From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by mx.groups.io with SMTP id smtpd.web11.5207.1573021050407741553 for ; Tue, 05 Nov 2019 22:17:30 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.115, mailfrom: jian.j.wang@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Nov 2019 22:17:29 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.68,272,1569308400"; d="scan'208";a="201013861" Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204]) by fmsmga007.fm.intel.com with ESMTP; 05 Nov 2019 22:17:29 -0800 Received: from FMSMSX110.amr.corp.intel.com (10.18.116.10) by FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS) id 14.3.439.0; Tue, 5 Nov 2019 22:17:29 -0800 Received: from shsmsx103.ccr.corp.intel.com (10.239.4.69) by fmsmsx110.amr.corp.intel.com (10.18.116.10) with Microsoft SMTP Server (TLS) id 14.3.439.0; Tue, 5 Nov 2019 22:17:29 -0800 Received: from shsmsx107.ccr.corp.intel.com ([169.254.9.63]) by SHSMSX103.ccr.corp.intel.com ([169.254.4.60]) with mapi id 14.03.0439.000; Wed, 6 Nov 2019 14:17:24 +0800 From: "Wang, Jian J" To: Derek Lin , "devel@edk2.groups.io" CC: "jason.spottswood@hpe.com" , "Yao, Jiewen" , "Zhang, Chao B" Subject: Re: [PATCH] SecurityPkg: Fix TPM2 ACPI measurement. Thread-Topic: [PATCH] SecurityPkg: Fix TPM2 ACPI measurement. Thread-Index: AQHVlD27OsdWJsPUv06fGMghTMhVyqd9qxpA Date: Wed, 6 Nov 2019 06:17:24 +0000 Message-ID: References: <20191106010047.489176-1-derek.lin2@hpe.com> In-Reply-To: <20191106010047.489176-1-derek.lin2@hpe.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiM2FkYjRiYTAtNTRkNS00Y2FhLTk3OWQtODhiYzEzZWFhNTM1IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiSEs0ODBIUnRDb0szVU5iNFVFWkhDcjBlOHdpYURaM1JCcDVpTk1Sc1ZnU2h4MllKUm9IY1QzcGIrUGdmTE83aSJ9 x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Return-Path: jian.j.wang@intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Jian J Wang Regards, Jian > -----Original Message----- > From: Derek Lin > Sent: Wednesday, November 06, 2019 9:01 AM > To: derek.lin2@hpe.com; devel@edk2.groups.io > Cc: jason.spottswood@hpe.com; Yao, Jiewen ; Wang, > Jian J ; Zhang, Chao B > Subject: [PATCH] SecurityPkg: Fix TPM2 ACPI measurement. >=20 > We have discussed in this thread. > https://edk2.groups.io/g/devel/topic/32205028 >=20 > Before the change, TPM FW upgrade will impact TPM2 ACPI PCR value because > TPM2 ACPI HID include FW version. >=20 > This change make the measurement before TPM2 HID fixup. So, after TPM FW > upgrade, the ACPI PCR record remains the same. >=20 > Signed-off-by: Derek Lin > --- > SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 30 ++++++++++++++++-------------- > 1 file changed, 16 insertions(+), 14 deletions(-) >=20 > diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c > b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c > index bd786bf479..54966c83ce 100644 > --- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c > +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c > @@ -664,7 +664,22 @@ PublishAcpiTable ( > )); >=20 > // > - // Update TPM2 HID before measuring it to PCR > + // Measure to PCR[0] with event EV_POST_CODE ACPI DATA. > + // The measurement has to be done before UpdateHID since TPM2 ACPI HID > + // imply TPM Firmware Version. Otherwise, the PCR record would be > + // different after TPM FW update. > + // > + TpmMeasureAndLogData( > + 0, > + EV_POST_CODE, > + EV_POSTCODE_INFO_ACPI_DATA, > + ACPI_DATA_LEN, > + Table, > + TableSize > + ); > + > + // > + // Update TPM2 HID after measuring it to PCR > // > Status =3D UpdateHID(Table); > if (EFI_ERROR(Status)) { > @@ -694,19 +709,6 @@ PublishAcpiTable ( > } > } >=20 > - // > - // Measure to PCR[0] with event EV_POST_CODE ACPI DATA > - // > - TpmMeasureAndLogData( > - 0, > - EV_POST_CODE, > - EV_POSTCODE_INFO_ACPI_DATA, > - ACPI_DATA_LEN, > - Table, > - TableSize > - ); > - > - > ASSERT (Table->OemTableId =3D=3D SIGNATURE_64 ('T', 'p', 'm', '2', 'T'= , 'a', 'b', 'l')); > CopyMem (Table->OemId, PcdGetPtr (PcdAcpiDefaultOemId), sizeof (Table- > >OemId) ); > mTcgNvs =3D AssignOpRegion (Table, SIGNATURE_32 ('T', 'N', 'V', 'S'), = (UINT16) > sizeof (TCG_NVS)); > -- > 2.20.1.windows.1