From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by mx.groups.io with SMTP id smtpd.web10.1717.1636090503561486304 for ; Thu, 04 Nov 2021 22:35:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=czs1CiIM; spf=pass (domain: intel.com, ip: 192.55.52.120, mailfrom: jiewen.yao@intel.com) X-IronPort-AV: E=McAfee;i="6200,9189,10158"; a="230571898" X-IronPort-AV: E=Sophos;i="5.87,210,1631602800"; d="scan'208";a="230571898" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Nov 2021 22:35:02 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.87,210,1631602800"; d="scan'208";a="450696991" Received: from orsmsx601.amr.corp.intel.com ([10.22.229.14]) by orsmga003.jf.intel.com with ESMTP; 04 Nov 2021 22:35:02 -0700 Received: from orsmsx610.amr.corp.intel.com (10.22.229.23) by ORSMSX601.amr.corp.intel.com (10.22.229.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12; Thu, 4 Nov 2021 22:35:02 -0700 Received: from orsmsx604.amr.corp.intel.com (10.22.229.17) by ORSMSX610.amr.corp.intel.com (10.22.229.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12; Thu, 4 Nov 2021 22:35:01 -0700 Received: from ORSEDG601.ED.cps.intel.com (10.7.248.6) by orsmsx604.amr.corp.intel.com (10.22.229.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12 via Frontend Transport; Thu, 4 Nov 2021 22:35:01 -0700 Received: from NAM11-CO1-obe.outbound.protection.outlook.com (104.47.56.168) by edgegateway.intel.com (134.134.137.102) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.12; Thu, 4 Nov 2021 22:35:01 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oGYhUvSCmjLVBj1KDTgXqgzNc+zl47e2vpVXGLD01ALPmbUcNwCfEbA62E/VOo9aSoQ1rf10eUG+HwzNbqSskmL4YnMp9NFwmoO6VbqpgoJSF/wQVTaOvcTWNZOufCGvRbQGtgBBCQUqhYvKh53nBUrmGQepot/H0BRgiqQBi8F16Ntb74dWJVAPBEqp3VgmC4+kxZ0/dKDhb1VIpSMvdz/SQjUFQ6bl+k9/AdZl98C50WZbOj5eNI4XQo1rMu7bSwBcerUzq2862BCU7XBWkDGYKhNyWwe+Yhnlp30fjU1iReZ9w08gYh8q4l9/Lb36fZOC7KHR8ZZx9Ouv+1nZlQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=EuowtN5JztOMHJFaHA8CxG422TDwBw5P4NmW11/PWB8=; b=dQS9V8ZKHeUwEKtXc7xFhzGC812tAfKUON42T+6dSOy0Ebt+37D8vyc0XLoNduKfmeXgWSIu4+CNGcHmC3rqrxhXI0atzj6gSpuZlpIPmPfem995tFnEz+U7f6fSh5LX4V+zZ+61jWA8z65HmtniuA5d35toNDas7Scgv1SQIlmjN4SLEve0kB45Ch8Rw+qVn1ydYinN4oMUXoBPpqtgN9VSjsoeHg8U9Kckzk3d2Bv/zQ276AJ6AF9KCSzNB4H7/djrviOFPykacAACv0vCreOBydUXj5WjBLeUlElOBAVBtYkHt+zmb0YthaVjF+05jXH4QJU4L7O+ruHa48dPlw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EuowtN5JztOMHJFaHA8CxG422TDwBw5P4NmW11/PWB8=; b=czs1CiIMmtJBVX5WBRONF1NlBdxBswaoZLkuEAbM2alS2qE9ZcuhF/l6QBp4xM0frWnCBjEgvKWtBMNevnBnZ+Up82YXnC60UqoySlf1lBq7vMJsERDwEi3lgSVfUYYNtK9zsGzrT2kM/ten1GgKyVE/yvECGuMYy78WYl3gRsc= Received: from PH0PR11MB4885.namprd11.prod.outlook.com (2603:10b6:510:35::14) by PH0PR11MB5111.namprd11.prod.outlook.com (2603:10b6:510:3c::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.10; Fri, 5 Nov 2021 05:35:01 +0000 Received: from