Reviewed-by: [email protected]
> -----Original Message----- > From: edk2-devel [mailto:[email protected]] On Behalf Of Zhang, > Chao B > Sent: Thursday, January 19, 2017 1:14 PM > To: [email protected] > Cc: Zhang, Chao B <[email protected]>; Yao, Jiewen > <[email protected]>; Zeng, Star <[email protected]>; > [email protected] > Subject: [edk2] [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update > PCR[7] measure logic > > Update PCR[7] measure logic according to TCG PC Client PFP 00.37. > Only entries in DB that is used for image authentication need to be > measured. > http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific > _Platform_Profile_for_TPM_2p0_Systems_v21.pdf > > Cc: Star Zeng <[email protected]> > Cc: Yao Jiewen <[email protected]> > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Chao Zhang <[email protected]> > --- > .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 10 > +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > diff --git > a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > index 7b7e6af..e28e106 100644 > --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c > @@ -12,7 +12,7 @@ > DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() > function will accept > untrusted PE/COFF image and validate its data structure within this image > buffer before use. > > -Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR> > +Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR> > (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR> > This program and the accompanying materials > are licensed and made available under the terms and conditions of the BSD > License 
> @@ -1026,7 +1026,12 @@ IsSignatureFoundInDatabase ( > // Find the signature in database. > // > IsFound = TRUE; > - SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, > CertList->SignatureSize, Cert); > + // > + // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to > validate image should be measured > + // > + if (StrCmp(VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) { > + SecureBootHook (VariableName, > &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert); > + } > break; > } > > @@ -1309,7 +1314,6 @@ IsForbiddenByDbx ( > mImageDigestSize > ); > if (IsForbidden) { > - SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1, > &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, CertData); > DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed > but signature is forbidden by DBX.\n")); > goto Done; > } > -- > 1.9.5.msysgit.1 > > _______________________________________________ > edk2-devel mailing list > [email protected] > https://lists.01.org/mailman/listinfo/edk2-devel
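Review bot: in the IsSignatureFoundInDatabase hunk (@@ -1026), the added comment refers to UEFI_IMAGE_SECURITY_DATABASE while the condition on the next line compares against EFI_IMAGE_SECURITY_DATABASE. The comment should use the macro name the code uses, so that a search for the identifier finds both. In the same added line, `StrCmp(VariableName, ...)` is missing the space before the opening parenthesis that the neighbouring calls use (`SecureBootHook (`); it should read `StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0`.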
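Review bot: in the IsForbiddenByDbx hunk (@@ -1309), the SecureBootHook call for EFI_IMAGE_SECURITY_DATABASE1 is removed from the `if (IsForbidden)` branch and nothing is left in its place to record that a dbx match is deliberately not measured. A short comment in that branch, stating that only db entries used for image authentication are measured into PCR[7] (as the commit message says), would document the intent and keep the call from being reintroduced later.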

