From nobody Fri May 3 04:24:38 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+78688+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78688+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1628119703; cv=none; d=zohomail.com; s=zohoarc; b=FZ4O7TSLRmezCkcuYTuvyZh2jajHoze39iyavpGl1WkQ9b/9RgzmSlhfC7VHFL0SVLONUG7rV/2+NBMGx1zMER3Zqrdm6HqIL2DsY8Pd+npKX8rtjV5q04nnRbqCYF7c68XLXgGyJEmb3stbhIZ0+MNvuoXIhlLoZ1H/rGQsQaE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1628119703; h=Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Sender:Subject:To; bh=O0icncUautzpDmdDQRAXjqe1rR0yvK2Q7QfxWLcld34=; b=btpScZJROANpe/gZ7lU3QEICuxUcypnL0kndM7GvXldKfqQuOyMgGpxdi+whgJxb43VXTCwP6ZXeo2zdOebIbyI8sgcthb/ad+GjKoCjVAMqezWSynj1b2fx3yXbwyDNB1bH365upVYKCR6Pn5sXHPgxX2xO4e4Tg5DtA5jE3rw= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78688+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1628119703305927.6268578209532; Wed, 4 Aug 2021 16:28:23 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id UKwaYY1788612xRAYD38sx87; Wed, 04 Aug 2021 16:28:23 -0700 X-Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) by mx.groups.io with SMTP id smtpd.web08.2014.1628119701899403954 for ; Wed, 04 Aug 2021 16:28:22 -0700 X-IronPort-AV: E=McAfee;i="6200,9189,10066"; a="277790001" X-IronPort-AV: E=Sophos;i="5.84,295,1620716400"; d="scan'208";a="277790001" X-Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Aug 2021 16:28:20 -0700 X-IronPort-AV: E=Sophos;i="5.84,295,1620716400"; d="scan'208";a="419609584" X-Received: from fm73lab177-1.amr.corp.intel.com ([10.80.209.189]) by orsmga006-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Aug 2021 16:28:20 -0700 From: "Rodrigo Gonzalez del Cueto" To: devel@edk2.groups.io Cc: Rodrigo Gonzalez del Cueto , Jian J Wang , Jiewen Yao Subject: [edk2-devel] [PATCH] Reallocate TPM Active PCRs based on platform support. Date: Wed, 4 Aug 2021 16:28:13 -0700 Message-Id: <20210804232813.818-1-rodrigo.gonzalez.del.cueto@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,rodrigo.gonzalez.del.cueto@intel.com X-Gm-Message-State: d8Uaud9XyqUornBCQukZOOrmx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1628119703; bh=LVWPMhQnuPp9FveCCI0CKD2m1R2VH2DjX/yduMjd2mM=; h=Cc:Date:From:Reply-To:Subject:To; b=Io4mAHoI77zHBahoICEGX+vh6iP6eEit35eVxX+VXe6b7q7c+yNdxkQzh3SJ3uk2jr3 YxHkknexOtukHesdPDnKx4q7FycNQBhCYj6++hU3LUokDx7BjGtKJy4CRTzclozuQoeCh MeLFH4HDWhHVndcXdUG/iPrBFnpYkta2DdU= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1628119704328100001 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3515 In V2: Add case to RegisterHashInterfaceLib logic RegisterHashInterfaceLib needs to correctly handle registering the HashLib instance supported algorithm bitmap when PcdTpm2HashMask is set to zero. The current implementation of SyncPcrAllocationsAndPcrMask() triggers PCR bank reallocation only based on the intersection between TpmActivePcrBanks and PcdTpm2HashMask. When the software HashLibBaseCryptoRouter solution is used, no PCR bank reallocation is occurring based on the supported hashing algorithms registered by the HashLib instances. Need to have an additional check for the intersection between the TpmActivePcrBanks and the PcdTcg2HashAlgorithmBitmap populated by the HashLib instances present on the platform's BIOS. Signed-off-by: Rodrigo Gonzalez del Cueto Cc: Jian J Wang Cc: Jiewen Yao Reviewed-by: Jiewen Yao --- SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c |= 6 +++++- SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c |= 6 +++++- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c |= 18 +++++++++++++++++- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf |= 1 + 4 files changed, 28 insertions(+), 3 deletions(-) diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerDxe.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerDxe.c index 7a0f61efbb..0821159120 100644 --- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDx= e.c +++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDx= e.c @@ -230,13 +230,17 @@ RegisterHashInterfaceLib ( { UINTN Index; UINT32 HashMask; + UINT32 Tpm2HashMask; EFI_STATUS Status; =20 // // Check allow // HashMask =3D Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid); - if ((HashMask & PcdGet32 (PcdTpm2HashMask)) =3D=3D 0) { + Tpm2HashMask =3D PcdGet32 (PcdTpm2HashMask); + + if ((Tpm2HashMask !