From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.43, mailfrom: jian.j.wang@intel.com)
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 by groups.io with SMTP; Thu, 13 Jun 2019 17:29:51 -0700
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58])
  by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Jun 2019 17:29:51 -0700
X-ExtLoop1: 1
Received: from fmsmsx107.amr.corp.intel.com ([10.18.124.205])
  by orsmga007.jf.intel.com with ESMTP; 13 Jun 2019 17:29:50 -0700
Received: from shsmsx153.ccr.corp.intel.com (10.239.6.53) by
 fmsmsx107.amr.corp.intel.com (10.18.124.205) with Microsoft SMTP Server (TLS)
 id 14.3.408.0; Thu, 13 Jun 2019 17:29:50 -0700
Received: from shsmsx107.ccr.corp.intel.com ([169.254.9.173]) by
 SHSMSX153.ccr.corp.intel.com ([169.254.12.76]) with mapi id 14.03.0439.000;
 Fri, 14 Jun 2019 08:29:48 +0800
From: "Wang, Jian J" <jian.j.wang@intel.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>, "devel@edk2.groups.io"
	<devel@edk2.groups.io>
CC: "Zhang, Chao B" <chao.b.zhang@intel.com>, "Hernandez Beltran, Jorge"
	<jorge.hernandez.beltran@intel.com>, "Han, Harry" <harry.han@intel.com>
Subject: Re: [PATCH v2 0/3] Common OBB verification feature
Thread-Topic: [PATCH v2 0/3] Common OBB verification feature
Thread-Index: AQHVH7tRqAHf081dTEaGJSkKZj+XXKaXZMmQgALMMgA=
Date: Fri, 14 Jun 2019 00:29:47 +0000
Message-ID: <D827630B58408649ACB04F44C51000362592620C@SHSMSX107.ccr.corp.intel.com>
References: <20190610183536.5628-1-jian.j.wang@intel.com>
 <74D8A39837DF1E4DA445A8C0B3885C503F6AB00F@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503F6AB00F@shsmsx102.ccr.corp.intel.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiMzAwODMyZDQtZDU0Yy00YzdkLTlkMzUtNzgxZWE4NTAxMmFlIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiTUF1UXNtaG92amdHNVVybFBJQTFiSGJ1V0FMSXNJYjcxRHlQVkRiUlVzNENnOHk5S0NCSmlybzJiaDVGTU41RyJ9
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.0.600.7
dlp-reaction: no-action
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Return-Path: jian.j.wang@intel.com
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Jiewen,

> -----Original Message-----
> From: Yao, Jiewen
> Sent: Wednesday, June 12, 2019 12:49 PM
> To: Wang, Jian J <jian.j.wang@intel.com>; devel@edk2.groups.io
> Cc: Zhang, Chao B <chao.b.zhang@intel.com>; Hernandez Beltran, Jorge
> <jorge.hernandez.beltran@intel.com>; Han, Harry <harry.han@intel.com>
> Subject: RE: [PATCH v2 0/3] Common OBB verification feature
>=20
> Thanks Jian. Some comment below:
>=20
> 0) Please add what unit test has been done.
>=20
> 1) Can we use UINT64 for Base and Length?
> typedef struct _HASHED_FV_INFO {
>   UINT32                  Base;
>   UINT32                  Length;
>   UINT64                  Flag;
> } HASHED_FV_INFO;
>=20

Yes, we can. But is it necessary? Isn't the flash address always below 4G?

> 2) Can we remove the hard code HASHED_FV_MAX_NUMBER and use more
> flexible way?
> #define HASHED_FV_MAX_NUMBER                  10
> struct _EDKII_PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_PPI {
>   UINTN                   FvNumber;
>   HASHED_FV_INFO          FvInfo[HASHED_FV_MAX_NUMBER];
>   UINTN                   HashNumber;
>   FV_HASH_INFO            HashInfo[1];
> };
>=20

Yes. I thought we need more than one hash value here. I went through the wh=
ole
logic here. Maybe one hash value is enough (no need to pass the hash value =
not
meant for current boot mode). So we can put the FvInfo at the end of struct=
ure
and remove the hard-coded fv number.

