From: "Kun Qin" <kun.q@outlook.com>
To: devel@edk2.groups.io, jiewen.yao@intel.com
Cc: Wang, Jian J; Zhang, Qi1; Kumar, Rahul1
Subject: Re: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Added support for Standalone Mm
Date: Wed, 24 Feb 2021 01:40:44 +0000
References: <20210210012457.315-1-kun.q@outlook.com>

Hi Jiewen,

This is essentially following the example of the VariableStandaloneMm model here:

StandaloneMmPkg/Library: Install Variable Arch Protocol · tianocore/edk2@326598e (github.com)

The intended usage for this library, in the context of Standalone MM, is to link this library to the MM IPL driver (or any other driver that has a dependency on gEfiMmCommunication2ProtocolGuid), which will make sure MM communicate is ready to use (and all MM drivers dispatched) before DXE core dispatches the Tcg2Acpi driver. I could add an example like below in the commit message if you think that will help on the intended usage:

```
  MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteSmmDxe.inf {
    <LibraryClasses>
      NULL|SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf
  }
```

Or if you have any other ideas on making sure of the loading order, please let me know as well.

Thanks,
Kun

From: Yao, Jiewen
Sent: Tuesday, February 23, 2021 17:26
To: Kun Qin; devel@edk2.groups.io
Cc: Wang, Jian J; Zhang, Qi1; Kumar, Rahul1
Subject: Re: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Added support for Standalone Mm

I am not sure if Tcg2MmDependencyLib is the best solution.
It seems to be a NULL lib instance. But I am not sure how it is used.
Can we have an example in SecurityPkg.dsc?

> -----Original Message-----
> From: Kun Qin <kun.q@outlook.com>
> Sent: Wednesday, February 10, 2021 9:25 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
> Subject: [PATCH v2 5/6] SecurityPkg: Tcg2Smm: Added support for Standalone
> Mm
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=3169
>
> This change added Standalone MM instance of Tcg2. The notify function for
> Standalone MM instance is left empty.
>
> A designated dependency library was created for DXE drivers to link as an
> anonymous library.
>
> Lastly, the support of CI build for Tcg2 Standalone MM module is added.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Qi Zhang <qi1.zhang@intel.com>
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
>
> Signed-off-by: Kun Qin <kun.q@outlook.com>
> ---
>
> Notes:
>     v2:
>     - Newly added.
>
>  SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.c   | 48 ++++++++++++
>  SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.c                      | 71 ++++++++++++++++++
>  SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf | 39 ++++++++++
>  SecurityPkg/SecurityPkg.ci.yaml                                 |  1 +
>  SecurityPkg/SecurityPkg.dec                                     |  1 +
>  SecurityPkg/SecurityPkg.dsc                                     | 10 +++
>  SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf                    | 77 ++++++++++++++++++++
>  7 files changed, 247 insertions(+)
>
> diff --git
> a/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.c
> b/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.c
> new file mode 100644
> index 000000000000..12b23813dce1
> --- /dev/null
> +++ b/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.c > @@ -0,0 +1,48 @@
> +/** @file
> +  Runtime DXE part corresponding to StandaloneMM Tcg2 module. > +
> +This module installs gTcg2MmSwSmiRegisteredGuid to notify readiness = of
> +StandaloneMM Tcg2 module.
> +
> +Copyright (c) 2019 - 2021, Arm Ltd. All rights reserved.
> +Copyright (c) Microsoft Corporation.
> +
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <PiDxe.h>
> +
> +#include <Library/DebugLib.h>
> +#include <Library/UefiBootServicesTableLib.h>
> +
> +/**
> +  The constructor function installs gTcg2MmSwSmiRegisteredGuid = to notify
> +  readiness of StandaloneMM Tcg2 module.
> +
> +  @param  ImageHandle   The firmware allocated h= andle for the EFI image.
> +  @param  SystemTable   A pointer to the Managem= ent mode System Table.
> +
> +  @retval EFI_SUCCESS   The constructor always return= s EFI_SUCCESS.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +Tcg2MmDependencyLibConstructor (
> +  IN EFI_HANDLE        =             &nb= sp;      ImageHandle,
> +  IN EFI_SYSTEM_TABLE       =             &nb= sp; *SystemTable
> +  )
> +{
> +  EFI_STATUS        &nb= sp;   Status;
> +  EFI_HANDLE        &nb= sp;   Handle;
> +
> +  Handle =3D NULL;
> +  Status =3D gBS->InstallProtocolInterface (
> +           &n= bsp;      &Handle,
> +           &n= bsp;      &gTcg2MmSwSmiRegisteredGuid,
> +           &n= bsp;      EFI_NATIVE_INTERFACE,
> +           &n= bsp;      NULL
> +           &n= bsp;      );
> +  ASSERT_EFI_ERROR (Status);
> +  return EFI_SUCCESS;
> +}
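Review bot: the constructor's @param text says SystemTable is "A pointer to the Management mode System Table", but the parameter is declared `IN EFI_SYSTEM_TABLE *SystemTable` and the code runs under gBS in a DXE_DRIVER-type library, so the doc comment is wrong for this module; fix it, and in the same header spell out what the library actually guarantees: it installs gTcg2MmSwSmiRegisteredGuid unconditionally from whichever DXE driver links it, without checking that the Standalone MM Tcg2 module was ever dispatched, so the "readiness" it signals is only as trustworthy as the platform's choice of host driver (the MM IPL, per the reply above). Two smaller points: `ASSERT_EFI_ERROR (Status);` followed by an unconditional `return EFI_SUCCESS;` makes a failed install silent in release builds, so consider returning Status instead; and the "Copyright (c) 2019 - 2021, Arm Ltd." line in a brand-new file alongside the Microsoft copyright looks carried over from the StandaloneMmPkg variable example and should be verified before merge.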
> diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.c
> b/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.c
> new file mode 100644
> index 000000000000..9e0095efbc5e
> --- /dev/null
> +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.c
> @@ -0,0 +1,71 @@
> +/** @file
> +  TCG2 Standalone MM driver that updates TPM2 items in ACPI tab= le and
> registers
> +  SMI2 callback functions for Tcg2 physical presence, ClearMemo= ry, and
> +  sample for dTPM StartMethod.
> +
> +  Caution: This module requires additional review when modified= .
> +  This driver will have external input - variable and ACPINvs d= ata in SMM mode.
> +  This external input must be validated carefully to avoid secu= rity issue.
> +
> +  PhysicalPresenceCallback() and MemoryClearCallback() will rec= eive untrusted
> input and do some check.
> +
> +Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.&l= t;BR>
> +Copyright (c) Microsoft Corporation.
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include "Tcg2Smm.h"
> +#include <Library/StandaloneMmMemLib.h>
> +
> +/**
> +  Notify the system that the SMM variable driver is ready.
> +**/
> +VOID
> +Tcg2NotifyMmReady (
> +  VOID
> +  )
> +{
> +  // Do nothing
> +}
> +
> +/**
> +  This function is an abstraction layer for implementation spec= ific Mm buffer
> validation routine.
> +
> +  @param Buffer  The buffer start address to be checked. > +  @param Length  The buffer length to be checked.
> +
> +  @retval TRUE  This buffer is valid per processor archite= cture and not overlap
> with SMRAM.
> +  @retval FALSE This buffer is not valid per processor architec= ture or overlap
> with SMRAM.
> +**/
> +BOOLEAN
> +IsBufferOutsideMmValid (
> +  IN EFI_PHYSICAL_ADDRESS  Buffer,
> +  IN UINT64        &nbs= p;       Length
> +  )
> +{
> +  return MmIsBufferOutsideMmValid (Buffer, Length);
> +}
> +
> +/**
> +  The driver's entry point.
> +
> +  It install callbacks for TPM physical presence and MemoryClea= r, and locate
> +  SMM variable to be used in the callback function.
> +
> +  @param[in] ImageHandle  The firmware allocated handle fo= r the EFI image.
> +  @param[in] SystemTable  A pointer to the EFI System Tabl= e.
> +
> +  @retval EFI_SUCCESS     The entry point i= s executed successfully.
> +  @retval Others        = ;  Some error occurs when executing this entry point.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +InitializeTcgStandaloneMm (
> +  IN EFI_HANDLE        =           ImageHandle,
> +  IN EFI_MM_SYSTEM_TABLE      &nb= sp;  *SystemTable
> +  )
> +{
> +  return InitializeTcgCommon ();
> +}
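Review bot: the doc comment on Tcg2NotifyMmReady() still says "Notify the system that the SMM variable driver is ready" while the body is "// Do nothing"; it should say why it is empty in this build (in the Standalone MM configuration the readiness GUID is installed from DXE by Tcg2MmDependencyLib instead of from this driver), otherwise the next reader will treat it as an omission and "fix" it. The entry point has the same problem in reverse: SystemTable is documented as "A pointer to the EFI System Table" but the parameter type is EFI_MM_SYSTEM_TABLE *. The file header also keeps "SMI2 callback functions" and "sample for dTPM StartMethod" wording that does not describe this module. On the security-relevant part, IsBufferOutsideMmValid() correctly forwards to MmIsBufferOutsideMmValid(), which is the right primitive here; since the header's Caution says the callbacks receive untrusted variable and ACPI NVS input, add a one-line comment that this check is only as strong as the MM memory ranges the MemLib instance was initialized with, so platform integrators know what they are relying on.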
> diff --git
> a/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf
> b/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf
> new file mode 100644
> index 000000000000..5533ce2b6e6e
> --- /dev/null
> +++ b/SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf=
> @@ -0,0 +1,39 @@
> +## @file
> +#  Runtime DXE part corresponding to StandaloneMM Tcg2 module.<= br> > +#
> +#  This module installs gTcg2MmSwSmiRegisteredGuid to notify re= adiness of
> +#  StandaloneMM Tcg2 module.
> +#
> +# Copyright (c) Microsoft Corporation.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> +  INF_VERSION        &n= bsp;           =3D 0x0001= 001A
> +  BASE_NAME        &nbs= p;             = = =3D Tcg2MmDependencyLib
> +  FILE_GUID        &nbs= p;             = = =3D 94C210EA-3113-4563-ADEB-76FE759C2F46
> +  MODULE_TYPE        &n= bsp;           =3D DXE_DR= IVER
> +  LIBRARY_CLASS        =           =3D NULL
> +  CONSTRUCTOR        &n= bsp;           =3D Tcg2Mm= DependencyLibConstructor
> +
> +#
> +# The following information is for reference only and not required b= y the build
> tools.
> +#
> +#  VALID_ARCHITECTURES       = ;    =3D IA32 X64
> +#
> +#
> +
> +[Sources]
> +  Tcg2MmDependencyLib.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +
> +[Guids]
> +  gTcg2MmSwSmiRegisteredGuid      = ;   ## PRODUCES        &n= bsp;    ## GUID # Install
> protocol
> +
> +[Depex]
> +  TRUE
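Review bot: the INF declares no [LibraryClasses] section, yet Tcg2MmDependencyLib.c calls gBS->InstallProtocolInterface and ASSERT_EFI_ERROR, i.e. it depends on UefiBootServicesTableLib and DebugLib; add both so the dependency is stated by the library rather than satisfied by accident through whatever the host driver already links. Also, MdeModulePkg/MdeModulePkg.dec is listed under [Packages] but nothing in the source references that package, and for a NULL library it is conventional to restrict the supported module types on the LIBRARY_CLASS line, e.g. "LIBRARY_CLASS = NULL|DXE_DRIVER", which would make the build reject an attempt to link this gBS-based constructor into an MM module.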
> diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPk= g.ci.yaml
> index 03be2e94ca97..d7b9e1f4e239 100644
> --- a/SecurityPkg/SecurityPkg.ci.yaml
> +++ b/SecurityPkg/SecurityPkg.ci.yaml
> @@ -31,6 +31,7 @@
>           &nbs= p;  "MdePkg/MdePkg.dec",
>           &nbs= p;  "MdeModulePkg/MdeModulePkg.dec",
>           &nbs= p;  "SecurityPkg/SecurityPkg.dec",
> +            &= quot;StandaloneMmPkg/StandaloneMmPkg.dec",
>           &nbs= p;  "CryptoPkg/CryptoPkg.dec"
>          ],
>          # For host base= d unit tests
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.de= c
> index 0970cae5c75e..dfbbb0365a2b 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -383,6 +383,7 @@ [PcdsFixedAtBuild, PcdsPatchableInModule,
> PcdsDynamic, PcdsDynamicEx]
>    gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1|U= INT8|0x0001000E
>
>    ## Guid name to identify TPM instance.<BR><= ;BR>
> +  #  NOTE: This Pcd must be FixedAtBuild if Standalone MM = is used
>    #  TPM_DEVICE_INTERFACE_NONE means disable.<= ;BR>
>    #  TPM_DEVICE_INTERFACE_TPM12 means TPM 1.2 DT= PM.<BR>
>    #  TPM_DEVICE_INTERFACE_DTPM2 means TPM 2.0 DT= PM.<BR>
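Review bot: the new note "This Pcd must be FixedAtBuild if Standalone MM is used" states a hard requirement without the reason or any enforcement; spell out that a Standalone MM driver has no dynamic PCD service to call, so a dynamic PcdTpmInstanceGuid would be unreadable from Tcg2StandaloneMm (which lists the PCD under [Pcd] in this same patch), and say that the build will not flag a platform that leaves it dynamic. SecurityPkg.dsc in this patch still keeps the PCD under [PcdsDynamicDefault.common.DEFAULT] while building Tcg2StandaloneMm.inf, so either the package DSC should follow its own rule or the note should say the package build only compile-tests the module.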
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.ds= c
> index 928bff72baa3..37242da93f3d 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -166,6 +166,14 @@ [LibraryClasses.common.DXE_SMM_DRIVER]
>
> Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLi= b/Sm
> mTcg2PhysicalPresenceLib.inf
>    SmmIoLib|MdePkg/Library/SmmIoLib/SmmIoLib.inf
>
> +[LibraryClasses.common.MM_STANDALONE]
> +
> StandaloneMmDriverEntryPoint|MdePkg/Library/StandaloneMmDriverEntryPo= in
> t/StandaloneMmDriverEntryPoint.inf
> +
> MmServicesTableLib|MdePkg/Library/StandaloneMmServicesTableLib/Standa= lo
> neMmServicesTableLib.inf
> +
> Tcg2PhysicalPresenceLib|SecurityPkg/Library/SmmTcg2PhysicalPresenceLi= b/Sta
> ndaloneMmTcg2PhysicalPresenceLib.inf
> +
> MemLib|StandaloneMmPkg/Library/StandaloneMmMemLib/StandaloneMmMe
> mLib.inf
> +
> HobLib|StandaloneMmPkg/Library/StandaloneMmHobLib/StandaloneMmHobLi > b.inf
> +
> MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmMemoryAlloca<= br> > tionLib/StandaloneMmMemoryAllocationLib.inf
> +
>  [PcdsDynamicDefault.common.DEFAULT]
>    gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid|{0= xb6, 0xe5, 0x01, 0x8b,
> 0x19, 0x4f, 0xe8, 0x46, 0xab, 0x93, 0x1c, 0x53, 0x67, 0x1b, 0x90, 0xc= c}
>    gEfiSecurityPkgTokenSpaceGuid.PcdTpm2Initialization= Policy|1
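Review bot: the new [LibraryClasses.common.MM_STANDALONE] section maps MemLib, HobLib and MemoryAllocationLib to their StandaloneMmPkg instances but leaves PcdLib to whatever the common section provides, and the unchanged context a few lines below still places PcdTpmInstanceGuid under [PcdsDynamicDefault.common.DEFAULT]; that contradicts the "must be FixedAtBuild if Standalone MM is used" rule this same patch adds to SecurityPkg.dec. Either add a PcdLib mapping for MM_STANDALONE and move PcdTpmInstanceGuid to a FixedAtBuild section for that build, or add a comment that this section exists only so CI can compile the module.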
> @@ -183,6 +191,7 @@ [PcdsDynamicHii.common.DEFAULT]
>  [Components]
>    SecurityPkg/Library/DxeImageVerificationLib/DxeImag= eVerificationLib.inf
>
> SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthentic= ation
> StatusLib.inf
> +  SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.i= nf
>
>    #
>    # TPM
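Review bot: adding SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf as a bare [Components] entry only proves it compiles; it does not answer the question raised in review about how the library is used, because a NULL library does nothing until some DXE driver links it. The reply above already gives the intended form, so put it in the DSC (or at minimum in the commit message) as a component override, i.e. a DXE driver entry followed by "<LibraryClasses>" and "NULL|SecurityPkg/Library/Tcg2MmDependencyLib/Tcg2MmDependencyLib.inf", and state that the host must be the MM IPL or another driver that depends on gEfiMmCommunication2ProtocolGuid, since the library's constructor announces readiness without verifying it.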
> @@ -317,6 +326,7 @@ [Components.IA32, Components.X64]
>    SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/T= cgMorLockSmm.inf
>    SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
>    SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
> +  SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf
>    SecurityPkg/Tcg/Tcg2Acpi/Tcg2Acpi.inf
>
> SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenc= eLib
> .inf
>
> SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/StandaloneMmTcg2Physic= alP
> resenceLib.inf
> diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf
> b/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf
> new file mode 100644
> index 000000000000..746eda3e9fed
> --- /dev/null
> +++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2StandaloneMm.inf
> @@ -0,0 +1,77 @@
> +## @file
> +#  Provides ACPI methods for TPM 2.0 support
> +#
> +#  Spec Compliance Info:
> +#     "TCG ACPI Specification Version 1.2 R= evision 8"
> +#     "Physical Presence Interface Specific= ation Version 1.30 Revision 00.52"
> +#       along with
> +#     "Errata Version 0.4 for TCG PC Client= Platform Physical Presence Interface
> Specification"
> +#     "Platform Reset Attack Mitigation Spe= cification Version 1.00"
> +#    TPM2.0 ACPI device object
> +#     "TCG PC Client Platform Firmware Prof= ile Specification for TPM Family 2.0
> Level 00 Revision 1.03 v51"
> +#       along with
> +#     "Errata for PC Client Specific Platfo= rm Firmware Profile Specification
> Version 1.0 Revision 1.03"
> +#
> +#  This driver implements TPM 2.0 definition block in ACPI tabl= e and
> +#  registers SMI callback functions for Tcg2 physical presence = and
> +#  MemoryClear to handle the requests from ACPI method.
> +#
> +#  Caution: This module requires additional review when modifie= d.
> +#  This driver will have external input - variable and ACPINvs = data in SMM mode.
> +#  This external input must be validated carefully to avoid sec= urity issue.
> +#
> +# Copyright (c) 2015 - 2019, Intel Corporation. All rights reserved.= <BR>
> +# Copyright (c) Microsoft Corporation.<BR>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> +  INF_VERSION        &n= bsp;           =3D 0x0001= 0005
> +  BASE_NAME        &nbs= p;             = = =3D Tcg2StandaloneMm
> +  FILE_GUID        &nbs= p;             = = =3D D40F321F-5349-4724-B667-131670587861
> +  MODULE_TYPE        &n= bsp;           =3D MM_STA= NDALONE
> +  PI_SPECIFICATION_VERSION       = = =3D 0x00010032
> +  VERSION_STRING        = ;         =3D 1.0
> +  ENTRY_POINT        &n= bsp;           =3D Initia= lizeTcgStandaloneMm
> +
> +[Sources]
> +  Tcg2Smm.h
> +  Tcg2Smm.c
> +  Tcg2StandaloneMm.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +  StandaloneMmPkg/StandaloneMmPkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  StandaloneMmDriverEntryPoint
> +  MmServicesTableLib
> +  DebugLib
> +  Tcg2PhysicalPresenceLib
> +  PcdLib
> +  MemLib
> +
> +[Guids]
> +  ## SOMETIMES_PRODUCES ## Variable:L"MemoryOverwriteReque= stControl"
> +  ## SOMETIMES_CONSUMES ## Variable:L"MemoryOverwriteReque= stControl"
> +  gEfiMemoryOverwriteControlDataGuid
> +
> +  gEfiTpmDeviceInstanceTpm20DtpmGuid    &nb= sp;            =            ## PRODUCES&nb= sp;          ##
> GUID       # TPM device identifier
> +  gTpmNvsMmGuid        =             &nb= sp;            =             &nb= sp;   ## CONSUMES
> +
> +[Protocols]
> +  gEfiSmmSwDispatch2ProtocolGuid     &= nbsp;           &nbs= p;            &= nbsp; ## CONSUMES
> +  gEfiSmmVariableProtocolGuid     &nbs= p;            &= nbsp;           &nbs= p;    ## CONSUMES
> +  gEfiMmReadyToLockProtocolGuid     &n= bsp;            = ;            &n= bsp;  ## CONSUMES
> +
> +[Pcd]
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid  &= nbsp;           ## CONSUM= ES
> +
> +[Depex]
> +  gEfiSmmSwDispatch2ProtocolGuid AND
> +  gEfiSmmVariableProtocolGuid
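Review bot: INF_VERSION is 0x00010005 here but 0x0001001A in the sibling Tcg2MmDependencyLib.inf added by the same patch; a new MM_STANDALONE module should use the newer INF spec version consistently. The [Depex] on gEfiSmmSwDispatch2ProtocolGuid AND gEfiSmmVariableProtocolGuid is acceptable because those GUIDs are shared with the MM protocol definitions, but the header block still says "registers SMI callback functions" and "external input - variable and ACPINvs data in SMM mode"; reword it for the Standalone MM context and extend the Caution note to say that the shared-buffer validation in this module depends on the MemLib instance the platform DSC selects, since that is the check standing between an untrusted comm buffer and MMRAM.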
> --
> 2.30.0.windows.1





 
