From: "Snehal Kangralkar"
To: devel@edk2.groups.io
Cc: Jiewen Yao , Qi Zhang
Subject: [PATCH v1 1/1] SecurityPkg : Sync PcdTpm2HashMask to the active PCR banks in the TPM
Date: Fri, 1 Jul 2022 10:42:13 -0700
Message-Id: <20220701174213.935-2-snehal.kangralkar@intel.com>
X-Mailer: git-send-email 2.36.1.windows.1
In-Reply-To: <20220701174213.935-1-snehal.kangralkar@intel.com>
References: <20220701174213.935-1-snehal.kangralkar@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3923

According to the definition of PcdTpm2HashMask, the mask reflects the PCR banks which need to be extended. In the Tcg2Pei SyncPcrAllocationsAndPcrMask function, we are setting PcdTpm2HashMask to match the active PCR banks, but this will only occur if the mask was originally set to 0. Always sync the PcdTpm2HashMask to the active PCR banks in the TPM. Only then do we see that the computed hashes are limited to those PCRs which are active.

Cc: Jiewen Yao
Cc: Qi Zhang
Signed-off-by: Snehal Kangralkar
---
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index 26bb5282a58b..a77d8c0a083c 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -279,15 +279,10 @@ SyncPcrAllocationsAndPcrMask ( DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks)); Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask); - if (Tpm2PcrMask == 0) { - // - // If PcdTpm2HashMask is zero, use ActivePcr setting. - // Only when PcdTpm2HashMask is initialized to 0, will it be updated to current Active Pcrs. - // - PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks); - Tpm2PcrMask = TpmActivePcrBanks; - } + // Sync the PcdTpm2HashMask to the active PCR banks. + PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks); + Tpm2PcrMask = TpmActivePcrBanks; DEBUG ((DEBUG_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask)); // -- 2.36.1.windows.1
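Review bot: the unconditional `PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);` in this hunk discards any non-zero mask a platform configured in PcdTpm2HashMask, while the removed comment ("Only when PcdTpm2HashMask is initialized to 0, will it be updated to current Active Pcrs") documented that a non-zero platform value was to be preserved. A platform that set a non-zero mask to keep a bank out of measurement would now silently have its mask widened to whatever the TPM reports as active, which changes the meaning of the PCD described in the commit message as "the PCR banks which need to be extended"; please state in the commit message and in the PCD's description that the platform-provided value is now informational only, or keep a way for a non-zero mask to narrow the active banks. Two smaller points: the return status of `PcdSet32S` is still ignored on the added line, and with `Tpm2PcrMask = TpmActivePcrBanks;` the trailing `DEBUG ((DEBUG_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask));` always prints the value already logged by the TpmActivePcrBanks message above it, so one of the two debug lines can be dropped.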