shim optimize SMx support patches

Feature-shim-support-sm2-and-sm3-algorithm.patch

@@ -0,0 +1,589 @@
+From b56474e6f7d0ddece0f5dd87e410f8f482f66a58 Mon Sep 17 00:00:00 2001
+From: Huaxin Lu <luhuaxin1@huawei.com>
+Date: Mon, 7 Nov 2022 11:47:42 +0800
+Subject: [PATCH 5/5] shim support sm2 and sm3 algorithm
+
+Co-authored-by: Yusong Gao <gaoyusong2@huawei.com>
+Signed-off-by: Yusong Gao <gaoyusong2@huawei.com>
+Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
+---
+ Makefile          |   2 +-
+ MokManager.c      |   8 ++++
+ include/pe.h      |   7 ++++
+ include/peimage.h |   3 ++
+ pe.c              | 100 ++++++++++++++++++++++++++++++++++++++++++++++
+ shim.c            |  73 +++++++++++++++++++++++++++++++--
+ shim.h            |  20 ++++++++++
+ 7 files changed, 208 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 24ac314..8876f9f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -163,7 +163,7 @@ Cryptlib/libcryptlib.a:
+ 	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
+ 
+ Cryptlib/OpenSSL/libopenssl.a:
+-	for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
++	for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes ec sm3 sm2 ecdsa; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
+ 	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
+ 
+ lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
+diff --git a/MokManager.c b/MokManager.c
+index ffcd6a6..8b7fd4b 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1910,6 +1910,9 @@ static EFI_STATUS enroll_file(void *data, UINTN datasize, BOOLEAN hash)
+ 	if (hash) {
+ 		UINT8 sha256[SHA256_DIGEST_SIZE];
+ 		UINT8 sha1[SHA1_DIGEST_SIZE];
++#ifdef ENABLE_SHIM_SM
++		UINT8 sm3[SM3_DIGEST_SIZE];
++#endif
+ 		SHIM_LOCK *shim_lock;
+ 		PE_COFF_LOADER_IMAGE_CONTEXT context;
+ 
+@@ -1929,8 +1932,13 @@ static EFI_STATUS enroll_file(void *data, UINTN datasize, BOOLEAN hash)
+ 		if (EFI_ERROR(efi_status))
+ 			goto out;
+ 
++#ifdef ENABLE_SHIM_SM
++		efi_status = shim_lock->Hash(data, datasize, &context, sha256,
++					     sha1, sm3);
++#else
+ 		efi_status = shim_lock->Hash(data, datasize, &context, sha256,
+ 					     sha1);
++#endif
+ 		if (EFI_ERROR(efi_status))
+ 			goto out;
+ 
+diff --git a/include/pe.h b/include/pe.h
+index ccc8798..93af091 100644
+--- a/include/pe.h
++++ b/include/pe.h
+@@ -28,10 +28,17 @@ handle_image (void *data, unsigned int datasize,
+ 	      EFI_PHYSICAL_ADDRESS *alloc_address,
+ 	      UINTN *alloc_pages);
+ 
++#ifdef ENABLE_SHIM_SM
++EFI_STATUS
++generate_hash (char *data, unsigned int datasize,
++	       PE_COFF_LOADER_IMAGE_CONTEXT *context,
++	       UINT8 *sha256hash, UINT8 *sha1hash, UINT8 *sm3hash);
++#else
+ EFI_STATUS
+ generate_hash (char *data, unsigned int datasize,
+ 	       PE_COFF_LOADER_IMAGE_CONTEXT *context,
+ 	       UINT8 *sha256hash, UINT8 *sha1hash);
++#endif
+ 
+ EFI_STATUS
+ relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
+diff --git a/include/peimage.h b/include/peimage.h
+index e97b29c..7a4f356 100644
+--- a/include/peimage.h
++++ b/include/peimage.h
+@@ -807,6 +807,9 @@ typedef struct {
+ 
+ #define SHA1_DIGEST_SIZE	20
+ #define SHA256_DIGEST_SIZE	32
++#ifdef ENABLE_SHIM_SM
++#define SM3_DIGEST_SIZE	32
++#endif
+ #define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
+ 
+ typedef struct {
+diff --git a/pe.c b/pe.c
+index ba3e2bb..37b08a3 100644
+--- a/pe.c
++++ b/pe.c
+@@ -297,13 +297,24 @@ get_section_vma_by_name (char *name, size_t namesz,
