Update PCR[7] measure logic according to TCG PC Client PFP 00.37.
Only entries in DB that is used for image authentication need to be
measured.
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf
Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept\r
untrusted PE/COFF image and validate its data structure within this image buffer before use.\r
\r
DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function will accept\r
untrusted PE/COFF image and validate its data structure within this image buffer before use.\r
\r
-Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>\r
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
// Find the signature in database.\r
//\r
IsFound = TRUE;\r
// Find the signature in database.\r
//\r
IsFound = TRUE;\r
- SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert);\r
+ //\r
+ // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to validate image should be measured\r
+ //\r
+ if (StrCmp(VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) {\r
+ SecureBootHook (VariableName, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, Cert);\r
+ }\r
mImageDigestSize\r
);\r
if (IsForbidden) {\r
mImageDigestSize\r
);\r
if (IsForbidden) {\r
- SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, CertList->SignatureSize, CertData);\r
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is forbidden by DBX.\n"));\r
goto Done;\r
}\r
DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but signature is forbidden by DBX.\n"));\r
goto Done;\r
}\r