* [PATCH] SecurityPkg: Fix TPM2 ACPI measurement.
@ 2019-11-06 1:00 Lin, Derek (HPS SW)
2019-11-06 1:31 ` Yao, Jiewen
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Lin, Derek (HPS SW) @ 2019-11-06 1:00 UTC (permalink / raw)
To: derek.lin2, devel; +Cc: jason.spottswood, jiewen.yao, jian.j.wang, chao.b.zhang
We have discussed in this thread.
https://edk2.groups.io/g/devel/topic/32205028
Before the change, TPM FW upgrade will impact TPM2 ACPI PCR value because
TPM2 ACPI HID include FW version.
This change make the measurement before TPM2 HID fixup. So, after TPM FW
upgrade, the ACPI PCR record remains the same.
Signed-off-by: Derek Lin <derek.lin2@hpe.com>
---
SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
index bd786bf479..54966c83ce 100644
--- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
+++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
@@ -664,7 +664,22 @@ PublishAcpiTable (
));
//
- // Update TPM2 HID before measuring it to PCR
+ // Measure to PCR[0] with event EV_POST_CODE ACPI DATA.
+ // The measurement has to be done before UpdateHID since TPM2 ACPI HID
+ // imply TPM Firmware Version. Otherwise, the PCR record would be
+ // different after TPM FW update.
+ //
+ TpmMeasureAndLogData(
+ 0,
+ EV_POST_CODE,
+ EV_POSTCODE_INFO_ACPI_DATA,
+ ACPI_DATA_LEN,
+ Table,
+ TableSize
+ );
+
+ //
+ // Update TPM2 HID after measuring it to PCR
//
Status = UpdateHID(Table);
if (EFI_ERROR(Status)) {
@@ -694,19 +709,6 @@ PublishAcpiTable (
}
}
- //
- // Measure to PCR[0] with event EV_POST_CODE ACPI DATA
- //
- TpmMeasureAndLogData(
- 0,
- EV_POST_CODE,
- EV_POSTCODE_INFO_ACPI_DATA,
- ACPI_DATA_LEN,
- Table,
- TableSize
- );
-
-
ASSERT (Table->OemTableId == SIGNATURE_64 ('T', 'p', 'm', '2', 'T', 'a', 'b', 'l'));
CopyMem (Table->OemId, PcdGetPtr (PcdAcpiDefaultOemId), sizeof (Table->OemId) );
mTcgNvs = AssignOpRegion (Table, SIGNATURE_32 ('T', 'N', 'V', 'S'), (UINT16) sizeof (TCG_NVS));
--
2.20.1.windows.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] SecurityPkg: Fix TPM2 ACPI measurement.
2019-11-06 1:00 [PATCH] SecurityPkg: Fix TPM2 ACPI measurement Lin, Derek (HPS SW)
@ 2019-11-06 1:31 ` Yao, Jiewen
2019-11-06 6:17 ` Wang, Jian J
2019-11-07 5:13 ` Wang, Jian J
2 siblings, 0 replies; 4+ messages in thread
From: Yao, Jiewen @ 2019-11-06 1:31 UTC (permalink / raw)
To: Derek Lin, devel@edk2.groups.io
Cc: jason.spottswood@hpe.com, Wang, Jian J, Zhang, Chao B
Reviewed by: Jiewen Yao <Jiewen.yao@intel.com>
> -----Original Message-----
> From: Derek Lin <derek.lin2@hpe.com>
> Sent: Wednesday, November 6, 2019 9:01 AM
> To: derek.lin2@hpe.com; devel@edk2.groups.io
> Cc: jason.spottswood@hpe.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>
> Subject: [PATCH] SecurityPkg: Fix TPM2 ACPI measurement.
>
> We have discussed in this thread.
> https://edk2.groups.io/g/devel/topic/32205028
>
> Before the change, TPM FW upgrade will impact TPM2 ACPI PCR value because
> TPM2 ACPI HID include FW version.
>
> This change make the measurement before TPM2 HID fixup. So, after TPM FW
> upgrade, the ACPI PCR record remains the same.
>
> Signed-off-by: Derek Lin <derek.lin2@hpe.com>
> ---
> SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 30 ++++++++++++++++--------------
> 1 file changed, 16 insertions(+), 14 deletions(-)
>
> diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> index bd786bf479..54966c83ce 100644
> --- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> @@ -664,7 +664,22 @@ PublishAcpiTable (
> ));
>
> //
> - // Update TPM2 HID before measuring it to PCR
> + // Measure to PCR[0] with event EV_POST_CODE ACPI DATA.
