From: "Yao, Jiewen"
To: "Gonzalez Del Cueto, Rodrigo", "devel@edk2.groups.io"
CC: "Wang, Jian J"
Subject: Re: [PATCH] SecurityPkg: Debug code to audit BIOS TPM extend operations
Date: Fri, 17 Dec 2021 15:08:58 +0000
Message-ID:
References: <20211217024707.1598-1-rodrigo.gonzalez.del.cueto@intel.com>
In-Reply-To: <20211217024707.1598-1-rodrigo.gonzalez.del.cueto@intel.com>
Pushed: 8ed8568922be9b5f7111fc1297317106aba7ab52

> -----Original Message-----
> From: Gonzalez Del Cueto, Rodrigo
> Sent: Friday, December 17, 2021 10:47 AM
> To: devel@edk2.groups.io
> Cc: Gonzalez Del Cueto, Rodrigo; Yao, Jiewen; Wang, Jian J
> Subject: [PATCH] SecurityPkg: Debug code to audit BIOS TPM extend operations
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2858
>
> In V2: Fixed patch format and uncrustify cleanup
>
> In V1: Add debug functionality to examine TPM extend operations
> performed by BIOS and inspect the PCR 00 value prior to
> any BIOS measurements.
>
> Signed-off-by: Rodrigo Gonzalez del Cueto
> Cc: Jiewen Yao
> Cc: Jian J Wang
> ---
>  SecurityPkg/Include/Library/Tpm2CommandLib.h       |  33 +++++++++++++++++++++++++--------
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
>  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c                  |   9 ++++++++-
>  3 files changed, 222 insertions(+), 10 deletions(-)
>
> diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h > b/SecurityPkg/Include/Library/Tpm2CommandLib.h > index 2e83a2f474..a2fb97f18d 100644 > --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h > +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h > @@ -1,7 +1,7 @@ > /** @file > This library is used by other modules to send TPM2 command. >=20 > -Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
> +Copyright (c) 2013 - 2021, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > **/ > @@ -503,9 +503,9 @@ Tpm2PcrExtend ( > EFI_STATUS > EFIAPI > Tpm2PcrEvent ( > - IN TPMI_DH_PCR PcrHandle, > - IN TPM2B_EVENT *EventData, > - OUT TPML_DIGEST_VALUES *Digests > + IN TPMI_DH_PCR PcrHandle, > + IN TPM2B_EVENT *EventData, > + OUT TPML_DIGEST_VALUES *Digests > ); >=20 > /** > @@ -522,10 +522,10 @@ Tpm2PcrEvent ( > EFI_STATUS > EFIAPI > Tpm2PcrRead ( > - IN TPML_PCR_SELECTION *PcrSelectionIn, > - OUT UINT32 *PcrUpdateCounter, > - OUT TPML_PCR_SELECTION *PcrSelectionOut, > - OUT TPML_DIGEST *PcrValues > + IN TPML_PCR_SELECTION *PcrSelectionIn, > + OUT UINT32 *PcrUpdateCounter, > + OUT TPML_PCR_SELECTION *PcrSelectionOut, > + OUT TPML_DIGEST *PcrValues > ); >=20 > /** > @@ -1113,4 +1113,21 @@ GetDigestFromDigestList ( > OUT VOID *Digest > ); >=20 > +/** > + This function will query the TPM to determine which hashing algorithm= s and > + get the digests of all active and supported PCR banks of a specific P= CR > register. > + > + @param[in] PcrHandle The index of the PCR register to be read= . > + @param[out] HashList List of digests from PCR register being = read. > + > + @retval EFI_SUCCESS The Pcr was read successfully. > + @retval EFI_DEVICE_ERROR The command was unsuccessful. > +**/ > +EFI_STATUS > +EFIAPI > +Tpm2PcrReadForActiveBank ( > + IN TPMI_DH_PCR PcrHandle, > + OUT TPML_DIGEST *HashList > + ); > + > #endif > diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c > b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c > index 8dde5f34a2..94e93b2642 100644 > --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c > +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c > @@ -1,7 +1,7 @@ > /** @file > Implement TPM2 Integrity related command. >=20 > -Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
