From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Gonzalez Del Cueto,
Rodrigo" <rodrigo.gonzalez.del.cueto@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Wang, Jian J" <jian.j.wang@intel.com>
Subject: Re: [PATCH] SecurityPkg: Debug code to audit BIOS TPM extend operations
Date: Fri, 17 Dec 2021 15:08:58 +0000 [thread overview]
Message-ID: <MW4PR11MB5872F797216BF4ECBCDA20598C789@MW4PR11MB5872.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20211217024707.1598-1-rodrigo.gonzalez.del.cueto@intel.com>
Pushed: 8ed8568922be9b5f7111fc1297317106aba7ab52
> -----Original Message-----
> From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>
> Sent: Friday, December 17, 2021 10:47 AM
> To: devel@edk2.groups.io
> Cc: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>; Yao,
> Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>
> Subject: [PATCH] SecurityPkg: Debug code to audit BIOS TPM extend operations
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2858
>
> In V2: Fixed patch format and uncrustify cleanup
>
> In V1: Add debug functionality to examine TPM extend operations
> performed by BIOS and inspect the PCR 00 value prior to
> any BIOS measurements.
>
> Signed-off-by: Rodrigo Gonzalez del Cueto
> <rodrigo.gonzalez.del.cueto@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> ---
> SecurityPkg/Include/Library/Tpm2CommandLib.h | 33
> +++++++++++++++++++++++++--------
> SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 190
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
> SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 9 ++++++++-
> 3 files changed, 222 insertions(+), 10 deletions(-)
>
> diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> index 2e83a2f474..a2fb97f18d 100644
> --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> @@ -1,7 +1,7 @@
> /** @file
> This library is used by other modules to send TPM2 command.
>
> -Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2013 - 2021, Intel Corporation. All rights reserved. <BR>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -503,9 +503,9 @@ Tpm2PcrExtend (
> EFI_STATUS
> EFIAPI
> Tpm2PcrEvent (
> - IN TPMI_DH_PCR PcrHandle,
> - IN TPM2B_EVENT *EventData,
> - OUT TPML_DIGEST_VALUES *Digests
> + IN TPMI_DH_PCR PcrHandle,
> + IN TPM2B_EVENT *EventData,
> + OUT TPML_DIGEST_VALUES *Digests
> );
>
> /**
> @@ -522,10 +522,10 @@ Tpm2PcrEvent (
> EFI_STATUS
> EFIAPI
> Tpm2PcrRead (
> - IN TPML_PCR_SELECTION *PcrSelectionIn,
> - OUT UINT32 *PcrUpdateCounter,
> - OUT TPML_PCR_SELECTION *PcrSelectionOut,
> - OUT TPML_DIGEST *PcrValues
> + IN TPML_PCR_SELECTION *PcrSelectionIn,
> + OUT UINT32 *PcrUpdateCounter,
> + OUT TPML_PCR_SELECTION *PcrSelectionOut,
> + OUT TPML_DIGEST *PcrValues
> );
>
> /**
> @@ -1113,4 +1113,21 @@ GetDigestFromDigestList (
> OUT VOID *Digest
> );
>
> +/**
> + This function will query the TPM to determine which hashing algorithms and
> + get the digests of all active and supported PCR banks of a specific PCR
> register.
> +
> + @param[in] PcrHandle The index of the PCR register to be read.
> + @param[out] HashList List of digests from PCR register being read.
> +
> + @retval EFI_SUCCESS The Pcr was read successfully.
> + @retval EFI_DEVICE_ERROR The command was unsuccessful.
> +**/
> +EFI_STATUS
> +EFIAPI
> +Tpm2PcrReadForActiveBank (
> + IN TPMI_DH_PCR PcrHandle,
> + OUT TPML_DIGEST *HashList
> + );
> +
> #endif
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
> index 8dde5f34a2..94e93b2642 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c
> @@ -1,7 +1,7 @@
> /** @file
> Implement TPM2 Integrity related command.
