E=McAfee;i="6400,9594,10398"; a="280830414" X-IronPort-AV: E=Sophos;i="5.92,245,1650956400"; d="scan'208";a="280830414" X-Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 05 Jul 2022 00:26:30 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.92,245,1650956400"; d="scan'208";a="919602304" X-Received: from shwdesssddpdqi.ccr.corp.intel.com ([10.239.157.129]) by fmsmga005.fm.intel.com with ESMTP; 05 Jul 2022 00:26:28 -0700 From: "Qi Zhang" To: devel@edk2.groups.io Cc: Qi Zhang , Jiewen Yao , Jian J Wang , Rahul Kumar Subject: [edk2-devel] [PATCH] SecurityPkg: Add TPM NVIndex Extend support. Date: Tue, 5 Jul 2022 15:26:25 +0800 Message-Id: <20220705072625.3501-1-qi1.zhang@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,qi1.zhang@intel.com X-Gm-Message-State: ZnH2pnntuXokAlXlgUmaIQ49x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1657006063; bh=WcmGpeD3eSLvDS9Dv01I/++TfiMh8P9oq3WBE5LOswM=; h=Cc:Date:From:Reply-To:Subject:To; b=NIQjUWQKSH926r8Vz7Vw4BOEl3QB/razgfvn85aJ4MwUk/sBEUiOxVujPQmfyk4NaIG rOXkG9A3e31OCyDKuG886ZzUfmk512YnqXBfVgLZMv63lgqZpnF1p3mWwyQBzte0LJct1 VMBL11IHPGlA/7o67cZEQvDmu25eHFf6GYE= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1657006064694100001 Content-Type: text/plain; charset="utf-8" Signed-off-by: Qi Zhang Cc: Jiewen Yao Cc: Jian J Wang Cc: Rahul Kumar Cc: Qi Zhang --- SecurityPkg/Include/Library/Tpm2CommandLib.h | 21 +++ .../HashLibBaseCryptoRouterDxe.c | 77 +++++++++-- .../Library/Tpm2CommandLib/Tpm2NVStorage.c | 120 ++++++++++++++++++ SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c | 26 +++- 4 files changed, 229 insertions(+), 15 deletions(-) 
diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h b/SecurityPkg/Inc= lude/Library/Tpm2CommandLib.h index a2fb97f18d..f2ff3a5c0c 100644 --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h @@ -467,6 +467,27 @@ Tpm2NvGlobalWriteLock ( IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL ); =20 +/** + This command extends a value to an area in NV memory that was previously= defined by TPM2_NV_DefineSpace(). + + @param[in] AuthHandle the handle indicating the source of the a= uthorization value. + @param[in] NvIndex The NV Index of the area to extend. + @param[in] AuthSession Auth Session context + @param[in] InData The data to extend. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_DEVICE_ERROR The command was unsuccessful. + @retval EFI_NOT_FOUND The command was returned successfully, bu= t NvIndex is not found. +**/ +EFI_STATUS +EFIAPI +Tpm2NvExtend ( + IN TPMI_RH_NV_AUTH AuthHandle, + IN TPMI_RH_NV_INDEX NvIndex, + IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL, + IN TPM2B_MAX_BUFFER *InData + ); + /** This command is used to cause an update to the indicated PCR. The digests parameter contains one or more tagged digest value identifie= d by an algorithm ID. diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerDxe.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoR= outerDxe.c index ee8fe6e06e..264f500dc6 100644 --- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDx= e.c +++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDx= e.c @@ -16,6 +16,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include =20 #include "HashLibBaseCryptoRouterCommon.h" =20 
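Review bot: The new `Tpm2NvExtend` prototype documents `@retval EFI_NOT_FOUND` for a missing NvIndex, but the implementation added later in this patch never produces that value: its switch maps only TPM_RC_ATTRIBUTES, TPM_RC_NV_AUTHORIZATION and TPM_RC_NV_LOCKED, and everything else becomes EFI_DEVICE_ERROR. Either drop that line or replace it with the codes callers can actually see, `@retval EFI_UNSUPPORTED The NV index attributes do not allow extend.`, `@retval EFI_SECURITY_VIOLATION Authorization for the NV index failed.`, `@retval EFI_ACCESS_DENIED The NV index is write-locked.` The `InData` line should also state that `InData->size` must not exceed the TPM2B_MAX_BUFFER capacity, since the command is marshalled into a fixed-size stack buffer.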
@@ -128,6 +129,40 @@ HashUpdate ( return EFI_SUCCESS; } =20 +EFI_STATUS +EFIAPI +Tpm2ExtendNvIndex ( + TPMI_RH_NV_INDEX NvIndex, + UINT16 DataSize, + BYTE *Data + ) +{ + EFI_STATUS Status; + TPMI_RH_NV_AUTH AuthHandle; + TPM2B_MAX_BUFFER NvExtendData; + + AuthHandle =3D TPM_RH_PLATFORM; + ZeroMem (&NvExtendData, sizeof (NvExtendData)); + CopyMem (NvExtendData.buffer, Data, DataSize); + NvExtendData.size =3D DataSize; + Status =3D Tpm2NvExtend ( + AuthHandle, + NvIndex, + NULL, + &NvExtendData + ); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_ERROR, + "Extend TPM NV index failed, Index: 0x%x Status: %d\n", + NvIndex, + Status + )); + } + + return Status; +} + /** Hash sequence complete and extend to PCR. =20 @@ -149,11 +184,16 @@ HashCompleteAndExtend ( OUT TPML_DIGEST_VALUES *DigestList ) { - TPML_DIGEST_VALUES Digest; - HASH_HANDLE *HashCtx; - UINTN Index; - EFI_STATUS Status; - UINT32 HashMask; + TPML_DIGEST_VALUES Digest; + HASH_HANDLE *HashCtx; + UINTN Index; + EFI_STATUS Status; + UINT32 HashMask; + TPML_DIGEST_VALUES TcgPcrEvent2Digest; + EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap; + UINT32 ActivePcrBanks; + UINT32 *BufferPtr; + UINT32 DigestListBinSize; =20 if (mHashInterfaceCount =3D=3D 0) { return EFI_UNSUPPORTED; 
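Review bot: `Tpm2ExtendNvIndex` copies `DataSize` bytes into `NvExtendData.buffer` without checking the length against the buffer's capacity, so a caller passing a length larger than `sizeof (NvExtendData.buffer)` overruns the stack buffer; add `if ((Data == NULL) || (DataSize > sizeof (NvExtendData.buffer))) { return EFI_INVALID_PARAMETER; }` before the CopyMem. The function is non-static and EFIAPI yet no prototype is added to any header in this patch; if it only serves this file's HashCompleteAndExtend, mark it `STATIC` and give it a Doxygen header covering its purpose, the three parameters, and the fact that it extends with `TPM_RH_PLATFORM` authorization and a NULL session. That choice presumably means the extend stops working once platform auth is set or the hierarchy is disabled, which is worth stating in the comment if intended.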
@@ -175,10 +215,29 @@ HashCompleteAndExtend ( =20 FreePool (HashCtx); =20 - Status =3D Tpm2PcrExtend ( - PcrIndex, - DigestList - ); + if (PcrIndex <=3D MAX_PCR_INDEX) { + Status =3D Tpm2PcrExtend ( + PcrIndex, + DigestList + ); + } else { + Status =3D Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmB= itmap, &ActivePcrBanks); + ASSERT_EFI_ERROR (Status); + ActivePcrBanks =3D ActivePcrBanks & mSupportedHashMaskCurrent; + ZeroMem (&TcgPcrEvent2Digest, sizeof (TcgPcrEvent2Digest)); + BufferPtr =3D CopyDigestListToBuffer (&TcgPcrEvent2Digest, Dig= estList, ActivePcrBanks); + DigestListBinSize =3D (UINT32)((UINT8 *)BufferPtr - (UINT8 *)&TcgPcrEv= ent2Digest); + + // + // Extend to TPM NvIndex + // + Status =3D Tpm2ExtendNvIndex ( + PcrIndex, + (UINT16)DigestListBinSize, + (BYTE *)&TcgPcrEvent2Digest + ); + } + return Status; } =20 diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityP= kg/Library/Tpm2CommandLib/Tpm2NVStorage.c index 5077ace7c2..6f8badad3f 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c @@ -148,6 +148,22 @@ typedef struct { TPMS_AUTH_RESPONSE AuthSession; } TPM2_NV_GLOBALWRITELOCK_RESPONSE; =20 +typedef struct { + TPM2_COMMAND_HEADER Header; + TPMI_RH_NV_AUTH AuthHandle; + TPMI_RH_NV_INDEX NvIndex; + UINT32 AuthSessionSize; + TPMS_AUTH_COMMAND AuthSession; + TPM2B_MAX_BUFFER Data; + UINT16 Offset; +} TPM2_NV_EXTEND_COMMAND; + +typedef struct { + TPM2_RESPONSE_HEADER Header; + UINT32 AuthSessionSize; + TPMS_AUTH_RESPONSE AuthSession; +} TPM2_NV_EXTEND_RESPONSE; + #pragma pack() =20 /** 
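Review bot: In the new NV-index branch of HashCompleteAndExtend a failure of `Tpm2GetCapabilitySupportedAndActivePcrs` is caught only by `ASSERT_EFI_ERROR`, which compiles out in release builds, so `ActivePcrBanks` is then consumed uninitialized and the error is overwritten by the later `Tpm2ExtendNvIndex` status; replace the assert with `if (EFI_ERROR (Status)) { return Status; }`. The branch also treats every `PcrIndex` above `MAX_PCR_INDEX` as an NV index handle without confirming it lies in the NV handle range, so an out-of-range PCR number from a caller, formerly rejected, now becomes an NV extend attempt on an arbitrary handle; a range test before the `else` would keep the two meanings distinct. The start of HashCompleteAndExtend is outside this hunk.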
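Review bot: `TPM2_NV_EXTEND_COMMAND` ends with a `UINT16 Offset` field, but TPM2_NV_Extend takes only authHandle, nvIndex and data; the offset parameter belongs to TPM2_NV_Write, so the field looks carried over from the NV_Write command layout. It is never marshalled because the send size is computed from the write cursor, so it is harmless on the wire, but it misstates the command format for the next reader; drop the line `UINT16 Offset;` or add a comment explaining why it is kept.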
@@ -1052,3 +1068,107 @@ Done: ZeroMem (&RecvBuffer, sizeof (RecvBuffer)); return Status; } + +/** + This command extends a value to an area in NV memory that was previously= defined by TPM2_NV_DefineSpace(). + + @param[in] AuthHandle the handle indicating the source of the a= uthorization value. + @param[in] NvIndex The NV Index of the area to extend. + @param[in] AuthSession Auth Session context + @param[in] InData The data to extend. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_DEVICE_ERROR The command was unsuccessful. + @retval EFI_NOT_FOUND The command was returned successfully, bu= t NvIndex is not found. +**/ +EFI_STATUS +EFIAPI +Tpm2NvExtend ( + IN TPMI_RH_NV_AUTH AuthHandle, + IN TPMI_RH_NV_INDEX NvIndex, + IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL, + IN TPM2B_MAX_BUFFER *InData + ) +{ + EFI_STATUS Status; + TPM2_NV_EXTEND_COMMAND SendBuffer; + TPM2_NV_EXTEND_RESPONSE RecvBuffer; + UINT32 SendBufferSize; + UINT32 RecvBufferSize; + UINT8 *Buffer; + UINT32 SessionInfoSize; + TPM_RC ResponseCode; + + // + // Construct command + // + SendBuffer.Header.tag =3D SwapBytes16 (TPM_ST_SESSIONS); + SendBuffer.Header.commandCode =3D SwapBytes32 (TPM_CC_NV_Extend); + + SendBuffer.AuthHandle =3D SwapBytes32 (AuthHandle); + SendBuffer.NvIndex =3D SwapBytes32 (NvIndex); + + // + // Add in Auth session + // + Buffer =3D (UINT8 *)&SendBuffer.AuthSession; + + // sessionInfoSize + SessionInfoSize =3D CopyAuthSessionCommand (AuthSession, Buff= er); + Buffer +=3D SessionInfoSize; + SendBuffer.AuthSessionSize =3D SwapBytes32 (SessionInfoSize); + + WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (InData->size)); + Buffer +=3D sizeof (UINT16); + CopyMem (Buffer, InData->buffer, InData->size); + Buffer +=3D InData->size; + + SendBufferSize =3D (UINT32)(Buffer - (UINT8 *)&SendBuffer); + SendBuffer.Header.paramSize =3D SwapBytes32 (SendBufferSize); + + // + // send Tpm command + // + RecvBufferSize =3D sizeof (RecvBuffer); + Status =3D Tpm2SubmitCommand 
(SendBufferSize, (UINT8 *)&SendBuff= er, &RecvBufferSize, (UINT8 *)&RecvBuffer); + if (EFI_ERROR (Status)) { + goto Done; + } + + if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) { + DEBUG ((DEBUG_ERROR, "Tpm2NvExtend - RecvBufferSize Error - %x\n", Rec= vBufferSize)); + Status =3D EFI_DEVICE_ERROR; + goto Done; + } + + ResponseCode =3D SwapBytes32 (RecvBuffer.Header.responseCode); + if (ResponseCode !=3D TPM_RC_SUCCESS) { + DEBUG ((DEBUG_ERROR, "Tpm2NvExtend - responseCode - %x\n", ResponseCod= e)); + } + + switch (ResponseCode) { + case TPM_RC_SUCCESS: + // return data + break; + case TPM_RC_ATTRIBUTES: + Status =3D EFI_UNSUPPORTED; + break; + case TPM_RC_NV_AUTHORIZATION: + Status =3D EFI_SECURITY_VIOLATION; + break; + case TPM_RC_NV_LOCKED: + Status =3D EFI_ACCESS_DENIED; + break; + default: + Status =3D EFI_DEVICE_ERROR; + break; + } + +Done: + // + // Clear AuthSession Content + // + ZeroMem (&SendBuffer, sizeof (SendBuffer)); + ZeroMem (&RecvBuffer, sizeof (RecvBuffer)); + return Status; +} diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tc= g2Dxe.c index f6ea8b2bbf..dfb7f28251 100644 --- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c +++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c 
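Review bot: `Tpm2NvExtend` copies `InData->size` bytes from `InData->buffer` into `SendBuffer` without checking that size against the TPM2B_MAX_BUFFER capacity, so an oversized `size` from a caller overruns the stack command buffer before the TPM ever sees the command; add `if ((InData == NULL) || (InData->size > sizeof (InData->buffer))) { return EFI_INVALID_PARAMETER; }` at the top, before the header is built. The response handling checks only for a complete response header, which is sufficient here because no response parameters are read back. The trailing ZeroMem of both buffers is appropriate given the session data they may hold, and the comment `Clear AuthSession Content` should say it also clears the extended data.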
@@ -1230,12 +1230,26 @@ TcgDxeHashLogExtendEvent ( // // Do not do TPM extend for EV_NO_ACTION // - Status =3D EFI_SUCCESS; - InitNoActionEvent (&NoActionEvent, NewEventHdr->EventSize); - if ((Flags & EFI_TCG2_EXTEND_ONLY) =3D=3D 0) { - Status =3D TcgDxeLogHashEvent (&(NoActionEvent.Digests), NewEventHdr= , NewEventData); + if (NewEventHdr->PCRIndex <=3D MAX_PCR_INDEX) { + Status =3D EFI_SUCCESS; + InitNoActionEvent (&NoActionEvent, NewEventHdr->EventSize); + if ((Flags & EFI_TCG2_EXTEND_ONLY) =3D=3D 0) { + Status =3D TcgDxeLogHashEvent (&(NoActionEvent.Digests), NewEventH= dr, NewEventData); + } + } else { + // + // Extend to NvIndex + // + Status =3D HashAndExtend ( + NewEventHdr->PCRIndex, + HashData, + (UINTN)HashDataLen, + &DigestList + ); + if (!EFI_ERROR (Status)) { + Status =3D TcgDxeLogHashEvent (&DigestList, NewEventHdr, NewEventD= ata); + } } - return Status; } =20 @@ -1317,7 +1331,7 @@ Tcg2HashLogExtendEvent ( return EFI_INVALID_PARAMETER; } =20 - if (Event->Header.PCRIndex > MAX_PCR_INDEX) { + if ((Event->Header.EventType !=3D EV_NO_ACTION) && (Event->Header.PCRInd= ex > MAX_PCR_INDEX)) { return EFI_INVALID_PARAMETER; } =20 --=20 2.31.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#91058): https://edk2.groups.io/g/devel/message/91058 Mute This Topic: https://groups.io/mt/92180525/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
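Review bot: The new NV-index branch in TcgDxeHashLogExtendEvent logs the event unconditionally, whereas the PCR branch directly above it honours `EFI_TCG2_EXTEND_ONLY`; wrap the log call as `if ((Flags & EFI_TCG2_EXTEND_ONLY) == 0) { Status = TcgDxeLogHashEvent (&DigestList, NewEventHdr, NewEventData); }`. The block sits under the comment `Do not do TPM extend for EV_NO_ACTION`, which is no longer true for the else branch; it should say that an EV_NO_ACTION event whose PCRIndex is above MAX_PCR_INDEX is instead hashed and extended into the TPM NV index named by that field. The resulting TCG_PCR_EVENT2 record then carries an NV handle in its PCRIndex field, which PCR-replay consumers of the log will not expect; that is presumably intended but deserves a sentence in the commit message. The enclosing function begins outside the hunk.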
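Review bot: Relaxing the PCRIndex check for EV_NO_ACTION events lets any 32-bit value above MAX_PCR_INDEX through, and it then reaches the TPM as an NV handle; restrict it to the NV handle range, for example `if ((Event->Header.PCRIndex > MAX_PCR_INDEX) && ((Event->Header.EventType != EV_NO_ACTION) || ((Event->Header.PCRIndex & HR_RANGE_MASK) != HR_NV_INDEX))) { return EFI_INVALID_PARAMETER; }`, using the handle-range macros from Tpm20.h if they are in scope here. That keeps a malformed PCR number in a caller's event from turning into an NV extend attempt on an arbitrary handle. The enclosing Tcg2HashLogExtendEvent starts outside the hunk.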