From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
 by mx.groups.io with SMTP id smtpd.web11.11890.1636033192435350983
 for <devel@edk2.groups.io>;
 Thu, 04 Nov 2021 06:39:52 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=KvHkT2+E;
 spf=pass (domain: intel.com, ip: 192.55.52.43, mailfrom: jiewen.yao@intel.com)
X-IronPort-AV: E=McAfee;i="6200,9189,10157"; a="317905922"
X-IronPort-AV: E=Sophos;i="5.87,208,1631602800"; 
   d="scan'208,217";a="317905922"
Received: from orsmga008.jf.intel.com ([10.7.209.65])
  by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Nov 2021 06:39:51 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.87,208,1631602800"; 
   d="scan'208,217";a="501542544"
Received: from orsmsx604.amr.corp.intel.com ([10.22.229.17])
  by orsmga008.jf.intel.com with ESMTP; 04 Nov 2021 06:39:51 -0700
Received: from orsmsx611.amr.corp.intel.com (10.22.229.24) by
 ORSMSX604.amr.corp.intel.com (10.22.229.17) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2242.12; Thu, 4 Nov 2021 06:39:50 -0700
Received: from ORSEDG602.ED.cps.intel.com (10.7.248.7) by
 orsmsx611.amr.corp.intel.com (10.22.229.24) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2242.12 via Frontend Transport; Thu, 4 Nov 2021 06:39:50 -0700
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (104.47.55.168)
 by edgegateway.intel.com (134.134.137.103) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.1.2242.12; Thu, 4 Nov 2021 06:39:47 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=IDtgHZM+j/AzxNH5+pobxnZxJ1ufDG9PJSI523OYsTntltFmldmLsgu74r4K3yu/SM79EZQx2t+CNuY2xu3roSxTJd7Pc9UdhlYPZ6owkEnIykPvfigiwgDife6qLlQ9dJ3LisEXOZsfhcyK27TGESAO5plff9P1G3CKe/hPCdo48Bgl3b0IezD/51DvPfmzToIU5vwj3CJZGeuMohpAtgQgepE+RHfHDiJmimJWgR+qwFaoLhaX698D1lE/600W9XSth8yJr3eymFGyTQzrZjYGKoviolck8sGz5sKIDWIDP0C2+n6UuJC8emn9qMrzT8ux8Tsp0NcCvxDkMySkAw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=3BBdyZPBHeyJyxEzmixQqQ2+UHvu0sxL/g1AGQExo+M=;
 b=ieu76jDnxgEfVJ+DCNIP7BAuHmjweIrpGK2Y+BsK7ZGUroVgndVM2CqtJDQ5IlNCWChpBV9QnryRNpUje+mU0vEFvZDblJYHMtrCGlBoD6zNMTp4mCOU8yonoyQrt6CYlMATc4/4YlMChsxhLXt3OZzse0LRyAwTxm/LSpjSCcc31nwDzsqCb5D+CuOh6xRAFE4FzA2/Y906p7OGgvn0dm24x2awtW5GE3YERzwAkNK8l21gUVxEmIOVcJuUzLMpyOURTn1ekHG4/FmxYVz6cPYcErx+WRgQ4HUFHr3yNRgePbQPwceex8pZJhegkm+YS5ON++ahE2ZzrVxEv4ao5g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com;
 dkim=pass header.d=intel.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com;
 s=selector2-intel-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=3BBdyZPBHeyJyxEzmixQqQ2+UHvu0sxL/g1AGQExo+M=;
 b=KvHkT2+E6+JqUjnVvp5MSUlsIgC7GepZ/0b5nPG5QsqQXCFvZU4MvFe5ao+iFIe/TE6m8QXe83weLuV0GcdLwmo7Co3h18J9PVA4T9pKxLPei04jcHq/Eg6b8OrRtV0gZkRdKlTkkmTTYHVyJwUZnXW6iRu9M1+ffwm0K/y1B8Y=
Received: from PH0PR11MB4885.namprd11.prod.outlook.com (2603:10b6:510:35::14)
 by PH0PR11MB4917.namprd11.prod.outlook.com (2603:10b6:510:32::16) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.10; Thu, 4 Nov
 2021 13:39:46 +0000
Received: from PH0PR11MB4885.namprd11.prod.outlook.com
 ([fe80::c5cb:e37a:9f3:8f80]) by PH0PR11MB4885.namprd11.prod.outlook.com
 ([fe80::c5cb:e37a:9f3:8f80%5]) with mapi id 15.20.4649.019; Thu, 4 Nov 2021
 13:39:46 +0000
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Gonzalez Del Cueto, Rodrigo" <rodrigo.gonzalez.del.cueto@intel.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
CC: "Wang, Jian J" <jian.j.wang@intel.com>
Subject: Re: [PATCH] Reallocate TPM Active PCRs based on platform support.
Thread-Topic: [PATCH] Reallocate TPM Active PCRs based on platform support.
Thread-Index: AQHXiYhseCcYam1TIkqF11JRcPSteatqZH8AgAFIHi+AAiYNgIB9M7KUgAjaVZA=
Date: Thu, 4 Nov 2021 13:39:46 +0000
Message-ID: <PH0PR11MB488571552351C4F15CB97D408C8D9@PH0PR11MB4885.namprd11.prod.outlook.com>
References: <20210804232813.818-1-rodrigo.gonzalez.del.cueto@intel.com>,<PH0PR11MB48853CEE4423537388E0DAC58CF69@PH0PR11MB4885.namprd11.prod.outlook.com>
 <BY5PR11MB418418149A19A4CD6F1E463180F69@BY5PR11MB4184.namprd11.prod.outlook.com>
 <PH0PR11MB4885A8928B01E8AA03D0E6FA8CF89@PH0PR11MB4885.namprd11.prod.outlook.com>
 <BY5PR11MB4184FEC6CEC1738A972F067180879@BY5PR11MB4184.namprd11.prod.outlook.com>
In-Reply-To: <BY5PR11MB4184FEC6CEC1738A972F067180879@BY5PR11MB4184.namprd11.prod.outlook.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
dlp-version: 11.6.200.16
dlp-product: dlpe-windows
dlp-reaction: no-action
authentication-results: intel.com; dkim=none (message not signed)
 header.d=none;intel.com; dmarc=none action=none header.from=intel.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 244faf09-8f98-419c-5a80-08d99f9890cc
x-ms-traffictypediagnostic: PH0PR11MB4917:
x-microsoft-antispam-prvs: <PH0PR11MB4917A2EDA504B6CCE7917F518C8D9@PH0PR11MB4917.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ZK19446fltAIjPhKpjk+m0Hk6HcYX1c5CeSAddjndWWxl7wOhQ6ty70XK2+gBCQ3CgdEp8CTQ7IbyOXVMamip9+w99VBGYFpmpKn6YYUSHJGgbN5emYchR7MJulhyuCy2PeU265IO7yzRWw73yKX/oMFh0TanzN7eJJAVE9eUUlo0ev8EnSEvzCxehbFYQLBBhI5Jm/k2HFvjOLFi3PQbQPBAous9Ne7bFX2Uvh9Zohat84eWtxuHyqGCCvD3wgU6xoSA53RdvWvZjciGd2C0Li0NnL35JhKNUIqCjBuwM7nTRUnmo2k3U5sL/iwgk7fOQZGUqnC3vwLSZkiTcBsnhFP81uAhmGwTkPPZA0HptbZBISu4cOWpXQcfRztpepLnvWWBLCCDFRB1PFA2MEB5yP6rcDFJU6jlcHpN7IghyBBqTjuSUdR1eIIRimFPeGhAWdzuyM+KXbE2t52Xn7K8tJ6pxtVTEEqoBK54AS3dafmw1tmZKE/LpfSsT3JvffSRqcYb764inhzmqMelCj1NeOGuJ7/gx9nRNCGAzYyddV1/16ERyAtqFrSmfsFxpKT48PDJrc7EXp61zZnTRMr2ODXgq/qBtnuiTwLPfQ+M1krmLkzxCSNyXuPGQYxXLm/I7OsuwBaT/v5dcnyINeePbYTsQVwQF4bYo/8Nq93R90lTqF+r4m4J2koG+3AUmeZyz//CT5KDEUswOBgDkK5qlBELLI5HnldA7nyPx4dqugetG2TYsmuaA9VZlkZXZlHsSmMeZ18AtjJr4h++dLjjZvWU8eHKEnX54U3elQe5nU=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB4885.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(366004)(122000001)(8676002)(5660300002)(38100700002)(8936002)(66446008)(76116006)(30864003)(33656002)(66946007)(83380400001)(66476007)(186003)(66556008)(64756008)(6506007)(53546011)(166002)(966005)(7696005)(26005)(86362001)(2906002)(71200400001)(38070700005)(508600001)(110136005)(19627235002)(52536014)(4326008)(316002)(55016002)(107886003)(9686003)(82960400001)(579004);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?zfmYWKo99NQC4+s7iVEFgvymOAHcmqrcxSNY1q40xkULAGyV8rh7E1/ZMkD1?=
 =?us-ascii?Q?gLTS1VvzNR20RKzd0DvGirPg4W0hCnYbRiknq59eeUVBuujpPkFh5UeVOm+9?=
 =?us-ascii?Q?1fhlRGzzF55DYgnGFH2DLwMdyrOVQxMVoIlVf7R+J7FBzf1r/tNwsq1LoADf?=
 =?us-ascii?Q?sJ7vAd6+Z2yqPPGjl+rOX466uvQBFjq73CSq/TKfwJIIjtbi0RTzBwNSLuua?=
 =?us-ascii?Q?c8B7EN+Xn6Pw1gJOExLF2m9Qa0kyCmDDIZ2yDQO8N/g3Emeklxk7m7K3nfl9?=
 =?us-ascii?Q?GElngrfs5A797CGOYAmMIxaA37KJVJlPNZK2VRvATq37p0cNy1LtL8v4y4ma?=
 =?us-ascii?Q?SU5HvWt2HII3xLSoyuCmcyBoACuxEJNwMNh+JiaW9asTkd4JYNSKOjNSA3nQ?=
 =?us-ascii?Q?brddskfaeBLzS+YKWMgCmXOZ6GWynDKbufICRCAfozPcvfaf7B47GDi97JlJ?=
 =?us-ascii?Q?rN5ZQCJ1dh4YMfRfOZSDgWaR11N2TxZnXPSnoKZyjBH1XzLa0v9MCQiDfcdR?=
 =?us-ascii?Q?tD6Rr4TvZtpqC2tuAisxCnzHviPDNtoK05dU0cJob6RYqBS/vADmLv//qkuL?=
 =?us-ascii?Q?wDtJ+s/dtqaOoum+bB+xuvDps11juLUvY69B5D7/NU90FNxdM0gKOxulv3Vq?=
 =?us-ascii?Q?Vddua5zFO3cYStn9mTcmYaTKHg68/3sJG30Za2d/OP+4tXVhIPXGDT+oow3N?=
 =?us-ascii?Q?riYkIP3gZ2Rv8dVP8EUNaWliAWsOvfI+DgsjibHOgO83zel0X/WmtrlwbJtK?=
 =?us-ascii?Q?F+UijyFgbA2QajSmjzseSRXsknhfrDUYgxloWjIUo32TSBFRJJujRIlwndzF?=
 =?us-ascii?Q?LLPVhIfzVqsWQxUY7Pzavbj0uU2jO8Uy20HlonROqLwWXN9vzinr0SykkWmE?=
 =?us-ascii?Q?vMfy44wex7zppEINXQPQSTPXseywXzcZzxoTKersTcIrY7hnBRbNMokt7gVQ?=
 =?us-ascii?Q?h1x6Co82uiu7ygsU1zGmBdnRr55FpsK7rYMlcUB48iKqOakZiP+JKAojAh37?=
 =?us-ascii?Q?X8oGH5DmngFowq9PPpncKodIRp7tpkjxF+p1MwwqONnhgc7/U7oKFvazPMzB?=
 =?us-ascii?Q?dH7uV3hpP1eTIxyYDyNtMCEvs3xQt9a61A7NNv4JvXEa4I/XFIx9uZ5lKWqH?=
 =?us-ascii?Q?z+K/5yzJgbZW4SrahEe0Ddl1kHgxh4aNhhMwltFOeLfL2fZyL1rozjrmZaVS?=
 =?us-ascii?Q?MA0lcSbBp1e8epavL01pie7fEamwjJxvkXex4IlLxJzSnST+8vjlOqeTuv+J?=
 =?us-ascii?Q?4emtJjA/UiN5+lLcHlrnOJj4kjUnfxV3KtWoGC0whNTodjA+OeYHklvjiN38?=
 =?us-ascii?Q?ouV+vXR+Y3T21I6QFChqeF/Wtp7stZw2Zf/xP3w5b77TbrQTQuhycrlVcwY9?=
 =?us-ascii?Q?jUy5fOBaKRSQ0BUWEa4VM99bOffndsZXlxBounZgyhvDcx0qDPgOm9ySBLjN?=
 =?us-ascii?Q?JvO8mzSvp2CTuWaIDiBs5kwcAI3KsIcjLZ2TWHDoXYzq85WIdNZxzU4IpXwB?=
 =?us-ascii?Q?tYYAJJM0i0GDDvGSUrfuSsOkLTfgm/7Nh9H79c/nV7F9qZHaC6WNjBf+y5Zq?=
 =?us-ascii?Q?eWh0HoHyW5H6LPxqJ5eC2Ov4AdHUDPjoYrsQRZ8634RlqSL/vsox5Hz7utfw?=
 =?us-ascii?Q?yavXzQJtiEKEpxec94Pf9JU=3D?=
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4885.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 244faf09-8f98-419c-5a80-08d99f9890cc
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Nov 2021 13:39:46.1846
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Lc+nOKxRdSy4poOVBh8hx7cls6jqValNVE+YcAg0ooaThcESNjwkBFDw9AToypEKeP2mGBnnBvUmYR7wUqjfPQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB4917
Return-Path: jiewen.yao@intel.com
X-OriginatorOrg: intel.com
Content-Language: en-US
Content-Type: multipart/alternative;
	boundary="_000_PH0PR11MB488571552351C4F15CB97D408C8D9PH0PR11MB4885namp_"