> +Copyright (c) 2013 - 2021, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > **/ > @@ -138,6 +138,23 @@ Tpm2PcrExtend ( > &Digests->digests[Index].digest, > DigestSize > ); > + > + DEBUG_CODE_BEGIN (); > + UINTN Index2; > + DEBUG (( > + DEBUG_VERBOSE, > + "Tpm2PcrExtend - Hash =3D 0x%04x, Pcr[%02d], digest =3D ", > + Digests->digests[Index].hashAlg, > + (UINT8)PcrHandle > + )); > + > + for (Index2 =3D 0; Index2 < DigestSize; Index2++) { > + DEBUG ((DEBUG_VERBOSE, "%02x ", Buffer[Index2])); > + } > + > + DEBUG ((DEBUG_VERBOSE, "\n")); > + DEBUG_CODE_END (); > + > Buffer +=3D DigestSize; > } >=20 > @@ -172,6 +189,11 @@ Tpm2PcrExtend ( > return EFI_DEVICE_ERROR; > } >=20 > + DEBUG_CODE_BEGIN (); > + DEBUG ((DEBUG_VERBOSE, "Tpm2PcrExtend: PCR read after extend...\n")); > + Tpm2PcrReadForActiveBank (PcrHandle, NULL); > + DEBUG_CODE_END (); > + > // > // Unmarshal the response > // 
> @@ -705,3 +727,169 @@ Done: > ZeroMem (&LocalAuthSession.hmac, sizeof (LocalAuthSession.hmac)); > return Status; > } > + > +/** > + This function will query the TPM to determine which hashing algorithm= s and > + get the digests of all active and supported PCR banks of a specific P= CR > register. > + > + @param[in] PcrHandle The index of the PCR register to be read= . > + @param[out] HashList List of digests from PCR register being = read. > + > + @retval EFI_SUCCESS The Pcr was read successfully. > + @retval EFI_DEVICE_ERROR The command was unsuccessful. > +**/ > +EFI_STATUS > +EFIAPI > +Tpm2PcrReadForActiveBank ( > + IN TPMI_DH_PCR PcrHandle, > + OUT TPML_DIGEST *HashList > + ) > +{ > + EFI_STATUS Status; > + TPML_PCR_SELECTION Pcrs; > + TPML_PCR_SELECTION PcrSelectionIn; > + TPML_PCR_SELECTION PcrSelectionOut; > + TPML_DIGEST PcrValues; > + UINT32 PcrUpdateCounter; > + UINT8 PcrIndex; > + UINT32 TpmHashAlgorithmBitmap; > + TPMI_ALG_HASH CurrentPcrBankHash; > + UINT32 ActivePcrBanks; > + UINT32 TcgRegistryHashAlg; > + UINTN Index; > + UINTN Index2; > + > + PcrIndex =3D (UINT8)PcrHandle; > + > + if ((PcrIndex < 0) || > + (PcrIndex >=3D IMPLEMENTATION_PCR)) > + { > + return EFI_INVALID_PARAMETER; > + } > + > + ZeroMem (&PcrSelectionIn, sizeof (PcrSelectionIn)); > + ZeroMem (&PcrUpdateCounter, sizeof (UINT32)); > + ZeroMem (&PcrSelectionOut, sizeof (PcrSelectionOut)); > + ZeroMem (&PcrValues, sizeof (PcrValues)); > + ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION)); > + > + DEBUG ((DEBUG_INFO, "ReadPcr - %02d\n", PcrIndex)); > + > + // > + // Read TPM capabilities > + // > + Status =3D Tpm2GetCapabilityPcrs (&Pcrs); > + > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "ReadPcr: Unable to read TPM capabilities\n")); > + return EFI_DEVICE_ERROR; > + } > + > + // > + // Get Active Pcrs > + // > + Status =3D Tpm2GetCapabilitySupportedAndActivePcrs ( > + &TpmHashAlgorithmBitmap, > + &ActivePcrBanks > + ); > + > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, 
