/** Hash data and extend to PCR. @param PcrIndex PCR to be extended. @param DataToHash Data to be hashed. @param DataToHashLen Data size. @param DigestList Digest list. @retval EFI_SUCCESS Hash data and DigestList is returned. **/ EFI_STATUS EFIAPI HashAndExtend ( IN TPMI_DH_PCR PcrIndex, IN VOID *DataToHash, IN UINTN DataToHashLen, OUT TPML_DIGEST_VALUES *DigestList ) { HASH_INTERFACE_HOB *HashInterfaceHob; HASH_HANDLE HashHandle; EFI_STATUS Status; HashInterfaceHob = InternalGetHashInterface (); if (HashInterfaceHob == NULL) { return EFI_UNSUPPORTED; } if (HashInterfaceHob->HashInterfaceCount == 0) { return EFI_UNSUPPORTED; } HashStart (&HashHandle); HashUpdate (HashHandle, DataToHash, DataToHashLen); Status = HashCompleteAndExtend (HashHandle, PcrIndex, NULL, 0, DigestList); return Status; }
/**Send a slave error packet * @param error The error code. Error codes are defined in the header file. * @param description Pointer to a null-terminated string of additional data about the error */ void SendSlaveError(unsigned char error, char *description) { HashState=0; //Send the preamble BufferedSerialWrite(0x55); BufferedSerialWrite(TYPE_SLAVE_EXCEPTION); HashUpdate(TYPE_SLAVE_EXCEPTION); //Adress to master BufferedSerialWrite(1); HashUpdate(1); BufferedSerialWrite(0); HashUpdate(0); BufferedSerialWrite(PACKET_OVERHEAD + 1); HashUpdate(PACKET_OVERHEAD+1); BufferedSerialWrite(error); HashUpdate(error); BufferedSerialWrite(GetByteOf(1,HashState)); BufferedSerialWrite(GetByteOf(0,HashState)); // }
/**Print a null terminated string to the serial port * Hash every character, but do not reset the hash state beforehand. * @param str A null terminated string to be sent. */ void PrintNstringAndHash(const unsigned char *str) { unsigned char temp = 00; //This is just a counter to make sure we dont loop forever if no NUL is found unsigned char SafetyCounter =00; while(SafetyCounter<240) { temp = *str++; if (temp) { HashUpdate(temp); BufferedSerialWrite(temp) ; } else { HashUpdate(0); BufferedSerialWrite(0) ; break; } SafetyCounter++; } }
/**Send a slave data response packet. You only need to give it the data, it will handle framing. * @param data A pointer to the start of the data to be sent * @data_length The length of the data to be sent */ void SendSlaveDataResponse(const unsigned char *data, const unsigned char data_length) { //Initialize the CRC state HashState = 0; //We hash every byte we send but NOT the preamble because it is //not part of the packet data. //preamble BufferedSerialWrite(PACKET_PREAMBLE); //Send the packet type code, BufferedSerialWrite(TYPE_SLAVE_DATA_RESPONSE); HashUpdate(TYPE_SLAVE_DATA_RESPONSE); BufferedSerialWrite(0x01); HashUpdate(0x01); BufferedSerialWrite(0x00); HashUpdate(0x00); //Calculate what the length field will be because //The length field is not the same as the length of the actual data. BufferedSerialWrite(data_length +PACKET_OVERHEAD); HashUpdate(data_length+PACKET_OVERHEAD); //Send each character of the actual data and hash it unsigned char i; for(i=0; i<data_length; i++) { BufferedSerialWrite(data[i]); HashUpdate(data[i]); } BufferedSerialWrite(GetByteOf(1,HashState)); BufferedSerialWrite(GetByteOf(0,HashState)); }