--_000_PH0PR11MB488571552351C4F15CB97D408C8D9PH0PR11MB4885namp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Thanks the detail explanation.

I think it makes sense to make "NewTpmActivePcrBanks  =3D TpmActivePcrBanks=
 & PcdTpm2HashMask (hardware config) & PcdTcg2HashAlgorithmBitmap (software=
 config)"

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>


From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>
Sent: Saturday, October 30, 2021 8:26 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
Cc: Wang, Jian J <jian.j.wang@intel.com>
Subject: Re: [PATCH] Reallocate TPM Active PCRs based on platform support.

Hi Jiewen,

In the past most of the TPM devices supported SHA1 and SHA256 hashing algor=
ithms, which we have also supported in BIOS for many years.
What recently changed is the exposure to new TPM devices which support addi=
tional hashing algorithms (SHA384 and SM3) and will have such PCR banks act=
ive by default, but which are not supported by some BIOS implementations.

With the following example configuration, I will illustrate how we would hi=
t the problematic condition I just described:

     *   Using a TPM device supporting SM3 hashing algorithm and with the c=
orresponding PCR bank active by default.
HashLib library classes instances registered for Tcg2Config, Tcg2Pei and Tc=
g2Dxe modules:

     *   SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
     *   SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.in=
f
     *   SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha384.in=
f
PCD Configuration:

     *   gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0xFFFFFFF=
F
     *   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x0000001F
The current implementation of SyncPcrAllocationsAndPcrMask() triggers PCR b=
ank reallocation only based on the intersection between TpmActivePcrBanks a=
nd PcdTpm2HashMask.
When the software HashLibBaseCryptoRouter solution is used, no PCR bank rea=
llocation is occurring based on the supported hashing algorithms registered=
 by the present HashLib instances:
SyncPcrAllocationsAndPcrMask!
Supported PCRs - Count =3D 00000003
GetSupportedAndActivePcrs - Count =3D 00000002
SyncPcrAllocationsAndPcrMask - Updating PcdTpm2HashMask from 0x1F to 0x13.
You can see no reallocation is triggered; the unsupported PCR banks are lef=
t active and no extend operations occur on them, thus leaving them uncapped=
.