PH0PR11MB4885.namprd11.prod.outlook.com ([fe80::c5cb:e37a:9f3:8f80]) by PH0PR11MB4885.namprd11.prod.outlook.com ([fe80::c5cb:e37a:9f3:8f80%5]) with mapi id 15.20.4649.019; Fri, 5 Nov 2021 05:35:00 +0000 From: "Yao, Jiewen" To: "Gonzalez Del Cueto, Rodrigo" , "devel@edk2.groups.io" CC: "Wang, Jian J" Subject: Re: [PATCH] Reallocate TPM Active PCRs based on platform support. Thread-Topic: [PATCH] Reallocate TPM Active PCRs based on platform support. Thread-Index: AQHX0abOerwMvvRJfkShUs3nZItUM6v0alLQ Date: Fri, 5 Nov 2021 05:35:00 +0000 Message-ID: References: <20211104180648.1553-1-rodrigo.gonzalez.del.cueto@intel.com> In-Reply-To: <20211104180648.1553-1-rodrigo.gonzalez.del.cueto@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-version: 11.6.200.16 dlp-product: dlpe-windows dlp-reaction: no-action authentication-results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 20f17947-800b-40c7-5d6e-08d9a01e0303 x-ms-traffictypediagnostic: PH0PR11MB5111: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:10000; x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: a4gwfNtA/jzDgqIqiQpveWz/yNZdkrko6VFphgBkO0jfaz63QrS1WkDdm6BNePO/trgP1/Nhkq9lWsHLj4rbtSfbJ8LNtRdc7WpUupS8goBOi9+FZlYlYyHIOM8NyypOGH3KvBGpQ0GeRayfhtDK8LpImoOV4W1z6snPPAAYrNlTLcs2Wiv4P28QezMIRBzZEo5uLNosXiaeufKuXSpJZBE1Lw4o2VKDa+6TYKuCVRsBrb6JhDMMb3HktxBVQ2g0drIUIHLkl8OCFpaD9TOC6vBz/RdRzyj9OPQHl31ZOpIMWjZ2Iergzb/4q8VKror4FWV+oUDj30EE23paWx26If7hk0+/ApNMp6RsLU5Ns+0hdUow7IayZEop5smZuUEInNh11HWPSE3gb8rNspbi4d29bejs4dbh8Q+8HyhXgv2TBjjlTAb5UVxaS2nPBXIraHSojCTf0fP6YGpPOUU/nYkKpjBWDYPDAprAoHA/8QOvgGz3kHLekOhax8efir498PIujzRMTEmz+HbLSVOZKluib3KMEwIz6WvrnVhQ+TUTnyNVk6LxWGb4838DypNfItB5+d1BeDBXj+niB5SLzY8DDas6exfQH5PbtHyxJFdtKPvJiLl0Lm+356i4neAftin6n8eOKnKdll6zuwkDp4u6CSupmUq0jyiGtSQrAAajuXEqsPfVslqDMpNJT4rCm+2puiiefdw1q9Y++lQstDoWQAlBB98Lvoqka0iCi3NOIDmq/yDQsIhqDBf10sT9TALsamq82mPaE8FSEPnqRLj433vXob17lk5LYKDRHPA= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB4885.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(366004)(76116006)(966005)(5660300002)(33656002)(4326008)(26005)(53546011)(38070700005)(6506007)(38100700002)(186003)(508600001)(71200400001)(66946007)(110136005)(9686003)(122000001)(30864003)(83380400001)(66556008)(55016002)(45080400002)(64756008)(86362001)(8936002)(19627235002)(66446008)(82960400001)(66476007)(107886003)(316002)(8676002)(2906002)(52536014)(7696005);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?VxYtdMV5Fc5vNcXlcvsk0ZoW/PhZUiMKaCSpzn31kTlO7PXj4CWeO/oKSbXW?= =?us-ascii?Q?4PElzPHfWrJnCQ10aYvZ5atCUxQQKmPqfvp27h257iiap7fE2bVa0LtgnBBR?= =?us-ascii?Q?nlPCKlpmomfBTWCjmlqHexaPeP7sJu/fiaq0chPGuQ2I8TZgGUxcnpf/7Era?= =?us-ascii?Q?NHQT522/MaNuI7Yrk3qpoTuoob/Wz6i6Ctwc9B5/NrjVGcKeG/X5wdZUadly?= =?us-ascii?Q?7PPkOqDCgGcms4goX6nub8NLEeu5oL7xdO36qv7lRVIcCUhwTmDm9MVdAQYE?= =?us-ascii?Q?yMsGburRyHqCsGsP3j1TqwjFacL7M2CagCPPD7lAlWuxlM1FFzK1XKJoGEfB?