From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Mon, 20 May 2019 09:24:02 -0700 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 28BB430862BE; Mon, 20 May 2019 16:23:48 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-124-154.rdu2.redhat.com [10.10.124.154]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7D6D8608A7; Mon, 20 May 2019 16:23:43 +0000 (UTC) Subject: Re: [edk2-devel] [Enable measured boot with SM3 digest algorithm 0/4] To: imran.desai@intel.com References: <20190517183127.38140-1-imran.desai@intel.com> From: "Laszlo Ersek" Cc: devel@edk2.groups.io, Michael D Kinney , Liming Gao , Chao Zhang , Jiewen Yao , Jian Wang , Jordan Justen , Ard Biesheuvel , =?UTF-8?Q?Marc-Andr=c3=a9_Lureau?= , Stefan Berger Message-ID: Date: Mon, 20 May 2019 18:23:42 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <20190517183127.38140-1-imran.desai@intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.49]); Mon, 20 May 2019 16:23:53 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable Hi Imran, On 05/17/19 20:31, Imran Desai wrote: > https://github.com/idesai/edk2/tree/enable_sm3_measured_boot > > Support for SM3 digest algorithm is needed for TPM with SM3 PCR banks. > This digest algorithm is part of the China Crypto algorithm suite. > Support for these algorithms is needed to enable platforms for the PRC > market. > This integration has dependency on the openssl_1_1_1b integration into > edk2. > > Imran Desai (4): > sm3_enabling: Augment crypt interface with calls into openssl to > calculate sm3 digest prior to exercising TPM2 calls for PCR extend > sm3-enabling: Add SM3 TCG algorithm registry value to the > PcdTpm2HashMask > sm3-enabling: Add SM3 guid reference in the TPM2 hash mask structure > in HashLibBaseCryptoRouterCommon.c > sm3-enabling: Add SM3 hashinstance library information to all > OvmfPkg and SecurityPkg > > SecurityPkg/SecurityPkg.dec | 5 +- > OvmfPkg/OvmfPkgIa32.dsc | 2 + > OvmfPkg/OvmfPkgIa32X64.dsc | 2 + > OvmfPkg/OvmfPkgX64.dsc | 2 + > SecurityPkg/SecurityPkg.dsc | 3 + > .../HashInstanceLibSm3/HashInstanceLibSm3.inf | 46 ++++++ > MdePkg/Include/Protocol/Hash.h | 5 + > SecurityPkg/Include/Library/HashLib.h | 1 + > .../HashInstanceLibSm3/HashInstanceLibSm3.c | 155 ++++++++++++++++++ > .../HashLibBaseCryptoRouterCommon.c | 1 + > .../HashInstanceLibSm3/HashInstanceLibSm3.uni | 21 +++ > 11 files changed, 241 insertions(+), 2 deletions(-) > create mode 100644 SecurityPkg/Library/HashInstanceLibSm3/HashInstance= LibSm3.inf > create mode 100644 SecurityPkg/Library/HashInstanceLibSm3/HashInstance= LibSm3.c > create mode 100644 SecurityPkg/Library/HashInstanceLibSm3/HashInstance= LibSm3.uni > (1) Please refer to: https://github.com/tianocore/tianocore.github.io/wiki/Commit-Message-Fo= rmat for the commit message format. In particular, - the subject prefix should simply be [PATCH] - the bugzilla URL should be referenced in every commit message - you should have a subject line on each patch that's not longer than 72-74 characters - you should have a non-empty commit message body (similarly wrapped to 72-74 characters) in every patch - you should add your Signed-off-by to every patch. (2) Any given patch should not cross module or package directories, if possible. In addition, the patch series should be built logically, in stages. First, the foundation should be laid, and the rest should be built upon the foundation. Thus, below, I suggest a (hopefully better) structure for your patch series. Note that this is only a structural overview; I'll have more comments at the bottom. (2a) PATCH v2 1/5: Subject: MdePkg/Protocol/Hash: introduce GUID for SM3 digest algorithm Package maintainers to CC (see "MdePkg" in "Maintainers.txt"): Cc: Michael D Kinney Cc: Liming Gao Modify only the following files in this patch: MdePkg/Include/Protocol/Hash.h (2b) PATCH v2 2/5: Subject: SecurityPkg: introduce the SM3 digest algorithm Package maintainers to CC: Cc: Chao Zhang Cc: Jiewen Yao Cc: Jian Wang Modify only the following files in this patch: SecurityPkg/Include/Library/HashLib.h SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.c SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.inf SecurityPkg/Library/HashInstanceLibSm3/HashInstanceLibSm3.uni SecurityPkg/SecurityPkg.dsc (2c) PATCH v2 3/5: Subject: SecurityPkg/HashLibBaseCryptoRouter: recognize the SM3 digest algorithm Package maintainers to CC: see (2b) Modify only the following files in this patch: SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterComm= on.c (2d) PATCH v2 4/5: Subject: SecurityPkg: set SM3 bit in TPM 2.0 hash mask by default Package maintainers to CC: see (2b) Modify only the following files in this patch: SecurityPkg/SecurityPkg.dec (2e) PATCH v2 5/5: Subject: OvmfPkg: link SM3 support into Tcg2Pei and Tcg2Dxe Package maintainers to CC: Cc: Jordan Justen Cc: Laszlo Ersek Cc: Ard Biesheuvel Cc: Marc-Andr=C3=A9 Lureau Cc: Stefan Berger Modify only the following files in this patch: OvmfPkg/OvmfPkgIa32.dsc OvmfPkg/OvmfPkgIa32X64.dsc OvmfPkg/OvmfPkgX64.dsc (3) Now, let's see what the series actually does. (3a) For modifying a protocol include header under MdePkg, you first need to go through the standardization process with the USWG. Once a UEFI spec version has been released with the new feature, you can submit the patches. Until then, you can implement such API changes only under "MdeModulePkg/Include/Protocol", as an edk2 extension. The MdePkg maintainers can explain in more detail. (3b) You extend the "mTpm2HashMask" array with SM3 in "HashLibBaseCryptoRouter". But such an array exists in "HashLibTpm2" as well. The SecurityPkg maintainers can advise you on keeping these in sync. It is likely that you will need to add yet another patch, similarly to (2c) above. (3c) This comment is akin to (3a). The documentation on "PcdTpm2HashMask" in "SecurityPkg.dec" says, "Bit definition strictly follows TCG Algorithm Registry". Therefore, in patch (2d), you need to show that the TCG Algorithm Registry includes the SM3 hash algorithm (link to released TCG PDF). For now, I would normally suggest that you please submit a v2 with only these structural and formal fixes, so that MdePkg and SecurityPkg maintainers can comment on your work at all. Right now the patch series is poorly structured, which makes it hard for package maintainers to determine their review jurisdictions, and to make comments on the semantics. Luckily, this aspect can be improved quite easily -- just rearrange the files between the patches (see above), write to-the-point subject lines, and good commit messages. ... However: in the cover letter, you mention that SM3 depends on OpenSSL-1.1.1b. That work has not been merged into edk2 yet. So I suggest holding the present series in your private tree, until OpenSSL-1.1.1b is upstreamed. (Other package maintainers may disagree of course, if they prefer to review this work in parallel!) Thanks Laszlo