With the proposed patch set we are fixing two issues:
a) An additional check for the intersection between the TpmActivePcrBanks a=
nd the PcdTcg2HashAlgorithmBitmap populated by the BIOS' HashLib instances =
at runtime.
b) RegisterHashInterfaceLib correctly handles registering the HashLib insta=
nce supported algorithm bitmap when PcdTpm2HashMask is set to zero.
This is the BIOS behavior with the proposed patch:
SyncPcrAllocationsAndPcrMask!
Supported PCRs - Count =3D 00000003
GetSupportedAndActivePcrs - Count =3D 00000003
Tpm2GetCapabilitySupportedAndActivePcrs - TpmHashAlgorithmBitmap: 0x0000001=
3
Tpm2GetCapabilitySupportedAndActivePcrs - TpmActivePcrBanks 0x00000013
TpmHashAlgorithmBitmap: 0x00000013
Tpm2PcrMask 0x0000001F
TpmActivePcrBanks & Tpm2PcrMask =3D 0x00000013
TpmActivePcrBanks & BiosHashAlgorithmBitmap =3D 0x00000003
NewTpmActivePcrBanks 0x00000003
SyncPcrAllocationsAndPcrMask - Reallocating PCR banks from 0x13 to 0x3.
Tpm2PcrAllocateBanks (TpmHashAlgorithmBitmap: 0x00000013, NewTpmActivePcrBa=
nks: 0x00000003)
Tpm2PcrAllocateBanks call Tpm2PcrAllocate - Success
AllocationSuccess - 01
MaxPCR            - 00000018
SizeNeeded        - 000004E0
SizeAvailable     - 00000C60
After the PCR reallocation is triggered, the TPM active PCRs are a strict s=
ubset of the hashing algorithms supported by BIOS.

Please let me know if you need any questions regarding the solution or need=
 any further clarification on the problem statement.

Regards,
-Rodrigo
________________________________
From: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
Sent: Tuesday, August 10, 2021 10:36 PM
To: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com<mailt=
o:rodrigo.gonzalez.del.cueto@intel.com>>; devel@edk2.groups.io<mailto:devel=
@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>>
Cc: Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
Subject: RE: [PATCH] Reallocate TPM Active PCRs based on platform support.


OK, Would you please to share the PCD configuration works before and PCD co=
nfiguration fails now? As well as your DSC file on how to configure the lib=
rary.



I would like to understand the problem statement from real use case, becaus=
e the issue description cannot provide useful information to me.



From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com<mai=
lto:rodrigo.gonzalez.del.cueto@intel.com>>
Sent: Tuesday, August 10, 2021 2:27 PM
To: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>; devel@=
edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
Subject: Re: [PATCH] Reallocate TPM Active PCRs based on platform support.



Hi Jiewen,



Indeed, this bug has existed for a long time in this code. What recently ch=
anged are the TPM configurations we are testing and exposed the issue; this=
 can be reproduced when the BIOS supported algorithms are a strict subset o=
f the PCRs currently active in the TPM.



Now that we are using TPM configurations with support for additional PCR ba=
nks (ex. SHA384 and SM3) the bug has been exposed when compiling a BIOS wit=
hout support for these PCR banks which are active by default in the some of=
 the TPMs.



Regards,

-Rodrigo



________________________________

From: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
Sent: Sunday, August 8, 2021 6:13 PM
To: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com<mailt=
o:rodrigo.gonzalez.del.cueto@intel.com>>; devel@edk2.groups.io<mailto:devel=
@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>>
Cc: Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
Subject: RE: [PATCH] Reallocate TPM Active PCRs based on platform support.



Hi Rodrigo
I don't understand the problem statement.

This code has been there for long time. What is changed recently ?

