Tianocore and TPM2 pcr values
From: Jorge Fernandez Monteagudo
Date: 2018-09-24 9:57 UTC
To: edk2-devel@lists.01.org
Thread: 18+ messages

Hi all,

This is my first message in this list. I'm using tianocore as a payload for Coreboot in order to boot a custom board I'm working on. Finally I've been able to enable the TPM2 support in coreboot and in tianocore, but I have some questions regarding the values I'm seeing in the PCRs.

I'm using the Tianocore master branch as selected by coreboot menuconfig and the x64 architecture. Once the system is running I can read the PCRs and, if I'm not wrong, PCRs 0 to 7 are handled by Tianocore/Coreboot. I've flashed a coreboot+tianocore in release mode and a coreboot+tianocore in debug mode and the PCRs are the same. Is it ok? I thought that any change in the coreboot.rom would make the PCR values change...

pcr0: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
pcr1: a3a3552caa68c6d9db64bf1ed4dca08080f99b59f1b26debc9abefa59ee8ca28
pcr2: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
pcr3: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
pcr4: 74a35102770e65ab94b35135a4bf54c411134ae8059e03df41060a33f573871f
pcr5: dfa65561584cb8604b1675c869f3341d0c99c642ce9d91353380361126235ad8
pcr6: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
pcr7: b5710bf57d25623e4019027da116821fa99f5c81e9e38b87671cc574f9281439

Another test I've done is using the Tianocore stable branch as selected by coreboot (STABLE_COMMIT_ID=315d9d08fd77db1024ccc5307823da8aaed85e2f), and I get the same values from the release and build coreboot.roms, except that PCR1 has the same value as PCR0, 2, 3 and 6; it seems it's not used in this version. Is this the expected behavior?

Thanks!
Jorge
Re: Tianocore and TPM2 pcr values
From: Zhang, Chao B
Date: 2018-09-25 13:41 UTC
To: Jorge Fernandez Monteagudo, edk2-devel@lists.01.org
Cc: You, Benjamin
In reply to: Jorge Fernandez Monteagudo, 2018-09-24 9:57

Hi Jorge:

PCR 0 should change if you use a different coreboot payload + UEFI. So your case seems to be an issue. Can you provide more detailed info?
Re: Tianocore and TPM2 pcr values
From: Jorge Fernandez Monteagudo
Date: 2018-09-25 14:09 UTC
To: Zhang, Chao B, edk2-devel@lists.01.org
In reply to: Zhang, Chao B, 2018-09-25 13:41

Hi Chao!

PCR0 has not changed in any of the tests I've done! What info do you need?

I'm using:
coreboot: ae05d095b36ac835a6b1a221e6858065e5486888, master branch
tianocore: 07ecd98ac18d6792181856faca7d4bed1b587261, coreboot branch

Attached are the changes I've done to tianocore to get TPM2 support and no console.

PCR0 is always 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969

Thanks!

Attachment: enabling-tpm2-tianocore.diff (text/x-patch, 24716 bytes)

diff --git a/CorebootModulePkg/CorebootModulePkg.dec b/CorebootModulePkg/CorebootModulePkg.dec index 20932a1..7372773 100644 --- a/CorebootModulePkg/CorebootModulePkg.dec +++ b/CorebootModulePkg/CorebootModulePkg.dec @@ -35,6 +35,8 @@ gUefiFrameBufferInfoGuid = {0xdc2cd8bd, 0x402c, 0x4dc4, {0x9b, 0xe0, 0xc, 0x43, 0x2b, 0x7, 0xfa, 0x34}} gEfiPciExpressBaseAddressGuid = {0x3677d529, 0x326f, 0x4603, {0xa9, 0x26, 0xea, 0xac, 0xe0, 0x1d, 0xcb, 0xb0 }} gUefiAcpiBoardInfoGuid = {0xad3d31b, 0xb3d8, 0x4506, {0xae, 0x71, 0x2e, 0xf1, 0x10, 0x6, 0xd9, 0xf}} + gPayloadTpm2DeviceInstanceGuid = { 0x8fe03b09, 0xcc66, 0x4797, { 0xba, 0x99, 0xfb, 0x92, 0x35, 0xb9, 0x80, 0x52 } } + gUefiTpmInfoGuid = { 0x3BC812AA, 0xB998, 0x4B05, { 0xA0, 0xDF, 0xE5, 0x34, 0xED, 0x08, 0xEE, 0xBB}} ## Include/Guid/PciOptionRomTable.h gEfiPciOptionRomTableGuid = { 0x7462660F, 0x1CBD, 0x48DA, { 0xAD, 0x11, 0x91, 0x71, 0x79, 0x13, 0x83, 0x1C }} diff --git a/CorebootPayloadPkg/CorebootPayloadPkg.dec b/CorebootPayloadPkg/CorebootPayloadPkg.dec index b33b79c..2b04b4b 100644 --- a/CorebootPayloadPkg/CorebootPayloadPkg.dec +++ b/CorebootPayloadPkg/CorebootPayloadPkg.dec @@ -31,7 +31,7 @@ # # Gop Temp # - gBmpImageGuid = { 0x878AC2CC, 0x5343, 0x46F2, { 0xB5, 0x63, 0x51, 0xF8, 0x9D, 0xAF, 0x56, 0xBA } } + gBmpImageGuid = { 0x878AC2CC, 0x5343, 0x46F2, { 0xB5, 0x63, 0x51, 0xF8, 0x9D, 0xAF, 0x56, 0xBA } } [Ppis]
@@ -39,7 +39,7 @@ # # Gop Temp # - gPlatformGOPPolicyGuid = { 0xec2e931b, 0x3281, 0x48a5, { 0x81, 0x07, 0xdf, 0x8a, 0x8b, 0xed, 0x3c, 0x5d } } + gPlatformGOPPolicyGuid = { 0xec2e931b, 0x3281, 0x48a5, { 0x81, 0x07, 0xdf, 0x8a, 0x8b, 0xed, 0x3c, 0x5d } } ################################################################################ # diff --git a/CorebootPayloadPkg/CorebootPayloadPkg.fdf b/CorebootPayloadPkg/CorebootPayloadPkg.fdf index 0961e96..dd6faa4 100644 --- a/CorebootPayloadPkg/CorebootPayloadPkg.fdf +++ b/CorebootPayloadPkg/CorebootPayloadPkg.fdf @@ -52,8 +52,10 @@ INF CorebootModulePkg/SecCore/SecCore.inf INF MdeModulePkg/Core/Pei/PeiMain.inf INF MdeModulePkg/Universal/PCD/Pei/Pcd.inf +!if $(MINIMUM_PAYLOAD) == FALSE INF MdeModulePkg/Universal/ReportStatusCodeRouter/Pei/ReportStatusCodeRouterPei.inf INF MdeModulePkg/Universal/StatusCodeHandler/Pei/StatusCodeHandlerPei.inf +!endif INF CorebootModulePkg/CbSupportPei/CbSupportPei.inf INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf @@ -81,8 +83,10 @@ READ_LOCK_STATUS = TRUE APRIORI DXE { INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf +!if $(MINIMUM_PAYLOAD) == FALSE INF MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportStatusCodeRouterRuntimeDxe.inf INF MdeModulePkg/Universal/StatusCodeHandler/RuntimeDxe/StatusCodeHandlerRuntimeDxe.inf +!endif } # @@ -90,13 +94,15 @@ APRIORI DXE { # INF MdeModulePkg/Core/Dxe/DxeMain.inf INF MdeModulePkg/Universal/PCD/Dxe/Pcd.inf +!if $(MINIMUM_PAYLOAD) == FALSE INF MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportStatusCodeRouterRuntimeDxe.inf INF MdeModulePkg/Universal/StatusCodeHandler/RuntimeDxe/StatusCodeHandlerRuntimeDxe.inf +!endif INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf INF UefiCpuPkg/CpuDxe/CpuDxe.inf -INF IntelFrameworkModulePkg/Universal/BdsDxe/BdsDxe.inf +INF IntelFrameworkModulePkg/Universal/BdsDxe/BdsDxe.inf !if $(USE_HPET_TIMER) == TRUE INF PcAtChipsetPkg/HpetTimerDxe/HpetTimerDxe.inf 
@@ -116,25 +122,38 @@ INF UefiCpuPkg/CpuIo2Dxe/CpuIo2Dxe.inf INF MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf INF MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf INF PcAtChipsetPkg/8259InterruptControllerDxe/8259.inf -INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf -INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf -INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf INF CorebootModulePkg/CbSupportDxe/CbSupportDxe.inf INF MdeModulePkg/Universal/SmbiosDxe/SmbiosDxe.inf + # # PCI Support # INF DuetPkg/PciRootBridgeNoEnumerationDxe/PciRootBridgeNoEnumeration.inf INF DuetPkg/PciBusNoEnumerationDxe/PciBusNoEnumeration.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # ISA Support # +!if $(MINIMUM_PAYLOAD) == FALSE INF MdeModulePkg/Universal/SerialDxe/SerialDxe.inf -INF PcAtChipsetPkg/IsaAcpiDxe/IsaAcpi.inf -INF IntelFrameworkModulePkg/Bus/Isa/IsaBusDxe/IsaBusDxe.inf -INF IntelFrameworkModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2keyboardDxe.inf +INF PcAtChipsetPkg/IsaAcpiDxe/IsaAcpi.inf +INF IntelFrameworkModulePkg/Bus/Isa/IsaBusDxe/IsaBusDxe.inf +INF IntelFrameworkModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2keyboardDxe.inf +!endif + +!if $(FTPM_ENABLE) == TRUE + INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +# INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf +## INF SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf +## INF SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf +## INF RuleOverride = DRIVER_ACPITABLE UefiPayloadPkg/Drivers/Tcg2Smm/Tcg2Smm.inf +## INF MdeModulePkg/Universal/Acpi/AcpiTableDxe/AcpiTableDxe.inf +!endif # # Console Support 
@@ -144,26 +163,31 @@ INF MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitterDxe.inf INF MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf INF MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf +INF MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf +INF MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf +INF MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf +INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + # # SCSI/ATA/IDE/DISK Support # INF MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf INF MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf -INF MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf +INF FatPkg/EnhancedFatDxe/Fat.inf INF CorebootModulePkg/SataControllerDxe/SataControllerDxe.inf INF MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf INF MdeModulePkg/Bus/Ata/AtaAtapiPassThru/AtaAtapiPassThru.inf INF MdeModulePkg/Bus/Scsi/ScsiBusDxe/ScsiBusDxe.inf INF MdeModulePkg/Bus/Scsi/ScsiDiskDxe/ScsiDiskDxe.inf -INF FatPkg/EnhancedFatDxe/Fat.inf - # # SD/eMMC Support # +!if $(MINIMUM_PAYLOAD) == FALSE INF MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHcDxe.inf INF MdeModulePkg/Bus/Sd/EmmcDxe/EmmcDxe.inf INF MdeModulePkg/Bus/Sd/SdDxe/SdDxe.inf +!endif # # Usb Support @@ -172,13 +196,17 @@ INF MdeModulePkg/Bus/Pci/UhciDxe/UhciDxe.inf INF MdeModulePkg/Bus/Pci/EhciDxe/EhciDxe.inf INF MdeModulePkg/Bus/Pci/XhciDxe/XhciDxe.inf INF MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBusDxe.inf +!if $(MINIMUM_PAYLOAD) == FALSE INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf +!endif INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf # # OHCI Support # +!if $(MINIMUM_PAYLOAD) == FALSE INF QuarkSocPkg/QuarkSouthCluster/Usb/Ohci/Dxe/OhciDxe.inf +!endif # # Shell 
@@ -213,9 +241,11 @@ INF RuleOverride = BINARY USE = X64 ShellBinPkg/UefiShell/UefiShell.inf !endif !endif +!if $(MINIMUM_PAYLOAD) == FALSE FILE FREEFORM = PCD(gEfiIntelFrameworkModulePkgTokenSpaceGuid.PcdLogoFile) { SECTION RAW = MdeModulePkg/Logo/Logo.bmp } +!endif # # Framebuffer Gop diff --git a/CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc b/CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc index 5470c11..fabccb3 100644 --- a/CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc +++ b/CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc @@ -32,6 +32,8 @@ DEFINE SECURE_BOOT_ENABLE = FALSE DEFINE SOURCE_DEBUG_ENABLE = FALSE + DEFINE FTPM_ENABLE = TRUE + DEFINE MINIMUM_PAYLOAD = TRUE # # CPU options @@ -85,7 +87,8 @@ # # Shell options: [BUILD_SHELL, FULL_BIN, MIN_BIN, NONE, UEFI] # - DEFINE SHELL_TYPE = FULL_BIN + #DEFINE SHELL_TYPE = FULL_BIN + DEFINE SHELL_TYPE = NONE [BuildOptions] *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES @@ -165,6 +168,8 @@ UefiUsbLib|MdePkg/Library/UefiUsbLib/UefiUsbLib.inf UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf + SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + BmpSupportLib|MdeModulePkg/Library/BaseBmpSupportLib/BaseBmpSupportLib.inf GenericBdsLib|IntelFrameworkModulePkg/Library/GenericBdsLib/GenericBdsLib.inf CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf SecurityManagementLib|MdeModulePkg/Library/DxeSecurityManagementLib/DxeSecurityManagementLib.inf 
@@ -188,6 +193,16 @@ IoApicLib|PcAtChipsetPkg/Library/BaseIoApicLib/BaseIoApicLib.inf CbPlatformSupportLib|CorebootModulePkg/Library/CbPlatformSupportLibNull/CbPlatformSupportLibNull.inf +!if $(FTPM_ENABLE) == TRUE + TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf + Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf + Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf + TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf + Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf +!endif + # # Misc # @@ -205,6 +220,25 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf + # + # API + # + FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + +!if $(FTPM_ENABLE) == FALSE + TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf +!endif + VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.IA32.SEC] DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 
@@ -217,7 +251,11 @@ PcdLib|MdePkg/Library/PeiPcdLib/PeiPcdLib.inf HobLib|MdePkg/Library/PeiHobLib/PeiHobLib.inf MemoryAllocationLib|MdePkg/Library/PeiMemoryAllocationLib/PeiMemoryAllocationLib.inf +!if $(MINIMUM_PAYLOAD) == FALSE ReportStatusCodeLib|MdeModulePkg/Library/PeiReportStatusCodeLib/PeiReportStatusCodeLib.inf +!else + ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf +!endif ExtractGuidedSectionLib|MdePkg/Library/PeiExtractGuidedSectionLib/PeiExtractGuidedSectionLib.inf !if $(SOURCE_DEBUG_ENABLE) DebugAgentLib|SourceLevelDebugPkg/Library/DebugAgent/SecPeiDebugAgentLib.inf @@ -228,7 +266,11 @@ HobLib|MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf MemoryAllocationLib|MdeModulePkg/Library/DxeCoreMemoryAllocationLib/DxeCoreMemoryAllocationLib.inf ExtractGuidedSectionLib|MdePkg/Library/DxeExtractGuidedSectionLib/DxeExtractGuidedSectionLib.inf +!if $(MINIMUM_PAYLOAD) == FALSE ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf +!else + ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf +!endif !if $(SOURCE_DEBUG_ENABLE) DebugAgentLib|SourceLevelDebugPkg/Library/DebugAgent/DxeDebugAgentLib.inf !endif @@ -239,7 +281,11 @@ HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf ExtractGuidedSectionLib|MdePkg/Library/DxeExtractGuidedSectionLib/DxeExtractGuidedSectionLib.inf +!if $(MINIMUM_PAYLOAD) == FALSE ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf +!else + ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf +!endif !if $(SOURCE_DEBUG_ENABLE) DebugAgentLib|SourceLevelDebugPkg/Library/DebugAgent/DxeDebugAgentLib.inf !endif 
@@ -250,21 +296,71 @@ PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf +!if $(MINIMUM_PAYLOAD) == FALSE ReportStatusCodeLib|MdeModulePkg/Library/RuntimeDxeReportStatusCodeLib/RuntimeDxeReportStatusCodeLib.inf +!else + ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf +!endif +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif [LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION] PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf +!if $(MINIMUM_PAYLOAD) == FALSE ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf +!else + ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf +!endif HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf +[LibraryClasses.common.SMM_CORE] + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf + HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf + SmmServicesTableLib|MdeModulePkg/Library/PiSmmCoreSmmServicesTableLib/PiSmmCoreSmmServicesTableLib.inf +!if $(MINIMUM_PAYLOAD) == FALSE + ReportStatusCodeLib|MdeModulePkg/Library/SmmReportStatusCodeLib/SmmReportStatusCodeLib.inf +!else + ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf +!endif + MemoryAllocationLib|MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemoryAllocationLib.inf + SmmCorePlatformHookLib|MdeModulePkg/Library/SmmCorePlatformHookLibNull/SmmCorePlatformHookLibNull.inf + SmmMemLib|MdePkg/Library/SmmMemLib/SmmMemLib.inf + +[LibraryClasses.common.DXE_SMM_DRIVER] + PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf + HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf +!if $(MINIMUM_PAYLOAD) == FALSE + 
ReportStatusCodeLib|MdeModulePkg/Library/SmmReportStatusCodeLib/SmmReportStatusCodeLib.inf +!else + ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf +!endif + MemoryAllocationLib|MdePkg/Library/SmmMemoryAllocationLib/SmmMemoryAllocationLib.inf + SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableLib.inf + SmmMemLib|MdePkg/Library/SmmMemLib/SmmMemLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf + SmmCpuPlatformHookLib|UefiCpuPkg/Library/SmmCpuPlatformHookLibNull/SmmCpuPlatformHookLibNull.inf + CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf + SmmCpuFeaturesLib|UefiCpuPkg/Library/SmmCpuFeaturesLib/SmmCpuFeaturesLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf +!endif +!if $(FTPM_ENABLE) == TRUE + Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf +!endif + ################################################################################ # # Pcd Section - list of all EDK II PCD Entries defined by this Platform. # ################################################################################ [PcdsFeatureFlag] +!if $(MINIMUM_PAYLOAD) == FALSE + gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeUseSerial|TRUE +!else gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeUseSerial|FALSE +!endif gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeUseMemory|FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdDxeIplSwitchToLongMode|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE 
@@ -284,10 +380,19 @@ !if $(SOURCE_DEBUG_ENABLE) gEfiSourceLevelDebugPkgTokenSpaceGuid.PcdDebugLoadImageMethod|0x2 !endif +!if $(FTPM_ENABLE) == TRUE + # Set it to false to avoid reset at memory mapping difference when enable TPM + gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChange|FALSE +!endif + +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif [PcdsPatchableInModule.common] gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x7 - gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + #gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8000004F + gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800A044F !if $(SOURCE_DEBUG_ENABLE) gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x17 !else @@ -344,7 +449,11 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64|0 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwWorkingBase|0 gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageFtwSpareBase|0 +!if $(MINIMUM_PAYLOAD) == FALSE gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|3 +!else + gEfiMdePkgTokenSpaceGuid.PcdPlatformBootTimeOut|0xffff +!endif ## This PCD defines the video horizontal resolution. # This PCD could be set to 0 then video resolution could be at highest resolution. 
@@ -358,6 +467,20 @@ ## The PCD is used to specify the video vertical resolution of text setup. gEfiMdeModulePkgTokenSpaceGuid.PcdSetupVideoVerticalResolution|0 + # + # TPM1.2 { 0x8b01e5b6, 0x4f19, 0x46e8, { 0xab, 0x93, 0x1c, 0x53, 0x67, 0x1b, 0x90, 0xcc } } + # TPM2.0 DTPM { 0x286bf25a, 0xc2c3, 0x408c, { 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17 } } + # + #gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0xb6, 0xe5, 0x01, 0x8b, 0x19, 0x4f, 0xe8, 0x46, 0xab, 0x93, 0x1c, 0x53, 0x67, 0x1b, 0x90, 0xcc} + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0x5A, 0xF2, 0x6B, 0x28, 0xC3, 0xC2, 0x8C, 0x40, 0xB3, 0xB4, 0x25, 0xE6, 0x75, 0x8B, 0x73, 0x17} + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInitializationPolicy|1 + gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1 + + # (BIT0 - SHA1. BIT1 - SHA256) + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x00000003 + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0x00000003 + + ################################################################################ # # Components Section - list of all EDK II Modules needed by this Platform. @@ -381,8 +504,11 @@ <LibraryClasses> PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf } + +!if $(MINIMUM_PAYLOAD) == FALSE MdeModulePkg/Universal/ReportStatusCodeRouter/Pei/ReportStatusCodeRouterPei.inf MdeModulePkg/Universal/StatusCodeHandler/Pei/StatusCodeHandlerPei.inf +!endif CorebootModulePkg/CbSupportPei/CbSupportPei.inf MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf 
@@ -399,7 +525,16 @@ # # Components that produce the architectural protocols # - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> + !if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf + !endif + !if $(FTPM_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf + !endif + } + UefiCpuPkg/CpuDxe/CpuDxe.inf IntelFrameworkModulePkg/Universal/BdsDxe/BdsDxe.inf { @@ -435,12 +570,12 @@ MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf PcAtChipsetPkg/8259InterruptControllerDxe/8259.inf - MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf - MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf - MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf - CorebootModulePkg/CbSupportDxe/CbSupportDxe.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # SMBIOS Support # 
@@ -457,12 +592,25 @@ DuetPkg/PciRootBridgeNoEnumerationDxe/PciRootBridgeNoEnumeration.inf DuetPkg/PciBusNoEnumerationDxe/PciBusNoEnumeration.inf +!if $(FTPM_ENABLE) == TRUE + SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf + SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf +# SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf + SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf { + <LibraryClasses> + Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf + NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf + HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf + NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf + NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf + } +!endif + # # SCSI/ATA/IDE/DISK Support # MdeModulePkg/Universal/Disk/DiskIoDxe/DiskIoDxe.inf MdeModulePkg/Universal/Disk/PartitionDxe/PartitionDxe.inf - MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf FatPkg/EnhancedFatDxe/Fat.inf CorebootModulePkg/SataControllerDxe/SataControllerDxe.inf MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBusDxe.inf @@ -473,9 +621,11 @@ # # SD/eMMC Support # +!if $(MINIMUM_PAYLOAD) == FALSE MdeModulePkg/Bus/Pci/SdMmcPciHcDxe/SdMmcPciHcDxe.inf MdeModulePkg/Bus/Sd/EmmcDxe/EmmcDxe.inf MdeModulePkg/Bus/Sd/SdDxe/SdDxe.inf +!endif # # Usb Support 
@@ -484,21 +634,27 @@ MdeModulePkg/Bus/Pci/EhciDxe/EhciDxe.inf MdeModulePkg/Bus/Pci/XhciDxe/XhciDxe.inf MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBusDxe.inf +!if $(MINIMUM_PAYLOAD) == FALSE MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf +!endif MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf # # OHCI support # +!if $(MINIMUM_PAYLOAD) == FALSE QuarkSocPkg/QuarkSouthCluster/Usb/Ohci/Dxe/OhciDxe.inf +!endif # # ISA Support # +!if $(MINIMUM_PAYLOAD) == FALSE MdeModulePkg/Universal/SerialDxe/SerialDxe.inf PcAtChipsetPkg/IsaAcpiDxe/IsaAcpi.inf IntelFrameworkModulePkg/Bus/Isa/IsaBusDxe/IsaBusDxe.inf IntelFrameworkModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2keyboardDxe.inf +!endif # # Console Support @@ -508,6 +664,11 @@ MdeModulePkg/Universal/Console/GraphicsConsoleDxe/GraphicsConsoleDxe.inf MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf + MdeModulePkg/Universal/HiiDatabaseDxe/HiiDatabaseDxe.inf + MdeModulePkg/Universal/SetupBrowserDxe/SetupBrowserDxe.inf + MdeModulePkg/Universal/DisplayEngineDxe/DisplayEngineDxe.inf + MdeModulePkg/Universal/Disk/UnicodeCollation/EnglishDxe/EnglishDxe.inf + # # Framebuffer Gop # diff --git a/IntelFrameworkModulePkg/Universal/BdsDxe/FrontPage.c b/IntelFrameworkModulePkg/Universal/BdsDxe/FrontPage.c index 46fdc53..b6210d9 100644 --- a/IntelFrameworkModulePkg/Universal/BdsDxe/FrontPage.c +++ b/IntelFrameworkModulePkg/Universal/BdsDxe/FrontPage.c @@ -871,6 +871,8 @@ ShowProgress ( EFI_GRAPHICS_OUTPUT_BLT_PIXEL Background; EFI_GRAPHICS_OUTPUT_BLT_PIXEL Color; + return EFI_TIMEOUT; + if (TimeoutDefault != 0) { DEBUG ((EFI_D_INFO, "\n\nStart showing progress bar... Press any key to stop it! ...Zzz....\n")); diff --git a/PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcRtcEntry.c b/PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcRtcEntry.c index 56ddc3e..7fe8513 100644 --- a/PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcRtcEntry.c +++ b/PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcRtcEntry.c 
@@ -138,7 +138,7 @@ InitializePcRtc ( mModuleGlobal.CenturyRtcAddress = GetCenturyRtcAddress (); Status = PcRtcInit (&mModuleGlobal); - ASSERT_EFI_ERROR (Status); + //ASSERT_EFI_ERROR (Status); Status = gBS->CreateEventEx ( EVT_NOTIFY_SIGNAL,
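Review bot: the two GUIDs added to CorebootModulePkg.dec (gPayloadTpm2DeviceInstanceGuid and gUefiTpmInfoGuid) have no consumer anywhere else in this patch and, unlike the neighbouring entries, no `## Include/Guid/...` comment pointing at a header that defines them; either add the header and the module that uses them or drop the two lines.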
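Review bot: the gBmpImageGuid and gPlatformGOPPolicyGuid hunks in CorebootPayloadPkg.dec remove and re-add identical lines, so they are whitespace-only churn (trailing whitespace or line endings); drop both hunks so the diff shows only the TPM change.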
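Review bot: in the CorebootPayloadPkg.fdf `!if $(FTPM_ENABLE) == TRUE` block the only measurement driver placed in the firmware volume is Tcg2Dxe.inf, and nothing in the patch measures the payload image or the coreboot stages into PCR0, which is consistent with the constant PCR0 reported in the thread; the patch should state who the CRTM is (coreboot or the payload) and add the PCR0 measurement on that side, or document that PCR0 is intentionally left to coreboot. Two smaller points on the same hunk: the flag name FTPM_ENABLE is misleading because the dsc sets PcdTpmInstanceGuid to the discrete TPM 2.0 (DTPM) instance GUID 286bf25a-c2c3-408c-b3b4-25e6758b7317, not a firmware TPM, so a name like TPM2_ENABLE fits better; and the commented-out `# INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf` and `## INF ...TcgMor.inf` lines should be deleted rather than left as dead entries.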
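Review bot: `DEFINE MINIMUM_PAYLOAD = TRUE` and `DEFINE SHELL_TYPE = NONE` in CorebootPayloadPkgIa32X64.dsc change the default build for everyone (no status code handlers, no PS/2 or USB keyboard, no shell, no logo, PcdPlatformBootTimeOut 0xffff) and have nothing to do with enabling the TPM; default MINIMUM_PAYLOAD to FALSE, keep SHELL_TYPE at FULL_BIN and remove the commented-out `#DEFINE SHELL_TYPE = FULL_BIN` line, or split the whole MINIMUM_PAYLOAD/no-console series into its own patch.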
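Review bot: BaseCryptLib is mapped twice in the common [LibraryClasses] section (inside `!if $(FTPM_ENABLE) == TRUE` in the @@ -188 hunk and again unconditionally under the new `# API` comment in the @@ -205 hunk), and TpmMeasurementLib is set to DxeTpmMeasurementLib under FTPM_ENABLE in one place and to TpmMeasurementLibNull under `!if $(FTPM_ENABLE) == FALSE` in another; keep one mapping per library class with a single `!if/!else` so the two halves cannot drift apart.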
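Review bot: the new [LibraryClasses.common.SMM_CORE] and [LibraryClasses.common.DXE_SMM_DRIVER] sections in the @@ -250 hunk exist only so that TcgMorLockSmm.inf (listed under FTPM_ENABLE in the [Components] hunk at @@ -457) compiles, but the fdf puts no SMM core, SMM IPL or SMM driver into the firmware volume, so the module is built and never dispatched; in DXE_SMM_DRIVER BaseCryptLib is also mapped to SmmCryptLib twice (once unconditionally, once under SECURE_BOOT_ENABLE). Drop TcgMorLockSmm and both SMM sections until this payload has SMM infrastructure, and remove the duplicate mapping.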
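Review bot: `PcdDebugPrintErrorLevel|0x800A044F` in the @@ -284 hunk raises the default debug verbosity for every build and leaves the previous value behind as a commented-out line; keep 0x8000004F in the patch and override the PCD locally while debugging.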
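Review bot: the @@ -358 hunk sets PcdTpmInitializationPolicy|1 and PcdTpmScrtmPolicy|1, which are PEI-phase policies (TPM startup and S-CRTM measurement), while this payload has no PEI TPM driver and, per the thread, coreboot already brings up the TPM; check whether anything in this build still consumes them and, if coreboot is the CRTM, say so in a comment next to the PCDs instead of carrying inert settings. The commented-out TPM 1.2 `#gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0xb6, ...}` line should go as well; the GUID comment block above it already documents the alternative.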
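Review bot: the unconditional `return EFI_TIMEOUT;` inserted at the top of ShowProgress() in FrontPage.c turns the rest of the function into dead code (including the two EFI_GRAPHICS_OUTPUT_BLT_PIXEL locals declared just above it) and will trip unreachable-code warnings; if the intent is to skip the progress bar in the no-console build, gate it on MINIMUM_PAYLOAD or a PCD rather than an early return.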
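Review bot: commenting out `ASSERT_EFI_ERROR (Status);` after PcRtcInit() in PcRtcEntry.c hides a failing RTC initialisation instead of handling it: Status is overwritten by the following CreateEventEx call and the driver goes on to publish runtime time services on top of an RTC that did not initialise; either return Status on failure or find out why PcRtcInit fails on this board and fix that.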
* Re: Tianocore and TPM2 pcr values 2018-09-25 14:09 ` Jorge Fernandez Monteagudo @ 2018-09-26 5:46 ` Jorge Fernandez Monteagudo 2018-09-26 6:11 ` Yao, Jiewen 0 siblings, 1 reply; 18+ messages in thread From: Jorge Fernandez Monteagudo @ 2018-09-26 5:46 UTC (permalink / raw) To: Zhang, Chao B, edk2-devel@lists.01.org Hi Chao! Maybe the traces I get from the debug build and gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x7 gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800A044F gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2F can help. ________________________________ De: edk2-devel <edk2-devel-bounces@lists.01.org> en nombre de Jorge Fernandez Monteagudo <jorgefm@cirsa.com> Enviado: martes, 25 de septiembre de 2018 16:09:31 Para: Zhang, Chao B; edk2-devel@lists.01.org Asunto: Re: [edk2] Tianocore and TPM2 pcr values Hi Chao! PCR0 has not changed in any of the test I've done! What info do you need? I'm using: coreboot: ae05d095b36ac835a6b1a221e6858065e5486888, master branch tianocore: 07ecd98ac18d6792181856faca7d4bed1b587261, coreboot branch Attached are the changes I've done to tianocore to get TPM2 support and no console. PCR0 is always 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 Thanks! ________________________________ De: Zhang, Chao B <chao.b.zhang@intel.com> Enviado: martes, 25 de septiembre de 2018 15:41:45 Para: Jorge Fernandez Monteagudo; edk2-devel@lists.01.org Cc: You, Benjamin Asunto: RE: Tianocore and TPM2 pcr values Hi Jorge: PCR 0 should change if you use different core boot payload + UEFI. So your case seems to be an issue. Can you provide more detailed info? -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jorge Fernandez Monteagudo Sent: Monday, September 24, 2018 5:57 PM To: edk2-devel@lists.01.org Subject: [edk2] Tianocore and TPM2 pcr values Hi all, This is my first message in this list. 
I'm using tianocore as a payload for a Coreboot in order to boot a custom board I'm working on. Finally I've been able to enable the TPM2 support in coreboot and in tianocore but I have some questions regarding the values I'm seeing in the PCRs.

I'm using Tianocore master branch as is selected by coreboot menuconfig and x64 architecture. Once the system is running I can read the PCRs and, if I'm not wrong, PCRs 0 to 7 are handled by the Tianocore/Coreboot. I've flashed a coreboot+tianocore in release mode and a coreboot+tianocore in debug mode and the PCRs are the same. Is it ok? I thought that any change in the coreboot.rom would make the PCR values change...

pcr0: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
pcr1: a3a3552caa68c6d9db64bf1ed4dca08080f99b59f1b26debc9abefa59ee8ca28
pcr2: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
pcr3: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
pcr4: 74a35102770e65ab94b35135a4bf54c411134ae8059e03df41060a33f573871f
pcr5: dfa65561584cb8604b1675c869f3341d0c99c642ce9d91353380361126235ad8
pcr6: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
pcr7: b5710bf57d25623e4019027da116821fa99f5c81e9e38b87671cc574f9281439

Another test I've done is using the Tianocore stable branch as selected by coreboot (STABLE_COMMIT_ID=315d9d08fd77db1024ccc5307823da8aaed85e2f) and I get the same values from release and build coreboot.roms except that PCR1 has the same value as PCR0, 2, 3 and 6, it seems it's not used in this version.

Is this the expected behavior?

Thanks!
Jorge
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
* Re: Tianocore and TPM2 pcr values 2018-09-26 5:46 ` Jorge Fernandez Monteagudo @ 2018-09-26 6:11 ` Yao, Jiewen 2018-09-26 6:39 ` Jorge Fernandez Monteagudo 0 siblings, 1 reply; 18+ messages in thread From: Yao, Jiewen @ 2018-09-26 6:11 UTC (permalink / raw) To: Jorge Fernandez Monteagudo, Zhang, Chao B, edk2-devel@lists.01.org

Hi Jorge

Yes, it is always good to enable serial port debug. There are lots of debug messages in the Tcg2Dxe driver. We can know what is wrong.

In a pure UEFI BIOS, the PEI driver extends to PCR0, and the DXE image measurement lib extends to PCR2, PCR4, PCR5. The DXE driver extends variables to PCR1/7, and exposes the TCG2 protocol to let the OS use it.

In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is the CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend the coreboot image from flash, and who should extend the UEFI payload?

Also, only *3rd party* images will change PCR2 and PCR4. Do you have such a case in your platform?

Anyway, there should still be something measured - boot variable (PCR1), secure boot variable (PCR7), GPT (5), action (4,5), separator (1~7), if you include the Tcg2Dxe driver.

I am not clear if coreboot already extends something to the separator according to the TCG PFP spec. If that is the case, we probably need special handling in the DXE driver.

I look forward to your serial debug message and design discussion.

Thank you
Yao Jiewen

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jorge Fernandez Monteagudo
> Sent: Wednesday, September 26, 2018 1:46 PM
> To: Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Tianocore and TPM2 pcr values
>
> Hi Chao!
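Yao's breakdown above says which Tcg2Dxe measurements land in which PCR, and Jorge's dump shows PCR0, 2, 3 and 6 sharing a single value. The script below is an added example written for this page; it is not code from the thread, from edk2 or from coreboot. It constructs a small crypto-agile TPM 2.0 event log (a Spec ID header followed by TCG_PCR_EVENT2 entries with one SHA-256 bank), parses it back, replays it into zeroed PCR0-7 with the TPM extend rule, and labels each PCR as never extended, separator-only, or carrying real measurements. The event data strings are placeholders rather than real UEFI_VARIABLE_DATA or GPT structures, and the event order is assumed for illustration. The point it demonstrates: a zeroed SHA-256 PCR that receives nothing but the EV_SEPARATOR event (four zero bytes) ends up at exactly the 3d458cfe...7969 value in the post, which is what a PCR looks like when no code or data was measured into it before the separator; a payload that differs between DEBUG and RELEASE builds cannot move such a PCR because nothing build-dependent was ever extended there.

```python
import hashlib
import struct

# TCG PC Client Platform Firmware Profile constants (TPM_ALG_ID and event types).
TPM_ALG_SHA256 = 0x000B
EV_NO_ACTION = 0x00000003
EV_SEPARATOR = 0x00000004
EV_EFI_VARIABLE_DRIVER_CONFIG = 0x80000001
EV_EFI_VARIABLE_BOOT = 0x80000002
EV_EFI_GPT_EVENT = 0x80000006
EV_EFI_ACTION = 0x80000007

# Value Jorge observed in PCR0/2/3/6 (copied from the post).
OBSERVED_PCR0 = bytes.fromhex(
    "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969")


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend on a SHA-256 bank: PCR_new = SHA256(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def separator_only_pcr() -> bytes:
    """Zeroed SHA-256 PCR after exactly one EV_SEPARATOR whose event data is 00000000."""
    return extend(bytes(32), hashlib.sha256(b"\x00\x00\x00\x00").digest())


def build_log(events, bank=TPM_ALG_SHA256) -> bytes:
    """Constructed sample only: serialize (pcr, event_type, event_data) tuples as a
    crypto-agile log, i.e. a TCG_PCR_EVENT Spec ID header followed by TCG_PCR_EVENT2
    entries carrying a single SHA-256 digest each."""
    spec_id = (b"Spec ID Event03\x00"
               + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 1)  # platformClass, minor, major, errata, uintnSize, numberOfAlgorithms
               + struct.pack("<HH", bank, 32)             # TCG_EfiSpecIdEventAlgorithmSize {algorithmId, digestSize}
               + b"\x00")                                 # vendorInfoSize = 0
    blob = struct.pack("<II", 0, EV_NO_ACTION) + bytes(20) + struct.pack("<I", len(spec_id)) + spec_id
    for pcr, etype, data in events:
        digest = hashlib.sha256(data).digest()
        blob += (struct.pack("<III", pcr, etype, 1) + struct.pack("<H", bank) + digest
                 + struct.pack("<I", len(data)) + data)
    return blob


def parse_log(blob: bytes):
    """Parse a crypto-agile log into (pcr, event_type, {alg_id: digest}, event_data) tuples.
    Digest sizes for each bank are taken from the Spec ID header, as the format requires."""
    _pcr, etype, size = struct.unpack_from("<II20xI", blob, 0)
    if etype != EV_NO_ACTION:
        raise ValueError("first entry is not a Spec ID (EV_NO_ACTION) event")
    spec_id = blob[32:32 + size]
    n_alg = struct.unpack_from("<I", spec_id, 24)[0]
    digest_sizes = dict(struct.unpack_from("<HH", spec_id, 28 + 4 * i) for i in range(n_alg))
    off, events = 32 + size, []
    while off < len(blob):
        pcr, etype, count = struct.unpack_from("<III", blob, off)
        off += 12
        digests = {}
        for _ in range(count):
            alg = struct.unpack_from("<H", blob, off)[0]
            off += 2
            digests[alg] = blob[off:off + digest_sizes[alg]]
            off += digest_sizes[alg]
        esize = struct.unpack_from("<I", blob, off)[0]
        off += 4
        events.append((pcr, etype, digests, blob[off:off + esize]))
        off += esize
    return events


def replay(events, bank=TPM_ALG_SHA256):
    """Replay parsed events into zeroed PCR0-7. EV_NO_ACTION entries are informational
    and are never extended, so they are skipped exactly as a TPM would."""
    pcrs = {i: bytes(32) for i in range(8)}
    for pcr, etype, digests, _data in events:
        if pcr in pcrs and etype != EV_NO_ACTION and bank in digests:
            pcrs[pcr] = extend(pcrs[pcr], digests[bank])
    return pcrs


def classify(pcrs):
    """zero = never extended, separator-only = nothing but the separator, measured = carries data."""
    sep = separator_only_pcr()
    return {i: ("zero" if v == bytes(32) else "separator-only" if v == sep else "measured")
            for i, v in pcrs.items()}


# Constructed log resembling what Tcg2Dxe alone would record when no CRTM/PEI stage
# measures anything: variables and actions into PCR1/4/5/7, then one separator per PCR.
# Event payloads are placeholders, not real UEFI_VARIABLE_DATA / GPT structures.
SAMPLE_EVENTS = [
    (7, EV_EFI_VARIABLE_DRIVER_CONFIG, b"SecureBoot\x00"),
    (1, EV_EFI_VARIABLE_BOOT, b"BootOrder\x00\x00\x01"),
    (4, EV_EFI_ACTION, b"Calling EFI Application from Boot Option"),
    (5, EV_EFI_GPT_EVENT, b"GPT header + partition entries"),
] + [(i, EV_SEPARATOR, b"\x00\x00\x00\x00") for i in range(8)]


def demo():
    """Round-trip the constructed log and return (labels, pcr values)."""
    pcrs = replay(parse_log(build_log(SAMPLE_EVENTS)))
    return classify(pcrs), pcrs


if __name__ == "__main__":
    labels, pcrs = demo()
    for i in range(8):
        print(f"PCR{i}: {pcrs[i].hex()}  ({labels[i]})")
```

On a Linux box the same parse_log/replay pair can be run over /sys/kernel/security/tpm0/binary_bios_measurements and the result compared against tpm2_pcrread sha256:0,1,2,3,4,5,6,7; any PCR whose replayed value disagrees with the hardware is a PCR that something outside the logged events (for instance a CRTM stage that extends but does not log) has touched. A PCR that replays to the separator-only value was never given a code or data measurement before the separator, which is the question this thread is circling around for PCR0.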
* Re: Tianocore and TPM2 pcr values 2018-09-26 6:11 ` Yao, Jiewen @ 2018-09-26 6:39 ` Jorge Fernandez Monteagudo 2018-09-26 6:44 ` Yao, Jiewen 0 siblings, 1 reply; 18+ messages in thread From: Jorge Fernandez Monteagudo @ 2018-09-26 6:39 UTC (permalink / raw) To: Yao, Jiewen, Zhang, Chao B, edk2-devel@lists.01.org

Hi Yao

> Yes, it is always good to enable serial port debug. There are lots of debug message in Tcg2Dxe driver. We can know what is wrong.

From the log I've been able to see that "measure" messages start once Tcg2Dxe.efi is loaded. From the beginning I can only see "ProtectUefiImageCommon" messages but I don't know if they are related.

> In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend coreboot image from flash, and who should extend UEFI payload?

I think nothing is implemented in coreboot because when TPM2 was not activated in edk2 PCR0-10 were all 0. It's only checking what device is available and sending the tpm2_startup command. I'll try to investigate the coreboot project to see if the tianocore payload could be extended before loading because coreboot should be the CRTM.

> Also, only *3rd part* image will change PCR2 and PCR4. Do you have such case in your platform?

First notice. No I don't have such a case in my platform.

Thanks!
Jorge

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, 26 September 2018 8:11:58
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

Hi Jorge

Yes, it is always good to enable serial port debug. There are lots of debug message in Tcg2Dxe driver. We can know what is wrong.

In pure UEFI BIOS, the PEI driver extends to PCR0, and DXE image measurement lib extend to PCR2, PCR4, PCR5.
* Re: Tianocore and TPM2 pcr values 2018-09-26 6:39 ` Jorge Fernandez Monteagudo @ 2018-09-26 6:44 ` Yao, Jiewen 2018-09-26 6:48 ` Jorge Fernandez Monteagudo 0 siblings, 1 reply; 18+ messages in thread From: Yao, Jiewen @ 2018-09-26 6:44 UTC (permalink / raw) To: Jorge Fernandez Monteagudo, Zhang, Chao B, edk2-devel@lists.01.org

ProtectUefiImageCommon is not related.

Below code is the Tcg2Dxe entrypoint, I expect you can see some message there:
====================================
DriverEntry()

  if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) ||
      CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)) {
    DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"));
    return EFI_UNSUPPORTED;
  }

  if (GetFirstGuidHob (&gTpmErrorHobGuid) != NULL) {
    DEBUG ((EFI_D_ERROR, "TPM2 error!\n"));
    return EFI_DEVICE_ERROR;
  }

  Status = Tpm2RequestUseTpm ();
  if (EFI_ERROR (Status)) {
    DEBUG ((EFI_D_ERROR, "TPM2 not detected!\n"));
    return Status;
  }

  //
  // Fill information
  //
  ASSERT (TCG_EVENT_LOG_AREA_COUNT_MAX == sizeof(mTcg2EventInfo)/sizeof(mTcg2EventInfo[0]));

  mTcgDxeData.BsCap.Size = sizeof(EFI_TCG2_BOOT_SERVICE_CAPABILITY);
  mTcgDxeData.BsCap.ProtocolVersion.Major = 1;
  mTcgDxeData.BsCap.ProtocolVersion.Minor = 1;
  mTcgDxeData.BsCap.StructureVersion.Major = 1;
  mTcgDxeData.BsCap.StructureVersion.Minor = 1;

  DEBUG ((EFI_D_INFO, "Tcg2.ProtocolVersion  - %02x.%02x\n", mTcgDxeData.BsCap.ProtocolVersion.Major, mTcgDxeData.BsCap.ProtocolVersion.Minor));
  DEBUG ((EFI_D_INFO, "Tcg2.StructureVersion - %02x.%02x\n", mTcgDxeData.BsCap.StructureVersion.Major, mTcgDxeData.BsCap.StructureVersion.Minor));

  Status = Tpm2GetCapabilityManufactureID (&mTcgDxeData.BsCap.ManufacturerID);
  if (EFI_ERROR (Status)) {
    DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityManufactureID fail!\n"));
  } else {
    DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityManufactureID - %08x\n", mTcgDxeData.BsCap.ManufacturerID));
  }

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Wednesday, September 26, 2018 2:40 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

Hi Yao

> Yes, it is always good to enable serial port debug. There are lots of debug message in Tcg2Dxe driver. We can know what is wrong.

From the log I've been able to see that "measure" messages start once Tcg2Dxe.efi is loaded. From the beginning I can only see "ProtectUefiImageCommon" messages but I don't know if they are related.

> In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend coreboot image from flash, and who should extend UEFI payload?

I think nothing is implemented in coreboot because when TPM2 was not activated in edk2 PCR0-10 were all 0. It's only checking what device is available and sending the tpm2_startup command. I'll try to investigate the coreboot project to see if the tianocore payload could be extended before loading because coreboot should be the CRTM.

> Also, only *3rd part* image will change PCR2 and PCR4. Do you have such case in your platform?

First notice. No I don't have such a case in my platform.

Thanks!
Jorge

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, 26 September 2018 8:11:58
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

Hi Jorge

Yes, it is always good to enable serial port debug. There are lots of debug message in Tcg2Dxe driver. We can know what is wrong.

In pure UEFI BIOS, the PEI driver extends to PCR0, and DXE image measurement lib extend to PCR2, PCR4, PCR5. The DXE driver extends variable to PCR1/7, and exposes the TCG2 protocol to let OS use it.
* Re: Tianocore and TPM2 pcr values 2018-09-26 6:44 ` Yao, Jiewen @ 2018-09-26 6:48 ` Jorge Fernandez Monteagudo 2018-09-26 6:58 ` Yao, Jiewen 0 siblings, 1 reply; 18+ messages in thread From: Jorge Fernandez Monteagudo @ 2018-09-26 6:48 UTC (permalink / raw) To: Yao, Jiewen, Zhang, Chao B, edk2-devel@lists.01.org

Yes, from the log I see:

Loading driver at 0x0008F3F2000 EntryPoint=0x0008F3F2240 Tcg2Dxe.efi
InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF 8F410C18
ProtectUefiImageCommon - 0x8F4107C0 - 0x000000008F3F2000 - 0x000000000000D800
PROGRESS CODE: V03040002 I0
InterfaceId - 0xFFFFFFFF
InterfaceType - 0x0F
InterfaceCapability - 0x300000FF
InterfaceVersion - 0x3
StatusEx - 0xFF
TpmFamily - 0x3
PtpInterface - 0
VID - 0x15D1
DID - 0x001A
RID - 0x10
Tcg2.ProtocolVersion - 01.01
Tcg2.StructureVersion - 01.01
Tpm2GetCapabilityManufactureID - 00584649
Tpm2GetCapabilityFirmwareVersion - 00050000 00044102
Tpm2GetCapabilityMaxCommandResponseSize - 00000500, 00000500
GetSupportedAndActivePcrs - Count = 00000002
Tcg2.SupportedEventLogs - 0x00000003
Tcg2.HashAlgorithmBitmap - 0x00000003
Tcg2.NumberOfPCRBanks - 0x00000002
Tcg2.ActivePcrBanks - 0x00000003
...

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, 26 September 2018 8:44:54
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

ProtectUefiImageCommon is not related.
* Re: Tianocore and TPM2 pcr values
From: Yao, Jiewen @ 2018-09-26 6:58 UTC
To: Jorge Fernandez Monteagudo, Zhang, Chao B, edk2-devel@lists.01.org

That means the TPM2 device works well.

We have code to dump the final event log at Tcg2GetEventLog().

    // Dump Event Log for debug purpose
    if ((EventLogLocation != NULL) && (EventLogLastEntry != NULL)) {
      DumpEventLog (EventLogFormat, *EventLogLocation, *EventLogLastEntry, mTcgDxeData.FinalEventsTable[Index]);
    }

If your OS needs to consume the event log, I expect the OS loader calls Tcg2GetEventLog().

If you don't have such an OS, then you can add a Tcg2GetEventLog() call at the end of OnReadyToBoot() - just for debug purposes to dump the event log. As such we can know how many events are extended.

Thank you
Yao Jiewen

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Wednesday, September 26, 2018 2:48 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

Yes, from the log I see:

    Loading driver at 0x0008F3F2000 EntryPoint=0x0008F3F2240 Tcg2Dxe.efi
    InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF 8F410C18
    ProtectUefiImageCommon - 0x8F4107C0
      - 0x000000008F3F2000 - 0x000000000000D800
    PROGRESS CODE: V03040002 I0
    InterfaceId - 0xFFFFFFFF
    InterfaceType - 0x0F
    InterfaceCapability - 0x300000FF
    InterfaceVersion - 0x3
    StatusEx - 0xFF
    TpmFamily - 0x3
    PtpInterface - 0
    VID - 0x15D1
    DID - 0x001A
    RID - 0x10
    Tcg2.ProtocolVersion  - 01.01
    Tcg2.StructureVersion - 01.01
    Tpm2GetCapabilityManufactureID - 00584649
    Tpm2GetCapabilityFirmwareVersion - 00050000 00044102
    Tpm2GetCapabilityMaxCommandResponseSize - 00000500, 00000500
    GetSupportedAndActivePcrs - Count = 00000002
    Tcg2.SupportedEventLogs - 0x00000003
    Tcg2.HashAlgorithmBitmap - 0x00000003
    Tcg2.NumberOfPCRBanks - 0x00000002
    Tcg2.ActivePcrBanks - 0x00000003
    ...

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, 26 September 2018 8:44:54
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

ProtectUefiImageCommon is not related.

Below code is the Tcg2Dxe entrypoint, I expect you can see some message there:

====================================
DriverEntry()

  if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) ||
      CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){
    DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"));
    return EFI_UNSUPPORTED;
  }

  if (GetFirstGuidHob (&gTpmErrorHobGuid) != NULL) {
    DEBUG ((EFI_D_ERROR, "TPM2 error!\n"));
    return EFI_DEVICE_ERROR;
  }

  Status = Tpm2RequestUseTpm ();
  if (EFI_ERROR (Status)) {
    DEBUG ((EFI_D_ERROR, "TPM2 not detected!\n"));
    return Status;
  }

  //
  // Fill information
  //
  ASSERT (TCG_EVENT_LOG_AREA_COUNT_MAX == sizeof(mTcg2EventInfo)/sizeof(mTcg2EventInfo[0]));

  mTcgDxeData.BsCap.Size = sizeof(EFI_TCG2_BOOT_SERVICE_CAPABILITY);
  mTcgDxeData.BsCap.ProtocolVersion.Major = 1;
  mTcgDxeData.BsCap.ProtocolVersion.Minor = 1;
  mTcgDxeData.BsCap.StructureVersion.Major = 1;
  mTcgDxeData.BsCap.StructureVersion.Minor = 1;

  DEBUG ((EFI_D_INFO, "Tcg2.ProtocolVersion  - %02x.%02x\n", mTcgDxeData.BsCap.ProtocolVersion.Major, mTcgDxeData.BsCap.ProtocolVersion.Minor));
  DEBUG ((EFI_D_INFO, "Tcg2.StructureVersion - %02x.%02x\n", mTcgDxeData.BsCap.StructureVersion.Major, mTcgDxeData.BsCap.StructureVersion.Minor));

  Status = Tpm2GetCapabilityManufactureID (&mTcgDxeData.BsCap.ManufacturerID);
  if (EFI_ERROR (Status)) {
    DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityManufactureID fail!\n"));
  } else {
    DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityManufactureID - %08x\n", mTcgDxeData.BsCap.ManufacturerID));
  }

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Wednesday, September 26, 2018 2:40 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

Hi Yao

> Yes, it is always good to enable serial port debug. There are lots of debug messages in the Tcg2Dxe driver. We can know what is wrong.

From the log I've been able to see that "measure" messages start once Tcg2Dxe.efi. From the beginning I can only see "ProtectUefiImageCommon" messages but I don't know if they are related.

> In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend coreboot image from flash, and who should extend UEFI payload?

I think nothing is implemented in coreboot because when TPM2 was not activated in edk2 PCR0-10 were all 0. It's only checking what device is available and sending the tpm2_startup command. I'll try to investigate the coreboot project to see if the tianocore payload could be extended before loading because coreboot should be the CRTM.

> Also, only *3rd part* image will change PCR2 and PCR4. Do you have such a case in your platform?

First notice. No, I don't have such a case in my platform.

Thanks!
Jorge

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, 26 September 2018 8:11:58
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

Hi Jorge

Yes, it is always good to enable serial port debug. There are lots of debug messages in the Tcg2Dxe driver. We can know what is wrong.

In pure UEFI BIOS, the PEI driver extends to PCR0, and the DXE image measurement lib extends to PCR2, PCR4, PCR5. The DXE driver extends variables to PCR1/7, and exposes the TCG2 protocol to let the OS use it.

In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend coreboot image from flash, and who should extend UEFI payload?

Also, only *3rd part* image will change PCR2 and PCR4. Do you have such a case in your platform?

Anyway, there should still be something measured - boot variable (PCR1), secure boot variable (PCR7), GPT (5), action (4,5), separator (1~7), if you include Tcg2Dxe driver. I am not clear if coreboot already extends something to separator according to TCG PFP spec. If that is the case, we probably need a special handling in DXE driver.

I look forward to your serial debug message and design discussion.

Thank you
Yao Jiewen
* Re: Tianocore and TPM2 pcr values
From: Jorge Fernandez Monteagudo @ 2018-09-26 8:53 UTC
To: Yao, Jiewen, Zhang, Chao B, edk2-devel@lists.01.org

I've added the Tcg2GetEventLog at the end of OnReadyToBoot from Tcg2Dxe.c and I can see:

    TPM2 Tcg2Dxe Measure Data when ReadyToBoot
    Tcg2GetEventLog ... (0x2)
    Tcg2GetEventLog (EventLogLocation - 8F3D2000)
    Tcg2GetEventLog (EventLogLastEntry - 8F3D27AE)
    Tcg2GetEventLog (EventLogTruncated - 0)
    Tcg2GetEventLog - Success
    EventLogFormat: (0x2)
      Event:
        PCRIndex  - 0
        EventType - 0x00000003
        Digest    - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        EventSize - 0x00000025
        0000: 53706563204944204576656E7430330000000000000200020200000004001400
        0020: 0B00200000
      TCG_EfiSpecIDEventStruct:
        signature          - 'Spec ID Event03 '
        platformClass      - 0x00000000
        specVersion        - 2.00
        uintnSize          - 0x02
        NumberOfAlgorithms - 0x00000002
        digest(0)
          algorithmId      - 0x0004
          digestSize       - 0x0014
        digest(1)
          algorithmId      - 0x000B
          digestSize       - 0x0020
        VendorInfoSize     - 0x00
        VendorInfo         -
      Event:
        PCRIndex  - 7
        EventType - 0x80000001
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 2F 20 11 2A 3F 55 39 8B 20 8E 0C 42 68 13 89 B4 CB 5B 18 23
        HashAlgo : 0x000B
        Digest(1): CE 9C E3 86 B5 2E 09 9F 30 19 E5 12 A0 D6 06 2D 6B 56 0E FE 4F F3 E5 66 1C 75 25 E2 F9 C2 63 DF
        EventSize - 0x00000034
        0000: 61DFE48BCA93D211AA0D00E098032B8C0A000000000000000000000000000000
        0020: 53006500630075007200650042006F006F007400
      Event:
        PCRIndex  - 7
        EventType - 0x80000001
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 9B 13 87 30 6E BB 7F F8 E7 95 E7 BE 77 56 36 66 BB F4 51 6E
        HashAlgo : 0x000B
        Digest(1): DE A7 B8 0A B5 3A 3D AA A2 4D 5C C4 6C 64 E1 FA 9F FD 03 73 9F 90 AA DB D8 C0 86 7C 4A 5B 48 90
        EventSize - 0x00000024
        0000: 61DFE48BCA93D211AA0D00E098032B8C02000000000000000000000000000000
        0020: 50004B00
      Event:
        PCRIndex  - 7
        EventType - 0x80000001
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 9A FA 86 C5 07 41 9B 85 70 C6 21 67 CB 94 86 D9 FC 80 97 58
        HashAlgo : 0x000B
        Digest(1): E6 70 E1 21 FC EB D4 73 B8 BC 41 BB 80 13 01 FC 1D 9A FA 33 90 4F 06 F7 14 9B 74 F1 2C 47 A6 8F
        EventSize - 0x00000026
        0000: 61DFE48BCA93D211AA0D00E098032B8C03000000000000000000000000000000
        0020: 4B0045004B00
      Event:
        PCRIndex  - 7
        EventType - 0x80000001
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 5B F8 FA A0 78 D4 0F FB D0 33 17 C9 33 98 B0 12 29 A0 E1 E0
        HashAlgo : 0x000B
        Digest(1): BA F8 9A 3C CA CE 52 75 0C 5F 01 28 35 1E 04 22 A4 15 97 A1 AD FD 50 82 2A A3 63 B9 D1 24 EA 7C
        EventSize - 0x00000024
        0000: CBB219D73A3D9645A3BCDAD00E67656F02000000000000000000000000000000
        0020: 64006200
      Event:
        PCRIndex  - 7
        EventType - 0x80000001
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 73 44 24 C9 FE 8F C7 17 16 C4 20 96 F4 B7 4C 88 73 3B 17 5E
        HashAlgo : 0x000B
        Digest(1): 9F 75 B6 82 3B FF 6A F1 02 4A 4E 20 36 71 9C DD 54 8D 3C BC 2B F1 DE 8E 7E F4 D0 ED 01 F9 4B F9
        EventSize - 0x00000026
        0000: CBB219D73A3D9645A3BCDAD00E67656F03000000000000000000000000000000
        0020: 640062007800
      Event:
        PCRIndex  - 7
        EventType - 0x00000004
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 73
        HashAlgo : 0x000B
        Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19
        EventSize - 0x00000004
        0000: 00000000
      Event:
        PCRIndex  - 1
        EventType - 0x80000002
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 1B 24 F7 F4 BB 84 00 03 02 20 9D 12 98 D6 2F 57 79 A9 4F 45
        HashAlgo : 0x000B
        Digest(1): 90 C2 69 89 21 CA 9F D0 29 50 BE 35 3F 72 18 88 76 0E 33 AB 50 95 A2 1E 50 F1 E4 36 0B 6D E1 A0
        EventSize - 0x00000038
        0000: 61DFE48BCA93D211AA0D00E098032B8C09000000000000000600000000000000
        0020: 42006F006F0074004F007200640065007200000001000200
      Event:
        PCRIndex  - 1
        EventType - 0x80000002
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): E9 44 11 C7 28 F4 14 4F 9F 49 9D DE 4A BB F8 F0 48 3A BB 66
        HashAlgo : 0x000B
        Digest(1): 1F 7F 14 CE 8C 8E 85 5B 56 A0 FF 0D 87 FB 6E E6 78 98 37 76 FA BE 83 C4 9F E5 1F 07 36 D3 0E 9C
        EventSize - 0x00000070
        0000: 61DFE48BCA93D211AA0D00E098032B8C08000000000000004000000000000000
        0020: 42006F006F0074003000300030003000010000001C0045004600490020005500
        0040: 530042002000440065007600690063006500000002010C00D041030A00000000
        0060: 0101060000100305060001007FFF0400
      Event:
        PCRIndex  - 1
        EventType - 0x80000002
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 2D 60 53 82 1E 28 AC 45 A6 64 84 57 06 57 48 7A C3 8B 9E 3A
        HashAlgo : 0x000B
        Digest(1): A0 39 4A 61 B8 1E 84 4E 1C 13 6C 74 EC 15 56 0A CF 5C 69 0F 22 3E C3 22 1F F5 1E 18 3C 72 AF DA
        EventSize - 0x00000074
        0000: 61DFE48BCA93D211AA0D00E098032B8C08000000000000004400000000000000
        0020: 42006F006F007400300030003000310001000000200045004600490020004800
        0040: 610072006400200044007200690076006500000002010C00D041030A00000000
        0060: 01010600001103120A000100FFFF00007FFF0400
      Event:
        PCRIndex  - 1
        EventType - 0x80000002
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): CF A3 CA 37 28 69 A8 3E 5A 0A 29 2D 94 D9 03 32 3D F7 1E 86
        HashAlgo : 0x000B
        Digest(1): C1 B5 4E 82 C6 8B 86 A7 ED 70 DF E9 CB AC A8 1E 99 C0 8A 42 13 DD FD 13 7A 54 12 45 C8 33 13 22
        EventSize - 0x00000079
        0000: 61DFE48BCA93D211AA0D00E098032B8C08000000000000004900000000000000
        0020: 42006F006F007400300030003000320001000000230045004600490020004D00
        0040: 6900730063002000440065007600690063006500000002010C00D041030A0000
        0060: 0000010106000714031D05000001050800000000007FFF0400
      Event:
        PCRIndex  - 4
        EventType - 0x80000007
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): CD 0F DB 45 31 A6 EC 41 BE 27 53 BA 04 26 37 D6 E5 F7 F2 56
        HashAlgo : 0x000B
        Digest(1): 3D 67 72 B4 F8 4E D4 75 95 D7 2A 2C 4C 5F FD 15 F5 BB 72 C7 50 7F E2 6F 2A AE E2 C6 9D 56 33 BA
        EventSize - 0x00000028
        0000: 43616C6C696E6720454649204170706C69636174696F6E2066726F6D20426F6F
        0020: 74204F7074696F6E
      Event:
        PCRIndex  - 0
        EventType - 0x00000004
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 73
        HashAlgo : 0x000B
        Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19
        EventSize - 0x00000004
        0000: 00000000
      Event:
        PCRIndex  - 1
        EventType - 0x00000004
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 73
        HashAlgo : 0x000B
        Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19
        EventSize - 0x00000004
        0000: 00000000
      Event:
        PCRIndex  - 2
        EventType - 0x00000004
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 73
        HashAlgo : 0x000B
        Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19
        EventSize - 0x00000004
        0000: 00000000
      Event:
        PCRIndex  - 3
        EventType - 0x00000004
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 73
        HashAlgo : 0x000B
        Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19
        EventSize - 0x00000004
        0000: 00000000
      Event:
        PCRIndex  - 4
        EventType - 0x00000004
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 73
        HashAlgo : 0x000B
        Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19
        EventSize - 0x00000004
        0000: 00000000
      Event:
        PCRIndex  - 5
        EventType - 0x00000004
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 73
        HashAlgo : 0x000B
        Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19
        EventSize - 0x00000004
        0000: 00000000
      Event:
        PCRIndex  - 6
        EventType - 0x00000004
        DigestCount: 0x00000002
        HashAlgo : 0x0004
        Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 73
        HashAlgo : 0x000B
        Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19
        EventSize - 0x00000004
        0000: 00000000
    FinalEventsTable: (0x8F408000)
      Version: (0x1)
      NumberOfEvents: (0x0)
    PROGRESS CODE: V03051001 I0
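The event log above shows that PCR 0, 2, 3 and 6 each received exactly one EV_SEPARATOR extend, and Yao's earlier message lists which PCRs Tcg2Dxe is expected to touch; the open question in the thread is whether the hardware PCR values match what the log says was extended. The Python script below is an added example, not code from the thread, from edk2 or from coreboot: it parses TCG_PCR_EVENT2 records in the crypto-agile log format, replays them with the TPM extend rule (new = H(old || digest)) and compares the replayed values with values read from the TPM. The sample records are constructed inline from the separator entries in the log posted above (4 zero bytes, hashed into the SHA-1 and SHA-256 banks); the function and constant names are the example's own, and the Spec ID header record, which uses the older SHA-1 layout, is assumed to have been skipped before the data is handed to the parser.

```python
"""Replay a TCG2 crypto-agile event log and recompute the expected PCR values.

Added example, not code from the edk2 Tcg2Dxe driver or from the thread.
It parses TCG_PCR_EVENT2 records (the records that follow the Spec ID
Event03 header), extends a simulated PCR bank with each digest and compares
the result with values read from the hardware. The sample log below is
constructed from the EV_SEPARATOR entries that Tcg2Dxe logged in the thread.
"""
import hashlib
import struct

# TPM_ALG_ID values from the TCG Algorithm Registry (the two banks in the log).
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
DIGEST_SIZE = {TPM_ALG_SHA1: 20, TPM_ALG_SHA256: 32}
HASH_NAME = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256"}

EV_SEPARATOR = 0x00000004  # event type seen for PCR 0..7 in the posted log


def pcr_extend(pcr_value: bytes, digest: bytes, alg: int) -> bytes:
    """TPM2_PCR_Extend semantics for one bank: new = H(old || digest)."""
    return hashlib.new(HASH_NAME[alg], pcr_value + digest).digest()


def parse_event2_records(data: bytes):
    """Yield (pcr_index, event_type, {alg: digest}, event_data) for each
    TCG_PCR_EVENT2 record in data: PCRIndex u32, EventType u32, digest
    count u32, then (AlgId u16, digest) per bank, then EventSize u32 + Event.
    All fields are little-endian. An unknown AlgId raises KeyError on purpose,
    because the digest size (and so the next record offset) would be unknown."""
    off = 0
    while off < len(data):
        pcr_index, event_type, digest_count = struct.unpack_from("<III", data, off)
        off += 12
        digests = {}
        for _ in range(digest_count):
            (alg,) = struct.unpack_from("<H", data, off)
            off += 2
            size = DIGEST_SIZE[alg]
            digests[alg] = data[off:off + size]
            off += size
        (event_size,) = struct.unpack_from("<I", data, off)
        off += 4
        event_data = data[off:off + event_size]
        off += event_size
        yield pcr_index, event_type, digests, event_data


def build_event2(pcr_index: int, event_type: int, event_data: bytes, algs) -> bytes:
    """Build one TCG_PCR_EVENT2 record whose per-bank digest is the hash of
    event_data (this is how EV_SEPARATOR is measured: the 4 data bytes are hashed)."""
    rec = struct.pack("<III", pcr_index, event_type, len(algs))
    for alg in algs:
        rec += struct.pack("<H", alg) + hashlib.new(HASH_NAME[alg], event_data).digest()
    return rec + struct.pack("<I", len(event_data)) + event_data


def replay(data: bytes, alg: int) -> dict:
    """Recompute the PCR values of one bank from the log. PCRs 0..7 start at
    all zeros after TPM2_Startup(CLEAR), so a PCR absent from the result was
    never extended according to the log."""
    pcrs = {}
    for pcr_index, _etype, digests, _ev in parse_event2_records(data):
        if alg not in digests:
            continue  # the record carries no digest for this bank
        old = pcrs.get(pcr_index, bytes(DIGEST_SIZE[alg]))
        pcrs[pcr_index] = pcr_extend(old, digests[alg], alg)
    return pcrs


def check_against_hardware(log: bytes, alg: int, hw_values: dict) -> dict:
    """Return {pcr: True/False}: True when the replayed value equals the
    hex value read from the TPM. A mismatch means the PCR was extended by
    something that did not log the event, or the log is incomplete."""
    expected = replay(log, alg)
    return {pcr: expected.get(pcr, b"").hex() == hw for pcr, hw in hw_values.items()}


# Constructed sample log: the seven EV_SEPARATOR events (PCR 0..6, data
# 00000000) that appear in the posted log, in the SHA-1 and SHA-256 banks.
SAMPLE_LOG = b"".join(
    build_event2(i, EV_SEPARATOR, b"\x00\x00\x00\x00", [TPM_ALG_SHA1, TPM_ALG_SHA256])
    for i in range(7)
)

# SHA-256 value the thread reports for PCR 0 (and PCR 2, 3, 6).
HW_PCR0_SHA256 = "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969"

if __name__ == "__main__":
    for idx, value in sorted(replay(SAMPLE_LOG, TPM_ALG_SHA256).items()):
        print(f"pcr{idx}: {value.hex()}")
    print(check_against_hardware(SAMPLE_LOG, TPM_ALG_SHA256, {0: HW_PCR0_SHA256}))
```

Replaying only the separator gives exactly the 3d458cfe... value Jorge reads from PCR 0, 2, 3 and 6, which is why the debug and release coreboot.rom images produce identical PCRs: nothing in the log measures coreboot or the Tianocore payload before Tcg2Dxe runs, so those PCRs hold nothing but the separator. On a real system the same check can be run over the binary log handed out by Tcg2GetEventLog (after skipping the SHA-1 format Spec ID header) against tpm2_pcrread output; any PCR whose replayed value differs from the hardware value was touched by an unlogged extend and cannot be used for sealing or attestation policy until that is explained.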
* Re: Tianocore and TPM2 pcr values
  2018-09-26  8:53 ` Jorge Fernandez Monteagudo
@ 2018-09-26  8:56 ` Yao, Jiewen
  2018-09-26  9:06 ` Jorge Fernandez Monteagudo
  0 siblings, 1 reply; 18+ messages in thread
From: Yao, Jiewen @ 2018-09-26  8:56 UTC (permalink / raw)
To: Jorge Fernandez Monteagudo, Zhang, Chao B, edk2-devel@lists.01.org

OK. That means the PCR is extended successfully.
You still cannot get the right PCR hardware value?

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jorge Fernandez Monteagudo
> Sent: Wednesday, September 26, 2018 4:54 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Tianocore and TPM2 pcr values
>
> I've added the Tcg2GetEventLog at the end of OnReadyToBoot from Tcg2Dxe.c and I can see:
>
> TPM2 Tcg2Dxe Measure Data when ReadyToBoot
> Tcg2GetEventLog ... (0x2)
> Tcg2GetEventLog (EventLogLocation - 8F3D2000)
> Tcg2GetEventLog (EventLogLastEntry - 8F3D27AE)
> Tcg2GetEventLog (EventLogTruncated - 0)
> Tcg2GetEventLog - Success
> EventLogFormat: (0x2)
> [...]
> FinalEventsTable: (0x8F408000)
> Version: (0x1)
> NumberOfEvents: (0x0)
> PROGRESS CODE: V03051001 I0
>
> ________________________________
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, 26 September 2018 8:58:26
> To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
> Subject: RE: Tianocore and TPM2 pcr values
>
> That means the TPM2 device works well.
>
> We have code to dump the final event log at Tcg2GetEventLog().
>
>   // Dump Event Log for debug purpose
>   if ((EventLogLocation != NULL) && (EventLogLastEntry != NULL)) {
>     DumpEventLog (EventLogFormat, *EventLogLocation, *EventLogLastEntry, mTcgDxeData.FinalEventsTable[Index]);
>   }
>
> If your OS needs to consume the event log, I expect the OS loader to call Tcg2GetEventLog().
>
> If you don't have such an OS, then you can add a Tcg2GetEventLog() call at the end of OnReadyToBoot(), just for debug purposes, to dump the event log.
>
> That way we can know how many events are extended.
>
> Thank you
> Yao Jiewen
>
> From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
> Sent: Wednesday, September 26, 2018 2:48 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: Tianocore and TPM2 pcr values
>
> Yes, from the log I see:
>
> Loading driver at 0x0008F3F2000 EntryPoint=0x0008F3F2240 Tcg2Dxe.efi
> InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF 8F410C18
> ProtectUefiImageCommon - 0x8F4107C0
>   - 0x000000008F3F2000 - 0x000000000000D800
> PROGRESS CODE: V03040002 I0
> InterfaceId - 0xFFFFFFFF
> InterfaceType - 0x0F
> InterfaceCapability - 0x300000FF
> InterfaceVersion - 0x3
> StatusEx - 0xFF
> TpmFamily - 0x3
> PtpInterface - 0
> VID - 0x15D1
> DID - 0x001A
> RID - 0x10
> Tcg2.ProtocolVersion - 01.01
> Tcg2.StructureVersion - 01.01
> Tpm2GetCapabilityManufactureID - 00584649
> Tpm2GetCapabilityFirmwareVersion - 00050000 00044102
> Tpm2GetCapabilityMaxCommandResponseSize - 00000500, 00000500
> GetSupportedAndActivePcrs - Count = 00000002
> Tcg2.SupportedEventLogs - 0x00000003
> Tcg2.HashAlgorithmBitmap - 0x00000003
> Tcg2.NumberOfPCRBanks - 0x00000002
> Tcg2.ActivePcrBanks - 0x00000003
> ...
>
> ________________________________
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, 26 September 2018 8:44:54
> To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
> Subject: RE: Tianocore and TPM2 pcr values
>
> ProtectUefiImageCommon is not related.
>
> Below code is the Tcg2Dxe entrypoint, I expect you can see some message there:
>
> ====================================
> DriverEntry()
>
>   if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) ||
>       CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){
>     DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"));
>     return EFI_UNSUPPORTED;
>   }
>
>   if (GetFirstGuidHob (&gTpmErrorHobGuid) != NULL) {
>     DEBUG ((EFI_D_ERROR, "TPM2 error!\n"));
>     return EFI_DEVICE_ERROR;
>   }
>
>   Status = Tpm2RequestUseTpm ();
>   if (EFI_ERROR (Status)) {
>     DEBUG ((EFI_D_ERROR, "TPM2 not detected!\n"));
>     return Status;
>   }
>
>   //
>   // Fill information
>   //
>   ASSERT (TCG_EVENT_LOG_AREA_COUNT_MAX == sizeof(mTcg2EventInfo)/sizeof(mTcg2EventInfo[0]));
>
>   mTcgDxeData.BsCap.Size = sizeof(EFI_TCG2_BOOT_SERVICE_CAPABILITY);
>   mTcgDxeData.BsCap.ProtocolVersion.Major = 1;
>   mTcgDxeData.BsCap.ProtocolVersion.Minor = 1;
>   mTcgDxeData.BsCap.StructureVersion.Major = 1;
>   mTcgDxeData.BsCap.StructureVersion.Minor = 1;
>
>   DEBUG ((EFI_D_INFO, "Tcg2.ProtocolVersion - %02x.%02x\n", mTcgDxeData.BsCap.ProtocolVersion.Major, mTcgDxeData.BsCap.ProtocolVersion.Minor));
>   DEBUG ((EFI_D_INFO, "Tcg2.StructureVersion - %02x.%02x\n", mTcgDxeData.BsCap.StructureVersion.Major, mTcgDxeData.BsCap.StructureVersion.Minor));
>
>   Status = Tpm2GetCapabilityManufactureID (&mTcgDxeData.BsCap.ManufacturerID);
>   if (EFI_ERROR (Status)) {
>     DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityManufactureID fail!\n"));
>   } else {
>     DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityManufactureID - %08x\n", mTcgDxeData.BsCap.ManufacturerID));
>   }
>
> From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
> Sent: Wednesday, September 26, 2018 2:40 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: Tianocore and TPM2 pcr values
>
> Hi Yao
>
> > Yes, it is always good to enable serial port debug. There are lots of debug messages in the Tcg2Dxe driver. We can know what is wrong.
>
> From the log I've been able to see that "measure" messages start once Tcg2Dxe.efi is loaded. From the beginning I can only see "ProtectUefiImageCommon" messages but I don't know if they are related.
>
> > In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is the CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend the coreboot image from flash, and who should extend the UEFI payload?
>
> I think nothing is implemented in coreboot because when TPM2 was not activated in edk2, PCR0-10 were all 0. It's only checking what device is available and sending the tpm2_startup command. I'll try to investigate the coreboot project to see if the tianocore payload could be extended before loading, because coreboot should be the CRTM.
>
> > Also, only *3rd party* image will change PCR2 and PCR4. Do you have such case in your platform?
>
> First notice. No, I don't have such a case in my platform.
>
> Thanks!
> Jorge
>
> ________________________________
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, 26 September 2018 8:11:58
> To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
> Subject: RE: Tianocore and TPM2 pcr values
>
> Hi Jorge
> Yes, it is always good to enable serial port debug. There are lots of debug messages in the Tcg2Dxe driver. We can know what is wrong.
>
> In a pure UEFI BIOS, the PEI driver extends to PCR0, and the DXE image measurement lib extends to PCR2, PCR4, PCR5. The DXE driver extends variables to PCR1/7, and exposes the TCG2 protocol to let the OS use it.
>
> In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is the CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend the coreboot image from flash, and who should extend the UEFI payload?
>
> Also, only *3rd party* image will change PCR2 and PCR4. Do you have such case in your platform?
>
> Anyway, there should still be something measured - boot variable (PCR1), secure boot variable (PCR7), GPT (5), action (4,5), separator (1~7), if you include the Tcg2Dxe driver.
>
> I am not clear if coreboot already extends something to separator according to the TCG PFP spec. If that is the case, we probably need a special handling in the DXE driver.
>
> I look forward to your serial debug message and design discussion.
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jorge Fernandez Monteagudo
> > Sent: Wednesday, September 26, 2018 1:46 PM
> > To: Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> > Subject: Re: [edk2] Tianocore and TPM2 pcr values
> >
> > Hi Chao!
> >
> > Maybe the traces I get from the debug build and
> >
> >   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x7
> >   gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800A044F
> >   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2F
> >
> > can help.
> >
> > ________________________________
> > From: edk2-devel <edk2-devel-bounces@lists.01.org> on behalf of Jorge Fernandez Monteagudo <jorgefm@cirsa.com>
> > Sent: Tuesday, 25 September 2018 16:09:31
> > To: Zhang, Chao B; edk2-devel@lists.01.org
> > Subject: Re: [edk2] Tianocore and TPM2 pcr values
> >
> > Hi Chao!
> >
> > PCR0 has not changed in any of the tests I've done! What info do you need?
> >
> > I'm using:
> >
> > coreboot: ae05d095b36ac835a6b1a221e6858065e5486888, master branch
> > tianocore: 07ecd98ac18d6792181856faca7d4bed1b587261, coreboot branch
> >
> > Attached are the changes I've done to tianocore to get TPM2 support and no console.
> > PCR0 is always 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> >
> > Thanks!
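To show why PCR0 in this thread is identical to PCR2, PCR3 and PCR6, and why a rebuilt coreboot.rom cannot change any of them, here is an added Python example that is not code from the thread or from edk2/Tcg2Dxe: it replays the SHA-256 digests of the separator and EV_EFI_ACTION entries from Jorge's event log dump with the TPM extend rule PCR_new = SHA-256(PCR_old || digest) and compares the result with the PCR values he posted. The event types, digests and PCR values are taken from the thread; the event list is a hand-built subset of the dump and the function names are chosen here.

```python
"""Replay the SHA-256 bank of a TCG 2.0 event log to explain the PCR values
discussed in this thread.

Added example; not code from the thread or from edk2/Tcg2Dxe. The event types,
digests and PCR values are transcribed from the messages above, the event list
is a hand-built subset of Jorge's Tcg2GetEventLog dump, and the function names
are chosen here.
"""
import hashlib

# TCG PC Client Platform Firmware Profile event types present in the dump.
EV_SEPARATOR = 0x00000004
EV_EFI_ACTION = 0x80000007

# Event data whose digest is, by the PFP spec, simply the hash of the data.
SEPARATOR_DATA = b"\x00\x00\x00\x00"
CALLING_EFI_APP = b"Calling EFI Application from Boot Option"

# (PCRIndex, EventType, event data, SHA-256 digest) for the entries reproduced
# here. The PCR1 boot-variable and PCR7 Secure Boot variable events are left
# out because their digests cover variable contents not shown in full.
LOGGED_EVENTS = [
    (4, EV_EFI_ACTION, CALLING_EFI_APP,
     "3d6772b4f84ed47595d72a2c4c5ffd15f5bb72c7507fe26f2aaee2c69d5633ba"),
] + [
    (pcr, EV_SEPARATOR, SEPARATOR_DATA,
     "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119")
    for pcr in range(8)
]

# SHA-256 PCR values Jorge read back from the TPM in his first message.
POSTED_PCRS = {
    0: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    1: "a3a3552caa68c6d9db64bf1ed4dca08080f99b59f1b26debc9abefa59ee8ca28",
    2: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    3: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    4: "74a35102770e65ab94b35135a4bf54c411134ae8059e03df41060a33f573871f",
    5: "dfa65561584cb8604b1675c869f3341d0c99c642ce9d91353380361126235ad8",
    6: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    7: "b5710bf57d25623e4019027da116821fa99f5c81e9e38b87671cc574f9281439",
}


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for one bank: PCR_new = H(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay_pcr(events, pcr_index: int) -> str:
    """Fold every logged digest for pcr_index into a PCR that starts all-zero."""
    pcr = bytes(32)
    for index, _etype, _data, digest in events:
        if index == pcr_index:
            pcr = extend(pcr, bytes.fromhex(digest))
    return pcr.hex()


def check_log_digests(events):
    """List (PCRIndex, EventType) of entries whose digest is not H(event data)."""
    return [(index, etype) for index, etype, data, digest in events
            if hashlib.sha256(data).hexdigest() != digest]


def compare_with_posted(events, posted):
    """Map each PCR index to (replayed value, replayed == posted)."""
    result = {}
    for index, value in posted.items():
        replayed = replay_pcr(events, index)
        result[index] = (replayed, replayed == value)
    return result


def separator_only_value() -> str:
    """Value of a SHA-256 PCR whose only extend was an EV_SEPARATOR."""
    return extend(bytes(32), hashlib.sha256(SEPARATOR_DATA).digest()).hex()


if __name__ == "__main__":
    print("log entries with a wrong digest:", check_log_digests(LOGGED_EVENTS))
    for index, (value, ok) in compare_with_posted(LOGGED_EVENTS, POSTED_PCRS).items():
        print(f"PCR{index}: {value} {'matches' if ok else 'differs from'} posted value")
    # PCR0, 2, 3 and 6 reproduce from the separator alone, which is why they are
    # identical and why a rebuilt coreboot.rom cannot change PCR0: nothing acting
    # as CRTM measured coreboot or the payload into it. PCR1 and PCR7 differ here
    # only because their variable events were not transcribed.
```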
* Re: Tianocore and TPM2 pcr values 2018-09-26 8:56 ` Yao, Jiewen @ 2018-09-26 9:06 ` Jorge Fernandez Monteagudo 2018-09-26 12:17 ` Yao, Jiewen 0 siblings, 1 reply; 18+ messages in thread From: Jorge Fernandez Monteagudo @ 2018-09-26 9:06 UTC (permalink / raw) To: Yao, Jiewen, Zhang, Chao B, edk2-devel@lists.01.org > You still cannot get the right PCR hardware value? Sorry, what do you mean? I think the only remaining thing is extending the tianocore payload from the coreboot once is loaded in order to detect changes in the payload but it's related to coreboot no edk2... ________________________________ De: Yao, Jiewen <jiewen.yao@intel.com> Enviado: miércoles, 26 de septiembre de 2018 10:56:05 Para: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org Asunto: RE: Tianocore and TPM2 pcr values OK. That means the PCR is extended successfully. You still cannot get the right PCR hardware value? > -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of > Jorge Fernandez Monteagudo > Sent: Wednesday, September 26, 2018 4:54 PM > To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B > <chao.b.zhang@intel.com>; edk2-devel@lists.01.org > Subject: Re: [edk2] Tianocore and TPM2 pcr values > > I've added the Tcg2GetEventLog at the end of OnReadyToBoot from > Tcg2Dxe.c and I can see: > > > TPM2 Tcg2Dxe Measure Data when ReadyToBoot > Tcg2GetEventLog ... 
(0x2) > Tcg2GetEventLog (EventLogLocation - 8F3D2000) > Tcg2GetEventLog (EventLogLastEntry - 8F3D27AE) > Tcg2GetEventLog (EventLogTruncated - 0) > Tcg2GetEventLog - Success > EventLogFormat: (0x2) > Event: > PCRIndex - 0 > EventType - 0x00000003 > Digest - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 00 > EventSize - 0x00000025 > 0000: > 53706563204944204576656E74303300000000000002000202000000040014 > 00 > 0020: 0B00200000 > TCG_EfiSpecIDEventStruct: > signature - 'Spec ID Event03 ' > platformClass - 0x00000000 > specVersion - 2.00 > uintnSize - 0x02 > NumberOfAlgorithms - 0x00000002 > digest(0) > algorithmId - 0x0004 > digestSize - 0x0014 > digest(1) > algorithmId - 0x000B > digestSize - 0x0020 > VendorInfoSize - 0x00 > VendorInfo - > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 2F 20 11 2A 3F 55 39 8B 20 8E 0C 42 68 13 89 B4 CB 5B 18 > 23 > HashAlgo : 0x000B > Digest(1): CE 9C E3 86 B5 2E 09 9F 30 19 E5 12 A0 D6 06 2D 6B 56 0E > FE 4F F3 E5 66 1C 75 25 E2 F9 C2 63 DF > > EventSize - 0x00000034 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C0A00000000000000000000000000 > 0000 > 0020: 53006500630075007200650042006F006F007400 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 9B 13 87 30 6E BB 7F F8 E7 95 E7 BE 77 56 36 66 BB F4 51 > 6E > HashAlgo : 0x000B > Digest(1): DE A7 B8 0A B5 3A 3D AA A2 4D 5C C4 6C 64 E1 FA 9F FD 03 > 73 9F 90 AA DB D8 C0 86 7C 4A 5B 48 90 > > EventSize - 0x00000024 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C02000000000000000000000000000 > 000 > 0020: 50004B00 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 9A FA 86 C5 07 41 9B 85 70 C6 21 67 CB 94 86 D9 FC 80 97 > 58 > HashAlgo : 0x000B > Digest(1): E6 70 E1 21 FC EB D4 73 B8 BC 41 BB 80 13 01 FC 1D 9A FA > 33 90 4F 06 F7 14 9B 74 F1 2C 47 A6 8F > > EventSize - 0x00000026 > 0000: > 
61DFE48BCA93D211AA0D00E098032B8C03000000000000000000000000000 > 000 > 0020: 4B0045004B00 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 5B F8 FA A0 78 D4 0F FB D0 33 17 C9 33 98 B0 12 29 A0 E1 > E0 > HashAlgo : 0x000B > Digest(1): BA F8 9A 3C CA CE 52 75 0C 5F 01 28 35 1E 04 22 A4 15 97 > A1 AD FD 50 82 2A A3 63 B9 D1 24 EA 7C > > EventSize - 0x00000024 > 0000: > CBB219D73A3D9645A3BCDAD00E67656F0200000000000000000000000000 > 0000 > 0020: 64006200 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 73 44 24 C9 FE 8F C7 17 16 C4 20 96 F4 B7 4C 88 73 3B 17 > 5E > HashAlgo : 0x000B > Digest(1): 9F 75 B6 82 3B FF 6A F1 02 4A 4E 20 36 71 9C DD 54 8D 3C > BC 2B F1 DE 8E 7E F4 D0 ED 01 F9 4B F9 > > EventSize - 0x00000026 > 0000: > CBB219D73A3D9645A3BCDAD00E67656F0300000000000000000000000000 > 0000 > 0020: 640062007800 > Event: > PCRIndex - 7 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 1B 24 F7 F4 BB 84 00 03 02 20 9D 12 98 D6 2F 57 79 A9 4F > 45 > HashAlgo : 0x000B > Digest(1): 90 C2 69 89 21 CA 9F D0 29 50 BE 35 3F 72 18 88 76 0E 33 > AB 50 95 A2 1E 50 F1 E4 36 0B 6D E1 A0 > > EventSize - 0x00000038 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C09000000000000000600000000000 > 000 > 0020: 42006F006F0074004F007200640065007200000001000200 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): E9 44 11 C7 28 F4 14 4F 9F 49 9D DE 4A BB F8 F0 48 3A BB > 66 > HashAlgo : 0x000B > Digest(1): 1F 7F 14 CE 8C 8E 85 5B 56 A0 FF 0D 87 FB 6E E6 
78 98 37 > 76 FA BE 83 C4 9F E5 1F 07 36 D3 0E 9C > > EventSize - 0x00000070 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C08000000000000004000000000000 > 000 > 0020: > 42006F006F0074003000300030003000010000001C00450046004900200055 > 00 > 0040: > 530042002000440065007600690063006500000002010C00D041030A00000 > 000 > 0060: 0101060000100305060001007FFF0400 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 2D 60 53 82 1E 28 AC 45 A6 64 84 57 06 57 48 7A C3 8B 9E > 3A > HashAlgo : 0x000B > Digest(1): A0 39 4A 61 B8 1E 84 4E 1C 13 6C 74 EC 15 56 0A CF 5C 69 > 0F 22 3E C3 22 1F F5 1E 18 3C 72 AF DA > > EventSize - 0x00000074 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C08000000000000004400000000000 > 000 > 0020: > 42006F006F0074003000300030003100010000002000450046004900200048 > 00 > 0040: > 610072006400200044007200690076006500000002010C00D041030A00000 > 000 > 0060: 01010600001103120A000100FFFF00007FFF0400 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): CF A3 CA 37 28 69 A8 3E 5A 0A 29 2D 94 D9 03 32 3D F7 1E > 86 > HashAlgo : 0x000B > Digest(1): C1 B5 4E 82 C6 8B 86 A7 ED 70 DF E9 CB AC A8 1E 99 C0 8A > 42 13 DD FD 13 7A 54 12 45 C8 33 13 22 > > EventSize - 0x00000079 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C08000000000000004900000000000 > 000 > 0020: > 42006F006F007400300030003000320001000000230045004600490020004D > 00 > 0040: > 6900730063002000440065007600690063006500000002010C00D041030A0 > 000 > 0060: 0000010106000714031D05000001050800000000007FFF0400 > Event: > PCRIndex - 4 > EventType - 0x80000007 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): CD 0F DB 45 31 A6 EC 41 BE 27 53 BA 04 26 37 D6 E5 F7 F2 > 56 > HashAlgo : 0x000B > Digest(1): 3D 67 72 B4 F8 4E D4 75 95 D7 2A 2C 4C 5F FD 15 F5 BB 72 > C7 50 7F E2 6F 2A AE E2 C6 9D 56 33 BA > > EventSize - 0x00000028 > 0000: > 43616C6C696E6720454649204170706C69636174696F6E2066726F6D20426F > 6F > 0020: 
74204F7074696F6E > Event: > PCRIndex - 0 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 1 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 2 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 3 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 4 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 5 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 
8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 6 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > FinalEventsTable: (0x8F408000) > Version: (0x1) > NumberOfEvents: (0x0) > PROGRESS CODE: V03051001 I0 > > > > > ________________________________ > De: Yao, Jiewen <jiewen.yao@intel.com> > Enviado: miércoles, 26 de septiembre de 2018 8:58:26 > Para: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org > Asunto: RE: Tianocore and TPM2 pcr values > > > That means the TPM2 device works well. > > > > We have code to dump the final event log at Tcg2GetEventLog(). > > // Dump Event Log for debug purpose > > if ((EventLogLocation != NULL) && (EventLogLastEntry != NULL)) { > > DumpEventLog (EventLogFormat, *EventLogLocation, > *EventLogLastEntry, mTcgDxeData.FinalEventsTable[Index]); > > } > > > > If your OS need consume the event log, I expect OS loader calls > Tcg2GetEventLog(). > > > > If you don't have such OS, then you can add Tcg2GetEventLog() call in the > end of OnReadyToBoot() - just for debug purpose to dump the event log. > > > > As such we can know how many events are extended. 
>
> Thank you
> Yao Jiewen
>
> From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
> Sent: Wednesday, September 26, 2018 2:48 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: Tianocore and TPM2 pcr values
>
> Yes, from the log I see:
>
> Loading driver at 0x0008F3F2000 EntryPoint=0x0008F3F2240 Tcg2Dxe.efi
> InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF 8F410C18
> ProtectUefiImageCommon - 0x8F4107C0
>   - 0x000000008F3F2000 - 0x000000000000D800
> PROGRESS CODE: V03040002 I0
> InterfaceId - 0xFFFFFFFF
> InterfaceType - 0x0F
> InterfaceCapability - 0x300000FF
> InterfaceVersion - 0x3
> StatusEx - 0xFF
> TpmFamily - 0x3
> PtpInterface - 0
> VID - 0x15D1
> DID - 0x001A
> RID - 0x10
> Tcg2.ProtocolVersion - 01.01
> Tcg2.StructureVersion - 01.01
> Tpm2GetCapabilityManufactureID - 00584649
> Tpm2GetCapabilityFirmwareVersion - 00050000 00044102
> Tpm2GetCapabilityMaxCommandResponseSize - 00000500, 00000500
> GetSupportedAndActivePcrs - Count = 00000002
> Tcg2.SupportedEventLogs - 0x00000003
> Tcg2.HashAlgorithmBitmap - 0x00000003
> Tcg2.NumberOfPCRBanks - 0x00000002
> Tcg2.ActivePcrBanks - 0x00000003
> ...
>
> ________________________________
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, September 26, 2018 8:44:54
> To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
> Subject: RE: Tianocore and TPM2 pcr values
>
> ProtectUefiImageCommon is not related.
>
> Below is the Tcg2Dxe entrypoint; I expect you can see some messages from there:
>
> ====================================
> DriverEntry()
>   if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) ||
>       CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){
>     DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"));
>     return EFI_UNSUPPORTED;
>   }
>
>   if (GetFirstGuidHob (&gTpmErrorHobGuid) != NULL) {
>     DEBUG ((EFI_D_ERROR, "TPM2 error!\n"));
>     return EFI_DEVICE_ERROR;
>   }
>
>   Status = Tpm2RequestUseTpm ();
>   if (EFI_ERROR (Status)) {
>     DEBUG ((EFI_D_ERROR, "TPM2 not detected!\n"));
>     return Status;
>   }
>
>   //
>   // Fill information
>   //
>   ASSERT (TCG_EVENT_LOG_AREA_COUNT_MAX == sizeof(mTcg2EventInfo)/sizeof(mTcg2EventInfo[0]));
>
>   mTcgDxeData.BsCap.Size = sizeof(EFI_TCG2_BOOT_SERVICE_CAPABILITY);
>   mTcgDxeData.BsCap.ProtocolVersion.Major = 1;
>   mTcgDxeData.BsCap.ProtocolVersion.Minor = 1;
>   mTcgDxeData.BsCap.StructureVersion.Major = 1;
>   mTcgDxeData.BsCap.StructureVersion.Minor = 1;
>
>   DEBUG ((EFI_D_INFO, "Tcg2.ProtocolVersion - %02x.%02x\n", mTcgDxeData.BsCap.ProtocolVersion.Major, mTcgDxeData.BsCap.ProtocolVersion.Minor));
>   DEBUG ((EFI_D_INFO, "Tcg2.StructureVersion - %02x.%02x\n", mTcgDxeData.BsCap.StructureVersion.Major, mTcgDxeData.BsCap.StructureVersion.Minor));
>
>   Status = Tpm2GetCapabilityManufactureID (&mTcgDxeData.BsCap.ManufacturerID);
>   if (EFI_ERROR (Status)) {
>     DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityManufactureID fail!\n"));
>   } else {
>     DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityManufactureID - %08x\n", mTcgDxeData.BsCap.ManufacturerID));
>   }
>
> From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
> Sent: Wednesday, September 26, 2018 2:40 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: Tianocore and TPM2 pcr values
>
> Hi Yao
>
> > Yes, it is always good to enable serial port debug. There are lots of debug messages in the Tcg2Dxe driver. We can know what is wrong.
>
> From the log I've been able to see that "measure" messages start once Tcg2Dxe.efi. From the beginning I can only see "ProtectUefiImageCommon" messages but I don't know if they are related.
>
> > In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is the CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend the coreboot image from flash, and who should extend the UEFI payload?
>
> I think nothing is implemented in coreboot because when TPM2 was not activated in edk2 PCR0-10 were all 0. It's only checking what device is available and sending the tpm2_startup command. I'll try to investigate the coreboot project to see if the tianocore payload could be extended before loading, because coreboot should be the CRTM.
>
> > Also, only a *3rd party* image will change PCR2 and PCR4. Do you have such a case in your platform?
>
> First notice. No, I don't have such a case in my platform.
>
> Thanks!
> Jorge
> ________________________________
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, September 26, 2018 8:11:58
> To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
> Subject: RE: Tianocore and TPM2 pcr values
>
> Hi Jorge
> Yes, it is always good to enable serial port debug. There are lots of debug messages in the Tcg2Dxe driver. We can know what is wrong.
>
> In a pure UEFI BIOS, the PEI driver extends to PCR0, and the DXE image measurement lib extends to PCR2, PCR4, PCR5. The DXE driver extends variables to PCR1/7, and exposes the TCG2 protocol to let the OS use it.
>
> In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is the CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend the coreboot image from flash, and who should extend the UEFI payload?
>
> Also, only a *3rd party* image will change PCR2 and PCR4. Do you have such a case in your platform?
>
> Anyway, there should still be something measured - boot variable (PCR1), secure boot variable (PCR7), GPT (5), action (4,5), separator (1~7), if you include the Tcg2Dxe driver.
>
> I am not clear if coreboot already extends something to the separator according to the TCG PFP spec. If that is the case, we probably need special handling in the DXE driver.
>
> I look forward to your serial debug message and design discussion.
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jorge Fernandez Monteagudo
> > Sent: Wednesday, September 26, 2018 1:46 PM
> > To: Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> > Subject: Re: [edk2] Tianocore and TPM2 pcr values
> >
> > Hi Chao!
> >
> > Maybe the traces I get from the debug build and
> >
> >   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x7
> >   gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800A044F
> >   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2F
> >
> > can help.
> >
> > ________________________________
> > From: edk2-devel <edk2-devel-bounces@lists.01.org> on behalf of Jorge Fernandez Monteagudo <jorgefm@cirsa.com>
> > Sent: Tuesday, September 25, 2018 16:09:31
> > To: Zhang, Chao B; edk2-devel@lists.01.org
> > Subject: Re: [edk2] Tianocore and TPM2 pcr values
> >
> > Hi Chao!
> >
> > PCR0 has not changed in any of the tests I've done! What info do you need?
> >
> > I'm using:
> >
> > coreboot: ae05d095b36ac835a6b1a221e6858065e5486888, master branch
> > tianocore: 07ecd98ac18d6792181856faca7d4bed1b587261, coreboot branch
> >
> > Attached are the changes I've done to tianocore to get TPM2 support and no console.
> > PCR0 is always 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> >
> > Thanks!
> > ________________________________
> > From: Zhang, Chao B <chao.b.zhang@intel.com>
> > Sent: Tuesday, September 25, 2018 15:41:45
> > To: Jorge Fernandez Monteagudo; edk2-devel@lists.01.org
> > Cc: You, Benjamin
> > Subject: RE: Tianocore and TPM2 pcr values
> >
> > Hi Jorge:
> > PCR 0 should change if you use a different coreboot payload + UEFI. So your case seems to be an issue. Can you provide more detailed info?
> >
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jorge Fernandez Monteagudo
> > Sent: Monday, September 24, 2018 5:57 PM
> > To: edk2-devel@lists.01.org
> > Subject: [edk2] Tianocore and TPM2 pcr values
> >
> > Hi all,
> >
> > This is my first message in this list. I'm using tianocore as a payload for Coreboot in order to boot a custom board I'm working on. Finally I've been able to enable the TPM2 support in coreboot and in tianocore but I have some questions regarding the values I'm seeing in the PCRs.
> >
> > I'm using the Tianocore master branch as selected by coreboot menuconfig and x64 architecture.
> > Once the system is running I can read the PCRs and, if I'm not wrong, PCRs 0 to 7 are handled by Tianocore/Coreboot. I've flashed a coreboot+tianocore in release mode and a coreboot+tianocore in debug mode and the PCRs are the same. Is it ok? I thought that any change in the coreboot.rom would make the PCR values change...
> >
> > pcr0: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> > pcr1: a3a3552caa68c6d9db64bf1ed4dca08080f99b59f1b26debc9abefa59ee8ca28
> > pcr2: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> > pcr3: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> > pcr4: 74a35102770e65ab94b35135a4bf54c411134ae8059e03df41060a33f573871f
> > pcr5: dfa65561584cb8604b1675c869f3341d0c99c642ce9d91353380361126235ad8
> > pcr6: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> > pcr7: b5710bf57d25623e4019027da116821fa99f5c81e9e38b87671cc574f9281439
> >
> > Another test I've done is using the Tianocore stable branch as selected by coreboot (STABLE_COMMIT_ID=315d9d08fd77db1024ccc5307823da8aaed85e2f) and I get the same values from release and build coreboot.roms, except that PCR1 has the same value as PCR0, 2, 3 and 6; it seems it's not used in this version.
> >
> > Is this the expected behavior?
> >
> > Thanks!
> > Jorge
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
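Yao's breakdown of which driver extends which PCR, together with the event log quoted above, explains Jorge's identical values for PCR0, 2, 3 and 6: each of those PCRs received exactly one EV_SEPARATOR (event type 0x00000004, data 0x00000000) and nothing else, and extending that separator digest into a zeroed SHA-256 PCR yields the 3d458cfe... value he reported, so nothing about the firmware image is being measured there. The Python below is an added example, not code from the thread or from EDK2: it parses the Tcg2Dxe DumpEventLog text as quoted in the mail (quote markers and wrapped hex lines included, sample events copied from the thread), checks that separator digests really are the hash of their event data, and replays the extends to reproduce the PCR values.

```python
import hashlib
import re

EV_NO_ACTION = 0x00000003   # header event: logged, but never extended into a PCR
ALG_SHA1, ALG_SHA256 = 0x0004, 0x000B
HASHES = {ALG_SHA1: hashlib.sha1, ALG_SHA256: hashlib.sha256}

# Constructed sample: three events copied from the DumpEventLog output quoted in the thread,
# kept with the mail client's ">" quoting and wrapped hex lines to exercise the parser.
SAMPLE_LOG = """\
> Event:
>   PCRIndex  - 0
>   EventType - 0x00000003
>   Digest - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00
> Event:
>   PCRIndex  - 7
>   EventType - 0x80000001
>   DigestCount: 0x00000002
>   HashAlgo : 0x000B
>   Digest(1): CE 9C E3 86 B5 2E 09 9F 30 19 E5 12 A0 D6 06 2D 6B 56 0E
> FE 4F F3 E5 66 1C 75 25 E2 F9 C2 63 DF
>   EventSize - 0x00000034
>   0000:
> 61DFE48BCA93D211AA0D00E098032B8C0A00000000000000000000000000
> 0000
>   0020: 53006500630075007200650042006F006F007400
> Event:
>   PCRIndex  - 0
>   EventType - 0x00000004
>   HashAlgo : 0x0004
>   Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4
> 73
>   HashAlgo : 0x000B
>   Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A
> DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19
>   EventSize - 0x00000004
>   0000: 00000000
"""

_FIELD = re.compile(r"^(PCRIndex|EventType|HashAlgo)\s*[-:]\s*(\S+)$")
_DIGEST = re.compile(r"^Digest(?:\(\d+\))?\s*[-:]\s*(.*)$")
_DATA = re.compile(r"^[0-9A-Fa-f]{4}:\s*(.*)$")
_HEX_RUN = re.compile(r"^(?:[0-9A-Fa-f]{2}\s*)+$")


def parse_events(text):
    """Parse DumpEventLog text into dicts: PCRIndex, EventType, digests{alg: bytes}, data."""
    events, cur, pending = [], None, None
    for raw in text.splitlines():
        line = re.sub(r"^(\s*>)+", "", raw).strip()      # drop mail quote markers
        if line == "Event:":
            cur = {"PCRIndex": None, "EventType": None, "HashAlgo": ALG_SHA1, "digests": {}, "data": b""}
            events.append(cur)
            pending = None
            continue
        if not line or cur is None:
            continue
        if pending is not None and _HEX_RUN.match(line):
            # Continuation of a digest or data line that the mail client wrapped.
            chunk = bytes.fromhex(line.replace(" ", ""))
            if pending == "data":
                cur["data"] += chunk
            else:
                cur["digests"][pending] += chunk
            continue
        pending = None
        if m := _FIELD.match(line):
            cur[m.group(1)] = int(m.group(2), 16 if m.group(2).startswith("0x") else 10)
        elif m := _DIGEST.match(line):
            cur["digests"][cur["HashAlgo"]] = bytes.fromhex(m.group(1).replace(" ", ""))
            pending = cur["HashAlgo"]
        elif m := _DATA.match(line):
            cur["data"] += bytes.fromhex(m.group(1).replace(" ", ""))
            pending = "data"
    return events


def separator_only_value(algo):
    """PCR value after exactly one EV_SEPARATOR of 0x00000000 extended into a zeroed PCR."""
    h = HASHES[algo]
    return h(bytes(h().digest_size) + h(bytes(4)).digest()).digest()


def digest_matches_data(event, algo):
    """True when the logged digest really is H(event data), as it must be for a separator."""
    return HASHES[algo](event["data"]).digest() == event["digests"].get(algo)


def replay(events, algo=ALG_SHA256, num_pcrs=8):
    """Simulate TPM2_PCR_Extend over the log: new = H(old || digest); EV_NO_ACTION is skipped."""
    h = HASHES[algo]
    pcrs = {i: bytes(h().digest_size) for i in range(num_pcrs)}
    for ev in events:
        if ev["EventType"] == EV_NO_ACTION or algo not in ev["digests"]:
            continue
        pcrs[ev["PCRIndex"]] = h(pcrs[ev["PCRIndex"]] + ev["digests"][algo]).digest()
    return pcrs


def separator_only_pcrs(pcrs, algo=ALG_SHA256):
    """PCRs whose replayed value shows that only the separator was ever extended."""
    return sorted(i for i, v in pcrs.items() if v == separator_only_value(algo))
```

Feeding the complete dump from the thread through `parse_events` and `replay` gives one value per bank to compare against `tpm2_pcrread` output; a PCR that matches `separator_only_value` has had nothing measured into it, which is the situation Yao describes for PCR0 when neither coreboot nor a PEI phase acts as the CRTM.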
* Re: Tianocore and TPM2 pcr values
  2018-09-26  9:06 ` Jorge Fernandez Monteagudo
@ 2018-09-26 12:17 ` Yao, Jiewen
  2018-09-27  6:11 ` Jorge Fernandez Monteagudo
  0 siblings, 1 reply; 18+ messages in thread
From: Yao, Jiewen @ 2018-09-26 12:17 UTC (permalink / raw)
To: Jorge Fernandez Monteagudo, Zhang, Chao B, edk2-devel@lists.01.org

OK. So no issue in the UEFI payload, right?

Thank you
Yao Jiewen

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Wednesday, September 26, 2018 5:06 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

> You still cannot get the right PCR hardware value?

Sorry, what do you mean? I think the only remaining thing is extending the tianocore payload from coreboot once it is loaded, in order to detect changes in the payload, but it's related to coreboot, not edk2...

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, September 26, 2018 10:56:05
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

OK. That means the PCR is extended successfully.
You still cannot get the right PCR hardware value?

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jorge Fernandez Monteagudo
> Sent: Wednesday, September 26, 2018 4:54 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Tianocore and TPM2 pcr values
>
> I've added the Tcg2GetEventLog at the end of OnReadyToBoot from Tcg2Dxe.c and I can see:
>
> TPM2 Tcg2Dxe Measure Data when ReadyToBoot
> Tcg2GetEventLog ...
(0x2) > Tcg2GetEventLog (EventLogLocation - 8F3D2000) > Tcg2GetEventLog (EventLogLastEntry - 8F3D27AE) > Tcg2GetEventLog (EventLogTruncated - 0) > Tcg2GetEventLog - Success > EventLogFormat: (0x2) > Event: > PCRIndex - 0 > EventType - 0x00000003 > Digest - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 00 > EventSize - 0x00000025 > 0000: > 53706563204944204576656E74303300000000000002000202000000040014 > 00 > 0020: 0B00200000 > TCG_EfiSpecIDEventStruct: > signature - 'Spec ID Event03 ' > platformClass - 0x00000000 > specVersion - 2.00 > uintnSize - 0x02 > NumberOfAlgorithms - 0x00000002 > digest(0) > algorithmId - 0x0004 > digestSize - 0x0014 > digest(1) > algorithmId - 0x000B > digestSize - 0x0020 > VendorInfoSize - 0x00 > VendorInfo - > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 2F 20 11 2A 3F 55 39 8B 20 8E 0C 42 68 13 89 B4 CB 5B 18 > 23 > HashAlgo : 0x000B > Digest(1): CE 9C E3 86 B5 2E 09 9F 30 19 E5 12 A0 D6 06 2D 6B 56 0E > FE 4F F3 E5 66 1C 75 25 E2 F9 C2 63 DF > > EventSize - 0x00000034 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C0A00000000000000000000000000 > 0000 > 0020: 53006500630075007200650042006F006F007400 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 9B 13 87 30 6E BB 7F F8 E7 95 E7 BE 77 56 36 66 BB F4 51 > 6E > HashAlgo : 0x000B > Digest(1): DE A7 B8 0A B5 3A 3D AA A2 4D 5C C4 6C 64 E1 FA 9F FD 03 > 73 9F 90 AA DB D8 C0 86 7C 4A 5B 48 90 > > EventSize - 0x00000024 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C02000000000000000000000000000 > 000 > 0020: 50004B00 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 9A FA 86 C5 07 41 9B 85 70 C6 21 67 CB 94 86 D9 FC 80 97 > 58 > HashAlgo : 0x000B > Digest(1): E6 70 E1 21 FC EB D4 73 B8 BC 41 BB 80 13 01 FC 1D 9A FA > 33 90 4F 06 F7 14 9B 74 F1 2C 47 A6 8F > > EventSize - 0x00000026 > 0000: > 
61DFE48BCA93D211AA0D00E098032B8C03000000000000000000000000000 > 000 > 0020: 4B0045004B00 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 5B F8 FA A0 78 D4 0F FB D0 33 17 C9 33 98 B0 12 29 A0 E1 > E0 > HashAlgo : 0x000B > Digest(1): BA F8 9A 3C CA CE 52 75 0C 5F 01 28 35 1E 04 22 A4 15 97 > A1 AD FD 50 82 2A A3 63 B9 D1 24 EA 7C > > EventSize - 0x00000024 > 0000: > CBB219D73A3D9645A3BCDAD00E67656F0200000000000000000000000000 > 0000 > 0020: 64006200 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 73 44 24 C9 FE 8F C7 17 16 C4 20 96 F4 B7 4C 88 73 3B 17 > 5E > HashAlgo : 0x000B > Digest(1): 9F 75 B6 82 3B FF 6A F1 02 4A 4E 20 36 71 9C DD 54 8D 3C > BC 2B F1 DE 8E 7E F4 D0 ED 01 F9 4B F9 > > EventSize - 0x00000026 > 0000: > CBB219D73A3D9645A3BCDAD00E67656F0300000000000000000000000000 > 0000 > 0020: 640062007800 > Event: > PCRIndex - 7 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 1B 24 F7 F4 BB 84 00 03 02 20 9D 12 98 D6 2F 57 79 A9 4F > 45 > HashAlgo : 0x000B > Digest(1): 90 C2 69 89 21 CA 9F D0 29 50 BE 35 3F 72 18 88 76 0E 33 > AB 50 95 A2 1E 50 F1 E4 36 0B 6D E1 A0 > > EventSize - 0x00000038 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C09000000000000000600000000000 > 000 > 0020: 42006F006F0074004F007200640065007200000001000200 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): E9 44 11 C7 28 F4 14 4F 9F 49 9D DE 4A BB F8 F0 48 3A BB > 66 > HashAlgo : 0x000B > Digest(1): 1F 7F 14 CE 8C 8E 85 5B 56 A0 FF 0D 87 FB 6E E6 
78 98 37 > 76 FA BE 83 C4 9F E5 1F 07 36 D3 0E 9C > > EventSize - 0x00000070 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C08000000000000004000000000000 > 000 > 0020: > 42006F006F0074003000300030003000010000001C00450046004900200055 > 00 > 0040: > 530042002000440065007600690063006500000002010C00D041030A00000 > 000 > 0060: 0101060000100305060001007FFF0400 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 2D 60 53 82 1E 28 AC 45 A6 64 84 57 06 57 48 7A C3 8B 9E > 3A > HashAlgo : 0x000B > Digest(1): A0 39 4A 61 B8 1E 84 4E 1C 13 6C 74 EC 15 56 0A CF 5C 69 > 0F 22 3E C3 22 1F F5 1E 18 3C 72 AF DA > > EventSize - 0x00000074 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C08000000000000004400000000000 > 000 > 0020: > 42006F006F0074003000300030003100010000002000450046004900200048 > 00 > 0040: > 610072006400200044007200690076006500000002010C00D041030A00000 > 000 > 0060: 01010600001103120A000100FFFF00007FFF0400 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): CF A3 CA 37 28 69 A8 3E 5A 0A 29 2D 94 D9 03 32 3D F7 1E > 86 > HashAlgo : 0x000B > Digest(1): C1 B5 4E 82 C6 8B 86 A7 ED 70 DF E9 CB AC A8 1E 99 C0 8A > 42 13 DD FD 13 7A 54 12 45 C8 33 13 22 > > EventSize - 0x00000079 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C08000000000000004900000000000 > 000 > 0020: > 42006F006F007400300030003000320001000000230045004600490020004D > 00 > 0040: > 6900730063002000440065007600690063006500000002010C00D041030A0 > 000 > 0060: 0000010106000714031D05000001050800000000007FFF0400 > Event: > PCRIndex - 4 > EventType - 0x80000007 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): CD 0F DB 45 31 A6 EC 41 BE 27 53 BA 04 26 37 D6 E5 F7 F2 > 56 > HashAlgo : 0x000B > Digest(1): 3D 67 72 B4 F8 4E D4 75 95 D7 2A 2C 4C 5F FD 15 F5 BB 72 > C7 50 7F E2 6F 2A AE E2 C6 9D 56 33 BA > > EventSize - 0x00000028 > 0000: > 43616C6C696E6720454649204170706C69636174696F6E2066726F6D20426F > 6F > 0020: 
74204F7074696F6E > Event: > PCRIndex - 0 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 1 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 2 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 3 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 4 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 5 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 
8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 6 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > FinalEventsTable: (0x8F408000) > Version: (0x1) > NumberOfEvents: (0x0) > PROGRESS CODE: V03051001 I0 > > > > > ________________________________ > De: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>> > Enviado: miércoles, 26 de septiembre de 2018 8:58:26 > Para: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org> > Asunto: RE: Tianocore and TPM2 pcr values > > > That means the TPM2 device works well. > > > > We have code to dump the final event log at Tcg2GetEventLog(). > > // Dump Event Log for debug purpose > > if ((EventLogLocation != NULL) && (EventLogLastEntry != NULL)) { > > DumpEventLog (EventLogFormat, *EventLogLocation, > *EventLogLastEntry, mTcgDxeData.FinalEventsTable[Index]); > > } > > > > If your OS need consume the event log, I expect OS loader calls > Tcg2GetEventLog(). > > > > If you don't have such OS, then you can add Tcg2GetEventLog() call in the > end of OnReadyToBoot() - just for debug purpose to dump the event log. > > > > As such we can know how many events are extended. 
* Re: Tianocore and TPM2 pcr values
  2018-09-26 12:17 ` Yao, Jiewen
@ 2018-09-27  6:11 ` Jorge Fernandez Monteagudo
  2018-09-27  6:22 ` Yao, Jiewen
  0 siblings, 1 reply; 18+ messages in thread
From: Jorge Fernandez Monteagudo @ 2018-09-27  6:11 UTC (permalink / raw)
To: Yao, Jiewen, Zhang, Chao B, edk2-devel@lists.01.org

Hi, the only remaining issue is this dmesg TPM error trace I get when booting with the UEFI payload but not present when SeaBIOS is used:

[ 0.390995] tpm_tis 00:02: 2.0 TPM (device-id 0x1A, rev-id 16)
[ 0.399957] tpm tpm0: A TPM error (2314) occurred attempting the self test

but I don't know yet what the reason is... I'm using linux 4.17.1

Regards
Jorge

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, 26 September 2018 14:17:12
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

OK. So no issue in UEFI payload, right?

Thank you
Yao Jiewen
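The Tcg2GetEventLog dump Jorge posted earlier in the thread is exactly what a verifier replays to decide whether the PCR values read back from the TPM are the expected ones (EV_SEPARATOR into PCRs 0-6 with the digests of four zero bytes, EV_EFI_ACTION into PCR 4, boot and Secure Boot variables into PCRs 1 and 7). The Python below is an added example, not edk2 or coreboot code: it builds a constructed TCG_PCR_EVENT2 log in the shape of that dump, parses it, and replays the SHA-256 bank; the only value taken from the thread is the PCR0 Jorge reported, used as the reference to compare against.

```python
"""Parse a TCG2 event log (log format 0x2, TCG_PCR_EVENT2 entries) and replay
it into simulated PCRs with the extend rule PCR_new = H(PCR_old || digest).

Added example, not edk2 or coreboot code.  The sample log is constructed in
the shape of the ReadyToBoot dump from this thread: Spec ID Event03 header,
one EV_EFI_ACTION into PCR 4 and one EV_SEPARATOR into PCRs 0-6.
"""
import hashlib
import struct

EV_SEPARATOR = 0x00000004
EV_EFI_ACTION = 0x80000007
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
DIGEST_SIZE = {TPM_ALG_SHA1: 20, TPM_ALG_SHA256: 32}
HASHER = {TPM_ALG_SHA1: hashlib.sha1, TPM_ALG_SHA256: hashlib.sha256}
SPEC_ID_SIGNATURE = b"Spec ID Event03\0"

# SHA-256 bank PCR0 reported in the thread (only a separator was recorded for it).
REPORTED_PCR0 = bytes.fromhex(
    "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969")


def build_spec_id_event(algs):
    """Spec ID event: SHA-1 style TCG_PCR_EVENT wrapper, EventType 0x3."""
    body = SPEC_ID_SIGNATURE
    body += struct.pack("<IBBBB", 0, 0, 2, 0, 2)   # platformClass, spec 2.0 errata 0, uintnSize 2
    body += struct.pack("<I", len(algs))
    for alg in algs:
        body += struct.pack("<HH", alg, DIGEST_SIZE[alg])
    body += b"\x00"                                 # vendorInfoSize
    return struct.pack("<II", 0, 0x3) + bytes(20) + struct.pack("<I", len(body)) + body


def build_event2(pcr, ev_type, data, algs):
    """One TCG_PCR_EVENT2 carrying a digest of `data` for every active bank
    (the PFP rule for EV_SEPARATOR and EV_EFI_ACTION: hash the event data)."""
    out = struct.pack("<III", pcr, ev_type, len(algs))
    for alg in algs:
        out += struct.pack("<H", alg) + HASHER[alg](data).digest()
    return out + struct.pack("<I", len(data)) + data


def parse_log(blob):
    """Return [(pcr, event_type, {alg: digest}, data), ...] after the header."""
    _, ev_type = struct.unpack_from("<II", blob, 0)
    if ev_type != 0x3:
        raise ValueError("log does not start with a Spec ID event")
    size, = struct.unpack_from("<I", blob, 28)
    spec = blob[32:32 + size]
    if not spec.startswith(SPEC_ID_SIGNATURE):
        raise ValueError("unexpected Spec ID signature")
    n_algs, = struct.unpack_from("<I", spec, 24)
    # digest sizes per algorithm are declared in the header, not in each event
    sizes = dict(struct.unpack_from("<HH", spec, 28 + 4 * i) for i in range(n_algs))
    off, events = 32 + size, []
    while off < len(blob):
        pcr, ev_type, count = struct.unpack_from("<III", blob, off)
        off += 12
        digests = {}
        for _ in range(count):
            alg, = struct.unpack_from("<H", blob, off)
            off += 2
            digests[alg] = blob[off:off + sizes[alg]]
            off += sizes[alg]
        ev_size, = struct.unpack_from("<I", blob, off)
        off += 4
        events.append((pcr, ev_type, digests, blob[off:off + ev_size]))
        off += ev_size
    return events


def replay(events, alg=TPM_ALG_SHA256, num_pcrs=24):
    """Extend one bank's digests into zero-initialised PCRs, in log order."""
    pcrs = [bytes(DIGEST_SIZE[alg])] * num_pcrs
    for pcr, _ev_type, digests, _data in events:
        if alg in digests:
            pcrs[pcr] = HASHER[alg](pcrs[pcr] + digests[alg]).digest()
    return pcrs


def sample_log():
    """Constructed log with the event shape of the thread's dump."""
    algs = [TPM_ALG_SHA1, TPM_ALG_SHA256]
    blob = build_spec_id_event(algs)
    blob += build_event2(4, EV_EFI_ACTION, b"Calling EFI Application from Boot Option", algs)
    for pcr in range(7):
        blob += build_event2(pcr, EV_SEPARATOR, b"\x00\x00\x00\x00", algs)
    return blob


def pcr0_matches_reported(blob=None):
    """True when the replayed SHA-256 PCR0 equals the value Jorge read back."""
    return replay(parse_log(blob or sample_log()))[0] == REPORTED_PCR0


if __name__ == "__main__":
    for i, value in enumerate(replay(parse_log(sample_log()))[:8]):
        print(f"pcr{i}: {value.hex()}")
    print("PCR0 matches reported value:", pcr0_matches_reported())
```

A replay of the ReadyToBoot dump will not reproduce PCR5 as the OS sees it, because Tcg2Dxe records the ExitBootServices action events into PCR5 after that point; the log the OS loader obtains via Tcg2GetEventLog at the end of boot is the one to replay.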
* Re: Tianocore and TPM2 pcr values
  2018-09-27  6:11 ` Jorge Fernandez Monteagudo
@ 2018-09-27  6:22 ` Yao, Jiewen
  2018-09-27  6:36 ` Jorge Fernandez Monteagudo
  0 siblings, 1 reply; 18+ messages in thread
From: Yao, Jiewen @ 2018-09-27  6:22 UTC (permalink / raw)
To: Jorge Fernandez Monteagudo, Zhang, Chao B, edk2-devel@lists.01.org

May I know who does the self test? coreboot? or SeaBIOS?

Thank you
Yao Jiewen

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Thursday, September 27, 2018 2:12 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

Hi, the only remaining issue is this dmesg TPM error trace I get when booting with the UEFI payload but not present when SeaBIOS is used:

[ 0.390995] tpm_tis 00:02: 2.0 TPM (device-id 0x1A, rev-id 16)
[ 0.399957] tpm tpm0: A TPM error (2314) occurred attempting the self test
0x00000004 > 0000: 00000000 > Event: > PCRIndex - 3 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 4 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 5 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 6 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > FinalEventsTable: (0x8F408000) > Version: (0x1) > NumberOfEvents: (0x0) > PROGRESS CODE: V03051001 I0 > > > > > ________________________________ > De: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>> > Enviado: miércoles, 26 de septiembre de 2018 8:58:26 > Para: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org> > Asunto: RE: Tianocore and TPM2 pcr values > > > That means the TPM2 device works well. > > > > We have code to dump the final event log at Tcg2GetEventLog(). 
>   // Dump Event Log for debug purpose
>   if ((EventLogLocation != NULL) && (EventLogLastEntry != NULL)) {
>     DumpEventLog (EventLogFormat, *EventLogLocation, *EventLogLastEntry, mTcgDxeData.FinalEventsTable[Index]);
>   }
>
> If your OS needs to consume the event log, I expect the OS loader calls Tcg2GetEventLog().
>
> If you don't have such an OS, then you can add a Tcg2GetEventLog() call at the end of OnReadyToBoot() - just for debug purposes to dump the event log.
>
> As such we can know how many events are extended.
>
> Thank you
> Yao Jiewen
>
> From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
> Sent: Wednesday, September 26, 2018 2:48 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: Tianocore and TPM2 pcr values
>
> Yes, from the log I see:
>
> Loading driver at 0x0008F3F2000 EntryPoint=0x0008F3F2240 Tcg2Dxe.efi
> InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF 8F410C18
> ProtectUefiImageCommon - 0x8F4107C0
>   - 0x000000008F3F2000 - 0x000000000000D800
> PROGRESS CODE: V03040002 I0
> InterfaceId - 0xFFFFFFFF
> InterfaceType - 0x0F
> InterfaceCapability - 0x300000FF
> InterfaceVersion - 0x3
> StatusEx - 0xFF
> TpmFamily - 0x3
> PtpInterface - 0
> VID - 0x15D1
> DID - 0x001A
> RID - 0x10
> Tcg2.ProtocolVersion - 01.01
> Tcg2.StructureVersion - 01.01
> Tpm2GetCapabilityManufactureID - 00584649
> Tpm2GetCapabilityFirmwareVersion - 00050000 00044102
> Tpm2GetCapabilityMaxCommandResponseSize - 00000500, 00000500
> GetSupportedAndActivePcrs - Count = 00000002
> Tcg2.SupportedEventLogs - 0x00000003
> Tcg2.HashAlgorithmBitmap - 0x00000003
> Tcg2.NumberOfPCRBanks - 0x00000002
> Tcg2.ActivePcrBanks - 0x00000003
> ...
>
> ________________________________
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, 26 September 2018 8:44:54
> To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
> Subject: RE: Tianocore and TPM2 pcr values
>
> ProtectUefiImageCommon is not related.
>
> Below code is the Tcg2Dxe entrypoint, I expect you can see some message there:
>
> ====================================
> DriverEntry()
>   if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) ||
>       CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){
>     DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"));
>     return EFI_UNSUPPORTED;
>   }
>
>   if (GetFirstGuidHob (&gTpmErrorHobGuid) != NULL) {
>     DEBUG ((EFI_D_ERROR, "TPM2 error!\n"));
>     return EFI_DEVICE_ERROR;
>   }
>
>   Status = Tpm2RequestUseTpm ();
>   if (EFI_ERROR (Status)) {
>     DEBUG ((EFI_D_ERROR, "TPM2 not detected!\n"));
>     return Status;
>   }
>
>   //
>   // Fill information
>   //
>   ASSERT (TCG_EVENT_LOG_AREA_COUNT_MAX == sizeof(mTcg2EventInfo)/sizeof(mTcg2EventInfo[0]));
>
>   mTcgDxeData.BsCap.Size = sizeof(EFI_TCG2_BOOT_SERVICE_CAPABILITY);
>   mTcgDxeData.BsCap.ProtocolVersion.Major = 1;
>   mTcgDxeData.BsCap.ProtocolVersion.Minor = 1;
>   mTcgDxeData.BsCap.StructureVersion.Major = 1;
>   mTcgDxeData.BsCap.StructureVersion.Minor = 1;
>
>   DEBUG ((EFI_D_INFO, "Tcg2.ProtocolVersion - %02x.%02x\n", mTcgDxeData.BsCap.ProtocolVersion.Major, mTcgDxeData.BsCap.ProtocolVersion.Minor));
>   DEBUG ((EFI_D_INFO, "Tcg2.StructureVersion - %02x.%02x\n", mTcgDxeData.BsCap.StructureVersion.Major, mTcgDxeData.BsCap.StructureVersion.Minor));
>
>   Status = Tpm2GetCapabilityManufactureID (&mTcgDxeData.BsCap.ManufacturerID);
>   if (EFI_ERROR (Status)) {
>     DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityManufactureID fail!\n"));
>   } else {
>     DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityManufactureID - %08x\n", mTcgDxeData.BsCap.ManufacturerID));
>   }
>
> From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
> Sent: Wednesday, September 26, 2018 2:40 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: Tianocore and TPM2 pcr values
>
> Hi Yao
>
> > Yes, it is always good to enable serial port debug. There are lots of debug message in Tcg2Dxe driver. We can know what is wrong.
>
> From the log I've been able to see that "measure" messages start once Tcg2Dxe.efi is loaded. From the beginning I can only see "ProtectUefiImageCommon" messages but I don't know if they are related.
>
> > In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend coreboot image from flash, and who should extend UEFI payload?
>
> I think nothing is implemented in coreboot because when TPM2 was not activated in edk2 PCR0-10 were all 0. It's only checking what device is available and sending the tpm2_startup command. I'll try to investigate the coreboot project to see if the tianocore payload could be extended before loading because coreboot should be the CRTM.
>
> > Also, only *3rd part* image will change PCR2 and PCR4. Do you have such case in your platform?
>
> First notice. No, I don't have such a case in my platform.
>
> Thanks!
> Jorge
>
> ________________________________
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, 26 September 2018 8:11:58
> To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
> Subject: RE: Tianocore and TPM2 pcr values
>
> Hi Jorge
> Yes, it is always good to enable serial port debug. There are lots of debug messages in the Tcg2Dxe driver. We can know what is wrong.
>
> In a pure UEFI BIOS, the PEI driver extends to PCR0, and the DXE image measurement lib extends to PCR2, PCR4, PCR5. The DXE driver extends variables to PCR1/7, and exposes the TCG2 protocol to let the OS use it.
>
> In your patch, since we are using UEFI as payload, and there is no PEI, I am not clear which driver you expect will extend something to PCR0. Do you think coreboot is the CRTM? Or the UEFI payload is the CRTM? Who should be responsible to extend the coreboot image from flash, and who should extend the UEFI payload?
>
> Also, only *3rd party* images will change PCR2 and PCR4. Do you have such a case in your platform?
>
> Anyway, there should still be something measured - boot variable (PCR1), secure boot variable (PCR7), GPT (5), action (4,5), separator (1~7), if you include the Tcg2Dxe driver.
>
> I am not clear if coreboot already extends something to the separator according to the TCG PFP spec. If that is the case, we probably need special handling in the DXE driver.
>
> I look forward to your serial debug message and design discussion.
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jorge Fernandez Monteagudo
> > Sent: Wednesday, September 26, 2018 1:46 PM
> > To: Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> > Subject: Re: [edk2] Tianocore and TPM2 pcr values
> >
> > Hi Chao!
> >
> > Maybe the traces I get from the debug build and
> >
> >   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x7
> >   gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800A044F
> >   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2F
> >
> > can help.
> >
> > ________________________________
> > From: edk2-devel <edk2-devel-bounces@lists.01.org> on behalf of Jorge Fernandez Monteagudo <jorgefm@cirsa.com>
> > Sent: Tuesday, 25 September 2018 16:09:31
> > To: Zhang, Chao B; edk2-devel@lists.01.org
> > Subject: Re: [edk2] Tianocore and TPM2 pcr values
> >
> > Hi Chao!
> >
> > PCR0 has not changed in any of the tests I've done! What info do you need?
> >
> > I'm using:
> >
> >   coreboot: ae05d095b36ac835a6b1a221e6858065e5486888, master branch
> >   tianocore: 07ecd98ac18d6792181856faca7d4bed1b587261, coreboot branch
> >
> > Attached are the changes I've done to tianocore to get TPM2 support and no console.
> > PCR0 is always 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> >
> > Thanks!
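The event log dumped above and Yao's description of what Tcg2Dxe measures into each PCR can be checked with a small replay: parse the TCG2 crypto-agile log, recompute each PCR bank by extending the logged digests, and report the PCRs that received nothing but the EV_SEPARATOR. This is an added example, not edk2 or thread code; the log bytes are constructed here from the event layout in the dump (the Spec ID header bytes are the ones shown there, the event order is simplified).

```python
import hashlib
import struct

# Event types and digest algorithms as they appear in the posted dump.
EV_NO_ACTION = 0x00000003
EV_SEPARATOR = 0x00000004
EV_EFI_VARIABLE_DRIVER_CONFIG = 0x80000001
EV_EFI_VARIABLE_BOOT = 0x80000002
EV_EFI_ACTION = 0x80000007
TPM_ALG_SHA1, TPM_ALG_SHA256 = 0x0004, 0x000B
ALG_NAMES = {TPM_ALG_SHA1: "sha1", TPM_ALG_SHA256: "sha256"}
# Event types whose digest is the hash of the event data itself.
HASHED_EVENT_DATA = {EV_SEPARATOR, EV_EFI_ACTION,
                     EV_EFI_VARIABLE_DRIVER_CONFIG, EV_EFI_VARIABLE_BOOT}

# TCG_EfiSpecIDEvent bytes from the dump: 'Spec ID Event03', platformClass 0,
# spec 2.0 errata 0, uintnSize 2, two algorithms (SHA1/20, SHA256/32), no vendor info.
SPEC_ID_EVENT = bytes.fromhex(
    "53706563204944204576656E74303300" "00000000" "00020002"
    "02000000" "04001400" "0B002000" "00")


def build_event2(pcr, etype, data):
    """Serialize one TCG_PCR_EVENT2 carrying a SHA1 and a SHA256 digest of data."""
    out = struct.pack("<III", pcr, etype, 2)
    for alg in (TPM_ALG_SHA1, TPM_ALG_SHA256):
        out += struct.pack("<H", alg) + hashlib.new(ALG_NAMES[alg], data).digest()
    return out + struct.pack("<I", len(data)) + data


def build_log():
    """Constructed log with the shape of the posted one: the SHA1-format header
    event, one EV_EFI_ACTION on PCR4, then the EV_SEPARATOR on PCR0..7 that
    Tcg2Dxe extends at ReadyToBoot. Nothing else is measured into PCR0/2/3/6."""
    header = struct.pack("<II20sI", 0, EV_NO_ACTION, bytes(20), len(SPEC_ID_EVENT))
    body = build_event2(4, EV_EFI_ACTION, b"Calling EFI Application from Boot Option")
    for pcr in range(8):
        body += build_event2(pcr, EV_SEPARATOR, b"\x00\x00\x00\x00")
    return header + SPEC_ID_EVENT + body


def parse_log(blob):
    """Parse the TCG_PCR_EVENT header and the TCG_PCR_EVENT2 records after it.
    Returns (digest size per algorithm, [(pcr, type, {alg: digest}, data), ...])."""
    _pcr, etype, esize = struct.unpack_from("<II20xI", blob, 0)
    spec = blob[32:32 + esize]
    if etype != EV_NO_ACTION or spec[:16] != b"Spec ID Event03\x00":
        raise ValueError("log does not start with a TCG_EfiSpecIDEvent")
    nalgs = struct.unpack_from("<I", spec, 24)[0]
    sizes = dict(struct.unpack_from("<HH", spec, 28 + 4 * i) for i in range(nalgs))
    off, events = 32 + esize, []
    while off < len(blob):
        pcr, etype, count = struct.unpack_from("<III", blob, off)
        off += 12
        digests = {}
        for _ in range(count):
            alg = struct.unpack_from("<H", blob, off)[0]
            off += 2
            digests[alg] = blob[off:off + sizes[alg]]
            off += sizes[alg]
        esize = struct.unpack_from("<I", blob, off)[0]
        off += 4
        events.append((pcr, etype, digests, blob[off:off + esize]))
        off += esize
    return sizes, events


def replay(sizes, events):
    """Recompute every PCR per bank from a zeroed start: PCR = H(PCR || digest)."""
    pcrs = {alg: {} for alg in sizes}
    for pcr, _etype, digests, _data in events:
        for alg, digest in digests.items():
            old = pcrs[alg].get(pcr, bytes(sizes[alg]))
            pcrs[alg][pcr] = hashlib.new(ALG_NAMES[alg], old + digest).digest()
    return pcrs


def verify_digests(events):
    """For event types whose data is what was hashed, recompute the digest and
    return the (index, pcr, alg) triples that do not match the log."""
    bad = []
    for idx, (pcr, etype, digests, data) in enumerate(events):
        if etype in HASHED_EVENT_DATA:
            for alg, digest in digests.items():
                if hashlib.new(ALG_NAMES[alg], data).digest() != digest:
                    bad.append((idx, pcr, alg))
    return bad


def separator_only_pcrs(events):
    """PCRs whose only event is the separator: nothing was measured into them,
    which is what makes PCR0, 2, 3 and 6 identical in the posted values."""
    seen = {}
    for pcr, etype, _digests, _data in events:
        seen.setdefault(pcr, set()).add(etype)
    return sorted(p for p, types in seen.items() if types == {EV_SEPARATOR})


if __name__ == "__main__":
    sizes, events = parse_log(build_log())
    print("digest mismatches:", verify_digests(events))
    print("separator-only PCRs:", separator_only_pcrs(events))
    for pcr, value in sorted(replay(sizes, events)[TPM_ALG_SHA256].items()):
        print(f"PCR{pcr}: {value.hex()}")
```

Run against a real log from Tcg2GetEventLog() the same replay gives the values to compare with the PCR read-out, and a PCR that appears in `separator_only_pcrs` is one that no component measured anything into before ReadyToBoot.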
* Re: Tianocore and TPM2 pcr values
  2018-09-27  6:22 ` Yao, Jiewen
@ 2018-09-27  6:36 ` Jorge Fernandez Monteagudo
  2018-09-27  6:52 ` Jorge Fernandez Monteagudo
  0 siblings, 1 reply; 18+ messages in thread
From: Jorge Fernandez Monteagudo @ 2018-09-27  6:36 UTC (permalink / raw)
To: Yao, Jiewen, Zhang, Chao B, edk2-devel@lists.01.org

The selftest is done by the kernel but I suspect it expects something to be done before the selftest but I'm not sure what... The coreboot code is the same for the tests I've done with SeaBIOS and Tianocore.

From the kernel code:

    /**
     * tpm2_do_selftest() - ensure that all self tests have passed
     *
     * @chip: TPM chip to use
     *
     * Return: Same as with tpm_transmit_cmd.
     *
     * The TPM can either run all self tests synchronously and then return
     * RC_SUCCESS once all tests were successful. Or it can choose to run the tests
     * asynchronously and return RC_TESTING immediately while the self tests still
     * execute in the background. This function handles both cases and waits until
     * all tests have completed.
     */
    static int tpm2_do_selftest(struct tpm_chip *chip)
    {
        struct tpm_buf buf;
        int full;
        int rc;

        for (full = 0; full < 2; full++) {
            rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_SELF_TEST);
            if (rc)
                return rc;

            tpm_buf_append_u8(&buf, full);
            rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0,
                                  "attempting the self test");
            tpm_buf_destroy(&buf);

            if (rc == TPM2_RC_TESTING)
                rc = TPM2_RC_SUCCESS;
            if (rc == TPM2_RC_INITIALIZE || rc == TPM2_RC_SUCCESS)
                return rc;
        }

        return rc;
    }

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Thursday, 27 September 2018 8:22:56
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

May I know who does the self test? coreboot ? or SeaBIOS?

Thank you
Yao Jiewen

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Thursday, September 27, 2018 2:12 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

Hi, the only remaining issue is this dmesg TPM error trace I get when booting with the UEFI payload but not present when SeaBIOS is used:

[    0.390995] tpm_tis 00:02: 2.0 TPM (device-id 0x1A, rev-id 16)
[    0.399957] tpm tpm0: A TPM error (2314) occurred attempting the self test

but I don't know yet what the reason is... I'm using linux 4.17.1

Regards
Jorge

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, 26 September 2018 14:17:12
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

OK. So no issue in UEFI payload, right?

Thank you
Yao Jiewen

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Wednesday, September 26, 2018 5:06 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

> You still cannot get the right PCR hardware value?

Sorry, what do you mean? I think the only remaining thing is extending the tianocore payload from coreboot once it is loaded in order to detect changes in the payload but it's related to coreboot, not edk2...

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, 26 September 2018 10:56:05
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

OK. That means the PCR is extended successfully. You still cannot get the right PCR hardware value?
> -----Original Message----- > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of > Jorge Fernandez Monteagudo > Sent: Wednesday, September 26, 2018 4:54 PM > To: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>; Zhang, Chao B > <chao.b.zhang@intel.com<mailto:chao.b.zhang@intel.com>>; edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org> > Subject: Re: [edk2] Tianocore and TPM2 pcr values > > I've added the Tcg2GetEventLog at the end of OnReadyToBoot from > Tcg2Dxe.c and I can see: > > > TPM2 Tcg2Dxe Measure Data when ReadyToBoot > Tcg2GetEventLog ... (0x2) > Tcg2GetEventLog (EventLogLocation - 8F3D2000) > Tcg2GetEventLog (EventLogLastEntry - 8F3D27AE) > Tcg2GetEventLog (EventLogTruncated - 0) > Tcg2GetEventLog - Success > EventLogFormat: (0x2) > Event: > PCRIndex - 0 > EventType - 0x00000003 > Digest - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 00 > EventSize - 0x00000025 > 0000: > 53706563204944204576656E74303300000000000002000202000000040014 > 00 > 0020: 0B00200000 > TCG_EfiSpecIDEventStruct: > signature - 'Spec ID Event03 ' > platformClass - 0x00000000 > specVersion - 2.00 > uintnSize - 0x02 > NumberOfAlgorithms - 0x00000002 > digest(0) > algorithmId - 0x0004 > digestSize - 0x0014 > digest(1) > algorithmId - 0x000B > digestSize - 0x0020 > VendorInfoSize - 0x00 > VendorInfo - > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 2F 20 11 2A 3F 55 39 8B 20 8E 0C 42 68 13 89 B4 CB 5B 18 > 23 > HashAlgo : 0x000B > Digest(1): CE 9C E3 86 B5 2E 09 9F 30 19 E5 12 A0 D6 06 2D 6B 56 0E > FE 4F F3 E5 66 1C 75 25 E2 F9 C2 63 DF > > EventSize - 0x00000034 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C0A00000000000000000000000000 > 0000 > 0020: 53006500630075007200650042006F006F007400 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 9B 13 87 30 6E BB 7F F8 E7 95 E7 BE 77 56 36 66 BB F4 51 > 6E > HashAlgo : 0x000B > 
Digest(1): DE A7 B8 0A B5 3A 3D AA A2 4D 5C C4 6C 64 E1 FA 9F FD 03 > 73 9F 90 AA DB D8 C0 86 7C 4A 5B 48 90 > > EventSize - 0x00000024 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C02000000000000000000000000000 > 000 > 0020: 50004B00 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 9A FA 86 C5 07 41 9B 85 70 C6 21 67 CB 94 86 D9 FC 80 97 > 58 > HashAlgo : 0x000B > Digest(1): E6 70 E1 21 FC EB D4 73 B8 BC 41 BB 80 13 01 FC 1D 9A FA > 33 90 4F 06 F7 14 9B 74 F1 2C 47 A6 8F > > EventSize - 0x00000026 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C03000000000000000000000000000 > 000 > 0020: 4B0045004B00 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 5B F8 FA A0 78 D4 0F FB D0 33 17 C9 33 98 B0 12 29 A0 E1 > E0 > HashAlgo : 0x000B > Digest(1): BA F8 9A 3C CA CE 52 75 0C 5F 01 28 35 1E 04 22 A4 15 97 > A1 AD FD 50 82 2A A3 63 B9 D1 24 EA 7C > > EventSize - 0x00000024 > 0000: > CBB219D73A3D9645A3BCDAD00E67656F0200000000000000000000000000 > 0000 > 0020: 64006200 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 73 44 24 C9 FE 8F C7 17 16 C4 20 96 F4 B7 4C 88 73 3B 17 > 5E > HashAlgo : 0x000B > Digest(1): 9F 75 B6 82 3B FF 6A F1 02 4A 4E 20 36 71 9C DD 54 8D 3C > BC 2B F1 DE 8E 7E F4 D0 ED 01 F9 4B F9 > > EventSize - 0x00000026 > 0000: > CBB219D73A3D9645A3BCDAD00E67656F0300000000000000000000000000 > 0000 > 0020: 640062007800 > Event: > PCRIndex - 7 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 1B 24 F7 F4 BB 84 00 03 02 20 9D 12 98 
D6 2F 57 79 A9 4F > 45 > HashAlgo : 0x000B > Digest(1): 90 C2 69 89 21 CA 9F D0 29 50 BE 35 3F 72 18 88 76 0E 33 > AB 50 95 A2 1E 50 F1 E4 36 0B 6D E1 A0 > > EventSize - 0x00000038 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C09000000000000000600000000000 > 000 > 0020: 42006F006F0074004F007200640065007200000001000200 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): E9 44 11 C7 28 F4 14 4F 9F 49 9D DE 4A BB F8 F0 48 3A BB > 66 > HashAlgo : 0x000B > Digest(1): 1F 7F 14 CE 8C 8E 85 5B 56 A0 FF 0D 87 FB 6E E6 78 98 37 > 76 FA BE 83 C4 9F E5 1F 07 36 D3 0E 9C > > EventSize - 0x00000070 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C08000000000000004000000000000 > 000 > 0020: > 42006F006F0074003000300030003000010000001C00450046004900200055 > 00 > 0040: > 530042002000440065007600690063006500000002010C00D041030A00000 > 000 > 0060: 0101060000100305060001007FFF0400 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 2D 60 53 82 1E 28 AC 45 A6 64 84 57 06 57 48 7A C3 8B 9E > 3A > HashAlgo : 0x000B > Digest(1): A0 39 4A 61 B8 1E 84 4E 1C 13 6C 74 EC 15 56 0A CF 5C 69 > 0F 22 3E C3 22 1F F5 1E 18 3C 72 AF DA > > EventSize - 0x00000074 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C08000000000000004400000000000 > 000 > 0020: > 42006F006F0074003000300030003100010000002000450046004900200048 > 00 > 0040: > 610072006400200044007200690076006500000002010C00D041030A00000 > 000 > 0060: 01010600001103120A000100FFFF00007FFF0400 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): CF A3 CA 37 28 69 A8 3E 5A 0A 29 2D 94 D9 03 32 3D F7 1E > 86 > HashAlgo : 0x000B > Digest(1): C1 B5 4E 82 C6 8B 86 A7 ED 70 DF E9 CB AC A8 1E 99 C0 8A > 42 13 DD FD 13 7A 54 12 45 C8 33 13 22 > > EventSize - 0x00000079 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C08000000000000004900000000000 > 000 > 0020: > 
42006F006F007400300030003000320001000000230045004600490020004D > 00 > 0040: > 6900730063002000440065007600690063006500000002010C00D041030A0 > 000 > 0060: 0000010106000714031D05000001050800000000007FFF0400 > Event: > PCRIndex - 4 > EventType - 0x80000007 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): CD 0F DB 45 31 A6 EC 41 BE 27 53 BA 04 26 37 D6 E5 F7 F2 > 56 > HashAlgo : 0x000B > Digest(1): 3D 67 72 B4 F8 4E D4 75 95 D7 2A 2C 4C 5F FD 15 F5 BB 72 > C7 50 7F E2 6F 2A AE E2 C6 9D 56 33 BA > > EventSize - 0x00000028 > 0000: > 43616C6C696E6720454649204170706C69636174696F6E2066726F6D20426F > 6F > 0020: 74204F7074696F6E > Event: > PCRIndex - 0 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 1 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 2 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 3 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 
> 0000: 00000000 > Event: > PCRIndex - 4 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 5 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 6 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > FinalEventsTable: (0x8F408000) > Version: (0x1) > NumberOfEvents: (0x0) > PROGRESS CODE: V03051001 I0 > > > > > ________________________________ > De: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>> > Enviado: miércoles, 26 de septiembre de 2018 8:58:26 > Para: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org> > Asunto: RE: Tianocore and TPM2 pcr values > > > That means the TPM2 device works well. > > > > We have code to dump the final event log at Tcg2GetEventLog(). > > // Dump Event Log for debug purpose > > if ((EventLogLocation != NULL) && (EventLogLastEntry != NULL)) { > > DumpEventLog (EventLogFormat, *EventLogLocation, > *EventLogLastEntry, mTcgDxeData.FinalEventsTable[Index]); > > } > > > > If your OS need consume the event log, I expect OS loader calls > Tcg2GetEventLog(). 
> If you don't have such an OS, then you can add a Tcg2GetEventLog() call at the
> end of OnReadyToBoot() - just for debug purposes, to dump the event log.
>
> As such we can know how many events are extended.
>
> Thank you
> Yao Jiewen
>
> From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
> Sent: Wednesday, September 26, 2018 2:48 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: Tianocore and TPM2 pcr values
>
> Yes, from the log I see:
>
> Loading driver at 0x0008F3F2000 EntryPoint=0x0008F3F2240 Tcg2Dxe.efi
> InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF 8F410C18
> ProtectUefiImageCommon - 0x8F4107C0
>   - 0x000000008F3F2000 - 0x000000000000D800
> PROGRESS CODE: V03040002 I0
> InterfaceId - 0xFFFFFFFF
> InterfaceType - 0x0F
> InterfaceCapability - 0x300000FF
> InterfaceVersion - 0x3
> StatusEx - 0xFF
> TpmFamily - 0x3
> PtpInterface - 0
> VID - 0x15D1
> DID - 0x001A
> RID - 0x10
> Tcg2.ProtocolVersion - 01.01
> Tcg2.StructureVersion - 01.01
> Tpm2GetCapabilityManufactureID - 00584649
> Tpm2GetCapabilityFirmwareVersion - 00050000 00044102
> Tpm2GetCapabilityMaxCommandResponseSize - 00000500, 00000500
> GetSupportedAndActivePcrs - Count = 00000002
> Tcg2.SupportedEventLogs - 0x00000003
> Tcg2.HashAlgorithmBitmap - 0x00000003
> Tcg2.NumberOfPCRBanks - 0x00000002
> Tcg2.ActivePcrBanks - 0x00000003
> ...
> ________________________________
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, 26 September 2018 8:44:54
> To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
> Subject: RE: Tianocore and TPM2 pcr values
>
> ProtectUefiImageCommon is not related.
>
> Below is the Tcg2Dxe entrypoint, I expect you can see some messages from there:
>
> ====================================
> DriverEntry()
>
>   if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) ||
>       CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){
>     DEBUG ((DEBUG_INFO, "No TPM2 instance required!\n"));
>     return EFI_UNSUPPORTED;
>   }
>
>   if (GetFirstGuidHob (&gTpmErrorHobGuid) != NULL) {
>     DEBUG ((EFI_D_ERROR, "TPM2 error!\n"));
>     return EFI_DEVICE_ERROR;
>   }
>
>   Status = Tpm2RequestUseTpm ();
>   if (EFI_ERROR (Status)) {
>     DEBUG ((EFI_D_ERROR, "TPM2 not detected!\n"));
>     return Status;
>   }
>
>   //
>   // Fill information
>   //
>   ASSERT (TCG_EVENT_LOG_AREA_COUNT_MAX == sizeof(mTcg2EventInfo)/sizeof(mTcg2EventInfo[0]));
>
>   mTcgDxeData.BsCap.Size = sizeof(EFI_TCG2_BOOT_SERVICE_CAPABILITY);
>   mTcgDxeData.BsCap.ProtocolVersion.Major = 1;
>   mTcgDxeData.BsCap.ProtocolVersion.Minor = 1;
>   mTcgDxeData.BsCap.StructureVersion.Major = 1;
>   mTcgDxeData.BsCap.StructureVersion.Minor = 1;
>
>   DEBUG ((EFI_D_INFO, "Tcg2.ProtocolVersion - %02x.%02x\n", mTcgDxeData.BsCap.ProtocolVersion.Major, mTcgDxeData.BsCap.ProtocolVersion.Minor));
>   DEBUG ((EFI_D_INFO, "Tcg2.StructureVersion - %02x.%02x\n", mTcgDxeData.BsCap.StructureVersion.Major, mTcgDxeData.BsCap.StructureVersion.Minor));
>
>   Status = Tpm2GetCapabilityManufactureID (&mTcgDxeData.BsCap.ManufacturerID);
>   if (EFI_ERROR (Status)) {
>     DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityManufactureID fail!\n"));
>   } else {
>     DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityManufactureID - %08x\n", mTcgDxeData.BsCap.ManufacturerID));
>   }
>
> From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
> Sent: Wednesday, September 26, 2018 2:40 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: Tianocore and TPM2 pcr values
>
> Hi Yao
>
> > Yes, it is always good to enable serial port debug. There are lots of debug
> > messages in the Tcg2Dxe driver. We can know what is wrong.
>
> From the log I've been able to see that "measure" messages start once
> Tcg2Dxe.efi is loaded. From the beginning I can only see "ProtectUefiImageCommon"
> messages but I don't know if they are related.
>
> > In your patch, since we are using UEFI as payload, and there is no PEI, I am
> > not clear which driver you expect will extend something to PCR0. Do you
> > think coreboot is the CRTM? Or the UEFI payload is the CRTM? Who should
> > be responsible to extend the coreboot image from flash, and who should
> > extend the UEFI payload?
>
> I think nothing is implemented in coreboot because when TPM2 was not
> activated in edk2 PCR0-10 were all 0. It's only checking what device
> is available and sending the tpm2_startup command. I'll try to investigate the
> coreboot project to see if the tianocore payload could be extended
> before loading, because coreboot should be the CRTM.
>
> > Also, only *3rd party* images will change PCR2 and PCR4. Do you have such
> > a case in your platform?
>
> First notice.
> No, I don't have such a case in my platform.
>
> Thanks!
> Jorge
>
> ________________________________
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, 26 September 2018 8:11:58
> To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
> Subject: RE: Tianocore and TPM2 pcr values
>
> Hi Jorge
> Yes, it is always good to enable serial port debug. There are lots of debug
> messages in the Tcg2Dxe driver. We can know what is wrong.
>
> In a pure UEFI BIOS, the PEI driver extends to PCR0, and the DXE image
> measurement lib extends to PCR2, PCR4, PCR5. The DXE driver extends
> variables to PCR1/7, and exposes the TCG2 protocol to let the OS use it.
>
> In your patch, since we are using UEFI as payload, and there is no PEI, I am
> not clear which driver you expect will extend something to PCR0. Do you
> think coreboot is the CRTM? Or the UEFI payload is the CRTM? Who should be
> responsible to extend the coreboot image from flash, and who should extend
> the UEFI payload?
>
> Also, only *3rd party* images will change PCR2 and PCR4. Do you have such a
> case in your platform?
>
> Anyway, there should still be something measured - boot variable (PCR1),
> secure boot variable (PCR7), GPT (5), action (4,5), separator (1~7), if you
> include the Tcg2Dxe driver.
>
> I am not clear if coreboot already extends something to the separator according
> to the TCG PFP spec. If that is the case, we probably need special handling in
> the DXE driver.
>
> I look forward to your serial debug message and design discussion.
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> > Jorge Fernandez Monteagudo
> > Sent: Wednesday, September 26, 2018 1:46 PM
> > To: Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> > Subject: Re: [edk2] Tianocore and TPM2 pcr values
> >
> > Hi Chao!
> >
> > Maybe the traces I get from the debug build and
> >
> >   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x7
> >   gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x800A044F
> >   gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2F
> >
> > can help.
> >
> > ________________________________
> > From: edk2-devel <edk2-devel-bounces@lists.01.org> on behalf of Jorge
> > Fernandez Monteagudo <jorgefm@cirsa.com>
> > Sent: Tuesday, 25 September 2018 16:09:31
> > To: Zhang, Chao B; edk2-devel@lists.01.org
> > Subject: Re: [edk2] Tianocore and TPM2 pcr values
> >
> > Hi Chao!
> >
> > PCR0 has not changed in any of the tests I've done! What info do you need?
> >
> > I'm using:
> >
> > coreboot: ae05d095b36ac835a6b1a221e6858065e5486888, master branch
> > tianocore: 07ecd98ac18d6792181856faca7d4bed1b587261, coreboot branch
> >
> > Attached are the changes I've done to tianocore to get TPM2 support and no
> > console.
> > PCR0 is always 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> >
> > Thanks!
> > ________________________________
> > From: Zhang, Chao B <chao.b.zhang@intel.com>
> > Sent: Tuesday, 25 September 2018 15:41:45
> > To: Jorge Fernandez Monteagudo; edk2-devel@lists.01.org
> > Cc: You, Benjamin
> > Subject: RE: Tianocore and TPM2 pcr values
> >
> > Hi Jorge:
> > PCR 0 should change if you use a different coreboot payload + UEFI. So
> > your case seems to be an issue. Can you provide more detailed info?
> >
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> > Jorge Fernandez Monteagudo
> > Sent: Monday, September 24, 2018 5:57 PM
> > To: edk2-devel@lists.01.org
> > Subject: [edk2] Tianocore and TPM2 pcr values
> >
> > Hi all,
> >
> > This is my first message in this list. I'm using tianocore as a payload for
> > Coreboot in order to boot a custom board I'm working on. Finally I've been
> > able to enable the TPM2 support in coreboot and in tianocore but I have some
> > questions regarding the values I'm seeing in the PCRs.
> >
> > I'm using the Tianocore master branch as selected by coreboot menuconfig
> > and x64 architecture. Once the system is running I can read the PCRs and, if
> > I'm not wrong, PCRs 0 to 7 are handled by Tianocore/Coreboot. I've flashed a
> > coreboot+tianocore in release mode and a coreboot+tianocore in debug mode and
> > the PCRs are the same. Is it ok? I thought that any change in the
> > coreboot.rom would make the PCR values change...
> >
> > pcr0: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> > pcr1: a3a3552caa68c6d9db64bf1ed4dca08080f99b59f1b26debc9abefa59ee8ca28
> > pcr2: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> > pcr3: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> > pcr4: 74a35102770e65ab94b35135a4bf54c411134ae8059e03df41060a33f573871f
> > pcr5: dfa65561584cb8604b1675c869f3341d0c99c642ce9d91353380361126235ad8
> > pcr6: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
> > pcr7: b5710bf57d25623e4019027da116821fa99f5c81e9e38b87671cc574f9281439
> >
> > Another test I've done is using the Tianocore stable branch as selected by
> > coreboot (STABLE_COMMIT_ID=315d9d08fd77db1024ccc5307823da8aaed85e2f) and
> > I get the same values from release and build coreboot.roms except that
> > PCR1 has the same value as PCR0, 2, 3 and 6, it seems it's not used in this
> > version.
> >
> > Is this the expected behavior?
> >
> > Thanks!
> > Jorge
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
^ permalink raw reply [flat|nested] 18+ messages in thread
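The dump and the PCR values above explain each other: PCR0, 2, 3 and 6 all hold the same value because the only thing extended into them is the EV_SEPARATOR event (four zero bytes, SHA-256 df3f6198...), and nothing measures coreboot or the payload into PCR0, which is why a debug and a release build produce identical PCRs. The check a practitioner wants here is to replay the event log and compare the result with what the TPM reports. The script below is an added example, not code from the thread or from edk2: it builds a constructed crypto-agile log (TCG_EfiSpecIdEvent header followed by TCG_PCR_EVENT2 entries) in the layout Tcg2Dxe dumps, parses it, replays the SHA-256 digests with PCR = H(PCR || digest), verifies that separator and EV_EFI_ACTION digests really hash the event data, and diffs the result against the values posted at the top of the thread. The event types, algorithm IDs and reported values are taken from the thread; the function names and the sample log are my own.

```python
import hashlib
import struct

# TPM algorithm identifiers and event types as they appear in the thread's dump.
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
EV_NO_ACTION = 0x00000003
EV_SEPARATOR = 0x00000004
EV_EFI_ACTION = 0x80000007

HASHERS = {TPM_ALG_SHA1: hashlib.sha1, TPM_ALG_SHA256: hashlib.sha256}


def spec_id_event(algs):
    """First log entry: a SHA-1-format TCG_PCR_EVENT carrying TCG_EfiSpecIdEvent."""
    body = b"Spec ID Event03\x00"                    # signature, NUL-terminated
    body += struct.pack("<IBBBB", 0, 0, 2, 0, 2)      # platformClass, minor, major, errata, uintnSize
    body += struct.pack("<I", len(algs))              # numberOfAlgorithms
    for alg, size in algs:
        body += struct.pack("<HH", alg, size)         # TCG_EfiSpecIdEventAlgorithmSize
    body += b"\x00"                                   # vendorInfoSize = 0
    # pcrIndex, eventType, 20-byte SHA-1 digest (all zero), eventSize
    return struct.pack("<II20sI", 0, EV_NO_ACTION, b"\x00" * 20, len(body)) + body


def event2(pcr, ev_type, data, algs):
    """One TCG_PCR_EVENT2 entry; its digests are computed over the event data."""
    out = struct.pack("<III", pcr, ev_type, len(algs))
    for alg, _ in algs:
        out += struct.pack("<H", alg) + HASHERS[alg](data).digest()
    return out + struct.pack("<I", len(data)) + data


def build_sample_log():
    """Constructed log mirroring the thread: one EV_EFI_ACTION on PCR4, then one
    EV_SEPARATOR (event data 00000000) on each of PCR0..PCR6."""
    algs = [(TPM_ALG_SHA1, 20), (TPM_ALG_SHA256, 32)]
    log = spec_id_event(algs)
    log += event2(4, EV_EFI_ACTION, b"Calling EFI Application from Boot Option", algs)
    for pcr in range(7):
        log += event2(pcr, EV_SEPARATOR, b"\x00\x00\x00\x00", algs)
    return log


def parse_event_log(blob):
    """Yield (pcr, event_type, {alg: digest}, event_data) for each TCG_PCR_EVENT2 entry."""
    _pcr, ev_type, _digest, size = struct.unpack_from("<II20sI", blob, 0)
    if ev_type != EV_NO_ACTION:
        raise ValueError("first entry must be the EV_NO_ACTION Spec ID event")
    spec = blob[32:32 + size]
    if not spec.startswith(b"Spec ID Event03\x00"):
        raise ValueError("missing Spec ID Event03 header")
    n_algs = struct.unpack_from("<I", spec, 24)[0]
    sizes = {}
    for i in range(n_algs):                            # digest size per announced algorithm
        alg, dsize = struct.unpack_from("<HH", spec, 28 + 4 * i)
        sizes[alg] = dsize
    off = 32 + size
    while off < len(blob):
        pcr, ev_type, count = struct.unpack_from("<III", blob, off)
        off += 12
        digests = {}
        for _ in range(count):
            alg = struct.unpack_from("<H", blob, off)[0]
            off += 2
            if alg not in sizes:
                raise ValueError("algorithm 0x%04x not announced in Spec ID event" % alg)
            digests[alg] = blob[off:off + sizes[alg]]
            off += sizes[alg]
        ev_size = struct.unpack_from("<I", blob, off)[0]
        off += 4
        data = blob[off:off + ev_size]
        off += ev_size
        yield pcr, ev_type, digests, data


def replay(entries, alg=TPM_ALG_SHA256):
    """Recompute each PCR from its log entries: PCR = H(PCR || digest), starting from zeros."""
    hasher = HASHERS[alg]
    size = hasher().digest_size
    pcrs = {}
    for pcr, ev_type, digests, data in entries:
        # Separators and EFI actions must carry the hash of their own event data.
        if ev_type in (EV_SEPARATOR, EV_EFI_ACTION) and hasher(data).digest() != digests[alg]:
            raise ValueError("digest does not match event data on PCR %d" % pcr)
        cur = pcrs.get(pcr, b"\x00" * size)
        pcrs[pcr] = hasher(cur + digests[alg]).digest()
    return {pcr: value.hex() for pcr, value in pcrs.items()}


def check_pcrs(computed, reported):
    """Return {pcr: (replayed, reported)} for every reported PCR that does not match."""
    return {pcr: (computed.get(pcr), value) for pcr, value in reported.items()
            if computed.get(pcr) != value}


# SHA-256 bank values read from the TPM in the first message of the thread.
REPORTED = {
    0: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    2: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    3: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    6: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
}

if __name__ == "__main__":
    pcrs = replay(parse_event_log(build_sample_log()))
    for pcr in sorted(pcrs):
        print("pcr%d: %s" % (pcr, pcrs[pcr]))
    print("mismatches:", check_pcrs(pcrs, REPORTED))
```

Run against a real log (the binary Tcg2Dxe hands to the OS, or /sys/kernel/security/tpm0/binary_bios_measurements on Linux) in place of build_sample_log(), the same replay shows which PCR diverges from the TPM and at which entry; an empty mismatch set with only separator events in PCR0 is exactly the "nothing measures the firmware" situation the thread is diagnosing.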
* Re: Tianocore and TPM2 pcr values 2018-09-27 6:36 ` Jorge Fernandez Monteagudo @ 2018-09-27 6:52 ` Jorge Fernandez Monteagudo 2018-09-27 6:56 ` Yao, Jiewen 0 siblings, 1 reply; 18+ messages in thread From: Jorge Fernandez Monteagudo @ 2018-09-27 6:52 UTC (permalink / raw) To: Yao, Jiewen, Zhang, Chao B, edk2-devel@lists.01.org
Studying the kernel code it seems that it's a warning. The error 2314 (TPM2_RC_TESTING) is a warning because a self test is already running; it's detected and the function returns immediately to shorten boot time.

________________________________
From: Jorge Fernandez Monteagudo
Sent: Thursday, 27 September 2018 8:36:12
To: Yao, Jiewen; Zhang, Chao B; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

The selftest is done by the kernel but I suspect it expects something to be done before the selftest, but I'm not sure what... The coreboot code is the same for the tests I've done with SeaBIOS and Tianocore.

From the kernel code:

/**
 * tpm2_do_selftest() - ensure that all self tests have passed
 *
 * @chip: TPM chip to use
 *
 * Return: Same as with tpm_transmit_cmd.
 *
 * The TPM can either run all self tests synchronously and then return
 * RC_SUCCESS once all tests were successful. Or it can choose to run the tests
 * asynchronously and return RC_TESTING immediately while the self tests still
 * execute in the background. This function handles both cases and waits until
 * all tests have completed.
 */
static int tpm2_do_selftest(struct tpm_chip *chip)
{
	struct tpm_buf buf;
	int full;
	int rc;

	/* First request the partial self test (full = 0), then the full one (full = 1). */
	for (full = 0; full < 2; full++) {
		rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_SELF_TEST);
		if (rc)
			return rc;

		tpm_buf_append_u8(&buf, full);	/* TPM2_SelfTest fullTest parameter */
		rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0,
				      "attempting the self test");
		tpm_buf_destroy(&buf);

		/*
		 * TPM2_RC_TESTING (0x90A, 2314 decimal) means the tests are still
		 * running in the background: treat it as success. tpm_transmit_cmd
		 * has already logged the non-zero code as "A TPM error (2314)
		 * occurred attempting the self test" before this point.
		 */
		if (rc == TPM2_RC_TESTING)
			rc = TPM2_RC_SUCCESS;
		if (rc == TPM2_RC_INITIALIZE || rc == TPM2_RC_SUCCESS)
			return rc;
	}

	return rc;
}

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Thursday, 27 September 2018 8:22:56
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

May I know who does the self test? coreboot? or SeaBIOS?

Thank you
Yao Jiewen

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Thursday, September 27, 2018 2:12 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

Hi, the only remaining issue is this dmesg TPM error trace I get when booting with the UEFI payload, which is not present when SeaBIOS is used:

[    0.390995] tpm_tis 00:02: 2.0 TPM (device-id 0x1A, rev-id 16)
[    0.399957] tpm tpm0: A TPM error (2314) occurred attempting the self test

but I don't know yet what the reason is... I'm using linux 4.17.1

Regards
Jorge

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, 26 September 2018 14:17:12
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

OK. So no issue in UEFI payload, right?
Thank you
Yao Jiewen

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Wednesday, September 26, 2018 5:06 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

> You still cannot get the right PCR hardware value?

Sorry, what do you mean? I think the only remaining thing is extending the tianocore payload from coreboot once it is loaded, in order to detect changes in the payload, but that's related to coreboot, not edk2...

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, 26 September 2018 10:56:05
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

OK. That means the PCR is extended successfully.

You still cannot get the right PCR hardware value?

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Jorge Fernandez Monteagudo
> Sent: Wednesday, September 26, 2018 4:54 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Tianocore and TPM2 pcr values
>
> I've added the Tcg2GetEventLog at the end of OnReadyToBoot from
> Tcg2Dxe.c and I can see:
>
> TPM2 Tcg2Dxe Measure Data when ReadyToBoot
> Tcg2GetEventLog ...
(0x2) > Tcg2GetEventLog (EventLogLocation - 8F3D2000) > Tcg2GetEventLog (EventLogLastEntry - 8F3D27AE) > Tcg2GetEventLog (EventLogTruncated - 0) > Tcg2GetEventLog - Success > EventLogFormat: (0x2) > Event: > PCRIndex - 0 > EventType - 0x00000003 > Digest - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > 00 > EventSize - 0x00000025 > 0000: > 53706563204944204576656E74303300000000000002000202000000040014 > 00 > 0020: 0B00200000 > TCG_EfiSpecIDEventStruct: > signature - 'Spec ID Event03 ' > platformClass - 0x00000000 > specVersion - 2.00 > uintnSize - 0x02 > NumberOfAlgorithms - 0x00000002 > digest(0) > algorithmId - 0x0004 > digestSize - 0x0014 > digest(1) > algorithmId - 0x000B > digestSize - 0x0020 > VendorInfoSize - 0x00 > VendorInfo - > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 2F 20 11 2A 3F 55 39 8B 20 8E 0C 42 68 13 89 B4 CB 5B 18 > 23 > HashAlgo : 0x000B > Digest(1): CE 9C E3 86 B5 2E 09 9F 30 19 E5 12 A0 D6 06 2D 6B 56 0E > FE 4F F3 E5 66 1C 75 25 E2 F9 C2 63 DF > > EventSize - 0x00000034 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C0A00000000000000000000000000 > 0000 > 0020: 53006500630075007200650042006F006F007400 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 9B 13 87 30 6E BB 7F F8 E7 95 E7 BE 77 56 36 66 BB F4 51 > 6E > HashAlgo : 0x000B > Digest(1): DE A7 B8 0A B5 3A 3D AA A2 4D 5C C4 6C 64 E1 FA 9F FD 03 > 73 9F 90 AA DB D8 C0 86 7C 4A 5B 48 90 > > EventSize - 0x00000024 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C02000000000000000000000000000 > 000 > 0020: 50004B00 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 9A FA 86 C5 07 41 9B 85 70 C6 21 67 CB 94 86 D9 FC 80 97 > 58 > HashAlgo : 0x000B > Digest(1): E6 70 E1 21 FC EB D4 73 B8 BC 41 BB 80 13 01 FC 1D 9A FA > 33 90 4F 06 F7 14 9B 74 F1 2C 47 A6 8F > > EventSize - 0x00000026 > 0000: > 
61DFE48BCA93D211AA0D00E098032B8C03000000000000000000000000000 > 000 > 0020: 4B0045004B00 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 5B F8 FA A0 78 D4 0F FB D0 33 17 C9 33 98 B0 12 29 A0 E1 > E0 > HashAlgo : 0x000B > Digest(1): BA F8 9A 3C CA CE 52 75 0C 5F 01 28 35 1E 04 22 A4 15 97 > A1 AD FD 50 82 2A A3 63 B9 D1 24 EA 7C > > EventSize - 0x00000024 > 0000: > CBB219D73A3D9645A3BCDAD00E67656F0200000000000000000000000000 > 0000 > 0020: 64006200 > Event: > PCRIndex - 7 > EventType - 0x80000001 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 73 44 24 C9 FE 8F C7 17 16 C4 20 96 F4 B7 4C 88 73 3B 17 > 5E > HashAlgo : 0x000B > Digest(1): 9F 75 B6 82 3B FF 6A F1 02 4A 4E 20 36 71 9C DD 54 8D 3C > BC 2B F1 DE 8E 7E F4 D0 ED 01 F9 4B F9 > > EventSize - 0x00000026 > 0000: > CBB219D73A3D9645A3BCDAD00E67656F0300000000000000000000000000 > 0000 > 0020: 640062007800 > Event: > PCRIndex - 7 > EventType - 0x00000004 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 90 69 CA 78 E7 45 0A 28 51 73 43 1B 3E 52 C5 C2 52 99 E4 > 73 > HashAlgo : 0x000B > Digest(1): DF 3F 61 98 04 A9 2F DB 40 57 19 2D C4 3D D7 48 EA 77 8A > DC 52 BC 49 8C E8 05 24 C0 14 B8 11 19 > > EventSize - 0x00000004 > 0000: 00000000 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 1B 24 F7 F4 BB 84 00 03 02 20 9D 12 98 D6 2F 57 79 A9 4F > 45 > HashAlgo : 0x000B > Digest(1): 90 C2 69 89 21 CA 9F D0 29 50 BE 35 3F 72 18 88 76 0E 33 > AB 50 95 A2 1E 50 F1 E4 36 0B 6D E1 A0 > > EventSize - 0x00000038 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C09000000000000000600000000000 > 000 > 0020: 42006F006F0074004F007200640065007200000001000200 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): E9 44 11 C7 28 F4 14 4F 9F 49 9D DE 4A BB F8 F0 48 3A BB > 66 > HashAlgo : 0x000B > Digest(1): 1F 7F 14 CE 8C 8E 85 5B 56 A0 FF 0D 87 FB 6E E6 
78 98 37 > 76 FA BE 83 C4 9F E5 1F 07 36 D3 0E 9C > > EventSize - 0x00000070 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C08000000000000004000000000000 > 000 > 0020: > 42006F006F0074003000300030003000010000001C00450046004900200055 > 00 > 0040: > 530042002000440065007600690063006500000002010C00D041030A00000 > 000 > 0060: 0101060000100305060001007FFF0400 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): 2D 60 53 82 1E 28 AC 45 A6 64 84 57 06 57 48 7A C3 8B 9E > 3A > HashAlgo : 0x000B > Digest(1): A0 39 4A 61 B8 1E 84 4E 1C 13 6C 74 EC 15 56 0A CF 5C 69 > 0F 22 3E C3 22 1F F5 1E 18 3C 72 AF DA > > EventSize - 0x00000074 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C08000000000000004400000000000 > 000 > 0020: > 42006F006F0074003000300030003100010000002000450046004900200048 > 00 > 0040: > 610072006400200044007200690076006500000002010C00D041030A00000 > 000 > 0060: 01010600001103120A000100FFFF00007FFF0400 > Event: > PCRIndex - 1 > EventType - 0x80000002 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): CF A3 CA 37 28 69 A8 3E 5A 0A 29 2D 94 D9 03 32 3D F7 1E > 86 > HashAlgo : 0x000B > Digest(1): C1 B5 4E 82 C6 8B 86 A7 ED 70 DF E9 CB AC A8 1E 99 C0 8A > 42 13 DD FD 13 7A 54 12 45 C8 33 13 22 > > EventSize - 0x00000079 > 0000: > 61DFE48BCA93D211AA0D00E098032B8C08000000000000004900000000000 > 000 > 0020: > 42006F006F007400300030003000320001000000230045004600490020004D > 00 > 0040: > 6900730063002000440065007600690063006500000002010C00D041030A0 > 000 > 0060: 0000010106000714031D05000001050800000000007FFF0400 > Event: > PCRIndex - 4 > EventType - 0x80000007 > DigestCount: 0x00000002 > HashAlgo : 0x0004 > Digest(0): CD 0F DB 45 31 A6 EC 41 BE 27 53 BA 04 26 37 D6 E5 F7 F2 > 56 > HashAlgo : 0x000B > Digest(1): 3D 67 72 B4 F8 4E D4 75 95 D7 2A 2C 4C 5F FD 15 F5 BB 72 > C7 50 7F E2 6F 2A AE E2 C6 9D 56 33 BA > > EventSize - 0x00000028 > 0000: > 43616C6C696E6720454649204170706C69636174696F6E2066726F6D20426F > 6F > 0020: 
74204F7074696F6E
> > ________________________________ > > De: Zhang, Chao B > <chao.b.zhang@intel.com<mailto:chao.b.zhang@intel.com<mailto:chao.b.zhang@intel.com%3cmailto:chao.b.zhang@intel.com>>> > > Enviado: martes, 25 de septiembre de 2018 15:41:45 > > Para: Jorge Fernandez Monteagudo; > edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org%3cmailto:edk2-devel@lists.01.org>> > > Cc: You, Benjamin > > Asunto: RE: Tianocore and TPM2 pcr values > > > > Hi Jorge: > > PCR 0 should change if you use different core boot payload + UEFI. > So > > your case seems to be an issue. Can you provide more detailed info? > > > > > > -----Original Message----- > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of > > Jorge Fernandez Monteagudo > > Sent: Monday, September 24, 2018 5:57 PM > > To: edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org%3cmailto:edk2-devel@lists.01.org>> > > Subject: [edk2] Tianocore and TPM2 pcr values > > > > Hi all, > > > > > > This is my first message in this list. I'm using tianocore as a payload for a > > Coreboot in order to > > > > boot a custom board I'm working on it. Finally I've been able to enable the > > TPM2 support in > > > > coreboot and in tianocore but I have some questions regarding the values > > I'm seeing in the PCRs. > > > > > > I'm using Tianocore master branch as is selected by coreboot menuconfig > > and x64 architecture. > > > > Once the system is running I can read the PCRs and, if I'm not wrong, PCRs > 0 > > to 7 are handled > > > > by the Tianocore/Coreboot. I've flashed a coreboot+tianocore in release > > mode and a coreboot+ > > > > tianocore in debug mode and the PCRs are the same. Is it ok? I thought > that > > any change in the > > > > coreboot.rom will made the PCR values to change... 
> > > > > > pcr0: > > > 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 > > pcr1: > > > a3a3552caa68c6d9db64bf1ed4dca08080f99b59f1b26debc9abefa59ee8ca28 > > pcr2: > > > 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 > > pcr3: > > > 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 > > pcr4: > > > 74a35102770e65ab94b35135a4bf54c411134ae8059e03df41060a33f573871 > > f > > pcr5: > > > dfa65561584cb8604b1675c869f3341d0c99c642ce9d91353380361126235ad > > 8 > > pcr6: > > > 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969 > > pcr7: > > > b5710bf57d25623e4019027da116821fa99f5c81e9e38b87671cc574f9281439 > > > > Another test I've done is using the Tianocore stable branch as selected by > > coreboot > > (STABLE_COMMIT_ID=315d9d08fd77db1024ccc5307823da8aaed85e2f) > and > > I get the same values from release and build coreboot.roms except that > > PCR1 has the same value as PCR0, 2, 3 and 6, it seems it's not used in this > > version. > > > > Is this the expected behavior? > > > > Thanks! > > Jorge > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org%3cmailto:edk2-devel@lists.01.org>> > > https://lists.01.org/mailman/listinfo/edk2-devel > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org%3cmailto:edk2-devel@lists.01.org>> > > https://lists.01.org/mailman/listinfo/edk2-devel > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org> > https://lists.01.org/mailman/listinfo/edk2-devel ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Tianocore and TPM2 pcr values
From: Yao, Jiewen @ 2018-09-27 6:56 UTC
To: Jorge Fernandez Monteagudo, Zhang, Chao B, edk2-devel@lists.01.org

Good to know.

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Thursday, September 27, 2018 2:53 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

Studying the kernel code it seems that it's a warning. The error 2314 (TPM2_RC_TESTING) is a warning because a testing is already running and it's detected and it returns immediately to shorten boot time.

________________________________
From: Jorge Fernandez Monteagudo
Sent: Thursday, 27 September 2018 8:36:12
To: Yao, Jiewen; Zhang, Chao B; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

The selftest is done by the kernel but I suspect it expects something to be done before the selftest but I'm not sure what... The coreboot code is the same for the test I've done with SeaBIOS and Tianocore.

From the kernel code:

/**
 * tpm2_do_selftest() - ensure that all self tests have passed
 *
 * @chip: TPM chip to use
 *
 * Return: Same as with tpm_transmit_cmd.
 *
 * The TPM can either run all self tests synchronously and then return
 * RC_SUCCESS once all tests were successful. Or it can choose to run the tests
 * asynchronously and return RC_TESTING immediately while the self tests still
 * execute in the background. This function handles both cases and waits until
 * all tests have completed.
 */
static int tpm2_do_selftest(struct tpm_chip *chip)
{
	struct tpm_buf buf;
	int full;
	int rc;

	for (full = 0; full < 2; full++) {
		rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_SELF_TEST);
		if (rc)
			return rc;

		tpm_buf_append_u8(&buf, full);
		rc = tpm_transmit_cmd(chip, NULL, buf.data, PAGE_SIZE, 0, 0,
				      "attempting the self test");
		tpm_buf_destroy(&buf);

		/* RC_TESTING only means the tests are still running in the background */
		if (rc == TPM2_RC_TESTING)
			rc = TPM2_RC_SUCCESS;
		if (rc == TPM2_RC_INITIALIZE || rc == TPM2_RC_SUCCESS)
			return rc;
	}

	return rc;
}

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Thursday, 27 September 2018 8:22:56
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

May I know who does the self test? coreboot ? or SeaBIOS?

Thank you
Yao Jiewen

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Thursday, September 27, 2018 2:12 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

Hi, the only remaining issue is this dmesg TPM error trace I get when booting with the UEFI payload but not present when SeaBIOS is used:

[    0.390995] tpm_tis 00:02: 2.0 TPM (device-id 0x1A, rev-id 16)
[    0.399957] tpm tpm0: A TPM error (2314) occurred attempting the self test

but I don't know yet what the reason is... I'm using linux 4.17.1

Regards
Jorge

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, 26 September 2018 14:17:12
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

OK. So no issue in UEFI payload, right?

Thank you
Yao Jiewen

From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
Sent: Wednesday, September 26, 2018 5:06 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
Subject: Re: Tianocore and TPM2 pcr values

> You still cannot get the right PCR hardware value?

Sorry, what do you mean? I think the only remaining thing is extending the tianocore payload from the coreboot once it is loaded in order to detect changes in the payload but it's related to coreboot, not edk2...

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Wednesday, 26 September 2018 10:56:05
To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
Subject: RE: Tianocore and TPM2 pcr values

OK. That means the PCR is extended successfully. You still cannot get the right PCR hardware value?

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jorge Fernandez Monteagudo
> Sent: Wednesday, September 26, 2018 4:54 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Tianocore and TPM2 pcr values
>
> I've added the Tcg2GetEventLog at the end of OnReadyToBoot from Tcg2Dxe.c and I can see:
>
> TPM2 Tcg2Dxe Measure Data when ReadyToBoot
> FinalEventsTable: (0x8F408000)
> Version: (0x1)
> NumberOfEvents: (0x0)
> PROGRESS CODE: V03051001 I0
>
> ________________________________
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, 26 September 2018 8:58:26
> To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
> Subject: RE: Tianocore and TPM2 pcr values
>
> That means the TPM2 device works well.
>
> We have code to dump the final event log at Tcg2GetEventLog().
>
>   // Dump Event Log for debug purpose
>   if ((EventLogLocation != NULL) && (EventLogLastEntry != NULL)) {
>     DumpEventLog (EventLogFormat, *EventLogLocation, *EventLogLastEntry, mTcgDxeData.FinalEventsTable[Index]);
>   }
>
> If your OS needs to consume the event log, I expect OS loader calls Tcg2GetEventLog().
>
> If you don't have such OS, then you can add Tcg2GetEventLog() call in the end of OnReadyToBoot() - just for debug purpose to dump the event log.
>
> As such we can know how many events are extended.
>
> Thank you
> Yao Jiewen
>
> From: Jorge Fernandez Monteagudo [mailto:jorgefm@cirsa.com]
> Sent: Wednesday, September 26, 2018 2:48 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; edk2-devel@lists.01.org
> Subject: Re: Tianocore and TPM2 pcr values
>
> Yes, from log I see:
>
>   Loading driver at 0x0008F3F2000 EntryPoint=0x0008F3F2240 Tcg2Dxe.efi
>   InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF 8F410C18
>   ProtectUefiImageCommon - 0x8F4107C0
>     - 0x000000008F3F2000 - 0x000000000000D800
>   PROGRESS CODE: V03040002 I0
>   InterfaceId - 0xFFFFFFFF
>   InterfaceType - 0x0F
>   InterfaceCapability - 0x300000FF
>   InterfaceVersion - 0x3
>   StatusEx - 0xFF
>   TpmFamily - 0x3
>   PtpInterface - 0
>   VID - 0x15D1
>   DID - 0x001A
>   RID - 0x10
>   Tcg2.ProtocolVersion - 01.01
>   Tcg2.StructureVersion - 01.01
>   Tpm2GetCapabilityManufactureID - 00584649
>   Tpm2GetCapabilityFirmwareVersion - 00050000 00044102
>   Tpm2GetCapabilityMaxCommandResponseSize - 00000500, 00000500
>   GetSupportedAndActivePcrs - Count = 00000002
>   Tcg2.SupportedEventLogs - 0x00000003
>   Tcg2.HashAlgorithmBitmap - 0x00000003
>   Tcg2.NumberOfPCRBanks - 0x00000002
>   Tcg2.ActivePcrBanks - 0x00000003
>   ...
>
> ________________________________
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, 26 September 2018 8:44:54
> To: Jorge Fernandez Monteagudo; Zhang, Chao B; edk2-devel@lists.01.org
> Subject: RE: Tianocore and TPM2 pcr values
>
> ProtectUefiImageCommon is not related.
Thread overview: 18+ messages
2018-09-24  9:57 Tianocore and TPM2 pcr values  Jorge Fernandez Monteagudo
2018-09-25 13:41 ` Zhang, Chao B
2018-09-25 14:09 ` Jorge Fernandez Monteagudo
2018-09-26  5:46 ` Jorge Fernandez Monteagudo
2018-09-26  6:11 ` Yao, Jiewen
2018-09-26  6:39 ` Jorge Fernandez Monteagudo
2018-09-26  6:44 ` Yao, Jiewen
2018-09-26  6:48 ` Jorge Fernandez Monteagudo
2018-09-26  6:58 ` Yao, Jiewen
2018-09-26  8:53 ` Jorge Fernandez Monteagudo
2018-09-26  8:56 ` Yao, Jiewen
2018-09-26  9:06 ` Jorge Fernandez Monteagudo
2018-09-26 12:17 ` Yao, Jiewen
2018-09-27  6:11 ` Jorge Fernandez Monteagudo
2018-09-27  6:22 ` Yao, Jiewen
2018-09-27  6:36 ` Jorge Fernandez Monteagudo
2018-09-27  6:52 ` Jorge Fernandez Monteagudo
2018-09-27  6:56 ` Yao, Jiewen