From: "Min Xu" <min.m.xu@intel.com>
To: devel@edk2.groups.io, kraxel@redhat.com, Sami Mujawar
CC: "Kinney, Michael D", Liming Gao, "Liu, Zhiguang", "Yao, Jiewen", "Wang, Jian J", nd
Subject: Re: [edk2-devel] [PATCH V4 3/3] SecurityPkg: Support CcMeasurementProtocol in DxeTpmMeasurementLib
Date: Thu, 4 Nov 2021 13:49:04 +0000
References: <44a80d4605e02dcf5fed85c5669aedbff3a283a1.1635818903.git.min.m.xu@intel.com> <3f1ba671-cb5f-7849-9439-9af6326de84a@arm.com> <20211104082041.dlkl52izdlo7c4uh@sirius.home.kraxel.org>
On November 4, 2021 9:35 PM, Xu Min wrote:
> On November 4, 2021 4:21 PM, Gerd Hoffmann wrote:
> >   Hi,
> >
> > > [SAMI] Apologies, I missed this in my previous review. I think the
> > > behaviour if both the TCG2 and CC measurement protocols are
> > > installed would be inconsistent between DxeTpmMeasurementLib and
> > > DxeTpm2MeasureBootLib. The main difference being in the latter, the
> > > TCG2 protocol takes precedence for extending the measurement.
> >
> > Yes, we should have consistent behavior in both cases.
> In DxeTpmMeasurementLib, Cc measurement protocol is used as the first try. If
> it fails, then it tries to measure with TCG2 / TCG protocol in turn.
> In DxeTpm2MeasureBootLib, TCG2 protocol is used as the first try. If it fails,
> CC measurement protocol is tried in turn.
> Yes, this is inconsistent. I will update DxeTpm2MeasureBootLib to try Cc
> measurement protocol first, then try TCG2 protocol if Cc measurement protocol
> fails. In this way, only one protocol will be called to do the measurement. But
> TCG2 protocol is the first try, CC measurement protocol is the second try.
>
> > > I think it would be good to modify DxeTpm2MeasureBootLib so that the
> > > CC measurement protocol is used if both protocols are installed.
> > > What do you think?
> >
> > Does it make sense to use both protocols?
> Agree with Gerd. I don't think we should use both protocols to do the
> measurement.
> My suggestion is that, first try CC protocol, if it fails, then try TCG2 protocol. Just
> as I explained above.

Another option would be that:

In DxeTpmMeasurementLib the pseudo would look like:

  if (CC Protocol is installed) {
    Status = CcMeasureAndLogData (...);
  } else {
    // below is the original code
    Status = Tpm20MeasureAndLogData (...);
    if (EFI_ERROR (Status)) {
      Status = Tpm12MeasureAndLogData (...);
    }
  }

In DxeTpm2MeasureBootLib, the pseudo would look like:

  if (CC Protocol is installed) {
    Status = DoCcMeasureBoot (...);
  } else if (TCG2 protocol is installed) {
    Status = DoTcg2MeasureBoot (...);
  }

Sami & Gerd
What's your thought?

Thanks
Min
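The two policies under discussion, side by side as an added example that is not edk2 code and not part of this thread: "first try, on failure try the next" (what the message describes as the current DxeTpmMeasurementLib order) versus "select on presence" (Min's "another option"). The EFI_STATUS stand-ins, the MockProtocol type and the two constructed sample platforms are assumptions made for this example; in the real libraries the protocols are located with gBS->LocateProtocol and the calls go to the CcMeasurement, TCG2 and TCG protocol instances. The model makes the practical difference visible: with the fall-through policy a failing CC protocol lets a second protocol measure the same data, while the presence-based policy guarantees exactly one protocol is asked and reports its error instead of masking it.

```c
/*
 * Added example, not edk2 or mailing-list code: a stand-alone model of the two
 * dispatch policies discussed in the thread.  EFI_STATUS stand-ins, MockProtocol
 * and the sample platforms are assumptions made for this example only.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t EFI_STATUS;                 /* stand-in for edk2's EFI_STATUS */
#define MAX_BIT           (1ULL << 63)
#define EFI_SUCCESS       0ULL
#define EFI_DEVICE_ERROR  (MAX_BIT | 7)      /* edk2 error codes set the top bit */
#define EFI_NOT_FOUND     (MAX_BIT | 14)
#define EFI_ERROR(Status) (((int64_t)(Status)) < 0)

/* One measurement protocol as the library sees it: present or not, what its
 * MeasureAndLogData-style call returns, and how often it was actually used. */
typedef struct {
  bool       Installed;
  EFI_STATUS Result;
  int        Calls;
} MockProtocol;

/* CcMeasurement, TCG2 (TPM 2.0) and TCG (TPM 1.2) protocols on one platform. */
typedef struct {
  MockProtocol Cc;
  MockProtocol Tcg2;
  MockProtocol Tcg;
} Platform;

static EFI_STATUS Measure(MockProtocol *Proto) {
  if (!Proto->Installed) {
    return EFI_NOT_FOUND;                    /* what a failed LocateProtocol yields */
  }
  Proto->Calls++;
  return Proto->Result;
}

/* Policy A, "first try / if it fails try the next": a CC failure lets TCG2, and
 * then TCG 1.2, measure the same data, so more than one log may receive it. */
EFI_STATUS MeasureByFallthrough(Platform *Pf) {
  EFI_STATUS Status = Measure(&Pf->Cc);
  if (EFI_ERROR(Status)) {
    Status = Measure(&Pf->Tcg2);
  }
  if (EFI_ERROR(Status)) {
    Status = Measure(&Pf->Tcg);
  }
  return Status;
}

/* Policy B, the "another option" in the message: select on presence, not on
 * result.  When the CC protocol is installed it is the only one asked and its
 * error is returned unchanged; the TPM 2.0 -> TPM 1.2 fallback is kept otherwise. */
EFI_STATUS MeasureBySelection(Platform *Pf) {
  if (Pf->Cc.Installed) {
    return Measure(&Pf->Cc);
  }
  EFI_STATUS Status = Measure(&Pf->Tcg2);
  if (EFI_ERROR(Status)) {
    Status = Measure(&Pf->Tcg);
  }
  return Status;
}

/* Runs a policy on a copy of the platform; returns how many protocols measured. */
int CountMeasurements(EFI_STATUS (*Policy)(Platform *), Platform Pf) {
  Policy(&Pf);
  return Pf.Cc.Calls + Pf.Tcg2.Calls + Pf.Tcg.Calls;
}

/* Runs a policy on a copy of the platform; returns the status the library would see. */
EFI_STATUS FinalStatus(EFI_STATUS (*Policy)(Platform *), Platform Pf) {
  return Policy(&Pf);
}

/* Constructed sample: CC protocol present but failing, TCG2 present and healthy. */
Platform CcFailsTcg2Healthy(void) {
  Platform Pf = {
    .Cc   = { true,  EFI_DEVICE_ERROR, 0 },
    .Tcg2 = { true,  EFI_SUCCESS,      0 },
    .Tcg  = { false, EFI_SUCCESS,      0 },
  };
  return Pf;
}

/* Constructed sample: legacy platform exposing only the TCG (TPM 1.2) protocol. */
Platform Tpm12Only(void) {
  Platform Pf = {
    .Cc   = { false, EFI_SUCCESS, 0 },
    .Tcg2 = { false, EFI_SUCCESS, 0 },
    .Tcg  = { true,  EFI_SUCCESS, 0 },
  };
  return Pf;
}

int main(void) {
  Platform Pf = CcFailsTcg2Healthy();
  printf("fallthrough: %d protocol(s) measured, %s\n",
         CountMeasurements(MeasureByFallthrough, Pf),
         EFI_ERROR(FinalStatus(MeasureByFallthrough, Pf)) ? "error" : "success");
  printf("selection:   %d protocol(s) measured, %s\n",
         CountMeasurements(MeasureBySelection, Pf),
         EFI_ERROR(FinalStatus(MeasureBySelection, Pf)) ? "error" : "success");
  return 0;
}
```

On the CC-fails-but-TCG2-healthy platform the fall-through policy ends in EFI_SUCCESS after two protocols have been asked, whereas the selection policy asks only the CC protocol and surfaces its EFI_DEVICE_ERROR; on a TPM 1.2-only platform both policies end up with a single TCG measurement, which is the "original code" path the message keeps.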