1. Patchew
  2. EDK2
  3. View series

[edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118

Doug Flick via groups.io posted 6 patches 3 months, 3 weeks ago
Failed in applying to current master (apply log)
SecurityPkg/Test/SecurityPkgHostTest.dsc      |   2 +
.../DxeTpm2MeasureBootLib.inf                 |   4 +-
...Tpm2MeasureBootLibSanitizationTestHost.inf |  28 ++
.../DxeTpmMeasureBootLib.inf                  |   4 +-
...eTpmMeasureBootLibSanitizationTestHost.inf |  28 ++
.../DxeTpm2MeasureBootLibSanitization.h       | 139 +++++++
.../DxeTpmMeasureBootLibSanitization.h        | 137 +++++++
.../DxeTpm2MeasureBootLib.c                   |  87 ++--
.../DxeTpm2MeasureBootLibSanitization.c       | 319 +++++++++++++++
.../DxeTpm2MeasureBootLibSanitizationTest.c   | 345 ++++++++++++++++
.../DxeTpmMeasureBootLib.c                    |  53 ++-
.../DxeTpmMeasureBootLibSanitization.c        | 285 +++++++++++++
.../DxeTpmMeasureBootLibSanitizationTest.c    | 387 ++++++++++++++++++
SecurityPkg/SecurityFixes.yaml                |  36 ++
SecurityPkg/SecurityPkg.ci.yaml               |   2 +
15 files changed, 1801 insertions(+), 55 deletions(-)
create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
create mode 100644 SecurityPkg/SecurityFixes.yaml
[edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Doug Flick via groups.io 3 months, 3 weeks ago 
This patch series include the combined / merged security patches
(as seperate commits) for TCBZ4117 (CVE-2022-36763) and TCBZ4118
(CVE-2022-36764) for DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib.
These patches have already been reviewed by SecurityPkg Maintainer
(Jiewen) on GHSA. 

This patch series (specifically TCBZ4117) supersedes TCBZ2168.

Cc: Jiewen Yao <jiewen.yao@intel.com>

Douglas Flick [MSFT] (6):
  SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE
    2022-36763
  SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE
    2022-36763
  SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml
  SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE
    2022-36764
  SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE
    2022-36764
  SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml

 SecurityPkg/Test/SecurityPkgHostTest.dsc      |   2 +
 .../DxeTpm2MeasureBootLib.inf                 |   4 +-
 ...Tpm2MeasureBootLibSanitizationTestHost.inf |  28 ++
 .../DxeTpmMeasureBootLib.inf                  |   4 +-
 ...eTpmMeasureBootLibSanitizationTestHost.inf |  28 ++
 .../DxeTpm2MeasureBootLibSanitization.h       | 139 +++++++
 .../DxeTpmMeasureBootLibSanitization.h        | 137 +++++++
 .../DxeTpm2MeasureBootLib.c                   |  87 ++--
 .../DxeTpm2MeasureBootLibSanitization.c       | 319 +++++++++++++++
 .../DxeTpm2MeasureBootLibSanitizationTest.c   | 345 ++++++++++++++++
 .../DxeTpmMeasureBootLib.c                    |  53 ++-
 .../DxeTpmMeasureBootLibSanitization.c        | 285 +++++++++++++
 .../DxeTpmMeasureBootLibSanitizationTest.c    | 387 ++++++++++++++++++
 SecurityPkg/SecurityFixes.yaml                |  36 ++
 SecurityPkg/SecurityPkg.ci.yaml               |   2 +
 15 files changed, 1801 insertions(+), 55 deletions(-)
 create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTestHost.inf
 create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTestHost.inf
 create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.h
 create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.h
 create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitization.c
 create mode 100644 SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2MeasureBootLibSanitizationTest.c
 create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitization.c
 create mode 100644 SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureBootLibSanitizationTest.c
 create mode 100644 SecurityPkg/SecurityFixes.yaml

-- 
2.43.0


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113756): https://edk2.groups.io/g/devel/message/113756
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Gerd Hoffmann 3 months, 2 weeks ago 
On Thu, Jan 11, 2024 at 10:16:00AM -0800, Doug Flick via groups.io wrote:
> This patch series include the combined / merged security patches
> (as seperate commits) for TCBZ4117 (CVE-2022-36763) and TCBZ4118
> (CVE-2022-36764) for DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib.
> These patches have already been reviewed by SecurityPkg Maintainer
> (Jiewen) on GHSA. 

