From: "Wenxing Hou"
To: devel@edk2.groups.io
Cc: Liming Gao, Jiewen Yao
Subject: [edk2-devel] [PATCH v2 4/9] MdeModulePkg/Variable: Add TCG SPDM device measurement update
Date: Mon, 8 Apr 2024 09:46:44 +0800
Message-Id: <20240408014649.2521-5-wenxing.hou@intel.com>
In-Reply-To: <20240408014649.2521-1-wenxing.hou@intel.com>
References: <20240408014649.2521-1-wenxing.hou@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Add EV_EFI_SPDM_DEVICE_POLICY support for MeasureVariable.

Cc: Liming Gao
Cc: Jiewen Yao
Signed-off-by: Wenxing Hou
---
 MdeModulePkg/MdeModulePkg.dec                 |  5 +++
 .../Variable/RuntimeDxe/Measurement.c         | 38 ++++++++++++++++---
 .../RuntimeDxe/VariableRuntimeDxe.inf         |  3 ++
 .../RuntimeDxe/VariableSmmRuntimeDxe.inf      |  3 ++
 4 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index a82dedc070..1a5fd5a190 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -2139,6 +2139,11 @@ # @Prompt TCG Platform Firmware Profile revision.=0D gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision|0|UINT32|0x0= 0010077=0D =0D + ## Specify whether to enable the state of SPDM device authentication and= measurement.

=0D + # 0: Platform Firmware not supports SPDM device authentication and meas= urement.=0D + # 1: Platform Firmware supports SPDM device authentication and measurem= ent.=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthentication|0|UINT8= |0x00010033=0D +=0D ## Indicates if StatusCode is reported via Serial port.

=0D # TRUE - Reports StatusCode via Serial port.
=0D # FALSE - Does not report StatusCode via Serial port.
=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c b/Mde= ModulePkg/Universal/Variable/RuntimeDxe/Measurement.c index c15cce9716..a52683a9e3 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =0D #include =0D #include =0D +#include =0D #include =0D =0D #include =0D @@ -26,12 +27,13 @@ typedef struct { } VARIABLE_TYPE;=0D =0D VARIABLE_TYPE mVariableType[] =3D {=0D - { EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid },=0D - { EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid },=0D - { EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid },=0D - { EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid },=0D - { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid },=0D - { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid },=0D + { EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid },=0D + { EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid },=0D + { EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_DEVICE_SECURITY_DATABASE, &gEfiDeviceSignatureDatabaseGuid },=0D };=0D =0D //=0D 
@@ -123,6 +125,22 @@ MeasureVariable ( );=0D }=0D =0D + if (CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid)) {=0D + DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventType= - %x, ", PCR_INDEX_FOR_SIGNATURE_DB, (UINTN)EV_EFI_SPDM_DEVICE_POLICY));=0D + DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, = VendorGuid));=0D +=0D + Status =3D TpmMeasureAndLogData (=0D + PCR_INDEX_FOR_SIGNATURE_DB,=0D + EV_EFI_SPDM_DEVICE_POLICY,=0D + VarLog,=0D + VarLogSize,=0D + VarLog,=0D + VarLogSize=0D + );=0D + FreePool (VarLog);=0D + return Status;=0D + }=0D +=0D DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventType -= %x, ", (UINTN)7, (UINTN)EV_EFI_VARIABLE_DRIVER_CONFIG));=0D DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, Ve= ndorGuid));=0D =0D @@ -228,6 +246,14 @@ SecureBootHook ( return;=0D }=0D =0D + if (CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid)) {=0D + if ((PcdGet32 (PcdTcgPfpMeasurementRevision) < TCG_EfiSpecIDEventStruc= t_SPEC_ERRATA_TPM2_REV_106) ||=0D + (PcdGet8 (PcdEnableSpdmDeviceAuthentication) =3D=3D 0))=0D + {=0D + return;=0D + }=0D + }=0D +=0D //=0D // We should NOT use Data and DataSize here,because it may include signa= ture,=0D // or is just partial with append attributes, or is deleted.=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.= inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf index 3858adf673..f90ec70b77 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf @@ -125,6 +125,7 @@ ## SOMETIMES_CONSUMES ## Variable:L"dbx"=0D ## SOMETIMES_CONSUMES ## Variable:L"dbt"=0D gEfiImageSecurityDatabaseGuid=0D + gEfiDeviceSignatureDatabaseGuid=0D =0D [Pcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize ## CON= SUMES=0D 
@@ -138,6 +139,8 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdReclaimVariableSpaceAtEndOfDxe ## CON= SUMES=0D gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable ## SOM= ETIMES_CONSUMES=0D gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved ## SOM= ETIMES_CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision ## CON= SUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthentication ## PR= ODUCES AND CONSUMES=0D =0D [FeaturePcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdVariableCollectStatistics ## CONSUMES= # statistic the information of variable.=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeD= xe.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.i= nf index a0d8b2267e..e1085653fe 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf @@ -80,6 +80,8 @@ =0D [Pcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable = ## CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision = ## CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthentication = ## PRODUCES AND CONSUMES=0D =0D [Guids]=0D ## PRODUCES ## GUID # Signature of Variable store header=0D @@ -110,6 +112,7 @@ =0D gVarCheckPolicyLibMmiHandlerGuid=0D gEfiEndOfDxeEventGroupGuid=0D + gEfiDeviceSignatureDatabaseGuid=0D =0D [Depex]=0D gEfiMmCommunication2ProtocolGuid=0D --=20 2.26.2.windows.1
View/Reply Online (#117481): https://edk2.groups.io/g/devel/message/117481
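Review bot: In the MdeModulePkg.dec hunk (@@ -2139,6 +2139,11 @@), the new PcdEnableSpdmDeviceAuthentication entry has no `# @Prompt ...` line, unlike the PcdTcgPfpMeasurementRevision entry directly above it, and its comment does not mention that the measurement is additionally gated on PcdTcgPfpMeasurementRevision being at least TCG_EfiSpecIDEventStruct_SPEC_ERRATA_TPM2_REV_106 (the check this patch adds in SecureBootHook). Suggest adding both, fixing the grammar of the value comments ("0: Platform Firmware does not support SPDM device authentication and measurement."), and, since only 0 and 1 are meaningful while the consumer tests `== 0`, either declaring the PCD as BOOLEAN or documenting the valid range so that a platform setting any other value is not silently treated as enabled.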
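Review bot: In the MeasureVariable hunk of Measurement.c (@@ -123,6 +125,22 @@), the new gEfiDeviceSignatureDatabaseGuid branch duplicates the TpmMeasureAndLogData / FreePool / return sequence that already follows it, differing only in the PCR index and event type, so the two copies of the measurement path can drift apart. Selecting the parameters up front and keeping a single call is simpler, for instance:
  EventType = CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid) ? EV_EFI_SPDM_DEVICE_POLICY : EV_EFI_VARIABLE_DRIVER_CONFIG;
The new branch also passes the PCR_INDEX_FOR_SIGNATURE_DB macro while the existing call a few lines below still passes the literal (UINTN)7; use the macro in both places (or the literal in both) so the PCR selection is stated once.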
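Review bot: In the SecureBootHook hunk of Measurement.c (@@ -228,6 +246,14 @@), the early return for gEfiDeviceSignatureDatabaseGuid silently skips the measurement when PcdTcgPfpMeasurementRevision is below TCG_EfiSpecIDEventStruct_SPEC_ERRATA_TPM2_REV_106 or PcdEnableSpdmDeviceAuthentication is 0, with no DEBUG output, which will make a missing EV_EFI_SPDM_DEVICE_POLICY event hard to diagnose on a platform that expected one. A DEBUG ((DEBUG_INFO, ...)) line before the return and a short comment stating why the revision check is required would help. Note also that the gate lives only in SecureBootHook: MeasureVariable itself will still emit EV_EFI_SPDM_DEVICE_POLICY for any other caller that passes this GUID, so if the PCD is meant to disable the event type entirely, the check belongs in MeasureVariable.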
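Review bot: In the VariableRuntimeDxe.inf [Guids] hunk (@@ -125,6 +125,7 @@), gEfiDeviceSignatureDatabaseGuid is added without the `## SOMETIMES_CONSUMES ## Variable:L"..."` usage comments that the preceding gEfiImageSecurityDatabaseGuid entry carries for dbx and dbt; add the matching comment naming the variable measured under this GUID (EFI_DEVICE_SECURITY_DATABASE, as listed in mVariableType) so the INF documents the new variable dependency the same way as the existing ones.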
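Review bot: In the [Pcd] hunks of VariableRuntimeDxe.inf (@@ -138,6 +139,8 @@) and VariableSmmRuntimeDxe.inf (@@ -80,6 +80,8 @@), PcdEnableSpdmDeviceAuthentication is annotated `## PRODUCES AND CONSUMES`, but the only use this patch adds is a PcdGet8 in SecureBootHook; nothing in the variable driver sets it. Mark it `## CONSUMES`, matching PcdTcgPfpMeasurementRevision on the line above, unless a later patch in the series makes the driver set it, in which case the commit message should say so.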