+  * Calculate the SHA1 and SHA256 hashes of a binary
+  */
+ 
++#ifdef ENABLE_SHIM_SM
++EFI_STATUS
++generate_hash(char *data, unsigned int datasize,
++	      PE_COFF_LOADER_IMAGE_CONTEXT *context, UINT8 *sha256hash,
++	      UINT8 *sha1hash, UINT8 *sm3hash)
++#else
+ EFI_STATUS
+ generate_hash(char *data, unsigned int datasize,
+ 	      PE_COFF_LOADER_IMAGE_CONTEXT *context, UINT8 *sha256hash,
+ 	      UINT8 *sha1hash)
++#endif
+ {
+ 	unsigned int sha256ctxsize, sha1ctxsize;
+ 	void *sha256ctx = NULL, *sha1ctx = NULL;
++#ifdef ENABLE_SHIM_SM
++	unsigned int sm3ctxsize;
++	void *sm3ctx = NULL;
++#endif
+ 	char *hashbase;
+ 	unsigned int hashsize;
+ 	unsigned int SumOfBytesHashed, SumOfSectionBytes;
+@@ -327,12 +338,25 @@ generate_hash(char *data, unsigned int datasize,
+ 	sha1ctxsize = Sha1GetContextSize();
+ 	sha1ctx = AllocatePool(sha1ctxsize);
+ 
++#ifdef SHIM_ENABLE_SM
++	sm3ctxsize = Sm3GetContextSize();
++	sm3ctx = AllocatePool(sm3ctxsize);
++#endif
++
++#ifdef SHIM_ENABLE_SM
++	if (!sha256ctx || !sha1ctx || !sm3ctx) {
++#else
+ 	if (!sha256ctx || !sha1ctx) {
++#endif
+ 		perror(L"Unable to allocate memory for hash context\n");
+ 		return EFI_OUT_OF_RESOURCES;
+ 	}
+ 
++#ifdef SHIM_ENABLE_SM
++	if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx) || !Sm3Init(sm3ctx)) {
++#else
+ 	if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx)) {
++#endif
+ 		perror(L"Unable to initialise hash\n");
+ 		efi_status = EFI_OUT_OF_RESOURCES;
+ 		goto done;
+@@ -344,8 +368,14 @@ generate_hash(char *data, unsigned int datasize,
+ 		hashbase;
+ 	check_size(data, datasize, hashbase, hashsize);
+ 
++#ifdef SHIM_ENABLE_SM
++	if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
++	    !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
++	    !(Sm3Update(sm3ctx, hashbase, hashsize))) {
++#else
+ 	if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
+ 	    !(Sha1Update(sha1ctx, hashbase, hashsize))) {
++#endif
+ 		perror(L"Unable to generate hash\n");
+ 		efi_status = EFI_OUT_OF_RESOURCES;
+ 		goto done;
+@@ -357,8 +387,14 @@ generate_hash(char *data, unsigned int datasize,
+ 	hashsize = (char *)context->SecDir - hashbase;
+ 	check_size(data, datasize, hashbase, hashsize);
+ 
++#ifdef SHIM_ENABLE_SM
++	if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
++	    !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
++	    !(Sm3Update(sm3ctx, hashbase, hashsize))) {
++#else
+ 	if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
+ 	    !(Sha1Update(sha1ctx, hashbase, hashsize))) {
++#endif
+ 		perror(L"Unable to generate hash\n");
+ 		efi_status = EFI_OUT_OF_RESOURCES;
+ 		goto done;
+@@ -375,8 +411,14 @@ generate_hash(char *data, unsigned int datasize,
+ 	}
+ 	check_size(data, datasize, hashbase, hashsize);
+ 
++#ifdef SHIM_ENABLE_SM
++	if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
++	    !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
++	    !(Sm3Update(sm3ctx, hashbase, hashsize))) {
++#else
+ 	if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
+ 	    !(Sha1Update(sha1ctx, hashbase, hashsize))) {
++#endif
+ 		perror(L"Unable to generate hash\n");
+ 		efi_status = EFI_OUT_OF_RESOURCES;
+ 		goto done;
+@@ -505,8 +547,14 @@ generate_hash(char *data, unsigned int datasize,
+ 		hashsize  = (unsigned int) Section->SizeOfRawData;
+ 		check_size(data, datasize, hashbase, hashsize);
+ 
++#ifdef SHIM_ENABLE_SM
++		if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
