* [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution
@ 2018-01-25  4:53 Zhang, Chao B
  2018-01-25  4:53 ` [PATCH] SecurityPkg/DxePhysicalPresenceLib: Reject illegal PCR bank allocation Zhang, Chao B
                   ` (3 more replies)
  0 siblings, 4 replies; 10+ messages in thread
From: Zhang, Chao B @ 2018-01-25  4:53 UTC (permalink / raw)
  To: edk2-devel

---
 KabylakePlatSamplePkg/PlatformPkg.dsc       | 13 +++++++++--
 KabylakePlatSamplePkg/PlatformPkg.fdf       | 36 +++++++++++++++--------------
 KabylakePlatSamplePkg/PlatformPkgConfig.dsc |  2 +-
 3 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/KabylakePlatSamplePkg/PlatformPkg.dsc b/KabylakePlatSamplePkg/PlatformPkg.dsc
index fb085b9..125e018 100644
--- a/KabylakePlatSamplePkg/PlatformPkg.dsc
+++ b/KabylakePlatSamplePkg/PlatformPkg.dsc
@@ -1114,6 +1114,8 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07
 
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMsegSize|0x8c0000
 
+gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer|{0x91, 0x29, 0xc4, 0xbd, 0xea, 0x6d, 0xda, 0xb3, 0xaa, 0x6f, 0x50, 0x16, 0xfc, 0xdb, 0x4b, 0x7e, 0x3c, 0xd6, 0xdc, 0xa4, 0x7a, 0x0e, 0xdd, 0xe6, 0x15, 0x8c, 0x73, 0x96, 0xa2, 0xd4, 0xa6, 0x4d}
+
 [PcdsFixedAtBuild.IA32]
 !if gPlatformModuleTokenSpaceGuid.PcdFspWrapperEnable == TRUE
   gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
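Review bot: The hash added for `PcdRsa2048Sha256PublicKeyBuffer` appears to be the default value declared in SecurityPkg.dec, which as far as I can tell is the SHA-256 of the public half of the BaseTools test signing key. Because the private half of that key is published with the tools, a platform built with this value cannot treat a valid signature as proof of origin. Please derive the value from the platform's own signing key and say so next to the line, e.g. `# SHA-256 of the platform RSA2048 signing public key; must not be the edk2 test key`. The line also sits at column 0 while its neighbours are indented, and the section header it falls under is outside the hunk, so the PCD type cannot be confirmed from here.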
@@ -1445,6 +1447,11 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07
     <LibraryClasses>
       NULL|$(CLIENT_COMMON_PACKAGE)/Library/PeiSignedSectionVerificationLib/PeiSignedSectionVerificationLib.inf
   }
+  
+  MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf {
+  <LibraryClasses>
+    NULL|SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib\PeiRsa2048Sha256GuidedSectionExtractLib.inf
+  }
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdS3Enable == TRUE
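Review bot: The new library path under `SectionExtractionPei.inf` is written with backslashes, while every other path visible in this file uses forward slashes; that form is likely to fail on non-Windows build hosts. Write it as `NULL|SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.inf`; the two `DxeRsa2048Sha256GuidedSectionExtractLib` lines added in the next two hunks need the same change. The added blank line also carries trailing whitespace, and the new `<LibraryClasses>` block is indented one level less than the block just above it.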
@@ -1575,7 +1582,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf {
       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x80080046
     <LibraryClasses>
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-      NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+    # NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+      NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRsa2048Sha256GuidedSectionExtractLib.inf
 !endif
 !if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE
       NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf
@@ -1600,7 +1608,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf {
       gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable|FALSE
     <LibraryClasses>
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-      NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+      #NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+      NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRsa2048Sha256GuidedSectionExtractLib.inf
 !endif
 !if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE
       NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf
diff --git a/KabylakePlatSamplePkg/PlatformPkg.fdf b/KabylakePlatSamplePkg/PlatformPkg.fdf
index d2e8ee3..9d3fa5d 100644
--- a/KabylakePlatSamplePkg/PlatformPkg.fdf
+++ b/KabylakePlatSamplePkg/PlatformPkg.fdf
@@ -406,7 +406,7 @@ INF  $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf
 
 INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf # AdvancedFeaturesContent
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
+#INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdSleEnable == FALSE
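Review bot: `BiosInfoChecker.inf` is switched off here by commenting it out, and the patch carries no description that says why a module included only when `PcdSecureBootEnable` is TRUE is no longer needed. If it performs a check that the RSA2048SHA256 section extraction does not cover, that check is lost without a replacement; please state in the commit message what takes over its role, or keep the module. The same line is commented out in the `APRIORI PEI` hunk and in the hunk at -619; if the removal is intended, delete the lines rather than leaving them as comments.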
@@ -462,12 +462,13 @@ INF $(PLATFORM_PACKAGE)/Platform/MsegSmramPei/MsegSmramPei.inf
 INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-INF $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
-!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
-FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
-    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
-  }
-!endif # PcdPubKeyHashBinEnable
+INF MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+#INF $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
+#!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
+#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
+#    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
+#  }
+#!endif # PcdPubKeyHashBinEnable
 !endif # PcdSecureBootEnable
 
 !if gPlatformModuleTokenSpaceGuid.PcdTpmEnable == TRUE
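Review bot: The old `SignedSectionPei.inf` entry and the `pubkeyhash.bin` FILE RAW block are left behind as six commented-out lines; version control already keeps the history, and dead lines inside a `PcdSecureBootEnable` block make it harder to audit which verifier is actually active. Delete them, and check whether `PcdPubKeyHashBinEnable` still has any user after this change. The hunk at -692 carries the same block, and there the new `INF` line also drops the `RuleOverride = LzmaCompress` that the old entry had, which may or may not be intended.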
@@ -604,7 +605,7 @@ APRIORI PEI {
 !endif
 
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-  INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf  # RPPO-SKL-0031: RoyalParkOverrideContent
+  #INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf  # RPPO-SKL-0031: RoyalParkOverrideContent
 !endif
   INF  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 !endif
@@ -619,7 +620,7 @@ INF  $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf
 
 INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
+#INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdSleEnable == TRUE
@@ -692,12 +693,13 @@ INF $(PLATFORM_FEATURES_PATH)/OverClocking/OverClockInit/PeiOverClock.inf
 
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
 # ROYAL_PARK_PORTING - Porting Required
-INF RuleOverride = LzmaCompress $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
-!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
-FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
-    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
-  }
-!endif
+INF MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+#INF RuleOverride = LzmaCompress $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
+#!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
+#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
+#    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
+#  }
+#!endif
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdSvBuild == TRUE
@@ -1174,7 +1176,7 @@ READ_LOCK_STATUS   = TRUE
 FILE FV_IMAGE = 4E35FD93-9C72-4c15-8C4B-E77F1DB2D792 {
 !if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE
   !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-    SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE {
+    SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID = TRUE {
       SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
         SECTION FV_IMAGE = FVMAIN2
       }
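Review bot: The bare GUID `A7717414-C616-4977-9420-844712A735BF` on the new `SECTION GUIDED` line deserves a comment, since it alone selects the signing tool at build time and the section handler at boot. Something like `# RSA2048/SHA256 signed section (EFI_CERT_TYPE_RSA2048_SHA256_GUID), signed with the platform key` above the line would do; the same applies to the FVMAIN hunk that follows. It is also worth confirming that the tool mapped to this GUID in the build configuration is given the platform's key rather than its default. The `FILE FV_IMAGE` block continues outside the hunk.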
@@ -2497,7 +2499,7 @@ READ_LOCK_STATUS   = TRUE
 FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
 !if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-  SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE {
+  SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID = TRUE {
        SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
           SECTION FV_IMAGE = FVMAIN
        }
diff --git a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
index fd2d368..755e66c 100644
--- a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
+++ b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
@@ -117,7 +117,7 @@
   gPlatformModuleTokenSpaceGuid.PcdNvmeEnable|TRUE
   gSiPkgTokenSpaceGuid.PcdOverclockEnable|TRUE
   gPlatformModuleTokenSpaceGuid.PcdPciHotplugEnable|TRUE
-  gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|FALSE
+  gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|TRUE
   gPlatformModuleTokenSpaceGuid.PcdIntelFpdtEnable|FALSE
   gPlatformModuleTokenSpaceGuid.PcdPostCodeStatusCodeEnable|TRUE
   gSiPkgTokenSpaceGuid.PcdPowerOnEnable|FALSE             # SI:RestrictedContent
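Review bot: Flipping `PcdPerformanceEnable` to TRUE has nothing to do with the signed-section change named in the subject and looks like a local measurement setting that slipped into the patch. Please drop it here or send it separately with its own justification.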
-- 
1.9.5.msysgit.1



* [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation
@ 2018-01-15  7:29 Zhang, Chao B
  2018-01-15  7:52 ` Long, Qin
  2018-01-15  8:31 ` Yao, Jiewen
  0 siblings, 2 replies; 10+ messages in thread
From: Zhang, Chao B @ 2018-01-15  7:29 UTC (permalink / raw)
  To: edk2-devel; +Cc: Long Qin, Yao Jiewen, Chao Zhang

According to the TCG PP1.3 spec, an invalid PCR bank allocation request
should be rejected by Physical Presence. Firmware has to ensure that at
least one PCR bank is active.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
 .../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c  | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
index 5bf95a1..5ece8e5 100644
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
+++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
@@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
     case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
       Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
       ASSERT_EFI_ERROR (Status);
+
+      //
+      // PP spec requirements:
+      //    Firmware should check that all requested (set) hashing algorithms are supported with respective PCR banks.
+      //    Firmware has to ensure that at least one PCR banks is active.
+      // If not, an error is returned and no action is taken.
+      //
+      if (CommandParameter == 0 || (CommandParameter & (~TpmHashAlgorithmBitmap)) != 0) {
+        DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by TPM. Skip operation\n", CommandParameter));
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+      }
+
       Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter);
       if (EFI_ERROR (Status)) {
         return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
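Review bot: The new check trusts `TpmHashAlgorithmBitmap`, but the only guard on `Tpm2GetCapabilitySupportedAndActivePcrs` is `ASSERT_EFI_ERROR (Status)`, which does nothing in builds where asserts are disabled; if the capability query fails there, the bitmap holds whatever it held before the call and the validation is meaningless. Add `if (EFI_ERROR (Status)) { return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; }` ahead of the new block. The debug text also says the banks are "not supported by TPM" when the request was rejected for being zero, and `DEBUG((` should be `DEBUG ((` to match the call style used on the surrounding lines. The enclosing `switch` starts and ends outside the hunk.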
-- 
1.9.5.msysgit.1




end of thread, other threads:[~2018-01-25 19:24 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-01-25  4:53 [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution Zhang, Chao B
2018-01-25  4:53 ` [PATCH] SecurityPkg/DxePhysicalPresenceLib: Reject illegal PCR bank allocation Zhang, Chao B
2018-01-25 19:34   ` Bill Paul
2018-01-25  4:53 ` [PATCH] SecurityPkg/PhysicalPresenceLib: " Zhang, Chao B
2018-01-25  4:53 ` [PATCH] SecurityPkg:Tpm2DeviceLibDTpm: Support TPM command cancel Zhang, Chao B
2018-01-25  6:39   ` Yao, Jiewen
2018-01-25  4:55 ` [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution Zhang, Chao B
  -- strict thread matches above, loose matches on Subject: below --
2018-01-15  7:29 [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation Zhang, Chao B
2018-01-15  7:52 ` Long, Qin
2018-01-15  8:31 ` Yao, Jiewen
