SecurityPkg/Test/SecurityPkgHostTest.dsc | 2 + .../DxeTpm2MeasureBootLib.inf | 4 +- ...Tpm2MeasureBootLibSanitizationTestHost.inf | 28 ++ .../DxeTpmMeasureBootLib.inf | 4 +- ...eTpmMeasureBootLibSanitizationTestHost.inf | 28 ++ .../DxeTpm2MeasureBootLibSanitization.h | 139 +++++++ .../DxeTpmMeasureBootLibSanitization.h | 137 +++++++ .../DxeTpm2MeasureBootLib.c | 87 ++-- .../DxeTpm2MeasureBootLibSanitization.c | 319 +++++++++++++++ .../DxeTpm2MeasureBootLibSanitizationTest.c | 345 ++++++++++++++++ .../DxeTpmMeasureBootLib.c | 53 ++- .../DxeTpmMeasureBootLibSanitization.c | 285 +++++++++++++ .../DxeTpmMeasureBootLibSanitizationTest.c | 387 ++++++++++++++++++ SecurityPkg/SecurityFixes.yaml | 36 ++ SecurityPkg/SecurityPkg.ci.yaml | 2 + 15 files changed, 1801 insertions(+), 55 deletions(-) create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c create mode 100644 SecurityPkg/SecurityFixes.yaml
This patch series include the combined / merged security patches (as seperate commits) for TCBZ4117 (CVE-2022-36763) and TCBZ4118 (CVE-2022-36764) for DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib. These patches have already been reviewed by SecurityPkg Maintainer (Jiewen) on GHSA. This patch series (specifically TCBZ4117) supersedes TCBZ2168. Cc: Jiewen Yao <jiewen.yao@intel.com> Douglas Flick [MSFT] (6): SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763 SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763 SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764 SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE 2022-36764 SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml SecurityPkg/Test/SecurityPkgHostTest.dsc | 2 + .../DxeTpm2MeasureBootLib.inf | 4 +- ...Tpm2MeasureBootLibSanitizationTestHost.inf | 28 ++ .../DxeTpmMeasureBootLib.inf | 4 +- ...eTpmMeasureBootLibSanitizationTestHost.inf | 28 ++ .../DxeTpm2MeasureBootLibSanitization.h | 139 +++++++ .../DxeTpmMeasureBootLibSanitization.h | 137 +++++++ .../DxeTpm2MeasureBootLib.c | 87 ++-- .../DxeTpm2MeasureBootLibSanitization.c | 319 +++++++++++++++ .../DxeTpm2MeasureBootLibSanitizationTest.c | 345 ++++++++++++++++ .../DxeTpmMeasureBootLib.c | 53 ++- .../DxeTpmMeasureBootLibSanitization.c | 285 +++++++++++++ .../DxeTpmMeasureBootLibSanitizationTest.c | 387 ++++++++++++++++++ SecurityPkg/SecurityFixes.yaml | 36 ++ SecurityPkg/SecurityPkg.ci.yaml | 2 + 15 files changed, 1801 insertions(+), 55 deletions(-) create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c create mode 100644 SecurityPkg/SecurityFixes.yaml -- 2.43.0 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113756): https://edk2.groups.io/g/devel/message/113756 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
On Thu, Jan 11, 2024 at 10:16:00AM -0800, Doug Flick via groups.io wrote: > This patch series include the combined / merged security patches > (as seperate commits) for TCBZ4117 (CVE-2022-36763) and TCBZ4118 > (CVE-2022-36764) for DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib. > These patches have already been reviewed by SecurityPkg Maintainer > (Jiewen) on GHSA. This patch series breaks ovmf build (duplicate symbols) in case both TPM2 and TPM1 support are enabled (-D TPM2_ENABLE=TRUE -DTPM1_ENABLE=TRUE). Compiling with TPM2 only (-D TPM2_ENABLE=TRUE -DTPM1_ENABLE=FALSE) works fine. I see two options to deal with the problem: (1) Rename the Sanitize* functions in the TPM2 version of the library to carry a '2' somewhere in the function name, simliar to all other TPM2 functions, to avoid the name clash. (2) Remove TPM1 support from the edk2 code base. The relevance of TPM 1.2 support should be close to zero given that the TPM 2.0 specification was released almost a decade ago ... take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113889): https://edk2.groups.io/g/devel/message/113889 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Gerd I have merged this patch set today. I am fine to remove TPM1.2 in OVMF because of the known security limitation. Thank you Yao, Jiewen > -----Original Message----- > From: Gerd Hoffmann <kraxel@redhat.com> > Sent: Tuesday, January 16, 2024 8:01 PM > To: devel@edk2.groups.io; dougflick@microsoft.com > Cc: Douglas Flick [MSFT] <doug.edk2@gmail.com>; Yao, Jiewen > <jiewen.yao@intel.com> > Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118 > > On Thu, Jan 11, 2024 at 10:16:00AM -0800, Doug Flick via groups.io wrote: > > This patch series include the combined / merged security patches > > (as seperate commits) for TCBZ4117 (CVE-2022-36763) and TCBZ4118 > > (CVE-2022-36764) for DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib. > > These patches have already been reviewed by SecurityPkg Maintainer > > (Jiewen) on GHSA. > > This patch series breaks ovmf build (duplicate symbols) in case both > TPM2 and TPM1 support are enabled (-D TPM2_ENABLE=TRUE > -DTPM1_ENABLE=TRUE). Compiling with TPM2 only (-D TPM2_ENABLE=TRUE > -DTPM1_ENABLE=FALSE) works fine. > > I see two options to deal with the problem: > > (1) Rename the Sanitize* functions in the TPM2 version of the library > to carry a '2' somewhere in the function name, simliar to all other > TPM2 functions, to avoid the name clash. > (2) Remove TPM1 support from the edk2 code base. The relevance of > TPM 1.2 support should be close to zero given that the TPM 2.0 > specification was released almost a decade ago ... > > take care, > Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113898): https://edk2.groups.io/g/devel/message/113898 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
On Tue, Jan 16, 2024 at 01:30:43PM +0000, Yao, Jiewen wrote: > Gerd > I have merged this patch set today. > > I am fine to remove TPM1.2 in OVMF because of the known security limitation. I was thinking about the complete edk2 code base not only OVMF. But I can surely start with OVMF. Maybe it is the only platform affected because on physical hardware you usually know whenever TPM 1.2 or TPM 2.0 is present so there is no need to include both. take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113903): https://edk2.groups.io/g/devel/message/113903 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Sure. Let's start from OVMF. We have leaf enough time for feedback, but I see no comment from other people. > -----Original Message----- > From: Gerd Hoffmann <kraxel@redhat.com> > Sent: Tuesday, January 16, 2024 10:35 PM > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com> > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com> > Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & > TCBZ4118 > > On Tue, Jan 16, 2024 at 01:30:43PM +0000, Yao, Jiewen wrote: > > Gerd > > I have merged this patch set today. > > > > I am fine to remove TPM1.2 in OVMF because of the known security limitation. > > I was thinking about the complete edk2 code base not only OVMF. > > But I can surely start with OVMF. Maybe it is the only platform > affected because on physical hardware you usually know whenever > TPM 1.2 or TPM 2.0 is present so there is no need to include both. > > take care, > Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113904): https://edk2.groups.io/g/devel/message/113904 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Hi Jiewen, All EDK2 PR CI builds of OvmfPkg are broken due to this issue. Maybe we didn't have enough time to wait feedback and should fix the CI issue first. Regards, Yi -----Original Message----- From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen Sent: Tuesday, January 16, 2024 10:38 PM To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com> Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118 Sure. Let's start from OVMF. We have leaf enough time for feedback, but I see no comment from other people. > -----Original Message----- > From: Gerd Hoffmann <kraxel@redhat.com> > Sent: Tuesday, January 16, 2024 10:35 PM > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com> > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] > <doug.edk2@gmail.com> > Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & > TCBZ4118 > > On Tue, Jan 16, 2024 at 01:30:43PM +0000, Yao, Jiewen wrote: > > Gerd > > I have merged this patch set today. > > > > I am fine to remove TPM1.2 in OVMF because of the known security limitation. > > I was thinking about the complete edk2 code base not only OVMF. > > But I can