++		    !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
++		    !(Sm3Update(sm3ctx, hashbase, hashsize))) {
++#else
+ 		if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
+ 		    !(Sha1Update(sha1ctx, hashbase, hashsize))) {
++#endif
+ 			perror(L"Unable to generate hash\n");
+ 			efi_status = EFI_OUT_OF_RESOURCES;
+ 			goto done;
+@@ -531,8 +579,14 @@ generate_hash(char *data, unsigned int datasize,
+ 		}
+ 		check_size(data, datasize, hashbase, hashsize);
+ 
++#ifdef SHIM_ENABLE_SM
++		if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
++		    !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
++		    !(Sm3Update(sm3ctx, hashbase, hashsize))) {
++#else
+ 		if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
+ 		    !(Sha1Update(sha1ctx, hashbase, hashsize))) {
++#endif
+ 			perror(L"Unable to generate hash\n");
+ 			efi_status = EFI_OUT_OF_RESOURCES;
+ 			goto done;
+@@ -551,8 +605,14 @@ generate_hash(char *data, unsigned int datasize,
+ 
+ 		check_size(data, datasize, hashbase, hashsize);
+ 
++#ifdef SHIM_ENABLE_SM
++		if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
++		    !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
++		    !(Sm3Update(sm3ctx, hashbase, hashsize))) {
++#else
+ 		if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
+ 		    !(Sha1Update(sha1ctx, hashbase, hashsize))) {
++#endif
+ 			perror(L"Unable to generate hash\n");
+ 			efi_status = EFI_OUT_OF_RESOURCES;
+ 			goto done;
+@@ -562,8 +622,14 @@ generate_hash(char *data, unsigned int datasize,
+ 	}
+ #endif
+ 
++#ifdef SHIM_ENABLE_SM
++	if (!(Sha256Final(sha256ctx, sha256hash)) ||
++	    !(Sha1Final(sha1ctx, sha1hash)) ||
++	    !(Sm3Final(sm3ctx, sm3hash))) {
++#else
+ 	if (!(Sha256Final(sha256ctx, sha256hash)) ||
+ 	    !(Sha1Final(sha1ctx, sha1hash))) {
++#endif
+ 		perror(L"Unable to finalise hash\n");
+ 		efi_status = EFI_OUT_OF_RESOURCES;
+ 		goto done;
+@@ -573,6 +639,10 @@ generate_hash(char *data, unsigned int datasize,
+ 	dhexdumpat(sha1hash, SHA1_DIGEST_SIZE, 0);
+ 	dprint(L"sha256 authenticode hash:\n");
+ 	dhexdumpat(sha256hash, SHA256_DIGEST_SIZE, 0);
++#ifdef SHIM_ENABLE_SM
++	dprint(L"sm3 authenticode hash:\n");
++	dhexdumpat(sm3hash, SM3_DIGEST_SIZE, 0);
++#endif
+ 
+ done:
+ 	if (SectionHeader)
+@@ -581,6 +651,10 @@ done:
+ 		FreePool(sha1ctx);
+ 	if (sha256ctx)
+ 		FreePool(sha256ctx);
++#ifdef SHIM_ENABLE_SM
++	if (sm3ctx)
++		FreePool(sm3ctx);
++#endif
+ 
+ 	return efi_status;
+ }
+@@ -1027,6 +1101,9 @@ EFI_STATUS verify_image(void *data, unsigned int datasize,
+ 	EFI_STATUS efi_status;
+ 	UINT8 sha1hash[SHA1_DIGEST_SIZE];
+ 	UINT8 sha256hash[SHA256_DIGEST_SIZE];
++#ifdef SHIM_ENABLE_SM
++	UINT8 sm3hash[SHA256_DIGEST_SIZE];
++#endif
+ 
+ 	/*
+ 	 * The binary header contains relevant context and section pointers
+@@ -1042,8 +1119,13 @@ EFI_STATUS verify_image(void *data, unsigned int datasize,
+ 	 * in order to load it.
+ 	 */
+ 	if (secure_mode()) {
++#ifdef SHIM_ENABLE_SM
++		efi_status = verify_buffer(data, datasize,
++					   context, sha256hash, sha1hash, sm3hash);
++#else
+ 		efi_status = verify_buffer(data, datasize,
+ 					   context, sha256hash, sha1hash);
++#endif
+ 		if (EFI_ERROR(efi_status)) {
+ 			if (verbose)
+ 				console_print(L"Verification failed: %r\n", efi_status);
+@@ -1061,8 +1143,13 @@ EFI_STATUS verify_image(void *data, unsigned int datasize,
+ 	 *  this is only useful for the TPM1.2 case. We should try to fix
+ 	 *  this in a follow-up.
