From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (EUR05-VI1-obe.outbound.protection.outlook.com [40.107.21.43])
 by mx.groups.io with SMTP id smtpd.web09.12243.1636035501686230662
 for <devel@edk2.groups.io>;
 Thu, 04 Nov 2021 07:18:22 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@armh.onmicrosoft.com header.s=selector2-armh-onmicrosoft-com header.b=yKBKP5MO;
 spf=pass (domain: arm.com, ip: 40.107.21.43, mailfrom: sami.mujawar@arm.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com;
 s=selector2-armh-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=4KrhKEtjOJGl9G0z3xsA18QMlkJxyADlN2OgdWe/8xk=;
 b=yKBKP5MO92IMkYisa0q8jGwpNspqZ97/8ncZLG9PPOvmcJgUrjpKgmWV7cEfS9uUVwzjd374dOZt+RrYSY94NH6keelkg0kezSDs2QEIdmL6Z4Qhp82tayklpyFWT6E6sIeJGSMQHcFd05v3XrVFwx+0V6m6TxhRA0b/RVRx35U=
Received: from AM6PR01CA0051.eurprd01.prod.exchangelabs.com
 (2603:10a6:20b:e0::28) by PR3PR08MB5738.eurprd08.prod.outlook.com
 (2603:10a6:102:81::7) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.10; Thu, 4 Nov
 2021 14:18:18 +0000
Received: from AM5EUR03FT051.eop-EUR03.prod.protection.outlook.com
 (2603:10a6:20b:e0:cafe::92) by AM6PR01CA0051.outlook.office365.com
 (2603:10a6:20b:e0::28) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.11 via Frontend
 Transport; Thu, 4 Nov 2021 14:18:18 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123)
 smtp.mailfrom=arm.com; dkim=pass (signature was verified)
 header.d=armh.onmicrosoft.com;dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates
 63.35.35.123 as permitted sender) receiver=protection.outlook.com;
 client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by
 AM5EUR03FT051.mail.protection.outlook.com (10.152.16.246) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.4649.14 via Frontend Transport; Thu, 4 Nov 2021 14:18:17 +0000
Received: ("Tessian outbound 7129402754f2:v108"); Thu, 04 Nov 2021 14:18:17 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: ef67ead45e7ac6e8
X-CR-MTA-TID: 64aa7808
Received: from 3febb6479e9d.1
	by 64aa7808-outbound-1.mta.getcheckrecipient.com id CD5E4231-3095-4FC4-99B0-93FF94A1930B.1;
	Thu, 04 Nov 2021 14:18:08 +0000
Received: from EUR04-VI1-obe.outbound.protection.outlook.com
    by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 3febb6479e9d.1
    (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
    Thu, 04 Nov 2021 14:18:08 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=kkYQ7oNAaWgHWGAqyvxTyB0wrWAQrs2jhzIdZx6rkbFLOfF7rYPWKqz40YWwAKHY57KDt4B/8q5kfB5c8CenuxrIETtytUMMbwrAgqrYUzLgbTC7Q2bAWTm7MLRiuoVFxygmAbpY2YWtyL4ILS0XuYxGcqllCLrbpywbZWlhNTKrHQnzE1Twb0+xQFJ8juXvYEhWKD/SbFu7qN9SLLJioJX4vlpBnlmKZAwElplf7hlbVPPjd4cTpdVtKCagiuqzQ2wZOV3FAN2khN66uq6NkfFfJwQJnWlzicjqKzQeOOT936GXttGkG27Ci2J1jFW7REDBJ1AHBZN/LcZiLT8gLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=4KrhKEtjOJGl9G0z3xsA18QMlkJxyADlN2OgdWe/8xk=;
