[PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation

[PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation

[Zhang, Chao B]

According to TCG PP1.3 spec, error PCR bank allocation input should be
rejected by Physical Presence. Firmware has to ensure that at least one
PCR banks is active.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
 .../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c  | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
index 5bf95a1..5ece8e5 100644
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
+++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
@@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
     case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
       Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
       ASSERT_EFI_ERROR (Status);
+
+      //
+      // PP spec requirements:
+      //    Firmware should check that all requested (set) hashing algorithms are supported with respective PCR banks.
+      //    Firmware has to ensure that at least one PCR banks is active.
+      // If not, an error is returned and no action is taken.
+      //
+      if (CommandParameter == 0 || (CommandParameter & (~TpmHashAlgorithmBitmap)) != 0) {
+        DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by TPM. Skip operation\n", CommandParameter));
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+      }
+
       Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter);
       if (EFI_ERROR (Status)) {
         return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
-- 
1.9.5.msysgit.1

Re: [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation

[Long, Qin]

Reviewed-by: Long Qin <qin.long@intel.com>


Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhang, Chao B
Sent: Monday, January 15, 2018 3:29 PM
To: edk2-devel@lists.01.org
Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; Long, Qin <qin.long@intel.com>
Subject: [edk2] [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation

According to TCG PP1.3 spec, error PCR bank allocation input should be rejected by Physical Presence. Firmware has to ensure that at least one PCR banks is active.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
 .../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c  | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
index 5bf95a1..5ece8e5 100644
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
+++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPres
+++ enceLib.c
@@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
     case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
       Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
       ASSERT_EFI_ERROR (Status);
+
+      //
+      // PP spec requirements:
+      //    Firmware should check that all requested (set) hashing algorithms are supported with respective PCR banks.
+      //    Firmware has to ensure that at least one PCR banks is active.
+      // If not, an error is returned and no action is taken.
+      //
+      if (CommandParameter == 0 || (CommandParameter & (~TpmHashAlgorithmBitmap)) != 0) {
+        DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by TPM. Skip operation\n", CommandParameter));
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+      }
+
       Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter);
       if (EFI_ERROR (Status)) {
         return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
--
1.9.5.msysgit.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation

[Yao, Jiewen]

Reviewed-by: Jiewen.yao@intel.com

> -----Original Message-----
> From: Zhang, Chao B
> Sent: Monday, January 15, 2018 3:29 PM
> To: edk2-devel@lists.01.org
> Cc: Long, Qin <qin.long@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> Zhang, Chao B <chao.b.zhang@intel.com>
> Subject: [PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank
> allocation
> 
> According to TCG PP1.3 spec, error PCR bank allocation input should be
> rejected by Physical Presence. Firmware has to ensure that at least one
> PCR banks is active.
> 
> Cc: Long Qin <qin.long@intel.com>
> Cc: Yao Jiewen <jiewen.yao@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
> ---
>  .../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c  | 12
> ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git
> a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.
> c
> b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.
> c
> index 5bf95a1..5ece8e5 100644
> ---
> a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.
> c
> +++
> b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.
> c
> @@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
>      case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
>        Status = Tpm2GetCapabilitySupportedAndActivePcrs
> (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
>        ASSERT_EFI_ERROR (Status);
> +
> +      //
> +      // PP spec requirements:
> +      //    Firmware should check that all requested (set) hashing algorithms
> are supported with respective PCR banks.
> +      //    Firmware has to ensure that at least one PCR banks is active.
> +      // If not, an error is returned and no action is taken.
> +      //
> +      if (CommandParameter == 0 || (CommandParameter &
> (~TpmHashAlgorithmBitmap)) != 0) {
> +        DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported
> by TPM. Skip operation\n", CommandParameter));
> +        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
> +      }
> +
>        Status = Tpm2PcrAllocateBanks (PlatformAuth,
> TpmHashAlgorithmBitmap, CommandParameter);
>        if (EFI_ERROR (Status)) {
>          return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
> --
> 1.9.5.msysgit.1

[PATCH] Enable RSA2048SHA256 to replace CCG SignedSection solution

[Zhang, Chao B]