= =?us-ascii?Q?hYHJQ99BlWlnRO4m5F3rS52zAeOUGNaVlK7JspU5HS9A1IUquZlvxLPURC0+?= =?us-ascii?Q?NBtNAowb6rbeCBpeb/ywWpMM/8TrsJqMc1gHIooqhNtiLK+bDQvfVoM2ZSyI?= =?us-ascii?Q?5MkKppsYedAGzcv6sxQU9As9ku8VFNU3TxUmydTAfLVu4QePeVHdzm/Yiy2n?= =?us-ascii?Q?edhQf58Qo6b9JI9jHjoStWRhGDCdTlHivvzGfZj3NsxNLljHxoF6JmY4sYFb?= =?us-ascii?Q?Mgo/2MYGtjggkMWfN0SjZcVGCjIySmh82vUz9xGCNBUlhTC3QfZv5zOqOqgu?= =?us-ascii?Q?9nwMWd/KbqkGNgJhVdZ8TUoVpL23xIARr2+4jdd91v+oVncXse0rCxxKyQy8?= =?us-ascii?Q?7aK7ZonowuS7dZkGXLhZuUhf+1q5zaMFDQ6Akos1ZXvNltg0k1O2Yr2k60/Q?= =?us-ascii?Q?cGzGVL5z2MzhtP6WatZviwKwYlo7dpGzS4jhHvvm2Hm3Dibcmz1WPizRP/ut?= =?us-ascii?Q?QWlv8tYlXl/QssAMbT56RfmLiCnMxFQhG3B0KGxsj20PbAKm+B8XIT6oA/6K?= =?us-ascii?Q?otERCZjIutwY4WJARblWbjS3+WWv4uHQvrpAt+SjtWy+cSyFAXLbISrcVf0t?= =?us-ascii?Q?2zy/wqMYPRYXy9uIyx4x08IUGJD74yG0wXEPb22fu5CQf0YZN+jkVbpFA++8?= =?us-ascii?Q?YtgwxdmjCDKv/d61wAVsuBlth4R6yXKInIgN0bxdXu6m7hm0vgj+2jwokqQH?= =?us-ascii?Q?OPxn3H/Qgi6ao3oiUzUrXd+anux4z5/5xtjM7qgtiTtYV4gZ5L9cD/siFbjs?= =?us-ascii?Q?ASqv1Oawm0QJkkYsWqISg30i3TfyCX6yflHcVVDl9Elkj5sd1M7zsOULGVwd?= =?us-ascii?Q?tFq0diP1Rk73+WXuhcWEAcWUTtqVz6yDygLVdPbZTmUkg9VcjRTvF508rXSI?= =?us-ascii?Q?18dHwmp5dH/MiqDnPj98mmFVo2uwzdhsPYhYYENo3B9O7CTuXOxgt2KAAuXf?= =?us-ascii?Q?v2tBZaDljN2JauWwpkjq4u0y3C3aLjqt6IoPQ3Dkvd+YQfv52ZkURFGzhviL?= =?us-ascii?Q?E8Wco+b5x6icvwaUKWeouLO10Ec4s54GchauCkML2ItBP87MqKrGQG96V2aV?= =?us-ascii?Q?87NwdGKa03DBln5OTQo2lYL3+MFM+WlON7vK7uxZ9OF90sh7ZS0iL8jaFshb?= =?us-ascii?Q?djZnl1Y/rLZij85w/fkhz/sB15XqpG9bv2LvQmBh+t7ml2s/2/fCZQVqhZ1m?= =?us-ascii?Q?PfdiYehHqs6T3pbCxE9grSRyZp1Nr5mZMlQ6FDh7NsTWzgGr5+cur1GhfVsC?= =?us-ascii?Q?y9eH/Mp8D/LUm8g5MidcTgg=3D?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4885.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 20f17947-800b-40c7-5d6e-08d9a01e0303 X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Nov 2021 05:35:00.8287 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: YLHDsOW2RqkNntbNSWe8anC4R1OcHBNlSKLnLX96LbvlZg5zVajacpBCMGfacVw96alPpamw1OJkuk05rEL9MQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB5111 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Would you please confirm if you have run CI and got a PASS result? > -----Original Message----- > From: Gonzalez Del Cueto, Rodrigo > Sent: Friday, November 5, 2021 2:07 AM > To: devel@edk2.groups.io > Cc: Gonzalez Del Cueto, Rodrigo ; > Wang, Jian J ; Yao, Jiewen > Subject: [PATCH] Reallocate TPM Active PCRs based on platform support. >=20 > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3515 >=20 > In V3: Cleaned up comments, debug prints and updated patch to use the > new debug ENUM definitions. >=20 > - Replaced EFI_D_INFO with DEBUG_INFO. > - Replaced EFI_D_VERBOSE with DEBUG_VERBOSE. >=20 > In V2: Add case to RegisterHashInterfaceLib logic >=20 > RegisterHashInterfaceLib needs to correctly handle registering the HashLi= b > instance supported algorithm