From: "Kun Qin" <kun.q@outlook.com>
To: "Yao, Jiewen"; devel@edk2.groups.io
Cc: "Wang, Jian J"; "Zhang, Qi1"; "Kumar, Rahul1"; "Yao, Jiewen"
Subject: Re: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Added support for Standalone Mm
Date: Mon, 1 Mar 2021 09:45:32 +0000
References: <20210210012457.315-1-kun.q@outlook.com>, <16668B740798D6CC.26818@groups.io>

Thanks for the explanation. I will update Tcg2Smm support in v4 to your suggested pattern and follow up on variable smm update in a separate patch series.

Regards,
Kun
From: Yao, Jiewen
Sent: Monday, March 1, 2021 01:27
To: Kun Qin; devel@edk2.groups.io
Cc: Wang, Jian J; Zhang, Qi1; Kumar, Rahul1; Yao, Jiewen
Subject: RE: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Added support for Standalone Mm

Personally, I prefer a separate DXE driver at this moment.

The reason is that: It will be easy that we have a flexible feature ON/OFF in the binary level in the future.
Linking different feature lib into one common driver will cause a big problem in such case.
Sorry, I did not catch that in VariableStandaloneMM enabling time.

I am not worried about too much on size, because the DXE FV will be compressed. The compression algo should be smart enough to catch the same code pattern.

I prefer we use this pattern for TcgSmm support in V4.
And another patch for VariableSmm update.

Thank you
Yao Jiewen

From: Kun Qin
Sent: Monday, March 1, 2021 4:57 PM
To: Yao, Jiewen; devel@edk2.groups.io
Cc: Wang, Jian J; Zhang, Qi1; Kumar, Rahul1; Yao, Jiewen
Subject: RE: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Added support for Standalone Mm

Hi Jiewen,

Sure, I can send the update with moving VariableMmDependency to MdeModulePkg for consistency. It will be my first time to move a module from one package to another, could you please let me know if I should make 2 patches for this purpose? (one patch for deleting the current instance, and a subsequent patch that adds the same instance to new location?) Or a single patch will be good enough?

As per dependency library, do you mean you prefer to publish these dummy protocols from a DXE driver instead of anonymous library? Yes, that should work as well and it does seem cleaner and more flexible than linked library. The only drawback I could think of is the code size will be potentially larger than current solution due to library code linkages. Would you prefer me to make this change for both Tcg2Mm and VariableMm? I can send them in v4 patches.

Thanks,
Kun
From: Yao, Jiewen
Sent: Monday, March 1, 2021 00:28
To: devel@edk2.groups.io; kun.q@outlook.com
Cc: Wang, Jian J; Zhang, Qi1; Kumar, Rahul1; Yao, Jiewen
Subject: RE: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Added support for Standalone Mm

Sorry for late response.
I am thinking what is the best way to address such dependency issue.

1. If we take similar design, we need add XxxMmDependency in any StandaloneMm module with DXE communication capability, right?

2. Now we have different rules:
   1. The VariableMmDependency is in StandaloneMmPkg instead of MdeModulePkg
   2. The Tcg2MmDependency is in SecurityPkg instead of StandaloneMmPkg.

   I think we have a consistent way to add the dependency module.
   I prefer to put it to the same package as the StandaloneMm module.
   Can we move VariableMmDependency to MdeModulePkg?

3. Also, I don't think a Library is absolutely needed.
   It could be a DXE driver with gEfiMmCommunication2ProtocolGuid in dependency section, right?
   E.g. a Tcg2MmDependencyDxe in SecurityPkg/Tcg/Smm, and VariableMmDependencyDxe in MdeModulePkg/Universal/Variable

Thank you
Yao Jiewen

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Kun Qin
Sent: Thursday, February 25, 2021 10:26 AM
To: devel@edk2.groups.io; Yao, Jiewen
Cc: Wang, Jian J; Zhang, Qi1; Kumar, Rahul1
Subject: Re: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Added support for Standalone Mm

Hi Jiewen,

Do you have any feedback on this patch based on my previous reply?

By the way, the reason I did not add this dependency library in StandaloneMmPkg was because it will make standalone package to depend on SecurityPkg, which does not seem adequate. Please let me know how you think. Thanks in advance.

Regards,
Kun
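The ordering question in the messages above (whether gTcg2MmSwSmiRegisteredGuid may be published by a NULL library linked into some DXE driver, or should come from a DXE driver that itself depends on gEfiMmCommunication2ProtocolGuid) can be seen in a small model of the DXE core's depex evaluation. This is an added illustration, not code from the thread or from edk2; the dispatcher, the module names and their depex contents are simplified and constructed for the demonstration.

```python
# Constructed model of DXE dispatch ordering for the Tcg2 Standalone MM
# dependency discussed in the thread. Not edk2's dispatcher: depex is
# modelled as an AND of protocol names, and NULL-library constructors are
# modelled as protocols installed when the host driver is dispatched.
from dataclasses import dataclass

MM_COMM = "gEfiMmCommunication2ProtocolGuid"   # installed by the MM IPL once MM is usable
TCG2_READY = "gTcg2MmSwSmiRegisteredGuid"      # what Tcg2Acpi waits for


@dataclass(frozen=True)
class DxeModule:
    name: str
    depex: frozenset            # protocols that must already be installed
    produces: frozenset         # protocols installed by the entry point
    null_libs: tuple = ()       # products of linked NULL-library constructors


def dispatch(modules, preinstalled=()):
    """Simplified DXE core loop: dispatch the first pending module whose depex
    is satisfied, install what it (and its NULL-lib constructors) produce, then
    rescan from the top. Returns (dispatch order, names left undispatched)."""
    installed = set(preinstalled)
    pending = list(modules)
    order = []
    while True:
        ready = next((m for m in pending if m.depex <= installed), None)
        if ready is None:
            return order, [m.name for m in pending]
        for lib_products in ready.null_libs:   # constructors run before the entry point
            installed |= lib_products
        installed |= ready.produces
        order.append(ready.name)
        pending.remove(ready)


def mm_ready_before_tcg2acpi(order):
    """The property the thread cares about: MM communicate is usable before Tcg2Acpi runs."""
    return ("MmCommunicationDxe" in order and "Tcg2Acpi" in order
            and order.index("MmCommunicationDxe") < order.index("Tcg2Acpi"))


# Fixed actors (constructed). Tcg2Acpi is listed first in every scenario so the
# ordering comes only from the depex, never from FV file position.
TCG2_ACPI = DxeModule("Tcg2Acpi", frozenset({TCG2_READY}), frozenset())
MM_IPL = DxeModule("MmCommunicationDxe", frozenset(), frozenset({MM_COMM}))
DEP_LIB = frozenset({TCG2_READY})              # what Tcg2MmDependencyLib's constructor installs


def scenario_null_lib_in_comm_host():
    """Patch as posted: NULL lib linked into a driver whose own depex is the comm protocol."""
    host = DxeModule("FaultTolerantWriteSmmDxe", frozenset({MM_COMM}), frozenset(), (DEP_LIB,))
    return dispatch([TCG2_ACPI, host, MM_IPL])


def scenario_null_lib_in_unrelated_host():
    """Same NULL lib linked into a driver with depex TRUE: the GUID appears before MM is ready."""
    host = DxeModule("SomeUnrelatedDxe", frozenset(), frozenset(), (DEP_LIB,))
    return dispatch([TCG2_ACPI, host, MM_IPL])


def scenario_dependency_dxe_driver():
    """Alternative proposed in the thread: a DXE driver whose own [Depex] is the comm protocol."""
    dep_drv = DxeModule("Tcg2MmDependencyDxe", frozenset({MM_COMM}), DEP_LIB)
    return dispatch([TCG2_ACPI, dep_drv, MM_IPL])


if __name__ == "__main__":
    for scenario in (scenario_null_lib_in_comm_host,
                     scenario_null_lib_in_unrelated_host,
                     scenario_dependency_dxe_driver):
        order, left = scenario()
        print(f"{scenario.__name__}: {' -> '.join(order)}  "
              f"safe={mm_ready_before_tcg2acpi(order)}  undispatched={left}")
```

The middle scenario is the hazard the NULL-library design leaves to the integrator: correctness depends on the depex of whichever driver happens to link the library, whereas the separate DXE driver carries the dependency itself.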
From: Kun Qin
Sent: Tuesday, February 23, 2021 17:40
To: devel@edk2.groups.io; jiewen.yao@intel.com
Cc: Wang, Jian J; Zhang, Qi1; Kumar, Rahul1
Subject: Re: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Added support for Standalone Mm

Hi Jiewen,

This is essentially following the example of VariableStandaloneMm model here:
StandaloneMmPkg/Library: Install Variable Arch Protocol · tianocore/edk2@326598e (github.com)

The intended usage for this library, in the context of Standalone MM, is to link this library to the MM IPL driver (or any other drivers that has a dependency on gEfiMmCommunication2ProtocolGuid), which will make sure MM communicate is ready to use (and all MM drivers dispatched) before DXE core dispatch Tcg2Acpi driver. I could add an example like below in the commit message if you think that will help on the intended usage:

```
  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmmDxe.inf {
    <LibraryClasses>
      NULL|SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf
  }
```

Or if you have any other ideas on making sure of the loading order, please let me know as well.

Thanks,
Kun

From: Yao, Jiewen
Sent: Tuesday, February 23, 2021 17:26
To: Kun Qin; devel@edk2.groups.io
Cc: Wang, Jian J; Zhang, Qi1; Kumar, Rahul1
Subject: Re: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Added support for Standalone Mm

I am not sure if Tcg2MmDependencyLib is the best solution.
It seems NULL lib instance. But I am not sure how it is used.
Can we have an example in SecurityPkg.dsc?

> -----Original Message-----
> From: Kun Qin > > Sent: Wednesday, February 10, 2021 9:25 AM > To: devel@edk2.groups.io > Cc: Yao, Jiewen >; Wan= g, Jian J >; > Zhang, Qi1 >; Kumar, Rah= ul1 > > Subject: [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Added support for Standalo= ne > Mm > > https://bugzilla.tianocore.org/show_bug.cgi?id=3D3169 > > This change added Standalone MM instance of Tcg2. The notify function fo= r > Standalone MM instance is left empty. > > A designated dependency library was created for DXE drivers to link as a= n > anonymous library. > > Lastly, the support of CI build for Tcg2 Standalone MM module is added. > > Cc: Jiewen Yao > > Cc: Jian J Wang > > Cc: Qi Zhang > > Cc: Rahul Kumar > > > Signed-off-by: Kun Qin > > --- > > Notes: > v2: > - Newly added. > > SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.c | 48 > ++++++++++++ > SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.c | 71 > ++++++++++++++++++ > SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf | 39 > ++++++++++ > SecurityPkg/SecurityPkg.ci.yaml | 1 + > SecurityPkg/SecurityPkg.dec | 1 + > SecurityPkg/SecurityPkg.dsc | 10 ++= + > SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf | 77 > ++++++++++++++++++++ > 7 files changed, 247 insertions(+) > > diff --git > a/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.c > b/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.c > new file mode 100644 > index 000000000000..12b23813dce1 > --- /dev/null > +++ b/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.c 
> @@ -0,0 +1,48 @@ > +/** @file > + Runtime DXE part corresponding to StandaloneMM Tcg2 module. > + > +This module installs gTcg2MmSwSmiRegisteredGuid to notify readiness of > +StandaloneMM Tcg2 module. > + > +Copyright (c) 2019 - 2021, Arm Ltd. All rights reserved. > +Copyright (c) Microsoft Corporation. > + > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include > + > +#include > +#include > + > +/** > + The constructor function installs gTcg2MmSwSmiRegisteredGuid to notif= y > + readiness of StandaloneMM Tcg2 module. > + > + @param ImageHandle The firmware allocated handle for the EFI image= . > + @param SystemTable A pointer to the Management mode System Table. > + > + @retval EFI_SUCCESS The constructor always returns EFI_SUCCESS. > + > +**/ > +EFI_STATUS > +EFIAPI > +Tcg2MmDependencyLibConstructor ( > + IN EFI_HANDLE ImageHandle, > + IN EFI_SYSTEM_TABLE *SystemTable > + ) > +{ > + EFI_STATUS Status; > + EFI_HANDLE Handle; > + > + Handle =3D NULL; > + Status =3D gBS->InstallProtocolInterface ( > + &Handle, > + &gTcg2MmSwSmiRegisteredGuid, > + EFI_NATIVE_INTERFACE, > + NULL > + ); > + ASSERT_EFI_ERROR (Status); > + return EFI_SUCCESS; > +} > diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.c > b/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.c > new file mode 100644 > index 000000000000..9e0095efbc5e > --- /dev/null > +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.c 
> @@ -0,0 +1,71 @@ > +/** @file > + TCG2 Standalone MM driver that updates TPM2 items in ACPI table and > registers > + SMI2 callback functions for Tcg2 physical presence, ClearMemory, and > + sample for dTPM StartMethod. > + > + Caution: This module requires additional review when modified. > + This driver will have external input - variable and ACPINvs data in S= MM mode. > + This external input must be validated carefully to avoid security iss= ue. > + > + PhysicalPresenceCallback() and MemoryClearCallback() will receive unt= rusted > input and do some check. > + > +Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
> +Copyright (c) Microsoft Corporation. > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include "Tcg2Smm.h" > +#include > + > +/** > + Notify the system that the SMM variable driver is ready. > +**/ > +VOID > +Tcg2NotifyMmReady ( > + VOID > + ) > +{ > + // Do nothing > +} > + > +/** > + This function is an abstraction layer for implementation specific Mm = buffer > validation routine. > + > + @param Buffer The buffer start address to be checked. > + @param Length The buffer length to be checked. > + > + @retval TRUE This buffer is valid per processor architecture and not= overlap > with SMRAM. > + @retval FALSE This buffer is not valid per processor architecture or = overlap > with SMRAM. > +**/ > +BOOLEAN > +IsBufferOutsideMmValid ( > + IN EFI_PHYSICAL_ADDRESS Buffer, > + IN UINT64 Length > + ) > +{ > + return MmIsBufferOutsideMmValid (Buffer, Length); > +} > + > +/** > + The driver's entry point. > + > + It install callbacks for TPM physical presence and MemoryClear, and l= ocate > + SMM variable to be used in the callback function. > + > + @param[in] ImageHandle The firmware allocated handle for the EFI ima= ge. > + @param[in] SystemTable A pointer to the EFI System Table. > + > + @retval EFI_SUCCESS The entry point is executed successfully. > + @retval Others Some error occurs when executing this entry p= oint. > + > +**/ > +EFI_STATUS > +EFIAPI > +InitializeTcgStandaloneMm ( > + IN EFI_HANDLE ImageHandle, > + IN EFI_MM_SYSTEM_TABLE *SystemTable > + ) > +{ > + return InitializeTcgCommon (); > +} > diff --git > a/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf > b/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf > new file mode 100644 > index 000000000000..5533ce2b6e6e > --- /dev/null > +++ b/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf 
> @@ -0,0 +1,39 @@ > +## @file > +# Runtime DXE part corresponding to StandaloneMM Tcg2 module. > +# > +# This module installs gTcg2MmSwSmiRegisteredGuid to notify readiness = of > +# StandaloneMM Tcg2 module. > +# > +# Copyright (c) Microsoft Corporation. > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION =3D 0x0001001A > + BASE_NAME =3D Tcg2MmDependencyLib > + FILE_GUID =3D 94C210EA-3113-4563-ADEB-76FE759C2F= 46 > + MODULE_TYPE =3D DXE_DRIVER > + LIBRARY_CLASS =3D NULL > + CONSTRUCTOR =3D Tcg2MmDependencyLibConstructor > + > +# > +# The following information is for reference only and not required by t= he build > tools. > +# > +# VALID_ARCHITECTURES =3D IA32 X64 > +# > +# > + > +[Sources] > + Tcg2MmDependencyLib.c > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + SecurityPkg/SecurityPkg.dec > + > +[Guids] > + gTcg2MmSwSmiRegisteredGuid ## PRODUCES ## GUID # = Install > protocol > + > +[Depex] > + TRUE > diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.c= i.yaml > index 03be2e94ca97..d7b9e1f4e239 100644 > --- a/SecurityPkg/SecurityPkg.ci.yaml > +++ b/SecurityPkg/SecurityPkg.ci.yaml > @@ -31,6 +31,7 @@ > "MdePkg/MdePkg.dec", > "MdeModulePkg/MdeModulePkg.dec", > "SecurityPkg/SecurityPkg.dec", > + "StandaloneMmPkg/StandaloneMmPkg.dec", > "CryptoPkg/CryptoPkg.dec" > ], > # For host based unit tests > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec > index 0970cae5c75e..dfbbb0365a2b 100644 > --- a/SecurityPkg/SecurityPkg.dec > +++ b/SecurityPkg/SecurityPkg.dec > @@ -383,6 +383,7 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, > PcdsDynamic, PcdsDynamicEx] > gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1|UINT8|0x0001000E > > ## Guid name to identify TPM instance.

> + # NOTE: This Pcd must be FixedAtBuild if Standalone MM is used > # TPM_DEVICE_INTERFACE_NONE means disable.
> # TPM_DEVICE_INTERFACE_TPM12 means TPM 1.2 DTPM.
> # TPM_DEVICE_INTERFACE_DTPM2 means TPM 2.0 DTPM.
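Review bot: The new NOTE on PcdTpmInstanceGuid in SecurityPkg.dec ("must be FixedAtBuild if Standalone MM is used") is contradicted by the SecurityPkg.dsc hunk in this same patch, which keeps `gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid` under `[PcdsDynamicDefault.common.DEFAULT]` while adding Tcg2StandaloneMm.inf, a module that lists the PCD under `[Pcd]` as CONSUMES. Either give the MM_STANDALONE component a FixedAtBuild override in the dsc or state in the commit message how the package build satisfies the constraint, otherwise the note documents a rule the reference build itself breaks.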
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc > index 928bff72baa3..37242da93f3d 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc > @@ -166,6 +166,14 @@ [LibraryClasses.common.DXE_SMM_DRIVER] > > Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/S= m > mTcg2PhysicalPresenceLib.inf > SmmIoLib|MdePkg/Library/SmmIoLib/SmmIoLib.inf > > +[LibraryClasses.common.MM_STANDALONE] > + > StandaloneMmDriverEntryPoint|MdePkg/Library/StandaloneMmDriverEntryPoin > t/StandaloneMmDriverEntryPoint.inf > + > MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/Standalo > neMmServicesTableLib.inf > + > Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/S= ta > ndaloneMmTcg2PhysicalPresenceLib.inf > + > MemLib|StandaloneMmPkg/Library/StandaloneMmMemLib/StandaloneMmMe > mLib.inf > + > HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLi > b.inf > + > MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAlloca > tionLib/StandaloneMmMemoryAllocationLib.inf > + > [PcdsDynamicDefault.common.DEFAULT] > gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0xb6, 0xe5, 0x01, 0= x8b, > 0x19, 0x4f, 0xe8, 0x46, 0xab, 0x93, 0x1c, 0x53, 0x67, 0x1b, 0x90, 0xcc} > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2InitializationPolicy|1 > @@ -183,6 +191,7 @@ [PcdsDynamicHii.common.DEFAULT] > [Components] > SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.i= nf > > SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticati= on > StatusLib.inf > + SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf > > # > # TPM 
> @@ -317,6 +326,7 @@ [Components.IA32, Components.X64] > SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf > SecurityPkg/Tcg/TcgSmm/TcgSmm.inf > SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf > + SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf > SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf > > SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLi= b > .inf > > SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/StandaloneMmTcg2PhysicalP > resenceLib.inf > diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf > b/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf > new file mode 100644 > index 000000000000..746eda3e9fed > --- /dev/null > +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf > @@ -0,0 +1,77 @@ > +## @file > +# Provides ACPI methods for TPM 2.0 support > +# > +# Spec Compliance Info: > +# "TCG ACPI Specification Version 1.2 Revision 8" > +# "Physical Presence Interface Specification Version 1.30 Revision = 00.52" > +# along with > +# "Errata Version 0.4 for TCG PC Client Platform Physical Presence = Interface > Specification" > +# "Platform Reset Attack Mitigation Specification Version 1.00" > +# TPM2.0 ACPI device object > +# "TCG PC Client Platform Firmware Profile Specification for TPM Fa= mily 2.0 > Level 00 Revision 1.03 v51" > +# along with > +# "Errata for PC Client Specific Platform Firmware Profile Specific= ation > Version 1.0 Revision 1.03" > +# > +# This driver implements TPM 2.0 definition block in ACPI table and > +# registers SMI callback functions for Tcg2 physical presence and > +# MemoryClear to handle the requests from ACPI method. > +# > +# Caution: This module requires additional review when modified. > +# This driver will have external input - variable and ACPINvs data in = SMM mode. > +# This external input must be validated carefully to avoid security is= sue. > +# > +# Copyright (c) 2015 - 2019, Intel Corporation. All rights reserved. > +# Copyright (c) Microsoft Corporation.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION =3D 0x00010005 > + BASE_NAME =3D Tcg2StandaloneMm > + FILE_GUID =3D D40F321F-5349-4724-B667-1316705878= 61 > + MODULE_TYPE =3D MM_STANDALONE > + PI_SPECIFICATION_VERSION =3D 0x00010032 > + VERSION_STRING =3D 1.0 > + ENTRY_POINT =3D InitializeTcgStandaloneMm > + > +[Sources] > + Tcg2Smm.h > + Tcg2Smm.c > + Tcg2StandaloneMm.c > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + SecurityPkg/SecurityPkg.dec > + StandaloneMmPkg/StandaloneMmPkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + StandaloneMmDriverEntryPoint > + MmServicesTableLib > + DebugLib > + Tcg2PhysicalPresenceLib > + PcdLib > + MemLib > + > +[Guids] > + ## SOMETIMES_PRODUCES ## Variable:L"MemoryOverwriteRequestControl" > + ## SOMETIMES_CONSUMES ## Variable:L"MemoryOverwriteRequestControl" > + gEfiMemoryOverwriteControlDataGuid > + > + gEfiTpmDeviceInstanceTpm20DtpmGuid ## PROD= UCES ## > GUID # TPM device identifier > + gTpmNvsMmGuid ## CONS= UMES > + > +[Protocols] > + gEfiSmmSwDispatch2ProtocolGuid ## CONS= UMES > + gEfiSmmVariableProtocolGuid ## CONS= UMES > + gEfiMmReadyToLockProtocolGuid ## CONS= UMES > + > +[Pcd] > + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid ## CONS= UMES > + > +[Depex] > + gEfiSmmSwDispatch2ProtocolGuid AND > + gEfiSmmVariableProtocolGuid > -- > 2.30.0.windows.1 --_000_MWHPR06MB3102313B11E3A1B96A3BA768F39A9MWHPR06MB3102namp_ Content-Type: text/html; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable
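Review bot: In Tcg2MmDependencyLib.c the constructor publishes gTcg2MmSwSmiRegisteredGuid unconditionally, so the "readiness" it signals is only as good as the depex of whichever DXE driver links this NULL library; nothing in the file header says that the host must depend on gEfiMmCommunication2ProtocolGuid, which is the whole contract. Spell that out in the header (or, as agreed later in the thread, move the install into a DXE driver that carries that depex itself). Two smaller points: the `@param SystemTable` text says "Management mode System Table" although the parameter is an `EFI_SYSTEM_TABLE *` for a DXE-side library, and after `ASSERT_EFI_ERROR (Status);` the function returns `EFI_SUCCESS` regardless, so in a RELEASE build a failed `InstallProtocolInterface` leaves Tcg2Acpi undispatched with no trace; at least emit a DEBUG message with the status on the failure path.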
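Review bot: In Tcg2StandaloneMm.c the comment on `Tcg2NotifyMmReady` still reads "Notify the system that the SMM variable driver is ready", copied from the variable driver; it should name the Tcg2 MM driver and say why the body is empty in this instance, namely that a Standalone MM driver has no boot services and cannot install a protocol in the DXE protocol database, so the DXE-side Tcg2MmDependencyLib publishes gTcg2MmSwSmiRegisteredGuid on its behalf. Without that sentence a reader of this file alone cannot tell whether the empty body is an omission. Routing `IsBufferOutsideMmValid` through `MmIsBufferOutsideMmValid` is the right choice, since that is the check that keeps the untrusted PhysicalPresenceCallback() and MemoryClearCallback() input named in the "Caution" block out of MMRAM; it would be worth a comment saying so.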
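Review bot: In Tcg2MmDependencyLib.inf, `LIBRARY_CLASS = NULL` carries no module-type restriction, yet the constructor calls `gBS->InstallProtocolInterface` via UefiBootServicesTableLib; restricting it (for example `NULL|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_DRIVER`) lets the build reject linking it into a PEIM or MM module instead of failing at link time or, worse, at run time. `MdeModulePkg/MdeModulePkg.dec` in `[Packages]` is not needed by anything in the source, and if the library is also expected on AARCH64 Standalone MM platforms the reference comment `VALID_ARCHITECTURES = IA32 X64` should say so.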
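Review bot: In SecurityPkg.dsc, Tcg2StandaloneMm.inf is added under `[Components.IA32, Components.X64]` while Tcg2MmDependencyLib.inf goes into the arch-independent `[Components]`; if the Standalone MM driver is meant for AARCH64 platforms as well, it is never built by this dsc. The new `[LibraryClasses.common.MM_STANDALONE]` section also maps no MM_STANDALONE-specific PcdLib or DebugLib, both of which Tcg2StandaloneMm.inf lists, so those classes silently inherit whatever the common `[LibraryClasses]` section provides; please confirm those instances are usable from a Standalone MM driver.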
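Review bot: In Tcg2StandaloneMm.inf the "Caution" block and the `[Guids]`/`[Protocols]` usage comments are carried over from Tcg2Smm.inf, but nothing in the file points to Tcg2MmDependencyLib as the DXE-side counterpart that now publishes the readiness GUID Tcg2NotifyMmReady() no longer installs; a one-line pointer in the header ties the two new files together for anyone reading the Standalone MM INF alone. Also, `INF_VERSION = 0x00010005` here versus `0x0001001A` in Tcg2MmDependencyLib.inf is inconsistent for two files added by the same patch.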

Thanks for the explanation. I will update Tcg2Smm s= upport in v4 to your suggested pattern and follow up on variable smm update= in a separate patch series.

 

Regards,

Kun

 

From: Yao, Jiewen
Sent: Monday, March 1, 2021 01:27
To: Kun Qin; devel@edk2.groups.io
Cc: Wang, Jian J; Zhang, Qi1; Kumar, Rahul1; Yao, Jiewen
Subject: RE: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Adde= d support for Standalone Mm

 

Personally, I prefer a separate DXE driver at this = moment.

 

The reason is that: It will be easy that we have a = flexible feature ON/OFF in the binary level in the future.

Linking different feature lib into one common drive= r will cause a big problem in such case.

Sorry, I did not catch that in VariableStandaloneMM= enabling time.

 

I am not worried about too much on size, because th= e DXE FV will be compressed. The compression algo should be smart enough to= catch the same code pattern.

 

I prefer we use this patter for TcgSmm support in V= 4.

And another patch for VariableSmm update.

 

Thank you

Yao Jiewen

 

From: Kun Qin <kun.q@outlook.com>
Sent: Monday, March 1, 2021 4:57 PM
To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io<= br> Cc: Wang, Jian J <jian.j.wang@intel.com>; Zhang, Qi1 <qi1.= zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>; Yao, Jie= wen <jiewen.yao@intel.com>
Subject: RE: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Adde= d support for Standalone Mm

 

Hi Jiewen,

 

Sure, I can send the update with moving VariableMmD= ependency to MdeModulePkg for consistency. It will be my first time to move= a module from one package to another, could you please let me know if I sh= ould make 2 patches for this purpose? (one patch for deleting the current instance, and a subsequent patch that= adds the same instance to new location?) Or a single patch will be good en= ough?

 

As per dependency library, do you mean you prefer t= o publish these dummy protocols from a DXE driver instead of anonymous libr= ary? Yes, that should work as well and it does seem cleaner and more flexib= le than linked library. The only drawback I could think of is the code size will be potentially larger than current= solution due to library code linkages. Would you prefer me to make this ch= ange for both Tcg2Mm and VariableMm? I can send them in v4 patches.

 

Thanks,

Kun

 

From: Yao, Jiewen
Sent: Monday, March 1, 2021 00:28
To: devel@edk2.groups.io; kun.q@outlook.com
Cc: Wang, Jian J; Zhang, Qi1; Kumar, Rahul1; Yao, Jiewen
Subject: RE: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Adde= d support for Standalone Mm

 

Sorry for late response.

I am thinking what is the best way to address such = dependency issue.

 

  1. If we take similar design, we need add XxxMmDependency in any Standa= loneMm module with DXE communication capability, right?
  2.  

    Now we have different rules:

    1. The VariableMmDependency is in StandaloneMmPkg instead of MdeModuleP= kg
    2. The Tcg2MmDependency is in SecurityPkg instead of S= tandaloneMmPkg.

     

    I think we have a consistence way to add the depend= ency module.

    I prefer to put it to the same package as the Stand= aloneMm module.

    Can we move VariableMmDependency to MdeModulePkg ?<= o:p>

     

    1. Also, I don=92t think a Library is absolutely needed.

    It could be a DXE driver with gEfiMmCommunication2P= rotocolGuid in dependency section, right?

    E.g. a Tcg2MmDependencyDxe in SecurityPkg/Tcg/Smm, = and VariableMmDependencyDxe in MdeModulePkg/Universal/Variable

     

    Thank you

    Yao Jiewen

     

     

    From: devel@edk2.groups.io <deve= l@edk2.groups.io> On Behalf Of Kun Qin
    Sent: Thursday, February 25, 2021 10:26 AM
    To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel= .com>
    Cc: Wang, Jian J <jian.= j.wang@intel.com>; Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
    Subject: Re: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Adde= d support for Standalone Mm

     

    Hi Jiewen,

     

    Do you have any feedback on this patch based on my = previous reply?

     

    By the way, the reason I did not add this dependenc= y library in StandaloneMmPkg was because it will make standalone package to= depend on SecurityPkg, which does not seem adequate. Please let me know ho= w you think. Thanks in advance.

     

    Regards,

    Kun

     

     

    Hi Jiewen,

     

    This is essentially following the example of Variab= leStandaloneMm model here:

    StandaloneMmPkg/Library: Install Vari= able Arch Protocol =B7 tianocore/edk2@326598e (github.com)

     

    The intended usage for this library, in the context= of Standalone MM, is to link this library to the MM IPL driver (or any oth= er drivers that has a dependency on gEfiMmCommunication2ProtocolGuid), whic= h will make sure MM communicate is ready to use (and all MM drivers dispatched) before DXE core dispatch Tcg= 2Acpi driver. I could add an example like below in the commit message if yo= u think that will help on the intended usage:

    ```

      MdeModulePkg/Universal/FaultTolerantWriteDxe= /FaultTolerantWriteSmmDxe.inf {

        <LibraryClasses>

          NULL| SecurityPkg/Li= brary/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf

      }

    ```

     

    Or if you have any other ideas on making sure of th= e loading order, please let me know as well.

     

    Thanks,

    Kun

     

     

    I am not sure if Tcg= 2MmDependencyLib is the best solution.

    It seems NULL lib instance. But I am not sure how it is used.

    Can we have an example in SecurityPkg.dsc?



    > -----Original Message-----
    > From: Kun Qin <
    kun.q@outlook.= com>
    > Sent: Wednesday, February 10, 2021 9:25 AM
    > To: devel@edk2.groups.io<= br> > Cc: Yao, Jiewen <jiewen.ya= o@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
    > Zhang, Qi1 <qi1.zhang@intel= .com>; Kumar, Rahul1 <r= ahul1.kumar@intel.com>
    > Subject: [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Added support for Stand= alone
    > Mm
    >
    > htt= ps://bugzilla.tianocore.org/show_bug.cgi?id=3D3169
    >
    > This change added Standalone MM instance of Tcg2. The notify function= for
    > Standalone MM instance is left empty.
    >
    > A designated dependency library was created for DXE drivers to link a= s an
    > anonymous library.
    >
    > Lastly, the support of CI build for Tcg2 Standalone MM module is adde= d.
    >
    > Cc: Jiewen Yao <jiewen.yao= @intel.com>
    > Cc: Jian J Wang <jian.j.w= ang@intel.com>
    > Cc: Qi Zhang <qi1.zhang@int= el.com>
    > Cc: Rahul Kumar <rahul1.= kumar@intel.com>
    >
    > Signed-off-by: Kun Qin <kun.q= @outlook.com>
    > ---
    >
    > Notes:
    >     v2:
    >     - Newly added.
    >
    >  SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.c&n= bsp;  | 48
    > ++++++++++++
    >  SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.c   &nb= sp;            =       | 71
    > ++++++++++++++++++
    >  SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf= | 39
    > ++++++++++
    >  SecurityPkg/SecurityPkg.ci.yaml     &n= bsp;            = ;            &n= bsp;  |  1 +
    >  SecurityPkg/SecurityPkg.dec      =             &nb= sp;            =       |  1 +
    >  SecurityPkg/SecurityPkg.dsc      =             &nb= sp;            =       | 10 +++
    >  SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf   &= nbsp;           &nbs= p;    | 77
    > ++++++++++++++++++++
    >  7 files changed, 247 insertions(+)
    >
    > diff --git
    > a/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.c
    > b/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.c
    > new file mode 100644
    > index 000000000000..12b23813dce1
    > --- /dev/null
    > +++ b/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.c > @@ -0,0 +1,48 @@
    > +/** @file
    > +  Runtime DXE part corresponding to StandaloneMM Tcg2 module. > +
    > +This module installs gTcg2MmSwSmiRegisteredGuid to notify readiness = of
    > +StandaloneMM Tcg2 module.
    > +
    > +Copyright (c) 2019 - 2021, Arm Ltd. All rights reserved.
    > +Copyright (c) Microsoft Corporation.
    > +
    > +SPDX-License-Identifier: BSD-2-Clause-Patent
    > +
    > +**/
    > +
    > +#include <PiDxe.h>
    > +
    > +#include <Library/DebugLib.h>
    > +#include <Library/UefiBootServicesTableLib.h>
    > +
    > +/**
    > +  The constructor function installs gTcg2MmSwSmiRegisteredGuid = to notify
    > +  readiness of StandaloneMM Tcg2 module.
    > +
    > +  @param  ImageHandle   The firmware allocated h= andle for the EFI image.
    > +  @param  SystemTable   A pointer to the Managem= ent mode System Table.
    > +
    > +  @retval EFI_SUCCESS   The constructor always return= s EFI_SUCCESS.
    > +
    > +**/
    > +EFI_STATUS
    > +EFIAPI
    > +Tcg2MmDependencyLibConstructor (
    > +  IN EFI_HANDLE        =             &nb= sp;      ImageHandle,
    > +  IN EFI_SYSTEM_TABLE       =             &nb= sp; *SystemTable
    > +  )
    > +{
    > +  EFI_STATUS        &nb= sp;   Status;
    > +  EFI_HANDLE        &nb= sp;   Handle;
    > +
    > +  Handle =3D NULL;
    > +  Status =3D gBS->InstallProtocolInterface (
    > +           &n= bsp;      &Handle,
    > +           &n= bsp;      &gTcg2MmSwSmiRegisteredGuid,
    > +           &n= bsp;      EFI_NATIVE_INTERFACE,
    > +           &n= bsp;      NULL
    > +           &n= bsp;      );
    > +  ASSERT_EFI_ERROR (Status);
    > +  return EFI_SUCCESS;
    > +}
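Review bot: Tcg2MmDependencyLibConstructor installs gTcg2MmSwSmiRegisteredGuid unconditionally and returns EFI_SUCCESS even when InstallProtocolInterface fails, so on a release build (where ASSERT_EFI_ERROR compiles out) a failed install is reported as success and a consumer of the GUID can be told the MM instance is ready when nothing was installed; return Status, or at least DEBUG-log the failure. The @param comment for SystemTable says "Management mode System Table" although the parameter type is EFI_SYSTEM_TABLE and the file is built as a DXE library (PiDxe.h, gBS); fix the comment. Note also that the readiness signal now comes from whichever DXE driver links this NULL library rather than from the MM module itself: the constructor cannot check that the Standalone MM Tcg2 instance has actually registered its handlers, so this design relies on the platform guaranteeing that Standalone MM dispatch completes before that DXE driver loads, and the file header should say so.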
    > diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.c
    > b/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.c
    > new file mode 100644
    > index 000000000000..9e0095efbc5e
    > --- /dev/null
    > +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.c
    > @@ -0,0 +1,71 @@
    > +/** @file
    > +  TCG2 Standalone MM driver that updates TPM2 items in ACPI tab= le and
    > registers
    > +  SMI2 callback functions for Tcg2 physical presence, ClearMemo= ry, and
    > +  sample for dTPM StartMethod.
    > +
    > +  Caution: This module requires additional review when modified= .
    > +  This driver will have external input - variable and ACPINvs d= ata in SMM mode.
    > +  This external input must be validated carefully to avoid secu= rity issue.
    > +
    > +  PhysicalPresenceCallback() and MemoryClearCallback() will rec= eive untrusted
    > input and do some check.
    > +
    > +Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.&l= t;BR>
    > +Copyright (c) Microsoft Corporation.
    > +SPDX-License-Identifier: BSD-2-Clause-Patent
    > +
    > +**/
    > +
    > +#include "Tcg2Smm.h"
    > +#include <Library/StandaloneMmMemLib.h>
    > +
    > +/**
    > +  Notify the system that the SMM variable driver is ready.
    > +**/
    > +VOID
    > +Tcg2NotifyMmReady (
    > +  VOID
    > +  )
    > +{
    > +  // Do nothing
    > +}
    > +
    > +/**
    > +  This function is an abstraction layer for implementation spec= ific Mm buffer
    > validation routine.
    > +
    > +  @param Buffer  The buffer start address to be checked. > +  @param Length  The buffer length to be checked.
    > +
    > +  @retval TRUE  This buffer is valid per processor archite= cture and not overlap
    > with SMRAM.
    > +  @retval FALSE This buffer is not valid per processor architec= ture or overlap
    > with SMRAM.
    > +**/
    > +BOOLEAN
    > +IsBufferOutsideMmValid (
    > +  IN EFI_PHYSICAL_ADDRESS  Buffer,
    > +  IN UINT64        &nbs= p;       Length
    > +  )
    > +{
    > +  return MmIsBufferOutsideMmValid (Buffer, Length);
    > +}
    > +
    > +/**
    > +  The driver's entry point.
    > +
    > +  It install callbacks for TPM physical presence and MemoryClea= r, and locate
    > +  SMM variable to be used in the callback function.
    > +
    > +  @param[in] ImageHandle  The firmware allocated handle fo= r the EFI image.
    > +  @param[in] SystemTable  A pointer to the EFI System Tabl= e.
    > +
    > +  @retval EFI_SUCCESS     The entry point i= s executed successfully.
    > +  @retval Others        = ;  Some error occurs when executing this entry point.
    > +
    > +**/
    > +EFI_STATUS
    > +EFIAPI
    > +InitializeTcgStandaloneMm (
    > +  IN EFI_HANDLE        =           ImageHandle,
    > +  IN EFI_MM_SYSTEM_TABLE      &nb= sp;  *SystemTable
    > +  )
    > +{
    > +  return InitializeTcgCommon ();
    > +}
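Review bot: the doc comment on Tcg2NotifyMmReady says it notifies that "the SMM variable driver is ready", which is neither what the Tcg2Smm variant publishes (gTcg2MmSwSmiRegisteredGuid) nor what this empty body does; reword it to state that the Standalone MM instance deliberately does nothing here because readiness is published from the DXE side by Tcg2MmDependencyLib. IsBufferOutsideMmValid wrapping MmIsBufferOutsideMmValid is the right hook for the untrusted-input check the header warns about; its comment should state that PhysicalPresenceCallback() and MemoryClearCallback() in the shared Tcg2Smm.c must call it before reading or writing any caller-supplied buffer, since that is the check that keeps a buffer overlapping MMRAM from being processed. The file header still says the driver "updates TPM2 items in ACPI table" and registers "SMI2 callback functions ... and sample for dTPM StartMethod", text carried over from Tcg2Smm; trim it to what this module does, given that InitializeTcgCommon() is the only thing the entry point calls.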
    > diff --git
    > a/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf
    > b/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf
    > new file mode 100644
    > index 000000000000..5533ce2b6e6e
    > --- /dev/null
    > +++ b/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf=
    > @@ -0,0 +1,39 @@
    > +## @file
    > +#  Runtime DXE part corresponding to StandaloneMM Tcg2 module.<= br> > +#
    > +#  This module installs gTcg2MmSwSmiRegisteredGuid to notify re= adiness of
    > +#  StandaloneMM Tcg2 module.
    > +#
    > +# Copyright (c) Microsoft Corporation.
    > +# SPDX-License-Identifier: BSD-2-Clause-Patent
    > +#
    > +##
    > +
    > +[Defines]
    > +  INF_VERSION        &n= bsp;           =3D 0x0001= 001A
    > +  BASE_NAME        &nbs= p;             = = =3D Tcg2MmDependencyLib
    > +  FILE_GUID        &nbs= p;             = = =3D 94C210EA-3113-4563-ADEB-76FE759C2F46
    > +  MODULE_TYPE        &n= bsp;           =3D DXE_DR= IVER
    > +  LIBRARY_CLASS        =           =3D NULL
    > +  CONSTRUCTOR        &n= bsp;           =3D Tcg2Mm= DependencyLibConstructor
    > +
    > +#
    > +# The following information is for reference only and not required b= y the build
    > tools.
    > +#
    > +#  VALID_ARCHITECTURES       = ;    =3D IA32 X64
    > +#
    > +#
    > +
    > +[Sources]
    > +  Tcg2MmDependencyLib.c
    > +
    > +[Packages]
    > +  MdePkg/MdePkg.dec
    > +  MdeModulePkg/MdeModulePkg.dec
    > +  SecurityPkg/SecurityPkg.dec
    > +
    > +[Guids]
    > +  gTcg2MmSwSmiRegisteredGuid      = ;   ## PRODUCES        &n= bsp;    ## GUID # Install
    > protocol
    > +
    > +[Depex]
    > +  TRUE
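Review bot: the .inf has no [LibraryClasses] section, yet Tcg2MmDependencyLib.c includes Library/DebugLib.h and Library/UefiBootServicesTableLib.h and uses gBS and ASSERT_EFI_ERROR; add `DebugLib` and `UefiBootServicesTableLib` so the dependency is declared rather than inherited from whichever driver happens to link this NULL library. Conversely, [Packages] lists MdeModulePkg/MdeModulePkg.dec although nothing in the source needs it (PiDxe.h and both library headers are MdePkg, and the GUID is SecurityPkg); drop it unless something requires it. Also, the .c carries "Copyright (c) 2019 - 2021, Arm Ltd." while the .inf carries only the Microsoft line; make the two headers consistent.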
    > diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPk= g.ci.yaml
    > index 03be2e94ca97..d7b9e1f4e239 100644
    > --- a/SecurityPkg/SecurityPkg.ci.yaml
    > +++ b/SecurityPkg/SecurityPkg.ci.yaml
    > @@ -31,6 +31,7 @@
    >           &nbs= p;  "MdePkg/MdePkg.dec",
    >           &nbs= p;  "MdeModulePkg/MdeModulePkg.dec",
    >           &nbs= p;  "SecurityPkg/SecurityPkg.dec",
    > +            &= quot;StandaloneMmPkg/StandaloneMmPkg.dec",
    >           &nbs= p;  "CryptoPkg/CryptoPkg.dec"
    >          ],
    >          # For host base= d unit tests
    > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.de= c
    > index 0970cae5c75e..dfbbb0365a2b 100644
    > --- a/SecurityPkg/SecurityPkg.dec
    > +++ b/SecurityPkg/SecurityPkg.dec
    > @@ -383,6 +383,7 @@ [PcdsFixedAtBuild, PcdsPatchableInModule,
    > PcdsDynamic, PcdsDynamicEx]
    >    gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1|U= INT8|0x0001000E
    >
    >    ## Guid name to identify TPM instance.<BR><= ;BR>
    > +  #  NOTE: This Pcd must be FixedAtBuild if Standalone MM = is used
    >    #  TPM_DEVICE_INTERFACE_NONE means disable.<= ;BR>
    >    #  TPM_DEVICE_INTERFACE_TPM12 means TPM 1.2 DT= PM.<BR>
    >    #  TPM_DEVICE_INTERFACE_DTPM2 means TPM 2.0 DT= PM.<BR>
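Review bot: the added NOTE says PcdTpmInstanceGuid must be FixedAtBuild when Standalone MM is used, but the PCD stays declared under [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx], so nothing stops a platform .dsc from keeping it dynamic and having the MM_STANDALONE module read a value that was never reachable from MM. A comment is not enforceable; spell out the consequence in the note (a Standalone MM module has no access to the DXE PCD protocol, so a dynamic value is not visible to Tcg2StandaloneMm) and reference this constraint from Tcg2StandaloneMm.inf where the PCD is listed as CONSUMES.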
    > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.ds= c
    > index 928bff72baa3..37242da93f3d 100644
    > --- a/SecurityPkg/SecurityPkg.dsc
    > +++ b/SecurityPkg/SecurityPkg.dsc
    > @@ -166,6 +166,14 @@ [LibraryClasses.common.DXE_SMM_DRIVER]
    >
    > Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLi= b/Sm
    > mTcg2PhysicalPresenceLib.inf
    >    SmmIoLib|MdePkg/Library/SmmIoLib/SmmIoLib.inf
    >
    > +[LibraryClasses.common.MM_STANDALONE]
    > +
    > StandaloneMmDriverEntryPoint|MdePkg/Library/StandaloneMmDriverEntryPo= in
    > t/StandaloneMmDriverEntryPoint.inf
    > +
    > MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/Standa= lo
    > neMmServicesTableLib.inf
    > +
    > Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLi= b/Sta
    > ndaloneMmTcg2PhysicalPresenceLib.inf
    > +
    > MemLib|StandaloneMmPkg/Library/StandaloneMmMemLib/StandaloneMmMe
    > mLib.inf
    > +
    > HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLi > b.inf
    > +
    > MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAlloca<= br> > tionLib/StandaloneMmMemoryAllocationLib.inf
    > +
    >  [PcdsDynamicDefault.common.DEFAULT]
    >    gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0= xb6, 0xe5, 0x01, 0x8b,
    > 0x19, 0x4f, 0xe8, 0x46, 0xab, 0x93, 0x1c, 0x53, 0x67, 0x1b, 0x90, 0xc= c}
    >    gEfiSecurityPkgTokenSpaceGuid.PcdTpm2Initialization= Policy|1
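Review bot: this same .dsc keeps gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid under [PcdsDynamicDefault.common.DEFAULT] (the context lines directly after the new MM_STANDALONE library mappings) while the Tcg2StandaloneMm.inf added in this patch consumes that PCD and the .dec hunk says it must be FixedAtBuild for Standalone MM. The package build therefore exercises exactly the configuration the note forbids; either move the PCD to a FixedAtBuild section for this .dsc or add a comment stating that the SecurityPkg.dsc build only validates compilation of the MM_STANDALONE module and is not a runtime-valid configuration.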
    > @@ -183,6 +191,7 @@ [PcdsDynamicHii.common.DEFAULT]
    >  [Components]
    >    SecurityPkg/Library/DxeImageVerificationLib/DxeImag= eVerificationLib.inf
    >
    > SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthentic= ation
    > StatusLib.inf
    > +  SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.i= nf
    >
    >    #
    >    # TPM
    > @@ -317,6 +326,7 @@ [Components.IA32, Components.X64]
    >    SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/T= cgMorLockSmm.inf
    >    SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
    >    SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
    > +  SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf
    >    SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
    >
    > SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenc= eLib
    > .inf
    >
    > SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/StandaloneMmTcg2Physic= alP
    > resenceLib.inf
    > diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf
    > b/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf
    > new file mode 100644
    > index 000000000000..746eda3e9fed
    > --- /dev/null
    > +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf
    > @@ -0,0 +1,77 @@
    > +## @file
    > +#  Provides ACPI methods for TPM 2.0 support
    > +#
    > +#  Spec Compliance Info:
    > +#     "TCG ACPI Specification Version 1.2 R= evision 8"
    > +#     "Physical Presence Interface Specific= ation Version 1.30 Revision 00.52"
    > +#       along with
    > +#     "Errata Version 0.4 for TCG PC Client= Platform Physical Presence Interface
    > Specification"
    > +#     "Platform Reset Attack Mitigation Spe= cification Version 1.00"
    > +#    TPM2.0 ACPI device object
    > +#     "TCG PC Client Platform Firmware Prof= ile Specification for TPM Family 2.0
    > Level 00 Revision 1.03 v51"
    > +#       along with
    > +#     "Errata for PC Client Specific Platfo= rm Firmware Profile Specification
    > Version 1.0 Revision 1.03"
    > +#
    > +#  This driver implements TPM 2.0 definition block in ACPI tabl= e and
    > +#  registers SMI callback functions for Tcg2 physical presence = and
    > +#  MemoryClear to handle the requests from ACPI method.
    > +#
    > +#  Caution: This module requires additional review when modifie= d.
    > +#  This driver will have external input - variable and ACPINvs = data in SMM mode.
    > +#  This external input must be validated carefully to avoid sec= urity issue.
    > +#
    > +# Copyright (c) 2015 - 2019, Intel Corporation. All rights reserved.= <BR>
    > +# Copyright (c) Microsoft Corporation.<BR>
    > +# SPDX-License-Identifier: BSD-2-Clause-Patent
    > +#
    > +##
    > +
    > +[Defines]
    > +  INF_VERSION        &n= bsp;           =3D 0x0001= 0005
    > +  BASE_NAME        &nbs= p;             = = =3D Tcg2StandaloneMm
    > +  FILE_GUID        &nbs= p;             = = =3D D40F321F-5349-4724-B667-131670587861
    > +  MODULE_TYPE        &n= bsp;           =3D MM_STA= NDALONE
    > +  PI_SPECIFICATION_VERSION       = = =3D 0x00010032
    > +  VERSION_STRING        = ;         =3D 1.0
    > +  ENTRY_POINT        &n= bsp;           =3D Initia= lizeTcgStandaloneMm
    > +
    > +[Sources]
    > +  Tcg2Smm.h
    > +  Tcg2Smm.c
    > +  Tcg2StandaloneMm.c
    > +
    > +[Packages]
    > +  MdePkg/MdePkg.dec
    > +  MdeModulePkg/MdeModulePkg.dec
    > +  SecurityPkg/SecurityPkg.dec
    > +  StandaloneMmPkg/StandaloneMmPkg.dec
    > +
    > +[LibraryClasses]
    > +  BaseLib
    > +  BaseMemoryLib
    > +  StandaloneMmDriverEntryPoint
    > +  MmServicesTableLib
    > +  DebugLib
    > +  Tcg2PhysicalPresenceLib
    > +  PcdLib
    > +  MemLib
    > +
    > +[Guids]
    > +  ## SOMETIMES_PRODUCES ## Variable:L"MemoryOverwriteReque= stControl"
    > +  ## SOMETIMES_CONSUMES ## Variable:L"MemoryOverwriteReque= stControl"
    > +  gEfiMemoryOverwriteControlDataGuid
    > +
    > +  gEfiTpmDeviceInstanceTpm20DtpmGuid    &nb= sp;            =            ## PRODUCES&nb= sp;          ##
    > GUID       # TPM device identifier
    > +  gTpmNvsMmGuid        =             &nb= sp;            =             &nb= sp;   ## CONSUMES
    > +
    > +[Protocols]
    > +  gEfiSmmSwDispatch2ProtocolGuid     &= nbsp;           &nbs= p;            &= nbsp; ## CONSUMES
    > +  gEfiSmmVariableProtocolGuid     &nbs= p;            &= nbsp;           &nbs= p;    ## CONSUMES
    > +  gEfiMmReadyToLockProtocolGuid     &n= bsp;            = ;            &n= bsp;  ## CONSUMES
    > +
    > +[Pcd]
    > +  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid  &= nbsp;           ## CONSUM= ES
    > +
    > +[Depex]
    > +  gEfiSmmSwDispatch2ProtocolGuid AND
    > +  gEfiSmmVariableProtocolGuid
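Review bot: the header describes the module as one that "Provides ACPI methods for TPM 2.0 support" and "implements TPM 2.0 definition block in ACPI table", text inherited from Tcg2Smm.inf; the Standalone MM entry point in this patch only calls InitializeTcgCommon(), so the header should be trimmed to the SW SMI handlers this module registers and leave the ACPI description to the DXE side. [Protocols] lists gEfiMmReadyToLockProtocolGuid as CONSUMES but [Depex] only requires gEfiSmmSwDispatch2ProtocolGuid AND gEfiSmmVariableProtocolGuid; that is fine if the ready-to-lock protocol is only reached through a notify registration in Tcg2Smm.c, but mark it `## NOTIFY` so the asymmetry is visibly deliberate. Finally, INF_VERSION is 0x00010005 here while the new Tcg2MmDependencyLib.inf uses 0x0001001A; align the two new files.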
    > --
    > 2.30.0.windows.1