Thank you
Yao Jiewen


> -----Original Message-----
> From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com<m=
ailto:rodrigo.gonzalez.del.cueto@intel.com>>
> Sent: Thursday, August 5, 2021 7:28 AM
> To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
> Cc: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com<mai=
lto:rodrigo.gonzalez.del.cueto@intel.com>>;
> Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>; Yao, =
Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Subject: [PATCH] Reallocate TPM Active PCRs based on platform support.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3515
>
> In V2: Add case to RegisterHashInterfaceLib logic
>
> RegisterHashInterfaceLib needs to correctly handle registering the HashLi=
b
> instance supported algorithm bitmap when PcdTpm2HashMask is set to zero.
>
> The current implementation of SyncPcrAllocationsAndPcrMask() triggers
> PCR bank reallocation only based on the intersection between
> TpmActivePcrBanks and PcdTpm2HashMask.
>
> When the software HashLibBaseCryptoRouter solution is used, no PCR bank
> reallocation is occurring based on the supported hashing algorithms
> registered by the HashLib instances.
>
> Need to have an additional check for the intersection between the
> TpmActivePcrBanks and the PcdTcg2HashAlgorithmBitmap populated by the
> HashLib instances present on the platform's BIOS.
>
> Signed-off-by: Rodrigo Gonzalez del Cueto
> <rodrigo.gonzalez.del.cueto@intel.com<mailto:rodrigo.gonzalez.del.cueto@i=
ntel.com>>
>
> Cc: Jian J Wang <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
> Cc: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> ---
>  SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c
> |  6 +++++-
>  SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c=
 |
> 6 +++++-
>  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c                                       =
 | 18
> +++++++++++++++++-
>  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf                                     =
 |  1 +
>  4 files changed, 28 insertions(+), 3 deletions(-)
>
> diff --git
> a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.
> c
> b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.
> c
> index 7a0f61efbb..0821159120 100644
> ---
> a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.
> c
> +++
> b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.
> c
> @@ -230,13 +230,17 @@ RegisterHashInterfaceLib (
>  {
>    UINTN              Index;
>    UINT32             HashMask;
> +  UINT32             Tpm2HashMask;
>    EFI_STATUS         Status;
>
>    //
>    // Check allow
>    //
>    HashMask =3D Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);
> -  if ((HashMask & PcdGet32 (PcdTpm2HashMask)) =3D=3D 0) {
> +  Tpm2HashMask =3D PcdGet32 (PcdTpm2HashMask);
> +
> +  if ((Tpm2HashMask !=3D 0) &&
> +      ((HashMask & Tpm2HashMask) =3D=3D 0)) {
>      return EFI_UNSUPPORTED;
>    }
>
> diff --git
> a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.=
c
> b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.=
c
> index 42cb562f67..6ae51dbce4 100644
> ---
> a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.=
c
> +++
> b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.=
c
> @@ -327,13 +327,17 @@ RegisterHashInterfaceLib (
>    UINTN              Index;
>    HASH_INTERFACE_HOB *HashInterfaceHob;
>    UINT32             HashMask;
> +  UINT32             Tpm2HashMask;
>    EFI_STATUS         Status;
>
>    //
>    // Check allow
>    //
>    HashMask =3D Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);
> -  if ((HashMask & PcdGet32 (PcdTpm2HashMask)) =3D=3D 0) {
> +  Tpm2HashMask =3D PcdGet32 (PcdTpm2HashMask);
> +
> +  if ((Tpm2HashMask !=3D 0) &&
> +      ((HashMask & Tpm2HashMask) =3D=3D 0)) {
>      return EFI_UNSUPPORTED;
>    }
>
> diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
> b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
> index 93a8803ff6..5ad6a45cf3 100644
> --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
> +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
> @@ -262,6 +262,7 @@ SyncPcrAllocationsAndPcrMask (
>  {
>    EFI_STATUS                        Status;
>    EFI_TCG2_EVENT_ALGORITHM_BITMAP   TpmHashAlgorithmBitmap;
> +  EFI_TCG2_EVENT_ALGORITHM_BITMAP   BiosHashAlgorithmBitmap;
>    UINT32                            TpmActivePcrBanks;
>    UINT32                            NewTpmActivePcrBanks;
>    UINT32                            Tpm2PcrMask;
> @@ -273,16 +274,27 @@ SyncPcrAllocationsAndPcrMask (
>    // Determine the current TPM support and the Platform PCR mask.
>    //
>    Status =3D Tpm2GetCapabilitySupportedAndActivePcrs
> (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);
> +
>    ASSERT_EFI_ERROR (Status);
> +
> +  DEBUG ((EFI_D_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs -
> TpmHashAlgorithmBitmap: 0x%08x\n", TpmHashAlgorithmBitmap));
> +  DEBUG ((EFI_D_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs -
> TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks));
>
>    Tpm2PcrMask =3D PcdGet32 (PcdTpm2HashMask);
>    if (Tpm2PcrMask =3D=3D 0) {
>      //
>      // if PcdTPm2HashMask is zero, use ActivePcr setting
>      //
> +    DEBUG ((EFI_D_VERBOSE, "Initializing PcdTpm2HashMask to
> TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks));
>      PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);
> +    DEBUG ((EFI_D_VERBOSE, "Initializing Tpm2PcrMask to TpmActivePcrBank=
s
> 0x%08x\n", Tpm2PcrMask));
>      Tpm2PcrMask =3D TpmActivePcrBanks;
>    }
> +
> +  BiosHashAlgorithmBitmap =3D PcdGet32 (PcdTcg2HashAlgorithmBitmap);
> +  DEBUG ((EFI_D_INFO, "PcdTcg2HashAlgorithmBitmap 0x%08x\n",
> BiosHashAlgorithmBitmap));
> +  DEBUG ((EFI_D_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask)); // Active
> PCR banks from TPM input
> +  DEBUG ((EFI_D_INFO, "TpmActivePcrBanks & BiosHashAlgorithmBitmap =3D
> 0x%08x\n", NewTpmActivePcrBanks));
>
>    //
>    // Find the intersection of Pcd support and TPM support.
> @@ -294,9 +306,12 @@ SyncPcrAllocationsAndPcrMask (
>    // If there are active PCR banks that are not supported by the Platfor=
m mask,
>    // update the TPM allocations and reboot the machine.
>    //
> -  if ((TpmActivePcrBanks & Tpm2PcrMask) !=3D TpmActivePcrBanks) {
> +  if (((TpmActivePcrBanks & Tpm2PcrMask) !=3D TpmActivePcrBanks) ||
> +      ((TpmActivePcrBanks & BiosHashAlgorithmBitmap) !=3D TpmActivePcrBa=
nks)) {
>      NewTpmActivePcrBanks =3D TpmActivePcrBanks & Tpm2PcrMask;
> +    NewTpmActivePcrBanks &=3D BiosHashAlgorithmBitmap;
>
> +    DEBUG ((EFI_D_INFO, "NewTpmActivePcrBanks 0x%08x\n",
> NewTpmActivePcrBanks));
>      DEBUG ((EFI_D_INFO, "%a - Reallocating PCR banks from 0x%X to 0x%X.\=
n",
> __FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks));
>      if (NewTpmActivePcrBanks =3D=3D 0) {
>        DEBUG ((EFI_D_ERROR, "%a - No viable PCRs active! Please set a les=
s
> restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));
> @@ -331,6 +346,7 @@ SyncPcrAllocationsAndPcrMask (
>      }
>
>      Status =3D PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask);
> +    DEBUG ((EFI_D_INFO, "Setting PcdTpm2Hash Mask to 0x%08x\n",
> NewTpm2PcrMask));
>      ASSERT_EFI_ERROR (Status);
>    }
>  }
> diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> index 06c26a2904..17ad116126 100644
> --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
> @@ -86,6 +86,7 @@
>    ## SOMETIMES_CONSUMES
>    ## SOMETIMES_PRODUCES
>    gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask
> +  gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap              =
    ##
> CONSUMES
>
>  [Depex]
>    gEfiPeiMasterBootModePpiGuid AND
> --
> 2.31.1.windows.1

