2018-09-13 16:11:07 -07:00
|
|
|
/** @file
|
|
|
|
|
Secure boot library routines to provide hash verification.
|
|
|
|
|
|
|
|
|
|
Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
|
2019-06-12 18:01:09 -07:00
|
|
|
SPDX-License-Identifier: BSD-2-Clause-Patent
|
2018-09-13 16:11:07 -07:00
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
|
|
|
|
|
#include <Library/DebugLib.h>
|
|
|
|
|
#include <Library/BaseLib.h>
|
|
|
|
|
#include <Library/BaseMemoryLib.h>
|
|
|
|
|
#include <Library/CryptoLib.h>
|
|
|
|
|
#include <Library/SecureBootLib.h>
|
|
|
|
|
#include <Library/BootloaderCommonLib.h>
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
Verify data block hash with the built-in one.
|
|
|
|
|
|
2019-07-29 14:44:33 -07:00
|
|
|
@param[in] Data Data buffer pointer.
|
|
|
|
|
@param[in] Length Data buffer size.
|
|
|
|
|
@param[in] HashAlg Specify hash algrothsm.
|
|
|
|
|
@param[in] ComponentType Component type.
|
|
|
|
|
@param[in,out] Hash On input, expected hash value when ComponentType is not used.
|
|
|
|
|
On output, calculated hash value when verification succeeds.
|
2018-09-13 16:11:07 -07:00
|
|
|
|
|
|
|
|
@retval RETURN_SUCCESS Hash verification succeeded.
|
2019-07-29 14:44:33 -07:00
|
|
|
@retval RETRUN_INVALID_PARAMETER Hash parameter is not valid.
|
2018-09-13 16:11:07 -07:00
|
|
|
@retval RETURN_NOT_FOUND Hash data for ComponentType is not found.
|
|
|
|
|
@retval RETURN_UNSUPPORTED Hash component type is not supported.
|
|
|
|
|
@retval RETURN_SECURITY_VIOLATION Hash verification failed.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
RETURN_STATUS
|
|
|
|
|
DoHashVerify (
|
|
|
|
|
IN CONST UINT8 *Data,
|
|
|
|
|
IN UINT32 Length,
|
2019-07-29 14:44:33 -07:00
|
|
|
IN UINT8 HashAlg,
|
|
|
|
|
IN UINT8 ComponentType,
|
|
|
|
|
IN OUT UINT8 *Hash
|
2018-09-13 16:11:07 -07:00
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
RETURN_STATUS Status;
|
|
|
|
|
UINT8 Digest[SHA256_DIGEST_SIZE];
|
2019-07-29 14:44:33 -07:00
|
|
|
CONST UINT8 *HashData;
|
2018-09-13 16:11:07 -07:00
|
|
|
|
2019-07-29 14:44:33 -07:00
|
|
|
if (HashAlg != HASH_TYPE_SHA256) {
|
|
|
|
|
return RETURN_UNSUPPORTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get expected hash to compare with
|
|
|
|
|
if (ComponentType >= COMP_TYPE_INVALID) {
|
|
|
|
|
HashData = Hash;
|
|
|
|
|
} else {
|
|
|
|
|
Status = GetComponentHash (ComponentType, &HashData);
|
|
|
|
|
if (RETURN_ERROR (Status)) {
|
|
|
|
|
DEBUG ((DEBUG_ERROR, "Warning: Component (%d) verification is bypassed.\n", ComponentType));
|
|
|
|
|
return Status;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (HashData == NULL) {
|
|
|
|
|
return RETURN_INVALID_PARAMETER;
|
2018-09-13 16:11:07 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Sha256 (Data, Length, Digest);
|
2019-07-29 14:44:33 -07:00
|
|
|
if (CompareMem (HashData, (VOID *)Digest, SHA256_DIGEST_SIZE)) {
|
2018-09-13 16:11:07 -07:00
|
|
|
Status = RETURN_SECURITY_VIOLATION;
|
|
|
|
|
|
|
|
|
|
DEBUG ((DEBUG_ERROR, "Hash check fail for component type (%d)\n", ComponentType));
|
|
|
|
|
|
|
|
|
|
DEBUG_CODE_BEGIN();
|
|
|
|
|
|
|
|
|
|
DEBUG ((DEBUG_INFO, "First 32Bytes Input Data\n"));
|
|
|
|
|
DumpHex (2, 0, SHA256_DIGEST_SIZE, (VOID *)Data);
|
|
|
|
|
|
|
|
|
|
DEBUG ((DEBUG_INFO, "Last 32Bytes Input Data\n"));
|
|
|
|
|
DumpHex (2, 0, SHA256_DIGEST_SIZE, (VOID *) (Data + Length - 32));
|
|
|
|
|
|
|
|
|
|
DEBUG ((DEBUG_INFO, "Image Digest\n"));
|
|
|
|
|
DumpHex (2, 0, SHA256_DIGEST_SIZE, (VOID *)Digest);
|
|
|
|
|
|
2018-11-09 16:05:42 -08:00
|
|
|
DEBUG ((DEBUG_INFO, "HashStore Digest\n"));
|
2019-07-29 14:44:33 -07:00
|
|
|
DumpHex (2, 0, SHA256_DIGEST_SIZE, (VOID *)HashData);
|
2018-09-13 16:11:07 -07:00
|
|
|
|
|
|
|
|
DEBUG_CODE_END();
|
|
|
|
|
|
|
|
|
|
} else {
|
2019-07-29 14:44:33 -07:00
|
|
|
if ((Hash != NULL) && (HashData != Hash)) {
|
|
|
|
|
CopyMem (Hash, Digest, sizeof(Digest));
|
|
|
|
|
}
|
2018-09-13 16:11:07 -07:00
|
|
|
Status = RETURN_SUCCESS;
|
|
|
|
|
DEBUG ((DEBUG_INFO, "HASH Verification Success! Component Type (%d)\n", ComponentType));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return Status;
|
|
|
|
|
}
|
