From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+117481+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id 8F938940F30
	for <rebecca@openfw.io>; Mon,  8 Apr 2024 01:47:03 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=F+B59Ql2eSNLgts7r4pf/TFHhBBnirJcH/PPClrJUtc=;
 c=relaxed/simple; d=groups.io;
 h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Resent-From:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding;
 s=20240206; t=1712540822; v=1;
 b=G1Og6XHTegg7N10HH1McZHoZTPgpTRVn+0gbXGJKzZZwo+XeB8qFbq3SX1j9uFxjwP5aKIfk
 DASNQSUyEOjrGUrS9tUNWhruHpl5yglb1n5bdy1NKOt/HhXGZCZ+mPf0xsNlhmJjFtz2QQGo4ZZ
 VbNHDGjZnFMjpZ3m9K3qDGrA9Bnl2ka4s86F6xy6B4D6Jeg0fnmgqqSTus5oruSQJWzUMHwJyp5
 KnECx8pXuFXNsYdvsvUMKY/OiT66k3gXYdoFGHW7sPTHvZ9zK8QHS4/vIsDoLJKTNRbDwXmEjc4
 8MxAFxkslXMKhiJVeUjxe3w0kfRJsitTIOyUlf57c7aTA==
X-Received: by 127.0.0.2 with SMTP id fChJYY7687511xcxZPEoa8mw; Sun, 07 Apr 2024 18:47:02 -0700
X-Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.18])
 by mx.groups.io with SMTP id smtpd.web11.96783.1712540815713985685
 for <devel@edk2.groups.io>;
 Sun, 07 Apr 2024 18:47:01 -0700
X-CSE-ConnectionGUID: BtsndZI0Qj+ZUOMzb4Knwg==
X-CSE-MsgGUID: Y34Xx9HZTtGodEarpob8OQ==
X-IronPort-AV: E=McAfee;i="6600,9927,11037"; a="7969736"
X-IronPort-AV: E=Sophos;i="6.07,186,1708416000"; 
   d="scan'208";a="7969736"
X-Received: from fmviesa003.fm.intel.com ([10.60.135.143])
  by orvoesa110.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Apr 2024 18:47:01 -0700
X-CSE-ConnectionGUID: NHuRe45rRWuFy16GMaKxZQ==
X-CSE-MsgGUID: 5Q3o2BBBQrysh/6zuKudfA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.07,186,1708416000"; 
   d="scan'208";a="24209684"
X-Received: from shwdejointd777.ccr.corp.intel.com ([10.239.58.116])
  by fmviesa003.fm.intel.com with ESMTP; 07 Apr 2024 18:47:00 -0700
From: "Wenxing Hou" <wenxing.hou@intel.com>
To: devel@edk2.groups.io
Cc: Liming Gao <gaoliming@byosoft.com.cn>,
	Jiewen Yao <jiewen.yao@intel.com>
Subject: [edk2-devel] [PATCH v2 4/9] MdeModulePkg/Variable: Add TCG SPDM device measurement update
Date: Mon,  8 Apr 2024 09:46:44 +0800
Message-Id: <20240408014649.2521-5-wenxing.hou@intel.com>
In-Reply-To: <20240408014649.2521-1-wenxing.hou@intel.com>
References: <20240408014649.2521-1-wenxing.hou@intel.com>
MIME-Version: 1.0
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Resent-Date: Sun, 07 Apr 2024 18:47:01 -0700
Resent-From: wenxing.hou@intel.com
Reply-To: devel@edk2.groups.io,wenxing.hou@intel.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: 8OWuZApQT14loiLBCxzVoxZbx7686176AA=
Content-Transfer-Encoding: quoted-printable
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20240206 header.b=G1Og6XHT;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none);
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io

Add EV_EFI_SPDM_DEVICE_POLICY support for MeasureVariable.

Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
---
 MdeModulePkg/MdeModulePkg.dec                 |  5 +++
 .../Variable/RuntimeDxe/Measurement.c         | 38 ++++++++++++++++---
 .../RuntimeDxe/VariableRuntimeDxe.inf         |  3 ++
 .../RuntimeDxe/VariableSmmRuntimeDxe.inf      |  3 ++
 4 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index a82dedc070..1a5fd5a190 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -2139,6 +2139,11 @@
   # @Prompt TCG Platform Firmware Profile revision.=0D
   gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision|0|UINT32|0x0=
0010077=0D
 =0D
+  ## Specify whether to enable the state of SPDM device authentication and=
 measurement.<BR><BR>=0D
+  #  0: Platform Firmware not supports SPDM device authentication and meas=
urement.=0D
+  #  1: Platform Firmware supports SPDM device authentication and measurem=
ent.=0D
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthentication|0|UINT8=
|0x00010033=0D
+=0D
   ## Indicates if StatusCode is reported via Serial port.<BR><BR>=0D
   #   TRUE  - Reports StatusCode via Serial port.<BR>=0D
   #   FALSE - Does not report StatusCode via Serial port.<BR>=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c b/Mde=
ModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
index c15cce9716..a52683a9e3 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 =0D
 #include <PiDxe.h>=0D
 #include <Guid/ImageAuthentication.h>=0D
+#include <Guid/DeviceAuthentication.h>=0D
 #include <IndustryStandard/UefiTcgPlatform.h>=0D
 =0D
 #include <Library/UefiBootServicesTableLib.h>=0D
@@ -26,12 +27,13 @@ typedef struct {
 } VARIABLE_TYPE;=0D
 =0D
 VARIABLE_TYPE  mVariableType[] =3D {=0D
-  { EFI_SECURE_BOOT_MODE_NAME,    &gEfiGlobalVariableGuid        },=0D
-  { EFI_PLATFORM_KEY_NAME,        &gEfiGlobalVariableGuid        },=0D
-  { EFI_KEY_EXCHANGE_KEY_NAME,    &gEfiGlobalVariableGuid        },=0D
-  { EFI_IMAGE_SECURITY_DATABASE,  &gEfiImageSecurityDatabaseGuid },=0D
-  { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid },=0D
-  { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid },=0D
+  { EFI_SECURE_BOOT_MODE_NAME,    &gEfiGlobalVariableGuid          },=0D
+  { EFI_PLATFORM_KEY_NAME,        &gEfiGlobalVariableGuid          },=0D
+  { EFI_KEY_EXCHANGE_KEY_NAME,    &gEfiGlobalVariableGuid          },=0D
+  { EFI_IMAGE_SECURITY_DATABASE,  &gEfiImageSecurityDatabaseGuid   },=0D
+  { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid   },=0D
+  { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid   },=0D
+  { EFI_DEVICE_SECURITY_DATABASE, &gEfiDeviceSignatureDatabaseGuid },=0D
 };=0D
 =0D
 //=0D
@@ -123,6 +125,22 @@ MeasureVariable (
       );=0D
   }=0D
 =0D
+  if (CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid)) {=0D
+    DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventType=
 - %x, ", PCR_INDEX_FOR_SIGNATURE_DB, (UINTN)EV_EFI_SPDM_DEVICE_POLICY));=0D
+    DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, =
VendorGuid));=0D
+=0D
+    Status =3D TpmMeasureAndLogData (=0D
+               PCR_INDEX_FOR_SIGNATURE_DB,=0D
+               EV_EFI_SPDM_DEVICE_POLICY,=0D
+               VarLog,=0D
+               VarLogSize,=0D
+               VarLog,=0D
+               VarLogSize=0D
+               );=0D
+    FreePool (VarLog);=0D
+    return Status;=0D
+  }=0D
+=0D
   DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventType -=
 %x, ", (UINTN)7, (UINTN)EV_EFI_VARIABLE_DRIVER_CONFIG));=0D
   DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, Ve=
ndorGuid));=0D
 =0D
@@ -228,6 +246,14 @@ SecureBootHook (
     return;=0D
   }=0D
 =0D
+  if (CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid)) {=0D
+    if ((PcdGet32 (PcdTcgPfpMeasurementRevision) < TCG_EfiSpecIDEventStruc=
t_SPEC_ERRATA_TPM2_REV_106) ||=0D
+        (PcdGet8 (PcdEnableSpdmDeviceAuthentication) =3D=3D 0))=0D
+    {=0D
+      return;=0D
+    }=0D
+  }=0D
+=0D
   //=0D
   // We should NOT use Data and DataSize here,because it may include signa=
ture,=0D
   // or is just partial with append attributes, or is deleted.=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.=
inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
index 3858adf673..f90ec70b77 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
@@ -125,6 +125,7 @@
   ## SOMETIMES_CONSUMES   ## Variable:L"dbx"=0D
   ## SOMETIMES_CONSUMES   ## Variable:L"dbt"=0D
   gEfiImageSecurityDatabaseGuid=0D
+  gEfiDeviceSignatureDatabaseGuid=0D
 =0D
 [Pcd]=0D
   gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize                 ## CON=
SUMES=0D
@@ -138,6 +139,8 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdReclaimVariableSpaceAtEndOfDxe  ## CON=
SUMES=0D
   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable         ## SOM=
ETIMES_CONSUMES=0D
   gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved      ## SOM=
ETIMES_CONSUMES=0D
+  gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision       ## CON=
SUMES=0D
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthentication   ## PR=
ODUCES AND CONSUMES=0D
 =0D
 [FeaturePcd]=0D
   gEfiMdeModulePkgTokenSpaceGuid.PcdVariableCollectStatistics  ## CONSUMES=
 # statistic the information of variable.=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeD=
xe.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.i=
nf
index a0d8b2267e..e1085653fe 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
@@ -80,6 +80,8 @@
 =0D
 [Pcd]=0D
   gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable =
    ## CONSUMES=0D
+  gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision             =
    ## CONSUMES=0D
+  gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthentication        =
     ## PRODUCES AND CONSUMES=0D
 =0D
 [Guids]=0D
   ## PRODUCES             ## GUID # Signature of Variable store header=0D
@@ -110,6 +112,7 @@
 =0D
   gVarCheckPolicyLibMmiHandlerGuid=0D
   gEfiEndOfDxeEventGroupGuid=0D
+  gEfiDeviceSignatureDatabaseGuid=0D
 =0D
 [Depex]=0D
   gEfiMmCommunication2ProtocolGuid=0D
--=20
2.26.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#117481): https://edk2.groups.io/g/devel/message/117481
Mute This Topic: https://groups.io/mt/105394116/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-