From: Matthew Garrett
To: "Yao, Jiewen"
Cc: Laszlo Ersek; edk2-devel@lists.01.org; Marc-André Lureau; Stefan Berger
Date: Thu, 13 Dec 2018 18:51:36 +0000
Subject: Re: Obtaining TCG final events on systems without TCG2 log support
Message-ID: <20181213185136.u7kwuenifopvgorp@srcf.ucam.org>
In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503F452EC4@shsmsx102.ccr.corp.intel.com>
References: <20181213011750.bfzfyhrr4ufsiu6j@srcf.ucam.org> <74D8A39837DF1E4DA445A8C0B3885C503F452EC4@shsmsx102.ccr.corp.intel.com>

I don't see how that follows - regardless of whether or not we'd like to
deprecate SHA1 support, people use it. There's little value in having an
incomplete event log.

On Thu, Dec 13, 2018 at 01:23:35PM +0000, Yao, Jiewen wrote:
> Right.
> I think we are trying to deprecate the old SHA1 support, because SHA1 is
> considered an insecure algorithm.
> We are moving to crypto agile. As such, we do not see the need to support
> the old style event log.
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: Laszlo Ersek [mailto:lersek@redhat.com]
> > Sent: Thursday, December 13, 2018 8:36 PM
> > To: Matthew Garrett
> > Cc: edk2-devel@lists.01.org; Yao, Jiewen; Marc-André Lureau; Stefan Berger
> > Subject: Re: [edk2] Obtaining TCG final events on systems without TCG2 log
> > support
> >
> > + Jiewen, Marc-André, Stefan
> >
> > On 12/13/18 02:17, Matthew Garrett wrote:
> > > SetupEventLog() in Tcg2Dxe.c only installs the final event log
> > > configuration table if SupportedEventLogs includes the TCG2 log format.
> > > If the platform only supports the TCG1.2 log format then the final
> > > events table isn't installed. However, ExitBootServices() should
> > > generate an event even on systems that don't support the TCG2 log
> > > format. How is an OS supposed to obtain the log of the
> > > ExitBootServices() events in that case?
> >
> > I don't think it can.
> >
> > You probably refer to the code below the comment "No need to handle
> > EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2", in SetupEventLog(). This code dates
> > back to commit fd46e831bc33 ("SecurityPkg: Update final event log
> > calculation.", 2016-01-18). And the commit message says, "... there is
> > no need to record TCG12 format log to final event log area ...".
> >
> > Hence, the code is intentional. I even think the code is valid
> > (according to the spec [*]); I just think the commit message should have
> > said, "there is no *way* to record TCG12 format log to final event log
> > area". Because, IMO, the bug is in the spec.
> >
> > [*] TCG EFI Protocol Specification
> >     Family “2.0”
> >     Level 00 Revision 00.13
> >     March 30, 2016
> >
> > Here's why I think it's a spec bug:
> >
> > (1) If EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 is *clear* in SupportedEventLogs,
> > then the platform advertizes GetEventLog() as unable to produce the
> > crypto agile log format.
> >
> > In other words, the platform is unable to produce a log which consists
> > of TCG_PCR_EVENT2 entries, beyond the sole TCG_PCR_EVENT ("SHA1 format")
> > header entry.
> >
> > Accordingly, GetEventLog() will fail with EFI_INVALID_PARAMETER, when
> > called with EventLogFormat=EFI_TCG2_EVENT_LOG_FORMAT_TCG_2. (BTW, I
> > think EFI_UNSUPPORTED would have been better for this, but I digress.)
> >
> > (2) EFI_TCG2_FINAL_EVENTS_TABLE is defined with TCG_PCR_EVENT2 entries
> > *only*. TCG_PCR_EVENT is not accommodated.
> >
> > That's the contradiction. If a platform is unable to produce
> > TCG_PCR_EVENT2 entries in GetEventLog(), it is fairly certainly also
> > unable to produce them in the final events table.
> >
> > And, while the first *instance* of the limitation is conformant, via
> > SupportedEventLogs, the second instance of the same limitation isn't.
> >
> > Thanks,
> > Laszlo

-- 
Matthew Garrett | mjg59@srcf.ucam.org
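To make the layout mismatch behind Laszlo's point (2) concrete, here is an added example; it is not code from this thread, from edk2's Tcg2Dxe, or from the TCG spec. It walks an EFI_TCG2_FINAL_EVENTS_TABLE, locating each TCG_PCR_EVENT2 entry by reading its per-digest algorithm ids, and then feeds a SHA1-format TCG_PCR_EVENT through the same parser to show why a TCG 1.2 entry cannot be placed in that table. The struct layouts, TPM_ALG_* ids, the EV_EFI_ACTION type and the "Exit Boot Services Invocation" string are from the TCG specs; the sample bytes, the digest-count sanity bound and all helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Layouts from the TCG EFI Protocol Specification, Family 2.0 (packed, little-endian):
 *   TCG_PCR_EVENT  (SHA1 "TCG 1.2" format):
 *     UINT32 PCRIndex; UINT32 EventType; UINT8 Digest[20]; UINT32 EventSize; UINT8 Event[];
 *   TCG_PCR_EVENT2 (crypto-agile format):
 *     UINT32 PCRIndex; UINT32 EventType; TPML_DIGEST_VALUES Digests; UINT32 EventSize; UINT8 Event[];
 *     TPML_DIGEST_VALUES = UINT32 Count; { UINT16 AlgorithmId; UINT8 Digest[len(Alg)]; }[Count]
 *   EFI_TCG2_FINAL_EVENTS_TABLE:
 *     UINT64 Version (== 1); UINT64 NumberOfEvents; TCG_PCR_EVENT2 Event[NumberOfEvents];
 */
#define TPM_ALG_SHA1               0x0004
#define TPM_ALG_SHA256             0x000B
#define EV_EFI_ACTION              0x80000007u
#define FINAL_EVENTS_TABLE_VERSION 1
#define MAX_DIGEST_COUNT           16   /* sanity bound chosen for this example, not from the spec */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static size_t wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); return 2; }
static size_t wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); return 4; }
static size_t wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); return 8; }

/* Digest length implied by a TPM algorithm id; 0 for algorithms this parser does not know. */
static size_t digest_size(uint16_t alg)
{
    switch (alg) {
    case TPM_ALG_SHA1:   return 20;
    case TPM_ALG_SHA256: return 32;
    default:             return 0;
    }
}

/*
 * Parse one TCG_PCR_EVENT2 at buf. The entry describes its own digest sizes only through
 * the algorithm ids (that is what makes the format crypto agile). Returns bytes consumed, or
 * 0 if the entry is truncated, has no digests, or names an algorithm of unknown length
 * (after which nothing behind it in the log can be located either).
 */
size_t parse_pcr_event2(const uint8_t *buf, size_t len, uint32_t *pcr, uint32_t *type)
{
    size_t off = 12;                     /* PCRIndex + EventType + Digests.Count */
    uint32_t count, i, event_size;
    if (len < off) return 0;
    *pcr = rd32(buf); *type = rd32(buf + 4); count = rd32(buf + 8);
    if (count == 0 || count > MAX_DIGEST_COUNT) return 0;
    for (i = 0; i < count; i++) {
        size_t ds;
        if (len - off < 2) return 0;
        ds = digest_size(rd16(buf + off)); off += 2;
        if (ds == 0 || len - off < ds) return 0;
        off += ds;
    }
    if (len - off < 4) return 0;
    event_size = rd32(buf + off); off += 4;
    if (len - off < event_size) return 0;
    return off + event_size;
}

/* Walk an EFI_TCG2_FINAL_EVENTS_TABLE. Returns the number of events, or -1 if malformed. */
int walk_final_events_table(const uint8_t *tbl, size_t len)
{
    uint64_t n, i; size_t off = 16;
    if (len < off || rd64(tbl) != FINAL_EVENTS_TABLE_VERSION) return -1;
    n = rd64(tbl + 8);
    for (i = 0; i < n; i++) {
        uint32_t pcr, type;
        size_t used = parse_pcr_event2(tbl + off, len - off, &pcr, &type);
        if (used == 0) return -1;
        off += used;
    }
    return (int)n;
}

/*
 * Constructed sample, not captured from real firmware: a final events table holding two
 * EV_EFI_ACTION events in PCR 5, the first with SHA1+SHA256 digests, the second SHA1-only.
 * Digest bytes are filler. Returns the table length, or 0 if cap is too small.
 */
size_t build_sample_table(uint8_t *out, size_t cap)
{
    static const char act[] = "Exit Boot Services Invocation";
    const uint32_t esz = (uint32_t)(sizeof act - 1);
    size_t off = 0;
    if (cap < 16 + 2 * (12 + 2 + 20 + 4 + esz) + 2 + 32) return 0;
    off += wr64(out + off, FINAL_EVENTS_TABLE_VERSION);
    off += wr64(out + off, 2);
    off += wr32(out + off, 5); off += wr32(out + off, EV_EFI_ACTION); off += wr32(out + off, 2);
    off += wr16(out + off, TPM_ALG_SHA1);   memset(out + off, 0x11, 20); off += 20;
    off += wr16(out + off, TPM_ALG_SHA256); memset(out + off, 0x22, 32); off += 32;
    off += wr32(out + off, esz); memcpy(out + off, act, esz); off += esz;
    off += wr32(out + off, 5); off += wr32(out + off, EV_EFI_ACTION); off += wr32(out + off, 1);
    off += wr16(out + off, TPM_ALG_SHA1);   memset(out + off, 0x33, 20); off += 20;
    off += wr32(out + off, esz); memcpy(out + off, act, esz); off += esz;
    return off;
}

/* Build the sample, drop `trim` trailing bytes, walk it: 2 for the intact table, -1 if cut short. */
int sample_event_count(size_t trim)
{
    uint8_t buf[256];
    size_t n = build_sample_table(buf, sizeof buf);
    return walk_final_events_table(buf, n - trim);
}

/*
 * A constructed SHA1-format TCG_PCR_EVENT for the same action. It carries no algorithm id,
 * so a TCG_PCR_EVENT2 walker has no way to learn that its digest is 20 bytes: the digest's
 * first bytes get read as Digests.Count and the parse fails. That is the mismatch that
 * keeps TCG 1.2 entries out of the final events table.
 */
size_t sha1_event_parsed_as_event2(void)
{
    uint8_t ev[64]; uint32_t pcr, type; size_t off = 0;
    off += wr32(ev + off, 5); off += wr32(ev + off, EV_EFI_ACTION);
    memset(ev + off, 0xab, 20); off += 20;                        /* Digest[20] */
    off += wr32(ev + off, 4); memcpy(ev + off, "Exit", 4); off += 4;
    return parse_pcr_event2(ev, off, &pcr, &type);                /* 0: not a valid EVENT2 */
}
```

The same walker applies to a GetEventLog() buffer in EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 format once the leading TCG_PCR_EVENT-format Spec ID header entry that Laszlo mentions has been skipped; the final events table has no such header, so its entries start right after the two UINT64 fields. An OS-side consumer should also stop walking on the first entry with an unknown algorithm id rather than guessing a digest length, since every later offset depends on it.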