>
> -Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>
> +Copyright (c) 2013 - 2021, Intel Corporation. All rights reserved. <BR>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> **/
> @@ -138,6 +138,23 @@ Tpm2PcrExtend (
> &Digests->digests[Index].digest,
> DigestSize
> );
> +
> + DEBUG_CODE_BEGIN ();
> + UINTN Index2;
> + DEBUG ((
> + DEBUG_VERBOSE,
> + "Tpm2PcrExtend - Hash = 0x%04x, Pcr[%02d], digest = ",
> + Digests->digests[Index].hashAlg,
> + (UINT8)PcrHandle
> + ));
> +
> + for (Index2 = 0; Index2 < DigestSize; Index2++) {
> + DEBUG ((DEBUG_VERBOSE, "%02x ", Buffer[Index2]));
> + }
> +
> + DEBUG ((DEBUG_VERBOSE, "\n"));
> + DEBUG_CODE_END ();
> +
> Buffer += DigestSize;
> }
>
> @@ -172,6 +189,11 @@ Tpm2PcrExtend (
> return EFI_DEVICE_ERROR;
> }
>
> + DEBUG_CODE_BEGIN ();
> + DEBUG ((DEBUG_VERBOSE, "Tpm2PcrExtend: PCR read after extend...\n"));
> + Tpm2PcrReadForActiveBank (PcrHandle, NULL);
> + DEBUG_CODE_END ();
> +
> //
> // Unmarshal the response
> //
> @@ -705,3 +727,169 @@ Done:
> ZeroMem (&LocalAuthSession.hmac, sizeof (LocalAuthSession.hmac));
> return Status;
> }
> +
> +/**
> + This function will query the TPM to determine which hashing algorithms and
> + get the digests of all active and supported PCR banks of a specific PCR
> register.
> +
> + @param[in] PcrHandle The index of the PCR register to be read.
> + @param[out] HashList List of digests from PCR register being read.
> +
> + @retval EFI_SUCCESS The Pcr was read successfully.
> + @retval EFI_DEVICE_ERROR The command was unsuccessful.
> +**/
> +EFI_STATUS
> +EFIAPI
> +Tpm2PcrReadForActiveBank (
> + IN TPMI_DH_PCR PcrHandle,
> + OUT TPML_DIGEST *HashList
> + )
> +{
> + EFI_STATUS Status;
> + TPML_PCR_SELECTION Pcrs;
> + TPML_PCR_SELECTION PcrSelectionIn;
> + TPML_PCR_SELECTION PcrSelectionOut;
> + TPML_DIGEST PcrValues;
> + UINT32 PcrUpdateCounter;
> + UINT8 PcrIndex;
> + UINT32 TpmHashAlgorithmBitmap;
> + TPMI_ALG_HASH CurrentPcrBankHash;
> + UINT32 ActivePcrBanks;
> + UINT32 TcgRegistryHashAlg;
> + UINTN Index;
> + UINTN Index2;
> +
> + PcrIndex = (UINT8)PcrHandle;
> +
> + if ((PcrIndex < 0) ||
> + (PcrIndex >= IMPLEMENTATION_PCR))
> + {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + ZeroMem (&PcrSelectionIn, sizeof (PcrSelectionIn));
> + ZeroMem (&PcrUpdateCounter, sizeof (UINT32));
> + ZeroMem (&PcrSelectionOut, sizeof (PcrSelectionOut));
> + ZeroMem (&PcrValues, sizeof (PcrValues));
> + ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
> +
> + DEBUG ((DEBUG_INFO, "ReadPcr - %02d\n", PcrIndex));
> +
> + //
> + // Read TPM capabilities
> + //
> + Status = Tpm2GetCapabilityPcrs (&Pcrs);
> +
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "ReadPcr: Unable to read TPM capabilities\n"));
> + return EFI_DEVICE_ERROR;
> + }
> +
> + //
> + // Get Active Pcrs
> + //
> + Status = Tpm2GetCapabilitySupportedAndActivePcrs (
> + &TpmHashAlgorithmBitmap,
> + &ActivePcrBanks
> + );
> +
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "ReadPcr: Unable to read TPM capabilities and
> active PCRs\n"));
> + return EFI_DEVICE_ERROR;
> + }
> +
> + //
> + // Select from Active PCRs
> + //
> + for (Index = 0; Index < Pcrs.count; Index++) {
> + CurrentPcrBankHash = Pcrs.pcrSelections[Index].hash;
> +
> + switch (CurrentPcrBankHash) {
> + case TPM_ALG_SHA1:
> + DEBUG ((DEBUG_VERBOSE, "HASH_ALG_SHA1 Present\n"));
> + TcgRegistryHashAlg = HASH_ALG_SHA1;
> + break;
> + case TPM_ALG_SHA256:
> + DEBUG ((DEBUG_VERBOSE, "HASH_ALG_SHA256 Present\n"));
> + TcgRegistryHashAlg = HASH_ALG_SHA256;
> + break;
> + case TPM_ALG_SHA384:
> + DEBUG ((DEBUG_VERBOSE, "HASH_ALG_SHA384 Present\n"));
> + TcgRegistryHashAlg = HASH_ALG_SHA384;
> + break;
> + case TPM_ALG_SHA512:
