<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Hi Jiewen,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Indeed, this bug has existed for a long time in this code. What recently changed are the TPM configurations we are testing and exposed the issue; this can be reproduced when the
<b>BIOS supported algorithms are a strict </b><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;"><b>subset of the PCRs currently active in the TPM</b>.</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">Now that we are using TPM configurations with support for additional PCR banks (ex. SHA384 and SM3) the bug has been exposed when compiling a BIOS without support for these PCR
banks which are active by default in the some of the TPMs.</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;"></span></div>
<div><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">Regards,</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">-Rodrigo</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Yao, Jiewen <jiewen.yao@intel.com><br>
<b>Sent:</b> Sunday, August 8, 2021 6:13 PM<br>
<b>To:</b> Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>; devel@edk2.groups.io <devel@edk2.groups.io><br>
<b>Cc:</b> Wang, Jian J <jian.j.wang@intel.com><br>
<b>Subject:</b> RE: [PATCH] Reallocate TPM Active PCRs based on platform support.</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">Hi Rodrigo<br>
I don’t understand the problem statement.<br>
<br>
This code has been there for long time. What is changed recently ?<br>
<br>
Thank you<br>
Yao Jiewen<br>
<br>
<br>
> -----Original Message-----<br>
> From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com><br>
> Sent: Thursday, August 5, 2021 7:28 AM<br>
> To: devel@edk2.groups.io<br>
> Cc: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>;<br>
> Wang, Jian J <jian.j.wang@intel.com>; Yao, Jiewen <jiewen.yao@intel.com><br>
> Subject: [PATCH] Reallocate TPM Active PCRs based on platform support.<br>
> <br>
> REF: <a href="https://bugzilla.tianocore.org/show_bug.cgi?id=3515">https://bugzilla.tianocore.org/show_bug.cgi?id=3515</a><br>
> <br>
> In V2: Add case to RegisterHashInterfaceLib logic<br>
> <br>
> RegisterHashInterfaceLib needs to correctly handle registering the HashLib<br>
> instance supported algorithm bitmap when PcdTpm2HashMask is set to zero.<br>
> <br>
> The current implementation of SyncPcrAllocationsAndPcrMask() triggers<br>
> PCR bank reallocation only based on the intersection between<br>
> TpmActivePcrBanks and PcdTpm2HashMask.<br>
> <br>
> When the software HashLibBaseCryptoRouter solution is used, no PCR bank<br>
> reallocation is occurring based on the supported hashing algorithms<br>
> registered by the HashLib instances.<br>
> <br>
> Need to have an additional check for the intersection between the<br>
> TpmActivePcrBanks and the PcdTcg2HashAlgorithmBitmap populated by the<br>
> HashLib instances present on the platform's BIOS.<br>
> <br>
> Signed-off-by: Rodrigo Gonzalez del Cueto<br>
> <rodrigo.gonzalez.del.cueto@intel.com><br>
> <br>
> Cc: Jian J Wang <jian.j.wang@intel.com><br>
> Cc: Jiewen Yao <jiewen.yao@intel.com><br>
> ---<br>
> SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c<br>
> | 6 +++++-<br>
> SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c |<br>
> 6 +++++-<br>
> SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 18<br>
> +++++++++++++++++-<br>
> SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 +<br>
> 4 files changed, 28 insertions(+), 3 deletions(-)<br>
> <br>
> diff --git<br>
> a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.<br>
> c<br>
> b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.<br>
> c<br>
> index 7a0f61efbb..0821159120 100644<br>
> ---<br>
> a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.<br>
> c<br>
> +++<br>
> b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.<br>
> c<br>
> @@ -230,13 +230,17 @@ RegisterHashInterfaceLib (<br>
> {<br>
> UINTN Index;<br>
> UINT32 HashMask;<br>
> + UINT32 Tpm2HashMask;<br>
> EFI_STATUS Status;<br>
> <br>
> //<br>
> // Check allow<br>
> //<br>
> HashMask = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);<br>
> - if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {<br>
> + Tpm2HashMask = PcdGet32 (PcdTpm2HashMask);<br>
> +<br>
> + if ((Tpm2HashMask != 0) &&<br>
> + ((HashMask & Tpm2HashMask) == 0)) {<br>
> return EFI_UNSUPPORTED;<br>
> }<br>
> <br>
> diff --git<br>
> a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c<br>
> b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c<br>
> index 42cb562f67..6ae51dbce4 100644<br>
> ---<br>
> a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c<br>
> +++<br>
> b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c<br>
> @@ -327,13 +327,17 @@ RegisterHashInterfaceLib (<br>
> UINTN Index;<br>
> HASH_INTERFACE_HOB *HashInterfaceHob;<br>
> UINT32 HashMask;<br>
> + UINT32 Tpm2HashMask;<br>
> EFI_STATUS Status;<br>
> <br>
> //<br>
> // Check allow<br>
> //<br>
> HashMask = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);<br>