This patch series breaks ovmf build (duplicate symbols) in case both
TPM2 and TPM1 support are enabled (-D TPM2_ENABLE=TRUE
-DTPM1_ENABLE=TRUE).  Compiling with TPM2 only (-D TPM2_ENABLE=TRUE
-DTPM1_ENABLE=FALSE) works fine.

I see two options to deal with the problem:

 (1) Rename the Sanitize* functions in the TPM2 version of the library
     to carry a '2' somewhere in the function name, simliar to all other
     TPM2 functions, to avoid the name clash.
 (2) Remove TPM1 support from the edk2 code base.  The relevance of
     TPM 1.2 support should be close to zero given that the TPM 2.0
     specification was released almost a decade ago ...

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113889): https://edk2.groups.io/g/devel/message/113889
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Yao, Jiewen 3 months, 2 weeks ago 
Gerd
I have merged this patch set today.

I am fine to remove TPM1.2 in OVMF because of the known security limitation.

Thank you
Yao, Jiewen


> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Tuesday, January 16, 2024 8:01 PM
> To: devel@edk2.groups.io; dougflick@microsoft.com
> Cc: Douglas Flick [MSFT] <doug.edk2@gmail.com>; Yao, Jiewen
> <jiewen.yao@intel.com>
> Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
> 
> On Thu, Jan 11, 2024 at 10:16:00AM -0800, Doug Flick via groups.io wrote:
> > This patch series include the combined / merged security patches
> > (as seperate commits) for TCBZ4117 (CVE-2022-36763) and TCBZ4118
> > (CVE-2022-36764) for DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib.
> > These patches have already been reviewed by SecurityPkg Maintainer
> > (Jiewen) on GHSA.
> 
> This patch series breaks ovmf build (duplicate symbols) in case both
> TPM2 and TPM1 support are enabled (-D TPM2_ENABLE=TRUE
> -DTPM1_ENABLE=TRUE).  Compiling with TPM2 only (-D TPM2_ENABLE=TRUE
> -DTPM1_ENABLE=FALSE) works fine.
> 
> I see two options to deal with the problem:
> 
>  (1) Rename the Sanitize* functions in the TPM2 version of the library
>      to carry a '2' somewhere in the function name, simliar to all other
>      TPM2 functions, to avoid the name clash.
>  (2) Remove TPM1 support from the edk2 code base.  The relevance of
>      TPM 1.2 support should be close to zero given that the TPM 2.0
>      specification was released almost a decade ago ...
> 
> take care,
>   Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113898): https://edk2.groups.io/g/devel/message/113898
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Gerd Hoffmann 3 months, 2 weeks ago 
On Tue, Jan 16, 2024 at 01:30:43PM +0000, Yao, Jiewen wrote:
> Gerd
> I have merged this patch set today.
> 
> I am fine to remove TPM1.2 in OVMF because of the known security limitation.

I was thinking about the complete edk2 code base not only OVMF.

But I can surely start with OVMF.  Maybe it is the only platform
affected because on physical hardware you usually know whenever
TPM 1.2 or TPM 2.0 is present so there is no need to include both.

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113903): https://edk2.groups.io/g/devel/message/113903
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Yao, Jiewen 3 months, 2 weeks ago 
Sure. Let's start from OVMF.

We have leaf enough time for feedback, but I see no comment from other people.


> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Tuesday, January 16, 2024 10:35 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com>
> Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 &
> TCBZ4118
> 
> On Tue, Jan 16, 2024 at 01:30:43PM +0000, Yao, Jiewen wrote:
> > Gerd
> > I have merged this patch set today.
> >
> > I am fine to remove TPM1.2 in OVMF because of the known security limitation.
> 
> I was thinking about the complete edk2 code base not only OVMF.
> 
> But I can surely start with OVMF.  Maybe it is the only platform
> affected because on physical hardware you usually know whenever
> TPM 1.2 or TPM 2.0 is present so there is no need to include both.
> 
> take care,
>   Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113904): https://edk2.groups.io/g/devel/message/113904
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Li, Yi 3 months, 2 weeks ago 
Hi Jiewen,

All EDK2 PR CI builds of OvmfPkg are broken due to this issue.
Maybe we didn't have enough time to wait feedback and should fix the CI issue first.

Regards,
Yi

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
Sent: Tuesday, January 16, 2024 10:38 PM
To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io
Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com>
Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118

Sure. Let's start from OVMF.

We have leaf enough time for feedback, but I see no comment from other people.


> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Tuesday, January 16, 2024 10:35 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> Cc: dougflick@microsoft.com; Douglas Flick [MSFT] 
> <doug.edk2@gmail.com>
> Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 &
> TCBZ4118
> 
> On Tue, Jan 16, 2024 at 01:30:43PM +0000, Yao, Jiewen wrote:
> > Gerd
> > I have merged this patch set today.
> >
> > I am fine to remove TPM1.2 in OVMF because of the known security limitation.
> 
> I was thinking about the complete edk2 code base not only OVMF.
> 
> But I can surely start with OVMF.  Maybe it is the only platform 
> affected because on physical hardware you usually know whenever TPM 
> 1.2 or TPM 2.0 is present so there is no need to include both.
> 
> take care,
>   Gerd








-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113933): https://edk2.groups.io/g/devel/message/113933
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Yao, Jiewen 3 months, 2 weeks ago 
Please check https://github.com/tianocore/edk2/pull/5264. It is merged after pass CI.

May I know where you see PR CI builds are broken?

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Li, Yi1 <yi1.li@intel.com>
> Sent: Wednesday, January 17, 2024 3:21 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Gerd Hoffmann
> <kraxel@redhat.com>
> Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com>
> Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
> 
> Hi Jiewen,
> 
> All EDK2 PR CI builds of OvmfPkg are broken due to this issue.
> Maybe we didn't have enough time to wait feedback and should fix the CI issue
> first.
> 
> Regards,
> Yi
> 
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
> Sent: Tuesday, January 16, 2024 10:38 PM
> To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io
> Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com>
> Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
> 
> Sure. Let's start from OVMF.
> 
> We have leaf enough time for feedback, but I see no comment from other people.
> 
> 
> > -----Original Message-----
> > From: Gerd Hoffmann <kraxel@redhat.com>
> > Sent: Tuesday, January 16, 2024 10:35 PM
> > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> > Cc: dougflick@microsoft.com; Douglas Flick [MSFT]
> > <doug.edk2@gmail.com>
> > Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 &
> > TCBZ4118
> >
> > On Tue, Jan 16, 2024 at 01:30:43PM +0000, Yao, Jiewen wrote:
> > > Gerd
> > > I have merged this patch set today.
> > >
> > > I am fine to remove TPM1.2 in OVMF because of the known security
> limitation.
> >
> > I was thinking about the complete edk2 code base not only OVMF.
> >
> > But I can surely start with OVMF.  Maybe it is the only platform
> > affected because on physical hardware you usually know whenever TPM
> > 1.2 or TPM 2.0 is present so there is no need to include both.
> >
> > take care,
> >   Gerd
> 
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113935): https://edk2.groups.io/g/devel/message/113935
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Li, Yi 3 months, 2 weeks ago 
Hi Jiewen,

Sounds strange, but new PRs in today all broken due to this issue, e.g.:
https://github.com/tianocore/edk2/pull/5210
https://github.com/tianocore/edk2/pull/5268


