From: "Yao, Jiewen"
To: Jorge Fernandez Monteagudo, "Zhang, Chao B", "edk2-devel@lists.01.org"
Date: Wed, 26 Sep 2018 06:58:26 +0000
Subject: Re: Tianocore and TPM2 pcr values
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503AD9C411@shsmsx102.ccr.corp.intel.com>
List-Id: EDK II Development

That means the TPM2 device works well.

We have code to dump the final event log at Tcg2GetEventLog().

  // Dump Event Log for debug purpose
  if ((EventLogLocation != NULL) && (EventLogLastEntry != NULL)) {
    DumpEventLog (EventLogFormat, *EventLogLocation, *EventLogLastEntry, mTcgDxeData.FinalEventsTable[Index]);
  }

If your OS needs to consume the event log, I expect the OS loader calls Tcg2GetEventLog().

If you don't have such an OS, then you can add a Tcg2GetEventLog() call at the end of OnReadyToBoot() - just for debug purposes to dump the event log. As such we can know how many events are extended.

Thank you
Yao Jiewen

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Wednesday, September 26, 2018 2:48 PM
To: Yao, Jiewen; Zhang, Chao B; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

Yes, from log I see:

Loading driver at 0x0008F3F2000 EntryPoint=0x0008F3F2240 Tcg2Dxe.efi
InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF 8F410C18
ProtectUefiImageCommon - 0x8F4107C0
  - 0x000000008F3F2000 - 0x000000000000D800
PROGRESS CODE: V03040002 I0
InterfaceId - 0xFFFFFFFF
InterfaceType - 0x0F
InterfaceCapability - 0x300000FF
InterfaceVersion - 0x3
StatusEx - 0xFF
TpmFamily - 0x3
PtpInterface - 0
VID - 0x15D1
DID - 0x001A
RID - 0x10
Tcg2.ProtocolVersion - 01.01
Tcg2.StructureVersion - 01.01
Tpm2GetCapabilityManufactureID - 00584649
Tpm2GetCapabilityFirmwareVersion - 00050000 00044102
Tpm2GetCapabilityMaxCommandResponseSize - 00000500, 00000500
GetSupportedAndActivePcrs - Count = 00000002
Tcg2.SupportedEventLogs - 0x00000003
Tcg2.HashAlgorithmBitmap - 0x00000003
Tcg2.NumberOfPCRBanks - 0x00000002
Tcg2.ActivePcrBanks - 0x00000003
...

________________________________
From: Yao, Jiewen
Sent: Wednesday, 26 September 2018 8:44:54
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

ProtectUefiImageCommon is not related.

Below code is the Tcg2Dxe entrypoint, I expect you can see some message there:

====================================
DriverEntry()
  if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) ||
      CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){
    DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"));
    return EFI_UNSUPPORTED;
  }

  if (GetFirstGuidHob (&gTpmErrorHobGuid) != NULL) {
    DEBUG ((EFI_D_ERROR, "TPM2 error!\n"));
    return EFI_DEVICE_ERROR;
  }

  Status = Tpm2RequestUseTpm ();
  if (EFI_ERROR (Status)) {
    DEBUG ((EFI_D_ERROR, "TPM2 not detected!\n"));
    return Status;
  }

  //
  // Fill information
  //
  ASSERT (TCG_EVENT_LOG_AREA_COUNT_MAX == sizeof(mTcg2EventInfo)/sizeof(mTcg2EventInfo[0]));

  mTcgDxeData.BsCap.Size = sizeof(EFI_TCG2_BOOT_SERVICE_CAPABILITY);
  mTcgDxeData.BsCap.ProtocolVersion.Major = 1;
  mTcgDxeData.BsCap.ProtocolVersion.Minor = 1;
  mTcgDxeData.BsCap.StructureVersion.Major = 1;
  mTcgDxeData.BsCap.StructureVersion.Minor = 1;

  DEBUG ((EFI_D_INFO, "Tcg2.ProtocolVersion - %02x.%02x\n", mTcgDxeData.BsCap.ProtocolVersion.Major, mTcgDxeData.BsCap.ProtocolVersion.Minor));
  DEBUG ((EFI_D_INFO, "Tcg2.StructureVersion - %02x.%02x\n", mTcgDxeData.BsCap.StructureVersion.Major, mTcgDxeData.BsCap.StructureVersion.Minor));

  Status = Tpm2GetCapabilityManufactureID (&mTcgDxeData.BsCap.ManufacturerID);
  if (EFI_ERROR (Status)) {
    DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityManufactureID fail!\n"));
  } else {
    DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityManufactureID - %08x\n", mTcgDxeData.BsCap.ManufacturerID));
  }

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Wednesday, September 26, 2018 2:40 PM
To: Yao, Jiewen; Zhang, Chao B; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

Hi Yao

> Yes, it is always good to enable serial port debug. There are lots of debug message in Tcg2Dxe driver.
> We can know what is wrong.

From the log I've been able to see that "measure" messages start once Tcg2Dxe.efi. From the beginning I can only see "ProtectUefiImageCommon" messages but I don't know if they are related.

> In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend coreboot image from flash, and who should extend UEFI payload?

I think nothing is implemented in coreboot because when TPM2 was not activated in edk2 PCR0-10 were all 0. It's only checking what device is available and sending the tpm2_startup command. I'll try to investigate the coreboot project to see if the tianocore payload could be extended before loading because coreboot should be the CRTM.

> Also, only *3rd party* image will change PCR2 and PCR4. Do you have such case in your platform?

First notice. No I don't have such case in my platform.

Thanks!
Jorge

________________________________
From: Yao, Jiewen
Sent: Wednesday, 26 September 2018 8:11:58
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

Hi Jorge

Yes, it is always good to enable serial port debug. There are lots of debug message in Tcg2Dxe driver. We can know what is wrong.

In pure UEFI BIOS, the PEI driver extends to PCR0, and DXE image measurement lib extend to PCR2, PCR4, PCR5. The DXE driver extends variable to PCR1/7, and exposes the TCG2 protocol to let OS use it.

In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend coreboot image from flash, and who should extend UEFI payload?

Also, only *3rd party* image will change PCR2 and PCR4.
Do you have such case in your platform?

Anyway, there should still be something measured - boot variable (PCR1), secure boot variable (PCR7), GPT (5), action (4,5), separator (1~7), if you include Tcg2Dxe driver.

I am not clear if coreboot already extends something to separator according to TCG PFP spec. If that is the case, we probably need a special handling in DXE driver.

I look forward to your serial debug message and design discussion.

Thank you
Yao Jiewen

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jorge Fernandez Monteagudo
> Sent: Wednesday, September 26, 2018 1:46 PM
> To: Zhang, Chao B; edk2-devel@lists.01.org
> Subject: Re: [edk2] Tianocore and TPM2 pcr values
>
> Hi Chao!
>
> Maybe the traces I get from the debug build and
>
> gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x7
> gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800A044F
> gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2F
>
> can help.
>
> ________________________________
> From: edk2-devel on behalf of Jorge Fernandez Monteagudo
> Sent: Tuesday, 25 September 2018 16:09:31
> To: Zhang, Chao B; edk2-devel@lists.01.org
> Subject: Re: [edk2] Tianocore and TPM2 pcr values
>
> Hi Chao!
>
> PCR0 has not changed in any of the tests I've done! What info do you need?
>
> I'm using:
>
> coreboot: ae05d095b36ac835a6b1a221e6858065e5486888, master branch
>
> tianocore: 07ecd98ac18d6792181856faca7d4bed1b587261, coreboot branch
>
> Attached are the changes I've done to tianocore to get TPM2 support and no console.
> PCR0 is always 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
>
> Thanks!
> ________________________________
> From: Zhang, Chao B
> Sent: Tuesday, 25 September 2018 15:41:45
> To: Jorge Fernandez Monteagudo; edk2-devel@lists.01.org
> Cc: You, Benjamin
> Subject: RE: Tianocore and TPM2 pcr values
>
> Hi Jorge:
> PCR 0 should change if you use different core boot payload + UEFI. So your case seems to be an issue. Can you provide more detailed info?
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jorge Fernandez Monteagudo
> Sent: Monday, September 24, 2018 5:57 PM
> To: edk2-devel@lists.01.org
> Subject: [edk2] Tianocore and TPM2 pcr values
>
> Hi all,
>
> This is my first message in this list. I'm using tianocore as a payload for a Coreboot in order to boot a custom board I'm working on. Finally I've been able to enable the TPM2 support in coreboot and in tianocore but I have some questions regarding the values I'm seeing in the PCRs.
>
> I'm using Tianocore master branch as is selected by coreboot menuconfig and x64 architecture. Once the system is running I can read the PCRs and, if I'm not wrong, PCRs 0 to 7 are handled by the Tianocore/Coreboot. I've flashed a coreboot+tianocore in release mode and a coreboot+tianocore in debug mode and the PCRs are the same. Is it ok? I thought that any change in the coreboot.rom will make the PCR values change...
>
> pcr0: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> pcr1: a3a3552caa68c6d9db64bf1ed4dca08080f99b59f1b26debc9abefa59ee8ca28
> pcr2: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> pcr3: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> pcr4: 74a35102770e65ab94b35135a4bf54c411134ae8059e03df41060a33f573871f
> pcr5: dfa65561584cb8604b1675c869f3341d0c99c642ce9d91353380361126235ad8
> pcr6: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> pcr7: b5710bf57d25623e4019027da116821fa99f5c81e9e38b87671cc574f9281439
>
> Another test I've done is using the Tianocore stable branch as selected by coreboot (STABLE_COMMIT_ID=315d9d08fd77db1024ccc5307823da8aaed85e2f) and I get the same values from release and build coreboot.roms except that PCR1 has the same value as PCR0, 2, 3 and 6, it seems it's not used in this version.
>
> Is this the expected behavior?
>
> Thanks!
> Jorge
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
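
Added example, not part of the original thread and not EDK II or coreboot code: a small Python model of SHA-256 PCR extension that checks which of the PCR values reported in the first message equal a single separator extend, and what PCR0 would look like if something measured the firmware image first. The four-zero-byte separator event data (TCG PFP spec), the helper names and the stand-in image bytes are assumptions of this example.

```python
import hashlib

ZERO_PCR = bytes(32)  # SHA-256 bank value of PCR0-7 after TPM startup

def extend(pcr: bytes, digest: bytes) -> bytes:
    """Model of a SHA-256 bank extend: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(digests) -> str:
    """Extend event digests, in order, into one PCR starting from reset."""
    pcr = ZERO_PCR
    for digest in digests:
        pcr = extend(pcr, digest)
    return pcr.hex()

# Assumption: a normal-boot EV_SEPARATOR measures four zero bytes (TCG PFP).
SEPARATOR_DIGEST = hashlib.sha256(bytes(4)).digest()
SEPARATOR_ONLY = replay([SEPARATOR_DIGEST])

# SHA-256 PCR values reported in the first message of the thread.
REPORTED = {
    0: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    1: "a3a3552caa68c6d9db64bf1ed4dca08080f99b59f1b26debc9abefa59ee8ca28",
    2: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    3: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    4: "74a35102770e65ab94b35135a4bf54c411134ae8059e03df41060a33f573871f",
    5: "dfa65561584cb8604b1675c869f3341d0c99c642ce9d91353380361126235ad8",
    6: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    7: "b5710bf57d25623e4019027da116821fa99f5c81e9e38b87671cc574f9281439",
}

def separator_only_pcrs(reported: dict) -> list:
    """Indexes whose value equals one separator extend and nothing else."""
    return sorted(i for i, v in reported.items() if v == SEPARATOR_ONLY)

def pcr0_with_firmware(image: bytes) -> str:
    """PCR0 if something measured `image` before the separator (hypothetical)."""
    return replay([hashlib.sha256(image).digest(), SEPARATOR_DIGEST])

if __name__ == "__main__":
    print("separator-only value:", SEPARATOR_ONLY)
    print("PCRs matching it:", separator_only_pcrs(REPORTED))
    # Constructed stand-ins for a release and a debug coreboot.rom.
    for name in ("release", "debug"):
        rom = ("constructed %s image" % name).encode()
        print(name, "PCR0 would be", pcr0_with_firmware(rom))
```

A PCR that matches the separator-only value carries no measurement of the firmware image, so it cannot distinguish one coreboot.rom from another.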