* [PATCH] SecurityPkg/TPM2: Sync PcrAllocations and PcrMask
@ 2016-09-20 10:55 Star Zeng
2016-09-21 8:06 ` Zhang, Chao B
0 siblings, 1 reply; 2+ messages in thread
From: Star Zeng @ 2016-09-20 10:55 UTC (permalink / raw)
To: edk2-devel; +Cc: Jiewen Yao, Chao B Zhang
From: Jiewen Yao <jiewen.yao@intel.com>
Current TCG2 implementation will set Tpm2HashMask PCD value according to TPM2
PCR bank. However, there might be misconfiguration in BIOS build phase.
The enhanced logic makes sure that the current PCR allocations, the TPM
supported PCRs, and the PcdTpm2HashMask are all in agreement.
Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
---
SecurityPkg/SecurityPkg.dsc | 1 +
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 111 +++++++++++++++++++++---------------
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 3 +-
3 files changed, 69 insertions(+), 46 deletions(-)
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 3b36d0f5a77a..2ebd0a432124 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -74,6 +74,7 @@ [LibraryClasses]
TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf
TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf
OpalPasswordSupportLib|SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.inf
+ ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSystemLibNull.inf
[LibraryClasses.common.PEIM]
PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index a72b8d9bda1f..8bd5f2cfa507 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -41,6 +41,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Library/PerformanceLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/ReportStatusCodeLib.h>
+#include <Library/ResetSystemLib.h>
#include <Library/Tcg2PhysicalPresenceLib.h>
#define PERF_ID_TCG2_PEI 0x3080
@@ -190,60 +191,80 @@ EndofPeiSignalNotifyCallBack (
}
/**
- Set Tpm2HashMask PCD value according to TPM2 PCR bank.
+ Make sure that the current PCR allocations, the TPM supported PCRs,
+ and the PcdTpm2HashMask are all in agreement.
**/
VOID
-SetTpm2HashMask (
+SyncPcrAllocationsAndPcrMask (
VOID
)
{
- EFI_STATUS Status;
- UINT32 ActivePcrBanks;
- TPML_PCR_SELECTION Pcrs;
- UINTN Index;
+ EFI_STATUS Status;
+ EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap;
+ UINT32 TpmActivePcrBanks;
+ UINT32 NewTpmActivePcrBanks;
+ UINT32 Tpm2PcrMask;
+ UINT32 NewTpm2PcrMask;
- DEBUG ((EFI_D_ERROR, "SetTpm2HashMask!\n"));
+ DEBUG ((EFI_D_ERROR, "SyncPcrAllocationsAndPcrMask!\n"));
- Status = Tpm2GetCapabilityPcrs (&Pcrs);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
- ActivePcrBanks = EFI_TCG2_BOOT_HASH_ALG_SHA1;
- } else {
- DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityPcrs Count - %08x\n", Pcrs.count));
- ActivePcrBanks = 0;
- for (Index = 0; Index < Pcrs.count; Index++) {
- DEBUG ((EFI_D_INFO, "hash - %x\n", Pcrs.pcrSelections[Index].hash));
- switch (Pcrs.pcrSelections[Index].hash) {
- case TPM_ALG_SHA1:
- if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {
- ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA1;
- }
- break;
- case TPM_ALG_SHA256:
- if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {
- ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA256;
- }
- break;
- case TPM_ALG_SHA384:
- if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {
- ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA384;
- }
- break;
- case TPM_ALG_SHA512:
- if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {
- ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA512;
- }
- break;
- case TPM_ALG_SM3_256:
- if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {
- ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SM3_256;
- }
- break;
+ //
+ // Determine the current TPM support and the Platform PCR mask.
+ //
+ Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);
+ ASSERT_EFI_ERROR (Status);
+
+ Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask);
+
+ //
+ // Find the intersection of Pcd support and TPM support.
+ // If banks are missing from the TPM support that are in the PCD, update the PCD.
+ // If banks are missing from the PCD that are active in the TPM, reallocate the banks and reboot.
+ //
+
+ //
+ // If there are active PCR banks that are not supported by the Platform mask,
+ // update the TPM allocations and reboot the machine.
+ //
+ if ((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) {
+ NewTpmActivePcrBanks = TpmActivePcrBanks & Tpm2PcrMask;
+
+ DEBUG ((EFI_D_INFO, __FUNCTION__" - Reallocating PCR banks from 0x%X to 0x%X.\n", TpmActivePcrBanks, NewTpmActivePcrBanks ));
+ if (NewTpmActivePcrBanks == 0) {
+ DEBUG ((EFI_D_ERROR, __FUNCTION__" - No viable PCRs active! Please set a less restrictive value for PcdTpm2HashMask!\n"));
+ ASSERT (FALSE);
+ } else {
+ Status = Tpm2PcrAllocateBanks (NULL, (UINT32)TpmHashAlgorithmBitmap, NewTpmActivePcrBanks);
+ if (EFI_ERROR (Status)) {
+ //
+ // We can't do much here, but we hope that this doesn't happen.