--_000_PH0PR11MB488571552351C4F15CB97D408C8D9PH0PR11MB4885namp_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:DengXian;
	panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Consolas;
	panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
	{font-family:"\@DengXian";
	panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
	{mso-style-name:x_msonormal;
	margin:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
span.EmailStyle24
	{mso-style-type:personal-reply;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
/* List Definitions */
@list l0
	{mso-list-id:393042268;
	mso-list-template-ids:-553906680;}
@list l0:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l0:level2
	{mso-level-number-format:bullet;
	mso-level-text:o;
	mso-level-tab-stop:1.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:"Courier New";
	mso-bidi-font-family:"Times New Roman";}
@list l0:level3
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:1.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l0:level4
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:2.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l0:level5
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:2.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l0:level6
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:3.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l0:level7
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:3.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l0:level8
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:4.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l0:level9
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:4.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l1
	{mso-list-id:611861460;
	mso-list-type:hybrid;
	mso-list-template-ids:1753092286 -1501412910 67698713 67698715 67698703 67=
698713 67698715 67698703 67698713 67698715;}
@list l1:level1
	{mso-level-text:"%1\)";
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level2
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level3
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l1:level4
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level5
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level6
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l1:level7
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level8
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l1:level9
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l2
	{mso-list-id:1222399893;
	mso-list-template-ids:1319536682;}
@list l2:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l2:level2
	{mso-level-number-format:bullet;
	mso-level-text:o;
	mso-level-tab-stop:1.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:"Courier New";
	mso-bidi-font-family:"Times New Roman";}
@list l2:level3
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:1.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2:level4
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:2.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2:level5
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:2.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2:level6
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:3.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2:level7
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:3.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2:level8
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:4.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l2:level9
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:4.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l3
	{mso-list-id:1912540183;
	mso-list-type:hybrid;
	mso-list-template-ids:7893424 -1544023524 67698713 67698715 67698703 67698=
713 67698715 67698703 67698713 67698715;}
@list l3:level1
	{mso-level-text:"%1\)";
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l3:level2
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l3:level3
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l3:level4
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l3:level5
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l3:level6
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l3:level7
	{mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l3:level8
	{mso-level-number-format:alpha-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	text-indent:-.25in;}
@list l3:level9
	{mso-level-number-format:roman-lower;
	mso-level-tab-stop:none;
	mso-level-number-position:right;
	text-indent:-9.0pt;}
@list l4
	{mso-list-id:2018578252;
	mso-list-template-ids:-2426688;}
@list l4:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l4:level2
	{mso-level-number-format:bullet;
	mso-level-text:o;
	mso-level-tab-stop:1.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:"Courier New";
	mso-bidi-font-family:"Times New Roman";}
@list l4:level3
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:1.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4:level4
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:2.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4:level5
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:2.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4:level6
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:3.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4:level7
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:3.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4:level8
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:4.0in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
@list l4:level9
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:4.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Wingdings;}
ol
	{margin-bottom:0in;}
ul
	{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple" style=3D"word-wrap:brea=
k-word">
<div class=3D"WordSection1">
<p class=3D"MsoNormal">Thanks the detail explanation.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">I think it makes sense to make &#8220;NewTpmActivePc=
rBanks &nbsp;=3D TpmActivePcrBanks &amp; PcdTpm2HashMask (hardware config) =
&amp; PcdTcg2HashAlgorithmBitmap (software config)&#8221;<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Reviewed-by: Jiewen Yao &lt;Jiewen.yao@intel.com&gt;=
<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div style=3D"border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt">
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b>From:</b> Gonzalez Del Cueto, Rodrigo &lt;rodrigo=
.gonzalez.del.cueto@intel.com&gt;
<br>
<b>Sent:</b> Saturday, October 30, 2021 8:26 AM<br>
<b>To:</b> Yao, Jiewen &lt;jiewen.yao@intel.com&gt;; devel@edk2.groups.io<b=
r>
<b>Cc:</b> Wang, Jian J &lt;jian.j.wang@intel.com&gt;<br>
<b>Subject:</b> Re: [PATCH] Reallocate TPM Active PCRs based on platform su=
pport.<o:p></o:p></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">Hi Jiewen,<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black;background:white">In the past most of the TPM devices su=
pported SHA1 and SHA256 hashing algorithms, which we have also supported in=
 BIOS for many years.</span><span style=3D"font-size:12.0pt;color:black"><o=
:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">What recently changed is the exposure to new TPM device=
s which support additional hashing algorithms (SHA384 and SM3) and will hav=
e such PCR banks active by default, but
 which are not supported by some BIOS implementations.<o:p></o:p></span></p=
>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black;background:white">With the following example configurati=
on, I will illustrate how we would hit the problematic condition I just des=
cribed:</span><span style=3D"font-size:12.0pt;color:black"><o:p></o:p></spa=
n></p>
</div>
<div>
<ul type=3D"disc">
<ul type=3D"circle">
<li class=3D"MsoNormal" style=3D"color:black;mso-margin-top-alt:auto;mso-ma=
rgin-bottom-alt:auto;mso-list:l4 level2 lfo1;background:white">
<span style=3D"font-size:12.0pt;background:white">Using a TPM device suppor=
ting SM3 hashing algorithm and with the corresponding PCR bank active by de=
fault.</span><span style=3D"font-size:12.0pt"><o:p></o:p></span></li></ul>
</ul>
</div>
<div>
<blockquote>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">HashLib library classes instances registered for&nbsp;<=