bitmap when PcdTpm2HashMask is set to zero. >=20 > The current implementation of SyncPcrAllocationsAndPcrMask() triggers > PCR bank reallocation only based on the intersection between > TpmActivePcrBanks and PcdTpm2HashMask. >=20 > When the software HashLibBaseCryptoRouter solution is used, no PCR bank > reallocation is occurring based on the supported hashing algorithms > registered by the HashLib instances. >=20 > Need to have an additional check for the intersection between the > TpmActivePcrBanks and the PcdTcg2HashAlgorithmBitmap populated by the > HashLib instances present on the platform's BIOS. >=20 > Signed-off-by: Rodrigo Gonzalez del Cueto > >=20 > Cc: Jian J Wang > Cc: Jiewen Yao > --- > SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c > | 6 +++++- > SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c= | > 6 +++++- > SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c = | 67 > ++++++++++++++++++++++++++++++++++++++++++------------------------- > SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf = | 1 + > 4 files changed, 53 insertions(+), 27 deletions(-) >=20 > diff --git > a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe. > c > b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe. > c > index 7a0f61efbb..0821159120 100644 > --- > a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe. > c > +++ > b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe. > c > @@ -230,13 +230,17 @@ RegisterHashInterfaceLib ( > { > UINTN Index; > UINT32 HashMask; > + UINT32 Tpm2HashMask; > EFI_STATUS Status; >=20 > // > // Check allow > // > HashMask =3D Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid); > - if ((HashMask & PcdGet32 (PcdTpm2HashMask)) =3D=3D 0) { > + Tpm2HashMask =3D PcdGet32 (PcdTpm2HashMask); > + > + if ((Tpm2HashMask !=3D 0) && > + ((HashMask & Tpm2HashMask) =3D=3D 0)) { > return EFI_UNSUPPORTED; > } >=20 > diff --git > a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.= c > b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.= c > index 42cb562f67..6ae51dbce4 100644 > --- > a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.= c > +++ > b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.= c > @@ -327,13 +327,17 @@ RegisterHashInterfaceLib ( > UINTN Index; > HASH_INTERFACE_HOB *HashInterfaceHob; > UINT32 HashMask; > + UINT32 Tpm2HashMask; > EFI_STATUS Status; >=20 > // > // Check allow > // > HashMask =3D Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid); > - if ((HashMask & PcdGet32 (PcdTpm2HashMask)) =3D=3D 0) { > + Tpm2HashMask =3D PcdGet32 (PcdTpm2HashMask); > + > + if ((Tpm2HashMask !=3D 0) && > + ((HashMask & Tpm2HashMask) =3D=3D 0)) { > return EFI_UNSUPPORTED; > } >=20 > diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c > b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c > index 93a8803ff6..582b9377e5 100644 > --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c > +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c > @@ -1,7 +1,7 @@ > /** @file > Initialize TPM2 device and measure FVs before handing off control to D= XE. >=20 > -Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.
> +Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.
> Copyright (c) 2017, Microsoft Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > @@ -253,7 +253,7 @@ EndofPeiSignalNotifyCallBack ( >=20 > /** > Make sure that the current PCR allocations, the TPM supported PCRs, > - and the PcdTpm2HashMask are all in agreement. > + PcdTcg2HashAlgorithmBitmap and the PcdTpm2HashMask are all in > agreement. > **/ > VOID > SyncPcrAllocationsAndPcrMask ( > @@ -262,52 +262,68 @@ SyncPcrAllocationsAndPcrMask ( > { > EFI_STATUS Status; > EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap; > + EFI_TCG2_EVENT_ALGORITHM_BITMAP BiosHashAlgorithmBitmap; > UINT32 TpmActivePcrBanks; > UINT32 NewTpmActivePcrBanks; > UINT32 Tpm2PcrMask; > UINT32 NewTpm2PcrMask; >=20 > - DEBUG ((EFI_D_ERROR, "SyncPcrAllocationsAndPcrMask!\n")); > + DEBUG ((DEBUG_ERROR, "SyncPcrAllocationsAndPcrMask!\n")); >=20 > // > // Determine the current TPM support and the Platform PCR mask. > // > Status =3D Tpm2GetCapabilitySupportedAndActivePcrs > (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks); > + > ASSERT_EFI_ERROR (Status); >=20 > + DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - > TpmHashAlgorithmBitmap: 0x%08x\n", TpmHashAlgorithmBitmap)); > + DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - > TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks)); > + > Tpm2PcrMask =3D PcdGet32 (PcdTpm2HashMask); > if (Tpm2PcrMask =3D=3D 0) { > // > - // if PcdTPm2HashMask is zero, use ActivePcr setting > + // If PcdTpm2HashMask is zero, use ActivePcr setting. > + // Only when PcdTpm2HashMask is initialized to 0, will it be updated= to > current Active Pcrs. > // > PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks); > Tpm2PcrMask =3D TpmActivePcrBanks; > } > + DEBUG ((DEBUG_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask)); >=20 > // > - // Find the intersection of Pcd support and TPM support. > - // If banks are missing from the TPM support that are in the PCD, upda= te the > PCD. > - // If banks are missing from the PCD that are active in the TPM, reall= ocate the > banks and reboot. > - // > - > - // > - // If there are active PCR banks that are not supported by the Platfor= m mask, > - // update the TPM allocations and reboot the machine. > + // The Active PCRs in the TPM need to be a strict subset of the hashin= g > algorithms supported by BIOS. > // > - if ((TpmActivePcrBanks & Tpm2PcrMask) !=3D TpmActivePcrBanks) { > - NewTpmActivePcrBanks =3D TpmActivePcrBanks & Tpm2PcrMask; > - > - DEBUG ((EFI_D_INFO, "%a - Reallocating PCR banks from 0x%X to 0x%X.