+ //
+ DEBUG ((EFI_D_ERROR, __FUNCTION__" - Failed to reallocate PCRs!\n"));
+ ASSERT_EFI_ERROR (Status);
}
+ //
+ // Need reset system, since we just called Tpm2PcrAllocateBanks().
+ //
+ ResetCold();
}
}
- Status = PcdSet32S (PcdTpm2HashMask, ActivePcrBanks);
- ASSERT_EFI_ERROR (Status);
+
+ //
+ // If there are any PCRs that claim support in the Platform mask that are
+ // not supported by the TPM, update the mask.
+ //
+ if ((Tpm2PcrMask & TpmHashAlgorithmBitmap) != Tpm2PcrMask) {
+ NewTpm2PcrMask = Tpm2PcrMask & TpmHashAlgorithmBitmap;
+
+ DEBUG ((EFI_D_INFO, __FUNCTION__" - Updating PcdTpm2HashMask from 0x%X to 0x%X.\n", Tpm2PcrMask, NewTpm2PcrMask ));
+ if (NewTpm2PcrMask == 0) {
+ DEBUG ((EFI_D_ERROR, __FUNCTION__" - No viable PCRs supported! Please set a less restrictive value for PcdTpm2HashMask!\n"));
+ ASSERT (FALSE);
+ }
+
+ Status = PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask);
+ ASSERT_EFI_ERROR (Status);
+ }
}
/**
@@ -767,7 +788,7 @@ PeimEntryMA (
//
// Update Tpm2HashMask according to PCR bank.
//
- SetTpm2HashMask ();
+ SyncPcrAllocationsAndPcrMask ();
if (S3ErrorReport) {
//
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
index 007ce918eda9..3477d8206a8b 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
@@ -3,7 +3,7 @@
#
# This module will initialize TPM device, measure reported FVs and BIOS version.
#
-# Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
@@ -53,6 +53,7 @@ [LibraryClasses]
MemoryAllocationLib
ReportStatusCodeLib
Tcg2PhysicalPresenceLib
+ ResetSystemLib
[Guids]
gTcgEventEntryHobGuid ## PRODUCES ## HOB
--
2.7.0.windows.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] SecurityPkg/TPM2: Sync PcrAllocations and PcrMask
2016-09-20 10:55 [PATCH] SecurityPkg/TPM2: Sync PcrAllocations and PcrMask Star Zeng
@ 2016-09-21 8:06 ` Zhang, Chao B
0 siblings, 0 replies; 2+ messages in thread
From: Zhang, Chao B @ 2016-09-21 8:06 UTC (permalink / raw)
To: Zeng, Star, edk2-devel@lists.01.org; +Cc: Yao, Jiewen
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Thanks & Best regards
Chao Zhang
-----Original Message-----
From: Zeng, Star
Sent: Tuesday, September 20, 2016 6:56 PM
To: edk2-devel@lists.01.org
Cc: Yao, Jiewen; Zhang, Chao B
Subject: [PATCH] SecurityPkg/TPM2: Sync PcrAllocations and PcrMask
From: Jiewen Yao <jiewen.yao@intel.com>
Current TCG2 implementation will set Tpm2HashMask PCD value according to TPM2
PCR bank. However, there might be misconfiguration in BIOS build phase.
The enhanced logic makes sure that the current PCR allocations, the TPM
supported PCRs, and the PcdTpm2HashMask are all in agreement.
Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
---
SecurityPkg/SecurityPkg.dsc | 1 +
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 111 +++++++++++++++++++++---------------
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 3 +-
3 files changed, 69 insertions(+), 46 deletions(-)
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 3b36d0f5a77a..2ebd0a432124 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -74,6 +74,7 @@ [LibraryClasses]
TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf
TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf
OpalPasswordSupportLib|SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.inf
+ ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSystemLibNull.inf
[LibraryClasses.common.PEIM]
PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index a72b8d9bda1f..8bd5f2cfa507 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -41,6 +41,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Library/PerformanceLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/ReportStatusCodeLib.h>
+#include <Library/ResetSystemLib.h>
#include <Library/Tcg2PhysicalPresenceLib.h>
#define PERF_ID_TCG2_PEI 0x3080
@@ -190,60 +191,80 @@ EndofPeiSignalNotifyCallBack (
}
/**
- Set Tpm2HashMask PCD value according to TPM2 PCR bank.
+ Make sure that the current PCR allocations, the TPM supported PCRs,
+ and the PcdTpm2HashMask are all in agreement.
