public inbox for devel@edk2.groups.io
* [edk2-devel] [PATCH v2 0/1] SecurityPkg/Tcg2Config: Hide BIOS unsupported hash algorithm from UI
@ 2024-04-12  7:14 Xu, Wei6
  2024-04-12  7:14 ` [edk2-devel] [PATCH v2 1/1] " Xu, Wei6
  0 siblings, 1 reply; 3+ messages in thread
From: Xu, Wei6 @ 2024-04-12  7:14 UTC (permalink / raw)
  To: devel; +Cc: Wei6 Xu, Rahul Kumar, Jiewen Yao, Michael D Kinney

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4731

V1:
The patch is to hide BIOS unsupported hash algorithms from the UI, to keep the user from selecting a wrong hash algorithm, which may cause an assert.

V2:
Rename BiosHashAlgBitmap to Tcg2HashAlgBitmap to avoid confusion, because it is not legacy BIOS related.

Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>

Wei6 Xu (1):
  SecurityPkg/Tcg2Config: Hide BIOS unsupported hash algorithm from UI

 SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c | 61 ++++++++++++++-------
 1 file changed, 41 insertions(+), 20 deletions(-)

-- 
2.29.2.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#117644): https://edk2.groups.io/g/devel/message/117644
Mute This Topic: https://groups.io/mt/105478365/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-




* [edk2-devel] [PATCH v2 1/1] SecurityPkg/Tcg2Config: Hide BIOS unsupported hash algorithm from UI
  2024-04-12  7:14 [edk2-devel] [PATCH v2 0/1] SecurityPkg/Tcg2Config: Hide BIOS unsupported hash algorithm from UI Xu, Wei6
@ 2024-04-12  7:14 ` Xu, Wei6
  2024-04-15 16:00   ` Yao, Jiewen
  0 siblings, 1 reply; 3+ messages in thread
From: Xu, Wei6 @ 2024-04-12  7:14 UTC (permalink / raw)
  To: devel; +Cc: Wei6 Xu, Rahul Kumar, Jiewen Yao

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4731

TCG2 configuration UI shows all the hash algorithms that TPM hardware
supports in the checkbox. If the user selects only one algorithm that is
supported by TPM hardware but not supported by BIOS and unchecks the
others, the SyncPcrAllocationsAndPcrMask in Tcg2Pei will not be able
to decide a viable PCR to activate, then an assert occurs.

Add a check against PcdTcg2HashAlgorithmBitmap when deciding whether
to suppress the hash algorithm checkbox, to keep the user from selecting
the hash algorithm which may cause an assert.

Cc: Rahul Kumar <rahul1.kumar@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
Reviewed-by: Rahul Kumar <rahul1.kumar@intel.com>
---
 SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c | 61 ++++++++++++++-------
 1 file changed, 41 insertions(+), 20 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c b/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
index 6eb04c014448..aec7a903cf89 100644
--- a/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
+++ b/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
@@ -722,33 +722,50 @@ FillBufferWithBootHashAlg (
 }
 
 /**
-  Set ConfigInfo according to TpmAlgHash.
+  Set ConfigInfo according to TpmAlgHash and Tcg2HashAlgBitmap.
 
   @param[in,out] Tcg2ConfigInfo       TCG2 config info.
   @param[in]     TpmAlgHash           TpmAlgHash.
+  @param[in]     Tcg2HashAlgBitmap    TCG2 Hash Algorithm Bitmap.
 
 **/
 VOID
 SetConfigInfo (
   IN OUT TCG2_CONFIGURATION_INFO  *Tcg2ConfigInfo,
-  IN UINT32                       TpmAlgHash
+  IN UINT32                       TpmAlgHash,
+  IN UINT32                       Tcg2HashAlgBitmap
   )
 {
   switch (TpmAlgHash) {
     case TPM_ALG_SHA1:
-      Tcg2ConfigInfo->Sha1Supported = TRUE;
+      if ((Tcg2HashAlgBitmap & HASH_ALG_SHA1) != 0) {
+        Tcg2ConfigInfo->Sha1Supported = TRUE;
+      }
+
       break;
     case TPM_ALG_SHA256:
-      Tcg2ConfigInfo->Sha256Supported = TRUE;
+      if ((Tcg2HashAlgBitmap & HASH_ALG_SHA256) != 0) {
+        Tcg2ConfigInfo->Sha256Supported = TRUE;
+      }
+
       break;
     case TPM_ALG_SHA384:
-      Tcg2ConfigInfo->Sha384Supported = TRUE;
+      if ((Tcg2HashAlgBitmap & HASH_ALG_SHA384) != 0) {
+        Tcg2ConfigInfo->Sha384Supported = TRUE;
+      }
+
       break;
     case TPM_ALG_SHA512:
-      Tcg2ConfigInfo->Sha512Supported = TRUE;
+      if ((Tcg2HashAlgBitmap & HASH_ALG_SHA512) != 0) {
+        Tcg2ConfigInfo->Sha512Supported = TRUE;
+      }
+
       break;
     case TPM_ALG_SM3_256:
-      Tcg2ConfigInfo->Sm3Supported = TRUE;
+      if ((Tcg2HashAlgBitmap & HASH_ALG_SM3_256) != 0) {
+        Tcg2ConfigInfo->Sm3Supported = TRUE;
+      }
+
       break;
   }
 }
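Review bot: the new Tcg2HashAlgBitmap parameter of SetConfigInfo is declared UINT32 and documented only as "TCG2 Hash Algorithm Bitmap", while the caller later in this patch holds the value as EFI_TCG2_EVENT_ALGORITHM_BITMAP. Use the same type in the prototype, and say in the @param line that it is the mask of HASH_ALG_* bits the firmware supports (the caller passes PcdTcg2HashAlgorithmBitmap), because TpmAlgHash on the line above is a TPM_ALG_* identifier and the two encodings are easy to confuse. The header comment should also state that a flag is left untouched when its bit is clear, since the function now relies on the caller having zeroed Tcg2ConfigInfo.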
@@ -809,16 +826,17 @@ InstallTcg2ConfigForm (
   IN OUT TCG2_CONFIG_PRIVATE_DATA  *PrivateData
   )
 {
-  EFI_STATUS                      Status;
-  EFI_HII_HANDLE                  HiiHandle;
-  EFI_HANDLE                      DriverHandle;
-  EFI_HII_CONFIG_ACCESS_PROTOCOL  *ConfigAccess;
-  UINTN                           Index;
-  TPML_PCR_SELECTION              Pcrs;
-  CHAR16                          TempBuffer[1024];
-  TCG2_CONFIGURATION_INFO         Tcg2ConfigInfo;
-  TPM2_PTP_INTERFACE_TYPE         TpmDeviceInterfaceDetected;
-  BOOLEAN                         IsCmdImp = FALSE;
+  EFI_STATUS                       Status;
+  EFI_HII_HANDLE                   HiiHandle;
+  EFI_HANDLE                       DriverHandle;
+  EFI_HII_CONFIG_ACCESS_PROTOCOL   *ConfigAccess;
+  UINTN                            Index;
+  TPML_PCR_SELECTION               Pcrs;
+  CHAR16                           TempBuffer[1024];
+  TCG2_CONFIGURATION_INFO          Tcg2ConfigInfo;
+  TPM2_PTP_INTERFACE_TYPE          TpmDeviceInterfaceDetected;
+  BOOLEAN                          IsCmdImp;
+  EFI_TCG2_EVENT_ALGORITHM_BITMAP  Tcg2HashAlgorithmBitmap;
 
   DriverHandle = NULL;
   ConfigAccess = &PrivateData->ConfigAccess;
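Review bot: the whole declaration block of InstallTcg2ConfigForm is realigned and the "= FALSE" initializer on IsCmdImp is dropped, and the commit message mentions neither. Please call these out as cleanup in the commit message or split them off, so that the one functional line here (the new Tcg2HashAlgorithmBitmap local) is easy to pick out. The local is also spelled Tcg2HashAlgorithmBitmap while the SetConfigInfo parameter it feeds is Tcg2HashAlgBitmap; one spelling for both would read better.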
@@ -879,6 +897,8 @@ InstallTcg2ConfigForm (
       break;
   }
 
+  Tcg2HashAlgorithmBitmap = PcdGet32 (PcdTcg2HashAlgorithmBitmap);
+
   ZeroMem (&Tcg2ConfigInfo, sizeof (Tcg2ConfigInfo));
   Status = Tpm2GetCapabilityPcrs (&Pcrs);
   if (EFI_ERROR (Status)) {
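Review bot: the PcdTcg2HashAlgorithmBitmap value read here is only used to decide what the form offers; nothing in the visible lines revalidates a PCR bank selection that was saved before this change. The assert in SyncPcrAllocationsAndPcrMask described in the commit message sits in Tcg2Pei, which this patch does not touch, so please confirm whether a stale selection can still reach it, and if so consider a follow-up that handles that case in Tcg2Pei.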
@@ -897,20 +917,21 @@ InstallTcg2ConfigForm (
     TempBuffer[0] = 0;
     for (Index = 0; Index < Pcrs.count; Index++) {
       AppendBufferWithTpmAlgHash (TempBuffer, sizeof (TempBuffer), Pcrs.pcrSelections[Index].hash);
-      SetConfigInfo (&Tcg2ConfigInfo, Pcrs.pcrSelections[Index].hash);
+      SetConfigInfo (&Tcg2ConfigInfo, Pcrs.pcrSelections[Index].hash, Tcg2HashAlgorithmBitmap);
     }
 
     HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_TPM2_SUPPORTED_HASH_ALGO_CONTENT), TempBuffer, NULL);
   }
 
-  Status = Tpm2GetCapabilityIsCommandImplemented (TPM_CC_ChangeEPS, &IsCmdImp);
+  IsCmdImp = FALSE;
+  Status   = Tpm2GetCapabilityIsCommandImplemented (TPM_CC_ChangeEPS, &IsCmdImp);
   if (EFI_ERROR (Status)) {
     DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityIsCmdImpl fails %r\n", Status));
   }
 
   Tcg2ConfigInfo.ChangeEPSSupported = IsCmdImp;
 
-  FillBufferWithBootHashAlg (TempBuffer, sizeof (TempBuffer), PcdGet32 (PcdTcg2HashAlgorithmBitmap));
+  FillBufferWithBootHashAlg (TempBuffer, sizeof (TempBuffer), Tcg2HashAlgorithmBitmap);
   HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_BIOS_HASH_ALGO_CONTENT), TempBuffer, NULL);
 
   //
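Review bot: after the loop over Pcrs.pcrSelections there is no handling for the case where none of the TPM's banks has its bit set in Tcg2HashAlgorithmBitmap; every Sha1Supported/Sha256Supported/... flag then stays FALSE and nothing is logged. A DEBUG message when the intersection is empty would make that platform misconfiguration diagnosable. Separately, the "IsCmdImp = FALSE;" assignment added before Tpm2GetCapabilityIsCommandImplemented keeps the old behaviour on the error path, which is good; a short comment saying that the value is used even when the call fails would stop someone from removing it later.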
-- 
2.29.2.windows.2




* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Tcg2Config: Hide BIOS unsupported hash algorithm from UI
  2024-04-12  7:14 ` [edk2-devel] [PATCH v2 1/1] " Xu, Wei6
@ 2024-04-15 16:00   ` Yao, Jiewen
  0 siblings, 0 replies; 3+ messages in thread
From: Yao, Jiewen @ 2024-04-15 16:00 UTC (permalink / raw)
  To: Xu, Wei6, devel@edk2.groups.io; +Cc: Kumar, Rahul R

Merged https://github.com/tianocore/edk2/pull/5556

> -----Original Message-----
> From: Xu, Wei6 <wei6.xu@intel.com>
> Sent: Friday, April 12, 2024 3:15 PM
> To: devel@edk2.groups.io
> Cc: Xu, Wei6 <wei6.xu@intel.com>; Kumar, Rahul R <rahul.r.kumar@intel.com>;
> Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH v2 1/1] SecurityPkg/Tcg2Config: Hide BIOS unsupported hash
> algorithm from UI
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4731
> 
> TCG2 configuration UI shows all the hash algorithms that TPM hardware
> supports in the checkbox. If the user selects only one algorithm that is
> supported by TPM hardware but not supported by BIOS and unchecks the
> others, the SyncPcrAllocationsAndPcrMask in Tcg2Pei will not be able
> to decide a viable PCR to activate, then an assert occurs.
> 
> Add a check against PcdTcg2HashAlgorithmBitmap when deciding whether
> to suppress the hash algorithm checkbox, to keep the user from selecting
> the hash algorithm which may cause an assert.
> 
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
> Reviewed-by: Rahul Kumar <rahul1.kumar@intel.com>
> ---
>  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c | 61 ++++++++++++++-------
>  1 file changed, 41 insertions(+), 20 deletions(-)
> 
> diff --git a/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
> b/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
> index 6eb04c014448..aec7a903cf89 100644
> --- a/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
> +++ b/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
> @@ -722,33 +722,50 @@ FillBufferWithBootHashAlg (
>  }
> 
>  /**
> -  Set ConfigInfo according to TpmAlgHash.
> +  Set ConfigInfo according to TpmAlgHash and Tcg2HashAlgBitmap.
> 
>    @param[in,out] Tcg2ConfigInfo       TCG2 config info.
>    @param[in]     TpmAlgHash           TpmAlgHash.
> +  @param[in]     Tcg2HashAlgBitmap    TCG2 Hash Algorithm Bitmap.
> 
>  **/
>  VOID
>  SetConfigInfo (
>    IN OUT TCG2_CONFIGURATION_INFO  *Tcg2ConfigInfo,
> -  IN UINT32                       TpmAlgHash
> +  IN UINT32                       TpmAlgHash,
> +  IN UINT32                       Tcg2HashAlgBitmap
>    )
>  {
>    switch (TpmAlgHash) {
>      case TPM_ALG_SHA1:
> -      Tcg2ConfigInfo->Sha1Supported = TRUE;
> +      if ((Tcg2HashAlgBitmap & HASH_ALG_SHA1) != 0) {
> +        Tcg2ConfigInfo->Sha1Supported = TRUE;
> +      }
> +
>        break;
>      case TPM_ALG_SHA256:
> -      Tcg2ConfigInfo->Sha256Supported = TRUE;
> +      if ((Tcg2HashAlgBitmap & HASH_ALG_SHA256) != 0) {
> +        Tcg2ConfigInfo->Sha256Supported = TRUE;
> +      }
> +
>        break;
>      case TPM_ALG_SHA384:
> -      Tcg2ConfigInfo->Sha384Supported = TRUE;
> +      if ((Tcg2HashAlgBitmap & HASH_ALG_SHA384) != 0) {
> +        Tcg2ConfigInfo->Sha384Supported = TRUE;
> +      }
> +
>        break;
>      case TPM_ALG_SHA512:
> -      Tcg2ConfigInfo->Sha512Supported = TRUE;
> +      if ((Tcg2HashAlgBitmap & HASH_ALG_SHA512) != 0) {
> +        Tcg2ConfigInfo->Sha512Supported = TRUE;
> +      }
> +
>        break;
>      case TPM_ALG_SM3_256:
> -      Tcg2ConfigInfo->Sm3Supported = TRUE;
> +      if ((Tcg2HashAlgBitmap & HASH_ALG_SM3_256) != 0) {
> +        Tcg2ConfigInfo->Sm3Supported = TRUE;
> +      }
> +
>        break;
>    }
>  }
> @@ -809,16 +826,17 @@ InstallTcg2ConfigForm (
>    IN OUT TCG2_CONFIG_PRIVATE_DATA  *PrivateData
>    )
>  {
> -  EFI_STATUS                      Status;
> -  EFI_HII_HANDLE                  HiiHandle;
> -  EFI_HANDLE                      DriverHandle;
> -  EFI_HII_CONFIG_ACCESS_PROTOCOL  *ConfigAccess;
> -  UINTN                           Index;
> -  TPML_PCR_SELECTION              Pcrs;
> -  CHAR16                          TempBuffer[1024];
> -  TCG2_CONFIGURATION_INFO         Tcg2ConfigInfo;
> -  TPM2_PTP_INTERFACE_TYPE         TpmDeviceInterfaceDetected;
> -  BOOLEAN                         IsCmdImp = FALSE;
> +  EFI_STATUS                       Status;
> +  EFI_HII_HANDLE                   HiiHandle;
> +  EFI_HANDLE                       DriverHandle;
> +  EFI_HII_CONFIG_ACCESS_PROTOCOL   *ConfigAccess;
> +  UINTN                            Index;
> +  TPML_PCR_SELECTION               Pcrs;
> +  CHAR16                           TempBuffer[1024];
> +  TCG2_CONFIGURATION_INFO          Tcg2ConfigInfo;
> +  TPM2_PTP_INTERFACE_TYPE          TpmDeviceInterfaceDetected;
> +  BOOLEAN                          IsCmdImp;
> +  EFI_TCG2_EVENT_ALGORITHM_BITMAP  Tcg2HashAlgorithmBitmap;
> 
>    DriverHandle = NULL;
>    ConfigAccess = &PrivateData->ConfigAccess;
> @@ -879,6 +897,8 @@ InstallTcg2ConfigForm (
>        break;
>    }
> 
> +  Tcg2HashAlgorithmBitmap = PcdGet32 (PcdTcg2HashAlgorithmBitmap);
> +
>    ZeroMem (&Tcg2ConfigInfo, sizeof (Tcg2ConfigInfo));
>    Status = Tpm2GetCapabilityPcrs (&Pcrs);
>    if (EFI_ERROR (Status)) {
> @@ -897,20 +917,21 @@ InstallTcg2ConfigForm (
>      TempBuffer[0] = 0;
>      for (Index = 0; Index < Pcrs.count; Index++) {
>        AppendBufferWithTpmAlgHash (TempBuffer, sizeof (TempBuffer),
> Pcrs.pcrSelections[Index].hash);
> -      SetConfigInfo (&Tcg2ConfigInfo, Pcrs.pcrSelections[Index].hash);
> +      SetConfigInfo (&Tcg2ConfigInfo, Pcrs.pcrSelections[Index].hash,
> Tcg2HashAlgorithmBitmap);
>      }
> 
>      HiiSetString (PrivateData->HiiHandle, STRING_TOKEN
> (STR_TPM2_SUPPORTED_HASH_ALGO_CONTENT), TempBuffer, NULL);
>    }
> 
> -  Status = Tpm2GetCapabilityIsCommandImplemented (TPM_CC_ChangeEPS,
> &IsCmdImp);
> +  IsCmdImp = FALSE;
> +  Status   = Tpm2GetCapabilityIsCommandImplemented (TPM_CC_ChangeEPS,
> &IsCmdImp);
>    if (EFI_ERROR (Status)) {
>      DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityIsCmdImpl fails %r\n", Status));
>    }
> 
>    Tcg2ConfigInfo.ChangeEPSSupported = IsCmdImp;
> 
> -  FillBufferWithBootHashAlg (TempBuffer, sizeof (TempBuffer), PcdGet32
> (PcdTcg2HashAlgorithmBitmap));
> +  FillBufferWithBootHashAlg (TempBuffer, sizeof (TempBuffer),
> Tcg2HashAlgorithmBitmap);
>    HiiSetString (PrivateData->HiiHandle, STRING_TOKEN
> (STR_BIOS_HASH_ALGO_CONTENT), TempBuffer, NULL);
> 
>    //
> --
> 2.29.2.windows.2