\= n", > __FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks)); > + // * Find the intersection of Pcd support and TPM active PCRs. If bank= s are > missing from the TPM support > + // that are in the PCD, update the PCD. > + // * Find intersection of TPM Active PCRs and BIOS supported algorithm= s. If > there are active PCR banks > + // that are not supported by the platform, update the TPM allocations = and > reboot. > + // Note: When the HashLibBaseCryptoRouter solution is used, the hash > algorithm support from BIOS is reported > + // by Tcg2HashAlgorithmBitmap, which is populated by HashLib ins= tances > at runtime. > + BiosHashAlgorithmBitmap =3D PcdGet32 (PcdTcg2HashAlgorithmBitmap); > + DEBUG ((DEBUG_INFO, "Tcg2HashAlgorithmBitmap: 0x%08x\n", > BiosHashAlgorithmBitmap)); > + > + if (((TpmActivePcrBanks & Tpm2PcrMask) !=3D TpmActivePcrBanks) || > + ((TpmActivePcrBanks & BiosHashAlgorithmBitmap) !=3D TpmActivePcrBa= nks)) { > + DEBUG ((DEBUG_INFO, "TpmActivePcrBanks & Tpm2PcrMask =3D 0x%08x\n", > (TpmActivePcrBanks & Tpm2PcrMask))); > + DEBUG ((DEBUG_INFO, "TpmActivePcrBanks & BiosHashAlgorithmBitmap =3D > 0x%08x\n", (TpmActivePcrBanks & BiosHashAlgorithmBitmap))); > + NewTpmActivePcrBanks =3D TpmActivePcrBanks; > + NewTpmActivePcrBanks &=3D Tpm2PcrMask; > + NewTpmActivePcrBanks &=3D BiosHashAlgorithmBitmap; > + DEBUG ((DEBUG_INFO, "NewTpmActivePcrBanks 0x%08x\n", > NewTpmActivePcrBanks)); > + > + DEBUG ((DEBUG_INFO, "%a - Reallocating PCR banks from 0x%X to 0x%X.\= n", > __FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks)); > if (NewTpmActivePcrBanks =3D=3D 0) { > - DEBUG ((EFI_D_ERROR, "%a - No viable PCRs active! Please set a les= s > restrictive value for PcdTpm2HashMask!\n", __FUNCTION__)); > + DEBUG ((DEBUG_ERROR, "%a - No viable PCRs active! Please set a les= s > restrictive value for PcdTpm2HashMask!\n", __FUNCTION__)); > ASSERT (FALSE); > } else { > + DEBUG ((DEBUG_ERROR, "Tpm2PcrAllocateBanks > (TpmHashAlgorithmBitmap: 0x%08x, NewTpmActivePcrBanks: 0x%08x)\n", > TpmHashAlgorithmBitmap, NewTpmActivePcrBanks)); > Status =3D Tpm2PcrAllocateBanks (NULL, (UINT32)TpmHashAlgorithmBit= map, > NewTpmActivePcrBanks); > if (EFI_ERROR (Status)) { > // > // We can't do much here, but we hope that this doesn't happen. > // > - DEBUG ((EFI_D_ERROR, "%a - Failed to reallocate PCRs!\n", > __FUNCTION__)); > + DEBUG ((DEBUG_ERROR, "%a - Failed to reallocate PCRs!\n", > __FUNCTION__)); > ASSERT_EFI_ERROR (Status); > } > // > @@ -324,13 +340,14 @@ SyncPcrAllocationsAndPcrMask ( > if ((Tpm2PcrMask & TpmHashAlgorithmBitmap) !=3D Tpm2PcrMask) { > NewTpm2PcrMask =3D Tpm2PcrMask & TpmHashAlgorithmBitmap; >=20 > - DEBUG ((EFI_D_INFO, "%a - Updating PcdTpm2HashMask from 0x%X to > 0x%X.\n", __FUNCTION__, Tpm2PcrMask, NewTpm2PcrMask)); > + DEBUG ((DEBUG_ERROR, "%a - Updating PcdTpm2HashMask from 0x%X to > 0x%X.