> + DEBUG ((DEBUG_VERBOSE, "HASH_ALG_SHA512 Present\n"));
> + TcgRegistryHashAlg = HASH_ALG_SHA512;
> + break;
> + case TPM_ALG_SM3_256:
> + DEBUG ((DEBUG_VERBOSE, "HASH_ALG_SM3 Present\n"));
> + TcgRegistryHashAlg = HASH_ALG_SM3_256;
> + break;
> + default:
> + //
> + // Unsupported algorithm
> + //
> + DEBUG ((DEBUG_VERBOSE, "Unknown algorithm present\n"));
> + TcgRegistryHashAlg = 0;
> + break;
> + }
> +
> + //
> + // Skip unsupported and inactive PCR banks
> + //
> + if ((TcgRegistryHashAlg & ActivePcrBanks) == 0) {
> + DEBUG ((DEBUG_VERBOSE, "Skipping unsupported or inactive bank:
> 0x%04x\n", CurrentPcrBankHash));
> + continue;
> + }
> +
> + //
> + // Select PCR from current active bank
> + //
> + PcrSelectionIn.pcrSelections[PcrSelectionIn.count].hash =
> Pcrs.pcrSelections[Index].hash;
> + PcrSelectionIn.pcrSelections[PcrSelectionIn.count].sizeofSelect =
> PCR_SELECT_MAX;
> + PcrSelectionIn.pcrSelections[PcrSelectionIn.count].pcrSelect[0] = (PcrIndex <
> 8) ? 1 << PcrIndex : 0;
> + PcrSelectionIn.pcrSelections[PcrSelectionIn.count].pcrSelect[1] = (PcrIndex >
> 7) && (PcrIndex < 16) ? 1 << (PcrIndex - 8) : 0;
> + PcrSelectionIn.pcrSelections[PcrSelectionIn.count].pcrSelect[2] = (PcrIndex >
> 15) ? 1 << (PcrIndex - 16) : 0;
> + PcrSelectionIn.count++;
> + }
> +
> + //
> + // Read PCRs
> + //
> + Status = Tpm2PcrRead (
> + &PcrSelectionIn,
> + &PcrUpdateCounter,
> + &PcrSelectionOut,
> + &PcrValues
> + );
> +
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Tpm2PcrRead failed Status = %r \n", Status));
> + return EFI_DEVICE_ERROR;
> + }
> +
> + for (Index = 0; Index < PcrValues.count; Index++) {
> + DEBUG ((
> + DEBUG_INFO,
> + "ReadPcr - HashAlg = 0x%04x, Pcr[%02d], digest = ",
> + PcrSelectionOut.pcrSelections[Index].hash,
> + PcrIndex
> + ));
> +
> + for (Index2 = 0; Index2 < PcrValues.digests[Index].size; Index2++) {
> + DEBUG ((DEBUG_INFO, "%02x ", PcrValues.digests[Index].buffer[Index2]));
> + }
> +
> + DEBUG ((DEBUG_INFO, "\n"));
> + }
> +
> + if (HashList != NULL) {
> + CopyMem (
> + HashList,
> + &PcrValues,
> + sizeof (TPML_DIGEST)
> + );
> + }
> +
> + return EFI_SUCCESS;
> +}
> diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
> b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
> index a97a4e7f2d..622989aff3 100644
> --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
> +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
> @@ -1,7 +1,7 @@
> /** @file
> Initialize TPM2 device and measure FVs before handing off control to DXE.
>
> -Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR>
> Copyright (c) 2017, Microsoft Corporation. All rights reserved. <BR>
> SPDX-License-Identifier: BSD-2-Clause-Patent
>
> @@ -1106,6 +1106,13 @@ PeimEntryMA (
> }
> }
>
> + DEBUG_CODE_BEGIN ();
> + //
> + // Peek into TPM PCR 00 before any BIOS measurement.
> + //
> + Tpm2PcrReadForActiveBank (00, NULL);
> + DEBUG_CODE_END ();
> +
> //
> // Only install TpmInitializedPpi on success
> //
> --
> 2.26.2.windows.1
next prev parent reply other threads:[~2021-12-17 15:09 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-17 2:47 [PATCH] SecurityPkg: Debug code to audit BIOS TPM extend operations Rodrigo Gonzalez del Cueto
2021-12-17 4:23 ` [edk2-devel] " Rodrigo Gonzalez del Cueto
2021-12-17 15:08 ` Yao, Jiewen [this message]
-- strict thread matches above, loose matches on Subject: below --
2021-07-29 22:43 Rodrigo Gonzalez del Cueto
2021-08-09 1:24 ` Yao, Jiewen
2021-08-10 6:40 ` Rodrigo Gonzalez del Cueto
2021-08-11 5:39 ` Yao, Jiewen
2020-07-20 22:28 Rodrigo Gonzalez del Cueto
2020-07-23 2:06 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MW4PR11MB5872F797216BF4ECBCDA20598C789@MW4PR11MB5872.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox