* [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation
@ 2018-01-15 7:29 Zhang, Chao B
2018-01-15 7:52 ` Long, Qin
2018-01-15 8:31 ` Yao, Jiewen
0 siblings, 2 replies; 4+ messages in thread
From: Zhang, Chao B @ 2018-01-15 7:29 UTC (permalink / raw)
To: edk2-devel; +Cc: Long Qin, Yao Jiewen, Chao Zhang
According to TCG PP1.3 spec, error PCR bank allocation input should be
rejected by Physical Presence. Firmware has to ensure that at least one
PCR bank is active.
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
.../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
index 5bf95a1..5ece8e5 100644
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
+++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
@@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
ASSERT_EFI_ERROR (Status);
+
+ //
+ // PP spec requirements:
+ // Firmware should check that all requested (set) hashing algorithms are supported with respective PCR banks.
+ // Firmware has to ensure that at least one PCR banks is active.
+ // If not, an error is returned and no action is taken.
+ //
+ if (CommandParameter == 0 || (CommandParameter & (~TpmHashAlgorithmBitmap)) != 0) {
+ DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by TPM. Skip operation\n", CommandParameter));
+ return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+ }
+
Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter);
if (EFI_ERROR (Status)) {
return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
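Review bot: The new mask test in the added `if` reads TpmHashAlgorithmBitmap, but the only check on the Tpm2GetCapabilitySupportedAndActivePcrs call that fills it is `ASSERT_EFI_ERROR (Status)` just above the added block. In builds where asserts are compiled out, a failed capability query would let the comparison run against whatever value the bitmap holds. Suggest an explicit `if (EFI_ERROR (Status)) { return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; }` before the new check, the same pattern this hunk already uses after Tpm2PcrAllocateBanks.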
--
1.9.5.msysgit.1
* Re: [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation
2018-01-15 7:29 [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation Zhang, Chao B
@ 2018-01-15 7:52 ` Long, Qin
2018-01-15 8:31 ` Yao, Jiewen
1 sibling, 0 replies; 4+ messages in thread
From: Long, Qin @ 2018-01-15 7:52 UTC (permalink / raw)
To: Zhang, Chao B, edk2-devel@lists.01.org; +Cc: Yao, Jiewen, Zhang, Chao B
Reviewed-by: Long Qin <qin.long@intel.com>
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhang, Chao B
Sent: Monday, January 15, 2018 3:29 PM
To: edk2-devel@lists.01.org
Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; Long, Qin <qin.long@intel.com>
Subject: [edk2] [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation
According to TCG PP1.3 spec, error PCR bank allocation input should be rejected by Physical Presence. Firmware has to ensure that at least one PCR bank is active.
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
.../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
index 5bf95a1..5ece8e5 100644
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
+++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPres
+++ enceLib.c
@@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
ASSERT_EFI_ERROR (Status);
+
+ //
+ // PP spec requirements:
+ // Firmware should check that all requested (set) hashing algorithms are supported with respective PCR banks.
+ // Firmware has to ensure that at least one PCR banks is active.
+ // If not, an error is returned and no action is taken.
+ //
+ if (CommandParameter == 0 || (CommandParameter & (~TpmHashAlgorithmBitmap)) != 0) {
+ DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by TPM. Skip operation\n", CommandParameter));
+ return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+ }
+
Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter);
if (EFI_ERROR (Status)) {
return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
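Review bot: The DEBUG message in the rejection branch says the banks "are not supported by TPM", but the branch is also taken for `CommandParameter == 0`, where nothing unsupported was requested and the problem is that no bank would remain active. Suggest splitting the condition into two tests with their own messages, or rewording the message to cover both cases, and printing TpmHashAlgorithmBitmap next to CommandParameter so the log shows which bits were out of range.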
--
1.9.5.msysgit.1
* Re: [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation
2018-01-15 7:29 [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation Zhang, Chao B
2018-01-15 7:52 ` Long, Qin
@ 2018-01-15 8:31 ` Yao, Jiewen
1 sibling, 0 replies; 4+ messages in thread
From: Yao, Jiewen @ 2018-01-15 8:31 UTC (permalink / raw)
To: Zhang, Chao B, edk2-devel@lists.01.org; +Cc: Long, Qin
Reviewed-by: Jiewen.yao@intel.com
> -----Original Message-----
> From: Zhang, Chao B
> Sent: Monday, January 15, 2018 3:29 PM
> To: edk2-devel@lists.01.org
> Cc: Long, Qin <qin.long@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> Zhang, Chao B <chao.b.zhang@intel.com>
> Subject: [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank
> allocation
>
> According to TCG PP1.3 spec, error PCR bank allocation input should be
> rejected by Physical Presence. Firmware has to ensure that at least one
> PCR bank is active.
>
> Cc: Long Qin <qin.long@intel.com>
> Cc: Yao Jiewen <jiewen.yao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
> ---
> .../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c | 12
> ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git
> a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.
> c
> b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.
> c
> index 5bf95a1..5ece8e5 100644
> ---
> a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.
> c
> +++
> b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.
> c
> @@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
> case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
> Status = Tpm2GetCapabilitySupportedAndActivePcrs
> (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
> ASSERT_EFI_ERROR (Status);
> +
> + //
> + // PP spec requirements:
> + // Firmware should check that all requested (set) hashing algorithms
> are supported with respective PCR banks.
> + // Firmware has to ensure that at least one PCR banks is active.
> + // If not, an error is returned and no action is taken.
> + //
> + if (CommandParameter == 0 || (CommandParameter &
> (~TpmHashAlgorithmBitmap)) != 0) {
> + DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported
> by TPM. Skip operation\n", CommandParameter));
> + return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
> + }
> +
> Status = Tpm2PcrAllocateBanks (PlatformAuth,
> TpmHashAlgorithmBitmap, CommandParameter);
> if (EFI_ERROR (Status)) {
> return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
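Review bot: Style points on the added lines: the new comment reads "at least one PCR banks is active" (should be "bank"), and `DEBUG((DEBUG_ERROR, ...` is written without the space before the parenthesis that the neighbouring calls in this hunk use (`ASSERT_EFI_ERROR (Status)`, `Tpm2PcrAllocateBanks (PlatformAuth, ...`). Suggest `DEBUG ((DEBUG_ERROR, ...` to match, and wrapping the long comment line about supported hashing algorithms.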
> --
> 1.9.5.msysgit.1
* [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution
@ 2018-01-25 4:53 Zhang, Chao B
2018-01-25 4:53 ` [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation Zhang, Chao B
0 siblings, 1 reply; 4+ messages in thread
From: Zhang, Chao B @ 2018-01-25 4:53 UTC (permalink / raw)
To: edk2-devel
---
KabylakePlatSamplePkg/PlatformPkg.dsc | 13 +++++++++--
KabylakePlatSamplePkg/PlatformPkg.fdf | 36 +++++++++++++++--------------
KabylakePlatSamplePkg/PlatformPkgConfig.dsc | 2 +-
3 files changed, 31 insertions(+), 20 deletions(-)
diff --git a/KabylakePlatSamplePkg/PlatformPkg.dsc b/KabylakePlatSamplePkg/PlatformPkg.dsc
index fb085b9..125e018 100644
--- a/KabylakePlatSamplePkg/PlatformPkg.dsc
+++ b/KabylakePlatSamplePkg/PlatformPkg.dsc
@@ -1114,6 +1114,8 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07
gUefiCpuPkgTokenSpaceGuid.PcdCpuMsegSize|0x8c0000
+gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer|{0x91, 0x29, 0xc4, 0xbd, 0xea, 0x6d, 0xda, 0xb3, 0xaa, 0x6f, 0x50, 0x16, 0xfc, 0xdb, 0x4b, 0x7e, 0x3c, 0xd6, 0xdc, 0xa4, 0x7a, 0x0e, 0xdd, 0xe6, 0x15, 0x8c, 0x73, 0x96, 0xa2, 0xd4, 0xa6, 0x4d}
+
[PcdsFixedAtBuild.IA32]
!if gPlatformModuleTokenSpaceGuid.PcdFspWrapperEnable == TRUE
gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
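Review bot: The added PcdRsa2048Sha256PublicKeyBuffer line hard-codes a 32-byte value with no comment saying which key it was derived from or who holds the private half. This value becomes the trust anchor for the RSA2048SHA256 sections enabled later in the patch, so please document its provenance next to the PCD and confirm it is not a development or test key before this configuration is used for a shipping image.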
@@ -1445,6 +1447,11 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07
<LibraryClasses>
NULL|$(CLIENT_COMMON_PACKAGE)/Library/PeiSignedSectionVerificationLib/PeiSignedSectionVerificationLib.inf
}
+
+ MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf {
+ <LibraryClasses>
+ NULL|SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib\PeiRsa2048Sha256GuidedSectionExtractLib.inf
+ }
!endif
!if gSiPkgTokenSpaceGuid.PcdS3Enable == TRUE
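Review bot: The added NULL library path uses backslashes (`SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib\...`) while the PeiSignedSectionVerificationLib entry directly above it and the other paths visible in this diff use forward slashes. Suggest forward slashes so the DSC stays portable to non-Windows build hosts; the Dxe library lines in the next two hunks have the same issue. Also note that the PeiSignedSectionVerificationLib instance above is left in place here, so please confirm both verification libraries are meant to be linked.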
@@ -1575,7 +1582,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf {
gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x80080046
<LibraryClasses>
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
- NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+ # NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+ NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRsa2048Sha256GuidedSectionExtractLib.inf
!endif
!if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE
NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf
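Review bot: The old DxeSignedSectionVerificationLib instance is commented out rather than deleted (`# NULL|...` here, `#NULL|...` in the next hunk). Version control already keeps the old line, so suggest removing it outright to avoid dead entries in the DSC; if the intent is to allow switching back, gate the two libraries on a PCD instead.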
@@ -1600,7 +1608,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf {
gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable|FALSE
<LibraryClasses>
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
- NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+ #NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+ NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRsa2048Sha256GuidedSectionExtractLib.inf
!endif
!if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE
NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf
diff --git a/KabylakePlatSamplePkg/PlatformPkg.fdf b/KabylakePlatSamplePkg/PlatformPkg.fdf
index d2e8ee3..9d3fa5d 100644
--- a/KabylakePlatSamplePkg/PlatformPkg.fdf
+++ b/KabylakePlatSamplePkg/PlatformPkg.fdf
@@ -406,7 +406,7 @@ INF $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf
INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf # AdvancedFeaturesContent
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
+#INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
!endif
!if gSiPkgTokenSpaceGuid.PcdSleEnable == FALSE
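Review bot: Commenting out BiosInfoChecker.inf inside the PcdSecureBootEnable block takes a module out of the secure-boot build with no explanation, and the patch carries no commit message or Signed-off-by at all. Please state what BiosInfoChecker did and why RSA2048SHA256 section verification makes it unnecessary, and delete the line rather than leaving `#INF ...`; the same change recurs in the APRIORI PEI hunk and a later hunk of this file.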
@@ -462,12 +462,13 @@ INF $(PLATFORM_PACKAGE)/Platform/MsegSmramPei/MsegSmramPei.inf
INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-INF $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
-!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
-FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
- $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
- }
-!endif # PcdPubKeyHashBinEnable
+INF MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+#INF $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
+#!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
+#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
+# $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
+# }
+#!endif # PcdPubKeyHashBinEnable
!endif # PcdSecureBootEnable
!if gPlatformModuleTokenSpaceGuid.PcdTpmEnable == TRUE
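Review bot: With the `!if ... PcdPubKeyHashBinEnable == TRUE` block commented out, pubkeyhash.bin is no longer placed in the image and PcdPubKeyHashBinEnable no longer has any effect in this part of the FDF. Suggest deleting the dead block instead of commenting it, and, if the PCD and the SignFv pubkeyhash.bin are not used anywhere else, retiring them in the same patch so nobody assumes the old key hash is still enforced.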
@@ -604,7 +605,7 @@ APRIORI PEI {
!endif
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
- INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf # RPPO-SKL-0031: RoyalParkOverrideContent
+ #INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf # RPPO-SKL-0031: RoyalParkOverrideContent
!endif
INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
!endif
@@ -619,7 +620,7 @@ INF $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf
INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
+#INF $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
!endif
!if gSiPkgTokenSpaceGuid.PcdSleEnable == TRUE
@@ -692,12 +693,13 @@ INF $(PLATFORM_FEATURES_PATH)/OverClocking/OverClockInit/PeiOverClock.inf
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
# ROYAL_PARK_PORTING - Porting Required
-INF RuleOverride = LzmaCompress $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
-!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
-FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
- $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
- }
-!endif
+INF MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+#INF RuleOverride = LzmaCompress $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
+#!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
+#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
+# $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
+# }
+#!endif
!endif
!if gSiPkgTokenSpaceGuid.PcdSvBuild == TRUE
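Review bot: The replacement INF line drops the `RuleOverride = LzmaCompress` that the removed SignedSectionPei line carried, so `INF MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf` is built with the default rule here. If dropping the LzmaCompress rule is intended, say so in the commit message; otherwise keep `RuleOverride = LzmaCompress` on the new line.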
@@ -1174,7 +1176,7 @@ READ_LOCK_STATUS = TRUE
FILE FV_IMAGE = 4E35FD93-9C72-4c15-8C4B-E77F1DB2D792 {
!if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
- SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE {
+ SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID = TRUE {
SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
SECTION FV_IMAGE = FVMAIN2
}
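Review bot: On the changed SECTION GUIDED line the attribute is swapped, not extended: `PROCESSING_REQUIRED = TRUE` is gone and `AUTH_STATUS_VALID = TRUE` takes its place, while the inner EE4E5898-3914-4259-9D6E-DC7BD79403CF section keeps PROCESSING_REQUIRED. Please explain in the commit message why the outer signed section no longer needs PROCESSING_REQUIRED, and which component rejects FVMAIN2 when the signature check fails or when no extraction handler for A7717414-C616-4977-9420-844712A735BF is present. The FVMAIN hunk that follows makes the same change.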
@@ -2497,7 +2499,7 @@ READ_LOCK_STATUS = TRUE
FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
!if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE
!if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
- SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE {
+ SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID = TRUE {
SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
SECTION FV_IMAGE = FVMAIN
}
diff --git a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
index fd2d368..755e66c 100644
--- a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
+++ b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
@@ -117,7 +117,7 @@
gPlatformModuleTokenSpaceGuid.PcdNvmeEnable|TRUE
gSiPkgTokenSpaceGuid.PcdOverclockEnable|TRUE
gPlatformModuleTokenSpaceGuid.PcdPciHotplugEnable|TRUE
- gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|FALSE
+ gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|TRUE
gPlatformModuleTokenSpaceGuid.PcdIntelFpdtEnable|FALSE
gPlatformModuleTokenSpaceGuid.PcdPostCodeStatusCodeEnable|TRUE
gSiPkgTokenSpaceGuid.PcdPowerOnEnable|FALSE # SI:RestrictedContent
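Review bot: Flipping PcdPerformanceEnable from FALSE to TRUE is unrelated to the subject (RSA2048SHA256 section verification) and looks like a local setting that slipped into the commit. Suggest dropping this hunk or sending it as its own patch with a justification.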
--
1.9.5.msysgit.1
* [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation
2018-01-25 4:53 [PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution Zhang, Chao B
@ 2018-01-25 4:53 ` Zhang, Chao B
0 siblings, 0 replies; 4+ messages in thread
From: Zhang, Chao B @ 2018-01-25 4:53 UTC (permalink / raw)
To: edk2-devel; +Cc: Long Qin, Yao Jiewen, Chao Zhang
According to TCG PP1.3 spec, error PCR bank allocation input should be
rejected by Physical Presence. Firmware has to ensure that at least one
PCR bank is active.
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
.../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
index 5bf95a1..28f0ca0 100644
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
+++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
@@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
ASSERT_EFI_ERROR (Status);
+
+ //
+ // PP spec requirements:
+ // Firmware should check that all requested (set) hashing algorithms are supported with respective PCR banks.
+ // Firmware has to ensure that at least one PCR banks is active.
+ // If not, an error is returned and no action is taken.
+ //
+ if (CommandParameter == 0 || (CommandParameter & (~TpmHashAlgorithmBitmap)) != 0) {
+ DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by TPM. Skip operation\n", CommandParameter));
+ return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE
+ }
+ DEBUG((DEBUG_ERROR, "zhangchao TpmHashAlgorithmBitmap %x CommandParameter %x\n", TpmHashAlgorithmBitmap, CommandParameter));
Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter);
if (EFI_ERROR (Status)) {
return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
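Review bot: The `return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE` line inside the new `if` is missing its terminating semicolon, so this version does not compile; the 2018-01-15 posting of the same hunk had it. The added `DEBUG((DEBUG_ERROR, "zhangchao TpmHashAlgorithmBitmap %x CommandParameter %x\n", ...))` line also looks like leftover local debugging: it prints at error level for every request that passes the check and replaces the blank `+` line of the earlier posting. Suggest restoring the semicolon and dropping the trace line, or lowering it to DEBUG_INFO without the name prefix.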
--
1.9.5.msysgit.1