From: "Ni, Ray"
To: "Yang, Longlong", "devel@edk2.groups.io"
CC: "Dong, Eric", "Kumar, Rahul1", "Yao, Jiewen", "Xu, Min M", "Zhang, Qi1"
Subject: Re: [PATCH 1/1] UefiCpuPkg: Extend measurement of microcode patches to TPM
Date: Tue, 2 Nov 2021 01:55:13 +0000
In-Reply-To: <69d53dbbfe4bb2fdd27d5098850a9e91a43d63bb.1635405564.git.longlong.yang@intel.com>
Longlong,

Your code creates a big buffer that holds microcode data for all threads.

MicrocodeCpu[i] = MicrocodePatchHob->MicrocodePatchAddress + MicrocodePatchHob->ProcessorSpecificPatchOffset[i]
BigBuffer = GetMicrocodeBuffer (MicrocodeOfCpu[0]) + GetMicrocodeBuffer (MicrocodeOfCpu[1]) + ...
HashValue = Hash (BigBuffer)

I am not sure if we can do like below:

BigBuffer = MicrocodePatchAddress> + ProcessorSpecificPatchOffset[]>
HashValue = Hash (BigBuffer)

The second approach doesn't require sorting, one-by-one-copying.

Thanks,
Ray

-----Original Message-----
From: Yang, Longlong
Sent: Thursday, October 28, 2021 3:21 PM
To: devel@edk2.groups.io
Cc: Yang, Longlong; Dong, Eric; Ni, Ray; Kumar, Rahul1; Yao, Jiewen; Xu, Min M; Zhang, Qi1
Subject: [PATCH 1/1] UefiCpuPkg: Extend measurement of microcode patches to TPM

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3683

TCG specification says BIOS should extend measurement of microcode to TPM. However, reference BIOS is not doing this. This patch consumes gEdkiiMicrocodePatchHobGuid to checkout all applied microcode patches, then all applied microcode patches are packed in order to form a single binary blob which is measured with event type EV_CPU_MICROCODE to PCR[1] in TPM.

Cc: Eric Dong
Cc: Ray Ni
Cc: Rahul Kumar
Cc: Jiewen Yao
Cc: Min M Xu
Cc: Qi Zhang
Signed-off-by: Longlong Yang
---
 .../MicrocodeMeasurementDxe.c        | 254 ++++++++++++++++++
 .../MicrocodeMeasurementDxe.inf      |  58 ++++
 .../MicrocodeMeasurementDxe.uni      |  15 ++
 .../MicrocodeMeasurementDxeExtra.uni |  12 +
 UefiCpuPkg/UefiCpuPkg.dsc            |   2 +
 5 files changed, 341 insertions(+)
 create mode 100644 UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.c
 create mode 100644 UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.inf
 create mode 100644 UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.uni
 create mode 100644 UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxeExtra.uni

diff --git a/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.c b= /UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.c new file mode 100644 index 000000000000..1898a2bff023 --- /dev/null +++ b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.c @@ -0,0 +1,254 @@ +/** @file + This driver measures Microcode Patches to TPM. + +Copyright (c) 2021, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include #include =20 +#include #include =20 +#include #include=20 + +#include +#include +#include +#include +#include + + +#define CPU_MICROCODE_MEASUREMENT_DESCRIPTION "Microcode Measurement" +#define CPU_MICROCODE_MEASUREMENT_EVENT_LOG_DESCRIPTION_LEN =20 +sizeof(CPU_MICROCODE_MEASUREMENT_DESCRIPTION) + +#pragma pack(1) +typedef struct { + UINTN Address; + UINTN Size; +} MICROCODE_PATCH_TYPE; + +typedef struct { + UINT8 Description[CPU_MICROCODE_MEASUREMENT_EVENT_LOG_DESCRIPTION_LEN= ]; + UINTN NumberOfMicrocodePatchesMeasured; + UINTN SizeOfMicrocodePatchesMeasured; +} CPU_MICROCODE_MEASUREMENT_EVENT_LOG; +#pragma pack() + +STATIC BOOLEAN mMicrocodeMeasured =3D FALSE; + +/** + The function is called by PerformQuickSort to compare the order of + addresses of two microcode patch in RAM. + + @param[in] MicrocodePatch1 The pointer to the first microcode patch ty= pe structure. + @param[in] MicrocodePatch2 The pointer to the second microcode patch t= ype structure. + + @return 0 The address of MicrocodePatch1 in RAM equal= to that of MicrocodePatch2. + @return <0 The address of MicrocodePatch1 in RAM is le= ss than that of MicrocodePatch2. + @return >0 The address of MicrocodePatch1 in RAM is gr= eater than that of MicrocodePatch2. +**/ +INTN +EFIAPI +MicrocodePatchesListSortFunction ( + IN CONST VOID *MicrocodePatch1, + IN CONST VOID *MicrocodePatch2 + ) +{ + return ((MICROCODE_PATCH_TYPE*)MicrocodePatch2)->Address -=20 +((MICROCODE_PATCH_TYPE*)MicrocodePatch1)->Address; +} + +/** + Callback function, called after signaling of the Ready to Boot Event. + Measure microcode patches binary blob with event type=20 +EV_CPU_MICROCODE + to PCR[1] in TPM. + + @param[in] Event Event whose notification function is being invoked= . + @param[in] Context Pointer to the notification function's context. 
+ +**/ +VOID +EFIAPI +MeasureMicrocodePatches ( + IN EFI_EVENT Event, + IN VOID *Context + ) +{ + EFI_STATUS Status; + UINT32 PCRIndex; + UINT32 EventType; + CPU_MICROCODE_MEASUREMENT_EVENT_LOG EventLog; + UINT32 EventLogSize; + EFI_HOB_GUID_TYPE *GuidHob; + EDKII_MICROCODE_PATCH_HOB *MicrocodePatchHob; + UINTN SumOfAllPatchesSizeInMicrocodePatc= hHob; + UINT32 Index; + MICROCODE_PATCH_TYPE *MicrocodePatchesList; + UINTN LastPackedMicrocodeAddress; + UINT8 *MicrocodePatchesBlob; + UINT64 MicrocodePatchesBlobSize; + + + PCRIndex =3D 1; + EventType =3D EV_CPU_MICROCODE; + AsciiSPrint ( + (CHAR8 *)EventLog.Description, + CPU_MICROCODE_MEASUREMENT_EVENT_LOG_DESCRIPTION_LEN, + CPU_MICROCODE_MEASUREMENT_DESCRIPTION + ); + EventLog.NumberOfMicrocodePatchesMeasured =3D 0; + EventLog.SizeOfMicrocodePatchesMeasured =3D 0; + EventLogSize =3D sizeof (CPU_MICROCODE_MEAS= UREMENT_EVENT_LOG); + SumOfAllPatchesSizeInMicrocodePatchHob =3D 0; + LastPackedMicrocodeAddress =3D 0; + MicrocodePatchesBlob =3D NULL; + MicrocodePatchesBlobSize =3D 0; + + + if (TRUE =3D=3D mMicrocodeMeasured) { + DEBUG((DEBUG_INFO, "INFO: mMicrocodeMeasured =3D TRUE, Skip.\n")); + return; + } + + GuidHob =3D GetFirstGuidHob (&gEdkiiMicrocodePatchHobGuid); if (NULL=20 + =3D=3D GuidHob) { + DEBUG((DEBUG_ERROR, "ERROR: GetFirstGuidHob (&gEdkiiMicrocodePatchHobG= uid) failed.\n")); + return; + } + + MicrocodePatchHob =3D GET_GUID_HOB_DATA (GuidHob); DEBUG ((DEBUG_INFO,= =20 + "INFO: Got MicrocodePatchHob with microcode patches starting=20 + address:0x%x, microcode patches region size:0x%x, processor=20 + count:0x%x\n", MicrocodePatchHob->MicrocodePatchAddress,=20 + MicrocodePatchHob->MicrocodePatchRegionSize,=20 + MicrocodePatchHob->ProcessorCount)); + + // + // Extract all microcode patches to a list from MicrocodePatchHob // =20 + MicrocodePatchesList =3D AllocatePool (MicrocodePatchHob->ProcessorCount= =20 + * sizeof (MICROCODE_PATCH_TYPE)); if (NULL =3D=3D MicrocodePatchesList) = { + DEBUG ((DEBUG_ERROR, 
"ERROR: AllocatePool to MicrocodePatchesList Fail= ed!\n")); + return; + } + for (Index =3D 0; Index < MicrocodePatchHob->ProcessorCount; Index++) { + if (MAX_UINT64 =3D=3D MicrocodePatchHob->ProcessorSpecificPatchOffset[= Index]) { + // + // If no microcode patch was found in a slot, set the address of the= microcode patch + // in that slot to MAX_UINTN, and the size to 0, thus indicates no p= atch in that slot. + // + MicrocodePatchesList[Index].Address =3D MAX_UINTN; + MicrocodePatchesList[Index].Size =3D 0; + + DEBUG ((DEBUG_INFO, "INFO: Processor#%d: detected no microcode patch= \n", Index)); + } else { + MicrocodePatchesList[Index].Address =3D (UINTN)(MicrocodePatchHo= b->MicrocodePatchAddress + MicrocodePatchHob->ProcessorSpecificPatchOffset[= Index]); + MicrocodePatchesList[Index].Size =3D ((CPU_MICROCODE_HEADER*)= ((UINTN)(MicrocodePatchHob->MicrocodePatchAddress + MicrocodePatchHob->Proc= essorSpecificPatchOffset[Index])))->TotalSize; + SumOfAllPatchesSizeInMicrocodePatchHob +=3D=20 + MicrocodePatchesList[Index].Size; + + DEBUG ((DEBUG_INFO, "INFO: Processor#%d: Microcode patch address: 0x= %x, size: 0x%x\n", Index, MicrocodePatchesList[Index].Address, MicrocodePat= chesList[Index].Size)); + } + } + + // + // The order matters when packing all applied microcode patches to a sin= gle binary blob. + // Therefore it is a must to do sorting before packing. + // NOTE: We assumed that the order of address of every microcode=20 + patch in RAM is the same // with the order of those in the Microcode=20 + Firmware Volume. If any future updates made // this assumption untenable= , then there needs a new solution to measure microcode patches. 
+ // + PerformQuickSort ( + MicrocodePatchesList, + MicrocodePatchHob->ProcessorCount, + sizeof (MICROCODE_PATCH_TYPE), + MicrocodePatchesListSortFunction + ); + for (Index =3D 0; Index < MicrocodePatchHob->ProcessorCount; Index++) { + DEBUG ((DEBUG_INFO, "INFO: After sorting: Processor#%d: Microcode=20 + patch address: 0x%x, size: 0x%x\n", Index,=20 + MicrocodePatchesList[Index].Address,=20 + MicrocodePatchesList[Index].Size)); + } + + MicrocodePatchesBlob =3D AllocateZeroPool=20 + (SumOfAllPatchesSizeInMicrocodePatchHob); + if (NULL =3D=3D MicrocodePatchesBlob) { + DEBUG ((DEBUG_ERROR, "ERROR: AllocateZeroPool to MicrocodePatchesBlob = failed!\n")); + FreePool (MicrocodePatchesList); + return; + } + + // + // LastPackedMicrocodeAddress is used to skip duplicate microcode patch. + // + for (Index =3D 0; Index < MicrocodePatchHob->ProcessorCount; Index++) { + if (MicrocodePatchesList[Index].Address !=3D LastPackedMicrocodeAddres= s && + MicrocodePatchesList[Index].Address !=3D MAX_UINTN) { + + CopyMem ( + (VOID *)(MicrocodePatchesBlob + MicrocodePatchesBlobSize), + (VOID *)(MicrocodePatchesList[Index].Address), + (UINTN)(MicrocodePatchesList[Index].Size) + ); + MicrocodePatchesBlobSize +=3D MicrocodePatchesList[= Index].Size; + LastPackedMicrocodeAddress =3D MicrocodePatchesList[I= ndex].Address; + EventLog.NumberOfMicrocodePatchesMeasured +=3D 1; + EventLog.SizeOfMicrocodePatchesMeasured +=3D MicrocodePatchesList[= Index].Size; + + } + } + + if (0 =3D=3D MicrocodePatchesBlobSize) { + DEBUG ((DEBUG_INFO, "INFO: No microcode patch was ever applied!")); + FreePool (MicrocodePatchesList); + FreePool (MicrocodePatchesBlob); + return; + } + + Status =3D TpmMeasureAndLogData ( + PCRIndex, // PCRIndex + EventType, // EventType + &EventLog, // EventLog + EventLogSize, // LogLen + MicrocodePatchesBlob, // HashData + MicrocodePatchesBlobSize // HashDataLen + ); + if (!EFI_ERROR (Status)) { + mMicrocodeMeasured =3D TRUE; + gBS->CloseEvent (Event); + } else { + FreePool 
(MicrocodePatchesList); + FreePool (MicrocodePatchesBlob); + DEBUG ((DEBUG_ERROR, "ERROR: TpmMeasureAndLogData failed with=20 + %a!\n", Status)); } + + return; +} + +/** + + Driver to produce microcode measurement. + + @param ImageHandle Module's image handle + @param SystemTable Pointer of EFI_SYSTEM_TABLE + + @return EFI_SUCCESS This function always complete successfully. + +**/ +EFI_STATUS +EFIAPI +MicrocodeMeasurementDriverEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_EVENT Event; + + // + // Measure Microcode patches + // + EfiCreateEventReadyToBootEx ( + TPL_CALLBACK, + MeasureMicrocodePatches, + NULL, + &Event + ); + + return EFI_SUCCESS; +} diff --git a/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.inf= b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.inf new file mode 100644 index 000000000000..4b03339b431b --- /dev/null +++ b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.inf @@ -0,0 +1,58 @@ +## @file +# This driver measures microcode patches to TPM. +# +# This driver consumes gEdkiiMicrocodePatchHobGuid, packs all unique # =20 +microcode patch found in gEdkiiMicrocodePatchHobGuid to a binary blob,=20 +# and measures the binary blob to TPM. +# +# Copyright (c) 2021, Intel Corporation. All rights reserved.
# # =20 +SPDX-License-Identifier: BSD-2-Clause-Patent # ## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D MicrocodeMeasurementDxe + MODULE_UNI_FILE =3D MicrocodeMeasurementDxe.uni + FILE_GUID =3D 0A32A803-ACDF-4C89-8293-91011548CD91 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + ENTRY_POINT =3D MicrocodeMeasurementDriverEntryPoint + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 EBC ARM AARCH64 +# + +[Sources] + MicrocodeMeasurementDxe.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + UefiCpuPkg/UefiCpuPkg.dec + +[LibraryClasses] + UefiBootServicesTableLib + MemoryAllocationLib + BaseMemoryLib + BaseLib + UefiLib + UefiDriverEntryPoint + DebugLib + PrintLib + SortLib + HobLib + MicrocodeLib + TpmMeasurementLib + +[Guids] + gEdkiiMicrocodePatchHobGuid ## CONSUMES ## HOB + +[UserExtensions.TianoCore."ExtraFiles"] + MicrocodeMeasurementDxeExtra.uni + +[Depex] + TRUE diff --git a/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.uni= b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.uni new file mode 100644 index 000000000000..5a21e955fbbf --- /dev/null +++ b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.uni @@ -0,0 +1,15 @@ +// /** @file +// This driver measures microcode patches to TPM. +// +// This driver consumes gEdkiiMicrocodePatchHobGuid, packs all uniquemicro= code patch found in gEdkiiMicrocodePatchHobGuid to a binary blob, and measu= res the binary blob to TPM. +// +// Copyright (c) 2021, Intel Corporation. All rights reserved.
//=20 +// SPDX-License-Identifier: BSD-2-Clause-Patent // // **/ + + +#string STR_MODULE_ABSTRACT #language en-US "This driver measu= res Microcode Patches to TPM." + +#string STR_MODULE_DESCRIPTION #language en-US "This driver consu= mes gEdkiiMicrocodePatchHobGuid, packs all microcode patch found in gEdkiiM= icrocodePatchHobGuid to a binary blob, and measure the binary blob to TPM." diff --git a/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxeExtr= a.uni b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxeExtra.uni new file mode 100644 index 000000000000..6990cee8c6fd --- /dev/null +++ b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxeExtra.uni @@ -0,0 +1,12 @@ +// /** @file +// MicrocodeMeasurementDxe Localized Strings and Content +// +// Copyright (c) 2021, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + +#string STR_PROPERTIES_MODULE_NAME +#language en-US +"Microcode Patches Measurement DXE Driver" diff --git a/UefiCpuPkg/UefiCpuPkg.dsc b/UefiCpuPkg/UefiCpuPkg.dsc index 870b45284087..06d55f780a9c 100644 --- a/UefiCpuPkg/UefiCpuPkg.dsc +++ b/UefiCpuPkg/UefiCpuPkg.dsc @@ -61,6 +61,7 @@ TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf MicrocodeLib|UefiCpuPkg/Library/MicrocodeLib/MicrocodeLib.inf + SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf =20 [LibraryClasses.common.SEC] PlatformSecLib|UefiCpuPkg/Library/PlatformSecLibNull/PlatformSecLibNull.= inf @@ -119,6 +120,7 @@ UefiCpuPkg/Library/CpuTimerLib/BaseCpuTimerLib.inf UefiCpuPkg/Library/CpuCacheInfoLib/PeiCpuCacheInfoLib.inf UefiCpuPkg/Library/CpuCacheInfoLib/DxeCpuCacheInfoLib.inf + UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.inf =20 [Components.IA32, Components.X64] UefiCpuPkg/CpuDxe/CpuDxe.inf --=20 2.31.1.windows.1
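Review bot: in the MicrocodeMeasurementDxe.c hunk, `MicrocodePatchesListSortFunction` contradicts its own doc comment and is not safe with the `MAX_UINTN` sentinel. It returns `MicrocodePatch2->Address - MicrocodePatch1->Address`, so a negative result means patch 1 sits at the higher address (the `@return <0` line promises the opposite) and the list comes out in descending address order, the reverse of the order the NOTE above `PerformQuickSort` says the blob must follow. Worse, the `UINTN` difference is narrowed to `INTN`: when one side is `MAX_UINTN` (the value assigned to "no patch" slots a few lines earlier) the subtraction wraps and the sign no longer reflects the ordering, so the sorted order, and with it the PCR[1] digest, is not well defined. Suggest an explicit three-way compare, e.g. `return (P1->Address > P2->Address) - (P1->Address < P2->Address);` after the two casts. Three smaller points in the same hunk: on success neither `MicrocodePatchesList` nor `MicrocodePatchesBlob` is freed (only the failure path frees them); on failure `gBS->CloseEvent` is not called, so the callback runs again at the next ReadyToBoot and allocates a second blob; and `DEBUG ((DEBUG_ERROR, "ERROR: TpmMeasureAndLogData failed with %a!\n", Status))` formats an `EFI_STATUS` with `%a`, which treats the status value as an ASCII string pointer; use `%r`. Finally, the size is read straight from `TotalSize`; in the Intel microcode header a `TotalSize` of 0 denotes the legacy 2048-byte patch, so such a patch would be measured as zero bytes. `MicrocodeLib`, already linked by the INF, is the natural place for a length helper that handles this case.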
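Review bot: in the MicrocodeMeasurementDxe.inf hunk, `MicrocodeLib` is listed under `[LibraryClasses]` but nothing in the .c hunk calls it (the patch size is taken directly from `CPU_MICROCODE_HEADER.TotalSize`); either drop the entry or use the library to derive the patch length so the two files agree. The `# VALID_ARCHITECTURES = IA32 X64 EBC ARM AARCH64` comment also overstates portability: the driver consumes `gEdkiiMicrocodePatchHobGuid` and parses the Intel x86 `CPU_MICROCODE_HEADER`, so IA32 and X64 are the only meaningful targets.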
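Review bot: typo in the MicrocodeMeasurementDxe.uni hunk: `packs all uniquemicrocode patch found` is missing a space and should read `packs all unique microcode patches found`. The `STR_MODULE_DESCRIPTION` string a few lines below drops the word `unique` and says `measure` where the header comment says `measures`, so the header comment, the INF comment and the string describe the same module three different ways; pick one wording and use it in all three places.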
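Review bot: in the UefiCpuPkg.dsc hunk, the new `UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.inf` entry lands in the section preceding `[Components.IA32, Components.X64]`, so the package build will compile it for every architecture the dsc covers even though the driver parses the Intel `CPU_MICROCODE_HEADER` and consumes an x86-produced HOB; move it under `[Components.IA32, Components.X64]` next to `UefiCpuPkg/CpuDxe/CpuDxe.inf`. The `SortLib|MdeModulePkg/Library/UefiSortLib/UefiSortLib.inf` addition in `[LibraryClasses]` is needed by the new driver and looks right.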
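The trade-off in the reply above (a sorted, de-duplicated per-processor blob versus hashing the whole region the HOB points at) modelled in C. This is an added example, not code from the patch or from edk2: `MicrocodeHob`, `PatchEntry`, `measure_unique_patches`, `measure_whole_region` and the 4-byte size-prefixed patch layout are constructed stand-ins for `EDKII_MICROCODE_PATCH_HOB` and `CPU_MICROCODE_HEADER`, and a 64-bit FNV-1a digest stands in for the SHA-256 a TPM would extend. It shows that the per-processor approach produces the same digest whatever order the processors list their patches in and ignores patches in the region that no processor applied, whereas the whole-region approach needs no sort or copy but measures every byte of the region, applied or not.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NO_PATCH UINT64_MAX              /* HOB sentinel: this processor received no patch */
#define FNV_INIT 0xcbf29ce484222325ULL

/* Simplified stand-in for EDKII_MICROCODE_PATCH_HOB (assumption, not the edk2 layout). */
typedef struct {
    const uint8_t  *RegionBase;          /* MicrocodePatchAddress */
    size_t          RegionSize;          /* MicrocodePatchRegionSize */
    size_t          ProcessorCount;
    const uint64_t *PatchOffset;         /* ProcessorSpecificPatchOffset[] */
} MicrocodeHob;

typedef struct { uintptr_t Address; size_t Size; } PatchEntry;

/* Toy streaming FNV-1a digest; stands in for the SHA-256 a TPM would extend. */
static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Constructed patch layout: the first 4 bytes hold the total patch size. */
static size_t patch_size(const uint8_t *patch) {
    uint32_t sz; memcpy(&sz, patch, sizeof sz); return sz;
}

/* Three-way compare on address. Subtracting two uintptr_t values wraps when one
 * entry is the UINTPTR_MAX "no patch" sentinel, so compare explicitly instead. */
static int cmp_entry(const void *a, const void *b) {
    uintptr_t x = ((const PatchEntry *)a)->Address;
    uintptr_t y = ((const PatchEntry *)b)->Address;
    return (x > y) - (x < y);
}

/* Approach 1: per-processor patch list, sorted by address, "no patch" slots and
 * duplicates skipped, unique patches digested in address order. Streaming the
 * digest gives the same result as hashing the concatenated blob. */
uint64_t measure_unique_patches(const MicrocodeHob *hob, size_t *measured) {
    PatchEntry *list = calloc(hob->ProcessorCount, sizeof *list);
    if (list == NULL) return 0;
    for (size_t i = 0; i < hob->ProcessorCount; i++) {
        if (hob->PatchOffset[i] == NO_PATCH) {
            list[i].Address = UINTPTR_MAX; list[i].Size = 0;
        } else {
            const uint8_t *p = hob->RegionBase + hob->PatchOffset[i];
            list[i].Address = (uintptr_t)p; list[i].Size = patch_size(p);
        }
    }
    qsort(list, hob->ProcessorCount, sizeof *list, cmp_entry);
    uint64_t h = FNV_INIT; uintptr_t last = 0; size_t n = 0;   /* no patch lives at address 0 */
    for (size_t i = 0; i < hob->ProcessorCount; i++) {
        if (list[i].Address == UINTPTR_MAX || list[i].Address == last) continue;
        h = fnv1a(h, (const uint8_t *)list[i].Address, list[i].Size);
        last = list[i].Address; n++;
    }
    free(list);
    if (measured) *measured = n;
    return h;
}

/* Approach 2: digest the whole region the HOB points at; no sort, no copy. */
uint64_t measure_whole_region(const MicrocodeHob *hob) {
    return fnv1a(FNV_INIT, hob->RegionBase, hob->RegionSize);
}

/* Constructed region: patch A (16 bytes) at 0, patch B (24 bytes) at 16, and
 * patch C (16 bytes) at 40 that no processor applied (e.g. for another stepping). */
#define REGION_SIZE 56
static uint8_t region[REGION_SIZE];
static void build_region(uint8_t fill_c) {
    uint32_t sz;
    memset(region, 0, sizeof region);
    sz = 16; memcpy(region,      &sz, 4); memset(region + 4,  0xA1, 12);
    sz = 24; memcpy(region + 16, &sz, 4); memset(region + 20, 0xB2, 20);
    sz = 16; memcpy(region + 40, &sz, 4); memset(region + 44, fill_c, 12);
}

/* Four logical processors: two share A, one has B, one has none. The two HOBs
 * list them in different orders. Returns 1 when approach 1 is order-independent
 * and unaffected by patch C, while approach 2 changes with patch C's contents. */
int demo(void) {
    uint64_t offs_a[4] = { 0, 16, 0, NO_PATCH };
    uint64_t offs_b[4] = { NO_PATCH, 0, 16, 0 };
    MicrocodeHob a = { region, REGION_SIZE, 4, offs_a };
    MicrocodeHob b = { region, REGION_SIZE, 4, offs_b };
    size_t na, nb;

    build_region(0xC3);
    uint64_t da = measure_unique_patches(&a, &na);
    uint64_t db = measure_unique_patches(&b, &nb);
    uint64_t ra = measure_whole_region(&a);

    build_region(0xC4);                  /* only the unapplied patch C changes */
    uint64_t da2 = measure_unique_patches(&a, NULL);
    uint64_t ra2 = measure_whole_region(&a);

    printf("unique-patch digest %016llx over %zu patches, order-independent: %s\n",
           (unsigned long long)da, na, da == db ? "yes" : "no");
    printf("changed when unapplied patch C changed: whole-region %s, unique-patch %s\n",
           ra != ra2 ? "yes" : "no", da != da2 ? "yes" : "no");
    return da == db && na == 2 && nb == 2 && da == da2 && ra != ra2;
}

int main(void) { return demo() ? 0 : 1; }
```

Build with `cc -std=c11 -Wall example.c && ./a.out`. The comparator uses a three-way compare rather than subtracting addresses because a subtraction involving the `UINTPTR_MAX` sentinel wraps; that is what keeps the sort, and therefore the digest, deterministic when some processors have no patch. The whole-region digest is cheaper, but whoever verifies PCR[1] then has to accept that it covers unapplied patches and any slack bytes in the region as well.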