"ReadPcr: Unable to read TPM capabilities and > active PCRs\n")); > + return EFI_DEVICE_ERROR; > + } > + > + // > + // Select from Active PCRs > + // > + for (Index =3D 0; Index < Pcrs.count; Index++) { > + CurrentPcrBankHash =3D Pcrs.pcrSelections[Index].hash; > + > + switch (CurrentPcrBankHash) { > + case TPM_ALG_SHA1: > + DEBUG ((DEBUG_VERBOSE, "HASH_ALG_SHA1 Present\n")); > + TcgRegistryHashAlg =3D HASH_ALG_SHA1; > + break; > + case TPM_ALG_SHA256: > + DEBUG ((DEBUG_VERBOSE, "HASH_ALG_SHA256 Present\n")); > + TcgRegistryHashAlg =3D HASH_ALG_SHA256; > + break; > + case TPM_ALG_SHA384: > + DEBUG ((DEBUG_VERBOSE, "HASH_ALG_SHA384 Present\n")); > + TcgRegistryHashAlg =3D HASH_ALG_SHA384; > + break; > + case TPM_ALG_SHA512: > + DEBUG ((DEBUG_VERBOSE, "HASH_ALG_SHA512 Present\n")); > + TcgRegistryHashAlg =3D HASH_ALG_SHA512; > + break; > + case TPM_ALG_SM3_256: > + DEBUG ((DEBUG_VERBOSE, "HASH_ALG_SM3 Present\n")); > + TcgRegistryHashAlg =3D HASH_ALG_SM3_256; > + break; > + default: > + // > + // Unsupported algorithm > + // > + DEBUG ((DEBUG_VERBOSE, "Unknown algorithm present\n")); > + TcgRegistryHashAlg =3D 0; > + break; > + } > + > + // > + // Skip unsupported and inactive PCR banks > + // > + if ((TcgRegistryHashAlg & ActivePcrBanks) =3D=3D 0) { > + DEBUG ((DEBUG_VERBOSE, "Skipping unsupported or inactive bank: > 0x%04x\n", CurrentPcrBankHash)); > + continue; > + } > + > + // > + // Select PCR from current active bank > + // > + PcrSelectionIn.pcrSelections[PcrSelectionIn.count].hash =3D > Pcrs.pcrSelections[Index].hash; > + PcrSelectionIn.pcrSelections[PcrSelectionIn.count].sizeofSelect =3D > PCR_SELECT_MAX; > + PcrSelectionIn.pcrSelections[PcrSelectionIn.count].pcrSelect[0] =3D = (PcrIndex < > 8) ? 1 << PcrIndex : 0; > + PcrSelectionIn.pcrSelections[PcrSelectionIn.count].pcrSelect[1] =3D = (PcrIndex > > 7) && (PcrIndex < 16) ? 1 << (PcrIndex - 8) : 0; > + PcrSelectionIn.pcrSelections[PcrSelectionIn.count].pcrSelect[2] =3D = (PcrIndex > > 15) ? 
1 << (PcrIndex - 16) : 0; > + PcrSelectionIn.count++; > + } > + > + // > + // Read PCRs > + // > + Status =3D Tpm2PcrRead ( > + &PcrSelectionIn, > + &PcrUpdateCounter, > + &PcrSelectionOut, > + &PcrValues > + ); > + > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Tpm2PcrRead failed Status =3D %r \n", Status))= ; > + return EFI_DEVICE_ERROR; > + } > + > + for (Index =3D 0; Index < PcrValues.count; Index++) { > + DEBUG (( > + DEBUG_INFO, > + "ReadPcr - HashAlg =3D 0x%04x, Pcr[%02d], digest =3D ", > + PcrSelectionOut.pcrSelections[Index].hash, > + PcrIndex > + )); > + > + for (Index2 =3D 0; Index2 < PcrValues.digests[Index].size; Index2++)= { > + DEBUG ((DEBUG_INFO, "%02x ", PcrValues.digests[Index].buffer[Index= 2])); > + } > + > + DEBUG ((DEBUG_INFO, "\n")); > + } > + > + if (HashList !=3D NULL) { > + CopyMem ( > + HashList, > + &PcrValues, > + sizeof (TPML_DIGEST) > + ); > + } > + > + return EFI_SUCCESS; > +} > diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c > b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c > index a97a4e7f2d..622989aff3 100644 > --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c > +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c > @@ -1,7 +1,7 @@ > /** @file > Initialize TPM2 device and measure FVs before handing off control to D= XE. >=20 > -Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.
> +Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.
> Copyright (c) 2017, Microsoft Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > @@ -1106,6 +1106,13 @@ PeimEntryMA ( > } > } >=20 > + DEBUG_CODE_BEGIN (); > + // > + // Peek into TPM PCR 00 before any BIOS measurement. > + // > + Tpm2PcrReadForActiveBank (00, NULL); > + DEBUG_CODE_END (); > + > // > // Only install TpmInitializedPpi on success > // > -- > 2.26.2.windows.1