b><span style=3D"background:white">Tcg2Config</span></b><span style=3D"back=
ground:white">,&nbsp;</span><b>Tcg2Pei
</b>and&nbsp;<b>Tcg2Dxe </b>modules:<o:p></o:p></span></p>
</blockquote>
<div>
<ul type=3D"disc">
<ul type=3D"circle">
<li class=3D"MsoNormal" style=3D"color:black;mso-margin-top-alt:auto;mso-ma=
rgin-bottom-alt:auto;mso-list:l2 level2 lfo2;background:white">
<span style=3D"font-size:12.0pt">SecurityPkg/Library/HashInstanceLibSha1/<b=
>HashInstanceLibSha1</b>.inf<o:p></o:p></span></li><li class=3D"MsoNormal" =
style=3D"color:black;mso-list:l2 level2 lfo2;background:white">
<span style=3D"font-size:12.0pt">SecurityPkg/Library/HashInstanceLibSha256/=
<b>HashInstanceLibSha256</b>.inf<o:p></o:p></span></li><li class=3D"MsoNorm=
al" style=3D"color:black;mso-list:l2 level2 lfo2;background:white">
<span style=3D"font-size:12.0pt">SecurityPkg/Library/HashInstanceLibSha256/=
<b>HashInstanceLibSha384</b>.inf<o:p></o:p></span></li></ul>
</ul>
</div>
</div>
<blockquote>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">PCD Configuration:<o:p></o:p></span></p>
</div>
</blockquote>
<div>
<ul type=3D"disc">
<ul type=3D"circle">
<li class=3D"MsoNormal" style=3D"color:black;mso-margin-top-alt:auto;mso-ma=
rgin-bottom-alt:auto;mso-list:l0 level2 lfo3;background:white">
<span style=3D"font-size:12.0pt">gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashA=
lgorithmBitmap|0xFFFFFFFF<o:p></o:p></span></li><li class=3D"MsoNormal" sty=
le=3D"color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-li=
st:l0 level2 lfo3;background:white">
<span style=3D"font-size:12.0pt">gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashM=
ask|<b>0x0000001F</b><o:p></o:p></span></li></ul>
</ul>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">The current implementation of
<i>SyncPcrAllocationsAndPcrMask</i>() triggers PCR bank reallocation <b>onl=
y based on the
<span style=3D"background:#FF8000">intersection between <i>TpmActivePcrBank=
s </i>and
<i>PcdTpm2HashMask</i></span></b>.<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">When the software
<i>HashLibBaseCryptoRouter </i>solution is used, no PCR bank reallocation i=
s occurring based on the supported hashing algorithms registered by the pre=
sent HashLib instances:<o:p></o:p></span></p>
</div>
<div>
<blockquote style=3D"border:none #C8C8C8 1.0pt;border-left:solid #C8C8C8 2.=
25pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-bo=
ttom:5.0pt">
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">SyncPcrAllocationsAndPcrMask!</spa=
n><span style=3D"font-size:12.0pt;color:black">
<o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">Supported PCRs - Count =3D 0000000=
3</span><span style=3D"font-size:12.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">GetSupportedAndActivePcrs - Count =
=3D 00000002</span><span style=3D"font-size:12.0pt;color:black"><o:p></o:p>=
</span></p>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">SyncPcrAllocationsAndPcrMask - Upd=
ating PcdTpm2HashMask from 0x1F to 0x13.</span><span style=3D"font-size:12.=
0pt;color:black"><o:p></o:p></span></p>
</blockquote>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">You can see no reallocation is triggered; the&nbsp;unsu=
pported PCR banks are left active and no extend operations occur on them, t=
hus leaving them uncapped.<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">With the proposed patch set we are fixing two issues:<o=
:p></o:p></span></p>
</div>
<blockquote style=3D"border:none #C8C8C8 1.0pt;border-left:solid #C8C8C8 2.=
25pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-bo=
ttom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">a) An
<b>additional check for the intersection between the <i><span style=3D"back=
ground:yellow">TpmActivePcrBanks
</span></i><span style=3D"background:yellow">and the <i>PcdTcg2HashAlgorith=
mBitmap </i>
</span>populated by the BIOS' HashLib instances</b>&nbsp;at runtime.<o:p></=
o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">b)&nbsp;RegisterHashInterfaceLib correctly handles regi=
stering the HashLib instance supported algorithm bitmap when
<i>PcdTpm2HashMask </i>is set to zero.<o:p></o:p></span></p>
</div>
</blockquote>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">This is the BIOS behavior with the proposed patch:<o:p>=
</o:p></span></p>
</div>
<div>
<blockquote style=3D"border:none #C8C8C8 1.0pt;border-left:solid #C8C8C8 2.=
25pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-bo=
ttom:5.0pt">
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">SyncPcrAllocationsAndPcrMask!</spa=
n><span style=3D"font-size:12.0pt;color:black">
<o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">Supported PCRs - Count =3D 0000000=
3</span><span style=3D"font-size:12.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">GetSupportedAndActivePcrs - Count =
=3D 00000003</span><span style=3D"font-size:12.0pt;color:black"><o:p></o:p>=
</span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">Tpm2GetCapabilitySupportedAndActiv=
ePcrs - TpmHashAlgorithmBitmap: 0x00000013</span><span style=3D"font-size:1=
2.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">Tpm2GetCapabilitySupportedAndActiv=
ePcrs - TpmActivePcrBanks 0x00000013</span><span style=3D"font-size:12.0pt;=
color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">TpmHashAlgorithmBitmap: 0x00000013=
</span><span style=3D"font-size:12.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">Tpm2PcrMask 0x0000001F</span><span=
 style=3D"font-size:12.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black;background:#FF8000">TpmActivePcrBan=
ks &amp; Tpm2PcrMask =3D 0x00000013</span><span style=3D"font-size:12.0pt;c=
olor:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:10.0pt;font-family:Consolas;color:black;background:yellow">TpmActivePcrB=
anks &amp; BiosHashAlgorithmBitmap =3D 0x00000003</span></b><span style=3D"=
font-size:12.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:10.0pt;font-family:Consolas;color:black;background:lime">NewTpmActivePcr=
Banks 0x00000003</span></b><span style=3D"font-size:12.0pt;color:black"><o:=
p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">SyncPcrAllocationsAndPcrMask - Rea=
llocating PCR banks from 0x13 to 0x3.</span><span style=3D"font-size:12.0pt=
;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">Tpm2PcrAllocateBanks (TpmHashAlgor=
ithmBitmap: 0x00000013, NewTpmActivePcrBanks: 0x00000003)</span><span style=
=3D"font-size:12.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">Tpm2PcrAllocateBanks call Tpm2PcrA=
llocate - Success</span><span style=3D"font-size:12.0pt;color:black"><o:p><=
/o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">AllocationSuccess - 01</span><span=
 style=3D"font-size:12.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">MaxPCR &nbsp; &nbsp; &nbsp; &nbsp;=
 &nbsp; &nbsp;- 00000018</span><span style=3D"font-size:12.0pt;color:black"=
><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">SizeNeeded &nbsp; &nbsp; &nbsp; &n=
bsp;- 000004E0</span><span style=3D"font-size:12.0pt;color:black"><o:p></o:=
p></span></p>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
10.0pt;font-family:Consolas;color:black">SizeAvailable &nbsp; &nbsp; - 0000=
0C60</span><span style=3D"font-size:12.0pt;color:black"><o:p></o:p></span><=
/p>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">After the PCR reallocation is triggered, the TPM active=
 PCRs are a strict subset of the hashing algorithms supported by BIOS.<o:p>=
</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">Please let me know if you need any questions regarding =
the solution or need any further clarification on the problem statement.<o:=
p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">Regards,<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
12.0pt;color:black">-Rodrigo<o:p></o:p></span></p>
</div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center">
<hr size=3D"2" width=3D"98%" align=3D"center">
</div>
<div id=3D"divRplyFwdMsg">
<p class=3D"MsoNormal"><b><span style=3D"color:black">From:</span></b><span=
 style=3D"color:black"> Yao, Jiewen &lt;<a href=3D"mailto:jiewen.yao@intel.=
com">jiewen.yao@intel.com</a>&gt;<br>
<b>Sent:</b> Tuesday, August 10, 2021 10:36 PM<br>