I checked build log, it matched the description from Gerd:
https://dev.azure.com/tianocore/11ea4a10-ac9f-4e5f-8b13-7def1f19d478/_apis/build/builds/114097/logs/350
2024-01-17T04:09:52.5996237Z INFO - /usr/bin/ld: DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function `SanitizeEfiPartitionTableHeader':
2024-01-17T04:09:52.6010570Z INFO - (.text+0x0): multiple definition of `SanitizeEfiPartitionTableHeader'; DxeTpmMeasureBootLibSanitization.obj (symbol from plugin):(.text+0x0): first defined here
2024-01-17T04:09:52.6020435Z INFO - /usr/bin/ld: DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function `SanitizeEfiPartitionTableHeader':
2024-01-17T04:09:52.6030987Z INFO - (.text+0x0): multiple definition of `SanitizePrimaryHeaderAllocationSize'; DxeTpmMeasureBootLibSanitization.obj (symbol from plugin):(.text+0x0): first defined here
2024-01-17T04:09:52.6040167Z INFO - /usr/bin/ld: DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function `SanitizeEfiPartitionTableHeader':
2024-01-17T04:09:52.6050625Z INFO - (.text+0x0): multiple definition of `SanitizePrimaryHeaderGptEventSize'; DxeTpmMeasureBootLibSanitization.obj (symbol from plugin):(.text+0x0): first defined here
2024-01-17T04:09:52.6061966Z INFO - /usr/bin/ld: DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function `SanitizeEfiPartitionTableHeader':
2024-01-17T04:09:52.6072661Z INFO - (.text+0x0): multiple definition of `SanitizePeImageEventSize'; DxeTpmMeasureBootLibSanitization.obj (symbol from plugin):(.text+0x0): first defined here
2024-01-17T04:10:12.9532147Z INFO - build.py...
2024-01-17T04:10:12.9593220Z INFO -  : error 7000: Failed to execute command
2024-01-17T04:10:23.2054653Z INFO - build.py...
2024-01-17T04:10:23.2055014Z INFO -  : error F002: Failed to build module
2024-01-17T04:10:23.2055379Z INFO - 	/__w/1/s/MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf [X64, GCC5, DEBUG]

-----Original Message-----
From: Yao, Jiewen <jiewen.yao@intel.com> 
Sent: Wednesday, January 17, 2024 4:09 PM
To: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Gerd Hoffmann <kraxel@redhat.com>
Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com>
Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118

Please check https://github.com/tianocore/edk2/pull/5264. It is merged after pass CI.

May I know where you see PR CI builds are broken?

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Li, Yi1 <yi1.li@intel.com>
> Sent: Wednesday, January 17, 2024 3:21 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Gerd 
> Hoffmann <kraxel@redhat.com>
> Cc: dougflick@microsoft.com; Douglas Flick [MSFT] 
> <doug.edk2@gmail.com>
> Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & 
> TCBZ4118
> 
> Hi Jiewen,
> 
> All EDK2 PR CI builds of OvmfPkg are broken due to this issue.
> Maybe we didn't have enough time to wait feedback and should fix the 
> CI issue first.
> 
> Regards,
> Yi
> 
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, 
> Jiewen
> Sent: Tuesday, January 16, 2024 10:38 PM
> To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io
> Cc: dougflick@microsoft.com; Douglas Flick [MSFT] 
> <doug.edk2@gmail.com>
> Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & 
> TCBZ4118
> 
> Sure. Let's start from OVMF.
> 
> We have leaf enough time for feedback, but I see no comment from other people.
> 
> 
> > -----Original Message-----
> > From: Gerd Hoffmann <kraxel@redhat.com>
> > Sent: Tuesday, January 16, 2024 10:35 PM
> > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> > Cc: dougflick@microsoft.com; Douglas Flick [MSFT] 
> > <doug.edk2@gmail.com>
> > Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 
> > &
> > TCBZ4118
> >
> > On Tue, Jan 16, 2024 at 01:30:43PM +0000, Yao, Jiewen wrote:
> > > Gerd
> > > I have merged this patch set today.
> > >
> > > I am fine to remove TPM1.2 in OVMF because of the known security
> limitation.
> >
> > I was thinking about the complete edk2 code base not only OVMF.
> >
> > But I can surely start with OVMF.  Maybe it is the only platform 
> > affected because on physical hardware you usually know whenever TPM
> > 1.2 or TPM 2.0 is present so there is no need to include both.
> >
> > take care,
> >   Gerd
> 
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113937): https://edk2.groups.io/g/devel/message/113937
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Yao, Jiewen 3 months, 2 weeks ago 
That is weird.
It seems we need to merge Gerd's patch soon - https://github.com/tianocore/edk2/pull/5265 to unblock CI.

Hi Gerd
Would you please confirm what test you have done for removing TPM1.2?
Does TPM2.0 in OvmfPkg still work?

Hi Doug
I cannot tell why CI passed before but failed now.
But it does seems a big issue now. Would you please propose a patch to resolve it? Just rename the symbol.

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Li, Yi1 <yi1.li@intel.com>
> Sent: Wednesday, January 17, 2024 4:15 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Gerd Hoffmann
> <kraxel@redhat.com>
> Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com>
> Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
> 
> Hi Jiewen,
> 
> Sounds strange, but new PRs in today all broken due to this issue, e.g.:
> https://github.com/tianocore/edk2/pull/5210
> https://github.com/tianocore/edk2/pull/5268
> 
> 
> I checked build log, it matched the description from Gerd:
> https://dev.azure.com/tianocore/11ea4a10-ac9f-4e5f-8b13-
> 7def1f19d478/_apis/build/builds/114097/logs/350
> 2024-01-17T04:09:52.5996237Z INFO - /usr/bin/ld:
> DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function
> `SanitizeEfiPartitionTableHeader':
> 2024-01-17T04:09:52.6010570Z INFO - (.text+0x0): multiple definition of
> `SanitizeEfiPartitionTableHeader'; DxeTpmMeasureBootLibSanitization.obj
> (symbol from plugin):(.text+0x0): first defined here
> 2024-01-17T04:09:52.6020435Z INFO - /usr/bin/ld:
> DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function
> `SanitizeEfiPartitionTableHeader':
> 2024-01-17T04:09:52.6030987Z INFO - (.text+0x0): multiple definition of
> `SanitizePrimaryHeaderAllocationSize'; DxeTpmMeasureBootLibSanitization.obj
> (symbol from plugin):(.text+0x0): first defined here
> 2024-01-17T04:09:52.6040167Z INFO - /usr/bin/ld:
> DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function
> `SanitizeEfiPartitionTableHeader':
> 2024-01-17T04:09:52.6050625Z INFO - (.text+0x0): multiple definition of
> `SanitizePrimaryHeaderGptEventSize'; DxeTpmMeasureBootLibSanitization.obj
> (symbol from plugin):(.text+0x0): first defined here
> 2024-01-17T04:09:52.6061966Z INFO - /usr/bin/ld:
> DxeTpm2MeasureBootLibSanitization.obj (symbol from plugin): in function
> `SanitizeEfiPartitionTableHeader':
> 2024-01-17T04:09:52.6072661Z INFO - (.text+0x0): multiple definition of
> `SanitizePeImageEventSize'; DxeTpmMeasureBootLibSanitization.obj (symbol
> from plugin):(.text+0x0): first defined here
> 2024-01-17T04:10:12.9532147Z INFO - build.py...
> 2024-01-17T04:10:12.9593220Z INFO -  : error 7000: Failed to execute command
> 2024-01-17T04:10:23.2054653Z INFO - build.py...
> 2024-01-17T04:10:23.2055014Z INFO -  : error F002: Failed to build module