=3D 0) && + ((HashMask & Tpm2HashMask) =3D=3D 0)) { return EFI_UNSUPPORTED; } =20 diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerPei.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerPei.c index 42cb562f67..6ae51dbce4 100644 --- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPe= i.c +++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPe= i.c @@ -327,13 +327,17 @@ RegisterHashInterfaceLib ( UINTN Index; HASH_INTERFACE_HOB *HashInterfaceHob; UINT32 HashMask; + UINT32 Tpm2HashMask; EFI_STATUS Status; =20 // // Check allow // HashMask =3D Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid); - if ((HashMask & PcdGet32 (PcdTpm2HashMask)) =3D=3D 0) { + Tpm2HashMask =3D PcdGet32 (PcdTpm2HashMask); + + if ((Tpm2HashMask !=3D 0) && + ((HashMask & Tpm2HashMask) =3D=3D 0)) { return EFI_UNSUPPORTED; } =20 diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tc= g2Pei.c index 93a8803ff6..5ad6a45cf3 100644 --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c @@ -262,6 +262,7 @@ SyncPcrAllocationsAndPcrMask ( { EFI_STATUS Status; EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap; + EFI_TCG2_EVENT_ALGORITHM_BITMAP BiosHashAlgorithmBitmap; UINT32 TpmActivePcrBanks; UINT32 NewTpmActivePcrBanks; UINT32 Tpm2PcrMask; @@ -273,16 +274,27 @@ SyncPcrAllocationsAndPcrMask ( // Determine the current TPM support and the Platform PCR mask. // Status =3D Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBit= map, &TpmActivePcrBanks); + ASSERT_EFI_ERROR (Status); + =20 + DEBUG ((EFI_D_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - TpmHashAl= gorithmBitmap: 0x%08x\n", TpmHashAlgorithmBitmap)); + DEBUG ((EFI_D_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - TpmActive= PcrBanks 0x%08x\n", TpmActivePcrBanks)); =20 Tpm2PcrMask =3D PcdGet32 (PcdTpm2HashMask); if (Tpm2PcrMask =3D=3D 0) { // // if PcdTPm2HashMask is zero, use ActivePcr setting // + DEBUG ((EFI_D_VERBOSE, "Initializing PcdTpm2HashMask to TpmActivePcrBa= nks 0x%08x\n", TpmActivePcrBanks)); PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks); + DEBUG ((EFI_D_VERBOSE, "Initializing Tpm2PcrMask to TpmActivePcrBanks = 0x%08x\n", Tpm2PcrMask)); Tpm2PcrMask =3D TpmActivePcrBanks; } + =20 + BiosHashAlgorithmBitmap =3D PcdGet32 (PcdTcg2HashAlgorithmBitmap); + DEBUG ((EFI_D_INFO, "PcdTcg2HashAlgorithmBitmap 0x%08x\n", BiosHashAlgor= ithmBitmap)); + DEBUG ((EFI_D_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask)); // Active PCR= banks from TPM input + DEBUG ((EFI_D_INFO, "TpmActivePcrBanks & BiosHashAlgorithmBitmap =3D 0x%= 08x\n", NewTpmActivePcrBanks)); =20 // // Find the intersection of Pcd support and TPM support. @@ -294,9 +306,12 @@ SyncPcrAllocationsAndPcrMask ( // If there are active PCR banks that are not supported by the Platform = mask, // update the TPM allocations and reboot the machine. // - if ((TpmActivePcrBanks & Tpm2PcrMask) !=3D TpmActivePcrBanks) { + if (((TpmActivePcrBanks & Tpm2PcrMask) !=3D TpmActivePcrBanks) || + ((TpmActivePcrBanks & BiosHashAlgorithmBitmap) !=3D TpmActivePcrBank= s)) { NewTpmActivePcrBanks =3D TpmActivePcrBanks & Tpm2PcrMask; + NewTpmActivePcrBanks &=3D BiosHashAlgorithmBitmap; =20 + DEBUG ((EFI_D_INFO, "NewTpmActivePcrBanks 0x%08x\n", NewTpmActivePcrBa= nks)); DEBUG ((EFI_D_INFO, "%a - Reallocating PCR banks from 0x%X to 0x%X.\n"= , __FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks)); if (NewTpmActivePcrBanks =3D=3D 0) { DEBUG ((EFI_D_ERROR, "%a - No viable PCRs active! Please set a less = restrictive value for PcdTpm2HashMask!\n", __FUNCTION__)); @@ -331,6 +346,7 @@ SyncPcrAllocationsAndPcrMask ( } =20 Status =3D PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask); + DEBUG ((EFI_D_INFO, "Setting PcdTpm2Hash Mask to 0x%08x\n", NewTpm2Pcr= Mask)); ASSERT_EFI_ERROR (Status); } } diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf b/SecurityPkg/Tcg/Tcg2Pei/= Tcg2Pei.inf index 06c26a2904..17ad116126 100644 --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf @@ -86,6 +86,7 @@ ## SOMETIMES_CONSUMES ## SOMETIMES_PRODUCES gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap = ## CONSUMES =20 [Depex] gEfiPeiMasterBootModePpiGuid AND --=20 2.31.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78688): https://edk2.groups.io/g/devel/message/78688 Mute This Topic: https://groups.io/mt/84674454/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-