> + // The measurement has to be done before UpdateHID since TPM2 ACPI HID
> + // imply TPM Firmware Version. Otherwise, the PCR record would be
> + // different after TPM FW update.
> + //
> + TpmMeasureAndLogData(
> + 0,
> + EV_POST_CODE,
> + EV_POSTCODE_INFO_ACPI_DATA,
> + ACPI_DATA_LEN,
> + Table,
> + TableSize
> + );
> +
> + //
> + // Update TPM2 HID after measuring it to PCR
> //
> Status = UpdateHID(Table);
> if (EFI_ERROR(Status)) {
> @@ -694,19 +709,6 @@ PublishAcpiTable (
> }
> }
>
> - //
> - // Measure to PCR[0] with event EV_POST_CODE ACPI DATA
> - //
> - TpmMeasureAndLogData(
> - 0,
> - EV_POST_CODE,
> - EV_POSTCODE_INFO_ACPI_DATA,
> - ACPI_DATA_LEN,
> - Table,
> - TableSize
> - );
> -
> -
> ASSERT (Table->OemTableId == SIGNATURE_64 ('T', 'p', 'm', '2', 'T', 'a', 'b', 'l'));
> CopyMem (Table->OemId, PcdGetPtr (PcdAcpiDefaultOemId), sizeof (Table-
> >OemId) );
> mTcgNvs = AssignOpRegion (Table, SIGNATURE_32 ('T', 'N', 'V', 'S'), (UINT16)
> sizeof (TCG_NVS));
> --
> 2.20.1.windows.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] SecurityPkg: Fix TPM2 ACPI measurement.
2019-11-06 1:00 [PATCH] SecurityPkg: Fix TPM2 ACPI measurement Lin, Derek (HPS SW)
2019-11-06 1:31 ` Yao, Jiewen
@ 2019-11-06 6:17 ` Wang, Jian J
2019-11-07 5:13 ` Wang, Jian J
2 siblings, 0 replies; 4+ messages in thread
From: Wang, Jian J @ 2019-11-06 6:17 UTC (permalink / raw)
To: Derek Lin, devel@edk2.groups.io
Cc: jason.spottswood@hpe.com, Yao, Jiewen, Zhang, Chao B
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Regards,
Jian
> -----Original Message-----
> From: Derek Lin <derek.lin2@hpe.com>
> Sent: Wednesday, November 06, 2019 9:01 AM
> To: derek.lin2@hpe.com; devel@edk2.groups.io
> Cc: jason.spottswood@hpe.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>
> Subject: [PATCH] SecurityPkg: Fix TPM2 ACPI measurement.
>
> We have discussed in this thread.
> https://edk2.groups.io/g/devel/topic/32205028
>
> Before the change, TPM FW upgrade will impact TPM2 ACPI PCR value because
> TPM2 ACPI HID include FW version.
>
> This change make the measurement before TPM2 HID fixup. So, after TPM FW
> upgrade, the ACPI PCR record remains the same.
>
> Signed-off-by: Derek Lin <derek.lin2@hpe.com>
> ---
> SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 30 ++++++++++++++++--------------
> 1 file changed, 16 insertions(+), 14 deletions(-)
>
> diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> index bd786bf479..54966c83ce 100644
> --- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> @@ -664,7 +664,22 @@ PublishAcpiTable (
> ));
>
> //
> - // Update TPM2 HID before measuring it to PCR
> + // Measure to PCR[0] with event EV_POST_CODE ACPI DATA.
> + // The measurement has to be done before UpdateHID since TPM2 ACPI HID
> + // imply TPM Firmware Version. Otherwise, the PCR record would be
> + // different after TPM FW update.
> + //
> + TpmMeasureAndLogData(
> + 0,
> + EV_POST_CODE,
> + EV_POSTCODE_INFO_ACPI_DATA,
> + ACPI_DATA_LEN,
> + Table,
> + TableSize
> + );
> +
> + //
> + // Update TPM2 HID after measuring it to PCR
> //
> Status = UpdateHID(Table);
> if (EFI_ERROR(Status)) {
> @@ -694,19 +709,6 @@ PublishAcpiTable (
> }
> }
>
> - //
> - // Measure to PCR[0] with event EV_POST_CODE ACPI DATA
> - //
> - TpmMeasureAndLogData(
> - 0,
> - EV_POST_CODE,
> - EV_POSTCODE_INFO_ACPI_DATA,
> - ACPI_DATA_LEN,
> - Table,
> - TableSize
> - );
> -
> -
> ASSERT (Table->OemTableId == SIGNATURE_64 ('T', 'p', 'm', '2', 'T', 'a', 'b', 'l'));
> CopyMem (Table->OemId, PcdGetPtr (PcdAcpiDefaultOemId), sizeof (Table-
> >OemId) );
> mTcgNvs = AssignOpRegion (Table, SIGNATURE_32 ('T', 'N', 'V', 'S'), (UINT16)
> sizeof (TCG_NVS));
> --
> 2.20.1.windows.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] SecurityPkg: Fix TPM2 ACPI measurement.
