From: "Wenxing Hou" To: devel@edk2.groups.io Cc: Liming Gao , Jiewen Yao Subject: [edk2-devel] [PATCH 4/9] MdeModulePkg/Variable: Add TCG SPDM device measurement update Date: Tue, 2 Apr 2024 10:31:20 +0800 Message-Id: <20240402023125.4168-5-wenxing.hou@intel.com> In-Reply-To: <20240402023125.4168-1-wenxing.hou@intel.com> References: <20240402023125.4168-1-wenxing.hou@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Resent-Date: Mon, 01 Apr 2024 19:31:42 -0700 Resent-From: wenxing.hou@intel.com Reply-To: devel@edk2.groups.io,wenxing.hou@intel.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: ESB29lHHsupkzRpLPVuXOx1Kx7686176AA= Content-Transfer-Encoding: quoted-printable X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20240206 header.b=w3fa5qoS; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io Add EV_EFI_SPDM_DEVICE_POLICY support for MeasureVariable. Cc: Liming Gao Cc: Jiewen Yao Signed-off-by: Wenxing Hou --- MdeModulePkg/MdeModulePkg.dec | 5 +++ .../Variable/RuntimeDxe/Measurement.c | 38 ++++++++++++++++--- .../RuntimeDxe/VariableRuntimeDxe.inf | 3 ++ .../RuntimeDxe/VariableSmmRuntimeDxe.inf | 3 ++ 4 files changed, 43 insertions(+), 6 deletions(-) diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index a82dedc070..3dad5e6803 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec 
@@ -2139,6 +2139,11 @@ # @Prompt TCG Platform Firmware Profile revision.=0D gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision|0|UINT32|0x0= 0010077=0D =0D + ## Specify whether to enable the state of SPDM device authentication and= measurement.

=0D + # 0: Platform Firmware not supports SPDM device authentication and meas= urement.=0D + # 1: Platform Firmware supports SPDM device authentication and measurem= ent.=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthenticaion|0|UINT8|= 0x00010033=0D +=0D ## Indicates if StatusCode is reported via Serial port.

=0D # TRUE - Reports StatusCode via Serial port.
=0D # FALSE - Does not report StatusCode via Serial port.
=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c b/Mde= ModulePkg/Universal/Variable/RuntimeDxe/Measurement.c index c15cce9716..74514077bd 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =0D #include =0D #include =0D +#include =0D #include =0D =0D #include =0D @@ -26,12 +27,13 @@ typedef struct { } VARIABLE_TYPE;=0D =0D VARIABLE_TYPE mVariableType[] =3D {=0D - { EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid },=0D - { EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid },=0D - { EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid },=0D - { EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid },=0D - { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid },=0D - { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid },=0D + { EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid },=0D + { EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid },=0D + { EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_DEVICE_SECURITY_DATABASE, &gEfiDeviceSignatureDatabaseGuid },=0D };=0D =0D //=0D 
@@ -123,6 +125,22 @@ MeasureVariable ( );=0D }=0D =0D + if (CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid)) {=0D + DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventType= - %x, ", PCR_INDEX_FOR_SIGNATURE_DB, (UINTN)EV_EFI_SPDM_DEVICE_POLICY));=0D + DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, = VendorGuid));=0D +=0D + Status =3D TpmMeasureAndLogData (=0D + PCR_INDEX_FOR_SIGNATURE_DB,=0D + EV_EFI_SPDM_DEVICE_POLICY,=0D + VarLog,=0D + VarLogSize,=0D + VarLog,=0D + VarLogSize=0D + );=0D + FreePool (VarLog);=0D + return Status;=0D + }=0D +=0D DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventType -= %x, ", (UINTN)7, (UINTN)EV_EFI_VARIABLE_DRIVER_CONFIG));=0D DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, Ve= ndorGuid));=0D =0D @@ -228,6 +246,14 @@ SecureBootHook ( return;=0D }=0D =0D + if (CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid)) {=0D + if ((PcdGet32 (PcdTcgPfpMeasurementRevision) < TCG_EfiSpecIDEventStruc= t_SPEC_ERRATA_TPM2_REV_106) ||=0D + (PcdGet8 (PcdEnableSpdmDeviceAuthenticaion) =3D=3D 0))=0D + {=0D + return;=0D + }=0D + }=0D +=0D //=0D // We should NOT use Data and DataSize here,because it may include signa= ture,=0D // or is just partial with append attributes, or is deleted.=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.= inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf index 3858adf673..c729da448e 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf @@ -125,6 +125,7 @@ ## SOMETIMES_CONSUMES ## Variable:L"dbx"=0D ## SOMETIMES_CONSUMES ## Variable:L"dbt"=0D gEfiImageSecurityDatabaseGuid=0D + gEfiDeviceSignatureDatabaseGuid=0D =0D [Pcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize ## CON= SUMES=0D 
@@ -138,6 +139,8 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdReclaimVariableSpaceAtEndOfDxe ## CON= SUMES=0D gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable ## SOM= ETIMES_CONSUMES=0D gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved ## SOM= ETIMES_CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision ## CON= SUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthenticaion ## PRO= DUCES AND CONSUMES=0D =0D [FeaturePcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdVariableCollectStatistics ## CONSUMES= # statistic the information of variable.=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeD= xe.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.i= nf index a0d8b2267e..98ff7800c1 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf @@ -80,6 +80,8 @@ =0D [Pcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable = ## CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision = ## CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthenticaion = ## PRODUCES AND CONSUMES=0D =0D [Guids]=0D ## PRODUCES ## GUID # Signature of Variable store header=0D @@ -110,6 +112,7 @@ =0D gVarCheckPolicyLibMmiHandlerGuid=0D gEfiEndOfDxeEventGroupGuid=0D + gEfiDeviceSignatureDatabaseGuid=0D =0D [Depex]=0D gEfiMmCommunication2ProtocolGuid=0D --=20 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#117309): https://edk2.groups.io/g/devel/message/117309 Mute This Topic: https://groups.io/mt/105281052/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-
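Review bot: the new token name `PcdEnableSpdmDeviceAuthenticaion` introduced in the MdeModulePkg.dec hunk (and repeated in the Measurement.c and both .inf hunks) is misspelled; it should be `PcdEnableSpdmDeviceAuthentication`. A token name in a public .dec becomes part of the package interface that platform DSC files reference, so it is much cheaper to correct before merge than afterwards. The help text "Platform Firmware not supports SPDM device authentication and measurement" should read "Platform firmware does not support SPDM device authentication and measurement." Please also confirm that token number 0x00010033 is not already taken elsewhere in the .dec, since it is out of sequence with the neighbouring 0x00010077.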
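Review bot: in the mVariableType hunk of Measurement.c (@@ -26,12), the six existing rows are rewritten solely to realign their columns with the new EFI_DEVICE_SECURITY_DATABASE entry, turning a one-line functional change into a twelve-line diff that hides the real addition. Either keep the existing alignment or move the whitespace change into a separate commit so the new row `{ EFI_DEVICE_SECURITY_DATABASE, &gEfiDeviceSignatureDatabaseGuid }` is the only substantive change in the hunk.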
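Review bot: the new EV_EFI_SPDM_DEVICE_POLICY branch in MeasureVariable (@@ -123,6) duplicates the TpmMeasureAndLogData, FreePool and return sequence of the existing EV_EFI_VARIABLE_DRIVER_CONFIG path directly below it; the only differences are the PCR index and the event type, so selecting those two values up front and falling through to the single existing call would avoid two copies of measurement logic that must be kept in sync. The branch also uses PCR_INDEX_FOR_SIGNATURE_DB while the existing path passes a bare `(UINTN)7` for the same PCR, and it hands PCR_INDEX_FOR_SIGNATURE_DB to the DEBUG `%x` without the `(UINTN)` cast the existing line applies; use the macro, with the cast, in both places. A short comment stating that the same VarLog buffer is logged for both event types would help readers checking the log layout against the PFP spec.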
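Review bot: the new early return in SecureBootHook (@@ -228,6) carries no comment explaining either condition. Suggest one above the `if` stating that EV_EFI_SPDM_DEVICE_POLICY is only defined from TCG PFP revision 1.06 onward, so an older event-log revision must not emit it, and that PcdEnableSpdmDeviceAuthenticaion is the platform opt-in. Because both conditions collapse into a single silent return, a DEBUG_VERBOSE line naming which check skipped the measurement would make a missing device-policy measurement diagnosable on a real platform instead of looking like a variable that was never written.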
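Review bot: in the VariableRuntimeDxe.inf [Guids] hunk (@@ -125,6), gEfiDeviceSignatureDatabaseGuid is added without the `## SOMETIMES_CONSUMES ## Variable:L"..."` usage comments that the neighbouring gEfiImageSecurityDatabaseGuid entry carries for dbx and dbt. Add the same annotation for the EFI_DEVICE_SECURITY_DATABASE variable so that readers and the build's usage tracking know which variable under this GUID is measured.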
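Review bot: the VariableRuntimeDxe.inf [Pcd] hunk (@@ -138,6) declares PcdEnableSpdmDeviceAuthenticaion as `## PRODUCES AND CONSUMES`, but the only use in this patch is the PcdGet8 read in SecureBootHook; nothing here sets it. Unless a later patch in the series writes the PCD from this driver, the usage should be `## CONSUMES`, matching PcdTcgPfpMeasurementRevision on the line above, since a PRODUCES annotation tells platform integrators that the variable driver changes the value.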
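Review bot: the VariableSmmRuntimeDxe.inf [Pcd] hunk (@@ -80,6) has the same `## PRODUCES AND CONSUMES` annotation on PcdEnableSpdmDeviceAuthenticaion as the DXE .inf, again with no write to the PCD anywhere in the patch; it should be `## CONSUMES` here as well, and the two .inf files should be kept consistent with each other once the correct usage is settled.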
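Review bot: in the VariableSmmRuntimeDxe.inf [Guids] hunk (@@ -110,6), gEfiDeviceSignatureDatabaseGuid is appended after gEfiEndOfDxeEventGroupGuid with no usage comment; the other .inf in this patch groups the image security database GUID with its `## SOMETIMES_CONSUMES ## Variable:L"..."` lines, so place this GUID beside them with a matching annotation for the EFI_DEVICE_SECURITY_DATABASE variable rather than at the end of an unrelated list.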