From: "Min Xu"
To: "devel@edk2.groups.io", "kraxel@redhat.com", Sami Mujawar
CC: "Kinney, Michael D", Liming Gao, "Liu, Zhiguang", "Yao, Jiewen", "Wang, Jian J", nd
Subject: Re: [edk2-devel] [PATCH V4 3/3] SecurityPkg: Support CcMeasurementProtocol in DxeTpmMeasurementLib
Date: Thu, 4 Nov 2021 13:35:26 +0000
In-Reply-To: <20211104082041.dlkl52izdlo7c4uh@sirius.home.kraxel.org>

On November 4, 2021 4:21 PM, Gerd Hoffmann wrote:
> Hi,
>
> > [SAMI] Apologies, I missed this in my previous review. I think the
> > behaviour if both the TCG2 and CC measurement protocols are installed
> > would be inconsistent between DxeTpmMeasurementLib and
> > DxeTpm2MeasureBootLib. The main difference being in the latter, the
> > TCG2 protocol takes precedence for extending the measurement.
>
> Yes, we should have consistent behavior in both cases.

In DxeTpmMeasurementLib, Cc measurement protocol is used as the first try. If it fails, then it tries to measure with TCG2 / TCG protocol in turn.
In DxeTpm2MeasureBootLib, TCG2 protocol is used as the first try. If it fails, CC measurement protocol is tried in turn.

Yes, this is inconsistent. I will update DxeTpm2MeasureBootLib to try Cc measurement protocol first, then try TCG2 protocol if Cc measurement protocol fails. In this way, only one protocol will be called to do the measurement. But TCG2 protocol is the first try, CC measurement protocol is the second try.

> > I think it would be good to modify DxeTpm2MeasureBootLib so that the
> > CC measurement protocol is used if both protocols are installed. What
> > do you think?
>
> Does it make sense to use both protocols?

Agree with Gerd. I don't think we should use both protocols to do the measurement.
My suggestion is that, first try CC protocol, if it fails, then try TCG2 protocol. Just as I explained above.

Sami, what's your thought?

Thanks
Min
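
The precedence orders discussed in this message, modelled as an added example (not part of the original mail and not EDK2 code). All type and function names are hypothetical, and an attempt is assumed to "fail" when its protocol is not installed. With both protocols present, the two libraries pick different protocols until DxeTpm2MeasureBootLib is switched to CC-first.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model (not EDK2 code): which measurement protocols are installed. */
typedef struct { bool cc, tcg2, tcg; } platform_t;
typedef enum { USED_NONE, USED_CC, USED_TCG2, USED_TCG } used_t;
typedef struct { int cc, tcg2, tcg; } extends_t;   /* successful measurements per protocol */

/* Assumption: an attempt "fails" when its protocol is not installed. */
static bool measure_cc(const platform_t *p, extends_t *e)   { if (!p->cc)   return false; e->cc++;   return true; }
static bool measure_tcg2(const platform_t *p, extends_t *e) { if (!p->tcg2) return false; e->tcg2++; return true; }
static bool measure_tcg(const platform_t *p, extends_t *e)  { if (!p->tcg)  return false; e->tcg++;  return true; }

/* Order the thread describes for DxeTpmMeasurementLib: CC, then TCG2, then TCG. */
used_t measurement_lib(const platform_t *p, extends_t *e) {
    if (measure_cc(p, e))   return USED_CC;
    if (measure_tcg2(p, e)) return USED_TCG2;
    if (measure_tcg(p, e))  return USED_TCG;
    return USED_NONE;
}

/* Order the thread describes for DxeTpm2MeasureBootLib in V4: TCG2, then CC. */
used_t measure_boot_lib_current(const platform_t *p, extends_t *e) {
    if (measure_tcg2(p, e)) return USED_TCG2;
    if (measure_cc(p, e))   return USED_CC;
    return USED_NONE;
}

/* Order proposed in the reply: CC first, TCG2 only if CC fails. */
used_t measure_boot_lib_proposed(const platform_t *p, extends_t *e) {
    if (measure_cc(p, e))   return USED_CC;
    if (measure_tcg2(p, e)) return USED_TCG2;
    return USED_NONE;
}

int total_extends(const extends_t *e) { return e->cc + e->tcg2 + e->tcg; }

int main(void) {
    static const char *name[] = { "none", "CC", "TCG2", "TCG" };
    platform_t both = { true, true, false };   /* constructed case: CC and TCG2 both installed */
    extends_t e = { 0, 0, 0 };
    printf("DxeTpmMeasurementLib             -> %s\n", name[measurement_lib(&both, &e)]);
    printf("DxeTpm2MeasureBootLib (current)  -> %s\n", name[measure_boot_lib_current(&both, &e)]);
    printf("DxeTpm2MeasureBootLib (proposed) -> %s\n", name[measure_boot_lib_proposed(&both, &e)]);
    return 0;
}
```

Each call records exactly one successful measurement, which is the "only one protocol will be called" property the reply asks for.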