2019-11-06 1:00 [PATCH] SecurityPkg: Fix TPM2 ACPI measurement Lin, Derek (HPS SW)
2019-11-06 1:31 ` Yao, Jiewen
2019-11-06 6:17 ` Wang, Jian J
@ 2019-11-07 5:13 ` Wang, Jian J
2 siblings, 0 replies; 4+ messages in thread
From: Wang, Jian J @ 2019-11-07 5:13 UTC (permalink / raw)
To: Derek Lin, devel@edk2.groups.io
Cc: jason.spottswood@hpe.com, Yao, Jiewen, Zhang, Chao B
Pushed at 3a63c17ebc853cbb27d190729d01e27f68e65b94
Regards,
Jian
> -----Original Message-----
> From: Derek Lin <derek.lin2@hpe.com>
> Sent: Wednesday, November 06, 2019 9:01 AM
> To: derek.lin2@hpe.com; devel@edk2.groups.io
> Cc: jason.spottswood@hpe.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> Jian J <jian.j.wang@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>
> Subject: [PATCH] SecurityPkg: Fix TPM2 ACPI measurement.
>
> We have discussed in this thread.
> https://edk2.groups.io/g/devel/topic/32205028
>
> Before the change, TPM FW upgrade will impact TPM2 ACPI PCR value because
> TPM2 ACPI HID include FW version.
>
> This change make the measurement before TPM2 HID fixup. So, after TPM FW
> upgrade, the ACPI PCR record remains the same.
>
> Signed-off-by: Derek Lin <derek.lin2@hpe.com>
> ---
> SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 30 ++++++++++++++++--------------
> 1 file changed, 16 insertions(+), 14 deletions(-)
>
> diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> index bd786bf479..54966c83ce 100644
> --- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
> @@ -664,7 +664,22 @@ PublishAcpiTable (
> ));
>
> //
> - // Update TPM2 HID before measuring it to PCR
> + // Measure to PCR[0] with event EV_POST_CODE ACPI DATA.
> + // The measurement has to be done before UpdateHID since TPM2 ACPI HID
> + // imply TPM Firmware Version. Otherwise, the PCR record would be
> + // different after TPM FW update.
> + //
> + TpmMeasureAndLogData(
> + 0,
> + EV_POST_CODE,
> + EV_POSTCODE_INFO_ACPI_DATA,
> + ACPI_DATA_LEN,
> + Table,
> + TableSize
> + );
> +
> + //
> + // Update TPM2 HID after measuring it to PCR
> //
> Status = UpdateHID(Table);
> if (EFI_ERROR(Status)) {
> @@ -694,19 +709,6 @@ PublishAcpiTable (
> }
> }
>
> - //
> - // Measure to PCR[0] with event EV_POST_CODE ACPI DATA
> - //
> - TpmMeasureAndLogData(
> - 0,
> - EV_POST_CODE,
> - EV_POSTCODE_INFO_ACPI_DATA,
> - ACPI_DATA_LEN,
> - Table,
> - TableSize
> - );
> -
> -
> ASSERT (Table->OemTableId == SIGNATURE_64 ('T', 'p', 'm', '2', 'T', 'a', 'b', 'l'));
> CopyMem (Table->OemId, PcdGetPtr (PcdAcpiDefaultOemId), sizeof (Table-
> >OemId) );
> mTcgNvs = AssignOpRegion (Table, SIGNATURE_32 ('T', 'N', 'V', 'S'), (UINT16)
> sizeof (TCG_NVS));
> --
> 2.20.1.windows.1
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-11-07 5:13 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-11-06 1:00 [PATCH] SecurityPkg: Fix TPM2 ACPI measurement Lin, Derek (HPS SW)
2019-11-06 1:31 ` Yao, Jiewen
2019-11-06 6:17 ` Wang, Jian J
2019-11-07 5:13 ` Wang, Jian J
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox