SecurityPkg: Fix potential bug in Security Boot dxe.

v2: update hash value in SecureBootConfig.vfr to keep
them consistent with macro definition in SecureBootConfigImpl.h

since we removed the sha-1 definition in Hash table
and related macro, but the macro definition HashAlg index
may be value 4 which is exceed the range of the Hash
table array.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo <lubo.zhang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index 02ddf4ad899bf43cf8b5b948e7a6f6f51f899b28..6f46d910333c9185f8dc380a736db516b5a7abb6 100644 (file)
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -459,13 +459,13 @@ formset
           varid       = SECUREBOOT_CONFIGURATION.CertificateFormat,\r
           prompt      = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT),\r
           help        = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP),\r
-          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x2, flags = DEFAULT;\r
-          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x3, flags = 0;\r
-          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x4, flags = 0;\r
-          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x5, flags = 0;\r
+          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x1, flags = DEFAULT;\r
+          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x2, flags = 0;\r
+          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x3, flags = 0;\r
+          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x4, flags = 0;\r
     endoneof;\r
 \r
-    suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 5;\r
+    suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 4;\r
         checkbox varid  = SECUREBOOT_CONFIGURATION.AlwaysRevocation,\r
                prompt = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_PROMPT),\r
                help   = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_HELP),\r

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
index d438d37e04b0f94d4afd58bea96f5736b71af9f4..f080f667a5e87ab7f7a32985e6da5c9ed63edb45 100644 (file)
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
@@ -91,12 +91,12 @@ extern  EFI_IFR_GUID_LABEL         *mEndLabel;
 //\r
 // Support hash types\r
 //\r
-#define HASHALG_SHA224                         0x00000001\r
-#define HASHALG_SHA256                         0x00000002\r
-#define HASHALG_SHA384                         0x00000003\r
-#define HASHALG_SHA512                         0x00000004\r
-#define HASHALG_RAW                            0x00000005\r
-#define HASHALG_MAX                            0x00000005\r
+#define HASHALG_SHA224                         0x00000000\r
+#define HASHALG_SHA256                         0x00000001\r
+#define HASHALG_SHA384                         0x00000002\r
+#define HASHALG_SHA512                         0x00000003\r
+#define HASHALG_RAW                            0x00000004\r
+#define HASHALG_MAX                            0x00000004\r
 \r
 \r
 typedef struct {\r