntegrity|0x0107|UINT32|0x00010033 + + ## Null-terminated Unicode string of the Platform Variable Name + # @Prompt known unprotected variable name + gEfiSecurityPkgTokenSpaceGuid.PcdPlatformVariableName|L""|VOID*|0x00010034 + + ## Guid name to identify Platform Variable Guid + # @Prompt known unprotected variable guid + gEfiSecurityPkgTokenSpaceGuid.PcdPlatformVariableGuid|{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }|VOID*|0x00010035 + + ## Defines Protected Variable Integrity support. + # TRUE - Enable Protected Variable Integrity. + # FALSE - Disable Protected Variable Integrity. + # @Prompt Protected Variable Integrity support. + gEfiSecurityPkgTokenSpaceGuid.PcdProtectedVariableIntegrity|FALSE|BOOLEAN|0x00010036 + + ## Defines Protected Variable Confidentiality support. + # TRUE - Enable Protected Variable Confidentiality. + # FALSE - Disable Protected Variable Confidentiality. + # @Prompt Protected Variable Integrity support. + gEfiSecurityPkgTokenSpaceGuid.PcdProtectedVariableConfidentiality|FALSE|BOOLEAN|0x00010037 + [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] ## Image verification policy for OptionRom. Only following values are valid: # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed. -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. 
View/Reply Online (#92354): https://edk2.groups.io/g/devel/message/92354 Mute This Topic: https://groups.io/mt/92953535/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
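Review bot: In the [Guids] hunk, the value given for gEdkiiMetaDataHmacVariableGuid ({0xe3e890ad, 0x5b67, 0x466e, ...}) does not match EDKII_METADATA_HMAC_VARIABLE_GUID in MdeModulePkg/Include/Guid/ProtectedVariable.h from patch 03/28 ({ 0xb54cda50, 0xec54, 0x4b20, ... }). Code that uses the macro and code that uses the global would then look for the metadata HMAC variable under two different GUIDs. Please pick one value and use it in both places. The "## Include/Guid/ProtectedVariable.h" comments also point at a header that the series adds under MdeModulePkg, not SecurityPkg, so either the header or these declarations should move so that they live in the same package.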
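Review bot: In the [PcdsFixedAtBuild, PcdsPatchableInModule] hunk, the @Prompt for PcdProtectedVariableConfidentiality reads "Protected Variable Integrity support.", which looks copied from the PCD above it; it should say Confidentiality. The prompt for PcdStatusCodeVariableIntegrity also misspells "integrity" as "integiry". Since both protection PCDs default to FALSE, it would help to state in the comment whether Confidentiality can be enabled while Integrity is FALSE, or whether that combination is invalid.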
[edk2-devel] [PATCH v4 09/28] MdeModulePkg: Reference Null ProtectedVariableLib
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Make reference to new Null ProtectVariableLib. The null ProtectedVariableLib is used by default. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/MdeModulePkg.dsc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc index 45a8ec84ad69..db40c1734bb1 100644 --- a/MdeModulePkg/MdeModulePkg.dsc +++ b/MdeModulePkg/MdeModulePkg.dsc @@ -2,7 +2,7 @@ # EFI/PI Reference Module Package for All Architectures # # (C) Copyright 2014 Hewlett-Packard Development Company, L.P. -# Copyright (c) 2007 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2007 - 2022, Intel Corporation. All rights reserved. # Copyright (c) Microsoft Corporation. # #SPDX-License-Identifier: BSD-2-Clause-Patent @@ -104,6 +104,7 @@ [LibraryClasses] VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf [LibraryClasses.EBC.PEIM] IoLib|MdePkg/Library/PeiIoLibCpuIo/PeiIoLibCpuIo.inf 
@@ -318,6 +319,7 @@ [Components] MdeModulePkg/Library/PlatformBootManagerLibNull/PlatformBootManagerLibNull.inf MdeModulePkg/Library/BootLogoLib/BootLogoLib.inf MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92353): https://edk2.groups.io/g/devel/message/92353 Mute This Topic: https://groups.io/mt/92953534/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v4 05/28] MdeModulePkg: Add new GUID for Variable Store Info
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Discover if Variable Store Info HOB has been published by platform driver. It contains information in regards to HOB or NV Variable Store availability Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Jian J Wang --- MdeModulePkg/MdeModulePkg.dec | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index 7d989108324a..e812e016ccca 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec @@ -4,7 +4,7 @@ # and libraries instances, which are used for those modules. # # Copyright (c) 2019, NVIDIA CORPORATION. All rights reserved. -# Copyright (c) 2007 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2007 - 2022, Intel Corporation. All rights reserved. # Copyright (c) 2016, Linaro Ltd. All rights reserved. # (C) Copyright 2016 - 2019 Hewlett Packard Enterprise Development LP # Copyright (c) 2017, AMD Incorporated. All rights reserved. @@ -93,6 +93,14 @@ [LibraryClasses] # TpmMeasurementLib|Include/Library/TpmMeasurementLib.h + ## @libraryclass Provides interfaces to encrypt/decrypt variable. + # + EncryptionVariableLib|Include/Library/EncryptionVariableLib.h + + ## @libraryclass Provides interfaces to encrypt/decrypt variable. + # + ProtectedVariableLib|Include/Library/ProtectedVariableLib.h + ## @libraryclass Provides authenticated variable services. # AuthVariableLib|Include/Library/AuthVariableLib.h 
@@ -516,6 +524,9 @@ [Ppis] gEdkiiPeiCapsuleOnDiskPpiGuid = { 0x71a9ea61, 0x5a35, 0x4a5d, { 0xac, 0xef, 0x9c, 0xf8, 0x6d, 0x6d, 0x67, 0xe0 } } gEdkiiPeiBootInCapsuleOnDiskModePpiGuid = { 0xb08a11e4, 0xe2b7, 0x4b75, { 0xb5, 0x15, 0xaf, 0x61, 0x6, 0x68, 0xbf, 0xd1 } } + ## Include/Ppi/ReadOnlyVariable2.h + gEfiPeiVariableStoreDiscoveredPpiGuid = { 0xa2fc038d, 0xfdf5, 0x4501, { 0xaf, 0x8e, 0x69, 0xb0, 0x20, 0xec, 0xe6, 0x63 } } + [Protocols] ## Load File protocol provides capability to load and unload EFI image into memory and execute it. # Include/Protocol/LoadPe32Image.h -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92349): https://edk2.groups.io/g/devel/message/92349 Mute This Topic: https://groups.io/mt/92953530/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
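Review bot: In the [LibraryClasses] hunk, EncryptionVariableLib and ProtectedVariableLib carry the identical description "Provides interfaces to encrypt/decrypt variable." Patch 04/28 describes ProtectedVariableLib.h as the integrity interface, so its @libraryclass text should say that instead. The subject line and commit message talk about a GUID for a Variable Store Info HOB, but the visible hunks add two library classes and a PPI GUID; please either split the library class declarations into their own patch or update the message to match.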
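Review bot: In the [Ppis] hunk, gEfiPeiVariableStoreDiscoveredPpiGuid is declared in MdeModulePkg.dec with the comment "## Include/Ppi/ReadOnlyVariable2.h", but patch 02/28 adds its extern to MdePkg/Include/Ppi/ReadOnlyVariable2.h. An MdePkg header would then reference a GUID that only MdeModulePkg declares. Please keep the declaration and the header in the same package, and add a comment line describing what installing this PPI signals, as the neighbouring entries do.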
[edk2-devel] [PATCH v4 07/28] MdeModulePkg: Add new Variable functionality
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V3: Update GetNvVariableStore() to call GetVariableFlashNvStorageInfo() and SafeUint64ToUint32(). V1: Provide new APIs for retrieving variable information. Add new function stubs for retrieving Protected variable information. Cc: Jian J Wang Cc: Liming Gao Cc: Hao A Wu Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Acked-by: Hao A Wu --- MdeModulePkg/Universal/Variable/Pei/VariablePei.inf | 10 +- MdeModulePkg/Universal/Variable/Pei/Variable.h| 80 +- MdeModulePkg/Universal/Variable/Pei/VariableParsing.h | 309 +++ MdeModulePkg/Universal/Variable/Pei/VariableStore.h | 116 +++ MdeModulePkg/Universal/Variable/Pei/Variable.c| 890 +++--- MdeModulePkg/Universal/Variable/Pei/VariableParsing.c | 941 MdeModulePkg/Universal/Variable/Pei/VariableStore.c | 307 +++ 7 files changed, 1893 insertions(+), 760 deletions(-) diff --git a/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf b/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf index 7264a24bdf71..0945b4dec435 100644 --- a/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +++ b/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf @@ -3,7 +3,7 @@ # # This module implements ReadOnly Variable Services required by PEIM and installs PEI ReadOnly Varaiable2 PPI. # -# Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -26,6 +26,10 @@ [Defines] [Sources] Variable.c Variable.h + VariableStore.c + VariableStore.h + VariableParsing.c + VariableParsing.h [Packages] MdePkg/MdePkg.dec @@ -41,6 +45,7 @@ [LibraryClasses] PeiServicesLib SafeIntLib VariableFlashInfoLib + ProtectedVariableLib [Guids] ## CONSUMES ## GUID # Variable store header 
@@ -58,7 +63,8 @@ [Guids] gEdkiiFaultTolerantWriteGuid [Ppis] - gEfiPeiReadOnlyVariable2PpiGuid ## PRODUCES + gEfiPeiReadOnlyVariable2PpiGuid## PRODUCES + gEfiPeiVariableStoreDiscoveredPpiGuid ## CONSUMES [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable ## SOMETIMES_CONSUMES diff --git a/MdeModulePkg/Universal/Variable/Pei/Variable.h b/MdeModulePkg/Universal/Variable/Pei/Variable.h index 51effbf79987..8c79ff850b38 100644 --- a/MdeModulePkg/Universal/Variable/Pei/Variable.h +++ b/MdeModulePkg/Universal/Variable/Pei/Variable.h @@ -2,7 +2,7 @@ The internal header file includes the common header files, defines internal structure and functions used by PeiVariable module. -Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved. +Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -22,11 +22,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include #include #include #include #include +#include typedef enum { VariableStoreTypeHob, 
@@ -144,4 +146,80 @@ PeiGetNextVariableName ( IN OUT EFI_GUID*VariableGuid ); +/** + This service retrieves a variable's value using its name and GUID. + + Read the specified variable from the UEFI variable store. If the Data + buffer is too small to hold the contents of the variable, the error + EFI_BUFFER_TOO_SMALL is returned and DataSize is set to the required buffer + size to obtain the data. + + @param This A pointer to this instance of the EFI_PEI_READ_ONLY_VARIABLE2_PPI. + @param VariableName A pointer to a null-terminated string that is the variable's name. + @param VariableGuid A pointer to an EFI_GUID that is the variable's GUID. The combination of +VariableGuid and VariableName must be unique. + @param AttributesIf non-NULL, on return, points to the variable's attributes. + @param DataSize On entry, points to the size in bytes of the Data buffer. +On return, points to the size of the data returned in Data. + @param Data Points to the buffer which will hold the returned variable value. +May be NULL with a zero DataSize in order to determine the size of the buffer needed. + + @retval EFI_SUCCESS The variable was read successfully. + @retval EFI_NOT_FOUND The variable was not found. + @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the resulting data. +DataSize is updated with the size required for +the specified variable. + @retval EFI_INVALID_PARAMETER VariableName, VariableGuid, DataSize or Data is NULL. + @retval EFI_DEVICE_ERROR The variable could not be retrieved becaus
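Review bot: In the new function header added to Variable.h, the return-value text contradicts the parameter text: "@retval EFI_INVALID_PARAMETER VariableName, VariableGuid, DataSize or Data is NULL." while the @param for Data says it "May be NULL with a zero DataSize in order to determine the size of the buffer needed." Callers that use the size-query pattern need to know they get EFI_BUFFER_TOO_SMALL, not EFI_INVALID_PARAMETER, so please reword the @retval to exclude that case. In the VariablePei.inf hunk, the [Ppis] section now lists gEfiPeiVariableStoreDiscoveredPpiGuid as CONSUMES; if the PPI is optional on platforms that never publish it, SOMETIMES_CONSUMES would describe the usage more accurately.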
[edk2-devel] [PATCH v4 06/28] MdeModulePkg: Add Null ProtectedVariable Library
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V4: Applied code review comments - removed APIs that are not being used. V1: Add Null versions of the ProtectedVariable Library. This will be the default libraries for platforms that do not support ProtectedVariable. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf | 34 ++ MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c | 336 2 files changed, 370 insertions(+) diff --git a/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf new file mode 100644 index ..6a17191c4e1e --- /dev/null +++ b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf @@ -0,0 +1,34 @@ +## @file +# Provides null version of protected variable services. +# +# Copyright (c) 2022, Intel Corporation. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010029 + BASE_NAME = ProtectedVariableLibNull + FILE_GUID = 352C6A1B-403A-4E37-8517-FAA50BC45251 + MODULE_TYPE= BASE + VERSION_STRING = 0.1 + LIBRARY_CLASS = ProtectedVariableLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + ProtectedVariable.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + diff --git a/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c new file mode 100644 index ..074559f84f52 --- /dev/null +++ b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c 
@@ -0,0 +1,336 @@ +/** @file + NULL version of ProtectedVariableLib used to disable protected variable services. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +#include +#include +#include + +/** + + Initialization for protected varibale services. + + @param[in] ContextIn Pointer to variable service context needed by + protected variable. + + @retval EFI_UNSUPPORTED Unsupported to process protected variable. + +**/ +EFI_STATUS +EFIAPI +ProtectedVariableLibInitialize ( + IN PROTECTED_VARIABLE_CONTEXT_IN *ContextIn + ) +{ + return EFI_UNSUPPORTED; +} + +/** + + Prepare for variable update. + + @retval EFI_UNSUPPORTED Unsupported to process protected variable. + +**/ +EFI_STATUS +EFIAPI +ProtectedVariableLibWriteInit ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +/** + + Update a variable with protection provided by this library. + + @param[in,out] CurrVariableVariable to be updated. It's NULL if + adding a new variable. + @param[in] CurrVariableInDel In-delete-transiion copy of updating variable. + @param[in,out] NewVariable Buffer of new variable data. + Buffer of "MetaDataHmacVar" and new + variable (encrypted). + @param[in,out] NewVariableSize Size of NewVariable. + Size of (encrypted) NewVariable and + "MetaDataHmacVar". + + @retval EFI_UNSUPPORTED Unsupported to process protected variable. + +**/ +EFI_STATUS +EFIAPI +ProtectedVariableLibUpdate ( + IN OUT VARIABLE_HEADER *CurrVariable, + IN VARIABLE_HEADER *CurrVariableInDel, + IN OUT VARIABLE_HEADER *NewVariable, + IN OUT UINTN*NewVariableSize + ) +{ + return EFI_UNSUPPORTED; +} + +/** + + Finalize a variable updating after it's written to NV variable storage + successfully. + + @param[in] NewVariable Buffer of new variables and MetaDataHmacVar. + @param[in] VariableSize Size of buffer pointed by NewVariable. + @param[in] StoreIndexNew index of the variable in store. 
+ + @retval EFI_UNSUPPORTED Unsupported to process protected variable. + +**/ +EFI_STATUS +EFIAPI +ProtectedVariableLibWriteFinal ( + IN VARIABLE_HEADER *NewVariable, + IN UINTNVariableSize, + IN UINT64 StoreIndex + ) +{ + return EFI_UNSUPPORTED; +} + +/** + + Retrieve plain data, if encrypted, of given variable. + + @param[in] Variable Pointer to header of a Variable. + @param[in,out] Data Pointer to plain data of the given variable. + @param[in,out] DataSize
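Review bot: In ProtectedVariableLibNull.inf, the reference comment "VALID_ARCHITECTURES = IA32 X64" is too narrow for a BASE Null instance that the series wires in as the default for every platform, including ArmVirtPkg per the cover letter. Please list all architectures the library is expected to build for, or drop the restriction. In ProtectedVariable.c, every entry point returns EFI_UNSUPPORTED, so the file header or each function comment should state how callers are expected to treat that status (skip protection and continue, not fail the variable operation); otherwise a platform using the default library depends on undocumented caller behaviour. Minor: "varibale" and "In-delete-transiion" in the function comments are misspelled.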
[edk2-devel] [PATCH v4 03/28] MdeModulePkg: Add new ProtectedVariable GUIDs
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 New ProtectVariable GUIDs for passing variable information from PEI phase to SMM phase. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Jian J Wang --- MdeModulePkg/Include/Guid/ProtectedVariable.h | 22 1 file changed, 22 insertions(+) diff --git a/MdeModulePkg/Include/Guid/ProtectedVariable.h b/MdeModulePkg/Include/Guid/ProtectedVariable.h new file mode 100644 index ..0c6e19e0456b --- /dev/null +++ b/MdeModulePkg/Include/Guid/ProtectedVariable.h @@ -0,0 +1,22 @@ +/** @file + The GUID definitions specific for protected variable services. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef PROTECTED_VARIABLE_H_ +#define PROTECTED_VARIABLE_H_ + +#define EDKII_PROTECTED_VARIABLE_GLOBAL_GUID \ + { 0x8ebf379a, 0xf18e, 0x4728, { 0xa4, 0x10, 0x0, 0xcf, 0x9a, 0x65, 0xbe, 0x91 } } + +#define EDKII_METADATA_HMAC_VARIABLE_GUID \ + { 0xb54cda50, 0xec54, 0x4b20, { 0x85, 0xb4, 0x57, 0xbf, 0x52, 0x98, 0x68, 0x3d } } + +extern EFI_GUID gEdkiiProtectedVariableGlobalGuid; +extern EFI_GUID gEdkiiMetaDataHmacVariableGuid; +extern EFI_GUID gEdkiiProtectedVariableContextGuid; + +#endif // __PROTECTED_VARIABLE_H__ -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92346): https://edk2.groups.io/g/devel/message/92346 Mute This Topic: https://groups.io/mt/92953527/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
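Review bot: The header declares three externs but defines only two GUID macros; "extern EFI_GUID gEdkiiProtectedVariableContextGuid;" has no matching EDKII_PROTECTED_VARIABLE_CONTEXT_GUID define, so a reader of this file cannot tell what value it carries. Please add the macro or drop the extern until it is needed. The closing comment "#endif // __PROTECTED_VARIABLE_H__" does not match the guard name PROTECTED_VARIABLE_H_ used at the top. A one-line comment above each macro saying what the GUID identifies (HOB, variable, or context) would also help, since the commit message says these carry data from PEI to SMM.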
[edk2-devel] [PATCH v4 02/28] MdeModulePkg: Add reference to new Ppi Guid
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to gEfiPeiVariableStoreDiscoveredPpiGuid which contains information whether variable store is available. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Jian J Wang --- MdePkg/Include/Ppi/ReadOnlyVariable2.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/MdePkg/Include/Ppi/ReadOnlyVariable2.h b/MdePkg/Include/Ppi/ReadOnlyVariable2.h index 926c0bc82a43..c5a8470565bb 100644 --- a/MdePkg/Include/Ppi/ReadOnlyVariable2.h +++ b/MdePkg/Include/Ppi/ReadOnlyVariable2.h @@ -2,7 +2,7 @@ This file declares Read-only Variable Service2 PPI. This ppi permits read-only access to the UEFI variable store during the PEI phase. -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved. +Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent @par Revision Reference: @@ -106,4 +106,6 @@ struct _EFI_PEI_READ_ONLY_VARIABLE2_PPI { extern EFI_GUID gEfiPeiReadOnlyVariable2PpiGuid; +extern EFI_GUID gEfiPeiVariableStoreDiscoveredPpiGuid; + #endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92347): https://edk2.groups.io/g/devel/message/92347 Mute This Topic: https://groups.io/mt/92953528/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
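Review bot: The new "extern EFI_GUID gEfiPeiVariableStoreDiscoveredPpiGuid;" at the end of ReadOnlyVariable2.h comes with no comment and no GUID value macro, while the file header still says it only "declares Read-only Variable Service2 PPI". Please document in the header what the new PPI means (who installs it, what a consumer may assume once it is present, and whether it has an interface structure or is a notification-only GUID), and consider giving it its own header file so that this file keeps matching its description.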
[edk2-devel] [PATCH v4 04/28] MdeModulePkg: Add new include files
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V4: Updated with review comments for misspellings, mismatch function prototype, missing function header comments, incorrect function description. V1: Add EncryptionVariableLib.h for providing encryption and decryption services for protected variables. Add ProtectedVariableLib.h for providing integrity or variables. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/Include/Library/EncryptionVariableLib.h | 165 ++ MdeModulePkg/Include/Library/ProtectedVariableLib.h | 607 2 files changed, 772 insertions(+) diff --git a/MdeModulePkg/Include/Library/EncryptionVariableLib.h b/MdeModulePkg/Include/Library/EncryptionVariableLib.h new file mode 100644 index ..68981f5aad6a --- /dev/null +++ b/MdeModulePkg/Include/Library/EncryptionVariableLib.h 
@@ -0,0 +1,165 @@ +/** @file + Provides services to encrypt/decrypt variables. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef ENCRYPTION_VARIABLE_LIB_H_ +#define ENCRYPTION_VARIABLE_LIB_H_ + +#include + +#include + +#include + +#define ENC_TYPE_NULL 0 +#define ENC_TYPE_AES TPM_ALG_AES + +typedef struct _VARIABLE_ENCRYPTION_FLAGS { + BOOLEANAuth;// Variable is authenticated or not + BOOLEANDecryptInPlace; // Do decryption in place + BOOLEANProtected; // Variable is protected or not +} VARIABLE_ENCRYPTION_FLAGS; + +typedef struct _VARIABLE_ENCRYPTION_INFO { + AUTH_VARIABLE_INFO Header;// Authenticated varabile header + VARIABLE_HEADER *Buffer; // Pointer to variable buffer + UINT64 StoreIndex;// Variable store index + VOID *PlainData;// Pointer to plain data + UINT32 PlainDataSize; // Size of plain data + VOID *CipherData; // Pointer to cipher data + UINT32 CipherDataSize;// Size of cipher data + UINT32 CipherHeaderSize; // Size of cipher header + UINT32 CipherDataType;// Type of cipher data + VOID *Key; // Pointer to encrypt/decrypt key + UINT32 KeySize; // Size of key + VARIABLE_ENCRYPTION_FLAGSFlags; // Encryption flags +} VARIABLE_ENCRYPTION_INFO; + +/** + Encrypt variable data. + + @param[in, out] VarInfo Pointer to structure containing detailed information about a variable. + + @retval EFI_SUCCESS Function successfully executed. + @retval EFI_INVALID_PARAMETER If ProtectedVarLibContextIn == NULL or ProtectedVarLibContextOut == NULL. + @retval EFI_OUT_OF_RESOURCES Fail to allocate enough resource. + @retval EFI_UNSUPPORTED Unsupported to process encrypted variable. + +**/ +EFI_STATUS +EFIAPI +EncryptVariable ( + IN OUT VARIABLE_ENCRYPTION_INFO *VarInfo + ); + +/** + Decrypt variable data. + + If VarEncInfo->CipherData is not NULL, it must holds the cipher data to be + decrypted. Otherwise, assume the cipher data from variable data buffer, i.e. + VarEncInfo->Header.Data. 
+ + If VarEncInfo->Flags.DecryptInPlace is TRUE, the decrypted data will be put + back in the same buffer as cipher buffer got above, after encryption header, + which helps to identify later if the data in buffer is decrypted or not. This + can avoid repeat decryption when accessing the same variable more than once. + + If VarEncInfo->Flags.DecryptInPlace is FALSE, VarEncInfo->PlainData must be + passed in with a valid buffer with VarEncInfo->PlainDataSize set correctly + with its size. + + Note the VarEncInfo->PlainData is always pointing to the buffer address with + decrypted data without encryption header, and VarEncInfo->PlainDataSize is + always the size of original variable data, if this function returned + successfully. + + @param[in, out] VarInfo Pointer to structure containing detailed + information about a variable. + + @retval EFI_SUCCESS Variable was decrypted successfully. + @retval EFI_INVALID_PARAMETER Variable information in VarEncInfo is invalid. + @retval EFI_BUFFER_TOO_SMALLVarEncInfo->PlainData is not NULL but + VarEncInfo->PlainDataSize is too small. + @retval EFI_ABORTED Unknown error occurred during decrypting. + @retval EFI_OUT_OF_RESOURCESFail to allocate enough resource. + @retval EFI_COMPROMISED_DATAThe cipher header is not valid. + @retval EFI_UNSUPPORTED Unsupported to encrypt variable. + +**/ +EFI_STATUS +EFIAPI +DecryptVariable ( + IN OUT VARIABLE_ENCRYPTION_INFO *VarInfo + ); + +/** + Get ciphe
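Review bot: In EncryptionVariableLib.h, the function comments do not match the prototypes. EncryptVariable() documents "@retval EFI_INVALID_PARAMETER If ProtectedVarLibContextIn == NULL or ProtectedVarLibContextOut == NULL." but takes only VarInfo, and the DecryptVariable() comment refers to VarEncInfo throughout while the parameter is named VarInfo. DecryptVariable() also lists "@retval EFI_UNSUPPORTED Unsupported to encrypt variable.", which should say decrypt. For the DecryptInPlace paragraph, please state who owns the buffer and whether the plain data left in the variable buffer is cleared after use, because the struct also carries a raw Key pointer and KeySize and the comment gives no lifetime or zeroization rule for either. Minor: "varabile" in the Header field comment and "it must holds" are typos.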
[edk2-devel] [PATCH v4 01/28] MdeModulePkg: Update AUTH_VARIABLE_INFO struct
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Added NameSize and State to AUTH_VARIABLE_INFO struct. The size of the name and state is needed when creating the variable digest. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang Reviewed-by: Jian J Wang --- MdeModulePkg/Include/Library/AuthVariableLib.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Include/Library/AuthVariableLib.h b/MdeModulePkg/Include/Library/AuthVariableLib.h index 37aceba699e6..32391bbf2b61 100644 --- a/MdeModulePkg/Include/Library/AuthVariableLib.h +++ b/MdeModulePkg/Include/Library/AuthVariableLib.h @@ -1,7 +1,7 @@ /** @file Provides services to initialize and process authenticated variables. -Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved. +Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -25,9 +25,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData))) typedef struct { + UINTN NameSize; CHAR16 *VariableName; EFI_GUID*VendorGuid; UINT32 Attributes; + UINT8 State; UINTN DataSize; VOID*Data; UINT32 PubKeyIndex; -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#92345): https://edk2.groups.io/g/devel/message/92345 Mute This Topic: https://groups.io/mt/92953526/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
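Review bot: The two new AUTH_VARIABLE_INFO fields are added without any comment, and NameSize in particular is ambiguous: it is not stated whether it counts bytes or CHAR16 characters, or whether it includes the terminating NUL. The commit message says the value feeds the variable digest, so producer and verifier must agree on it exactly; please document both fields in the struct. Because NameSize is inserted ahead of VariableName and State in the middle of the struct, every existing site that fills AUTH_VARIABLE_INFO needs to be checked so that the new fields are set or zeroed and are not left holding stack contents.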
[edk2-devel] [PATCH v4 00/28] UEFI variable protection
Patch 04 - Updated with code review for misspellings, mismatch function prototype, missing function header comments, incorrect function description. Patch 06 - Applied code review - removed APIs that are not being used. Patch 08 - Applied code review - remove unreferenced library from *.inf. Updated some function description and parameters. Patch 11 - revert copyright date change. Patch 13 - Applied code review - function comments need to match function prototype. Patch 15 - Applied code review - Remove empty Guids section from .inf file. Update description in *.c. Remove *.uni file and reference to it. Notes: Some patches are reordered as suggested by code review due to dependencies and some reordered to be next to its package. Old Patch 01 "MdeModulePkg: Add new GUID for Variable Store Info" needs to go after Old Patch 06 "MdeModulePkg: Add new include files" Old Patch 02 "SecurityPkg: Add new GUIDs for" is moved to the beginning of the SecurityPkg patches. Old Patch 11 "SecurityPkg: Update RPMC APIs with index" needs to go after old Patch 12 "SecurityPkg: Add new variable types and functions". Old Patch 18 "MdeModulePkg: Reference Null ProtectedVariableLib" is moved to the end of the MdeModulePkg patches. Old Patch 28 - CryptoPkg: Enable cypto HMAC KDF and AES library is removed from here and is being tracked separately. 
New Patch 28 - OvmfPkg/IntelTdx requires NULL ProtectedVariableLib reference Patch 01 --> 05 Patch 02 --> 10 Patch 03 --> 01 Patch 04 --> 02 Patch 05 --> 03 Patch 06 --> 04 Patch 07 --> 06 Patch 08 --> 07 Patch 09 --> 08 Patch 10 --> 11 Patch 11 --> 12 Patch 12 --> 13 Patch 13 --> 14 Patch 14 --> 15 Patch 15 --> 16 Patch 16 --> 17 Patch 17 --> 18 Patch 18 --> 09 The rest stayed with the same patch # Judah Vang (28): MdeModulePkg: Update AUTH_VARIABLE_INFO struct MdeModulePkg: Add reference to new Ppi Guid MdeModulePkg: Add new ProtectedVariable GUIDs MdeModulePkg: Add new include files MdeModulePkg: Add new GUID for Variable Store Info MdeModulePkg: Add Null ProtectedVariable Library MdeModulePkg: Add new Variable functionality MdeModulePkg: Add support for Protected Variables MdeModulePkg: Reference Null ProtectedVariableLib SecurityPkg: Add new GUIDs for SecurityPkg: Add new KeyService types and defines SecurityPkg: Add new variable types and functions SecurityPkg: Update RPMC APIs with index SecurityPkg: Fix GetVariableKey API SecurityPkg: Add null encryption variable libs SecurityPkg: Add VariableKey library function SecurityPkg: Add EncryptionVariable lib with AES SecurityPkg: Add Protected Variable Services SecurityPkg: Add references to new *.inf files ArmVirtPkg: Add reference to ProtectedVariableNull UefiPayloadPkg: Add ProtectedVariable reference EmulatorPkg: Add ProtectedVariable reference OvmfPkg: Add ProtectedVariable reference OvmfPkg: Add ProtectedVariableLib reference OvmfPkg: Add ProtectedVariableLib reference OvmfPkg: Add ProtectedVariableLib reference OvmfPkg: Add ProtectedVariable reference IntelTdx: Add ProtectedVariable reference MdeModulePkg/MdeModulePkg.dec | 13 +- SecurityPkg/SecurityPkg.dec | 43 +- ArmVirtPkg/ArmVirtQemu.dsc | 3 +- EmulatorPkg/EmulatorPkg.dsc | 3 +- MdeModulePkg/MdeModulePkg.dsc | 4 +- OvmfPkg/AmdSev/AmdSevX64.dsc| 3 +- OvmfPkg/Bhyve/BhyveX64.dsc | 3 +- OvmfPkg/CloudHv/CloudHvX64.dsc | 1 + OvmfPkg/IntelTdx/IntelTdxX64.dsc| 
1 + OvmfPkg/Microvm/MicrovmX64.dsc | 3 +- OvmfPkg/OvmfPkgIa32.dsc | 1 + OvmfPkg/OvmfPkgIa32X64.dsc | 1 + OvmfPkg/OvmfPkgX64.dsc | 1 + OvmfPkg/OvmfXen.dsc | 3 +- SecurityPkg/SecurityPkg.dsc | 13 +- UefiPayloadPkg/UefiPayloadPkg.dsc | 2 + MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf | 34 + MdeModulePkg/Universal/Variable/Pei/VariablePei.inf | 10 +- MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 3 +- MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 3 +- MdeModulePkg/Uni
[edk2-devel] [PATCH v3 3/3] CryptoPkg: Need to enable crypto functions
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3992 Enable CryptAes for PEI phase. Enable CryptHkdf for SMM phase. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 2 +- CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf index 01de27e03747..40728af37822 100644 --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf @@ -43,7 +43,7 @@ [Sources] Hash/CryptParallelHashNull.c Hmac/CryptHmacSha256.c Kdf/CryptHkdf.c - Cipher/CryptAesNull.c + Cipher/CryptAes.c Pk/CryptRsaBasic.c Pk/CryptRsaExtNull.c Pk/CryptPkcs1OaepNull.c diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf index 91a171509540..706b527338f0 100644 --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf @@ -43,7 +43,7 @@ [Sources] Hash/CryptCShake256.c Hash/CryptParallelHash.c Hmac/CryptHmacSha256.c - Kdf/CryptHkdfNull.c + Kdf/CryptHkdf.c Cipher/CryptAes.c Pk/CryptRsaBasic.c Pk/CryptRsaExtNull.c -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#91387): https://edk2.groups.io/g/devel/message/91387 Mute This Topic: https://groups.io/mt/92389741/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
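Review bot: Both hunks swap a Null source for the real one (Cipher/CryptAes.c in PeiCryptLib.inf, Kdf/CryptHkdf.c in SmmCryptLib.inf), but the diffstat touches only the [Sources] lines of the two INF files. If the INF file headers or the package documentation list AES as unsupported in PEI or HKDF as unsupported in SMM, they need to be updated in this same patch so that the documented service set matches what is linked. The commit message should also name the consumer that needs these services in each phase, so reviewers can weigh the added PEI and SMM code size against that need.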
[edk2-devel] [PATCH v3 2/3] CryptoPkg: Sha1 functions causing build errors
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3991 Fix build issue when DiSABLE_SHA1_DEPRECATED_INTERFACES is defined. Percolate the #ifndef DiSABLE_SHA1_DEPRECATED_INTERFACES to all the Sha1 functions. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 +- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c index f9796b215865..ede9fa8c09ec 100644 --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c @@ -6,7 +6,7 @@ This API, when called, will calculate the Hash using the hashing algorithm specified by PcdHashApiLibPolicy. - Copyright (c) 2020, Intel Corporation. All rights reserved. + Copyright (c) 2020-2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -33,9 +33,11 @@ HashApiGetContextSize ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1GetContextSize (); break; + #endif case HASH_ALG_SHA256: return Sha256GetContextSize (); @@ -75,9 +77,11 @@ HashApiInit ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Init (HashContext); break; + #endif case HASH_ALG_SHA256: return Sha256Init (HashContext); @@ -119,9 +123,11 @@ HashApiDuplicate ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Duplicate (HashContext, NewHashContext); break; + #endif case HASH_ALG_SHA256: return Sha256Duplicate (HashContext, NewHashContext); 
@@ -165,9 +171,11 @@ HashApiUpdate ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Update (HashContext, DataToHash, DataToHashLen); break; + #endif case HASH_ALG_SHA256: return Sha256Update (HashContext, DataToHash, DataToHashLen); @@ -209,9 +217,11 @@ HashApiFinal ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1Final (HashContext, Digest); break; + #endif case HASH_ALG_SHA256: return Sha256Final (HashContext, Digest); @@ -255,9 +265,11 @@ HashApiHashAll ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1HashAll (DataToHash, DataToHashLen, Digest); break; + #endif case HASH_ALG_SHA256: return Sha256HashAll (DataToHash, DataToHashLen, Digest); -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#91386): https://edk2.groups.io/g/devel/message/91386 Mute This Topic: https://groups.io/mt/92389739/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
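Review bot: With DISABLE_SHA1_DEPRECATED_INTERFACES defined, all six switch statements (HashApiGetContextSize through HashApiHashAll) lose their HASH_ALG_SHA1 case, so a platform whose PcdHashApiLibPolicy still selects HASH_ALG_SHA1 now reaches the default label, which is outside these hunks. Please confirm that path fails visibly (an ASSERT plus an error or zero return) rather than returning something a caller could take for success. The commit message also spells the macro DiSABLE_SHA1_DEPRECATED_INTERFACES while the code uses DISABLE_SHA1_DEPRECATED_INTERFACES; correct the message so a search for the macro finds this commit.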
[edk2-devel] [PATCH v3 1/3] CryptoPkg: Fix memory leak in BaseMemAllocation
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3990 Replace AllocatePool() with AllocatePages() and FreePool() with FreePages() because FreePool() is not supported in PEI phase. FreePool() does not free the allocated pool in PEI phase causing a memory leak. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c index b7bed15c18df..d77e1f7de5e3 100644 --- a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c @@ -2,13 +2,14 @@ Base Memory Allocation Routines Wrapper for Crypto library over OpenSSL during PEI & DXE phases. -Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved. +Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include #include +#include // // Extra header to record the memory buffer size from malloc routine. @@ -41,7 +42,7 @@ malloc ( // NewSize = (UINTN)(size) + CRYPTMEM_OVERHEAD; - Data = AllocatePool (NewSize); + Data = AllocatePages (EFI_SIZE_TO_PAGES (NewSize)); if (Data != NULL) { PoolHdr = (CRYPTMEM_HEAD *)Data; // @@ -73,7 +74,7 @@ realloc ( VOID *Data; NewSize = (UINTN)size + CRYPTMEM_OVERHEAD; - Data= AllocatePool (NewSize); + Data= AllocatePages (EFI_SIZE_TO_PAGES (NewSize)); if (Data != NULL) { NewPoolHdr= (CRYPTMEM_HEAD *)Data; NewPoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE; 
@@ -90,7 +91,7 @@ realloc ( // Duplicate the buffer content. // CopyMem ((VOID *)(NewPoolHdr + 1), ptr, MIN (OldSize, size)); - FreePool ((VOID *)OldPoolHdr); + FreePages (((VOID *)OldPoolHdr), EFI_SIZE_TO_PAGES (OldSize)); } return (VOID *)(NewPoolHdr + 1); @@ -117,6 +118,6 @@ free ( if (ptr != NULL) { PoolHdr = (CRYPTMEM_HEAD *)ptr - 1; ASSERT (PoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE); -FreePool (PoolHdr); +FreePages (((VOID *)PoolHdr), EFI_SIZE_TO_PAGES (PoolHdr->Size)); } } -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#91385): https://edk2.groups.io/g/devel/message/91385 Mute This Topic: https://groups.io/mt/92389738/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
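Review bot: The page count passed to FreePages() does not match the count that was allocated. malloc() and realloc() allocate EFI_SIZE_TO_PAGES (NewSize) with NewSize = size + CRYPTMEM_OVERHEAD, but realloc() frees EFI_SIZE_TO_PAGES (OldSize) and free() frees EFI_SIZE_TO_PAGES (PoolHdr->Size). The CopyMem length MIN (OldSize, size) indicates the stored size is the payload size without the header, so a buffer whose payload ends within CRYPTMEM_OVERHEAD bytes of a page boundary releases one page fewer than it took, and a zero-length allocation releases none. Suggest adding CRYPTMEM_OVERHEAD inside both EFI_SIZE_TO_PAGES() arguments.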
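Review bot: In malloc() and realloc(), AllocatePages (EFI_SIZE_TO_PAGES (NewSize)) rounds every request up to whole pages, and the file header says this wrapper serves both PEI and DXE, so DXE users of the library also pay at least one page per small allocation although the commit message cites only a PEI limitation. Consider confining the page-based path to the PEI instance and keeping the pool calls for DXE, or state the expected memory cost in the message.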
[edk2-devel] [PATCH v3 0/3] CryptoPkg bug fixes
https://bugzilla.tianocore.org/show_bug.cgi?id=3990
https://bugzilla.tianocore.org/show_bug.cgi?id=3991
https://bugzilla.tianocore.org/show_bug.cgi?id=3992

There is a memory leak issue with BaseMemAllocation. It calls AllocatePool() and FreePool() but FreePool() is not supported in PEI phase so this can cause a memory leak.

There is a #define to deprecate Sha1 functions but not all the Sha1 functions are wrapped around this #define causing a build error. The fix is to wrap all Sha1 functions with the #define.

Need crypto AES to be supported for PEI phase and need crypto KDF to be supported for SMM phase.

Judah Vang (3):
  CryptoPkg: Fix memory leak in BaseMemAllocation
  CryptoPkg: Sha1 functions causing build errors
  CryptoPkg: Need to enable crypto functions

 CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 2 +-
 CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +-
 CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c | 11 ++-
 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 +-
 4 files changed, 21 insertions(+), 8 deletions(-)

--
2.35.1.windows.2
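A host-side model of the header-prefixed allocator this cover letter discusses, added here as an example and not taken from edk2: it counts pages the way EFI_SIZE_TO_PAGES does and shows that the free path has to use the same byte count (payload plus header) as the allocation path. The model_* names, the 8-byte header layout and the assumption that the header stores only the payload size are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Round a byte count up to 4 KiB pages, as EFI_SIZE_TO_PAGES does (0 bytes -> 0 pages). */
#define MODEL_PAGE_SIZE 4096u
#define MODEL_SIZE_TO_PAGES(n) (((size_t)(n) + MODEL_PAGE_SIZE - 1) / MODEL_PAGE_SIZE)

/* Constructed stand-in for CRYPTMEM_HEAD; assumption: size holds the payload length only. */
typedef struct {
  uint32_t signature;
  uint32_t size;
} model_head;

#define MODEL_SIGNATURE 0x4d485243u
#define MODEL_OVERHEAD  sizeof(model_head)

/* Pages the modelled firmware page allocator currently considers allocated. */
static size_t pages_in_use;

static void *model_alloc_pages(size_t pages) {
  void *p = malloc(pages * MODEL_PAGE_SIZE);
  if (p != NULL) pages_in_use += pages;
  return p;
}

/* Host memory is released whole; only the page accounting follows the caller's count. */
static void model_free_pages(void *p, size_t pages) {
  pages_in_use -= pages;
  free(p);
}

/* malloc wrapper: header plus payload, rounded up to whole pages. */
void *model_malloc(size_t size) {
  size_t new_size = size + MODEL_OVERHEAD;
  model_head *hdr = model_alloc_pages(MODEL_SIZE_TO_PAGES(new_size));
  if (hdr == NULL) return NULL;
  hdr->signature = MODEL_SIGNATURE;
  hdr->size = (uint32_t)size;
  return hdr + 1;
}

/* free wrapper: count_header selects whether the header bytes are included
   when the page count to release is computed from the stored size. */
void model_free(void *ptr, int count_header) {
  if (ptr == NULL) return;
  model_head *hdr = (model_head *)ptr - 1;
  if (hdr->signature != MODEL_SIGNATURE) abort();
  size_t bytes = hdr->size + (count_header ? MODEL_OVERHEAD : 0);
  model_free_pages(hdr, MODEL_SIZE_TO_PAGES(bytes));
}

/* Pages still accounted as allocated after one malloc/free round trip. */
size_t leaked_pages(size_t size, int count_header) {
  pages_in_use = 0;
  void *p = model_malloc(size);
  if (p == NULL) return (size_t)-1;
  model_free(p, count_header);
  return pages_in_use;
}

/* Number of request sizes in [0, max_size] whose round trip leaves pages behind. */
size_t count_leaking_sizes(size_t max_size, int count_header) {
  size_t n = 0;
  for (size_t s = 0; s <= max_size; s++)
    if (leaked_pages(s, count_header) != 0) n++;
  return n;
}

int main(void) {
  printf("payload-only count, 4090 bytes: %zu page(s) left\n", leaked_pages(4090, 0));
  printf("payload+header count, 4090 bytes: %zu page(s) left\n", leaked_pages(4090, 1));
  printf("leaking sizes up to 8192 (payload-only): %zu\n", count_leaking_sizes(8192, 0));
  return 0;
}
```

Only requests that end within the header size of a page boundary, plus the zero-length request, are affected, which is why a mismatch of this kind can pass ordinary testing.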
Re: [edk2-devel] [PATCH v3 17/28] SecurityPkg: Add Protected Variable Services
Min, I prefer not to do this since there are already 28 patches. The line changes are mostly from the .h and .c files, I do not think there is much benefit from moving the .inf files to a different patch. Doing something like that will still leave 5800 lines of changes in this patch. Judah
[edk2-devel] [PATCH v3 26/28] OvmfPkg: Add ProtectedVariableLib reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Gerd Hoffmann Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/Microvm/MicrovmX64.dsc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc index 5b150a959c12..7ab6c8aa94cb 100644 --- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc @@ -1,7 +1,7 @@ ## @file # EFI/Framework Open Virtual Machine Firmware (OVMF) platform # -# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2016 Hewlett Packard Enterprise Development LP # Copyright (c) Microsoft Corporation. # @@ -183,6 +183,7 @@ [LibraryClasses] CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SOURCE_DEBUG_ENABLE) == TRUE PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDebug/PeCoffExtraActionLibDebug.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90380): https://edk2.groups.io/g/devel/message/90380 Mute This Topic: https://groups.io/mt/91640209/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 25/28] OvmfPkg: Add ProtectedVariableLib reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Rebecca Cran Cc: Peter Grehan Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/Bhyve/BhyveX64.dsc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index f0166e136cd1..6a78f6d1b10f 100644 --- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -1,6 +1,6 @@ # # Copyright (c) 2020, Rebecca Cran -# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2016 Hewlett Packard Enterprise Development LP # Copyright (c) 2014, Pluribus Networks, Inc. # @@ -170,6 +170,7 @@ [LibraryClasses] MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90378): https://edk2.groups.io/g/devel/message/90378 Mute This Topic: https://groups.io/mt/91640207/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 27/28] OvmfPkg: Add ProtectedVariable reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Sebastien Boeuf Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/CloudHv/CloudHvX64.dsc | 1 + 1 file changed, 1 insertion(+) diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc index 8a111444f867..003c576092ee 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc @@ -180,6 +180,7 @@ [LibraryClasses] VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SMM_REQUIRE) == FALSE LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf !endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90379): https://edk2.groups.io/g/devel/message/90379 Mute This Topic: https://groups.io/mt/91640208/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 24/28] OvmfPkg: Add ProtectedVariableLib reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Jiewen Yao Cc: Min Xu Cc: Brijesh Singh Cc: Erdem Aktas Cc: James Bottomley Cc: Tom Lendacky Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/AmdSev/AmdSevX64.dsc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc index 6b3827f7f6ed..52c390cde2f0 100644 --- a/OvmfPkg/AmdSev/AmdSevX64.dsc +++ b/OvmfPkg/AmdSev/AmdSevX64.dsc @@ -3,7 +3,7 @@ # virtual machine remote attestation and secret injection # # Copyright (c) 2020 James Bottomley, IBM Corporation. -# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2016 Hewlett Packard Enterprise Development LP # # SPDX-License-Identifier: BSD-2-Clause-Patent @@ -168,6 +168,7 @@ [LibraryClasses] FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf BlobVerifierLib|OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierLibSevHashes.inf MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SOURCE_DEBUG_ENABLE) == TRUE PeCoffExtraActionLib|SourceLevelDebugPkg/Library/PeCoffExtraActionLibDebug/PeCoffExtraActionLibDebug.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90377): https://edk2.groups.io/g/devel/message/90377 Mute This Topic: https://groups.io/mt/91640206/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 22/28] EmulatorPkg: Add ProtectedVariable reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Andrew Fish Cc: Ray Ni Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- EmulatorPkg/EmulatorPkg.dsc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 4cf886b9eac7..5b2a95c73ed3 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -4,7 +4,7 @@ # The Emulation Platform can be used to debug individual modules, prior to creating # a real platform. This also provides an example for how an DSC is created. # -# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # Portions copyright (c) 2010 - 2011, Apple Inc. All rights reserved. # Copyright (c) Microsoft Corporation. # @@ -119,6 +119,7 @@ [LibraryClasses] LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90376): https://edk2.groups.io/g/devel/message/90376 Mute This Topic: https://groups.io/mt/91640205/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 23/28] OvmfPkg: Add ProtectedVariable reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Jordan Justen Cc: Gerd Hoffmann Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/OvmfPkgIa32.dsc| 1 + OvmfPkg/OvmfPkgIa32X64.dsc | 1 + OvmfPkg/OvmfPkgX64.dsc | 1 + OvmfPkg/OvmfXen.dsc| 3 ++- 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index a9841cbfc3ca..3d5368e28ee8 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -178,6 +178,7 @@ [LibraryClasses] LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLibNull.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SMM_REQUIRE) == FALSE LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf !endif diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index f7949780fa38..3d0948062c63 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -182,6 +182,7 @@ [LibraryClasses] LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLibNull.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SMM_REQUIRE) == FALSE LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf !endif diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 1448f925b782..3b79bc8a97aa 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc 
@@ -194,6 +194,7 @@ [LibraryClasses] LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SMM_REQUIRE) == FALSE LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc index 6ba4bd729ae7..593b9f5b3eae 100644 --- a/OvmfPkg/OvmfXen.dsc +++ b/OvmfPkg/OvmfXen.dsc @@ -1,7 +1,7 @@ ## @file # EFI/Framework Open Virtual Machine Firmware (OVMF) platform # -# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2016 Hewlett Packard Enterprise Development LP # Copyright (c) 2019, Citrix Systems, Inc. # Copyright (c) Microsoft Corporation. @@ -219,6 +219,7 @@ [LibraryClasses] Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf RealTimeClockLib|OvmfPkg/Library/XenRealTimeClockLib/XenRealTimeClockLib.inf TimeBaseLib|EmbeddedPkg/Library/TimeBaseLib/TimeBaseLib.inf !ifdef $(DEBUG_ON_HYPERVISOR_CONSOLE) -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90375): https://edk2.groups.io/g/devel/message/90375 Mute This Topic: https://groups.io/mt/91640204/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v3 20/28] ArmVirtPkg: Add reference to ProtectedVariableNull
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Need reference to ProtectVariableNullLib otherwise build fails. Cc: Jian J Wang Cc: Ard Biesheuvel Cc: Leif Lindholm Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- ArmVirtPkg/ArmVirtQemu.dsc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index aa0ce61630f7..cdebd94a9fce 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -1,7 +1,7 @@ # # Copyright (c) 2011-2015, ARM Limited. All rights reserved. # Copyright (c) 2014, Linaro Limited. All rights reserved. -# Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved. +# Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved. # # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -81,6 +81,7 @@ [LibraryClasses.common] PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf PciHostBridgeLib|OvmfPkg/Fdt/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf PciHostBridgeUtilityLib|OvmfPkg/Library/PciHostBridgeUtilityLib/PciHostBridgeUtilityLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(TPM2_ENABLE) == TRUE Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90373): https://edk2.groups.io/g/devel/message/90373 Mute This Topic: https://groups.io/mt/91640202/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
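Review bot: The commit message says the build fails without the mapping added under [LibraryClasses.common], so if the ProtectedVariableLib dependency is introduced by an earlier patch in this series, ArmVirtQemu.dsc does not build at the commits in between. Move the platform DSC updates ahead of the patch that introduces the dependency, or fold the Null mapping into it, so the series stays bisectable. The message also calls the library ProtectVariableNullLib, while the added line references ProtectedVariableLibNull; use the real name.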
[edk2-devel] [PATCH v3 21/28] UefiPayloadPkg: Add ProtectedVariable reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference for ProtectedVariableLib so build is successful. Cc: Jian J Wang Cc: Guo Dong Cc: Ray Ni Cc: Maurice Ma Cc: Benjamin You Cc: Sean Rhodes Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- UefiPayloadPkg/UefiPayloadPkg.dsc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/UefiPayloadPkg/UefiPayloadPkg.dsc b/UefiPayloadPkg/UefiPayloadPkg.dsc index 4d9bbc80c866..dca0970ad61c 100644 --- a/UefiPayloadPkg/UefiPayloadPkg.dsc +++ b/UefiPayloadPkg/UefiPayloadPkg.dsc @@ -263,9 +263,11 @@ [LibraryClasses] AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf !if $(VARIABLE_SUPPORT) == "EMU" TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !elseif $(VARIABLE_SUPPORT) == "SPI" PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf + ProtectedVariableLib|SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf S3BootScriptLib|MdePkg/Library/BaseS3BootScriptLibNull/BaseS3BootScriptLibNull.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf !endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90374): https://edk2.groups.io/g/devel/message/90374 Mute This Topic: https://groups.io/mt/91640203/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
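Review bot: In the VARIABLE_SUPPORT == "SPI" branch the added line maps ProtectedVariableLib to SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf, a non-Null implementation, while the commit message only says the reference is added so the build succeeds. State in the message that SPI payloads switch to the real library, and check that the library classes it depends on are mapped in this DSC, since the hunk adds none. The mapping also exists only inside the EMU and SPI branches, so any other VARIABLE_SUPPORT value gets no ProtectedVariableLib instance; a default Null mapping outside the !if would cover that case.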
[edk2-devel] [PATCH v3 28/28] CryptoPkg: Enable crypto HMAC KDF and AES library
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V3: Fix build issue when DiSABLE_SHA1_DEPRECATED_INTERFACES is defined. Percolate the #ifndef DiSABLE_SHA1_DEPRECATED_INTERFACES to all the Sha1 functions. Replace AllocatePool() with AllocatePages() and FreePool() with FreePages() because FreePool() is not supported in PEI phase. FreePool() does not free the allocated pool in PEI phase causing a memory leak. V1: RPMC confidentiality feature requires HMAC-SHA256 support during SMM phase. This allows the protected variable's data to be encrypted in the SPI flash. PEI phase requires AES. AllocatePool is replaced by AllocatePages because the memory allocated by AllocatePool cannot be freed in PEI phase. This is causing a memory leak error when running this new feature. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 2 +- CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +- CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c | 11 ++- CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 +- 4 files changed, 21 insertions(+), 8 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf index 01de27e03747..40728af37822 100644 --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf @@ -43,7 +43,7 @@ [Sources] Hash/CryptParallelHashNull.c Hmac/CryptHmacSha256.c Kdf/CryptHkdf.c - Cipher/CryptAesNull.c + Cipher/CryptAes.c Pk/CryptRsaBasic.c Pk/CryptRsaExtNull.c Pk/CryptPkcs1OaepNull.c diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf index 91a171509540..706b527338f0 100644 --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf 
@@ -43,7 +43,7 @@ [Sources] Hash/CryptCShake256.c Hash/CryptParallelHash.c Hmac/CryptHmacSha256.c - Kdf/CryptHkdfNull.c + Kdf/CryptHkdf.c Cipher/CryptAes.c Pk/CryptRsaBasic.c Pk/CryptRsaExtNull.c diff --git a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c index b7bed15c18df..d77e1f7de5e3 100644 --- a/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c +++ b/CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c @@ -2,13 +2,14 @@ Base Memory Allocation Routines Wrapper for Crypto library over OpenSSL during PEI & DXE phases. -Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved. +Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include #include +#include // // Extra header to record the memory buffer size from malloc routine. @@ -41,7 +42,7 @@ malloc ( // NewSize = (UINTN)(size) + CRYPTMEM_OVERHEAD; - Data = AllocatePool (NewSize); + Data = AllocatePages (EFI_SIZE_TO_PAGES (NewSize)); if (Data != NULL) { PoolHdr = (CRYPTMEM_HEAD *)Data; // @@ -73,7 +74,7 @@ realloc ( VOID *Data; NewSize = (UINTN)size + CRYPTMEM_OVERHEAD; - Data= AllocatePool (NewSize); + Data= AllocatePages (EFI_SIZE_TO_PAGES (NewSize)); if (Data != NULL) { NewPoolHdr= (CRYPTMEM_HEAD *)Data; NewPoolHdr->Signature = CRYPTMEM_HEAD_SIGNATURE; @@ -90,7 +91,7 @@ realloc ( // Duplicate the buffer content. // CopyMem ((VOID *)(NewPoolHdr + 1), ptr, MIN (OldSize, size)); - FreePool ((VOID *)OldPoolHdr); + FreePages (((VOID *)OldPoolHdr), EFI_SIZE_TO_PAGES (OldSize)); } return (VOID *)(NewPoolHdr + 1); @@ -117,6 +118,6 @@ free ( if (ptr != NULL) { PoolHdr = (CRYPTMEM_HEAD *)ptr - 1; ASSERT (PoolHdr->Signature == CRYPTMEM_HEAD_SIGNATURE); -FreePool (PoolHdr); +FreePages (((VOID *)PoolHdr), EFI_SIZE_TO_PAGES (PoolHdr->Size)); } } 
diff --git a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c index f9796b215865..ede9fa8c09ec 100644 --- a/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c +++ b/CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c @@ -6,7 +6,7 @@ This API, when called, will calculate the Hash using the hashing algorithm specified by PcdHashApiLibPolicy. - Copyright (c) 2020, Intel Corporation. All rights reserved. + Copyright (c) 2020-2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -33,9 +33,11 @@ HashApiGetContextSize ( ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { + #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES case HASH_ALG_SHA1: return Sha1GetContextSize (); break; + #endif case HASH_ALG_SHA256: return Sh
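Review bot: This patch bundles three independent changes under a subject that mentions only the first: the AES and HKDF source swaps in PeiCryptLib.inf and SmmCryptLib.inf, the AllocatePages()/FreePages() conversion in BaseMemAllocation.c, and the SHA-1 guards in BaseHashApiLib.c. Split them so each can be reviewed and reverted on its own. The V1 text also says SMM needs HMAC-SHA256, but Hmac/CryptHmacSha256.c is an unchanged context line in the SmmCryptLib.inf hunk and the line that changes is Kdf/CryptHkdfNull.c to Kdf/CryptHkdf.c, so the message should name HKDF.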
[edk2-devel] [PATCH v3 11/28] SecurityPkg: Update RPMC APIs with index
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Update RPMC APIs with index parameter because sometimes there are more than 1 RPMC counter on the platform. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c index 792e48250e5d..557aeb6abf09 100644 --- a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c +++ b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c @@ -1,7 +1,7 @@ /** @file NULL RpmcLib instance for build purpose. -Copyright (c) 2020, Intel Corporation. All rights reserved. +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -12,6 +12,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent /** Requests the monotonic counter from the designated RPMC counter. + @param[in]CounterIndexThe RPMC index @param[out] CounterValueA pointer to a buffer to store the RPMC value. @retval EFI_SUCCESS The operation completed successfully. @@ -21,6 +22,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent EFI_STATUS EFIAPI RequestMonotonicCounter ( + IN UINT8 CounterIndex, OUT UINT32 *CounterValue ) { @@ -31,6 +33,8 @@ RequestMonotonicCounter ( /** Increments the monotonic counter in the SPI flash device by 1. + @param[in]CounterIndexThe RPMC index + @retval EFI_SUCCESS The operation completed successfully. @retval EFI_DEVICE_ERRORA device error occurred while attempting to update the counter. @retval EFI_UNSUPPORTED The operation is un-supported. 
@@ -38,7 +42,7 @@ RequestMonotonicCounter ( EFI_STATUS EFIAPI IncrementMonotonicCounter ( - VOID + IN UINT8 CounterIndex ) { ASSERT (FALSE); -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90362): https://edk2.groups.io/g/devel/message/90362 Mute This Topic: https://groups.io/mt/91640191/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
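Review bot: RequestMonotonicCounter() and IncrementMonotonicCounter() gain a CounterIndex parameter here, but the diffstat covers only RpmcLibNull.c, so please check that the library class header declaring these functions and every other instance and caller change in the same patch; otherwise the prototypes disagree at this commit. The new @param lines also leave the contract open: state the valid range of CounterIndex and add an @retval (for example EFI_INVALID_PARAMETER) for an index the platform does not have, so that real instances reject out-of-range indexes consistently.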
[edk2-devel] [PATCH v3 16/28] SecurityPkg: Add EncryptionVariable lib with AES
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V3: Change AllocateZeroPool() with AllocatePages() and FreePool() with FreePages(). FreePool() is not supported in PEI phase so this was causing a memory leak. Reverse the order of the FreePages() call. V1: Add encryption/decryption of protected variable functionality. Add functions to get/set cipher data of a protected variable. This is use for supporting confidentiality for protected variables. Cc: Jian J Wang Cc: Jiewen Yao Cc: Min Xu Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf | 43 ++ SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h | 49 ++ SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c | 734 3 files changed, 826 insertions(+) diff --git a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf new file mode 100644 index ..7ece52f2fb58 --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf 
@@ -0,0 +1,43 @@ +## @file +# Provides variable encryption/decryption services. +# +# Copyright (c) 2022, Intel Corporation. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010029 + BASE_NAME = EncryptionVariableLib + FILE_GUID = 459E2CB0-AF4B-4415-B6A1-335E71FD8B85 + MODULE_TYPE= BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = EncryptionVariableLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + EncryptionVariable.c + EncryptionVariable.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib + +[Guids] + gEfiVariableGuid + gEfiAuthenticatedVariableGuid diff --git a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h new file mode 100644 index ..f35f9f9e3ad7 --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h 
@@ -0,0 +1,49 @@ +/** @file + Definitions used by this library implementation. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef ENCRYPTION_VARIABLE_H_ +#define ENCRYPTION_VARIABLE_H_ + +#define ENC_KEY_SEPL":" +#define ENC_KEY_SEP_SIZE 2 +#define ENC_KEY_NAME L"VAR_ENC_KEY" +#define ENC_KEY_NAME_SIZE 22 + +#define ENC_KEY_SIZE(256/8) +#define ENC_BLOCK_SIZE AES_BLOCK_SIZE +#define ENC_IVEC_SIZE ENC_BLOCK_SIZE + +#define ENC_PADDING_BYTE 0x0F + +// +// PKCS#5 padding +// +// #define AES_CIPHER_DATA_SIZE(PlainDataSize) +// (AES_BLOCK_SIZE + (PlainDataSize)) & (~(AES_BLOCK_SIZE - 1)) +// +#define AES_CIPHER_DATA_SIZE(PlainDataSize) ALIGN_VALUE (PlainDataSize, AES_BLOCK_SIZE) + +#define FREE_POOL(Address) \ +if ((Address) != NULL) {\ + FreePool (Address); \ + (Address) = NULL; \ +} + +#pragma pack(1) + +typedef struct { + UINT32DataType; // SYM_TYPE_AES + UINT32HeaderSize; // sizeof(VARIABLE_ENCRYPTION_HEADER) + UINT32PlainDataSize;// Plain data size + UINT32CipherDataSize; // Cipher data size + UINT8 KeyIvec[ENC_IVEC_SIZE]; +} VARIABLE_ENCRYPTION_HEADER; + +#pragma pack() + +#endif // _ENCRYPTION_VARIABLE_H_ diff --git a/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c new file mode 100644 index ..d128b32f93e0 --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c 
@@ -0,0 +1,734 @@ +/** @file + Implementation of EncryptionVariableLib with AES algorithm support. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include +#include +#include +#include +#include + +#include "EncryptionVariable.h" + +/** + Derive encryption key for given variable from variable root key. + + The derivation algorithm is depicted below + +HKDF_Expand(SHA256, RootKey, Name||':'||Guid||':'||Attr||"VAR_ENC_KEY") + + @param[in]VarEncInfoPointer to structure containing detailed + information about a variable. + @param[in]EncKeySizeSize of key requested. + @param[out] EncKeyBuffer of key. + + @retval TRUEThe key was derived su
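Review bot: In EncryptionVariable.h the comment above AES_CIPHER_DATA_SIZE says "PKCS#5 padding", but the active macro is ALIGN_VALUE (PlainDataSize, AES_BLOCK_SIZE), which adds no padding when PlainDataSize is already a multiple of AES_BLOCK_SIZE, and ENC_PADDING_BYTE is a fixed 0x0F rather than the pad length. That is constant-byte padding to the block boundary, not PKCS#5. Because VARIABLE_ENCRYPTION_HEADER carries PlainDataSize the length can still be recovered, but the comment should describe what the code does and the commented-out formula should be dropped. In the same header, FREE_POOL expands to a bare if statement, so an else following a use of the macro binds to the macro's if; wrap the body in do { ... } while (0). ENC_KEY_SEP_SIZE and ENC_KEY_NAME_SIZE are hard-coded byte counts (2 and 22) that go stale if the string literals change; derive them from the literals. The closing guard comment reads _ENCRYPTION_VARIABLE_H_ while the guard itself is ENCRYPTION_VARIABLE_H_.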
[edk2-devel] [PATCH v3 18/28] MdeModulePkg: Reference Null ProtectedVariableLib
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Make reference to new Null ProtectVariableLib. The null ProtectedVariableLib is used by default. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/MdeModulePkg.dsc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc index 90a0a7ec4a7c..1aefd242c83d 100644 --- a/MdeModulePkg/MdeModulePkg.dsc +++ b/MdeModulePkg/MdeModulePkg.dsc @@ -2,7 +2,7 @@ # EFI/PI Reference Module Package for All Architectures # # (C) Copyright 2014 Hewlett-Packard Development Company, L.P. -# Copyright (c) 2007 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2007 - 2022, Intel Corporation. All rights reserved. # Copyright (c) Microsoft Corporation. # #SPDX-License-Identifier: BSD-2-Clause-Patent @@ -104,6 +104,7 @@ [LibraryClasses] VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf [LibraryClasses.EBC.PEIM] IoLib|MdePkg/Library/PeiIoLibCpuIo/PeiIoLibCpuIo.inf 
@@ -317,6 +318,7 @@ [Components] MdeModulePkg/Library/PlatformBootManagerLibNull/PlatformBootManagerLibNull.inf MdeModulePkg/Library/BootLogoLib/BootLogoLib.inf MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf + MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90370): https://edk2.groups.io/g/devel/message/90370 Mute This Topic: https://groups.io/mt/91640199/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
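Review bot: The new [LibraryClasses] line maps ProtectedVariableLib to ProtectedVariableLibNull for every module type with no comment marking it as a Null default; add a short comment so that platform owners copying this DSC know they are getting the Null instance and must override it to get protection. The commit message also calls the library "ProtectVariableLib" while the class added here is ProtectedVariableLib; please use one spelling.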
[edk2-devel] [PATCH v3 19/28] SecurityPkg: Add references to new *.inf files
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add references to the different *ProtectedVariableLib.inf. Also add references to VariableKeyLibNull.inf, EncryptionVariableLibNull.inf, ProtectedVariableNull.inf. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/SecurityPkg.dsc | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index d883747474e4..08777c57a5e9 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -1,7 +1,7 @@ ## @file # Security Module Package for All Architectures. # -# Copyright (c) 2009 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2015-2020 Hewlett Packard Enterprise Development LP # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -66,8 +66,11 @@ [LibraryClasses] TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSystemLibNull.inf + + # These should be Null by default VariableKeyLib|SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf + EncryptionVariableLib|SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf 
@@ -259,8 +262,16 @@ [Components] # # Variable Confidentiality & Integrity # + SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf + SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf + SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf + SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf + SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf + SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf + SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf + SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf # # Other -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90371): https://edk2.groups.io/g/devel/message/90371 Mute This Topic: https://groups.io/mt/91640200/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
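Review bot: The commit message lists ProtectedVariableNull.inf among the references being added, but neither hunk in SecurityPkg.dsc adds a ProtectedVariableLib mapping or a ProtectedVariableLibNull component; the only new [LibraryClasses] entry is EncryptionVariableLibNull. Either add the missing entry or correct the message. In the first hunk, the comment "# These should be Null by default" has no visible end, so it is unclear whether it covers only VariableKeyLib, RpmcLib and EncryptionVariableLib or also the entries that follow; a blank line after the last Null mapping would make the scope explicit.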
[edk2-devel] [PATCH v3 15/28] SecurityPkg: Add VariableKey library function
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Provide function that retrieves the key for protected variables. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf | 36 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c | 59 2 files changed, 95 insertions(+) diff --git a/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf new file mode 100644 index ..f62c80ce9943 --- /dev/null +++ b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf @@ -0,0 +1,36 @@ +## @file +# Provides default implementation of VariableKeyLib. +# +# Copyright (c) 2022, Intel Corporation. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010029 + BASE_NAME = VariableKeyLib + FILE_GUID = 7DF5A0BA-1DBB-4E67-A9F7-9FCCB1F9D250 + MODULE_TYPE= BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = VariableKeyLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 Arm AArch64 +# + +[Sources] + VariableKeyLib.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + +[PpiS] + gKeyServicePpiGuid ## CONSUMES + diff --git a/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c new file mode 100644 index ..31b22782cb0c --- /dev/null +++ b/SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c 
@@ -0,0 +1,59 @@ +/** @file + VariableKeyLib implementation. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include +#include + +#include + +#define VAR_KEY_SALT L"Key for RPMC Variable" +#define VAR_KEY_SALT_SIZE sizeof (VAR_KEY_SALT) + +/** + Retrieves the key for integrity and/or confidentiality of variables. + + @param[out] VariableKey A pointer to pointer for the variable key buffer. + @param[in] VariableKeySize The size in bytes of the variable key. + + @retval EFI_SUCCESS The variable key was returned. + @retval EFI_DEVICE_ERRORAn error occurred while attempting to get the variable key. + @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface. + @retval EFI_UNSUPPORTED The variable key is not supported in the current boot configuration. +**/ +EFI_STATUS +EFIAPI +GetVariableKey ( + OUT VOID *VariableKey, + IN UINTN VariableKeySize + ) +{ + EFI_STATUS Status; + KEY_SERVICE_PPI *KeyService; + + Status = PeiServicesLocatePpi ( + &gKeyServicePpiGuid, + 0, + NULL, + (void **)&KeyService + ); + if (EFI_ERROR (Status)) { +ASSERT_EFI_ERROR (Status); +return Status; + } + + Status = KeyService->GenerateKey ( + (UINT8 *)VAR_KEY_SALT, + VAR_KEY_SALT_SIZE, + VariableKey, + VariableKeySize + ); + return Status; +} -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90367): https://edk2.groups.io/g/devel/message/90367 Mute This Topic: https://groups.io/mt/91640196/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
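Review bot: VariableKeyLib.c calls PeiServicesLocatePpi, but VariableKeyLib.inf lists only BaseLib and DebugLib under [LibraryClasses] and declares MODULE_TYPE = BASE with an unrestricted LIBRARY_CLASS. Add PeiServicesLib to [LibraryClasses] and restrict the instance to PEI module types, since the PPI lookup cannot work elsewhere. In GetVariableKey, VariableKey and VariableKeySize are passed to KeyService->GenerateKey without a NULL or zero-length check, and the @param text still says "A pointer to pointer" although the parameter is now VOID *. VAR_KEY_SALT_SIZE is the sizeof of a 21-character CHAR16 string, 44 bytes including the terminator, which is below SALT_SIZE_MIN_LEN (64) from KeyServicePpi.h in 10/28; if GenerateKey enforces that minimum, this call fails. Smaller points: the section header is spelled [PpiS], and the cast uses void instead of VOID.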
[edk2-devel] [PATCH v3 12/28] SecurityPkg: Add new variable types and functions
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add new variable encryption/decryption function prototypes. Add new variable digest structure. Add new Protected variable function prototypes. Update RPMC APIs to Add an index because there is could more than one counter. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Include/Library/RpmcLib.h| 15 +--- SecurityPkg/Include/Library/VariableKeyLib.h | 37 +++- 2 files changed, 16 insertions(+), 36 deletions(-) diff --git a/SecurityPkg/Include/Library/RpmcLib.h b/SecurityPkg/Include/Library/RpmcLib.h index df4ba34ba8cf..cb71dfcd7e4d 100644 --- a/SecurityPkg/Include/Library/RpmcLib.h +++ b/SecurityPkg/Include/Library/RpmcLib.h @@ -1,19 +1,23 @@ /** @file Public definitions for the Replay Protected Monotonic Counter (RPMC) Library. -Copyright (c) 2020, Intel Corporation. All rights reserved. +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ -#ifndef _RPMC_LIB_H_ -#define _RPMC_LIB_H_ +#ifndef RPMC_LIB_H_ +#define RPMC_LIB_H_ #include +#define RPMC_COUNTER_1 0 +#define RPMC_COUNTER_2 1 + /** Requests the monotonic counter from the designated RPMC counter. + @param[in]CounterIndexThe RPMC index @param[out] CounterValueA pointer to a buffer to store the RPMC value. @retval EFI_SUCCESS The operation completed successfully. @@ -23,12 +27,15 @@ SPDX-License-Identifier: BSD-2-Clause-Patent EFI_STATUS EFIAPI RequestMonotonicCounter ( + IN UINT8 CounterIndex, OUT UINT32 *CounterValue ); /** Increments the monotonic counter in the SPI flash device by 1. + @param[in]CounterIndexThe RPMC index + @retval EFI_SUCCESS The operation completed successfully. @retval EFI_DEVICE_ERRORA device error occurred while attempting to update the counter. @retval EFI_UNSUPPORTED The operation is un-supported. 
@@ -36,7 +43,7 @@ RequestMonotonicCounter ( EFI_STATUS EFIAPI IncrementMonotonicCounter ( - VOID + IN UINT8 CounterIndex ); #endif diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h b/SecurityPkg/Include/Library/VariableKeyLib.h index 561ebad09da2..6076c4d4731b 100644 --- a/SecurityPkg/Include/Library/VariableKeyLib.h +++ b/SecurityPkg/Include/Library/VariableKeyLib.h @@ -1,13 +1,13 @@ /** @file Public definitions for Variable Key Library. -Copyright (c) 2020, Intel Corporation. All rights reserved. +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ -#ifndef _VARIABLE_KEY_LIB_H_ -#define _VARIABLE_KEY_LIB_H_ +#ifndef VARIABLE_KEY_LIB_H_ +#define VARIABLE_KEY_LIB_H_ #include 
@@ -25,35 +25,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent EFI_STATUS EFIAPI GetVariableKey ( - OUT VOID **VariableKey, - IN OUT UINTN *VariableKeySize - ); - -/** - Regenerates the variable key. - - @retval EFI_SUCCESS The variable key was regenerated successfully. - @retval EFI_DEVICE_ERRORAn error occurred while attempting to regenerate the key. - @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface. - @retval EFI_UNSUPPORTED Key regeneration is not supported in the current boot configuration. -**/ -EFI_STATUS -EFIAPI -RegenerateVariableKey ( - VOID - ); - -/** - Locks the regenerate key interface. - - @retval EFI_SUCCESS The key interface was locked successfully. - @retval EFI_UNSUPPORTED Locking the key interface is not supported in the current boot configuration. - @retval Others An error occurred while attempting to lock the key interface. -**/ -EFI_STATUS -EFIAPI -LockVariableKeyInterface ( - VOID + OUT VOID *VariableKey, + IN UINTN VariableKeySize ); #endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90364): https://edk2.groups.io/g/devel/message/90364 Mute This Topic: https://groups.io/mt/91640193/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
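Review bot: The commit message describes new encryption/decryption prototypes, a variable digest structure and Protected variable prototypes, but the diff touches only RpmcLib.h and VariableKeyLib.h; please make the message match the change. In RpmcLib.h, CounterIndex is a UINT8 with only RPMC_COUNTER_1 and RPMC_COUNTER_2 defined, yet neither function documents the valid range or a status for an out-of-range index; add an EFI_INVALID_PARAMETER @retval. In VariableKeyLib.h, GetVariableKey changes from returning a pointer and size to filling a caller-supplied buffer, and RegenerateVariableKey and LockVariableKeyInterface are removed in the same hunk. Existing implementations stop matching the header until 13/28, so the Null library update should be folded into this patch to keep the series bisectable, and the header comment should state that the caller owns the buffer and is expected to clear the key after use.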
[edk2-devel] [PATCH v3 10/28] SecurityPkg: Add new KeyService types and defines
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add new KeyService types and defines. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Include/Ppi/KeyServicePpi.h | 57 1 file changed, 57 insertions(+) diff --git a/SecurityPkg/Include/Ppi/KeyServicePpi.h b/SecurityPkg/Include/Ppi/KeyServicePpi.h new file mode 100644 index ..f126913d2d81 --- /dev/null +++ b/SecurityPkg/Include/Ppi/KeyServicePpi.h 
@@ -0,0 +1,57 @@ +/** @file + Provides Key Services. + +Copyright (c) 2008 - 2018, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +@par Specification Reference: +**/ + +#ifndef PEI_KEY_SERVICE_PPI_H_ +#define PEI_KEY_SERVICE_PPI_H_ +/// +/// KEY SERVICE PPI GUID +/// +extern EFI_GUID gKeyServicePpiGuid; + +/** + Generate a new key from root key. + + @param[in] Salt Pointer to the salt(non-secret) value. + @param[in] SaltSize Salt size in bytes. + @param[out] NewKey Pointer to buffer to receive new key. + @param[in] NewKeySize Size of new key bytes to generate. + + @retval EFI_SUCCESS The function completed successfully + @retval OTHER The function completed with failure. +**/ +typedef +EFI_STATUS +(EFIAPI *KEY_SERVICE_GEN_KEY)( + IN UINT8*Salt, + IN UINTNSaltSize, + OUT UINT8*NewKey, + IN UINTNNewKeySize + ); + +#define KEY_SERVICE_PPI_REVISION 1 +#define ROOT_KEY_LEN 64 +#define SALT_SIZE_MIN_LEN 64 +#define KEY_SERVICE_KEY_NAME L"KEY_SERVICE_KEY" + +typedef struct { + UINT8RootKey[ROOT_KEY_LEN]; + UINT8PreviousRootKey[ROOT_KEY_LEN]; +} KEY_SERVICE_DATA; + +typedef struct _KEY_SERVICE_PPI KEY_SERVICE_PPI; + +/// +/// KEY SERVICE PPI +/// The interface functions are for Key Service in PEI Phase +/// +struct _KEY_SERVICE_PPI { + KEY_SERVICE_GEN_KEYGenerateKey; /// Generate Key +}; + +#endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90363): https://edk2.groups.io/g/devel/message/90363 Mute This Topic: https://groups.io/mt/91640192/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
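Review bot: KEY_SERVICE_PPI_REVISION is defined, but struct _KEY_SERVICE_PPI has no Revision member, so a consumer has nothing to compare it against; add the field or drop the define. SALT_SIZE_MIN_LEN is likewise defined without the GenerateKey comment saying whether a shorter Salt is rejected and with which status, and "@retval OTHER" gives callers nothing to branch on. KEY_SERVICE_DATA exposes RootKey and PreviousRootKey in a public PPI header with no comment on where the structure lives or who may read it; if it is private to the producer, it belongs in the producer's own header. Salt should be CONST, the "@par Specification Reference:" line is empty, and the copyright range 2008 - 2018 looks copied from another file for a header that is new in this patch.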
[edk2-devel] [PATCH v3 13/28] SecurityPkg: Fix GetVariableKey API
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Fix GetVariableKey API to match changes in header files. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c index a08def767b5f..cfbad54ba106 100644 --- a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c +++ b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c @@ -1,7 +1,7 @@ /** @file Null version of VariableKeyLib for build purpose. Don't use it in real product. -Copyright (c) 2020, Intel Corporation. All rights reserved. +Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -22,8 +22,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent EFI_STATUS EFIAPI GetVariableKey ( - OUT VOID **VariableKey, - IN OUT UINTN *VariableKeySize + OUT VOID *VariableKey, + IN UINTN VariableKeySize ) { ASSERT (FALSE); -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90365): https://edk2.groups.io/g/devel/message/90365 Mute This Topic: https://groups.io/mt/91640194/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
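Review bot: This signature change is what lets VariableKeyLibNull.c match the header modified in 12/28, so it should be squashed into that patch rather than follow it. With the new VOID *VariableKey contract the caller supplies the buffer, and the only body line visible in the hunk is ASSERT (FALSE), which is compiled out in release builds; the lines after it are outside the hunk, so please confirm the function returns an error status and that callers cannot go on to use an unfilled key buffer.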
[edk2-devel] [PATCH v3 14/28] SecurityPkg: Add null encryption variable libs
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Provide null ecryption variable libraries. These will be used by default for platforms that don't support protected variable encryption. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf | 38 +++ SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c | 107 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni | 16 +++ 3 files changed, 161 insertions(+) diff --git a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf new file mode 100644 index ..ff5631b336eb --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf @@ -0,0 +1,38 @@ +## @file +# Provides NULL version of encryption variable services. +# +# Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010005 + BASE_NAME = EncryptionVariableLibNull + MODULE_UNI_FILE= EncryptionVariableLib.uni + FILE_GUID = 3972E6FE-74D5-45C3-A9FB-DB9E5E5C9C17 + MODULE_TYPE= BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = EncryptionVariableLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + EncryptionVariable.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + +[Guids] + diff --git a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c new file mode 100644 index ..58a4ae9f4282 --- /dev/null +++ b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c 
@@ -0,0 +1,107 @@ +/** @file + The common variable operation routines shared by DXE_RUNTIME variable + module and DXE_SMM variable module. + + Caution: This module requires additional review when modified. + This driver will have external input - variable data. They may be input in SMM mode. + This external input must be validated carefully to avoid security issue like + buffer overflow, integer overflow. + + VariableServiceGetNextVariableName () and VariableServiceQueryVariableInfo() are external API. + They need check input parameter. + + VariableServiceGetVariable() and VariableServiceSetVariable() are external API + to receive datasize and data buffer. The size should be checked carefully. + + VariableServiceSetVariable() should also check authenticate data to avoid buffer overflow, + integer overflow. It should also check attribute to avoid authentication bypass. + +Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include + +/** + Encrypt variable data. + + Null version. + + @param[in, out] VarEncInfo Pointer to structure containing detailed + information about a variable. + + @retval EFI_UNSUPPORTED Unsupported to encrypt variable. + +**/ +EFI_STATUS +EFIAPI +EncryptVariable ( + IN OUT VARIABLE_ENCRYPTION_INFO *VarEncInfo + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Decrypt variable data. + + Null version. + + @param[in, out] VarEncInfo Pointer to structure containing detailed + information about a variable. + + @retval EFI_UNSUPPORTED Unsupported to encrypt variable. + +**/ +EFI_STATUS +EFIAPI +DecryptVariable ( + IN OUT VARIABLE_ENCRYPTION_INFO *VarEncInfo + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Get cipher information. + + Null version. + + @param[in] VarEncInfo Pointer to structure containing detailed +information about a variable. + + @retval EFI_UNSUPPORTED Unsupported interface. 
+ +**/ +EFI_STATUS +EFIAPI +GetCipherDataInfo ( + IN VARIABLE_ENCRYPTION_INFO *VarEncInfo + ) +{ + return EFI_UNSUPPORTED; +} + +/** + Set cipher information for a variable. + + Null version. + + @param[in] VarEncInfo Pointer to structure containing detailed +information about a variable. + + @retval EFI_UNSUPPORTED If this method is not supported. + +**/ +EFI_STATUS +EFIAPI +SetCipherDataInfo ( + IN VARIABLE_ENCRYPTION_INFO *VarEncInfo + ) +{ + return EFI_UNSUPPORTED; +} diff --git a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni b/SecurityPkg/Library/EncryptionVariableLi
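Review bot: EncryptionVariableLibNull.inf sets MODULE_UNI_FILE = EncryptionVariableLib.uni, but the file added by this patch is EncryptionVariableLibNull.uni; the two names need to match. The file header of EncryptionVariable.c is copied from the variable driver (it describes DXE_RUNTIME and DXE_SMM variable routines and VariableServiceSetVariable input validation) and should be replaced with a description of the Null library. The @retval text for DecryptVariable says "Unsupported to encrypt variable", INF_VERSION is 0x00010005 here while the other new INFs in this series use 0x00010029, and the empty [Guids] section can be removed.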
[edk2-devel] [PATCH v3 06/28] MdeModulePkg: Add new include files
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add EncryptionVariableLib.h for providing encryption and decryption services for protected variables. Add ProtectedVariableLib.h for providing integrity of variables. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/Include/Library/EncryptionVariableLib.h | 165 + MdeModulePkg/Include/Library/ProtectedVariableLib.h | 700 2 files changed, 865 insertions(+) diff --git a/MdeModulePkg/Include/Library/EncryptionVariableLib.h b/MdeModulePkg/Include/Library/EncryptionVariableLib.h new file mode 100644 index ..c7740e659dcf --- /dev/null +++ b/MdeModulePkg/Include/Library/EncryptionVariableLib.h 
@@ -0,0 +1,165 @@ +/** @file + Provides services to encrypt/decrypt variables. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef ENCRYPTION_VARIABLE_LIB_H_ +#define ENCRYPTION_VARIABLE_LIB_H_ + +#include + +#include + +#include + +#define ENC_TYPE_NULL 0 +#define ENC_TYPE_AES TPM_ALG_AES + +typedef struct _VARIABLE_ENCRYPTION_FLAGS { + BOOLEANAuth;// Variable is authenticated or not + BOOLEANDecryptInPlace; // Do decryption in place + BOOLEANProtected; // Variable is protected or not +} VARIABLE_ENCRYPTION_FLAGS; + +typedef struct _VARIABLE_ENCRYPTION_INFO { + AUTH_VARIABLE_INFO Header;// Authenticated varabile header + VARIABLE_HEADER *Buffer; // Pointer to variable buffer + UINT64 StoreIndex;// Variable store index + VOID *PlainData;// Pointer to plain data + UINT32 PlainDataSize; // Size of plain data + VOID *CipherData; // Pointer to cipher data + UINT32 CipherDataSize;// Size of cipher data + UINT32 CipherHeaderSize; // Size of cipher header + UINT32 CipherDataType;// Type of cipher data + VOID *Key; // Pointer to encrypt/decrypt key + UINT32 KeySize; // Size of key + VARIABLE_ENCRYPTION_FLAGSFlags; // Encryption flags +} VARIABLE_ENCRYPTION_INFO; + +/** + Encrypt variable data. + + @param[in, out] VarInfo Pointer to structure containing detailed information about a variable. + + @retval EFI_SUCCESS Function successfully executed. + @retval EFI_INVALID_PARAMETER If ProtectedVarLibContextIn == NULL or ProtectedVarLibContextOut == NULL. + @retval EFI_OUT_OF_RESOURCES Fail to allocate enough resource. + @retval EFI_UNSUPPORTED Unsupported to process authenticated variable. + +**/ +EFI_STATUS +EFIAPI +EncryptVariable ( + IN OUT VARIABLE_ENCRYPTION_INFO *VarInfo + ); + +/** + Decrypt variable data. + + If VarEncInfo->CipherData is not NULL, it must holds the cipher data to be + decrypted. Otherwise, assume the cipher data from variable data buffer, i.e. + VarEncInfo->Header.Data. 
+ + If VarEncInfo->Flags.DecryptInPlace is TRUE, the decrypted data will be put + back in the same buffer as cipher buffer got above, after encryption header, + which helps to identify later if the data in buffer is decrypted or not. This + can avoid repeat decryption when accessing the same variable more than once. + + If VarEncInfo->Flags.DecryptInPlace is FALSE, VarEncInfo->PlainData must be + passed in with a valid buffer with VarEncInfo->PlainDataSize set correctly + with its size. + + Note the VarEncInfo->PlainData is always pointing to the buffer address with + decrypted data without encryption header, and VarEncInfo->PlainDataSize is + always the size of original variable data, if this function returned + successfully. + + @param[in, out] VarInfo Pointer to structure containing detailed + information about a variable. + + @retval EFI_SUCCESS Variable was decrypted successfully. + @retval EFI_INVALID_PARAMETER Variable information in VarEncInfo is invalid. + @retval EFI_BUFFER_TOO_SMALLVarEncInfo->PlainData is not NULL but + VarEncInfo->PlainDataSize is too small. + @retval EFI_ABORTED Uknown error occurred during decrypting. + @retval EFI_OUT_OF_RESOURCESFail to allocate enough resource. + @retval EFI_COMPROMISED_DATAThe cipher header is not valid. + @retval EFI_UNSUPPORTED Unsupported to encrypt variable. + +**/ +EFI_STATUS +EFIAPI +DecryptVariable ( + IN OUT VARIABLE_ENCRYPTION_INFO *VarInfo + ); + +/** + Get cipher information about a variable, including plaindata size, + cipher algorithm type, etc. + + For data passed in with VarEncInfo, + +VarEncInfo->
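Review bot: The prototypes in EncryptionVariableLib.h name the parameter VarInfo, while every description refers to VarEncInfo, and the EFI_INVALID_PARAMETER text for EncryptVariable mentions ProtectedVarLibContextIn and ProtectedVarLibContextOut, which are not parameters of this function. Please align the names and rewrite that @retval. VARIABLE_ENCRYPTION_INFO carries Key and KeySize, but nothing states who allocates the key buffer or who clears it after use; document the ownership. ENC_TYPE_AES is defined as TPM_ALG_AES, which ties this MdeModulePkg header to a TPM algorithm identifier; a library-local value would avoid that dependency. Typos in the comments: "varabile", "Uknown", "must holds".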
[edk2-devel] [PATCH v3 02/28] SecurityPkg: Add new GUIDs for
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 The gEdkiiProtectedVariableGlobalGuid HOB contains the global configuration data structure which is verified in PEI Phase. The gEdkiiMetaDataHmacVariableGuid is used for saving the meta data HMAC variable. The gEdkiiProtectedVariableContextGuid contains the Protected Variable context saved in PEI phase to be used later. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/SecurityPkg.dec | 43 +++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 0ee75efc1a97..fc690d874eed 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -5,7 +5,7 @@ # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library classes) # and libraries instances, which are used for those features. # -# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved. +# Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2015 Hewlett Packard Enterprise Development LP # Copyright (c) Microsoft Corporation. # SPDX-License-Identifier: BSD-2-Clause-Patent 
@@ -221,6 +221,18 @@ [Guids] ## GUID used to specify section with default dbt content gDefaultdbtFileGuid= { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } } + ## Include/Guid/ProtectedVariable.h + # {8EBF379A-F18E-4728-A410-00CF9A65BE91} + gEdkiiProtectedVariableGlobalGuid = { 0x8ebf379a, 0xf18e, 0x4728, { 0xa4, 0x10, 0x0, 0xcf, 0x9a, 0x65, 0xbe, 0x91 } } + + ## Include/Guid/ProtectedVariable.h + # {e3e890ad-5b67-466e-904f-94ca7e9376bb} + gEdkiiMetaDataHmacVariableGuid = {0xe3e890ad, 0x5b67, 0x466e, {0x90, 0x4f, 0x94, 0xca, 0x7e, 0x93, 0x76, 0xbb}} + + ## Include/Guid/ProtectedVariable.h + # {a11a3652-875b-495a-b097-200917580b98} + gEdkiiProtectedVariableContextGuid = {0xa11a3652, 0x875b, 0x495a, {0xb0, 0x97, 0x20, 0x09, 0x17, 0x58, 0x0b, 0x98} } + [Ppis] ## The PPI GUID for that TPM physical presence should be locked. # Include/Ppi/LockPhysicalPresence.h @@ -246,6 +258,10 @@ [Ppis] ## Include/Ppi/Tcg.h gEdkiiTcgPpiGuid = {0x57a13b87, 0x133d, 0x4bf3, { 0xbf, 0xf1, 0x1b, 0xca, 0xc7, 0x17, 0x6c, 0xf1 } } + ## Key Service Ppi + # Include/Ppi/KeyServicePpi.h + gKeyServicePpiGuid = {0x583592f6, 0xEC34, 0x4CED, {0x8E, 0x81, 0xC8, 0xD1, 0x36, 0x93, 0x04, 0x27}} + # # [Error.gEfiSecurityPkgTokenSpaceGuid] # 0x8001 | Invalid value provided. 
@@ -329,6 +345,31 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] gEfiSecurityPkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm|{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}|VOID*|0x00010032 + ## Progress Code for variable integrity check result. + # DEFAULT: (EFI_PERIPHERAL_FIXED_MEDIA | [EFI_STATUS&0xFF]) + # @Prompt Status Code for variable integiry check result + gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeVariableIntegrity|0x0107|UINT32|0x00010033 + + ## Null-terminated Unicode string of the Platform Variable Name + # @Prompt known unprotected variable name + gEfiSecurityPkgTokenSpaceGuid.PcdPlatformVariableName|L""|VOID*|0x00010034 + + ## Guid name to identify Platform Variable Guid + # @Prompt known unprotected variable guid + gEfiSecurityPkgTokenSpaceGuid.PcdPlatformVariableGuid|{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }|VOID*|0x00010035 + + ## Defines Protected Variable Integrity support. + # TRUE - Enable Protected Variable Integrity. + # FALSE - Disable Protected Variable Integrity. + # @Prompt Protected Variable Integrity support. + gEfiSecurityPkgTokenSpaceGuid.PcdProtectedVariableIntegrity|FALSE|BOOLEAN|0x00010036 + + ## Defines Protected Variable Confidentiality support. + # TRUE - Enable Protected Variable Confidentiality. + # FALSE - Disable Protected Variable Confidentiality. + # @Prompt Protected Variable Integrity support. + gEfiSecurityPkgTokenSpaceGuid.PcdProtectedVariableConfidentiality|FALSE|BOOLEAN|0x00010037 + [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] ## Image verification policy for OptionRom. Only following values are valid: # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed. -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. 
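Review bot: In the [PcdsFixedAtBuild, PcdsPatchableInModule] hunk, the @Prompt for PcdProtectedVariableConfidentiality reads "Protected Variable Integrity support", copied from the PCD above it; it should say Confidentiality. The prompt for PcdStatusCodeVariableIntegrity misspells "integrity" as "integiry". PcdPlatformVariableName and PcdPlatformVariableGuid are prompted as a "known unprotected variable", which reads as an exemption from protection; the description should state exactly what is skipped for that variable and, since the section allows PcdsPatchableInModule, whether a binary-patched value is acceptable for such an exemption. In [Ppis], gKeyServicePpiGuid mixes upper- and lower-case hex and lacks the registry-format GUID comment that the new [Guids] entries carry.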
[edk2-devel] [PATCH v3 08/28] MdeModulePkg: Add new Variable functionality
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 V3: Update GetNvVariableStore() to call GetVariableFlashNvStorageInfo() and SafeUint64ToUint32(). V1: Provide new APIs for retrieving variable information. Add new function stubs for retrieving Protected variable information. Cc: Jian J Wang Cc: Liming Gao Cc: Hao A Wu Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/Universal/Variable/Pei/VariablePei.inf | 10 +- MdeModulePkg/Universal/Variable/Pei/Variable.h| 80 +- MdeModulePkg/Universal/Variable/Pei/VariableParsing.h | 309 +++ MdeModulePkg/Universal/Variable/Pei/VariableStore.h | 116 +++ MdeModulePkg/Universal/Variable/Pei/Variable.c| 890 +++--- MdeModulePkg/Universal/Variable/Pei/VariableParsing.c | 941 MdeModulePkg/Universal/Variable/Pei/VariableStore.c | 307 +++ 7 files changed, 1893 insertions(+), 760 deletions(-) diff --git a/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf b/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf index 7264a24bdf71..0945b4dec435 100644 --- a/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf +++ b/MdeModulePkg/Universal/Variable/Pei/VariablePei.inf @@ -3,7 +3,7 @@ # # This module implements ReadOnly Variable Services required by PEIM and installs PEI ReadOnly Varaiable2 PPI. # -# Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -26,6 +26,10 @@ [Defines] [Sources] Variable.c Variable.h + VariableStore.c + VariableStore.h + VariableParsing.c + VariableParsing.h [Packages] MdePkg/MdePkg.dec @@ -41,6 +45,7 @@ [LibraryClasses] PeiServicesLib SafeIntLib VariableFlashInfoLib + ProtectedVariableLib [Guids] ## CONSUMES ## GUID # Variable store header 
@@ -58,7 +63,8 @@ [Guids] gEdkiiFaultTolerantWriteGuid [Ppis] - gEfiPeiReadOnlyVariable2PpiGuid ## PRODUCES + gEfiPeiReadOnlyVariable2PpiGuid## PRODUCES + gEfiPeiVariableStoreDiscoveredPpiGuid ## CONSUMES [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable ## SOMETIMES_CONSUMES diff --git a/MdeModulePkg/Universal/Variable/Pei/Variable.h b/MdeModulePkg/Universal/Variable/Pei/Variable.h index 51effbf79987..8c79ff850b38 100644 --- a/MdeModulePkg/Universal/Variable/Pei/Variable.h +++ b/MdeModulePkg/Universal/Variable/Pei/Variable.h @@ -2,7 +2,7 @@ The internal header file includes the common header files, defines internal structure and functions used by PeiVariable module. -Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved. +Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -22,11 +22,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include #include #include #include #include +#include typedef enum { VariableStoreTypeHob, 
@@ -144,4 +146,80 @@ PeiGetNextVariableName ( IN OUT EFI_GUID*VariableGuid ); +/** + This service retrieves a variable's value using its name and GUID. + + Read the specified variable from the UEFI variable store. If the Data + buffer is too small to hold the contents of the variable, the error + EFI_BUFFER_TOO_SMALL is returned and DataSize is set to the required buffer + size to obtain the data. + + @param This A pointer to this instance of the EFI_PEI_READ_ONLY_VARIABLE2_PPI. + @param VariableName A pointer to a null-terminated string that is the variable's name. + @param VariableGuid A pointer to an EFI_GUID that is the variable's GUID. The combination of +VariableGuid and VariableName must be unique. + @param AttributesIf non-NULL, on return, points to the variable's attributes. + @param DataSize On entry, points to the size in bytes of the Data buffer. +On return, points to the size of the data returned in Data. + @param Data Points to the buffer which will hold the returned variable value. +May be NULL with a zero DataSize in order to determine the size of the buffer needed. + + @retval EFI_SUCCESS The variable was read successfully. + @retval EFI_NOT_FOUND The variable was not found. + @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the resulting data. +DataSize is updated with the size required for +the specified variable. + @retval EFI_INVALID_PARAMETER VariableName, VariableGuid, DataSize or Data is NULL. + @retval EFI_DEVICE_ERROR The variable could not be retrieved because of a device error
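Review bot: the [LibraryClasses] hunk of VariablePei.inf makes ProtectedVariableLib a hard dependency of the PEI variable driver, but the cover letter's patch order only maps that class to the Null instance from patch 18 onward (and in the per-platform DSC patches after it), so any platform that builds VariablePei cannot resolve the class between patch 08 and those patches. Reorder the series so the DSC mappings land before this patch, or fold them in, to keep it bisectable.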
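Review bot: in the Variable.h hunk (@@ -144,4 +146,80) the new function comment contradicts itself about Data: the @param text allows Data to be NULL with a zero DataSize for a size query, while @retval EFI_INVALID_PARAMETER lists "VariableName, VariableGuid, DataSize or Data is NULL" as an error. State the rule once, for example that Data may be NULL only when *DataSize is 0, and make the parameter check in the implementation match it, since callers depend on the EFI_BUFFER_TOO_SMALL path to size their buffer.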
[edk2-devel] [PATCH v3 05/28] MdeModulePkg: Add new ProtectedVariable GUIDs
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 New ProtectVariable GUIDs for passing variable information from PEI phase to SMM phase. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/Include/Guid/ProtectedVariable.h | 22 1 file changed, 22 insertions(+) diff --git a/MdeModulePkg/Include/Guid/ProtectedVariable.h b/MdeModulePkg/Include/Guid/ProtectedVariable.h new file mode 100644 index ..0c6e19e0456b --- /dev/null +++ b/MdeModulePkg/Include/Guid/ProtectedVariable.h @@ -0,0 +1,22 @@ +/** @file + The GUID definitions specific for protected variable services. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef PROTECTED_VARIABLE_H_ +#define PROTECTED_VARIABLE_H_ + +#define EDKII_PROTECTED_VARIABLE_GLOBAL_GUID \ + { 0x8ebf379a, 0xf18e, 0x4728, { 0xa4, 0x10, 0x0, 0xcf, 0x9a, 0x65, 0xbe, 0x91 } } + +#define EDKII_METADATA_HMAC_VARIABLE_GUID \ + { 0xb54cda50, 0xec54, 0x4b20, { 0x85, 0xb4, 0x57, 0xbf, 0x52, 0x98, 0x68, 0x3d } } + +extern EFI_GUID gEdkiiProtectedVariableGlobalGuid; +extern EFI_GUID gEdkiiMetaDataHmacVariableGuid; +extern EFI_GUID gEdkiiProtectedVariableContextGuid; + +#endif // __PROTECTED_VARIABLE_H__ -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90356): https://edk2.groups.io/g/devel/message/90356 Mute This Topic: https://groups.io/mt/91640185/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
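Review bot: ProtectedVariable.h declares extern EFI_GUID gEdkiiProtectedVariableContextGuid but defines no value macro for it (only EDKII_PROTECTED_VARIABLE_GLOBAL_GUID and EDKII_METADATA_HMAC_VARIABLE_GUID are present), and the patch touches no .dec file, so nothing visible here gives any of the three gEdkii symbols a value. Add the missing macro and the .dec declarations in this patch, or drop the extern until it has a user. The closing comment "#endif // __PROTECTED_VARIABLE_H__" should also name the guard that was actually opened, PROTECTED_VARIABLE_H_.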
[edk2-devel] [PATCH v3 07/28] MdeModulePkg: Add Null ProtectedVariable Library
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add Null versions of the ProtectedVariable Library. This will be the default libraries for platforms that do not support ProtectedVariable. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf | 34 ++ MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c | 449 2 files changed, 483 insertions(+) diff --git a/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf new file mode 100644 index ..6a17191c4e1e --- /dev/null +++ b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf @@ -0,0 +1,34 @@ +## @file +# Provides null version of protected variable services. +# +# Copyright (c) 2022, Intel Corporation. All rights reserved. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION= 0x00010029 + BASE_NAME = ProtectedVariableLibNull + FILE_GUID = 352C6A1B-403A-4E37-8517-FAA50BC45251 + MODULE_TYPE= BASE + VERSION_STRING = 0.1 + LIBRARY_CLASS = ProtectedVariableLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 +# + +[Sources] + ProtectedVariable.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + diff --git a/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c new file mode 100644 index ..cc1e16c1a671 --- /dev/null +++ b/MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c 
@@ -0,0 +1,449 @@ +/** @file + NULL version of ProtectedVariableLib used to disable protected variable services. + +Copyright (c) 2022, Intel Corporation. All rights reserved. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include + +#include +#include +#include + +/** + + Initialization for protected varibale services. + + @param[in] ContextIn Pointer to variable service context needed by + protected variable. + + @retval EFI_UNSUPPORTED Unsupported to process protected variable. + +**/ +EFI_STATUS +EFIAPI +ProtectedVariableLibInitialize ( + IN PROTECTED_VARIABLE_CONTEXT_IN *ContextIn + ) +{ + return EFI_UNSUPPORTED; +} + +/** + + Get a verified copy of NV variable storage. + + @param[out] VariableFvHeader Pointer to the header of whole NV firmware volume. + @param[out] VariableStoreHeader Pointer to the header of variable storage. + + @retval EFI_UNSUPPORTED Unsupported to process protected variable. + +**/ +EFI_STATUS +EFIAPI +ProtectedVariableLibGetStore ( + OUT EFI_FIRMWARE_VOLUME_HEADER **VariableFvHeader, + OUT VARIABLE_STORE_HEADER **VariableStoreHeader + ) +{ + return EFI_UNSUPPORTED; +} + +/** + + Prepare for variable update. + + @retval EFI_UNSUPPORTED Unsupported to process protected variable. + +**/ +EFI_STATUS +EFIAPI +ProtectedVariableLibWriteInit ( + VOID + ) +{ + return EFI_UNSUPPORTED; +} + +/** + + Update a variable with protection provided by this library. + + @param[in,out] CurrVariableVariable to be updated. It's NULL if + adding a new variable. + @param[in] CurrVariableInDel In-delete-transiion copy of updating variable. + @param[in,out] NewVariable Buffer of new variable data. + Buffer of "MetaDataHmacVar" and new + variable (encrypted). + @param[in,out] NewVariableSize Size of NewVariable. + Size of (encrypted) NewVariable and + "MetaDataHmacVar". + + @retval EFI_UNSUPPORTED Unsupported to process protected variable. 
+ +**/ +EFI_STATUS +EFIAPI +ProtectedVariableLibUpdate ( + IN OUT VARIABLE_HEADER *CurrVariable, + IN VARIABLE_HEADER *CurrVariableInDel, + IN OUT VARIABLE_HEADER *NewVariable, + IN OUT UINTN*NewVariableSize + ) +{ + return EFI_UNSUPPORTED; +} + +/** + + Finalize a variable updating after it's written to NV variable storage + successfully. + + @param[in] NewVariable Buffer of new variables and MetaDataHmacVar. + @param[in] VariableSize Size of buffer pointed by NewVariable. + @param[in] StoreIndexNew index of the variable in store. + + @retval EFI_UNSUPPORTED Unsupported to process protected variab
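Review bot: the "# VALID_ARCHITECTURES = IA32 X64" comment in ProtectedVariableLibNull.inf does not match how the series uses this instance: the cover letter maps it in ArmVirtPkg/ArmVirtQemu.dsc, and a MODULE_TYPE = BASE library whose functions only return a status has nothing architecture specific in it. List the other architectures as well or remove the comment.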
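Review bot: ProtectedVariableLibGetStore() in ProtectedVariable.c returns EFI_UNSUPPORTED without touching its OUT parameters, so *VariableFvHeader and *VariableStoreHeader keep whatever the caller passed in; either set both to NULL before returning or document in the function comment that they are undefined on error. Because this instance is the default for platforms without protection, the comments should also say that callers are expected to treat EFI_UNSUPPORTED as "protection not present" and continue on the unprotected path. Typos to fix in the same file: "varibale" and "In-delete-transiion".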
[edk2-devel] [PATCH v3 03/28] MdeModulePkg: Update AUTH_VARIABLE_INFO struct
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Added NameSize and State to AUTH_VARIABLE_INFO struct. The size of the name and state is needed when creating the variable digest. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/Include/Library/AuthVariableLib.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Include/Library/AuthVariableLib.h b/MdeModulePkg/Include/Library/AuthVariableLib.h index 37aceba699e6..32391bbf2b61 100644 --- a/MdeModulePkg/Include/Library/AuthVariableLib.h +++ b/MdeModulePkg/Include/Library/AuthVariableLib.h @@ -1,7 +1,7 @@ /** @file Provides services to initialize and process authenticated variables. -Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved. +Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -25,9 +25,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData))) typedef struct { + UINTN NameSize; CHAR16 *VariableName; EFI_GUID*VendorGuid; UINT32 Attributes; + UINT8 State; UINTN DataSize; VOID*Data; UINT32 PubKeyIndex; -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90354): https://edk2.groups.io/g/devel/message/90354 Mute This Topic: https://groups.io/mt/91640183/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
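Review bot: the two new members of AUTH_VARIABLE_INFO are undocumented, and for NameSize the unit matters: the commit message says it feeds the variable digest, so the header should state whether it counts bytes or CHAR16 characters and whether the terminating NULL is included, otherwise producer and verifier can hash different lengths for the same name. State likewise needs a comment saying which values it carries. Separately, placing NameSize first and State in the middle shifts every existing member, so positional initializers and any code built against the old layout will be wrong without a compile error; append the new fields at the end or confirm that all users in the tree fill the structure by member name.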
[edk2-devel] [PATCH v3 01/28] MdeModulePkg: Add new GUID for Variable Store Info
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Discover if Variable Store Info HOB has been published by platform driver. It contains information in regards to HOB or NV Variable Store availability Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdeModulePkg/MdeModulePkg.dec | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index 2bcb9f9453af..5c1dda004808 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec @@ -4,7 +4,7 @@ # and libraries instances, which are used for those modules. # # Copyright (c) 2019, NVIDIA CORPORATION. All rights reserved. -# Copyright (c) 2007 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2007 - 2022, Intel Corporation. All rights reserved. # Copyright (c) 2016, Linaro Ltd. All rights reserved. # (C) Copyright 2016 - 2019 Hewlett Packard Enterprise Development LP # Copyright (c) 2017, AMD Incorporated. All rights reserved. @@ -93,6 +93,14 @@ [LibraryClasses] # TpmMeasurementLib|Include/Library/TpmMeasurementLib.h + ## @libraryclass Provides interfaces to encrypt/decrypt variable. + # + EncryptionVariableLib|Include/Library/EncryptionVariableLib.h + + ## @libraryclass Provides interfaces to encrypt/decrypt variable. + # + ProtectedVariableLib|Include/Library/ProtectedVariableLib.h + ## @libraryclass Provides authenticated variable services. # AuthVariableLib|Include/Library/AuthVariableLib.h 
@@ -513,6 +521,9 @@ [Ppis] gEdkiiPeiCapsuleOnDiskPpiGuid = { 0x71a9ea61, 0x5a35, 0x4a5d, { 0xac, 0xef, 0x9c, 0xf8, 0x6d, 0x6d, 0x67, 0xe0 } } gEdkiiPeiBootInCapsuleOnDiskModePpiGuid = { 0xb08a11e4, 0xe2b7, 0x4b75, { 0xb5, 0x15, 0xaf, 0x61, 0x6, 0x68, 0xbf, 0xd1 } } + ## Include/Ppi/ReadOnlyVariable2.h + gEfiPeiVariableStoreDiscoveredPpiGuid = { 0xa2fc038d, 0xfdf5, 0x4501, { 0xaf, 0x8e, 0x69, 0xb0, 0x20, 0xec, 0xe6, 0x63 } } + [Protocols] ## Load File protocol provides capability to load and unload EFI image into memory and execute it. # Include/Protocol/LoadPe32Image.h -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90352): https://edk2.groups.io/g/devel/message/90352 Mute This Topic: https://groups.io/mt/91640181/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
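Review bot: in the [LibraryClasses] hunk both new entries carry the same description, "Provides interfaces to encrypt/decrypt variable."; the ProtectedVariableLib comment looks copied from EncryptionVariableLib and should describe what that class provides. The two headers it points at, Include/Library/EncryptionVariableLib.h and Include/Library/ProtectedVariableLib.h, are not added by this patch (1 file changed; the cover letter lists "Add new include files" as patch 06), so declare the classes in the patch that adds the headers. The commit message mentions neither library class.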
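Review bot: in the [Ppis] hunk the new GUID is named gEfiPeiVariableStoreDiscoveredPpiGuid while the neighbouring MdeModulePkg entries in the same section use the gEdkii prefix (gEdkiiPeiCapsuleOnDiskPpiGuid, gEdkiiPeiBootInCapsuleOnDiskModePpiGuid); unless this PPI comes from a published specification it should follow that naming. The commit message also describes a "Variable Store Info HOB", but what the hunk adds is a PPI GUID; say which it is and who installs it.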
[edk2-devel] [PATCH v3 04/28] MdeModulePkg: Add reference to new Ppi Guid
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to gEfiPeiVariableStoreDiscoveredPpiGuid which contains information whether variable store is available. Cc: Jian J Wang Cc: Liming Gao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- MdePkg/Include/Ppi/ReadOnlyVariable2.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/MdePkg/Include/Ppi/ReadOnlyVariable2.h b/MdePkg/Include/Ppi/ReadOnlyVariable2.h index 926c0bc82a43..c5a8470565bb 100644 --- a/MdePkg/Include/Ppi/ReadOnlyVariable2.h +++ b/MdePkg/Include/Ppi/ReadOnlyVariable2.h @@ -2,7 +2,7 @@ This file declares Read-only Variable Service2 PPI. This ppi permits read-only access to the UEFI variable store during the PEI phase. -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved. +Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent @par Revision Reference: @@ -106,4 +106,6 @@ struct _EFI_PEI_READ_ONLY_VARIABLE2_PPI { extern EFI_GUID gEfiPeiReadOnlyVariable2PpiGuid; +extern EFI_GUID gEfiPeiVariableStoreDiscoveredPpiGuid; + #endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90355): https://edk2.groups.io/g/devel/message/90355 Mute This Topic: https://groups.io/mt/91640184/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
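Review bot: the added "extern EFI_GUID gEfiPeiVariableStoreDiscoveredPpiGuid;" puts a declaration into an MdePkg header for a GUID whose value patch 01 of this series defines in MdeModulePkg/MdeModulePkg.dec, so a module that lists only MdePkg/MdePkg.dec and includes Ppi/ReadOnlyVariable2.h sees a symbol that MdePkg cannot supply. Move the declaration to a header under MdeModulePkg/Include, next to where the GUID is defined, and correct the subject prefix, which says MdeModulePkg although the file changed is in MdePkg.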
[edk2-devel] [PATCH v3 00/28] UEFI variable protection
For a more detailed description of the UEFI variable protected feature you can view the Readme.md located at the following location: https://github.com/judahvang/edk2/tree/rpmc-update

Patch 08 - Update GetNvVariableStore() to call GetVariableFlashNvStorageInfo() and SafeUint64ToUint32().

Patch 09 - Fix 'NextVariableStore' parameter for CopyMem. It was causing an exception. Need to correctly cast 'NextVariableStore' so all platforms build. Add code to initialize 'ContextIn' structure in SmmVariableReady() to fix issue with NULL function pointer.

Patch 16 - Change AllocateZeroPool() with AllocatePages() and FreePool() with FreePages(). FreePool() is not supported in PEI phase so this was causing a memory leak. Reverse the order of the FreePages() call.

Patch 17 - Change placement of buffer used for confidentiality crypto operation to fix an issue when enabling confidentiality. Remove unneeded increment of monotonic counter.

Patch 28 - Fix build issue when DISABLE_SHA1_DEPRECATED_INTERFACES is defined. Percolate the #ifndef DISABLE_SHA1_DEPRECATED_INTERFACES to all the Sha1 functions. Replace AllocatePool() with AllocatePages() and FreePool() with FreePages() because FreePool() is not supported in PEI phase. FreePool() does not free the allocated pool in PEI phase causing a memory leak.
Judah Vang (28):
  MdeModulePkg: Add new GUID for Variable Store Info
  SecurityPkg: Add new GUIDs for
  MdeModulePkg: Update AUTH_VARIABLE_INFO struct
  MdeModulePkg: Add reference to new Ppi Guid
  MdeModulePkg: Add new ProtectedVariable GUIDs
  MdeModulePkg: Add new include files
  MdeModulePkg: Add Null ProtectedVariable Library
  MdeModulePkg: Add new Variable functionality
  MdeModulePkg: Add support for Protected Variables
  SecurityPkg: Add new KeyService types and defines
  SecurityPkg: Update RPMC APIs with index
  SecurityPkg: Add new variable types and functions
  SecurityPkg: Fix GetVariableKey API
  SecurityPkg: Add null encryption variable libs
  SecurityPkg: Add VariableKey library function
  SecurityPkg: Add EncryptionVariable lib with AES
  SecurityPkg: Add Protected Variable Services
  MdeModulePkg: Reference Null ProtectedVariableLib
  SecurityPkg: Add references to new *.inf files
  ArmVirtPkg: Add reference to ProtectedVariableNull
  UefiPayloadPkg: Add ProtectedVariable reference
  EmulatorPkg: Add ProtectedVariable reference
  OvmfPkg: Add ProtectedVariable reference
  OvmfPkg: Add ProtectedVariableLib reference
  OvmfPkg: Add ProtectedVariableLib reference
  OvmfPkg: Add ProtectedVariableLib reference
  OvmfPkg: Add ProtectedVariable reference
  CryptoPkg: Enable cypto HMAC KDF and AES library

 MdeModulePkg/MdeModulePkg.dec | 13 +-
 SecurityPkg/SecurityPkg.dec | 43 +-
 ArmVirtPkg/ArmVirtQemu.dsc | 3 +-
 EmulatorPkg/EmulatorPkg.dsc | 3 +-
 MdeModulePkg/MdeModulePkg.dsc | 4 +-
 OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +-
 OvmfPkg/Bhyve/BhyveX64.dsc | 3 +-
 OvmfPkg/CloudHv/CloudHvX64.dsc | 1 +
 OvmfPkg/Microvm/MicrovmX64.dsc | 3 +-
 OvmfPkg/OvmfPkgIa32.dsc | 1 +
 OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
 OvmfPkg/OvmfPkgX64.dsc | 1 +
 OvmfPkg/OvmfXen.dsc | 3 +-
 SecurityPkg/SecurityPkg.dsc | 13 +-
 UefiPayloadPkg/UefiPayloadPkg.dsc | 2 +
 CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 2 +-
 CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +-
 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf | 34 +
 MdeModulePkg/Universal/Variable/Pei/VariablePei.inf | 10 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 3 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 3 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 4 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 3 +-
 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf | 43 +
 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf | 38 +
 SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf | 64 +
 SecurityPk
[edk2-devel] [Patch v2 28/28] CryptoPkg: Enable cypto HMAC KDF library
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 RPMC confidentiality feature requires HMAC-SHA256 support during SMM phase. This allows the protected variable's data to be encrypted in the SPI flash. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf index ae75bc87b5e5..28ad0bf0816d 100644 --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf @@ -43,7 +43,7 @@ [Sources] Hash/CryptCShake256.c Hash/CryptParallelHash.c Hmac/CryptHmacSha256.c - Kdf/CryptHkdfNull.c + Kdf/CryptHkdf.c Cipher/CryptAes.c Pk/CryptRsaBasic.c Pk/CryptRsaExtNull.c -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#89446): https://edk2.groups.io/g/devel/message/89446 Mute This Topic: https://groups.io/mt/90781918/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
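Review bot: the commit message does not describe the one-line change in [Sources]: it justifies the patch with HMAC-SHA256 support in SMM, yet Hmac/CryptHmacSha256.c is already present as an unchanged context line, and what the hunk changes is Kdf/CryptHkdfNull.c to Kdf/CryptHkdf.c. Reword the message to say that HKDF is being enabled in SmmCryptLib and name the SMM consumer that needs it, so reviewers can judge whether the extra code in the SMM image is warranted. The subject also has "cypto" for "crypto".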
[edk2-devel] [Patch v2 25/28] OvmfPkg: Add ProtectedVariableLib reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Rebecca Cran Cc: Peter Grehan Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/Bhyve/BhyveX64.dsc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index a8fa4d38ab60..5b36dc2358bb 100644 --- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -1,6 +1,6 @@ # # Copyright (c) 2020, Rebecca Cran -# Copyright (c) 2006 - 2021, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2022, Intel Corporation. All rights reserved. # (C) Copyright 2016 Hewlett Packard Enterprise Development LP # Copyright (c) 2014, Pluribus Networks, Inc. # @@ -171,6 +171,7 @@ [LibraryClasses] MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf MemEncryptTdxLib|OvmfPkg/Library/BaseMemEncryptTdxLib/BaseMemEncryptTdxLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#89444): https://edk2.groups.io/g/devel/message/89444 Mute This Topic: https://groups.io/mt/90781916/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
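Review bot: the subject "OvmfPkg: Add ProtectedVariableLib reference" does not say which platform is touched, and the cover letter shortlog shows the same subject on three consecutive patches, which makes the log hard to read and to bisect. Name the platform in the prefix, for example "OvmfPkg/Bhyve:", and have the commit message say that the mapping in [LibraryClasses] selects ProtectedVariableLibNull, so variable protection stays disabled on this platform.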
[edk2-devel] [Patch v2 27/28] OvmfPkg: Add ProtectedVariable reference
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 Add reference to null ProtectedVariableLib. Cc: Jian J Wang Cc: Sebastien Boeuf Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- OvmfPkg/CloudHv/CloudHvX64.dsc | 1 + 1 file changed, 1 insertion(+) diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc index d1c85f60c768..3ec7e860c613 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc @@ -180,6 +180,7 @@ [LibraryClasses] VirtioLib|OvmfPkg/Library/VirtioLib/VirtioLib.inf LoadLinuxLib|OvmfPkg/Library/LoadLinuxLib/LoadLinuxLib.inf MemEncryptSevLib|OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf + ProtectedVariableLib|MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf !if $(SMM_REQUIRE) == FALSE LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf !endif -- 2.35.1.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#89443): https://edk2.groups.io/g/devel/message/89443 Mute This Topic: https://groups.io/mt/90781915/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-