From: "Zeng, Star" <star.zeng@intel.com>
To: "Zhang, Chao B" <chao.b.zhang@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>, "Zeng, Star" <star.zeng@intel.com>
Subject: Re: [PATCH V2 3/3] MdeModulePkg: Variable: Update PCR[7] measure for new TCG spec
Date: Sun, 22 Jan 2017 01:19:53 +0000 [thread overview]
Message-ID: <0C09AFA07DD0434D9E2A0C6AEB0483103B818BB6@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <20170119051359.14044-3-chao.b.zhang@intel.com>
Chao,
I have some minor comments.
1. Suggest to add mSecureBootVarData and mSecureBootVarDataSize and remove VARIABLE_FOLLOW_TYPE and SecureBootFollowUpdate.
2. Suggest to update function name RecordSecureBootPolicyVarFollow to RecordSecureBootPolicyVarData.
3. Please remember to add " ## SOMETIMES_CONSUMES ## Variable:L"DBT" " in VariableRuntimeDxe.inf and VariableSmmRuntimeDxe.inf.
With those comments covered, Reviewed-by: Star Zeng <star.zeng@intel.com>
Thanks,
Star
-----Original Message-----
From: Zhang, Chao B
Sent: Thursday, January 19, 2017 1:14 PM
To: edk2-devel@lists.01.org
Cc: yao.jiewen@intel.com; Zeng, Star <star.zeng@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>
Subject: [PATCH V2 3/3] MdeModulePkg: Variable: Update PCR[7] measure for new TCG spec
Measure DBT into PCR[7] when it is updated between initial measure and ExitBootService. Measure "SecureBoot" change after PK update.
Spec version : TCG PC Client PFP 00.37. http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf
Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
.../Universal/Variable/RuntimeDxe/Measurement.c | 88 +++++++++++++++++++++-
.../Universal/Variable/RuntimeDxe/VariableDxe.c | 17 +++++
.../Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 17 +++++
3 files changed, 121 insertions(+), 1 deletion(-)
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
index 2f92fae..707f988 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
@@ -1,7 +1,7 @@
/** @file
Measure TrEE required variable.
-Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -36,6 +36,24 @@ VARIABLE_TYPE mVariableType[] = {
{EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid},
{EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid},
{EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid},
+ {EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid}, };
+
+typedef struct {
+ CHAR16 *VariableName;
+ EFI_GUID *VendorGuid;
+ UINT8 *VarData;
+ UINTN VarDataSize;
+} VARIABLE_FOLLOW_TYPE;
+
+//
+// "SecureBoot" may update following PK Del/Add // static
+VARIABLE_FOLLOW_TYPE SecureBootFollowUpdate = {
+ EFI_SECURE_BOOT_MODE_NAME,
+ &gEfiGlobalVariableGuid,
+ NULL,
+ 0,
};
/**
@@ -251,5 +269,73 @@ SecureBootHook (
FreePool (VariableData);
}
+ //
+ // "SecureBoot" is 8bit & read-only. It can only be changed according
+ to PK update // if ((StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) ==
+ 0) &&
+ CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)) {
+ Status = InternalGetVariable (
+ SecureBootFollowUpdate.VariableName,
+ SecureBootFollowUpdate.VendorGuid,
+ &VariableData,
+ &VariableDataSize
+ );
+ if (EFI_ERROR (Status)) {
+ return;
+ }
+
+ if ((SecureBootFollowUpdate.VarData != NULL) &&
+ (CompareMem(SecureBootFollowUpdate.VarData, VariableData, VariableDataSize) != 0)) {
+ FreePool(SecureBootFollowUpdate.VarData);
+ SecureBootFollowUpdate.VarData = VariableData;
+ SecureBootFollowUpdate.VarDataSize = VariableDataSize;
+
+ DEBUG((DEBUG_INFO, "%s variable updated according to PK change. Remeasure the value!\n", SecureBootFollowUpdate.VariableName));
+ Status = MeasureVariable (
+ SecureBootFollowUpdate.VariableName,
+ SecureBootFollowUpdate.VendorGuid,
+ SecureBootFollowUpdate.VarData,
+ SecureBootFollowUpdate.VarDataSize
+ );
+ DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));
+ } else {
+ //
+ // "SecureBoot" variable is not changed
+ //
+ FreePool(VariableData);
+ }
+ }
+
return ;
}
+
+/**
+ Some Secure Boot Policy Variable may update following other variable changes(SecureBoot follows PK change, etc).
