From: "Wenxing Hou"
To: devel@edk2.groups.io
Cc: Liming Gao, Jiewen Yao
Subject: [edk2-devel] [PATCH v4 04/10] MdeModulePkg/Variable: Add TCG SPDM device measurement update
Date: Thu, 18 Apr 2024 17:28:13 +0800
Message-Id: <20240418092819.6570-5-wenxing.hou@intel.com>
In-Reply-To: <20240418092819.6570-1-wenxing.hou@intel.com>
References: <20240418092819.6570-1-wenxing.hou@intel.com>

Add EV_EFI_SPDM_DEVICE_POLICY support for MeasureVariable.

Cc: Liming Gao
Cc: Jiewen Yao
Signed-off-by: Wenxing Hou
---
 MdeModulePkg/MdeModulePkg.dec                 |  5 +++
 .../Variable/RuntimeDxe/Measurement.c         | 38 ++++++++++++++++---
 .../RuntimeDxe/VariableRuntimeDxe.inf         |  3 ++
 .../RuntimeDxe/VariableSmmRuntimeDxe.inf      |  3 ++
 4 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index a91058e5b5..949babf61f 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -2146,6 +2146,11 @@ # @Prompt TCG Platform Firmware Profile revision.=0D gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision|0|UINT32|0x0= 0010077=0D =0D + ## Specify whether to enable the state of SPDM device authentication and= measurement.

=0D + # 0: Platform Firmware not supports SPDM device authentication and meas= urement.=0D + # 1: Platform Firmware supports SPDM device authentication and measurem= ent.=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthentication|0|UINT8= |0x00010033=0D +=0D ## Indicates if StatusCode is reported via Serial port.

=0D # TRUE - Reports StatusCode via Serial port.
=0D # FALSE - Does not report StatusCode via Serial port.
=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c b/Mde= ModulePkg/Universal/Variable/RuntimeDxe/Measurement.c index c15cce9716..a52683a9e3 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =0D #include =0D #include =0D +#include =0D #include =0D =0D #include =0D @@ -26,12 +27,13 @@ typedef struct { } VARIABLE_TYPE;=0D =0D VARIABLE_TYPE mVariableType[] =3D {=0D - { EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid },=0D - { EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid },=0D - { EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid },=0D - { EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid },=0D - { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid },=0D - { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid },=0D + { EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid },=0D + { EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid },=0D + { EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid },=0D + { EFI_DEVICE_SECURITY_DATABASE, &gEfiDeviceSignatureDatabaseGuid },=0D };=0D =0D //=0D 
@@ -123,6 +125,22 @@ MeasureVariable ( );=0D }=0D =0D + if (CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid)) {=0D + DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventType= - %x, ", PCR_INDEX_FOR_SIGNATURE_DB, (UINTN)EV_EFI_SPDM_DEVICE_POLICY));=0D + DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, = VendorGuid));=0D +=0D + Status =3D TpmMeasureAndLogData (=0D + PCR_INDEX_FOR_SIGNATURE_DB,=0D + EV_EFI_SPDM_DEVICE_POLICY,=0D + VarLog,=0D + VarLogSize,=0D + VarLog,=0D + VarLogSize=0D + );=0D + FreePool (VarLog);=0D + return Status;=0D + }=0D +=0D DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventType -= %x, ", (UINTN)7, (UINTN)EV_EFI_VARIABLE_DRIVER_CONFIG));=0D DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, Ve= ndorGuid));=0D =0D @@ -228,6 +246,14 @@ SecureBootHook ( return;=0D }=0D =0D + if (CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid)) {=0D + if ((PcdGet32 (PcdTcgPfpMeasurementRevision) < TCG_EfiSpecIDEventStruc= t_SPEC_ERRATA_TPM2_REV_106) ||=0D + (PcdGet8 (PcdEnableSpdmDeviceAuthentication) =3D=3D 0))=0D + {=0D + return;=0D + }=0D + }=0D +=0D //=0D // We should NOT use Data and DataSize here,because it may include signa= ture,=0D // or is just partial with append attributes, or is deleted.=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.= inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf index 3858adf673..f90ec70b77 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf @@ -125,6 +125,7 @@ ## SOMETIMES_CONSUMES ## Variable:L"dbx"=0D ## SOMETIMES_CONSUMES ## Variable:L"dbt"=0D gEfiImageSecurityDatabaseGuid=0D + gEfiDeviceSignatureDatabaseGuid=0D =0D [Pcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize ## CON= SUMES=0D 
@@ -138,6 +139,8 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdReclaimVariableSpaceAtEndOfDxe ## CON= SUMES=0D gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable ## SOM= ETIMES_CONSUMES=0D gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved ## SOM= ETIMES_CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision ## CON= SUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthentication ## PR= ODUCES AND CONSUMES=0D =0D [FeaturePcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdVariableCollectStatistics ## CONSUMES= # statistic the information of variable.=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeD= xe.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.i= nf index a0d8b2267e..e1085653fe 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf @@ -80,6 +80,8 @@ =0D [Pcd]=0D gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable = ## CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision = ## CONSUMES=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthentication = ## PRODUCES AND CONSUMES=0D =0D [Guids]=0D ## PRODUCES ## GUID # Signature of Variable store header=0D @@ -110,6 +112,7 @@ =0D gVarCheckPolicyLibMmiHandlerGuid=0D gEfiEndOfDxeEventGroupGuid=0D + gEfiDeviceSignatureDatabaseGuid=0D =0D [Depex]=0D gEfiMmCommunication2ProtocolGuid=0D
--=20 2.26.2.windows.1
View/Reply Online (#117974): https://edk2.groups.io/g/devel/message/117974
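Review bot: In the MdeModulePkg.dec hunk, the comment lines for the new PcdEnableSpdmDeviceAuthentication PCD read "Platform Firmware not supports SPDM device authentication and measurement" and "Platform Firmware supports SPDM device authentication and measurement"; suggest "# 0: Platform Firmware does not support SPDM device authentication and measurement." and "# 1: Platform Firmware supports SPDM device authentication and measurement.", and the lead comment "## Specify whether to enable the state of ..." reads more clearly as "## Indicates whether SPDM device authentication and measurement is enabled." Please also confirm that token number 0x00010033 is not already assigned to another PCD in this section of the .dec before it is merged.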
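Review bot: In the mVariableType hunk of Measurement.c, the six existing entries are removed and re-added only to realign the GUID column for the longer EFI_DEVICE_SECURITY_DATABASE line; if the repository's uncrustify configuration enforces that alignment this is fine, otherwise keep the hunk to the single added line so the history of the existing entries is preserved.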
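Review bot: In the MeasureVariable hunk of Measurement.c, the new DEBUG call casts EV_EFI_SPDM_DEVICE_POLICY to UINTN but passes PCR_INDEX_FOR_SIGNATURE_DB uncast, while the existing call a few lines below casts both of its arguments ((UINTN)7 and (UINTN)EV_EFI_VARIABLE_DRIVER_CONFIG); use `(UINTN)PCR_INDEX_FOR_SIGNATURE_DB` for consistency. The block also duplicates the TpmMeasureAndLogData / FreePool / return sequence that already follows it; selecting the PCR index and event type into two locals and falling through to the single existing TpmMeasureAndLogData call would leave one measurement path to maintain instead of two.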
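Review bot: In the SecureBootHook hunk of Measurement.c, the new gate returns silently when PcdTcgPfpMeasurementRevision is below TCG_EfiSpecIDEventStruct_SPEC_ERRATA_TPM2_REV_106 or PcdEnableSpdmDeviceAuthentication is 0, so a platform that writes the device signature database but has one of the two PCDs wrong gets neither an event nor a log line; a DEBUG ((DEBUG_INFO, ...)) before the `return;` would make the skipped measurement visible. The revision check also lives only in SecureBootHook while MeasureVariable itself logs EV_EFI_SPDM_DEVICE_POLICY for any caller that hands it the device signature database GUID; if MeasureVariable is reachable other than through SecureBootHook the gate belongs there as well, otherwise a short comment recording that SecureBootHook is the only caller would document the invariant.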
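Review bot: In the VariableRuntimeDxe.inf [Guids] hunk, gEfiDeviceSignatureDatabaseGuid is added without the `## SOMETIMES_CONSUMES ## Variable:L"..."` usage comments that the neighbouring gEfiImageSecurityDatabaseGuid entry carries for its db/dbx/dbt variables; add a matching comment naming the variable behind EFI_DEVICE_SECURITY_DATABASE so the INF documents which variable this GUID is used with.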
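Review bot: In the VariableRuntimeDxe.inf [Pcd] hunk, PcdEnableSpdmDeviceAuthentication is annotated `## PRODUCES AND CONSUMES`, but the only use this patch shows is a PcdGet8 in SecureBootHook; unless the variable driver sets the PCD somewhere not in this diff, the annotation should be `## CONSUMES`, matching PcdTcgPfpMeasurementRevision on the line above. The VariableSmmRuntimeDxe.inf [Pcd] hunk carries the same `## PRODUCES AND CONSUMES` annotation and needs the same correction.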
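Review bot: In the VariableSmmRuntimeDxe.inf [Guids] hunk, gEfiDeviceSignatureDatabaseGuid is consumed but neither INF's [Packages] section changes in this patch, and the commit message does not say which .dec declares the GUID or where EFI_DEVICE_SECURITY_DATABASE, PCR_INDEX_FOR_SIGNATURE_DB and the new #include in Measurement.c come from; please name the declaring package (and the earlier patch in this series that adds it, if that is the case) in the commit message, since MdeModulePkg must not pick up a dependency on a package layered above it.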