> 3) can we use better way to organize the table? It is weird to have so ma=
ny zero.
> Why not just use TPM_ALG_xxx as the first field and search?
> STATIC CONST HASH_ALG_INFO mHashAlgInfo[] =3D {
>   {0, NULL, NULL, NULL, NULL},                    // 0000 TPM_ALG_ERROR
>   {0, NULL, NULL, NULL, NULL},                    // 0001 TPM_ALG_FIRST
>   {0, NULL, NULL, NULL, NULL},                    // 0002
>   {0, NULL, NULL, NULL, NULL},                    // 0003
>   {0, NULL, NULL, NULL, NULL},                    // 0004 TPM_ALG_SHA1
>   {0, NULL, NULL, NULL, NULL},                    // 0005
>   {0, NULL, NULL, NULL, NULL},                    // 0006 TPM_ALG_AES
>   {0, NULL, NULL, NULL, NULL},                    // 0007
>   {0, NULL, NULL, NULL, NULL},                    // 0008 TPM_ALG_KEYEDHA=
SH
>   {0, NULL, NULL, NULL, NULL},                    // 0009
>   {0, NULL, NULL, NULL, NULL},                    // 000A
>   {SHA256_DIGEST_SIZE, Sha256Init, Sha256Update, Sha256Final,
> Sha256HashAll}, // 000B TPM_ALG_SHA256
>   {SHA384_DIGEST_SIZE, Sha384Init, Sha384Update, Sha384Final,
> Sha384HashAll}, // 000C TPM_ALG_SHA384
>   {SHA512_DIGEST_SIZE, Sha512Init, Sha512Update, Sha512Final,
> Sha512HashAll}, // 000D TPM_ALG_SHA512
>   {0, NULL, NULL, NULL, NULL},                    // 000E
>   {0, NULL, NULL, NULL, NULL},                    // 000F
>   {0, NULL, NULL, NULL, NULL},                    // 0010 TPM_ALG_NULL
> //{0, NULL, NULL, NULL, NULL},                    // 0011
> //{0, NULL, NULL, NULL, NULL},                    // 0012 TPM_ALG_SM3_256
> };
>=20

I prefer the code directly index the algorithm info/methods as array. It
makes code quite simpler.

> 4) Why not just add one bit say: skip in S3 ? Why need such complexity?
> #define HASHED_FV_FLAG_SKIP_BOOT_MODE(Mode)   LShiftU64 (0x100,
> (Mode))
> #define FV_HASH_FLAG_BOOT_MODE(Mode)          LShiftU64 (1, (Mode))
>=20
> I am not sure how that works. Is boot mode bit start from BIT0 or BIT8 ? =
I am
> confused.
>=20
>     if ((StoredHashFvPpi->HashInfo[HashIndex].HashFlag
>          & FV_HASH_FLAG_BOOT_MODE (BootMode)) !=3D 0) {
>       HashInfo =3D &StoredHashFvPpi->HashInfo[HashIndex];
>       break;
>     }
>=20

Boot mode is just a const number less than 64. So 64 bits can hold all diff=
erent
boot mode. Using this way is just to keep the flexibility to avoid code cha=
nge if
we want to support more boot modes besides S3. But if there's never such
possibility at all, you're right that one bit is enough.

> 5) Why the producer want skip both verified boot and measured boot? Is th=
at
> legal or illegal? If it is illegal, I prefer use ASSER() to tell people.
>     if ((FvInfo[FvIndex].Flag & HASHED_FV_FLAG_VERIFIED_BOOT) =3D=3D 0 &&
>         (FvInfo[FvIndex].Flag & HASHED_FV_FLAG_MEASURED_BOOT) =3D=3D 0) {
>       continue;
>     }

Suppose there's a use case, most likely for developers, which need to disab=
le
security feature temporarily. The BIOS still need to boot. The developers d=
on't
need to remove this driver in order to do it. I think it's legacl.