+ Record their initial State when variable write service is ready.
+
+**/
+VOID
+EFIAPI
+RecordSecureBootPolicyVarFollow(
+ VOID
+ )
+{
+ EFI_STATUS Status;
+
+ //
+ // Record initial "SecureBoot" variable value.
+ // It is used to detect SecureBoot variable change in SecureBootHook.
+ //
+ Status = InternalGetVariable (
+ SecureBootFollowUpdate.VariableName,
+ SecureBootFollowUpdate.VendorGuid,
+ (VOID **)&SecureBootFollowUpdate.VarData,
+ &SecureBootFollowUpdate.VarDataSize
+ );
+ if (EFI_ERROR(Status)) {
+ //
+ // Read could fail when Auth Variable solution is not supported
+ //
+ DEBUG((DEBUG_INFO, "RecordSecureBootPolicyVarFollow GetVariable %s
+Status %x\n", SecureBootFollowUpdate.VariableName, Status));
+ }
+}
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
index 3d3cd24..5d81f87 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
@@ -32,6 +32,17 @@ EDKII_VAR_CHECK_PROTOCOL mVarCheck = { VarCheckRegis
VarCheckVariablePropertyGet };
/**
+ Some Secure Boot Policy Variable may update following other variable changes(SecureBoot follows PK change, etc).
+ Record their initial State when variable write service is ready.
+
+**/
+VOID
+EFIAPI
+RecordSecureBootPolicyVarFollow(
+ VOID
+ );
+
+/**
Return TRUE if ExitBootServices () has been called.
@retval TRUE If ExitBootServices () has been called.
@@ -415,6 +426,12 @@ FtwNotificationEvent (
}
//
+ // Some Secure Boot Policy Var (SecureBoot, etc) updates following
+ other // Secure Boot Policy Variable change. Record their initial value.
+ //
+ RecordSecureBootPolicyVarFollow();
+
+ //
// Install the Variable Write Architectural protocol.
//
Status = gBS->InstallProtocolInterface ( diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
index 0a076ae..3d0925d 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
@@ -71,6 +71,17 @@ SecureBootHook (
);
/**
+ Some Secure Boot Policy Variable may update following other variable changes(SecureBoot follows PK change, etc).
+ Record their initial State when variable write service is ready.
+
+**/
+VOID
+EFIAPI
+RecordSecureBootPolicyVarFollow(
+ VOID
+ );
+
+/**
Acquires lock only at boot time. Simply returns at runtime.
This is a temperary function that will be removed when @@ -1079,6 +1090,12 @@ SmmVariableWriteReady (
return;
}
+ //
+ // Some Secure Boot Policy Var (SecureBoot, etc) updates following
+ other // Secure Boot Policy Variable change. Record their initial value.
+ //
+ RecordSecureBootPolicyVarFollow();
+
Status = gBS->InstallProtocolInterface (
&mHandle,
&gEfiVariableWriteArchProtocolGuid,
--
1.9.5.msysgit.1
next prev parent reply other threads:[~2017-01-22 1:19 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-19 5:13 [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic Zhang, Chao B
2017-01-19 5:13 ` [PATCH V2 2/3] SecurityPkg: Tcg2Dxe: Measure DBT into PCR[7] Zhang, Chao B
2017-01-22 1:22 ` Zeng, Star
2017-01-22 2:03 ` Yao, Jiewen
2017-01-19 5:13 ` [PATCH V2 3/3] MdeModulePkg: Variable: Update PCR[7] measure for new TCG spec Zhang, Chao B
2017-01-22 1:19 ` Zeng, Star [this message]
2017-01-22 2:20 ` Yao, Jiewen
2017-01-22 1:25 ` [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic Zeng, Star
2017-01-22 2:04 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0C09AFA07DD0434D9E2A0C6AEB0483103B818BB6@shsmsx102.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox