From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 9ACF0D8060D for ; Mon, 18 Mar 2024 15:41:35 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=o2DoleAdIWTc9jJyVAlHrWImxXJw6FNbVrTEDaU9UiA=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Resent-Date:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20240206; t=1710776494; v=1; b=b04yzqj3PWrTXq6CV1itEEuEDO+WdsdzTbNxsiJAa/EwIT/td0AD1Kfahq/ZY4EGS9MnCQjU wFxH8VJa1j7OINEjj+URFRaa4yzhUr0XUMHKXdJSj4RKnDPq/D6n+HI3RM4zI44o9rC/kU2TZH3 4gI2DMncghBlxgUxaa83QoSgz8a7vbMg4V57o+l70fbdDgM6mwQWf3x3QP7l8Dw6y5cT2YdtAWC lK0HfkTS3z3OW3PhmZVfalsNlT36qvxL8Jieiq1s2hh66eMbWuARvZoQXLQSYfyL3krudGNlR3r yBQAsPsxnhMXh3APNvf3DbQehrZfL0yVJNicRiGpboBZA== X-Received: by 127.0.0.2 with SMTP id oKXgYY7687511xmul0VWsQAa; Mon, 18 Mar 2024 08:41:34 -0700 X-Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.14]) by mx.groups.io with SMTP id smtpd.web10.48104.1710776493332002647 for ; Mon, 18 Mar 2024 08:41:33 -0700 X-IronPort-AV: E=McAfee;i="6600,9927,11017"; a="9424424" X-IronPort-AV: E=Sophos;i="6.07,134,1708416000"; d="scan'208";a="9424424" X-Received: from fmviesa002.fm.intel.com ([10.60.135.142]) by orvoesa106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Mar 2024 08:41:32 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.07,134,1708416000"; d="scan'208";a="36628667" X-Received: from shpfwdbuild003.ccr.corp.intel.com ([10.239.56.82]) by fmviesa002.fm.intel.com with ESMTP; 18 Mar 2024 08:41:31 -0700 
From: "Xu, Wei6" To: devel@edk2.groups.io Cc: Wei6 Xu , Rahul Kumar , Jiewen Yao Subject: [edk2-devel] [PATCH] SecurityPkg/Tcg2Config: Hide BIOS unsupported hash algorithm from UI Date: Mon, 18 Mar 2024 23:41:27 +0800 Message-Id: <54a37af6bf5580bd8c11ea3b1de71929da5b77a1.1710775554.git.wei6.xu@intel.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Resent-Date: Mon, 18 Mar 2024 08:41:33 -0700 Reply-To: devel@edk2.groups.io,wei6.xu@intel.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: yg15HqchsG544wfrAL5JBR9ex7686176AA= Content-Transfer-Encoding: 8bit X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20240206 header.b=b04yzqj3; spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none) REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4731 TCG2 configuration UI shows all the hash algorithms that TPM hardware supports in the checkbox. If the user selects only one algorithm that is supported by the TPM hardware but not by the BIOS and unchecks the others, the SyncPcrAllocationsAndPcrMask in Tcg2Pei will not be able to decide on a viable PCR to activate, and an assert occurs. Add a check against PcdTcg2HashAlgorithmBitmap when deciding whether to suppress the hash algorithm checkbox, to prevent the user from selecting a hash algorithm that may cause an assert. Cc: Rahul Kumar Cc: Jiewen Yao Signed-off-by: Wei6 Xu --- SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c | 61 ++++++++++++++------- 1 file changed, 41 insertions(+), 20 deletions(-)
diff --git a/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c b/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
index 6eb04c014448..39b639039525 100644
--- a/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
+++ b/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
@@ -722,33 +722,50 @@ FillBufferWithBootHashAlg (
 }
 
 /**
- Set ConfigInfo according to TpmAlgHash.
+ Set ConfigInfo according to TpmAlgHash and BiosHashAlgBitmap.
 
 @param[in,out] Tcg2ConfigInfo TCG2 config info.
 @param[in] TpmAlgHash TpmAlgHash.
+ @param[in] BiosHashAlgBitmap Bios Hash Algorithm Bitmap.
 **/
 VOID
 SetConfigInfo (
 IN OUT TCG2_CONFIGURATION_INFO *Tcg2ConfigInfo,
- IN UINT32 TpmAlgHash
+ IN UINT32 TpmAlgHash,
+ IN UINT32 BiosHashAlgBitmap
 )
 {
 switch (TpmAlgHash) {
 case TPM_ALG_SHA1:
- Tcg2ConfigInfo->Sha1Supported = TRUE;
+ if ((BiosHashAlgBitmap & HASH_ALG_SHA1) != 0) {
+ Tcg2ConfigInfo->Sha1Supported = TRUE;
+ }
+
 break;
 case TPM_ALG_SHA256:
- Tcg2ConfigInfo->Sha256Supported = TRUE;
+ if ((BiosHashAlgBitmap & HASH_ALG_SHA256) != 0) {
+ Tcg2ConfigInfo->Sha256Supported = TRUE;
+ }
+
 break;
 case TPM_ALG_SHA384:
- Tcg2ConfigInfo->Sha384Supported = TRUE;
+ if ((BiosHashAlgBitmap & HASH_ALG_SHA384) != 0) {
+ Tcg2ConfigInfo->Sha384Supported = TRUE;
+ }
+
 break;
 case TPM_ALG_SHA512:
- Tcg2ConfigInfo->Sha512Supported = TRUE;
+ if ((BiosHashAlgBitmap & HASH_ALG_SHA512) != 0) {
+ Tcg2ConfigInfo->Sha512Supported = TRUE;
+ }
+
 break;
 case TPM_ALG_SM3_256:
- Tcg2ConfigInfo->Sm3Supported = TRUE;
+ if ((BiosHashAlgBitmap & HASH_ALG_SM3_256) != 0) {
+ Tcg2ConfigInfo->Sm3Supported = TRUE;
+ }
+
 break;
 }
 }
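Review bot: The new `BiosHashAlgBitmap` parameter of `SetConfigInfo` is declared `IN UINT32` while the caller in the `InstallTcg2ConfigForm` hunk declares the value it passes as `EFI_TCG2_EVENT_ALGORITHM_BITMAP`; both resolve to UINT32 in the TCG2 protocol header so nothing breaks, but `IN EFI_TCG2_EVENT_ALGORITHM_BITMAP BiosHashAlgBitmap` would make it explicit that the `HASH_ALG_*` masks tested inside each case are the protocol's bitmap encoding, whereas the `switch` itself is keyed on `TPM_ALG_*` identifiers — mixing the two encodings is intentional here and deserves a one-line comment above the switch. The added doc line `@param[in] BiosHashAlgBitmap Bios Hash Algorithm Bitmap.` only restates the name; suggest `@param[in] BiosHashAlgBitmap HASH_ALG_* bitmap of the banks the firmware can extend (PcdTcg2HashAlgorithmBitmap); a bank is marked supported only when both the TPM and the firmware support it.` and the same sentence in the summary line, since the "both must support it" rule is the whole point of the change and is otherwise only visible from the five identical conditions.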
@@ -809,16 +826,17 @@ InstallTcg2ConfigForm (
 IN OUT TCG2_CONFIG_PRIVATE_DATA *PrivateData
 )
 {
- EFI_STATUS Status;
- EFI_HII_HANDLE HiiHandle;
- EFI_HANDLE DriverHandle;
- EFI_HII_CONFIG_ACCESS_PROTOCOL *ConfigAccess;
- UINTN Index;
- TPML_PCR_SELECTION Pcrs;
- CHAR16 TempBuffer[1024];
- TCG2_CONFIGURATION_INFO Tcg2ConfigInfo;
- TPM2_PTP_INTERFACE_TYPE TpmDeviceInterfaceDetected;
- BOOLEAN IsCmdImp = FALSE;
+ EFI_STATUS Status;
+ EFI_HII_HANDLE HiiHandle;
+ EFI_HANDLE DriverHandle;
+ EFI_HII_CONFIG_ACCESS_PROTOCOL *ConfigAccess;
+ UINTN Index;
+ TPML_PCR_SELECTION Pcrs;
+ CHAR16 TempBuffer[1024];
+ TCG2_CONFIGURATION_INFO Tcg2ConfigInfo;
+ TPM2_PTP_INTERFACE_TYPE TpmDeviceInterfaceDetected;
+ BOOLEAN IsCmdImp;
+ EFI_TCG2_EVENT_ALGORITHM_BITMAP BiosHashAlgorithmBitmap;
 
 DriverHandle = NULL;
 ConfigAccess = &PrivateData->ConfigAccess;
@@ -879,6 +897,8 @@ InstallTcg2ConfigForm (
 break;
 }
 
+ BiosHashAlgorithmBitmap = PcdGet32 (PcdTcg2HashAlgorithmBitmap);
+
 ZeroMem (&Tcg2ConfigInfo, sizeof (Tcg2ConfigInfo));
 Status = Tpm2GetCapabilityPcrs (&Pcrs);
 if (EFI_ERROR (Status)) {
@@ -897,20 +917,21 @@ InstallTcg2ConfigForm (
 TempBuffer[0] = 0;
 for (Index = 0; Index < Pcrs.count; Index++) {
 AppendBufferWithTpmAlgHash (TempBuffer, sizeof (TempBuffer), Pcrs.pcrSelections[Index].hash);
- SetConfigInfo (&Tcg2ConfigInfo, Pcrs.pcrSelections[Index].hash);
+ SetConfigInfo (&Tcg2ConfigInfo, Pcrs.pcrSelections[Index].hash, BiosHashAlgorithmBitmap);
 }
 
 HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_TPM2_SUPPORTED_HASH_ALGO_CONTENT), TempBuffer, NULL);
 }
 
- Status = Tpm2GetCapabilityIsCommandImplemented (TPM_CC_ChangeEPS, &IsCmdImp);
+ IsCmdImp = FALSE;
+ Status = Tpm2GetCapabilityIsCommandImplemented (TPM_CC_ChangeEPS, &IsCmdImp);
 if (EFI_ERROR (Status)) {
 DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityIsCmdImpl fails %r\n", Status));
 }
 
 Tcg2ConfigInfo.ChangeEPSSupported = IsCmdImp;
 
- FillBufferWithBootHashAlg (TempBuffer, sizeof (TempBuffer), PcdGet32 (PcdTcg2HashAlgorithmBitmap));
+ FillBufferWithBootHashAlg (TempBuffer, sizeof (TempBuffer), BiosHashAlgorithmBitmap);
 HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_BIOS_HASH_ALGO_CONTENT), TempBuffer, NULL);
 
 //
-- 
2.29.2.windows.2
-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#116844): https://edk2.groups.io/g/devel/message/116844 Mute This Topic: https://groups.io/mt/105005532/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-
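Review bot: After the `for` loop over `Pcrs.count` nothing records the case where the TPM's active banks and `BiosHashAlgorithmBitmap` have no overlap: every `*Supported` flag stays FALSE from the preceding `ZeroMem`, all checkboxes end up suppressed and the form silently offers no bank to enable. A `DEBUG ((DEBUG_WARN, "No hash bank is supported by both TPM and BIOS\n"))` after the loop, guarded by `!(Tcg2ConfigInfo.Sha1Supported || Tcg2ConfigInfo.Sha256Supported || Tcg2ConfigInfo.Sha384Supported || Tcg2ConfigInfo.Sha512Supported || Tcg2ConfigInfo.Sm3Supported)`, would make a PCD/TPM mismatch visible in the boot log instead of only in the UI. Hiding the checkbox also closes only the form path: the commit message places the assert in Tcg2Pei's SyncPcrAllocationsAndPcrMask, and a hash-mask selection persisted before this change, or stored by any other writer of the setup variable, would presumably still reach it, so the consumer should validate the mask and fall back rather than assert — Tcg2Pei is not in this patch, so that is inferred from the description. InstallTcg2ConfigForm starts and ends outside this hunk.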