---
 KabylakePlatSamplePkg/PlatformPkg.dsc       | 13 +++++++++--
 KabylakePlatSamplePkg/PlatformPkg.fdf       | 36 +++++++++++++++--------------
 KabylakePlatSamplePkg/PlatformPkgConfig.dsc |  2 +-
 3 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/KabylakePlatSamplePkg/PlatformPkg.dsc b/KabylakePlatSamplePkg/PlatformPkg.dsc
index fb085b9..125e018 100644
--- a/KabylakePlatSamplePkg/PlatformPkg.dsc
+++ b/KabylakePlatSamplePkg/PlatformPkg.dsc
@@ -1114,6 +1114,8 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07
 
   gUefiCpuPkgTokenSpaceGuid.PcdCpuMsegSize|0x8c0000
 
+gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer|{0x91, 0x29, 0xc4, 0xbd, 0xea, 0x6d, 0xda, 0xb3, 0xaa, 0x6f, 0x50, 0x16, 0xfc, 0xdb, 0x4b, 0x7e, 0x3c, 0xd6, 0xdc, 0xa4, 0x7a, 0x0e, 0xdd, 0xe6, 0x15, 0x8c, 0x73, 0x96, 0xa2, 0xd4, 0xa6, 0x4d}
+
 [PcdsFixedAtBuild.IA32]
 !if gPlatformModuleTokenSpaceGuid.PcdFspWrapperEnable == TRUE
   gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
@@ -1445,6 +1447,11 @@ gPlatformModuleTokenSpaceGuid.PcdWsmtProtectionFlags|0x07
     <LibraryClasses>
       NULL|$(CLIENT_COMMON_PACKAGE)/Library/PeiSignedSectionVerificationLib/PeiSignedSectionVerificationLib.inf
   }
+  
+  MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf {
+  <LibraryClasses>
+    NULL|SecurityPkg\Library\PeiRsa2048Sha256GuidedSectionExtractLib\PeiRsa2048Sha256GuidedSectionExtractLib.inf
+  }
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdS3Enable == TRUE
@@ -1575,7 +1582,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf {
       gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x80080046
     <LibraryClasses>
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-      NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+    # NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+      NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRsa2048Sha256GuidedSectionExtractLib.inf
 !endif
 !if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE
       NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf
@@ -1600,7 +1608,8 @@ $(CLIENT_COMMON_PACKAGE)/Universal/DebugServicePei/DebugServicePei.inf {
       gEfiMdeModulePkgTokenSpaceGuid.PcdPropertiesTableEnable|FALSE
     <LibraryClasses>
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-      NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+      #NULL|$(CLIENT_COMMON_PACKAGE)/Library/DxeSignedSectionVerificationLib/DxeSignedSectionVerificationLib.inf
+      NULL|SecurityPkg\Library\DxeRsa2048Sha256GuidedSectionExtractLib\DxeRsa2048Sha256GuidedSectionExtractLib.inf
 !endif
 !if gPlatformModuleTokenSpaceGuid.PcdDxeCrc32SectionEnable == TRUE
       NULL|MdeModulePkg/Library/DxeCrc32GuidedSectionExtractLib/DxeCrc32GuidedSectionExtractLib.inf
diff --git a/KabylakePlatSamplePkg/PlatformPkg.fdf b/KabylakePlatSamplePkg/PlatformPkg.fdf
index d2e8ee3..9d3fa5d 100644
--- a/KabylakePlatSamplePkg/PlatformPkg.fdf
+++ b/KabylakePlatSamplePkg/PlatformPkg.fdf
@@ -406,7 +406,7 @@ INF  $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf
 
 INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf # AdvancedFeaturesContent
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
+#INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdSleEnable == FALSE
@@ -462,12 +462,13 @@ INF $(PLATFORM_PACKAGE)/Platform/MsegSmramPei/MsegSmramPei.inf
 INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-INF $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
-!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
-FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
-    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
-  }
-!endif # PcdPubKeyHashBinEnable
+INF MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+#INF $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
+#!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
+#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
+#    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
+#  }
+#!endif # PcdPubKeyHashBinEnable
 !endif # PcdSecureBootEnable
 
 !if gPlatformModuleTokenSpaceGuid.PcdTpmEnable == TRUE
@@ -604,7 +605,7 @@ APRIORI PEI {
 !endif
 
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-  INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf  # RPPO-SKL-0031: RoyalParkOverrideContent
+  #INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf  # RPPO-SKL-0031: RoyalParkOverrideContent
 !endif
   INF  MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 !endif
@@ -619,7 +620,7 @@ INF  $(PLATFORM_FEATURES_PATH)/Amt/AmtStatusCodePei/AmtStatusCodePei.inf
 