surely start with OVMF. Maybe it is the only platform > affected because on physical hardware you usually know whenever TPM > 1.2 or TPM 2.0 is present so there is no need to include both. > > take care, > Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113933): https://edk2.groups.io/g/devel/message/113933 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Please check https://github.com/tianocore/edk2/pull/5264. It is merged after pass CI. May I know where you see PR CI builds are broken? Thank you Yao, Jiewen > -----Original Message----- > From: Li, Yi1 <yi1.li@intel.com> > Sent: Wednesday, January 17, 2024 3:21 PM > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Gerd Hoffmann > <kraxel@redhat.com> > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com> > Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118 > > Hi Jiewen, > > All EDK2 PR CI builds of OvmfPkg are broken due to this issue. > Maybe we didn't have enough time to wait feedback and should fix the CI issue > first. > > Regards, > Yi > > -----Original Message----- > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen > Sent: Tuesday, January 16, 2024 10:38 PM > To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com> > Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118 > > Sure. Let's start from OVMF. > > We have leaf enough time for feedback, but I see no comment from other people. > > > > -----Original Message----- > > From: Gerd Hoffmann <kraxel@redhat.com> > > Sent: Tuesday, January 16, 2024 10:35 PM > > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com> > > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] > > <doug.edk2@gmail.com> > > Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & > > TCBZ4118 > > > > On Tue, Jan 16, 2024 at 01:30:43PM +0000, Yao, Jiewen wrote: > > > Gerd > > > I have merged this patch set today. > > > > > > I am fine to remove TPM1.2 in OVMF because of the known security > limitation. > > > > I was thinking about the complete edk2 code base not only OVMF. > > > > But I can surely start with OVMF. Maybe it is the only platform > > affected because on physical hardware you usually know whenever TPM > > 1.2 or TPM 2.0 is present so there is no need to include both. > > > > take care, > > Gerd > > > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113935): https://edk2.groups.io/g/devel/message/113935 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Hi Jiewen, Sounds strange, but new PRs in today all broken due to this issue, e.g.: https://github.com/tianocore/edk2/pull/5210 https://github.com/tianocore/edk2/pull/5268 I checked build log, it matched the description from Gerd: https://dev.azure.com/tianocore/11ea4a10-ac9f-4e5f-8b13-7def1f19d478/_apis/build/builds/114097/logs/350 2024-01-17T04:09:52.5996237Z INFO - /usr/bin/ld: DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function `SanitizeEfiPartitionTableHeader': 2024-01-17T04:09:52.6010570Z INFO - (.text+0x0): multiple definition of `SanitizeEfiPartitionTableHeader'; DxeTpmMeasureBootLibSanitization.obj (symbol from plugin):(.text+0x0): first defined here 2024-01-17T04:09:52.6020435Z INFO - /usr/bin/ld: DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function `SanitizeEfiPartitionTableHeader': 2024-01-17T04:09:52.6030987Z INFO - (.text+0x0): multiple definition of `SanitizePrimaryHeaderAllocationSize'; DxeTpmMeasureBootLibSanitization.obj (symbol from plugin):(.text+0x0): first defined here 2024-01-17T04:09:52.6040167Z INFO - /usr/bin/ld: DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function `SanitizeEfiPartitionTableHeader': 2024-01-17T04:09:52.6050625Z INFO - (.text+0x0): multiple definition of `SanitizePrimaryHeaderGptEventSize'; DxeTpmMeasureBootLibSanitization.obj (symbol from plugin):(.text+0x0): first defined here 2024-01-17T04:09:52.6061966Z INFO - /usr/bin/ld: DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function `SanitizeEfiPartitionTableHeader': 2024-01-17T04:09:52.6072661Z INFO - (.text+0x0): multiple definition of `SanitizePeImageEventSize'; DxeTpmMeasureBootLibSanitization.obj (symbol from plugin):(.text+0x0): first defined here 2024-01-17T04:10:12.9532147Z INFO - build.py... 2024-01-17T04:10:12.9593220Z INFO - : error 7000: Failed to execute command 2024-01-17T04:10:23.2054653Z INFO - build.py... 2024-01-17T04:10:23.2055014Z INFO - : error F002: Failed to build module 2024-01-17T04:10:23.2055379Z INFO - /__w/1/s/MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf [X64, GCC5, DEBUG] -----Original Message----- From: Yao, Jiewen <jiewen.yao@intel.com> Sent: Wednesday, January 17, 2024 4:09 PM To: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Gerd Hoffmann <kraxel@redhat.com> Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com> Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118 Please check https://github.com/tianocore/edk2/pull/5264. It is merged after pass CI. May I know where you see PR CI builds are broken? Thank you Yao, Jiewen > -----Original Message----- > From: Li, Yi1 <yi1.li@intel.com> > Sent: Wednesday, January 17, 2024 3:21 PM > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Gerd > Hoffmann <kraxel@redhat.com> > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] > <doug.edk2@gmail.com> > Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & > TCBZ4118 > > Hi Jiewen, > > All EDK2 PR CI builds of OvmfPkg are broken due to this issue. > Maybe we didn't have enough time to wait feedback and should fix the > CI issue first. > > Regards, > Yi > > -----Original Message----- > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, > Jiewen > Sent: Tuesday, January 16, 2024 10:38 PM > To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] > <doug.edk2@gmail.com> > Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & > TCBZ4118 > > Sure. Let's start from OVMF. > > We have leaf enough time for feedback, but I see no comment from other people. > > > > -----Original Message----- > > From: Gerd Hoffmann <kraxel@redhat.com> > > Sent: Tuesday, January 16, 2024 10:35 PM > > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com> > > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] > > <doug.edk2@gmail.com> > > Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 > > & > > TCBZ4118 > > > > On Tue, Jan 16, 2024 at 01:30:43PM +0000, Yao, Jiewen wrote: > > > Gerd > > > I have merged this patch set today. > > > > > > I am fine to remove TPM1.2 in OVMF because of the known security > limitation. > > > > I was thinking about the complete edk2 code base not only OVMF. > > > > But I can surely start with OVMF. Maybe it is the only platform > > affected because on physical hardware you usually know whenever TPM > > 1.2 or TPM 2.0 is present so there is no need to include both. > > > > take care, > > Gerd > > > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113937): https://edk2.groups.io/g/devel/message/113937 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
That is weird. It seems we need to merge Gerd's patch soon - https://github.com/tianocore/edk2/pull/5265 to unblock CI. Hi Gerd Would you please confirm what test you have done for removing TPM1.2? Does TPM2.0 in OvmfPkg still work? Hi Doug I cannot tell why CI passed before but failed now. But it does seems a big issue now. Would you please propose a patch to resolve it? Just rename the symbol. Thank you Yao, Jiewen > -----Original Message----- > From: Li, Yi1 <yi1.li@intel.com> > Sent: Wednesday, January 17, 2024 4:15 PM > To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Gerd Hoffmann > <kraxel@redhat.com> > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com> > Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118 > > Hi Jiewen, > > Sounds strange, but new PRs in today all broken due to this issue, e.g.: > https://github.com/tianocore/edk2/pull/5210 > https://github.com/tianocore/edk2/pull/5268 > > > I checked build log, it matched the description from Gerd: > https://dev.azure.com/tianocore/11ea4a10-ac9f-4e5f-8b13- > 7def1f19d478/_apis/build/builds/114097/logs/350 > 2024-01-17T04:09:52.5996237Z INFO - /usr/bin/ld: > DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function > `SanitizeEfiPartitionTableHeader': > 2024-01-17T04:09:52.6010570Z INFO - (.text+0x0): multiple definition of > `SanitizeEfiPartitionTableHeader'; DxeTpmMeasureBootLibSanitization.obj > (symbol from plugin):(.text+0x0): first defined here > 2024-01-17T04:09:52.6020435Z INFO - /usr/bin/ld: > DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function > `SanitizeEfiPartitionTableHeader': > 2024-01-17T04:09:52.6030987Z INFO - (.text+0x0): multiple definition of > `SanitizePrimaryHeaderAllocationSize'; DxeTpmMeasureBootLibSanitization.obj > (symbol from plugin):(.text+0x0): first defined here > 2024-01-17T04:09:52.6040167Z INFO - /usr/bin/ld: > DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function > `SanitizeEfiPartitionTableHeader': > 2024-01-17T04:09:52.6050625Z INFO - (.text+0x0): multiple definition of > `SanitizePrimaryHeaderGptEventSize'; DxeTpmMeasureBootLibSanitization.obj > (symbol from plugin):(.text+0x0): first defined here > 2024-01-17T04:09:52.6061966Z INFO - /usr/bin/ld: > DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function > `SanitizeEfiPartitionTableHeader': > 2024-01-17T04:09:52.6072661Z INFO - (.text+0x0): multiple definition of > `SanitizePeImageEventSize'; DxeTpmMeasureBootLibSanitization.obj (symbol > from plugin):(.text+0x0): first defined here > 2024-01-17T04:10:12.9532147Z INFO - build.py... > 2024-01-17T04:10:12.9593220Z INFO - : error 7000: Failed to execute command > 2024-01-17T04:10:23.2054653Z INFO - build.py... > 2024-01-17T04:10:23.2055014Z INFO - : error F002: Failed to build module > 2024-01-17T04:10:23.2055379Z INFO - > /__w/1/s/MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.i > nf [X64, GCC5, DEBUG] > > -----Original Message----- > From: Yao, Jiewen <jiewen.yao@intel.com> > Sent: Wednesday, January 17, 2024 4:09 PM > To: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Gerd Hoffmann > <kraxel@redhat.com> > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com> > Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118 > > Please check https://github.com/tianocore/edk2/pull/5264. It is merged after > pass CI. > > May I know where you see PR CI builds are broken? > > Thank you > Yao, Jiewen > > > -----Original Message----- > > From: Li, Yi1 <yi1.li@intel.com> > > Sent: Wednesday, January 17, 2024 3:21 PM > > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Gerd > > Hoffmann <kraxel@redhat.com> > > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] > > <doug.edk2@gmail.com> > > Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & > > TCBZ4118 > > > > Hi Jiewen, > > > > All EDK2 PR CI builds of OvmfPkg are broken due to this issue. > > Maybe we didn't have enough time to wait feedback and should fix the > > CI issue first. > > > > Regards, > > Yi > > > > -----Original Message----- > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, > > Jiewen > > Sent: Tuesday, January 16, 2024 10:38 PM > > To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io > > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] > > <doug.edk2@gmail.com> > > Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & > > TCBZ4118 > > > > Sure. Let's start from OVMF. > > > > We have leaf enough time for feedback, but I see no comment from other > people. > > > > > > > -----Original Message----- > > > From: Gerd Hoffmann <kraxel@redhat.com> > > > Sent: Tuesday, January 16, 2024 10:35 PM > > > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com> > > > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] > > > <doug.edk2@gmail.com> > > > Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 > > > & > > > TCBZ4118 > > > > > > On Tue, Jan 16, 2024 at 01:30:43PM +0000, Yao, Jiewen wrote: > > > > Gerd > > > > I have merged this patch set today. > > > > > > > > I am fine to remove TPM1.2 in OVMF because of the known security > > limitation. > > > > > > I was thinking about the complete edk2 code base not only OVMF. > > > > > > But I can surely start with OVMF. Maybe it is the only platform > > > affected because on physical hardware you usually know whenever TPM > > > 1.2 or TPM 2.0 is present so there is no need to include both. > > > > > > take care, > > > Gerd > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113938): https://edk2.groups.io/g/devel/message/113938 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
