Re: Obtaining TCG final events on systems without TCG2 log support

["Yao, Jiewen" <jiewen.yao@intel.com>]

Right.
I think we are trying to deprecate the old SHA1 support, because SHA1 is considered as unsecure algorithm.
We are moving to crypto agile. As such, we do not see the need to support old style event log.

Thank you
Yao Jiewen


> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek@redhat.com]
> Sent: Thursday, December 13, 2018 8:36 PM
> To: Matthew Garrett <mjg59@srcf.ucam.org>
> Cc: edk2-devel@lists.01.org; Yao, Jiewen <jiewen.yao@intel.com>;
> Marc-André Lureau <marcandre.lureau@redhat.com>; Stefan Berger
> <stefanb@linux.vnet.ibm.com>
> Subject: Re: [edk2] Obtaining TCG final events on systems without TCG2 log
> support
> 
> + Jiewen, Marc-André, Stefan
> 
> On 12/13/18 02:17, Matthew Garrett wrote:
> > SetupEventLog() in Tcg2Dxe.c only installs the final event log
> > configuration table if SupportedEventLogs includes the TCG2 log format.
> > If the platform only supports the TCG1.2 log format then the final
> > events table isn't installed. However, ExitBootServices() should
> > generate an event even on systems that don't support the TCG2 log
> > format. How is an OS supposed to obtain the log of the
> > ExitBootServices() events in that case?
> >
> 
> I don't think it can.
> 
> You probably refer to the code below the comment "No need to handle
> EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2", in SetupEventLog(). This code
> dates
> back to commit fd46e831bc33 ("SecurityPkg: Update final event log
> calculation.", 2016-01-18). And the commit message says, "... there is
> no need to record TCG12 format log to final event log area ...".
> 
> Hence, the code is intentional. I even think the code is valid
> (according to the spec [*]); I just think the commit message should have
> said, "there is no *way* to record TCG12 format log to final event log
> area". Because, IMO, the bug is in the spec.
> 
> [*] TCG EFI Protocol Specification
>     Family “2.0”
>     Level 00 Revision 00.13
>     March 30, 2016
> 
> Here's why I think it's a spec bug:
> 
> 
> (1) If EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 is *clear* in
> SupportedEventLogs,
> then the platform advertizes GetEventLog() as unable to produce the
> crypto agile log format.
> 
> In other words, the platform is unable to produce a log which consists
> of TCG_PCR_EVENT2 entries, beyond the sole TCG_PCR_EVENT ("SHA1
> format")
> header entry.
> 
> Accordingly, GetEventLog() will fail with EFI_INVALID_PARAMETER, when
> called with EventLogFormat=EFI_TCG2_EVENT_LOG_FORMAT_TCG_2. (BTW,
> I
> think EFI_UNSUPPORTED would have been better for this, but I digress.)
> 
> (2) EFI_TCG2_FINAL_EVENTS_TABLE is defined with TCG_PCR_EVENT2
> entries
> *only*. TCG_PCR_EVENT is not accommodated.
> 
> 
> That's the contradiction. If a platform is unable to produce
> TCG_PCR_EVENT2 entries in GetEventLog(), it is fairly certainly also
> unable to produce them in the final events table.
> 
> And, while the first *instance* of the limitation is conformant, via
> SupportedEventLogs, the second instance of the same limitation isn't.
> 
> Thanks,
> Laszlo