From: "Snehal Kangralkar"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Qi Zhang
Subject: [edk2-devel] [PATCH v1 1/1] SecurityPkg : Sync PcdTpm2HashMask to the active PCR banks in the TPM
Date: Fri, 1 Jul 2022 10:42:13 -0700
Message-Id: <20220701174213.935-2-snehal.kangralkar@intel.com>
In-Reply-To: <20220701174213.935-1-snehal.kangralkar@intel.com>
References: <20220701174213.935-1-snehal.kangralkar@intel.com>

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3923

According to definition of PcdTpm2HashMask, the mask reflects the PCR
banks which need to be extended. In the Tcg2Pei SyncPcrAllocationsAndPcrMask
function, we are setting PcdTpm2HashMask to match the active PCR banks,
but this will only occur if the mask was originally set to 0.
Always syncing the PcdTpm2HashMask to the active PCR banks in the TPM.
Only then we do see the computed hashes are limited to those PCRs which
are active.

Cc: Jiewen Yao
Cc: Qi Zhang
Signed-off-by: Snehal Kangralkar
---
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tc= g2Pei.c index 26bb5282a58b..a77d8c0a083c 100644 --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c @@ -279,15 +279,10 @@ SyncPcrAllocationsAndPcrMask ( DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - TpmActive= PcrBanks 0x%08x\n", TpmActivePcrBanks)); =20 Tpm2PcrMask =3D PcdGet32 (PcdTpm2HashMask); - if (Tpm2PcrMask =3D=3D 0) { - // - // If PcdTpm2HashMask is zero, use ActivePcr setting. - // Only when PcdTpm2HashMask is initialized to 0, will it be updated t= o current Active Pcrs. - // - PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks); - Tpm2PcrMask =3D TpmActivePcrBanks; - } =20 + // Sync the PcdTpm2HashMask to the active PCR banks. + PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks); + Tpm2PcrMask =3D TpmActivePcrBanks; DEBUG ((DEBUG_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask)); =20 // --=20 2.36.1.windows.1
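
Review bot: The retained context line that reads PcdTpm2HashMask into Tpm2PcrMask via PcdGet32 is now a dead store, because the added lines overwrite Tpm2PcrMask with TpmActivePcrBanks unconditionally before it is used. Either drop the PcdGet32 call, or keep it and log the previous value when it is non-zero and differs from TpmActivePcrBanks, so that a platform which deliberately set a non-zero mask can see in the boot log that its setting was replaced. The commit message should also state that a non-zero platform-configured PcdTpm2HashMask is no longer honoured, since the removed branch only touched the PCD when it was 0 and this is a behaviour change for measured-boot configuration. Separately, the return value of PcdSet32S is discarded (as it was in the removed branch); assign it to a status variable and check it with ASSERT_EFI_ERROR so a failed PCD update is not silent. Style: the new single-line comment does not follow the padded // block used by the comment it replaces.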