 INF $(PLATFORM_PACKAGE)/BiosInfo/BiosInfo.inf
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
+#INF  $(PLATFORM_PACKAGE)/Override/$(CLIENT_COMMON_PACKAGE)/Universal/BiosInfoChecker/BiosInfoChecker.inf
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdSleEnable == TRUE
@@ -692,12 +693,13 @@ INF $(PLATFORM_FEATURES_PATH)/OverClocking/OverClockInit/PeiOverClock.inf
 
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
 # ROYAL_PARK_PORTING - Porting Required
-INF RuleOverride = LzmaCompress $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
-!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
-FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
-    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
-  }
-!endif
+INF MdeModulePkg/Universal/SectionExtractionPei/SectionExtractionPei.inf
+#INF RuleOverride = LzmaCompress $(CLIENT_COMMON_PACKAGE)/Universal/SignedSectionPei/SignedSectionPei.inf
+#!if gPlatformModuleTokenSpaceGuid.PcdPubKeyHashBinEnable == TRUE
+#FILE RAW = 31C17ABE-6071-435e-BAA4-0B8A8C3649F3 {
+#    $(PLATFORM_PACKAGE)/Tools/ToolScripts/SignFv/pubkeyhash.bin
+#  }
+#!endif
 !endif
 
 !if gSiPkgTokenSpaceGuid.PcdSvBuild == TRUE
@@ -1174,7 +1176,7 @@ READ_LOCK_STATUS   = TRUE
 FILE FV_IMAGE = 4E35FD93-9C72-4c15-8C4B-E77F1DB2D792 {
 !if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE
   !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-    SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE {
+    SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID = TRUE {
       SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
         SECTION FV_IMAGE = FVMAIN2
       }
@@ -2497,7 +2499,7 @@ READ_LOCK_STATUS   = TRUE
 FILE FV_IMAGE = 9E21FD93-9C72-4c15-8C4B-E77F1DB2D792 {
 !if gPlatformModuleTokenSpaceGuid.PcdLzmaEnable == TRUE
 !if gPlatformModuleTokenSpaceGuid.PcdSecureBootEnable == TRUE
-  SECTION GUIDED 0f9d89e8-9259-4f76-a5af-0c89e34023df PROCESSING_REQUIRED = TRUE {
+  SECTION GUIDED A7717414-C616-4977-9420-844712A735BF AUTH_STATUS_VALID = TRUE {
        SECTION GUIDED EE4E5898-3914-4259-9D6E-DC7BD79403CF PROCESSING_REQUIRED = TRUE {
           SECTION FV_IMAGE = FVMAIN
        }
diff --git a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
index fd2d368..755e66c 100644
--- a/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
+++ b/KabylakePlatSamplePkg/PlatformPkgConfig.dsc
@@ -117,7 +117,7 @@
   gPlatformModuleTokenSpaceGuid.PcdNvmeEnable|TRUE
   gSiPkgTokenSpaceGuid.PcdOverclockEnable|TRUE
   gPlatformModuleTokenSpaceGuid.PcdPciHotplugEnable|TRUE
-  gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|FALSE
+  gPlatformModuleTokenSpaceGuid.PcdPerformanceEnable|TRUE
   gPlatformModuleTokenSpaceGuid.PcdIntelFpdtEnable|FALSE
   gPlatformModuleTokenSpaceGuid.PcdPostCodeStatusCodeEnable|TRUE
   gSiPkgTokenSpaceGuid.PcdPowerOnEnable|FALSE             # SI:RestrictedContent
-- 
1.9.5.msysgit.1

[PATCH] SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation

[Zhang, Chao B]

According to TCG PP1.3 spec, error PCR bank allocation input should be
rejected by Physical Presence. Firmware has to ensure that at least one
PCR banks is active.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
---
 .../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c  | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
index 5bf95a1..28f0ca0 100644
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
+++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
@@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
     case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
       Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
       ASSERT_EFI_ERROR (Status);
+
+      //
+      // PP spec requirements:
+      //    Firmware should check that all requested (set) hashing algorithms are supported with respective PCR banks.
+      //    Firmware has to ensure that at least one PCR banks is active.
+      // If not, an error is returned and no action is taken.
+      //
+      if (CommandParameter == 0 || (CommandParameter & (~TpmHashAlgorithmBitmap)) != 0) {
+        DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by TPM. Skip operation\n", CommandParameter));
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE
+      }
+      DEBUG((DEBUG_ERROR, "zhangchao TpmHashAlgorithmBitmap %x CommandParameter %x\n", TpmHashAlgorithmBitmap, CommandParameter));
       Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter);
       if (EFI_ERROR (Status)) {
         return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
-- 
1.9.5.msysgit.1