> 2024-01-17T04:10:23.2055379Z INFO -
> 	/__w/1/s/MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.i
> nf [X64, GCC5, DEBUG]
> 
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, January 17, 2024 4:09 PM
> To: Li, Yi1 <yi1.li@intel.com>; devel@edk2.groups.io; Gerd Hoffmann
> <kraxel@redhat.com>
> Cc: dougflick@microsoft.com; Douglas Flick [MSFT] <doug.edk2@gmail.com>
> Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
> 
> Please check https://github.com/tianocore/edk2/pull/5264. It is merged after
> pass CI.
> 
> May I know where you see PR CI builds are broken?
> 
> Thank you
> Yao, Jiewen
> 
> > -----Original Message-----
> > From: Li, Yi1 <yi1.li@intel.com>
> > Sent: Wednesday, January 17, 2024 3:21 PM
> > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; Gerd
> > Hoffmann <kraxel@redhat.com>
> > Cc: dougflick@microsoft.com; Douglas Flick [MSFT]
> > <doug.edk2@gmail.com>
> > Subject: RE: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 &
> > TCBZ4118
> >
> > Hi Jiewen,
> >
> > All EDK2 PR CI builds of OvmfPkg are broken due to this issue.
> > Maybe we didn't have enough time to wait feedback and should fix the
> > CI issue first.
> >
> > Regards,
> > Yi
> >
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao,
> > Jiewen
> > Sent: Tuesday, January 16, 2024 10:38 PM
> > To: Gerd Hoffmann <kraxel@redhat.com>; devel@edk2.groups.io
> > Cc: dougflick@microsoft.com; Douglas Flick [MSFT]
> > <doug.edk2@gmail.com>
> > Subject: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 &
> > TCBZ4118
> >
> > Sure. Let's start from OVMF.
> >
> > We have leaf enough time for feedback, but I see no comment from other
> people.
> >
> >
> > > -----Original Message-----
> > > From: Gerd Hoffmann <kraxel@redhat.com>
> > > Sent: Tuesday, January 16, 2024 10:35 PM
> > > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> > > Cc: dougflick@microsoft.com; Douglas Flick [MSFT]
> > > <doug.edk2@gmail.com>
> > > Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117
> > > &
> > > TCBZ4118
> > >
> > > On Tue, Jan 16, 2024 at 01:30:43PM +0000, Yao, Jiewen wrote:
> > > > Gerd
> > > > I have merged this patch set today.
> > > >
> > > > I am fine to remove TPM1.2 in OVMF because of the known security
> > limitation.
> > >
> > > I was thinking about the complete edk2 code base not only OVMF.
> > >
> > > But I can surely start with OVMF.  Maybe it is the only platform
> > > affected because on physical hardware you usually know whenever TPM
> > > 1.2 or TPM 2.0 is present so there is no need to include both.
> > >
> > > take care,
> > >   Gerd
> >
> >
> >
> > 
> >