<b>To:</b> Gonzalez Del Cueto, Rodrigo &lt;<a href=3D"mailto:rodrigo.gonzal=
ez.del.cueto@intel.com">rodrigo.gonzalez.del.cueto@intel.com</a>&gt;;
<a href=3D"mailto:devel@edk2.groups.io">devel@edk2.groups.io</a> &lt;<a hre=
f=3D"mailto:devel@edk2.groups.io">devel@edk2.groups.io</a>&gt;<br>
<b>Cc:</b> Wang, Jian J &lt;<a href=3D"mailto:jian.j.wang@intel.com">jian.j=
.wang@intel.com</a>&gt;<br>
<b>Subject:</b> RE: [PATCH] Reallocate TPM Active PCRs based on platform su=
pport.</span>
<o:p></o:p></p>
<div>
<p class=3D"MsoNormal">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"xmsonormal">OK, Would you please to share the PCD configuration=
 works before and PCD configuration fails now? As well as your DSC file on =
how to configure the library.<o:p></o:p></p>
<p class=3D"xmsonormal">&nbsp;<o:p></o:p></p>
<p class=3D"xmsonormal">I would like to understand the problem statement fr=
om real use case, because the issue description cannot provide useful infor=
mation to me.<o:p></o:p></p>
<p class=3D"xmsonormal">&nbsp;<o:p></o:p></p>
<div style=3D"border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt">
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"xmsonormal"><b>From:</b> Gonzalez Del Cueto, Rodrigo &lt;<a hre=
f=3D"mailto:rodrigo.gonzalez.del.cueto@intel.com">rodrigo.gonzalez.del.cuet=
o@intel.com</a>&gt;
<br>
<b>Sent:</b> Tuesday, August 10, 2021 2:27 PM<br>
<b>To:</b> Yao, Jiewen &lt;<a href=3D"mailto:jiewen.yao@intel.com">jiewen.y=
ao@intel.com</a>&gt;;
<a href=3D"mailto:devel@edk2.groups.io">devel@edk2.groups.io</a><br>
<b>Cc:</b> Wang, Jian J &lt;<a href=3D"mailto:jian.j.wang@intel.com">jian.j=
.wang@intel.com</a>&gt;<br>
<b>Subject:</b> Re: [PATCH] Reallocate TPM Active PCRs based on platform su=
pport.<o:p></o:p></p>
</div>
</div>
<p class=3D"xmsonormal">&nbsp;<o:p></o:p></p>
<div>
<p class=3D"xmsonormal" style=3D"background:white"><span style=3D"font-size=
:12.0pt;color:black">Hi&nbsp;Jiewen,</span><o:p></o:p></p>
</div>
<div>
<p class=3D"xmsonormal" style=3D"background:white"><span style=3D"font-size=
:12.0pt;color:black">&nbsp;</span><o:p></o:p></p>
</div>
<div>
<p class=3D"xmsonormal" style=3D"background:white"><span style=3D"font-size=
:12.0pt;color:black">Indeed, this bug has existed for a long time in this c=
ode. What recently changed are the TPM configurations we are testing and ex=
posed the issue; this can be reproduced
 when the <b>BIOS supported algorithms are a strict&nbsp;subset of the PCRs=
 currently active in the TPM</b>.</span><o:p></o:p></p>
</div>
<div>
<p class=3D"xmsonormal" style=3D"background:white"><span style=3D"font-size=
:12.0pt;color:black">&nbsp;</span><o:p></o:p></p>
</div>
<div>
<p class=3D"xmsonormal" style=3D"background:white"><span style=3D"font-size=
:12.0pt;color:black">Now that we are using TPM configurations with support =
for additional PCR banks (ex. SHA384 and SM3) the bug has been exposed when=
 compiling a BIOS without support for
 these PCR banks which are active by default in the some of the TPMs.</span=
><o:p></o:p></p>
</div>
<div>
<p class=3D"xmsonormal">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"xmsonormal" style=3D"background:white"><span style=3D"font-size=
:12.0pt;color:black">Regards,</span><o:p></o:p></p>
</div>
<div>
<p class=3D"xmsonormal" style=3D"background:white"><span style=3D"font-size=
:12.0pt;color:black">-Rodrigo</span><o:p></o:p></p>
</div>
<div>
<p class=3D"xmsonormal" style=3D"background:white"><span style=3D"font-size=
:12.0pt;color:black">&nbsp;</span><o:p></o:p></p>
</div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center">
<hr size=3D"2" width=3D"98%" align=3D"center">
</div>
<div id=3D"x_divRplyFwdMsg">
<p class=3D"xmsonormal"><b><span style=3D"color:black">From:</span></b><spa=
n style=3D"color:black"> Yao, Jiewen &lt;</span><a href=3D"mailto:jiewen.ya=
o@intel.com">jiewen.yao@intel.com</a><span style=3D"color:black">&gt;<br>
<b>Sent:</b> Sunday, August 8, 2021 6:13 PM<br>
<b>To:</b> Gonzalez Del Cueto, Rodrigo &lt;</span><a href=3D"mailto:rodrigo=
.gonzalez.del.cueto@intel.com">rodrigo.gonzalez.del.cueto@intel.com</a><spa=
n style=3D"color:black">&gt;;
</span><a href=3D"mailto:devel@edk2.groups.io">devel@edk2.groups.io</a><spa=
n style=3D"color:black"> &lt;</span><a href=3D"mailto:devel@edk2.groups.io"=
>devel@edk2.groups.io</a><span style=3D"color:black">&gt;<br>
<b>Cc:</b> Wang, Jian J &lt;</span><a href=3D"mailto:jian.j.wang@intel.com"=
>jian.j.wang@intel.com</a><span style=3D"color:black">&gt;<br>
<b>Subject:</b> RE: [PATCH] Reallocate TPM Active PCRs based on platform su=
pport.</span>
<o:p></o:p></p>
<div>
<p class=3D"xmsonormal">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"xmsonormal" style=3D"margin-bottom:12.0pt">Hi Rodrigo<br>
I don&#8217;t understand the problem statement.<br>
<br>
This code has been there for long time. What is changed recently ?<br>
<br>
Thank you<br>
Yao Jiewen<br>
<br>
<br>
&gt; -----Original Message-----<br>
&gt; From: Gonzalez Del Cueto, Rodrigo &lt;<a href=3D"mailto:rodrigo.gonzal=
ez.del.cueto@intel.com">rodrigo.gonzalez.del.cueto@intel.com</a>&gt;<br>
&gt; Sent: Thursday, August 5, 2021 7:28 AM<br>
&gt; To: <a href=3D"mailto:devel@edk2.groups.io">devel@edk2.groups.io</a><b=
r>
&gt; Cc: Gonzalez Del Cueto, Rodrigo &lt;<a href=3D"mailto:rodrigo.gonzalez=
.del.cueto@intel.com">rodrigo.gonzalez.del.cueto@intel.com</a>&gt;;<br>
&gt; Wang, Jian J &lt;<a href=3D"mailto:jian.j.wang@intel.com">jian.j.wang@=
intel.com</a>&gt;; Yao, Jiewen &lt;<a href=3D"mailto:jiewen.yao@intel.com">=
jiewen.yao@intel.com</a>&gt;<br>
&gt; Subject: [PATCH] Reallocate TPM Active PCRs based on platform support.=
<br>
&gt; <br>
&gt; REF: <a href=3D"https://bugzilla.tianocore.org/show_bug.cgi?id=3D3515"=
>https://bugzilla.tianocore.org/show_bug.cgi?id=3D3515</a><br>
&gt; <br>
&gt; In V2: Add case to RegisterHashInterfaceLib logic<br>
&gt; <br>
&gt; RegisterHashInterfaceLib needs to correctly handle registering the Has=
hLib<br>
&gt; instance supported algorithm bitmap when PcdTpm2HashMask is set to zer=
o.<br>
&gt; <br>
&gt; The current implementation of SyncPcrAllocationsAndPcrMask() triggers<=
br>
&gt; PCR bank reallocation only based on the intersection between<br>
&gt; TpmActivePcrBanks and PcdTpm2HashMask.<br>
&gt; <br>
&gt; When the software HashLibBaseCryptoRouter solution is used, no PCR ban=
k<br>
&gt; reallocation is occurring based on the supported hashing algorithms<br=
>
&gt; registered by the HashLib instances.<br>
&gt; <br>
&gt; Need to have an additional check for the intersection between the<br>
&gt; TpmActivePcrBanks and the PcdTcg2HashAlgorithmBitmap populated by the<=
br>
&gt; HashLib instances present on the platform's BIOS.<br>
&gt; <br>
&gt; Signed-off-by: Rodrigo Gonzalez del Cueto<br>
&gt; &lt;<a href=3D"mailto:rodrigo.gonzalez.del.cueto@intel.com">rodrigo.go=
nzalez.del.cueto@intel.com</a>&gt;<br>
&gt; <br>
&gt; Cc: Jian J Wang &lt;<a href=3D"mailto:jian.j.wang@intel.com">jian.j.wa=
ng@intel.com</a>&gt;<br>
&gt; Cc: Jiewen Yao &lt;<a href=3D"mailto:jiewen.yao@intel.com">jiewen.yao@=
intel.com</a>&gt;<br>
&gt; ---<br>
&gt;&nbsp; SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRou=
terDxe.c<br>
&gt; |&nbsp; 6 +++++-<br>
&gt;&nbsp; SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRou=
terPei.c |<br>
&gt; 6 +++++-<br>
&gt;&nbsp; SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | 18<br>
&gt; +++++++++++++++++-<br>
&gt;&nbsp; SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |&nbsp; 1 +<br>
&gt;&nbsp; 4 files changed, 28 insertions(+), 3 deletions(-)<br>
&gt; <br>
&gt; diff --git<br>
&gt; a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterD=
xe.<br>
&gt; c<br>
&gt; b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterD=
xe.<br>
&gt; c<br>
&gt; index 7a0f61efbb..0821159120 100644<br>
&gt; ---<br>
&gt; a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterD=
xe.<br>
&gt; c<br>
&gt; +++<br>
&gt; b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterD=
xe.<br>
&gt; c<br>
&gt; @@ -230,13 +230,17 @@ RegisterHashInterfaceLib (<br>
&gt;&nbsp; {<br>
&gt;&nbsp;&nbsp;&nbsp; UINTN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Index;<br>
&gt;&nbsp;&nbsp;&nbsp; UINT32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp; HashMask;<br>