>=20
> 6) I recommend to add one debug message to tell people this is skipped.
>     //
>     // Skip any FV not meant for current boot mode.
>     //
>     if ((FvInfo[FvIndex].Flag & HASHED_FV_FLAG_SKIP_BOOT_MODE
> (BootMode)) !=3D 0) {
>       continue;
>     }
>=20

Right. I'll add one.

> 7) Would you please clarify why and when a platform need report multiple
> StartedHashFv ?
>   do {
>     Status =3D PeiServicesLocatePpi (
>                &gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid,
>                Instance,
>                NULL,
>                (VOID**)&StoredHashFvPpi
>                );
>     if (!EFI_ERROR(Status) && StoredHashFvPpi !=3D NULL && StoredHashFvPp=
i-
> >FvNumber > 0) {
>=20
> It will be better, if you can those description in StoredHashFvPpi.h file
>=20

I don't know if there's such necessity. It's just trying to keep a certain =
of flexibility.

> 8) Same code above, would you please clarify if it is legal or illegal th=
at
> StoredHashFvPpi->FvNumber =3D=3D 0 ?
> If it is illegal, I prefer use ASSERT()
>=20

Let's call it illegal in case of skipping.

Regards,
Jian

> Thank you
> Yao Jiewen
>=20
>=20
> > -----Original Message-----
> > From: Wang, Jian J
> > Sent: Tuesday, June 11, 2019 2:36 AM
> > To: devel@edk2.groups.io
> > Cc: Zhang, Chao B <chao.b.zhang@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Hernandez Beltran, Jorge
> > <jorge.hernandez.beltran@intel.com>; Han, Harry <harry.han@intel.com>
> > Subject: [PATCH v2 0/3] Common OBB verification feature
> >
> > >V2: fix parameter description error found by ECC
> >
> > https://bugzilla.tianocore.org/show_bug.cgi?id=3D1617
> >
> > Cc: Chao Zhang <chao.b.zhang@intel.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: "Hernandez Beltran, Jorge" <jorge.hernandez.beltran@intel.com>
> > Cc: Harry Han <harry.han@intel.com>
> >
> > Jian J Wang (3):
> >   SecurityPkg: add definitions for OBB verification
> >   SecurityPkg/FvReportPei: implement a common FV verifier and reporter
> >   SecurityPkg: add FvReportPei.inf in dsc for build validation
> >
> >  SecurityPkg/FvReportPei/FvReportPei.c         | 418
> > ++++++++++++++++++
> >  SecurityPkg/FvReportPei/FvReportPei.h         | 121 +++++
> >  SecurityPkg/FvReportPei/FvReportPei.inf       |  57 +++
> >  SecurityPkg/FvReportPei/FvReportPei.uni       |  14 +
> >  .../FvReportPei/FvReportPeiPeiExtra.uni       |  12 +
> >  .../Ppi/FirmwareVolumeInfoStoredHashFv.h      |  61 +++
> >  SecurityPkg/SecurityPkg.dec                   |   9 +
> >  SecurityPkg/SecurityPkg.dsc                   |   5 +
> >  8 files changed, 697 insertions(+)
> >  create mode 100644 SecurityPkg/FvReportPei/FvReportPei.c
> >  create mode 100644 SecurityPkg/FvReportPei/FvReportPei.h
> >  create mode 100644 SecurityPkg/FvReportPei/FvReportPei.inf
> >  create mode 100644 SecurityPkg/FvReportPei/FvReportPei.uni
> >  create mode 100644 SecurityPkg/FvReportPei/FvReportPeiPeiExtra.uni
> >  create mode 100644
> > SecurityPkg/Include/Ppi/FirmwareVolumeInfoStoredHashFv.h
> >
> > --
> > 2.17.1.windows.2