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113938): https://edk2.groups.io/g/devel/message/113938
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Gerd Hoffmann 3 months, 2 weeks ago 
On Wed, Jan 17, 2024 at 08:23:19AM +0000, Yao, Jiewen wrote:
> That is weird.
> It seems we need to merge Gerd's patch soon - https://github.com/tianocore/edk2/pull/5265 to unblock CI.
> 
> Hi Gerd
> Would you please confirm what test you have done for removing TPM1.2?
> Does TPM2.0 in OvmfPkg still work?

For RHEL we build OVMF with TPM1_ENABLE=FALSE for quite a while without
seeing any problems, removing the TPM1_ENABLE option altogether should
give in identical results.  I have to admit that I didn't actually test
that though.

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113949): https://edk2.groups.io/g/devel/message/113949
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Yao, Jiewen 3 months, 2 weeks ago 
Hi Marc
I notice you are reviewer for TPM module in OvmfPkg.

Would you please help to test the TPM2.0 feature with patch from Gerd?

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Gerd Hoffmann <kraxel@redhat.com>
> Sent: Wednesday, January 17, 2024 10:06 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> Cc: Li, Yi1 <yi1.li@intel.com>; dougflick@microsoft.com; Douglas Flick [MSFT]
> <doug.edk2@gmail.com>
> Subject: Re: Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 &
> TCBZ4118
> 
> On Wed, Jan 17, 2024 at 08:23:19AM +0000, Yao, Jiewen wrote:
> > That is weird.
> > It seems we need to merge Gerd's patch soon -
> https://github.com/tianocore/edk2/pull/5265 to unblock CI.
> >
> > Hi Gerd
> > Would you please confirm what test you have done for removing TPM1.2?
> > Does TPM2.0 in OvmfPkg still work?
> 
> For RHEL we build OVMF with TPM1_ENABLE=FALSE for quite a while without
> seeing any problems, removing the TPM1_ENABLE option altogether should
> give in identical results.  I have to admit that I didn't actually test
> that though.
> 
> take care,
>   Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113952): https://edk2.groups.io/g/devel/message/113952
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Yao, Jiewen 3 months, 2 weeks ago 
Merged https://github.com/tianocore/edk2/pull/5264

> -----Original Message-----
> From: Douglas Flick [MSFT] <doug.edk2@gmail.com>
> Sent: Friday, January 12, 2024 2:16 AM
> To: devel@edk2.groups.io
> Cc: Douglas Flick [MSFT] <doug.edk2@gmail.com>; Yao, Jiewen
> <jiewen.yao@intel.com>
> Subject: [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
> 
> This patch series include the combined / merged security patches
> (as seperate commits) for TCBZ4117 (CVE-2022-36763) and TCBZ4118
> (CVE-2022-36764) for DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib.
> These patches have already been reviewed by SecurityPkg Maintainer
> (Jiewen) on GHSA.
> 
> This patch series (specifically TCBZ4117) supersedes TCBZ2168.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> 
> Douglas Flick [MSFT] (6):
>   SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE
>     2022-36763
>   SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE
>     2022-36763
>   SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml
>   SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE
>     2022-36764
>   SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE
>     2022-36764
>   SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml
> 
>  SecurityPkg/Test/SecurityPkgHostTest.dsc      |   2 +
>  .../DxeTpm2MeasureBootLib.inf                 |   4 +-
>  ...Tpm2MeasureBootLibSanitizationTestHost.inf |  28 ++
>  .../DxeTpmMeasureBootLib.inf                  |   4 +-
>  ...eTpmMeasureBootLibSanitizationTestHost.inf |  28 ++
>  .../DxeTpm2MeasureBootLibSanitization.h       | 139 +++++++
>  .../DxeTpmMeasureBootLibSanitization.h        | 137 +++++++
>  .../DxeTpm2MeasureBootLib.c                   |  87 ++--
>  .../DxeTpm2MeasureBootLibSanitization.c       | 319 +++++++++++++++
>  .../DxeTpm2MeasureBootLibSanitizationTest.c   | 345 ++++++++++++++++
>  .../DxeTpmMeasureBootLib.c                    |  53 ++-
>  .../DxeTpmMeasureBootLibSanitization.c        | 285 +++++++++++++
>  .../DxeTpmMeasureBootLibSanitizationTest.c    | 387 ++++++++++++++++++
>  SecurityPkg/SecurityFixes.yaml                |  36 ++
>  SecurityPkg/SecurityPkg.ci.yaml               |   2 +
>  15 files changed, 1801 insertions(+), 55 deletions(-)
>  create mode 100644
> SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2Measur
> eBootLibSanitizationTestHost.inf
>  create mode 100644
> SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureB
> ootLibSanitizationTestHost.inf
>  create mode 100644
> SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitiza
> tion.h
>  create mode 100644
> SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitizatio
> n.h
>  create mode 100644
> SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitiza
> tion.c
>  create mode 100644
> SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2Measur
> eBootLibSanitizationTest.c
>  create mode 100644
> SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitizatio
> n.c
>  create mode 100644
> SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureB
> ootLibSanitizationTest.c
>  create mode 100644 SecurityPkg/SecurityFixes.yaml
> 
> --
> 2.43.0


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113878): https://edk2.groups.io/g/devel/message/113878
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
Posted by Yao, Jiewen 3 months, 2 weeks ago 
Hi Doug
Thanks for the fix.

