Message-ID: <9046ad34-c294-48e4-9faa-9494823609ae@linux.microsoft.com>
Date: Thu, 4 Apr 2024 11:57:37 -0400
Subject: Re: [edk2-devel] [PATCH 4/9] MdeModulePkg/Variable: Add TCG SPDM device measurement update
To: devel@edk2.groups.io, wenxing.hou@intel.com
Cc: Liming Gao, Jiewen Yao
References: <20240402023125.4168-1-wenxing.hou@intel.com> <20240402023125.4168-5-wenxing.hou@intel.com>
From: "Michael Kubacki"
In-Reply-To: <20240402023125.4168-5-wenxing.hou@intel.com>

Can you please fix the following typo?

"PcdEnableSpdmDeviceAuthenticaion"

Thanks,
Michael

On 4/1/2024 10:31 PM, Wenxing Hou wrote:
> Add EV_EFI_SPDM_DEVICE_POLICY support for MeasureVariable.
>
> Cc: Liming Gao
> Cc: Jiewen Yao
> Signed-off-by: Wenxing Hou
> ---
> MdeModulePkg/MdeModulePkg.dec | 5 +++
> .../Variable/RuntimeDxe/Measurement.c | 38 ++++++++++++++++---
> .../RuntimeDxe/VariableRuntimeDxe.inf | 3 ++
> .../RuntimeDxe/VariableSmmRuntimeDxe.inf | 3 ++
> 4 files changed, 43 insertions(+), 6 deletions(-)
>
> diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.de= c > index a82dedc070..3dad5e6803 100644 > --- a/MdeModulePkg/MdeModulePkg.dec > +++ b/MdeModulePkg/MdeModulePkg.dec
> @@ -2139,6 +2139,11 @@ > # @Prompt TCG Platform Firmware Profile revision. >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision|0|UINT32|= 0x00010077 >=20 > =20 >=20 > + ## Specify whether to enable the state of SPDM device authentication a= nd measurement.

>=20 > + # 0: Platform Firmware not supports SPDM device authentication and me= asurement. >=20 > + # 1: Platform Firmware supports SPDM device authentication and measur= ement. >=20 > + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthenticaion|0|UINT= 8|0x00010033 >=20 > + >=20 > ## Indicates if StatusCode is reported via Serial port.

>=20 > # TRUE - Reports StatusCode via Serial port.
>=20 > # FALSE - Does not report StatusCode via Serial port.
>=20 > diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/Measurement.c > index c15cce9716..74514077bd 100644 > --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c > +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c > @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > =20 >=20 > #include >=20 > #include >=20 > +#include >=20 > #include >=20 > =20 >=20 > #include >=20 > @@ -26,12 +27,13 @@ typedef struct { > } VARIABLE_TYPE; >=20 > =20 >=20 > VARIABLE_TYPE mVariableType[] =3D { >=20 > - { EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid }, >=20 > - { EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid }, >=20 > - { EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid }, >=20 > - { EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid }, >=20 > - { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid }, >=20 > - { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid }, >=20 > + { EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid }, >=20 > + { EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid }, >=20 > + { EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid }, >=20 > + { EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid }, >=20 > + { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid }, >=20 > + { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid }, >=20 > + { EFI_DEVICE_SECURITY_DATABASE, &gEfiDeviceSignatureDatabaseGuid }, >=20 > }; >=20 > =20 >=20 > // >=20 
> @@ -123,6 +125,22 @@ MeasureVariable ( > ); >=20 > } >=20 > =20 >=20 > + if (CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid)) { >=20 > + DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventTy= pe - %x, ", PCR_INDEX_FOR_SIGNATURE_DB, (UINTN)EV_EFI_SPDM_DEVICE_POLICY)); >=20 > + DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName= , VendorGuid)); >=20 > + >=20 > + Status =3D TpmMeasureAndLogData ( >=20 > + PCR_INDEX_FOR_SIGNATURE_DB, >=20 > + EV_EFI_SPDM_DEVICE_POLICY, >=20 > + VarLog, >=20 > + VarLogSize, >=20 > + VarLog, >=20 > + VarLogSize >=20 > + ); >=20 > + FreePool (VarLog); >=20 > + return Status; >=20 > + } >=20 > + >=20 > DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventTyp= e - %x, ", (UINTN)7, (UINTN)EV_EFI_VARIABLE_DRIVER_CONFIG)); >=20 > DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName,= VendorGuid)); >=20 > =20 >=20 > @@ -228,6 +246,14 @@ SecureBootHook ( > return; >=20 > } >=20 > =20 >=20 > + if (CompareGuid (VendorGuid, &gEfiDeviceSignatureDatabaseGuid)) { >=20 > + if ((PcdGet32 (PcdTcgPfpMeasurementRevision) < TCG_EfiSpecIDEventStr= uct_SPEC_ERRATA_TPM2_REV_106) || >=20 > + (PcdGet8 (PcdEnableSpdmDeviceAuthenticaion) =3D=3D 0)) >=20 > + { >=20 > + return; >=20 > + } >=20 > + } >=20 > + >=20 > // >=20 > // We should NOT use Data and DataSize here,because it may include si= gnature, >=20 > // or is just partial with append attributes, or is deleted. >=20 > diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDx= e.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > index 3858adf673..c729da448e 100644 > --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf 
> @@ -125,6 +125,7 @@ > ## SOMETIMES_CONSUMES ## Variable:L"dbx" >=20 > ## SOMETIMES_CONSUMES ## Variable:L"dbt" >=20 > gEfiImageSecurityDatabaseGuid >=20 > + gEfiDeviceSignatureDatabaseGuid >=20 > =20 >=20 > [Pcd] >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize ## = CONSUMES >=20 > @@ -138,6 +139,8 @@ > gEfiMdeModulePkgTokenSpaceGuid.PcdReclaimVariableSpaceAtEndOfDxe ## = CONSUMES >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvModeEnable ## = SOMETIMES_CONSUMES >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdEmuVariableNvStoreReserved ## = SOMETIMES_CONSUMES >=20 > + gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision ## C= ONSUMES >=20 > + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthenticaion ## P= RODUCES AND CONSUMES >=20 > =20 >=20 > [FeaturePcd] >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdVariableCollectStatistics ## CONSU= MES # statistic the information of variable. >=20 > diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntim= eDxe.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe= .inf > index a0d8b2267e..98ff7800c1 100644 > --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.in= f > +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.in= f > @@ -80,6 +80,8 @@ > =20 >=20 > [Pcd] >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisab= le ## CONSUMES >=20 > + gEfiMdeModulePkgTokenSpaceGuid.PcdTcgPfpMeasurementRevision = ## CONSUMES >=20 > + gEfiMdeModulePkgTokenSpaceGuid.PcdEnableSpdmDeviceAuthenticaion = ## PRODUCES AND CONSUMES >=20 > =20 >=20 > [Guids] >=20 > ## PRODUCES ## GUID # Signature of Variable store header >=20 
> @@ -110,6 +112,7 @@ > =20 >=20 > gVarCheckPolicyLibMmiHandlerGuid >=20 > gEfiEndOfDxeEventGroupGuid >=20 > + gEfiDeviceSignatureDatabaseGuid >=20 > =20 >=20 > [Depex] >=20 > gEfiMmCommunication2ProtocolGuid >=20
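
Review bot: In the MdeModulePkg.dec hunk, the new PCD's comment block has no "# @Prompt" line, unlike the PcdTcgPfpMeasurementRevision entry directly above it, and its value description reads "Platform Firmware not supports"; add a prompt line and reword to "does not support". The name is spelled PcdEnableSpdmDeviceAuthenticaion, and because it is also referenced in Measurement.c and in both INF files, the rename has to land in all four files together. The token 0x00010033 is well away from the neighbouring 0x00010077, so it is worth confirming that it is not already assigned elsewhere in the .dec.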
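
Review bot: In the MeasureVariable hunk of Measurement.c, the new EV_EFI_SPDM_DEVICE_POLICY branch repeats the pair of DEBUG calls that follows it and adds an early return with its own FreePool (VarLog), so the cleanup of VarLog now has to be kept correct in more than one place. Selecting the PCR index and event type into locals and sharing a single measure-and-free tail would avoid that. The first added DEBUG also passes PCR_INDEX_FOR_SIGNATURE_DB to %x without the (UINTN) cast that the existing line applies to its PCR argument.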
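
Review bot: In the SecureBootHook hunk, the revision and PCD gate returns silently and exists only in this caller, while the EV_EFI_SPDM_DEVICE_POLICY branch added to MeasureVariable runs unconditionally for any variable under gEfiDeviceSignatureDatabaseGuid. Add a comment stating why measurement is skipped below TCG_EfiSpecIDEventStruct_SPEC_ERRATA_TPM2_REV_106 or when the PCD is 0, and either document that MeasureVariable relies on its caller for this check or move the check next to the branch. A DEBUG line on the skip path would make it visible in logs that a device signature database update was not measured.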
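
Review bot: In the [Pcd] sections of VariableRuntimeDxe.inf and VariableSmmRuntimeDxe.inf, the new PCD is tagged "## PRODUCES AND CONSUMES", but the only access in this patch is PcdGet8 in SecureBootHook and every other entry shown uses a single usage keyword; "## CONSUMES" matches what the code does. In the [Guids] sections, gEfiDeviceSignatureDatabaseGuid is added without a usage comment, whereas the gEfiImageSecurityDatabaseGuid entry above it in VariableRuntimeDxe.inf carries "## SOMETIMES_CONSUMES ## Variable:L..." lines; add the equivalent for the device signature database variable.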