 b=dQHG0VK2h4qiZEv7qeSNNoNQO6YPWhAl2M7UOAqO4MCU5FylCOR2nThmr/+XjFDdURvgZDadUBTfT1KVnUGUW4ViT3qDEy/4qNigiorssmhSXXR2CbtTZGo7PMQfNFuMX1dFGuj81fq/OC/vhxoe3ZqjTA7MXdC230yBl97EMs0lLev0SVbj1jNDIGCghVKJcQQ+9PF/jgaLTshwcnb6pZowvVH9kG4F7tZQ60ECT4FgYwE2D68HyRHXX8hIso9hwJun5gVUfLqGsB5Fe6C1xqvKuGZdFGD4DuXcc49Fqd8ucBSOf3Wobgeip++MgH6X3hVRx565YcIecLKayNrdoQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass
 header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com;
 s=selector2-armh-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=4KrhKEtjOJGl9G0z3xsA18QMlkJxyADlN2OgdWe/8xk=;
 b=yKBKP5MO92IMkYisa0q8jGwpNspqZ97/8ncZLG9PPOvmcJgUrjpKgmWV7cEfS9uUVwzjd374dOZt+RrYSY94NH6keelkg0kezSDs2QEIdmL6Z4Qhp82tayklpyFWT6E6sIeJGSMQHcFd05v3XrVFwx+0V6m6TxhRA0b/RVRx35U=
Authentication-Results-Original: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=arm.com;
Received: from AS8PR08MB6806.eurprd08.prod.outlook.com (2603:10a6:20b:39b::12)
 by AM6PR08MB4852.eurprd08.prod.outlook.com (2603:10a6:20b:cc::19) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4649.15; Thu, 4 Nov
 2021 14:18:06 +0000
Received: from AS8PR08MB6806.eurprd08.prod.outlook.com
 ([fe80::54b5:239d:9896:ee65]) by AS8PR08MB6806.eurprd08.prod.outlook.com
 ([fe80::54b5:239d:9896:ee65%4]) with mapi id 15.20.4669.010; Thu, 4 Nov 2021
 14:18:06 +0000
Subject: Re: [edk2-devel] [PATCH V4 3/3] SecurityPkg: Support CcMeasurementProtocol in DxeTpmMeasurementLib
To: "Xu, Min M" <min.m.xu@intel.com>,
 "devel@edk2.groups.io" <devel@edk2.groups.io>,
 "kraxel@redhat.com" <kraxel@redhat.com>
Cc: "Kinney, Michael D" <michael.d.kinney@intel.com>,
 Liming Gao <gaoliming@byosoft.com.cn>, "Liu, Zhiguang"
 <zhiguang.liu@intel.com>, "Yao, Jiewen" <jiewen.yao@intel.com>,
 "Wang, Jian J" <jian.j.wang@intel.com>, nd <nd@arm.com>
References: <cover.1635818903.git.min.m.xu@intel.com>
 <44a80d4605e02dcf5fed85c5669aedbff3a283a1.1635818903.git.min.m.xu@intel.com>
 <3f1ba671-cb5f-7849-9439-9af6326de84a@arm.com>
 <20211104082041.dlkl52izdlo7c4uh@sirius.home.kraxel.org>
 <CO1PR11MB5058471578870897AB97FA03C58D9@CO1PR11MB5058.namprd11.prod.outlook.com>
 <CO1PR11MB5058249DD43059FE85ADE57EC58D9@CO1PR11MB5058.namprd11.prod.outlook.com>
From: "Sami Mujawar" <sami.mujawar@arm.com>
Message-ID: <316386e6-8da1-a48b-cecb-82d4a9afb85c@arm.com>
Date: Thu, 4 Nov 2021 14:18:11 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.0.1
In-Reply-To: <CO1PR11MB5058249DD43059FE85ADE57EC58D9@CO1PR11MB5058.namprd11.prod.outlook.com>
X-ClientProxiedBy: LO4P123CA0063.GBRP123.PROD.OUTLOOK.COM
 (2603:10a6:600:153::14) To AS8PR08MB6806.eurprd08.prod.outlook.com
 (2603:10a6:20b:39b::12)
MIME-Version: 1.0
Received: from [10.1.196.43] (217.140.106.52) by LO4P123CA0063.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:153::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.11 via Frontend Transport; Thu, 4 Nov 2021 14:18:06 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 6645f2ab-6b26-44db-4686-08d99f9df2b6
X-MS-TrafficTypeDiagnostic: AM6PR08MB4852:|PR3PR08MB5738:
X-Microsoft-Antispam-PRVS: 
	<PR3PR08MB5738AC506C38F58EA164E8D5848D9@PR3PR08MB5738.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
NoDisclaimer: true