Please remember to CC all SecurityPkg maintainer and reviewer.

I will merge after several days to see if there is any additional feedback from the community.

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Douglas Flick [MSFT] <doug.edk2@gmail.com>
> Sent: Friday, January 12, 2024 2:16 AM
> To: devel@edk2.groups.io
> Cc: Douglas Flick [MSFT] <doug.edk2@gmail.com>; Yao, Jiewen
> <jiewen.yao@intel.com>
> Subject: [PATCH 0/6] SECURITY PATCHES TCBZ4117 & TCBZ4118
> 
> This patch series include the combined / merged security patches
> (as seperate commits) for TCBZ4117 (CVE-2022-36763) and TCBZ4118
> (CVE-2022-36764) for DxeTpm2MeasureBootLib and DxeTpmMeasureBootLib.
> These patches have already been reviewed by SecurityPkg Maintainer
> (Jiewen) on GHSA.
> 
> This patch series (specifically TCBZ4117) supersedes TCBZ2168.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> 
> Douglas Flick [MSFT] (6):
>   SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE
>     2022-36763
>   SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE
>     2022-36763
>   SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml
>   SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4118 - CVE
>     2022-36764
>   SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4118 - CVE
>     2022-36764
>   SecurityPkg: : Adding CVE 2022-36764 to SecurityFixes.yaml
> 
>  SecurityPkg/Test/SecurityPkgHostTest.dsc      |   2 +
>  .../DxeTpm2MeasureBootLib.inf                 |   4 +-
>  ...Tpm2MeasureBootLibSanitizationTestHost.inf |  28 ++
>  .../DxeTpmMeasureBootLib.inf                  |   4 +-
>  ...eTpmMeasureBootLibSanitizationTestHost.inf |  28 ++
>  .../DxeTpm2MeasureBootLibSanitization.h       | 139 +++++++
>  .../DxeTpmMeasureBootLibSanitization.h        | 137 +++++++
>  .../DxeTpm2MeasureBootLib.c                   |  87 ++--
>  .../DxeTpm2MeasureBootLibSanitization.c       | 319 +++++++++++++++
>  .../DxeTpm2MeasureBootLibSanitizationTest.c   | 345 ++++++++++++++++
>  .../DxeTpmMeasureBootLib.c                    |  53 ++-
>  .../DxeTpmMeasureBootLibSanitization.c        | 285 +++++++++++++
>  .../DxeTpmMeasureBootLibSanitizationTest.c    | 387 ++++++++++++++++++
>  SecurityPkg/SecurityFixes.yaml                |  36 ++
>  SecurityPkg/SecurityPkg.ci.yaml               |   2 +
>  15 files changed, 1801 insertions(+), 55 deletions(-)
>  create mode 100644
> SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2Measur
> eBootLibSanitizationTestHost.inf
>  create mode 100644
> SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureB
> ootLibSanitizationTestHost.inf
>  create mode 100644
> SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitiza
> tion.h
>  create mode 100644
> SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitizatio
> n.h
>  create mode 100644
> SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLibSanitiza
> tion.c
>  create mode 100644
> SecurityPkg/Library/DxeTpm2MeasureBootLib/InternalUnitTest/DxeTpm2Measur
> eBootLibSanitizationTest.c
>  create mode 100644
> SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLibSanitizatio
> n.c
>  create mode 100644
> SecurityPkg/Library/DxeTpmMeasureBootLib/InternalUnitTest/DxeTpmMeasureB
> ootLibSanitizationTest.c
>  create mode 100644 SecurityPkg/SecurityFixes.yaml
> 
> --
> 2.43.0


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113637): https://edk2.groups.io/g/devel/message/113637
Mute This Topic: https://groups.io/mt/103675434/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.