From nobody Thu Mar 28 18:42:31 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+50014+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+50014+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=hpe.com ARC-Seal: i=1; a=rsa-sha256; t=1573002088; cv=none; d=zoho.com; s=zohoarc; b=Y3UFn6Fps22k6TVjLyydB9KGFRZAQmExPRqw80t/CLgP2Y4/RH4CeERi6h8cSnSeKcwPn1IsCpiqIUoXf8apkxB+VhdUQrttdNeKTcYclwgL86R8OVsRe76R5yH0ytpFdKycfoiM0Q5WbISyCUXYPaEE92vltVKU6m1SvVUaxH4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1573002088; h=Content-Transfer-Encoding:Cc:Date:From:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Sender:Subject:To; bh=OeZz12NJs6PHI4lSUvS7+dv4vQ9+JfSLUhqpKLoFx+8=; b=Vwn7FGDmN43EpWWhk2aQlF5AlR0stanhDzQxnJ3+7aaVfIgMHce/NYMAJK6OAkuebUjAjDlNbHImNkwp6pk+FzhrkpSk8xBe5Q8BavdEic96MpnBbcRftdK4qOsoJpjq1Z4102+/Z5bFUaWElPVObbD4ITpRisRSRj9yvkUqL0c= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+50014+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1573002088736272.39052575636515; Tue, 5 Nov 2019 17:01:28 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id wosoYY1788612xhOMUnYZrWs; Tue, 05 Nov 2019 17:01:28 -0800 X-Received: from mx0b-002e3701.pphosted.com (mx0b-002e3701.pphosted.com [148.163.143.35]) by mx.groups.io with SMTP id smtpd.web10.2598.1573002087018347422 for ; Tue, 05 Nov 2019 17:01:27 -0800 X-Received: from pps.filterd (m0150245.ppops.net [127.0.0.1]) by mx0b-002e3701.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xA611Pgl026551; Wed, 6 Nov 2019 01:01:26 GMT X-Received: from g2t2352.austin.hpe.com (g2t2352.austin.hpe.com [15.233.44.25]) by mx0b-002e3701.pphosted.com with ESMTP id 2w3dfpaphb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 06 Nov 2019 01:01:26 +0000 X-Received: from g2t2360.austin.hpecorp.net (g2t2360.austin.hpecorp.net [16.196.225.135]) by g2t2352.austin.hpe.com (Postfix) with ESMTP id EEDFD91; Wed, 6 Nov 2019 01:01:06 +0000 (UTC) X-Received: from SZC0PA4FXD.asiapacific.hpqcorp.net (szc0pa4fxd.asiapacific.hpqcorp.net [10.43.42.135]) by g2t2360.austin.hpecorp.net (Postfix) with ESMTP id BC3A136; Wed, 6 Nov 2019 01:01:04 +0000 (UTC) From: "Lin, Derek (HPS SW)" To: derek.lin2@hpe.com, devel@edk2.groups.io Cc: jason.spottswood@hpe.com, jiewen.yao@intel.com, jian.j.wang@intel.com, chao.b.zhang@intel.com Subject: [edk2-devel] [PATCH] SecurityPkg: Fix TPM2 ACPI measurement. Date: Wed, 6 Nov 2019 09:00:47 +0800 Message-Id: <20191106010047.489176-1-derek.lin2@hpe.com> X-Proofpoint-UnRewURL: 0 URL was un-rewritten MIME-Version: 1.0 X-HPE-SCL: -1 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,derek.lin2@hpe.com X-Gm-Message-State: TN8xFR7AL51P0aA6DOIi77Skx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1573002088; bh=WJcrSwTEcgGT+WPqWxWunIg+iIfkSRhqkeYLMbNMthI=; h=Cc:Date:From:Reply-To:Subject:To; b=YPennJSVFcd1rTih1fYGGIcKvuG2kIsPVReSPUuAFDTpeSsuQ6WGHZqHrciezrYafFM PoaOmfrf0VM/Q78Fs4ZraAlabs8GJogPvYZbRmbUQtSzRf8noBL1Pha8Ep9aEtbFr10Us PkoPvr5B2ZAcO6/shVPFnreByeii+xF4QRQ= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" We have discussed in this thread. https://edk2.groups.io/g/devel/topic/32205028 Before the change, TPM FW upgrade will impact TPM2 ACPI PCR value because TPM2 ACPI HID include FW version. This change make the measurement before TPM2 HID fixup. So, after TPM FW upgrade, the ACPI PCR record remains the same. Signed-off-by: Derek Lin Reviewed-by: Jian J Wang --- SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c b/SecurityPkg/Tcg/Tcg2Smm/Tc= g2Smm.c index bd786bf479..54966c83ce 100644 --- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c @@ -664,7 +664,22 @@ PublishAcpiTable ( )); =20 // - // Update TPM2 HID before measuring it to PCR + // Measure to PCR[0] with event EV_POST_CODE ACPI DATA. + // The measurement has to be done before UpdateHID since TPM2 ACPI HID + // imply TPM Firmware Version. Otherwise, the PCR record would be + // different after TPM FW update. + // + TpmMeasureAndLogData( + 0, + EV_POST_CODE, + EV_POSTCODE_INFO_ACPI_DATA, + ACPI_DATA_LEN, + Table, + TableSize + ); + + // + // Update TPM2 HID after measuring it to PCR // Status =3D UpdateHID(Table); if (EFI_ERROR(Status)) { @@ -694,19 +709,6 @@ PublishAcpiTable ( } } =20 - // - // Measure to PCR[0] with event EV_POST_CODE ACPI DATA - // - TpmMeasureAndLogData( - 0, - EV_POST_CODE, - EV_POSTCODE_INFO_ACPI_DATA, - ACPI_DATA_LEN, - Table, - TableSize - ); - - ASSERT (Table->OemTableId =3D=3D SIGNATURE_64 ('T', 'p', 'm', '2', 'T', = 'a', 'b', 'l')); CopyMem (Table->OemId, PcdGetPtr (PcdAcpiDefaultOemId), sizeof (Table->O= emId) ); mTcgNvs =3D AssignOpRegion (Table, SIGNATURE_32 ('T', 'N', 'V', 'S'), (U= INT16) sizeof (TCG_NVS)); --=20 2.20.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#50014): https://edk2.groups.io/g/devel/message/50014 Mute This Topic: https://groups.io/mt/42888234/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-