[edk2-devel] [PATCH v1 1/1] SecurityPkg : Sync PcdTpm2HashMask to the active PCR banks in the TPM

Snehal Kangralkar snehal.kangralkar at intel.com
Fri Jul 1 17:42:13 UTC 2022


REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3923
According to the definition of PcdTpm2HashMask, the mask reflects the PCR
banks which need to be extended.
In the Tcg2Pei SyncPcrAllocationsAndPcrMask function, we are setting
PcdTpm2HashMask to match the active PCR banks, but this will only occur
if the mask was originally set to 0.
Always sync the PcdTpm2HashMask to the active PCR banks in the TPM.
Only then do we see that the computed hashes are limited to those PCRs
which are active.

Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Qi Zhang <qi1.zhang at intel.com>
Signed-off-by: Snehal Kangralkar <snehal.kangralkar at intel.com>
---
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index 26bb5282a58b..a77d8c0a083c 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -279,15 +279,10 @@ SyncPcrAllocationsAndPcrMask (
   DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks));
 
   Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask);
-  if (Tpm2PcrMask == 0) {
-    //
-    // If PcdTpm2HashMask is zero, use ActivePcr setting.
-    // Only when PcdTpm2HashMask is initialized to 0, will it be updated to current Active Pcrs.
-    //
-    PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);
-    Tpm2PcrMask = TpmActivePcrBanks;
-  }
 
+  // Sync the PcdTpm2HashMask to the active PCR banks.
+  PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);
+  Tpm2PcrMask = TpmActivePcrBanks;
   DEBUG ((DEBUG_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask));
 
   //
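Review bot: the retained read "Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask);" is now dead, because Tpm2PcrMask is unconditionally overwritten by "Tpm2PcrMask = TpmActivePcrBanks;" three lines later. Either drop the read, or keep it and log the previous value before overwriting it, so that a platform that configured a non-zero PcdTpm2HashMask can see in the debug output that its setting was replaced; as written, the only DEBUG line prints the mask after the overwrite. The return status of PcdSet32S is also not checked in the added lines, so a failed set would leave the PCD and the local Tpm2PcrMask disagreeing without any indication. A smaller style point: the new single-line comment does not follow the blank "//" lines above and below that the removed comment block used.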
-- 
2.36.1.windows.1