&gt; +&nbsp; UINT32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp; Tpm2HashMask;<br>
&gt;&nbsp;&nbsp;&nbsp; EFI_STATUS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp; Status;<br>
&gt; <br>
&gt;&nbsp;&nbsp;&nbsp; //<br>
&gt;&nbsp;&nbsp;&nbsp; // Check allow<br>
&gt;&nbsp;&nbsp;&nbsp; //<br>
&gt;&nbsp;&nbsp;&nbsp; HashMask =3D Tpm2GetHashMaskFromAlgo (&amp;HashInter=
face-&gt;HashGuid);<br>
&gt; -&nbsp; if ((HashMask &amp; PcdGet32 (PcdTpm2HashMask)) =3D=3D 0) {<br=
>
&gt; +&nbsp; Tpm2HashMask =3D PcdGet32 (PcdTpm2HashMask);<br>
&gt; +<br>
&gt; +&nbsp; if ((Tpm2HashMask !=3D 0) &amp;&amp;<br>
&gt; +&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ((HashMask &amp; Tpm2HashMask) =3D=3D =
0)) {<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return EFI_UNSUPPORTED;<br>
&gt;&nbsp;&nbsp;&nbsp; }<br>
&gt; <br>
&gt; diff --git<br>
&gt; a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterP=
ei.c<br>
&gt; b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterP=
ei.c<br>
&gt; index 42cb562f67..6ae51dbce4 100644<br>
&gt; ---<br>
&gt; a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterP=
ei.c<br>
&gt; +++<br>
&gt; b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterP=
ei.c<br>
&gt; @@ -327,13 +327,17 @@ RegisterHashInterfaceLib (<br>
&gt;&nbsp;&nbsp;&nbsp; UINTN&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Index;<br>
&gt;&nbsp;&nbsp;&nbsp; HASH_INTERFACE_HOB *HashInterfaceHob;<br>
&gt;&nbsp;&nbsp;&nbsp; UINT32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp; HashMask;<br>
&gt; +&nbsp; UINT32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp; Tpm2HashMask;<br>
&gt;&nbsp;&nbsp;&nbsp; EFI_STATUS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp; Status;<br>
&gt; <br>
&gt;&nbsp;&nbsp;&nbsp; //<br>
&gt;&nbsp;&nbsp;&nbsp; // Check allow<br>
&gt;&nbsp;&nbsp;&nbsp; //<br>
&gt;&nbsp;&nbsp;&nbsp; HashMask =3D Tpm2GetHashMaskFromAlgo (&amp;HashInter=
face-&gt;HashGuid);<br>
&gt; -&nbsp; if ((HashMask &amp; PcdGet32 (PcdTpm2HashMask)) =3D=3D 0) {<br=
>
&gt; +&nbsp; Tpm2HashMask =3D PcdGet32 (PcdTpm2HashMask);<br>
&gt; +<br>
&gt; +&nbsp; if ((Tpm2HashMask !=3D 0) &amp;&amp;<br>
&gt; +&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ((HashMask &amp; Tpm2HashMask) =3D=3D =
0)) {<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return EFI_UNSUPPORTED;<br>
&gt;&nbsp;&nbsp;&nbsp; }<br>
&gt; <br>
&gt; diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c<br>
&gt; b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c<br>
&gt; index 93a8803ff6..5ad6a45cf3 100644<br>
&gt; --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c<br>
&gt; +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c<br>
&gt; @@ -262,6 +262,7 @@ SyncPcrAllocationsAndPcrMask (<br>
&gt;&nbsp; {<br>
&gt;&nbsp;&nbsp;&nbsp; EFI_STATUS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp; Status;<br>
&gt;&nbsp;&nbsp;&nbsp; EFI_TCG2_EVENT_ALGORITHM_BITMAP&nbsp;&nbsp; TpmHashA=
lgorithmBitmap;<br>
&gt; +&nbsp; EFI_TCG2_EVENT_ALGORITHM_BITMAP&nbsp;&nbsp; BiosHashAlgorithmB=
itmap;<br>
&gt;&nbsp;&nbsp;&nbsp; UINT32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TpmActivePcrBanks;<br>
&gt;&nbsp;&nbsp;&nbsp; UINT32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NewTpmActivePcrBanks;<br>
&gt;&nbsp;&nbsp;&nbsp; UINT32&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Tpm2PcrMask;<br>
&gt; @@ -273,16 +274,27 @@ SyncPcrAllocationsAndPcrMask (<br>
&gt;&nbsp;&nbsp;&nbsp; // Determine the current TPM support and the Platfor=
m PCR mask.<br>
&gt;&nbsp;&nbsp;&nbsp; //<br>
&gt;&nbsp;&nbsp;&nbsp; Status =3D Tpm2GetCapabilitySupportedAndActivePcrs<b=
r>
&gt; (&amp;TpmHashAlgorithmBitmap, &amp;TpmActivePcrBanks);<br>
&gt; +<br>
&gt;&nbsp;&nbsp;&nbsp; ASSERT_EFI_ERROR (Status);<br>
&gt; +<br>
&gt; +&nbsp; DEBUG ((EFI_D_INFO, &quot;Tpm2GetCapabilitySupportedAndActiveP=
crs -<br>
&gt; TpmHashAlgorithmBitmap: 0x%08x\n&quot;, TpmHashAlgorithmBitmap));<br>
&gt; +&nbsp; DEBUG ((EFI_D_INFO, &quot;Tpm2GetCapabilitySupportedAndActiveP=
crs -<br>
&gt; TpmActivePcrBanks 0x%08x\n&quot;, TpmActivePcrBanks));<br>
&gt; <br>
&gt;&nbsp;&nbsp;&nbsp; Tpm2PcrMask =3D PcdGet32 (PcdTpm2HashMask);<br>
&gt;&nbsp;&nbsp;&nbsp; if (Tpm2PcrMask =3D=3D 0) {<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // if PcdTPm2HashMask is zero, use Activ=
ePcr setting<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; //<br>
&gt; +&nbsp;&nbsp;&nbsp; DEBUG ((EFI_D_VERBOSE, &quot;Initializing PcdTpm2H=
ashMask to<br>
&gt; TpmActivePcrBanks 0x%08x\n&quot;, TpmActivePcrBanks));<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PcdSet32S (PcdTpm2HashMask, TpmActivePcr=
Banks);<br>
&gt; +&nbsp;&nbsp;&nbsp; DEBUG ((EFI_D_VERBOSE, &quot;Initializing Tpm2PcrM=
ask to TpmActivePcrBanks<br>
&gt; 0x%08x\n&quot;, Tpm2PcrMask));<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Tpm2PcrMask =3D TpmActivePcrBanks;<br>
&gt;&nbsp;&nbsp;&nbsp; }<br>
&gt; +<br>
&gt; +&nbsp; BiosHashAlgorithmBitmap =3D PcdGet32 (PcdTcg2HashAlgorithmBitm=
ap);<br>
&gt; +&nbsp; DEBUG ((EFI_D_INFO, &quot;PcdTcg2HashAlgorithmBitmap 0x%08x\n&=
quot;,<br>
&gt; BiosHashAlgorithmBitmap));<br>
&gt; +&nbsp; DEBUG ((EFI_D_INFO, &quot;Tpm2PcrMask 0x%08x\n&quot;, Tpm2PcrM=
ask)); // Active<br>
&gt; PCR banks from TPM input<br>
&gt; +&nbsp; DEBUG ((EFI_D_INFO, &quot;TpmActivePcrBanks &amp; BiosHashAlgo=
rithmBitmap =3D<br>
&gt; 0x%08x\n&quot;, NewTpmActivePcrBanks));<br>
&gt; <br>
&gt;&nbsp;&nbsp;&nbsp; //<br>
&gt;&nbsp;&nbsp;&nbsp; // Find the intersection of Pcd support and TPM supp=
ort.<br>
&gt; @@ -294,9 +306,12 @@ SyncPcrAllocationsAndPcrMask (<br>
&gt;&nbsp;&nbsp;&nbsp; // If there are active PCR banks that are not suppor=
ted by the Platform mask,<br>
&gt;&nbsp;&nbsp;&nbsp; // update the TPM allocations and reboot the machine=
.<br>
&gt;&nbsp;&nbsp;&nbsp; //<br>
&gt; -&nbsp; if ((TpmActivePcrBanks &amp; Tpm2PcrMask) !=3D TpmActivePcrBan=
ks) {<br>
&gt; +&nbsp; if (((TpmActivePcrBanks &amp; Tpm2PcrMask) !=3D TpmActivePcrBa=
nks) ||<br>
&gt; +&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ((TpmActivePcrBanks &amp; BiosHashAlgo=
rithmBitmap) !=3D TpmActivePcrBanks)) {<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NewTpmActivePcrBanks =3D TpmActivePcrBan=
ks &amp; Tpm2PcrMask;<br>
&gt; +&nbsp;&nbsp;&nbsp; NewTpmActivePcrBanks &amp;=3D BiosHashAlgorithmBit=
map;<br>
&gt; <br>
&gt; +&nbsp;&nbsp;&nbsp; DEBUG ((EFI_D_INFO, &quot;NewTpmActivePcrBanks 0x%=
08x\n&quot;,<br>
&gt; NewTpmActivePcrBanks));<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DEBUG ((EFI_D_INFO, &quot;%a - Reallocat=
ing PCR banks from 0x%X to 0x%X.\n&quot;,<br>
&gt; __FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks));<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (NewTpmActivePcrBanks =3D=3D 0) {<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DEBUG ((EFI_D_ERROR, &quot;%=
a - No viable PCRs active! Please set a less<br>
&gt; restrictive value for PcdTpm2HashMask!\n&quot;, __FUNCTION__));<br>
&gt; @@ -331,6 +346,7 @@ SyncPcrAllocationsAndPcrMask (<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>
&gt; <br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Status =3D PcdSet32S (PcdTpm2HashMask, N=
ewTpm2PcrMask);<br>
&gt; +&nbsp;&nbsp;&nbsp; DEBUG ((EFI_D_INFO, &quot;Setting PcdTpm2Hash Mask=
 to 0x%08x\n&quot;,<br>
&gt; NewTpm2PcrMask));<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ASSERT_EFI_ERROR (Status);<br>
&gt;&nbsp;&nbsp;&nbsp; }<br>
&gt;&nbsp; }<br>
&gt; diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf<br>
&gt; b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf<br>
&gt; index 06c26a2904..17ad116126 100644<br>
&gt; --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf<br>
&gt; +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf<br>
&gt; @@ -86,6 +86,7 @@<br>
&gt;&nbsp;&nbsp;&nbsp; ## SOMETIMES_CONSUMES<br>
&gt;&nbsp;&nbsp;&nbsp; ## SOMETIMES_PRODUCES<br>
&gt;&nbsp;&nbsp;&nbsp; gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask<br>
&gt; +&nbsp; gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp; ##<br>
&gt; CONSUMES<br>
&gt; <br>
&gt;&nbsp; [Depex]<br>
&gt;&nbsp;&nbsp;&nbsp; gEfiPeiMasterBootModePpiGuid AND<br>
&gt; --<br>
&gt; 2.31.1.windows.1<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>

--_000_PH0PR11MB488571552351C4F15CB97D408C8D9PH0PR11MB4885namp_--