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: 
 thzj1FOxMCtBS/byCTjGZb09aIsLiLnBIr45TJQspOwZqrsMtO1uFJ+ZqXvHzb/U6Kfp7Z4Wcak7+tCFNzXXYiLVk86V5m97+ts3crcCKoKMPNLHyYtPkKzKMtj7RAKv/EMfQ3Zbw33xxbdd6yaD4GXN2AA87zzjvIZg43q34i+m0V1de3xuAvozH8CNU2pnv1mPe3fD0ttcMSTwXa9PhK0zRh1hN6mkanPM4H1QPh9B8QJZ2Uuw5pGKuZ34KQ2/UUWpPbMxJousMl+Z+iOT3mB6sLNVkW3DCNqf8jHXpwMwlED0s5kvlAR/HS7AlRj2koooFPJAnjuuVzMP6sFWdx2sWV5Hciij9TOy0l8Tg7B4eT+031YDXbCyD+JxN/7acJIZXiS4iTFZ3U8VHC11x2F/gxhx3IWyY09RSka0n5lOu9aS2kusBuf6e07xUGq9fF9sN52vN1TbrFPTiwulbZFB8iXBv9RnGjMFekalijqNhlg0oSJHZx4dtQI2NmRpFkS6H3IzeaAoIhWJ0UVABzioKDI7PHMJsGvEcvZqWeYyu7/E03Hcqy53GfF5Y2D8viqr6SgfAjkXizUmG92XxZMSkEhdhT/rb5DfNVRx/+0sPkfOP2oGWKvUUFvmGVZ+oziA1MPrqPMPbJCK6LerbHp45rcq7jS8KZe8sI03hLB37vNk37jAYOsZa92Aj8H9/dv/MhAK1MFn0DbRSW5FWmIEM89MHSCMOGzqIz+yjMikeG+16xvlno3pIzvPK1ola+LQw6/FinytwkSsG8JNPA==
X-Forefront-Antispam-Report-Untrusted: 
 CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS8PR08MB6806.eurprd08.prod.outlook.com;PTR:;CAT:NONE;SFS:(6029001)(4636009)(366004)(26005)(316002)(6486002)(16576012)(8936002)(66476007)(86362001)(5660300002)(2616005)(110136005)(44832011)(66556008)(53546011)(6666004)(54906003)(66946007)(956004)(36756003)(15650500001)(83380400001)(508600001)(38100700002)(19627235002)(31686004)(4326008)(52116002)(38350700002)(8676002)(2906002)(186003)(31696002)(45980500001)(43740500002);DIR:OUT;SFP:1101;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4852
Original-Authentication-Results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=arm.com;
Return-Path: Sami.Mujawar@arm.com
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: 
 AM5EUR03FT051.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 
	2d7ba130-2468-4ce5-2cb7-08d99f9debb3
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
	ddm4X/pc0iLCr3n5PBOPE4yWcDDZRZz5GIOjE1r0Z86IkeC2tPiz4pZYiZ/C1ywhbEK0R5STwjbn0XkmSMkyPgbUVLiI3UBE1waK1miGIoKdQM6u79GXuk2EC7S84u3WtZ6SGJOjkkoJ4yvu24pnxDRt/KqR8RKY0sGbBWj4k1HWYu+Lyn0oipw7v1iSU18tAmhFuiSauVso45fl/nzjc9XDYdQWm9lyBIH8EOGUNk8JK1yeC0sKayTQ5JDk7Ol8F6Hjgwd94JV0/YqFfCnjsjAl4FoA0aDYiS9GlvLQCQm1mD4Ag/XtL9iROdbga4ziMupt352CzfjtZy6Bus+zoHE3U/em+JZh43AaKtBO02EorpJMYHLyGOQZPtRudis13GPoKv7s6hH0WxeHvVQqMzNr8AaCfduoFLW5JzPHYNNQq+pyD45Iq+gk9okwkiRAF4DBOagAyyjUYW5vQpF4k73n7avZwr0UbNFcQuFUp6iJuMt1Zy8Z6QF2koNjDPRDqizJqjcs42/FwUFB4pOHWCieDG98xy74RLKHvFozCxq9QYxNYMM3+dGlhH8kNpb1+A2ZJzanKWvZw/fx0UhdEhRc6up7omG3349+EQsXGvOq5su+8zXBnE6zACz8W2floRwGPp/dNh/MZufAIXrMB1Ri+7CgyJeG2nl87P5mOM8+mUxu5Tj7s6kZO9ceJ1Dtf24JCJqFd6XxHB8APn0vh/0DwkNwtLUhpHNgbIsjsro=
X-Forefront-Antispam-Report: 
	CIP:63.35.35.123;CTRY:IE;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:64aa7808-outbound-1.mta.getcheckrecipient.com;PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com;CAT:NONE;SFS:(6029001)(4636009)(36840700001)(46966006)(53546011)(54906003)(5660300002)(6486002)(316002)(4326008)(83380400001)(508600001)(70206006)(82310400003)(86362001)(70586007)(19627235002)(31696002)(47076005)(26005)(8936002)(36756003)(36860700001)(6666004)(15650500001)(81166007)(336012)(956004)(2616005)(16576012)(44832011)(110136005)(2906002)(356005)(186003)(8676002)(31686004)(43740500002);DIR:OUT;SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Nov 2021 14:18:17.9749
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 6645f2ab-6b26-44db-4686-08d99f9df2b6
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d;Ip=[63.35.35.123];Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	AM5EUR03FT051.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR3PR08MB5738
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-GB

Hi Min,

Please find my response inline marked [SAMI].

Regards,

Sami Mujawar


On 04/11/2021 01:49 PM, Xu, Min M wrote:
> On November 4, 2021 9:35 PM, Xu Min wrote:
>> On November 4, 2021 4:21 PM, Gerd Hoffmann wrote:
>>>    Hi,
>>>
>>>> [SAMI] Apologies, I missed this in my previous review. I think the
>>>> behaviour if both the TCG2 and CC measurement protocols are
>>>> installed would be inconsistent between DxeTpmMeasurementLib and
>>>> DxeTpm2MeasureBootLib. The main difference being in the later, the
>>>> TCG2 protocol takes precedence for extending the measurement.
>>> Yes, we should have consistent behavior in both cases.
>> In DxeTpmMeasurementLib, Cc measurement protocol is used as the first try. If
>> it fails, then it try to measure with TCG2 / TCG protocol in turn.
>> In DxeTpm2MeasureBootLib, TCG2 protocol is used the as the first try. If it fails,
>> CC measurement protocol is tried in turn.
>> Yes, this is inconsistent. I will update DxeTpm2MeasureBootLib to try Cc
>> measurement protocol first, then try TCG2 protocol if Cc measurement protocol
>> fails. In this way, only one protocol will be called to do the measurement. But
>> TCG2 protocol is the first try, CC measurement protocol is the second try.
>>
>>>> I think it would be good to modify DxeTpm2MeasureBootLib so that the
>>>> CC measurement protocol is used if both protocols are installed.
>>>> What do you think?
>>> Does it makes sense to use both protocols?
>> Agree with Gerd. I don't think we should use both protocols to do the
>> measurement.
>> My suggestion is that, first try CC protocol, if it fails, then try TCG2 protocol. Just
>> as I explained above.
> Another option will be that:
> In DxeTpmMeasurementLib the pseudo would look like:
> If (CC Protocol is installed) {
>    Status = CcMeasureAndLogData (...)
> } else {  // below is the original code
>   Status = Tpm20MeasureAndLogData (...)
>   If (EFI_ERROR (Status)) {
>      Status = Tpm12MeasureAndLogData (...)
>   }
> }
>
> In DxeTpm2MeasureBootLib, the pseudo would look like:
> If (CC Protocol is installed) {
>      Status = DoCcMeasureBoot(...)
> } else if (TCG2 protocol is installed) {
>      Status = DoTcg2MeasureBoot(...)
> }
[SAMI] Your pseudo code looks good to me. It makes the measurement logic 
much clearer.
  Also, I am not aware if there is a use-case for both the CC Protocol 
and the TCG2 protocols to be installed at the same time.
[/SAMI]
> Sami & Gerd
> What's your thougth?
>
> Thanks
> Min