+ 	 */
++#ifdef SHIM_ENABLE_SM
++	efi_status = generate_hash(data, datasize, context, sha256hash,
++				   sha1hash, sm3hash);
++#else
+ 	efi_status = generate_hash(data, datasize, context, sha256hash,
+ 				   sha1hash);
++#endif
+ 	if (EFI_ERROR(efi_status))
+ 		return efi_status;
+ 
+@@ -1103,6 +1190,9 @@ handle_image (void *data, unsigned int datasize,
+ 	int found_entry_point = 0;
+ 	UINT8 sha1hash[SHA1_DIGEST_SIZE];
+ 	UINT8 sha256hash[SHA256_DIGEST_SIZE];
++#ifdef SHIM_ENABLE_SM
++	UINT8 sm3hash[SM3_DIGEST_SIZE];
++#endif
+ 
+ 	/*
+ 	 * The binary header contains relevant context and section pointers
+@@ -1118,8 +1208,13 @@ handle_image (void *data, unsigned int datasize,
+ 	 * in order to load it.
+ 	 */
+ 	if (secure_mode ()) {
++#ifdef SHIM_ENABLE_SM
++		efi_status = verify_buffer(data, datasize, &context, sha256hash,
++					   sha1hash, sm3hash);
++#else
+ 		efi_status = verify_buffer(data, datasize, &context, sha256hash,
+ 					   sha1hash);
++#endif
+ 
+ 		if (EFI_ERROR(efi_status)) {
+ 			if (verbose)
+@@ -1140,8 +1235,13 @@ handle_image (void *data, unsigned int datasize,
+ 	 *  this is only useful for the TPM1.2 case. We should try to fix
+ 	 *  this in a follow-up.
+ 	 */
++#ifdef SHIM_ENABLE_SM
++	efi_status = generate_hash(data, datasize, &context, sha256hash,
++				   sha1hash, sm3hash);
++#else
+ 	efi_status = generate_hash(data, datasize, &context, sha256hash,
+ 				   sha1hash);
++#endif
+ 	if (EFI_ERROR(efi_status))
+ 		return efi_status;
+ 
+diff --git a/shim.c b/shim.c
+index fdd205e..5662ca8 100644
+--- a/shim.c
++++ b/shim.c
+@@ -458,11 +458,20 @@ BOOLEAN secure_mode (void)
+ 	return TRUE;
+ }
+ 
++#ifdef ENABLE_SHIM_SM
++static EFI_STATUS
++verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
++		     UINT8 *sha256hash, UINT8 *sha1hash, UINT8 *sm3hash)
++#else
+ static EFI_STATUS
+ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
+ 		     UINT8 *sha256hash, UINT8 *sha1hash)
++#endif
+ {
+ 	EFI_STATUS efi_status;
++#ifdef ENABLE_SHIM_SM
++	sm3hash = sm3hash;
++#endif
+ 
+ 	/*
+ 	 * Ensure that the binary isn't forbidden
+@@ -533,10 +542,15 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
+ 		dprint("verifying against vendor_cert\n");
+ 	}
+ 	if (vendor_cert_size &&
+-	    AuthenticodeVerify(sig->CertData,
+-			       sig->Hdr.dwLength - sizeof(sig->Hdr),
+-			       vendor_cert, vendor_cert_size,
+-			       sha256hash, SHA256_DIGEST_SIZE)) {
++#ifdef ENABLE_SHIM_SM
++	    (AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
++							vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE) ||
++	     AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
++							vendor_cert, vendor_cert_size, sm3hash, SM3_DIGEST_SIZE))) {
++#else
++	    (AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
++							vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) {
++#endif
+ 		dprint(L"AuthenticodeVerify(vendor_cert) succeeded\n");
+ 		update_verification_method(VERIFIED_BY_CERT);
+ 		tpm_measure_variable(L"Shim", SHIM_LOCK_GUID,
+@@ -558,10 +572,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
+ /*
+  * Check that the signature is valid and matches the binary
