Subject: Re: [edk2-devel] [PATCH V4 3/3] SecurityPkg: Support CcMeasurementProtocol in DxeTpmMeasurementLib
From: "Sami Mujawar"
To: "Xu, Min M", "devel@edk2.groups.io", "kraxel@redhat.com"
Cc: "Kinney, Michael D", Liming Gao, "Liu, Zhiguang", "Yao, Jiewen", "Wang, Jian J", nd
Date: Thu, 4 Nov 2021 14:18:11 +0000
Message-ID: <316386e6-8da1-a48b-cecb-82d4a9afb85c@arm.com>
References: <44a80d4605e02dcf5fed85c5669aedbff3a283a1.1635818903.git.min.m.xu@intel.com> <3f1ba671-cb5f-7849-9439-9af6326de84a@arm.com> <20211104082041.dlkl52izdlo7c4uh@sirius.home.kraxel.org>
Hi Min,

Please find my response inline marked [SAMI].

Regards,

Sami Mujawar

On 04/11/2021 01:49 PM, Xu, Min M wrote:
> On November 4, 2021 9:35 PM, Xu Min wrote:
>> On November 4, 2021 4:21 PM, Gerd Hoffmann wrote:
>>> Hi,
>>>
>>>> [SAMI] Apologies, I missed this in my previous review. I think the
>>>> behaviour if both the TCG2 and CC measurement protocols are
>>>> installed would be inconsistent between DxeTpmMeasurementLib and
>>>> DxeTpm2MeasureBootLib. The main difference being in the latter, the
>>>> TCG2 protocol takes precedence for extending the measurement.
>>> Yes, we should have consistent behavior in both cases.
>> In DxeTpmMeasurementLib, the Cc measurement protocol is used as the
>> first try. If it fails, then it tries to measure with the TCG2 / TCG
>> protocol in turn.
>> In DxeTpm2MeasureBootLib, the TCG2 protocol is used as the first try.
>> If it fails, the CC measurement protocol is tried in turn.
>> Yes, this is inconsistent. I will update DxeTpm2MeasureBootLib to try
>> the Cc measurement protocol first, then try the TCG2 protocol if the Cc
>> measurement protocol fails. In this way, only one protocol will be
>> called to do the measurement. But TCG2 protocol is the first try, CC
>> measurement protocol is the second try.
>>
>>>> I think it would be good to modify DxeTpm2MeasureBootLib so that the
>>>> CC measurement protocol is used if both protocols are installed.
>>>> What do you think?
>>> Does it make sense to use both protocols?
>> Agree with Gerd. I don't think we should use both protocols to do the
>> measurement.
>> My suggestion is that, first try CC protocol, if it fails, then try
>> TCG2 protocol. Just as I explained above.
> Another option will be that:
> In DxeTpmMeasurementLib the pseudo code would look like:
>   If (CC Protocol is installed) {
>     Status = CcMeasureAndLogData (...)
>   } else { // below is the original code
>     Status = Tpm20MeasureAndLogData (...)
>     If (EFI_ERROR (Status)) {
>       Status = Tpm12MeasureAndLogData (...)
>     }
>   }
>
> In DxeTpm2MeasureBootLib, the pseudo code would look like:
>   If (CC Protocol is installed) {
>     Status = DoCcMeasureBoot(...)
>   } else if (TCG2 protocol is installed) {
>     Status = DoTcg2MeasureBoot(...)
>   }
[SAMI] Your pseudo code looks good to me. It makes the measurement logic
much clearer. Also, I am not aware if there is a use-case for both the CC
Protocol and the TCG2 protocols to be installed at the same time.
[/SAMI]
> Sami & Gerd
> What's your thought?
>
> Thanks
> Min
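A stand-alone C model of the dispatch in the pseudo code above, added here as an illustration; it is not EDK2 code and not code from anyone in this thread. The Status and Proto enums, the Platform struct with its installed/failing bitmasks, and the simulated MeasureWith backend are assumptions made so the two dispatch functions can run and be checked offline.

```c
/* Constructed stand-alone model, not EDK2 code: the types, the simulated
 * backends and the installed/failing flags are assumptions so it runs offline. */
typedef enum { STATUS_SUCCESS = 0, STATUS_UNSUPPORTED, STATUS_DEVICE_ERROR } Status;
typedef enum { PROTO_CC = 1, PROTO_TCG2 = 2, PROTO_TCG12 = 4 } Proto;

typedef struct {
  unsigned installed;  /* bitmask of Proto values present on the platform */
  unsigned failing;    /* bitmask of Proto whose extend is simulated to fail */
  unsigned called;     /* bitmask of Proto actually invoked, for inspection */
} Platform;

/* Simulated backend standing in for CcMeasureAndLogData and friends:
 * records that it was reached, then succeeds or fails per configuration. */
static Status MeasureWith(Platform *p, Proto proto) {
  p->called |= proto;
  return (p->failing & proto) ? STATUS_DEVICE_ERROR : STATUS_SUCCESS;
}

/* DxeTpmMeasurementLib dispatch as proposed in the thread: when the CC
 * measurement protocol is installed it is the only one used and its error
 * is returned as-is; otherwise the original TCG2 -> TPM 1.2 chain runs. */
Status TpmMeasureAndLogData(Platform *p) {
  Status status = STATUS_UNSUPPORTED;
  if (p->installed & PROTO_CC) {
    return MeasureWith(p, PROTO_CC);
  }
  if (p->installed & PROTO_TCG2) {
    status = MeasureWith(p, PROTO_TCG2);
  }
  if (status != STATUS_SUCCESS && (p->installed & PROTO_TCG12)) {
    status = MeasureWith(p, PROTO_TCG12);
  }
  return status;
}

/* DxeTpm2MeasureBootLib dispatch as proposed: CC if installed, else TCG2,
 * with no second attempt, so an image is never measured via two protocols. */
Status Tpm2MeasureBoot(Platform *p) {
  if (p->installed & PROTO_CC) {
    return MeasureWith(p, PROTO_CC);
  }
  if (p->installed & PROTO_TCG2) {
    return MeasureWith(p, PROTO_TCG2);
  }
  return STATUS_UNSUPPORTED;
}
```

The `called` bitmask is what a reviewer would check: with CC installed and failing, neither function falls through to TCG2, which is the "only one protocol is called" property the thread settles on.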