**/
VOID
-SetTpm2HashMask (
+SyncPcrAllocationsAndPcrMask (
VOID
)
{
- EFI_STATUS Status;
- UINT32 ActivePcrBanks;
- TPML_PCR_SELECTION Pcrs;
- UINTN Index;
+ EFI_STATUS Status;
+ EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap;
+ UINT32 TpmActivePcrBanks;
+ UINT32 NewTpmActivePcrBanks;
+ UINT32 Tpm2PcrMask;
+ UINT32 NewTpm2PcrMask;
- DEBUG ((EFI_D_ERROR, "SetTpm2HashMask!\n"));
+ DEBUG ((EFI_D_ERROR, "SyncPcrAllocationsAndPcrMask!\n"));
- Status = Tpm2GetCapabilityPcrs (&Pcrs);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
- ActivePcrBanks = EFI_TCG2_BOOT_HASH_ALG_SHA1;
- } else {
- DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityPcrs Count - %08x\n", Pcrs.count));
- ActivePcrBanks = 0;
- for (Index = 0; Index < Pcrs.count; Index++) {
- DEBUG ((EFI_D_INFO, "hash - %x\n", Pcrs.pcrSelections[Index].hash));
- switch (Pcrs.pcrSelections[Index].hash) {
- case TPM_ALG_SHA1:
- if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {
- ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA1;
- }
- break;
- case TPM_ALG_SHA256:
- if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {
- ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA256;
- }
- break;
- case TPM_ALG_SHA384:
- if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {
- ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA384;
- }
- break;
- case TPM_ALG_SHA512:
- if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {
- ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA512;
- }
- break;
- case TPM_ALG_SM3_256:
- if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {
- ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SM3_256;
- }
- break;
+ //
+ // Determine the current TPM support and the Platform PCR mask.
+ //
+ Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);
+ ASSERT_EFI_ERROR (Status);
+
+ Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask);
+
+ //
+ // Find the intersection of Pcd support and TPM support.
+ // If banks are missing from the TPM support that are in the PCD, update the PCD.
+ // If banks are missing from the PCD that are active in the TPM, reallocate the banks and reboot.
+ //
+
+ //
+ // If there are active PCR banks that are not supported by the Platform mask,
+ // update the TPM allocations and reboot the machine.
+ //
+ if ((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) {
+ NewTpmActivePcrBanks = TpmActivePcrBanks & Tpm2PcrMask;
+
+ DEBUG ((EFI_D_INFO, __FUNCTION__" - Reallocating PCR banks from 0x%X to 0x%X.\n", TpmActivePcrBanks, NewTpmActivePcrBanks ));
+ if (NewTpmActivePcrBanks == 0) {
+ DEBUG ((EFI_D_ERROR, __FUNCTION__" - No viable PCRs active! Please set a less restrictive value for PcdTpm2HashMask!\n"));
+ ASSERT (FALSE);
+ } else {
+ Status = Tpm2PcrAllocateBanks (NULL, (UINT32)TpmHashAlgorithmBitmap, NewTpmActivePcrBanks);
+ if (EFI_ERROR (Status)) {
+ //
+ // We can't do much here, but we hope that this doesn't happen.
+ //
+ DEBUG ((EFI_D_ERROR, __FUNCTION__" - Failed to reallocate PCRs!\n"));
+ ASSERT_EFI_ERROR (Status);
}
+ //
+ // Need reset system, since we just called Tpm2PcrAllocateBanks().
+ //
+ ResetCold();
}
}
- Status = PcdSet32S (PcdTpm2HashMask, ActivePcrBanks);
- ASSERT_EFI_ERROR (Status);
+
+ //
+ // If there are any PCRs that claim support in the Platform mask that are
+ // not supported by the TPM, update the mask.
+ //
+ if ((Tpm2PcrMask & TpmHashAlgorithmBitmap) != Tpm2PcrMask) {
+ NewTpm2PcrMask = Tpm2PcrMask & TpmHashAlgorithmBitmap;
+
+ DEBUG ((EFI_D_INFO, __FUNCTION__" - Updating PcdTpm2HashMask from 0x%X to 0x%X.\n", Tpm2PcrMask, NewTpm2PcrMask ));
+ if (NewTpm2PcrMask == 0) {
+ DEBUG ((EFI_D_ERROR, __FUNCTION__" - No viable PCRs supported! Please set a less restrictive value for PcdTpm2HashMask!\n"));
+ ASSERT (FALSE);
+ }
+
+ Status = PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask);
+ ASSERT_EFI_ERROR (Status);
+ }
}
/**
@@ -767,7 +788,7 @@ PeimEntryMA (
//
// Update Tpm2HashMask according to PCR bank.
//
- SetTpm2HashMask ();
+ SyncPcrAllocationsAndPcrMask ();
if (S3ErrorReport) {
//
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
index 007ce918eda9..3477d8206a8b 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
@@ -3,7 +3,7 @@
#
# This module will initialize TPM device, measure reported FVs and BIOS version.
#
-# Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
@@ -53,6 +53,7 @@ [LibraryClasses]
MemoryAllocationLib
ReportStatusCodeLib
Tcg2PhysicalPresenceLib
+ ResetSystemLib
[Guids]
gTcgEventEntryHobGuid ## PRODUCES ## HOB
--
2.7.0.windows.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-09-21 8:08 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-20 10:55 [PATCH] SecurityPkg/TPM2: Sync PcrAllocations and PcrMask Star Zeng
2016-09-21 8:06 ` Zhang, Chao B
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox