From: "Wenxing Hou"
To: devel@edk2.groups.io
Cc: Liming Gao , Jiewen Yao
Subject: [edk2-devel] [PATCH v3 04/10] MdeModulePkg/Variable: Add TCG SPDM device measurement update
Date: Mon, 15 Apr 2024 09:58:53 +0800
Message-Id: <20240415015859.2997-5-wenxing.hou@intel.com>
In-Reply-To: <20240415015859.2997-1-wenxing.hou@intel.com>
References: <20240415015859.2997-1-wenxing.hou@intel.com>
MIME-Version: 1.0
Sender: devel@edk2.groups.io
List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,wenxing.hou@intel.com
Content-Transfer-Encoding: quoted-printable

Add EV_EFI_SPDM_DEVICE_POLICY support for MeasureVariable.

Cc: Liming Gao
Cc: Jiewen Yao
Signed-off-by: Wenxing Hou
---
 MdeModulePkg/MdeModulePkg.dec                  |  5 +++
 .../Variable/RuntimeDxe/Measurement.c          | 38 ++++++++++++++++---
 .../RuntimeDxe/VariableRuntimeDxe.inf          |  3 ++
 .../RuntimeDxe/VariableSmmRuntimeDxe.inf       |  3 ++
 4 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index a82dedc070..1a5fd5a190 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -2139,6 +2139,11 @@ # @Prompt TCG Platform Firmware Profile revision.=0D gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision|0|UINT32|0x0= 0010077=0D =0D + ## Specify whether to enable the state of SPDM device authentication and= measurement.

=0D + # 0: Platform Firmware not supports SPDM device authentication and meas= urement.=0D + # 1: Platform Firmware supports SPDM device authentication and measurem= ent.=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthentication|0|UINT8= |0x00010033=0D +=0D ## Indicates if StatusCode is reported via Serial port.

=0D # TRUE - Reports StatusCode via Serial port.
=0D # FALSE - Does not report StatusCode via Serial port.
=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c b/Mde= ModulePkg/Universal/Variable/RuntimeDxe/Measurement.c index c15cce9716..a52683a9e3 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =0D #include =0D #include =0D +#include =0D #include =0D =0D #include =0D @@ -26,12 +27,13 @@ typedef struct { } VARIABLE_TYPE;=0D =0D VARIABLE_TYPE mVariableType[] =3D {=0D - { EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid },=0D - { EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid },=0D - { EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid },=0D - { EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid },=0D - { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid },=0D - { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid },=0D + { EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid },=0D + { EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid },=0D + { EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_DEVICE_SECURITY_DATABASE, &gEfiDeviceSignatureDatabaseGuid },=0D };=0D =0D //=0D 
@@ -123,6 +125,22 @@ MeasureVariable ( );=0D }=0D =0D + if (CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid)) {=0D + DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventType= - %x, ", PCR_INDEX_FOR_SIGNATURE_DB, (UINTN)EV_EFI_SPDM_DEVICE_POLICY));=0D + DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, = VendorGuid));=0D +=0D + Status =3D TpmMeasureAndLogData (=0D + PCR_INDEX_FOR_SIGNATURE_DB,=0D + EV_EFI_SPDM_DEVICE_POLICY,=0D + VarLog,=0D + VarLogSize,=0D + VarLog,=0D + VarLogSize=0D + );=0D + FreePool (VarLog);=0D + return Status;=0D + }=0D +=0D DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventType -= %x, ", (UINTN)7, (UINTN)EV_EFI_VARIABLE_DRIVER_CONFIG));=0D DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, Ve= ndorGuid));=0D =0D @@ -228,6 +246,14 @@ SecureBootHook ( return;=0D }=0D =0D + if (CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid)) {=0D + if ((PcdGet32 (PcdTcgPfpMeasurementRevision) < TCG_EfiSpecIDEventStruc= t_SPEC_ERRATA_TPM2_REV_106) ||=0D + (PcdGet8 (PcdEnableSpdmDeviceAuthentication) =3D=3D 0))=0D + {=0D + return;=0D + }=0D + }=0D +=0D //=0D // We should NOT use Data and DataSize here,because it may include signa= ture,=0D // or is just partial with append attributes, or is deleted.=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.= inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf index 3858adf673..f90ec70b77 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf @@ -125,6 +125,7 @@ ## SOMETIMES_CONSUMES ## Variable:L"dbx"=0D ## SOMETIMES_CONSUMES ## Variable:L"dbt"=0D gEfiImageSecurityDatabaseGuid=0D + gEfiDeviceSignatureDatabaseGuid=0D =0D [Pcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize ## CON= SUMES=0D 
@@ -138,6 +139,8 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdReclaimVariableSpaceAtEndOfDxe ## CON= SUMES=0D gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable ## SOM= ETIMES_CONSUMES=0D gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved ## SOM= ETIMES_CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision ## CON= SUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthentication ## PR= ODUCES AND CONSUMES=0D =0D [FeaturePcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdVariableCollectStatistics ## CONSUMES= # statistic the information of variable.=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeD= xe.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.i= nf index a0d8b2267e..e1085653fe 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf @@ -80,6 +80,8 @@ =0D [Pcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable = ## CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision = ## CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthentication = ## PRODUCES AND CONSUMES=0D =0D [Guids]=0D ## PRODUCES ## GUID # Signature of Variable store header=0D @@ -110,6 +112,7 @@ =0D gVarCheckPolicyLibMmiHandlerGuid=0D gEfiEndOfDxeEventGroupGuid=0D + gEfiDeviceSignatureDatabaseGuid=0D =0D [Depex]=0D gEfiMmCommunication2ProtocolGuid=0D --=20 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#117730): https://edk2.groups.io/g/devel/message/117730 Mute This Topic: https://groups.io/mt/105528205/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-
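Review bot: the comment block for PcdEnableSpdmDeviceAuthentication in the MdeModulePkg.dec hunk reads awkwardly ("Specify whether to enable the state of SPDM device authentication and measurement", "Platform Firmware not supports"); suggest "## Indicates whether the platform firmware supports SPDM device authentication and measurement." with value lines "# 0: Platform firmware does not support SPDM device authentication and measurement." and "# 1: Platform firmware supports SPDM device authentication and measurement." The comment should also state that the PCD only takes effect when PcdTcgPfpMeasurementRevision is at least TCG_EfiSpecIDEventStruct_SPEC_ERRATA_TPM2_REV_106, since the SecureBootHook hunk skips the device database measurement otherwise.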
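Review bot: the new gEfiDeviceSignatureDatabaseGuid branch in MeasureVariable has no comment explaining why these variables are logged as EV_EFI_SPDM_DEVICE_POLICY into PCR_INDEX_FOR_SIGNATURE_DB instead of taking the EV_EFI_VARIABLE_DRIVER_CONFIG path that follows; add a short comment there. PCR_INDEX_FOR_SIGNATURE_DB is not defined anywhere in this patch, so it must come from the header added in the include hunk (its name is lost in this rendering) or from an earlier patch in the series; please confirm that dependency, and for consistency with the existing `(UINTN)7` in the DEBUG line below, cast the PCR index passed to `%x` the same way.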
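Review bot: the early return added to SecureBootHook carries no comment; state that the device signature database is deliberately not measured when PcdTcgPfpMeasurementRevision is below TCG_EfiSpecIDEventStruct_SPEC_ERRATA_TPM2_REV_106 (presumably because EV_EFI_SPDM_DEVICE_POLICY is only defined from that revision on) or when PcdEnableSpdmDeviceAuthentication is 0. Because the gate lives in the hook rather than next to the new branch in MeasureVariable, MeasureVariable will still emit an EV_EFI_SPDM_DEVICE_POLICY event for any other caller; either move the check into MeasureVariable or document that SecureBootHook is the only caller.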
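Review bot: gEfiDeviceSignatureDatabaseGuid is added to [Guids] in VariableRuntimeDxe.inf without the usage comment the neighbouring entries carry (`## SOMETIMES_CONSUMES ## Variable:L"dbx"`, `## SOMETIMES_CONSUMES ## Variable:L"dbt"`); add a matching `## SOMETIMES_CONSUMES ## Variable:L"..."` line naming the EFI_DEVICE_SECURITY_DATABASE variable, and do the same in the VariableSmmRuntimeDxe.inf [Guids] hunk.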
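Review bot: PcdEnableSpdmDeviceAuthentication is tagged `## PRODUCES AND CONSUMES` in the VariableRuntimeDxe.inf [Pcd] hunk, but the Measurement.c changes only read it (PcdGet8 in SecureBootHook) and nothing in this patch sets it; use `## CONSUMES`, as PcdTcgPfpMeasurementRevision does on the line above. The same tag appears in the VariableSmmRuntimeDxe.inf [Pcd] hunk and should be changed there too.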