+  */
++#ifdef ENABLE_SHIM_SM
++EFI_STATUS
++verify_buffer_authenticode (char *data, int datasize,
++			    PE_COFF_LOADER_IMAGE_CONTEXT *context,
++			    UINT8 *sha256hash, UINT8 *sha1hash, UINT8 *sm3hash)
++#else
+ EFI_STATUS
+ verify_buffer_authenticode (char *data, int datasize,
+ 			    PE_COFF_LOADER_IMAGE_CONTEXT *context,
+ 			    UINT8 *sha256hash, UINT8 *sha1hash)
++#endif
+ {
+ 	EFI_STATUS ret_efi_status;
+ 	size_t size = datasize;
+@@ -578,7 +599,12 @@ verify_buffer_authenticode (char *data, int datasize,
+ 	 */
+ 	drain_openssl_errors();
+ 
++#ifdef ENABLE_SHIM_SM
++	ret_efi_status = generate_hash(data, datasize, context, sha256hash, sha1hash, sm3hash);
++#else
+ 	ret_efi_status = generate_hash(data, datasize, context, sha256hash, sha1hash);
++#endif
++
+ 	if (EFI_ERROR(ret_efi_status)) {
+ 		dprint(L"generate_hash: %r\n", ret_efi_status);
+ 		PrintErrors();
+@@ -665,7 +691,11 @@ verify_buffer_authenticode (char *data, int datasize,
+ 
+ 			dprint(L"Attempting to verify signature %d:\n", i++);
+ 
++#ifdef ENABLE_SHIM_SM
++			efi_status = verify_one_signature(sig, sha256hash, sha1hash, sm3hash);
++#else
+ 			efi_status = verify_one_signature(sig, sha256hash, sha1hash);
++#endif
+ 
+ 			/*
+ 			 * If we didn't get EFI_SECURITY_VIOLATION from
+@@ -746,10 +776,17 @@ verify_buffer_sbat (char *data, int datasize,
+  * Check that the signature is valid and matches the binary and that
+  * the binary is permitted to load by SBAT.
+  */
++#ifdef ENABLE_SHIM_SM
++EFI_STATUS
++verify_buffer (char *data, int datasize,
++	       PE_COFF_LOADER_IMAGE_CONTEXT *context,
++	       UINT8 *sha256hash, UINT8 *sha1hash, UINT8 *sm3hash)
++#else
+ EFI_STATUS
+ verify_buffer (char *data, int datasize,
+ 	       PE_COFF_LOADER_IMAGE_CONTEXT *context,
+ 	       UINT8 *sha256hash, UINT8 *sha1hash)
++#endif
+ {
+ 	EFI_STATUS efi_status;
+ 
+@@ -757,7 +794,11 @@ verify_buffer (char *data, int datasize,
+ 	if (EFI_ERROR(efi_status))
+ 		return efi_status;
+ 
++#ifdef ENABLE_SHIM_SM
++	return verify_buffer_authenticode(data, datasize, context, sha256hash, sha1hash, sm3hash);
++#else
+ 	return verify_buffer_authenticode(data, datasize, context, sha256hash, sha1hash);
++#endif
+ }
+ 
+ static int
+@@ -970,6 +1011,9 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
+ 	PE_COFF_LOADER_IMAGE_CONTEXT context;
+ 	UINT8 sha1hash[SHA1_DIGEST_SIZE];
+ 	UINT8 sha256hash[SHA256_DIGEST_SIZE];
++#ifdef ENABLE_SHIM_SM
++	UINT8 sm3hash[SM3_DIGEST_SIZE];
++#endif
+ 
+ 	if ((INT32)size < 0)
+ 		return EFI_INVALID_PARAMETER;
+@@ -981,8 +1025,13 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
+ 	if (EFI_ERROR(efi_status))
+ 		goto done;
+ 
++#ifdef ENABLE_SHIM_SM
++	efi_status = generate_hash(buffer, size, &context,
++				   sha256hash, sha1hash, sm3hash);
++#else
+ 	efi_status = generate_hash(buffer, size, &context,
+ 				   sha256hash, sha1hash);
++#endif
+ 	if (EFI_ERROR(efi_status))
+ 		goto done;
+ 
+@@ -1002,16 +1051,27 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
+ 		goto done;
+ 	}
+ 
++#ifdef ENABLE_SHIM_SM
++	efi_status = verify_buffer(buffer, size,
++				   &context, sha256hash, sha1hash, sm3hash);
++#else
+ 	efi_status = verify_buffer(buffer, size,
+ 				   &context, sha256hash, sha1hash);
++#endif
+ done:
+ 	in_protocol = 0;
+ 	return efi_status;
+ }
+ 
++#ifdef ENABLE_SHIM_SM
++static EFI_STATUS shim_hash (char *data, int datasize,
++			     PE_COFF_LOADER_IMAGE_CONTEXT *context,
++			     UINT8 *sha256hash, UINT8 *sha1hash, UINT8 *sm3hash)
++#else
+ static EFI_STATUS shim_hash (char *data, int datasize,
+ 			     PE_COFF_LOADER_IMAGE_CONTEXT *context,
+ 			     UINT8 *sha256hash, UINT8 *sha1hash)
++#endif
+ {
+ 	EFI_STATUS efi_status;
+ 
+@@ -1019,8 +1079,13 @@ static EFI_STATUS shim_hash (char *data, int datasize,
+ 		return EFI_INVALID_PARAMETER;
+ 
+ 	in_protocol = 1;
++#ifdef ENABLE_SHIM_SM
++	efi_status = generate_hash(data, datasize, context,
++				   sha256hash, sha1hash, sm3hash);
++#else
+ 	efi_status = generate_hash(data, datasize, context,
+ 				   sha256hash, sha1hash);
++#endif
+ 	in_protocol = 0;
+ 
+ 	return efi_status;
+diff --git a/shim.h b/shim.h
+index b5272b9..b9aa982 100644
+--- a/shim.h
++++ b/shim.h
+@@ -208,6 +208,18 @@ EFI_STATUS
+ 	IN UINT32 size
+ 	);
+ 
++#ifdef ENABLE_SHIM_SM
++typedef
++EFI_STATUS
++(*EFI_SHIM_LOCK_HASH) (
++	IN char *data,
++	IN int datasize,
++	PE_COFF_LOADER_IMAGE_CONTEXT *context,
++	UINT8 *sha256hash,
++	UINT8 *sha1hash,
++	UINT8 *sm3hash
++	);
++#else
+ typedef
+ EFI_STATUS
+ (*EFI_SHIM_LOCK_HASH) (
+@@ -217,6 +229,7 @@ EFI_STATUS
+ 	UINT8 *sha256hash,
+ 	UINT8 *sha1hash
+ 	);
++#endif
+ 
+ typedef
+ EFI_STATUS
+@@ -271,10 +284,17 @@ extern UINT32 load_options_size;
+ 
+ BOOLEAN secure_mode (void);
+ 
++#ifdef ENABLE_SHIM_SM
++EFI_STATUS
++verify_buffer (char *data, int datasize,
++	       PE_COFF_LOADER_IMAGE_CONTEXT *context,
++	       UINT8 *sha256hash, UINT8 *sha1hash, UINT8 *sm3hash);
++#else
+ EFI_STATUS
+ verify_buffer (char *data, int datasize,
+ 	       PE_COFF_LOADER_IMAGE_CONTEXT *context,
+ 	       UINT8 *sha256hash, UINT8 *sha1hash);
++#endif
+ 
+ #ifndef SHIM_UNIT_TEST
+ #define perror_(file, line, func, fmt, ...) ({					\
+-- 
+2.33.0
+

shim.spec

@@ -22,7 +22,7 @@
 
 Name:	   	   shim
 Version:	   15.6
-Release:	   2
+Release:	   3
 Summary:	   First-stage UEFI bootloader
 ExclusiveArch:     x86_64 aarch64
 License:	   BSD
@@ -31,7 +31,12 @@ Source0:	   https://github.com/rhboot/shim/releases/download/%{version}/shim-%{v
 Source1:	   BOOTAA64.CSV
 Source2:	   BOOTX64.CSV
 
-Patch9000:         Feature-shim-support-SMx-verify.patch
+# Feature for shim SMx support
+Patch9000:Feature-shim-openssl-add-ec-support.patch
+Patch9001:Feature-shim-openssl-add-ecdsa-support.patch
+Patch9002:Feature-shim-openssl-add-sm2-and-sm3-support.patch
+Patch9003:Feature-shim-cryptlib-support-sm2-signature-verify.patch
+Patch9004:Feature-shim-support-sm2-and-sm3-algorithm.patch
 
 BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc
 Requires:      dbxtool efi-filesystem mokutil
@@ -136,6 +141,9 @@ cd ..
 /usr/src/debug/%{name}-%{version}-%{release}/*
 
 %changelog
+* Tue Nov 8 2022 luhuaxin <luhuaxin1@huawei.com> - 15.6-3
+- Optimize patches for SMx feature
+
 * Mon Oct 31 2022 luhuaxin <luhuaxin1@huawei.com> - 15.6-2
 - Feature: shim support SM2 and SM3