On Wed, Jan 17, 2024 at 08:23:19AM +0000, Yao, Jiewen wrote: > That is weird. > It seems we need to merge Gerd's patch soon - https://github.com/tianocore/edk2/pull/5265 to unblock CI. > > Hi Gerd > Would you please confirm what test you have done for removing TPM1.2? > Does TPM2.0 in OvmfPkg still work? For RHEL we build OVMF with TPM1_ENABLE=FALSE for quite a while without seeing any problems, removing the TPM1_ENABLE option altogether should give in identical results. I have to admit that I didn't actually test that though. take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113949): https://edk2.groups.io/g/devel/message/113949 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Hi Marc I notice you are reviewer for TPM module in OvmfPkg. Would you please help to test the TPM2.0 feature with patch from Gerd? Thank you Yao, Jiewen > -----Original Message----- > From: Gerd Hoffmann <kraxel@redhat.com> > Sent: Wednesday, January 17, 2024 10:06 PM > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com> > Cc: Li, Yi1 <yi1.li@intel.com>; dougflick@microsoft.com; Douglas Flick [MSFT] > <doug.edk2@gmail.com> > Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & > TCBZ4118 > > On Wed, Jan 17, 2024 at 08:23:19AM +0000, Yao, Jiewen wrote: > > That is weird. > > It seems we need to merge Gerd's patch soon - > https://github.com/tianocore/edk2/pull/5265 to unblock CI. > > > > Hi Gerd > > Would you please confirm what test you have done for removing TPM1.2? > > Does TPM2.0 in OvmfPkg still work? > > For RHEL we build OVMF with TPM1_ENABLE=FALSE for quite a while without > seeing any problems, removing the TPM1_ENABLE option altogether should > give in identical results. I have to admit that I didn't actually test > that though. > > take care, > Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113952): https://edk2.groups.io/g/devel/message/113952 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Merged https://github.com/tianocore/edk2/pull/5264 > -----Original Message----- > From: Douglas Flick [MSFT] <doug.edk2@gmail.com> > Sent: Friday, January 12, 2024 2:16 AM > To: devel@edk2.groups.io > Cc: Douglas Flick [MSFT] <doug.edk2@gmail.com>; Yao, Jiewen > <jiewen.yao@intel.com> > Subject: [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118 > > This patch series include the combined / merged security patches > (as seperate commits) for TCBZ4117 (CVE-2022-36763) and TCBZ4118 > (CVE-2022-36764) for DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib. > These patches have already been reviewed by SecurityPkg Maintainer > (Jiewen) on GHSA. > > This patch series (specifically TCBZ4117) supersedes TCBZ2168. > > Cc: Jiewen Yao <jiewen.yao@intel.com> > > Douglas Flick [MSFT] (6): > SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE > 2022-36763 > SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE > 2022-36763 > SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml > SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE > 2022-36764 > SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE > 2022-36764 > SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml > > SecurityPkg/Test/SecurityPkgHostTest.dsc | 2 + > .../DxeTpm2MeasureBootLib.inf | 4 +- > ...Tpm2MeasureBootLibSanitizationTestHost.inf | 28 ++ > .../DxeTpmMeasureBootLib.inf | 4 +- > ...eTpmMeasureBootLibSanitizationTestHost.inf | 28 ++ > .../DxeTpm2MeasureBootLibSanitization.h | 139 +++++++ > .../DxeTpmMeasureBootLibSanitization.h | 137 +++++++ > .../DxeTpm2MeasureBootLib.c | 87 ++-- > .../DxeTpm2MeasureBootLibSanitization.c | 319 +++++++++++++++ > .../DxeTpm2MeasureBootLibSanitizationTest.c | 345 ++++++++++++++++ > .../DxeTpmMeasureBootLib.c | 53 ++- > .../DxeTpmMeasureBootLibSanitization.c | 285 +++++++++++++ > .../DxeTpmMeasureBootLibSanitizationTest.c | 387 ++++++++++++++++++ > SecurityPkg/SecurityFixes.yaml | 36 ++ > SecurityPkg/SecurityPkg.ci.yaml | 2 + > 15 files changed, 1801 insertions(+), 55 deletions(-) > create mode 100644 > SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2Measur > eBootLibSanitizationTestHost.inf > create mode 100644 > SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureB > ootLibSanitizationTestHost.inf > create mode 100644 > SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitiza > tion.h > create mode 100644 > SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitizatio > n.h > create mode 100644 > SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitiza > tion.c > create mode 100644 > SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2Measur > eBootLibSanitizationTest.c > create mode 100644 > SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitizatio > n.c > create mode 100644 > SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureB > ootLibSanitizationTest.c > create mode 100644 SecurityPkg/SecurityFixes.yaml > > -- > 2.43.0 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113878): https://edk2.groups.io/g/devel/message/113878 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Hi Doug Thanks for the fix. Please remember to CC all SecurityPkg maintainer and reviewer. I will merge after several days to see if there is any additional feedback from the community. Thank you Yao, Jiewen > -----Original Message----- > From: Douglas Flick [MSFT] <doug.edk2@gmail.com> > Sent: Friday, January 12, 2024 2:16 AM > To: devel@edk2.groups.io > Cc: Douglas Flick [MSFT] <doug.edk2@gmail.com>; Yao, Jiewen > <jiewen.yao@intel.com> > Subject: [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118 > > This patch series include the combined / merged security patches > (as seperate commits) for TCBZ4117 (CVE-2022-36763) and TCBZ4118 > (CVE-2022-36764) for DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib. > These patches have already been reviewed by SecurityPkg Maintainer > (Jiewen) on GHSA. > > This patch series (specifically TCBZ4117) supersedes TCBZ2168. > > Cc: Jiewen Yao <jiewen.yao@intel.com> > > Douglas Flick [MSFT] (6): > SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE > 2022-36763 > SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE > 2022-36763 > SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml > SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE > 2022-36764 > SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE > 2022-36764 > SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml > > SecurityPkg/Test/SecurityPkgHostTest.dsc | 2 + > .../DxeTpm2MeasureBootLib.inf | 4 +- > ...Tpm2MeasureBootLibSanitizationTestHost.inf | 28 ++ > .../DxeTpmMeasureBootLib.inf | 4 +- > ...eTpmMeasureBootLibSanitizationTestHost.inf | 28 ++ > .../DxeTpm2MeasureBootLibSanitization.h | 139 +++++++ > .../DxeTpmMeasureBootLibSanitization.h | 137 +++++++ > .../DxeTpm2MeasureBootLib.c | 87 ++-- > .../DxeTpm2MeasureBootLibSanitization.c | 319 +++++++++++++++ > .../DxeTpm2MeasureBootLibSanitizationTest.c | 345 ++++++++++++++++ > .../DxeTpmMeasureBootLib.c | 53 ++- > .../DxeTpmMeasureBootLibSanitization.c | 285 +++++++++++++ > .../DxeTpmMeasureBootLibSanitizationTest.c | 387 ++++++++++++++++++ > SecurityPkg/SecurityFixes.yaml | 36 ++ > SecurityPkg/SecurityPkg.ci.yaml | 2 + > 15 files changed, 1801 insertions(+), 55 deletions(-) > create mode 100644 > SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2Measur > eBootLibSanitizationTestHost.inf > create mode 100644 > SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureB > ootLibSanitizationTestHost.inf > create mode 100644 > SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitiza > tion.h > create mode 100644 > SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitizatio > n.h > create mode 100644 > SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitiza > tion.c > create mode 100644 > SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2Measur > eBootLibSanitizationTest.c > create mode 100644 > SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitizatio > n.c > create mode 100644 > SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureB > ootLibSanitizationTest.c > create mode 100644 SecurityPkg/SecurityFixes.yaml > > -- > 2.43.0 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#113637): https://edk2.groups.io/g/devel/message/113637 Mute This Topic: https://groups.io/mt/103675434/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
© 2016 - 2024 Red Hat, Inc.