/**This should get called every time a new byte is availible from the UART. * @param byte the new byte that just arrived. */ void OnByteRecieved(const unsigned char byte) { //Check the interframe spacing. //If it has been more than that time it is either an error or a new packet. //also check if we arent recieving a message at all. //Either of these conditions indicate that this byte could be the start of a new character. if (((TimeSinceLastByteWasRecieved() >= CurrentTimeOut)) | !(RecievingMessage)) { //A byte time of silence or more always delimits packets //So reset the recieve pointer to clear any garbage and reset the hash state. RecievePointer = 0; HashState = 0; //Consider this the start of a new packet ONLY if it matches the valid start code //And ONLY if the required interframe distance has been met or exceeded. //This lets us send one byte messages outside of a full packet if (byte == 0x55) { RecievingMessage = 1; } else { //If we don't see the valid start code we stay idle RecievingMessage = 0; } return; } //Only if a valid start code was detected at the start should we enter the byte in the buffer. else { RecieveBuffer[RecievePointer] = byte; RecievePointer++; //Update the checksum as we go so we don't have to do one huge batch of calculations //At the end, which would suck for realtime performance. //Also dont CRC the CRC because that would //not make sense unless we did that weird crc(message +crc)=0 thing if (!((RecievePointer >= (RecieveBuffer[LENGTH_OFFSET]-1)) &(RecievePointer>LENGTH_OFFSET))) { HashUpdate(byte); } //Not only check and see if we have as mny bytes as the length field says, //But also check that we even have the length field. if ((RecievePointer >= RecieveBuffer[LENGTH_OFFSET]) &(RecievePointer>LENGTH_OFFSET)) { //If we have recieved a complete message, Check the checksum. // DisableReciever(); //We must re enable this to be ready for the next packet. RecievingMessage = 0; //Do nothing with the packet if we have just been waiting for the end of it. if (CheckAddress(RecieveBuffer)) { //Don't do anything with incorrect packets, they are bad. if (GetByteOf(0,HashState ) == RecieveBuffer[RecievePointer-1]) { if(GetByteOf(1,HashState) == RecieveBuffer[RecievePointer-2]) { HandleNewPacket(RecieveBuffer); } } } } } }
/** Measure PE image into TPM log based on the authenticode image hashing in PE/COFF Specification 8.0 Appendix A. Caution: This function may receive untrusted input. PE/COFF image is external input, so this function will validate its data structure within this image buffer before use. @param[in] PCRIndex TPM PCR index @param[in] ImageAddress Start address of image buffer. @param[in] ImageSize Image size @param[out] DigestList Digeest list of this image. @retval EFI_SUCCESS Successfully measure image. @retval EFI_OUT_OF_RESOURCES No enough resource to measure image. @retval other error value **/ EFI_STATUS MeasurePeImageAndExtend ( IN UINT32 PCRIndex, IN EFI_PHYSICAL_ADDRESS ImageAddress, IN UINTN ImageSize, OUT TPML_DIGEST_VALUES *DigestList ) { EFI_STATUS Status; EFI_IMAGE_DOS_HEADER *DosHdr; UINT32 PeCoffHeaderOffset; EFI_IMAGE_SECTION_HEADER *Section; UINT8 *HashBase; UINTN HashSize; UINTN SumOfBytesHashed; EFI_IMAGE_SECTION_HEADER *SectionHeader; UINTN Index; UINTN Pos; UINT16 Magic; EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION Hdr; UINT32 NumberOfRvaAndSizes; UINT32 CertSize; HASH_HANDLE HashHandle; HashHandle = 0xFFFFFFFF; // Know bad value Status = EFI_UNSUPPORTED; SectionHeader = NULL; // // Check PE/COFF image // DosHdr = (EFI_IMAGE_DOS_HEADER *) (UINTN) ImageAddress; PeCoffHeaderOffset = 0; if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) { PeCoffHeaderOffset = DosHdr->e_lfanew; } Hdr.Pe32 = (EFI_IMAGE_NT_HEADERS32 *)((UINT8 *) (UINTN) ImageAddress + PeCoffHeaderOffset); if (Hdr.Pe32->Signature != EFI_IMAGE_NT_SIGNATURE) { Status = EFI_UNSUPPORTED; goto Finish; } // // PE/COFF Image Measurement // // NOTE: The following codes/steps are based upon the authenticode image hashing in // PE/COFF Specification 8.0 Appendix A. // // // 1. Load the image header into memory. // 2. Initialize a SHA hash context. Status = HashStart (&HashHandle); if (EFI_ERROR (Status)) { goto Finish; } // // Measuring PE/COFF Image Header; // But CheckSum field and SECURITY data directory (certificate) are excluded // if (Hdr.Pe32->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 && Hdr.