\n", __FUNCTION__, Tpm2PcrMask, NewTpm2PcrMask)); > if (NewTpm2PcrMask =3D=3D 0) { > - DEBUG ((EFI_D_ERROR, "%a - No viable PCRs supported! Please set a = less > restrictive value for PcdTpm2HashMask!\n", __FUNCTION__)); > + DEBUG ((DEBUG_ERROR, "%a - No viable PCRs supported! Please set a = less > restrictive value for PcdTpm2HashMask!\n", __FUNCTION__)); > ASSERT (FALSE); > } >=20 > Status =3D PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask); > + DEBUG ((DEBUG_ERROR, "Set PcdTpm2Hash Mask to 0x%08x\n", > NewTpm2PcrMask)); > ASSERT_EFI_ERROR (Status); > } > } > @@ -365,7 +382,7 @@ LogHashEvent ( > RetStatus =3D EFI_SUCCESS; > for (Index =3D 0; Index < sizeof(mTcg2EventInfo)/sizeof(mTcg2EventInfo= [0]); > Index++) { > if ((SupportedEventLogs & mTcg2EventInfo[Index].LogFormat) !=3D 0) { > - DEBUG ((EFI_D_INFO, " LogFormat - 0x%08x\n", > mTcg2EventInfo[Index].LogFormat)); > + DEBUG ((DEBUG_INFO, " LogFormat - 0x%08x\n", > mTcg2EventInfo[Index].LogFormat)); > switch (mTcg2EventInfo[Index].LogFormat) { > case EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2: > Status =3D GetDigestFromDigestList (TPM_ALG_SHA1, DigestList, > &NewEventHdr->Digest); > @@ -476,7 +493,7 @@ HashLogExtendEvent ( > } >=20 > if (Status =3D=3D EFI_DEVICE_ERROR) { > - DEBUG ((EFI_D_ERROR, "HashLogExtendEvent - %r. Disable TPM.\n", Stat= us)); > + DEBUG ((DEBUG_ERROR, "HashLogExtendEvent - %r. Disable TPM.\n", > Status)); > BuildGuidHob (&gTpmErrorHobGuid,0); > REPORT_STATUS_CODE ( > EFI_ERROR_CODE | EFI_ERROR_MINOR, > @@ -1011,7 +1028,7 @@ PeimEntryMA ( > } >=20 > if (GetFirstGuidHob (&gTpmErrorHobGuid) !=3D NULL) { > - DEBUG ((EFI_D_ERROR, "TPM2 error!\n")); > + DEBUG ((DEBUG_ERROR, "TPM2 error!\n")); > return EFI_DEVICE_ERROR; > } >=20 > @@ -1075,7 +1092,7 @@ PeimEntryMA ( > for (PcrIndex =3D 0; PcrIndex < 8; PcrIndex++) { > Status =3D MeasureSeparatorEventWithError (PcrIndex); > if (EFI_ERROR (Status)) { > - DEBUG ((EFI_D_ERROR, "Separator Event with Error not Measured. > Error!\n")); > + DEBUG ((DEBUG_ERROR, "Separator Event with Error not Measured. > Error!\n")); > } > } > } > @@ -1106,7 +1123,7 @@ PeimEntryMA ( >=20 > Done: > if (EFI_ERROR (Status)) { > - DEBUG ((EFI_D_ERROR, "TPM2 error! Build Hob\n")); > + DEBUG ((DEBUG_ERROR, "TPM2 error! Build Hob\n")); > BuildGuidHob (&gTpmErrorHobGuid,0); > REPORT_STATUS_CODE ( > EFI_ERROR_CODE | EFI_ERROR_MINOR, > diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf > b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf > index 06c26a2904..17ad116126 100644 > --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf > +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf > @@ -86,6 +86,7 @@ > ## SOMETIMES_CONSUMES > ## SOMETIMES_PRODUCES > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask > + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap = ## > CONSUMES >=20 > [Depex] > gEfiPeiMasterBootModePpiGuid AND > -- > 2.33.1.windows.1