From: "Wang, Jian J"
To: Derek Lin, "devel@edk2.groups.io"
CC: "jason.spottswood@hpe.com", "Yao, Jiewen", "Zhang, Chao B"
Subject: Re: [PATCH] SecurityPkg: Fix TPM2 ACPI measurement.
Date: Thu, 7 Nov 2019 05:13:23 +0000
In-Reply-To: <20191106010047.489176-1-derek.lin2@hpe.com>

Pushed at 3a63c17ebc853cbb27d190729d01e27f68e65b94

Regards,
Jian

> -----Original Message-----
> From: Derek Lin
> Sent: Wednesday, November 06, 2019 9:01 AM
> To: derek.lin2@hpe.com; devel@edk2.groups.io
> Cc: jason.spottswood@hpe.com; Yao, Jiewen; Wang, Jian J; Zhang, Chao B
> Subject: [PATCH] SecurityPkg: Fix TPM2 ACPI measurement.
>
> We have discussed in this thread.
> https://edk2.groups.io/g/devel/topic/32205028
>
> Before the change, TPM FW upgrade will impact TPM2 ACPI PCR value because
> TPM2 ACPI HID includes FW version.
>
> This change makes the measurement before TPM2 HID fixup. So, after TPM FW
> upgrade, the ACPI PCR record remains the same.
>
> Signed-off-by: Derek Lin > --- > SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 30 ++++++++++++++++-------------- > 1 file changed, 16 insertions(+), 14 deletions(-) >=20 > diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c > b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c > index bd786bf479..54966c83ce 100644 > --- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c > +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c > @@ -664,7 +664,22 @@ PublishAcpiTable ( > )); >=20 > // > - // Update TPM2 HID before measuring it to PCR > + // Measure to PCR[0] with event EV_POST_CODE ACPI DATA. > + // The measurement has to be done before UpdateHID since TPM2 ACPI HID > + // imply TPM Firmware Version. Otherwise, the PCR record would be > + // different after TPM FW update. > + // > + TpmMeasureAndLogData( > + 0, > + EV_POST_CODE, > + EV_POSTCODE_INFO_ACPI_DATA, > + ACPI_DATA_LEN, > + Table, > + TableSize > + ); > + > + // > + // Update TPM2 HID after measuring it to PCR > // > Status =3D UpdateHID(Table); > if (EFI_ERROR(Status)) { > @@ -694,19 +709,6 @@ PublishAcpiTable ( > } > } >=20 > - // > - // Measure to PCR[0] with event EV_POST_CODE ACPI DATA > - // > - TpmMeasureAndLogData( > - 0, > - EV_POST_CODE, > - EV_POSTCODE_INFO_ACPI_DATA, > - ACPI_DATA_LEN, > - Table, > - TableSize > - ); > - > - > ASSERT (Table->OemTableId =3D=3D SIGNATURE_64 ('T', 'p', 'm', '2', 'T'= , 'a', 'b', 'l')); > CopyMem (Table->OemId, PcdGetPtr (PcdAcpiDefaultOemId), sizeof (Table- > >OemId) ); > mTcgNvs =3D AssignOpRegion (Table, SIGNATURE_32 ('T', 'N', 'V', 'S'), = (UINT16) > sizeof (TCG_NVS)); > -- > 2.20.1.windows.1
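Review bot: In the first hunk (@@ -664), the added TpmMeasureAndLogData() call discards its result, while the UpdateHID() call directly below it assigns Status and checks it with EFI_ERROR. If the extend or the event-log write fails, the table is still patched and published with no PCR[0] record and no trace of the failure. Consider capturing the return value and at least emitting a DEBUG message on error. The new comment could also state explicitly that PCR[0] now covers the table as it is before the HID fixup, not the bytes that are finally installed, so that anyone replaying the event log against the published TPM2 table knows the two are expected to differ.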
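Review bot: In the second hunk (@@ -694), deleting the measurement from this position means that everything between the two hunks, not only UpdateHID(), now runs after the table has been measured. The closing braces shown as context here belong to code that sits after the UpdateHID() error check, and the commit message and the new comment justify the reordering only for the HID. If that intervening code modifies other fields of Table, those modifications are no longer reflected in PCR[0]. Please confirm this is intended and name the excluded fixups in the comment or the commit message, or keep them ahead of the measurement if they do not depend on the TPM firmware version.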