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { // // NOTE: Some versions of Linux ELILO for Itanium have an incorrect magic value // in the PE/COFF Header. If the MachineType is Itanium(IA64) and the // Magic value in the OptionalHeader is EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC // then override the magic value to EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC // Magic = EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC; } else { // // Get the magic value from the PE/COFF Optional Header // Magic = Hdr.Pe32->OptionalHeader.Magic; } // // 3. Calculate the distance from the base of the image header to the image checksum address. // 4. Hash the image header from its base to beginning of the image checksum. // HashBase = (UINT8 *) (UINTN) ImageAddress; if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { // // Use PE32 offset // NumberOfRvaAndSizes = Hdr.Pe32->OptionalHeader.NumberOfRvaAndSizes; HashSize = (UINTN) ((UINT8 *)(&Hdr.Pe32->OptionalHeader.CheckSum) - HashBase); } else { // // Use PE32+ offset // NumberOfRvaAndSizes = Hdr.Pe32Plus->OptionalHeader.NumberOfRvaAndSizes; HashSize = (UINTN) ((UINT8 *)(&Hdr.Pe32Plus->OptionalHeader.CheckSum) - HashBase); } Status = HashUpdate (HashHandle, HashBase, HashSize); if (EFI_ERROR (Status)) { goto Finish; } // // 5. Skip over the image checksum (it occupies a single ULONG). // if (NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_SECURITY) { // // 6. Since there is no Cert Directory in optional header, hash everything // from the end of the checksum to the end of image header. // if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { // // Use PE32 offset. // HashBase = (UINT8 *) &Hdr.Pe32->OptionalHeader.CheckSum + sizeof (UINT32); HashSize = Hdr.Pe32->OptionalHeader.SizeOfHeaders - (UINTN) (HashBase - ImageAddress); } else { // // Use PE32+ offset. // HashBase = (UINT8 *) &Hdr.Pe32Plus->OptionalHeader.CheckSum + sizeof (UINT32); HashSize = Hdr.Pe32Plus->OptionalHeader.SizeOfHeaders - (UINTN) (HashBase - ImageAddress); } if (HashSize != 0) { Status = HashUpdate (HashHandle, HashBase, HashSize); if (EFI_ERROR (Status)) { goto Finish; } } } else { // // 7. Hash everything from the end of the checksum to the start of the Cert Directory. // if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { // // Use PE32 offset // HashBase = (UINT8 *) &Hdr.Pe32->OptionalHeader.CheckSum + sizeof (UINT32); HashSize = (UINTN) ((UINT8 *)(&Hdr.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - HashBase); } else { // // Use PE32+ offset // HashBase = (UINT8 *) &Hdr.Pe32Plus->OptionalHeader.CheckSum + sizeof (UINT32); HashSize = (UINTN) ((UINT8 *)(&Hdr.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - HashBase); } if (HashSize != 0) { Status = HashUpdate (HashHandle, HashBase, HashSize); if (EFI_ERROR (Status)) { goto Finish; } } // // 8. Skip over the Cert Directory. (It is sizeof(IMAGE_DATA_DIRECTORY) bytes.) // 9. Hash everything from the end of the Cert Directory to the end of image header. // if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { // // Use PE32 offset // HashBase = (UINT8 *) &Hdr.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]; HashSize = Hdr.Pe32->OptionalHeader.SizeOfHeaders - (UINTN) (HashBase - ImageAddress); } else { // // Use PE32+ offset // HashBase = (UINT8 *) &Hdr.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]; HashSize = Hdr.Pe32Plus->OptionalHeader.SizeOfHeaders - (UINTN) (HashBase - ImageAddress); } if (HashSize != 0) { Status = HashUpdate (HashHandle, HashBase, HashSize); if (EFI_ERROR (Status)) { goto Finish; } } } // // 10. Set the SUM_OF_BYTES_HASHED to the size of the header // if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { // // Use PE32 offset // SumOfBytesHashed = Hdr.Pe32->OptionalHeader.SizeOfHeaders; } else { // // Use PE32+ offset // SumOfBytesHashed = Hdr.Pe32Plus->OptionalHeader.SizeOfHeaders; } // // 11. Build a temporary table of pointers to all the IMAGE_SECTION_HEADER // structures in the image. The 'NumberOfSections' field of the image // header indicates how big the table should be. Do not include any // IMAGE_SECTION_HEADERs in the table whose 'SizeOfRawData' field is zero. // SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * Hdr.Pe32->FileHeader.NumberOfSections); if (SectionHeader == NULL) { Status = EFI_OUT_OF_RESOURCES; goto Finish; } // // 12. Using the 'PointerToRawData' in the referenced section headers as // a key, arrange the elements in the table in ascending order. In other // words, sort the section headers according to the disk-file offset of // the section. // Section = (EFI_IMAGE_SECTION_HEADER *) ( (UINT8 *) (UINTN) ImageAddress + PeCoffHeaderOffset + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER) + Hdr.Pe32->FileHeader.SizeOfOptionalHeader ); for (Index = 0; Index < Hdr.Pe32->FileHeader.NumberOfSections; Index++) { Pos = Index; while ((Pos > 0) && (Section->PointerToRawData < SectionHeader[Pos - 1].PointerToRawData)) { CopyMem (&SectionHeader[Pos], &SectionHeader[Pos - 1], sizeof(EFI_IMAGE_SECTION_HEADER)); Pos--; } CopyMem (&SectionHeader[Pos], Section, sizeof(EFI_IMAGE_SECTION_HEADER)); Section += 1; } // // 13. Walk through the sorted table, bring the corresponding section // into memory, and hash the entire section (using the 'SizeOfRawData' // field in the section header to determine the amount of data to hash). // 14. Add the section's 'SizeOfRawData' to SUM_OF_BYTES_HASHED . // 15. Repeat steps 13 and 14 for all the sections in the sorted table. // for (Index = 0; Index < Hdr.Pe32->FileHeader.NumberOfSections; Index++) { Section = (EFI_IMAGE_SECTION_HEADER *) &SectionHeader[Index]; if (Section->SizeOfRawData == 0) { continue; } HashBase = (UINT8 *) (UINTN) ImageAddress + Section->PointerToRawData; HashSize = (UINTN) Section->SizeOfRawData; Status = HashUpdate (HashHandle, HashBase, HashSize); if (EFI_ERROR (Status)) { goto Finish; } SumOfBytesHashed += HashSize; } // // 16. If the file size is greater than SUM_OF_BYTES_HASHED, there is extra // data in the file that needs to be added to the hash. This data begins // at file offset SUM_OF_BYTES_HASHED and its length is: // FileSize - (CertDirectory->Size) // if (ImageSize > SumOfBytesHashed) { HashBase = (UINT8 *) (UINTN) ImageAddress + SumOfBytesHashed; if (NumberOfRvaAndSizes <= EFI_IMAGE_DIRECTORY_ENTRY_SECURITY) { CertSize = 0; } else { if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { // // Use PE32 offset. // CertSize = Hdr.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size; } else { // // Use PE32+ offset. // CertSize = Hdr.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size; } } if (ImageSize > CertSize + SumOfBytesHashed) { HashSize = (UINTN) (ImageSize - CertSize - SumOfBytesHashed); Status = HashUpdate (HashHandle, HashBase, HashSize); if (EFI_ERROR (Status)) { goto Finish; } } else if (ImageSize < CertSize + SumOfBytesHashed) { Status = EFI_UNSUPPORTED; goto Finish; } } // // 17. Finalize the SHA hash. // Status = HashCompleteAndExtend (HashHandle, PCRIndex, NULL, 0, DigestList); if (EFI_ERROR (Status)) { goto Finish; } Finish: if (SectionHeader != NULL) { FreePool (SectionHeader); } return Status; }