> - if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {<br>
> + Tpm2HashMask = PcdGet32 (PcdTpm2HashMask);<br>
> +<br>
> + if ((Tpm2HashMask != 0) &&<br>
> + ((HashMask & Tpm2HashMask) == 0)) {<br>
> return EFI_UNSUPPORTED;<br>
> }<br>
> <br>
> diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c<br>
> b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c<br>
> index 93a8803ff6..5ad6a45cf3 100644<br>
> --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c<br>
> +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c<br>
> @@ -262,6 +262,7 @@ SyncPcrAllocationsAndPcrMask (<br>
> {<br>
> EFI_STATUS Status;<br>
> EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap;<br>
> + EFI_TCG2_EVENT_ALGORITHM_BITMAP BiosHashAlgorithmBitmap;<br>
> UINT32 TpmActivePcrBanks;<br>
> UINT32 NewTpmActivePcrBanks;<br>
> UINT32 Tpm2PcrMask;<br>
> @@ -273,16 +274,27 @@ SyncPcrAllocationsAndPcrMask (<br>
> // Determine the current TPM support and the Platform PCR mask.<br>
> //<br>
> Status = Tpm2GetCapabilitySupportedAndActivePcrs<br>
> (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);<br>
> +<br>
> ASSERT_EFI_ERROR (Status);<br>
> +<br>
> + DEBUG ((EFI_D_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs -<br>
> TpmHashAlgorithmBitmap: 0x%08x\n", TpmHashAlgorithmBitmap));<br>
> + DEBUG ((EFI_D_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs -<br>
> TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks));<br>
> <br>
> Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask);<br>
> if (Tpm2PcrMask == 0) {<br>
> //<br>
> // if PcdTPm2HashMask is zero, use ActivePcr setting<br>
> //<br>
> + DEBUG ((EFI_D_VERBOSE, "Initializing PcdTpm2HashMask to<br>
> TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks));<br>
> PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);<br>
> + DEBUG ((EFI_D_VERBOSE, "Initializing Tpm2PcrMask to TpmActivePcrBanks<br>
> 0x%08x\n", Tpm2PcrMask));<br>
> Tpm2PcrMask = TpmActivePcrBanks;<br>
> }<br>
> +<br>
> + BiosHashAlgorithmBitmap = PcdGet32 (PcdTcg2HashAlgorithmBitmap);<br>
> + DEBUG ((EFI_D_INFO, "PcdTcg2HashAlgorithmBitmap 0x%08x\n",<br>
> BiosHashAlgorithmBitmap));<br>
> + DEBUG ((EFI_D_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask)); // Active<br>
> PCR banks from TPM input<br>
> + DEBUG ((EFI_D_INFO, "TpmActivePcrBanks & BiosHashAlgorithmBitmap =<br>
> 0x%08x\n", NewTpmActivePcrBanks));<br>
> <br>
> //<br>
> // Find the intersection of Pcd support and TPM support.<br>
> @@ -294,9 +306,12 @@ SyncPcrAllocationsAndPcrMask (<br>
> // If there are active PCR banks that are not supported by the Platform mask,<br>
> // update the TPM allocations and reboot the machine.<br>
> //<br>
> - if ((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) {<br>
> + if (((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) ||<br>
> + ((TpmActivePcrBanks & BiosHashAlgorithmBitmap) != TpmActivePcrBanks)) {<br>
> NewTpmActivePcrBanks = TpmActivePcrBanks & Tpm2PcrMask;<br>
> + NewTpmActivePcrBanks &= BiosHashAlgorithmBitmap;<br>
> <br>
> + DEBUG ((EFI_D_INFO, "NewTpmActivePcrBanks 0x%08x\n",<br>
> NewTpmActivePcrBanks));<br>
> DEBUG ((EFI_D_INFO, "%a - Reallocating PCR banks from 0x%X to 0x%X.\n",<br>
> __FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks));<br>
> if (NewTpmActivePcrBanks == 0) {<br>
> DEBUG ((EFI_D_ERROR, "%a - No viable PCRs active! Please set a less<br>
> restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));<br>
> @@ -331,6 +346,7 @@ SyncPcrAllocationsAndPcrMask (<br>
> }<br>
> <br>
> Status = PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask);<br>
> + DEBUG ((EFI_D_INFO, "Setting PcdTpm2Hash Mask to 0x%08x\n",<br>
> NewTpm2PcrMask));<br>
> ASSERT_EFI_ERROR (Status);<br>
> }<br>
> }<br>
> diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf<br>
> b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf<br>
> index 06c26a2904..17ad116126 100644<br>
> --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf<br>
> +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf<br>
> @@ -86,6 +86,7 @@<br>
> ## SOMETIMES_CONSUMES<br>
> ## SOMETIMES_PRODUCES<br>
> gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask<br>
> + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap ##<br>
> CONSUMES<br>
> <br>
> [Depex]<br>
> gEfiPeiMasterBootModePpiGuid AND<br>
> --<br>
> 2.31.1.windows.1<br>
<br>
</div>
</span></font></div>
</body>
</html>
<div width="1" style="color:white;clear:both">_._,_._,_</div> <hr> Groups.io Links:<p> You receive all messages sent to this group. <p> <a target="_blank" href="https://edk2.groups.io/g/devel/message/79019">View/Reply Online (#79019)</a> | | <a target="_blank" href="https://groups.io/mt/84674454/1813853">Mute This Topic</a> | <a href="https://edk2.groups.io/g/devel/post">New Topic</a><br> <a href="https://edk2.groups.io/g/devel/editsub/1813853">Your Subscription</a> | <a href="mailto:devel+owner@edk2.groups.io">Contact Group Owner</a> | <a href="https://edk2.groups.io/g/devel/unsub">Unsubscribe</a> [edk2-devel-archive@redhat.com]<br> <div width="1" style="color:white;clear:both">_._,_._,_</div>