From: "Ni, Ray"
To: "Yang, Longlong", "devel@edk2.groups.io"
CC: "Dong, Eric", "Kumar, Rahul1", "Yao, Jiewen", "Xu, Min M", "Zhang, Qi1"
Subject: Re: [PATCH v4 1/1] UefiCpuPkg: Extend measurement of microcode patches to TPM
Date: Mon, 20 Dec 2021 05:16:56 +0000
In-Reply-To: <0c4c9dfe09316f5766970418ad750f29b36d008d.1639466246.git.longlong.yang@intel.com>

Reviewed-by: Ray Ni

-----Original Message-----
From: Yang, Longlong
Sent: Tuesday, December 14, 2021 3:19 PM
To: devel@edk2.groups.io
Cc: Yang, Longlong; Dong, Eric; Ni, Ray; Kumar, Rahul1; Yao, Jiewen; Xu, Min M; Zhang, Qi1
Subject: [PATCH v4 1/1] UefiCpuPkg: Extend measurement of microcode patches to TPM

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3683

TCG specification says BIOS should extend measurement of microcode to TPM.
However, reference BIOS is not doing this.
BIOS shall extend measurement of microcode to TPM.

Cc: Eric Dong
Cc: Ray Ni
Cc: Rahul Kumar
Cc: Jiewen Yao
Cc: Min M Xu
Cc: Qi Zhang
Signed-off-by: Longlong Yang --- .../MicrocodeMeasurementDxe.c | 281 ++++++++++++++++++ .../MicrocodeMeasurementDxe.inf | 56 ++++ .../MicrocodeMeasurementDxe.uni | 15 + .../MicrocodeMeasurementDxeExtra.uni | 12 + UefiCpuPkg/UefiCpuPkg.dsc | 1 + 5 files changed, 365 insertions(+) create mode 100644 UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurement= Dxe.c create mode 100644 UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurement= Dxe.inf create mode 100644 UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurement= Dxe.uni create mode 100644 UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurement= DxeExtra.uni diff --git a/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.c b= /UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.c new file mode 100644 index 000000000000..762ca159ff0e --- /dev/null +++ b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.c @@ -0,0 +1,281 @@ +/** @file + This driver measures microcode patches to TPM. + + This driver consumes gEdkiiMicrocodePatchHobGuid, packs all unique micro= code patch found in gEdkiiMicrocodePatchHobGuid to a binary blob, and measu= res the binary blob to TPM. + + Copyright (c) 2021, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define CPU_MICROCODE_MEASUREMENT_DESCRIPTION "Microcode Me= asurement" +#define CPU_MICROCODE_MEASUREMENT_EVENT_LOG_DESCRIPTION_LEN sizeof (CPU_M= ICROCODE_MEASUREMENT_DESCRIPTION) + +#pragma pack(1) +typedef struct { + UINT8 Description[CPU_MICROCODE_MEASUREMENT_EVENT_LOG_DESCRIPTION_LEN= ]; + UINTN NumberOfMicrocodePatchesMeasured; + UINTN SizeOfMicrocodePatchesMeasured; +} CPU_MICROCODE_MEASUREMENT_EVENT_LOG; +#pragma pack() + +/** + Helping function. + + The function is called by QuickSort to compare the order of offsets of + two microcode patches in RAM relative to their base address. Elements + will be in ascending order. + + @param[in] Offset1 The pointer to the offset of first microcode patch. + @param[in] Offset2 The pointer to the offset of second microcode patch= . + + @retval 1 The offset of first microcode patch is bigge= r than that of the second. + @retval -1 The offset of first microcode patch is small= er than that of the second. + @retval 0 The offset of first microcode patch equals t= o that of the second. +**/ +INTN +EFIAPI +MicrocodePatchOffsetCompareFunction ( + IN CONST VOID *Offset1, + IN CONST VOID *Offset2 + ) +{ + if (*(UINT64 *)(Offset1) > *(UINT64 *)(Offset2)) { + return 1; + } else if (*(UINT64 *)(Offset1) < *(UINT64 *)(Offset2)) { + return -1; + } else { + return 0; + } +} + +/** + This function remove duplicate and invalid offsets in Offsets. + + This function remove duplicate and invalid offsets in Offsets. Invalid o= ffset means MAX_UINT64 in Offsets. + + @param[in] Offsets Microcode offset list. + @param[in, out] Count On call as the count of raw microcode off= set list; On return as count of the clean microcode offset list. 
+ **/ +VOID +RemoveDuplicateAndInvalidOffset ( + IN UINT64 *Offsets, + IN OUT UINTN *Count + ) +{ + UINTN Index; + UINTN NewCount; + UINT64 LastOffset; + UINT64 QuickSortBuffer; + + // + // The order matters when packing all applied microcode patches to a sin= gle binary blob. + // Therefore it is a must to do sorting before packing. + // NOTE: Since microcode patches are sorted by their addresses in memory= , the order of + // addresses in memory of all the microcode patches before sorting is re= quired to be the + // same in every boot flow. If any future updates made this assumption u= ntenable, then + // there needs a new solution to measure microcode patches. + // + QuickSort ( + Offsets, + *Count, + sizeof (UINT64), + MicrocodePatchOffsetCompareFunction, + (VOID *)&QuickSortBuffer + ); + + NewCount =3D 0; + LastOffset =3D MAX_UINT64; + for (Index =3D 0; Index < *Count; Index++) { + // + // When MAX_UINT64 element is met, all following elements are MAX_UINT= 64. + // + if (Offsets[Index] =3D=3D MAX_UINT64) { + break; + } + + // + // Remove duplicated offsets + // + if (Offsets[Index] !=3D LastOffset) { + LastOffset =3D Offsets[Index]; + Offsets[NewCount] =3D Offsets[Index]; + NewCount++; + } + } + + *Count =3D NewCount; +} + +/** + Callback function. + + Called after signaling of the Ready to Boot Event. Measure microcode pat= ches binary blob with event type EV_CPU_MICROCODE to PCR[1] in TPM. + + @param[in] Event Event whose notification function is being invoked= . + @param[in] Context Pointer to the notification function's context. 
+ +**/ +VOID +EFIAPI +MeasureMicrocodePatches ( + IN EFI_EVENT Event, + IN VOID *Context + ) +{ + EFI_STATUS Status; + UINT32 PCRIndex; + UINT32 EventType; + CPU_MICROCODE_MEASUREMENT_EVENT_LOG EventLog; + UINT32 EventLogSize; + EFI_HOB_GUID_TYPE *GuidHob; + EDKII_MICROCODE_PATCH_HOB *MicrocodePatchHob; + UINT64 *Offsets; + UINTN Count; + UINTN Index; + UINTN TotalMicrocodeSize; + UINT8 *MicrocodePatchesBlob; + + PCRIndex =3D 1; + EventType =3D EV_CPU_MICROCODE; + AsciiStrCpyS ( + (CHAR8 *)(EventLog.Description), + CPU_MICROCODE_MEASUREMENT_EVENT_LOG_DESCRIPTION_LEN, + CPU_MICROCODE_MEASUREMENT_DESCRIPTION + ); + EventLog.NumberOfMicrocodePatchesMeasured =3D 0; + EventLog.SizeOfMicrocodePatchesMeasured =3D 0; + EventLogSize =3D sizeof (CPU_MICROCODE_MEAS= UREMENT_EVENT_LOG); + Offsets =3D NULL; + TotalMicrocodeSize =3D 0; + Count =3D 0; + + GuidHob =3D GetFirstGuidHob (&gEdkiiMicrocodePatchHobGuid); + if (NULL =3D=3D GuidHob) { + DEBUG ((DEBUG_ERROR, "ERROR: GetFirstGuidHob (&gEdkiiMicrocodePatchHob= Guid) failed.\n")); + return; + } + + MicrocodePatchHob =3D GET_GUID_HOB_DATA (GuidHob); + DEBUG ( + (DEBUG_INFO, + "INFO: Got MicrocodePatchHob with microcode patches starting address:= 0x%x, microcode patches region size:0x%x, processor count:0x%x\n", + MicrocodePatchHob->MicrocodePatchAddress, MicrocodePatchHob->Microcod= ePatchRegionSize, + MicrocodePatchHob->ProcessorCount) + ); + + Offsets =3D AllocateCopyPool ( + MicrocodePatchHob->ProcessorCount * sizeof (UINT64), + MicrocodePatchHob->ProcessorSpecificPatchOffset + ); + Count =3D MicrocodePatchHob->ProcessorCount; + + RemoveDuplicateAndInvalidOffset (Offsets, &Count); + + if (0 =3D=3D Count) { + DEBUG ((DEBUG_INFO, "INFO: No microcode patch is ever applied, skip th= e measurement of microcode!\n")); + FreePool (Offsets); + return; + } + + for (Index =3D 0; Index < Count; Index++) { + TotalMicrocodeSize +=3D + GetMicrocodeLength ((CPU_MICROCODE_HEADER *)((UINTN)(MicrocodePatchH= ob->MicrocodePatchAddress + 
Offsets[Index]))); + } + + EventLog.NumberOfMicrocodePatchesMeasured =3D Count; + EventLog.SizeOfMicrocodePatchesMeasured =3D TotalMicrocodeSize; + + MicrocodePatchesBlob =3D AllocateZeroPool (TotalMicrocodeSize); + if (NULL =3D=3D MicrocodePatchesBlob) { + DEBUG ((DEBUG_ERROR, "ERROR: AllocateZeroPool to MicrocodePatchesBlob = failed!\n")); + FreePool (Offsets); + return; + } + + TotalMicrocodeSize =3D 0; + for (Index =3D 0; Index < Count; Index++) { + CopyMem ( + (VOID *)(MicrocodePatchesBlob + TotalMicrocodeSize), + (VOID *)((UINTN)(MicrocodePatchHob->MicrocodePatchAddress + Offsets[= Index])), + (UINTN)(GetMicrocodeLength ( + (CPU_MICROCODE_HEADER *)((UINTN)(MicrocodePatchHob->Microc= odePatchAddress + + Offsets[Index])) + )) + ); + TotalMicrocodeSize +=3D + GetMicrocodeLength ((CPU_MICROCODE_HEADER *)((UINTN)(MicrocodePatchH= ob->MicrocodePatchAddress + Offsets[Index]))); + } + + Status =3D TpmMeasureAndLogData ( + PCRIndex, // PCRIndex + EventType, // EventType + &EventLog, // EventLog + EventLogSize, // LogLen + MicrocodePatchesBlob, // HashData + TotalMicrocodeSize // HashDataLen + ); + if (!EFI_ERROR (Status)) { + gBS->CloseEvent (Event); + DEBUG ( + (DEBUG_INFO, + "INFO: %d Microcode patches are successfully extended to TPM! The t= otal size measured to TPM is 0x%x\n", + Count, + TotalMicrocodeSize) + ); + } else { + DEBUG ((DEBUG_ERROR, "ERROR: TpmMeasureAndLogData failed with status %= a!\n", Status)); + } + + FreePool (Offsets); + FreePool (MicrocodePatchesBlob); + return; +} + +/** + + Driver to produce microcode measurement. + + Driver to produce microcode measurement. Which install a callback functi= on on ready to boot event. + + @param ImageHandle Module's image handle + @param SystemTable Pointer of EFI_SYSTEM_TABLE + + @return EFI_SUCCESS This function always complete successfully. 
+ +**/ +EFI_STATUS +EFIAPI +MicrocodeMeasurementDriverEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_EVENT Event; + + // + // Measure Microcode patches + // + EfiCreateEventReadyToBootEx ( + TPL_CALLBACK, + MeasureMicrocodePatches, + NULL, + &Event + ); + + return EFI_SUCCESS; +} diff --git a/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.inf= b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.inf new file mode 100644 index 000000000000..649fb9403fd2 --- /dev/null +++ b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.inf @@ -0,0 +1,56 @@ +## @file +# This driver measures microcode patches to TPM. +# +# This driver consumes gEdkiiMicrocodePatchHobGuid, packs all unique +# microcode patch found in gEdkiiMicrocodePatchHobGuid to a binary blob, +# and measures the binary blob to TPM. +# +# Copyright (c) 2021, Intel Corporation. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D MicrocodeMeasurementDxe + MODULE_UNI_FILE =3D MicrocodeMeasurementDxe.uni + FILE_GUID =3D 0A32A803-ACDF-4C89-8293-91011548CD91 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + ENTRY_POINT =3D MicrocodeMeasurementDriverEntryPoint + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + MicrocodeMeasurementDxe.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + UefiCpuPkg/UefiCpuPkg.dec + +[LibraryClasses] + UefiBootServicesTableLib + MemoryAllocationLib + BaseMemoryLib + BaseLib + UefiLib + UefiDriverEntryPoint + DebugLib + HobLib + MicrocodeLib + TpmMeasurementLib + +[Guids] + gEdkiiMicrocodePatchHobGuid ## CONSUMES ## HOB + +[UserExtensions.TianoCore."ExtraFiles"] + MicrocodeMeasurementDxeExtra.uni + +[Depex] + TRUE diff --git a/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.uni= b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.uni new file mode 100644 index 000000000000..5a21e955fbbf --- /dev/null +++ b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.uni @@ -0,0 +1,15 @@ +// /** @file +// This driver measures microcode patches to TPM. +// +// This driver consumes gEdkiiMicrocodePatchHobGuid, packs all uniquemicro= code patch found in gEdkiiMicrocodePatchHobGuid to a binary blob, and measu= res the binary blob to TPM. +// +// Copyright (c) 2021, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "This driver measu= res Microcode Patches to TPM." + +#string STR_MODULE_DESCRIPTION #language en-US "This driver consu= mes gEdkiiMicrocodePatchHobGuid, packs all microcode patch found in gEdkiiM= icrocodePatchHobGuid to a binary blob, and measure the binary blob to TPM." diff --git a/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxeExtr= a.uni b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxeExtra.uni new file mode 100644 index 000000000000..6990cee8c6fd --- /dev/null +++ b/UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxeExtra.uni @@ -0,0 +1,12 @@ +// /** @file +// MicrocodeMeasurementDxe Localized Strings and Content +// +// Copyright (c) 2021, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + +#string STR_PROPERTIES_MODULE_NAME +#language en-US +"Microcode Patches Measurement DXE Driver" diff --git a/UefiCpuPkg/UefiCpuPkg.dsc b/UefiCpuPkg/UefiCpuPkg.dsc index 870b45284087..d1d61dd6a03b 100644 --- a/UefiCpuPkg/UefiCpuPkg.dsc +++ b/UefiCpuPkg/UefiCpuPkg.dsc @@ -119,6 +119,7 @@ UefiCpuPkg/Library/CpuTimerLib/BaseCpuTimerLib.inf UefiCpuPkg/Library/CpuCacheInfoLib/PeiCpuCacheInfoLib.inf UefiCpuPkg/Library/CpuCacheInfoLib/DxeCpuCacheInfoLib.inf + UefiCpuPkg/MicrocodeMeasurementDxe/MicrocodeMeasurementDxe.inf =20 [Components.IA32, Components.X64] UefiCpuPkg/CpuDxe/CpuDxe.inf --=20 2.31.1.windows.1
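Review bot: In MeasureMicrocodePatches (MicrocodeMeasurementDxe.c hunk), the result of `Offsets = AllocateCopyPool (...)` is handed straight to RemoveDuplicateAndInvalidOffset with no NULL check, so an allocation failure is dereferenced inside QuickSort; add `if (Offsets == NULL) { return; }` before that call, mirroring the check the function already does for MicrocodePatchesBlob. Three further points in the same hunk: the failure path logs Status with `%a`, which is the ASCII-string specifier in DEBUG, where `%r` is the EFI_STATUS specifier; the blob size is taken purely from each header via GetMicrocodeLength, and nothing checks that `Offsets[Index]` plus that length stays within MicrocodePatchHob->MicrocodePatchRegionSize (which is printed in the INFO line but otherwise unused), so a bounds check against the region size before the CopyMem would keep a corrupt header from driving an over-read of the measured region; and CPU_MICROCODE_MEASUREMENT_EVENT_LOG stores NumberOfMicrocodePatchesMeasured and SizeOfMicrocodePatchesMeasured as UINTN under `#pragma pack(1)`, so the event data written to the TCG log is 4 bytes shorter on IA32 than on X64, which fixed-width UINT32/UINT64 fields would avoid.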
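Review bot: STR_MODULE_DESCRIPTION in the MicrocodeMeasurementDxe.uni hunk says the driver packs "all microcode patch found", while the .c and .inf file headers say "all unique microcode patch"; the string should match the code, which deduplicates offsets in RemoveDuplicateAndInvalidOffset before packing. In the same hunk the file header comment runs "uniquemicrocode" together without a space, and "measure the binary blob" should read "measures".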