<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"> <style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style> </head> <body dir="ltr"> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> Hi Jiewen,</div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <br> </div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <span style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); display: inline !important;">In the past most of the TPM devices supported SHA1 and SHA256 hashing algorithms, which we have also supported in BIOS for many years.</span></div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> What recently changed is the exposure to new TPM devices which support additional hashing algorithms (SHA384 and SM3) and will have such PCR banks active by default, but which are not supported by some BIOS implementations.</div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <br> </div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <span style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); display: inline !important;">With the following example configuration, I will illustrate how we would hit the problematic condition I just described:</span></div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <ul> <ul> <li style=""><span><span style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); display: inline !important;">Using a TPM device supporting SM3 hashing algorithm and with the corresponding PCR bank active by default.</span></span></li></ul> </ul> </div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <blockquote style="margin-top:0;margin-bottom:0"><span style="margin: 0px; color: rgb(0, 0, 0);">HashLib library classes instances registered for <span style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); display: inline !important;"><b>Tcg2Config</b>, </span><b>Tcg2Pei </b>and <b>Tcg2Dxe </b>modules:</span></blockquote> <div style="margin: 0px; color: rgb(0, 0, 0);"> <ul> <ul> <li>SecurityPkg/Library/HashInstanceLibSha1/<b>HashInstanceLibSha1</b>.inf<br> </li><li style="margin: 0px; color: rgb(0, 0, 0);"><span style="margin:0px">SecurityPkg/Library/HashInstanceLibSha256/<b>HashInstanceLibSha256</b>.inf</span></li><li style="margin: 0px; color: rgb(0, 0, 0);"><span style="margin:0px"><span style="margin:0px">SecurityPkg/Library/HashInstanceLibSha256/<b>HashInstanceLibSha384</b>.inf</span><br> </span></li></ul> </ul> </div> </div> <blockquote style="margin-top:0;margin-bottom:0"> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> PCD Configuration:</div> </blockquote> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <ul> <ul> <li>gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0xFFFFFFFF</li><li>gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|<b>0x0000001F</b></li></ul> </ul> </div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <div>The current implementation of <i>SyncPcrAllocationsAndPcrMask</i>() triggers PCR bank reallocation <b>only based on the </b><span style="background-color: rgb(255, 128, 0);"><b>intersection between </b></span><span style="background-color: rgb(255, 128, 0);"><b><i>TpmActivePcrBanks </i></b></span><span style="background-color: rgb(255, 128, 0);"><b>and </b></span><span style="background-color: rgb(255, 128, 0);"><b><i>PcdTpm2HashMask</i></b></span>.</div> <div>When the software <i>HashLibBaseCryptoRouter </i>solution is used, no PCR bank reallocation is occurring based on the supported hashing algorithms registered by the present HashLib instances:</div> <div> <blockquote itemscope="" itemtype="https://schemas.microsoft.com/QuotedText" style="border-left: 3px solid rgb(200, 200, 200); border-top-color: rgb(200, 200, 200); border-right-color: rgb(200, 200, 200); border-bottom-color: rgb(200, 200, 200); padding-left: 1ex; margin-left: 0.8ex;"> <span style="font-family: Consolas, Courier, monospace; font-size: 10pt;">SyncPcrAllocationsAndPcrMask!</span> <div><span style="font-family: Consolas, Courier, monospace; font-size: 10pt;">Supported PCRs - Count = 00000003</span></div> <div><span style="font-family: Consolas, Courier, monospace; font-size: 10pt;">GetSupportedAndActivePcrs - Count = 00000002</span></div> <span style="font-family: Consolas, Courier, monospace; font-size: 10pt;">SyncPcrAllocationsAndPcrMask - Updating PcdTpm2HashMask from 0x1F to 0x13.</span><br> </blockquote> </div> <span></span>You can see no reallocation is triggered; the<span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;"> unsupported PCR banks are left active and no extend operations occur on them, thus leaving them uncapped.</span></div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <br> </div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> With the proposed patch set we are fixing two issues:</div> <blockquote itemscope="" itemtype="https://schemas.microsoft.com/QuotedText" style="border-left: 3px solid rgb(200, 200, 200); border-top-color: rgb(200, 200, 200); border-right-color: rgb(200, 200, 200); border-bottom-color: rgb(200, 200, 200); padding-left: 1ex; margin-left: 0.8ex;"> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> a) An <b>additional check for the intersection between the </b><span style="background-color: rgb(255, 255, 0);"><b><i>TpmActivePcrBanks </i></b></span><span style="background-color: rgb(255, 255, 0);"><b>and the </b></span><span style="background-color: rgb(255, 255, 0);"><b><i>PcdTcg2HashAlgorithmBitmap</i></b></span><span style="background-color: rgb(255, 255, 0);"><b><i> </i></b></span><b>populated by the BIOS' HashLib instances</b> at runtime.</div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> b) RegisterHashInterfaceLib correctly handles registering the HashLib instance supported algorithm bitmap when <i>PcdTpm2HashMask </i>is set to zero.</div> </blockquote> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> This is the BIOS behavior with the proposed patch:</div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <blockquote itemscope="" itemtype="https://schemas.microsoft.com/QuotedText" style="border-left: 3px solid rgb(200, 200, 200); border-top-color: rgb(200, 200, 200); border-right-color: rgb(200, 200, 200); border-bottom-color: rgb(200, 200, 200); padding-left: 1ex; margin-left: 0.8ex;"> <span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">SyncPcrAllocationsAndPcrMask!</span> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">Supported PCRs - Count = 00000003</span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">GetSupportedAndActivePcrs - Count = 00000003</span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">Tpm2GetCapabilitySupportedAndActivePcrs - TpmHashAlgorithmBitmap: 0x00000013</span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">Tpm2GetCapabilitySupportedAndActivePcrs - TpmActivePcrBanks 0x00000013</span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">TpmHashAlgorithmBitmap: 0x00000013</span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">Tpm2PcrMask 0x0000001F</span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace; background-color: rgb(255, 128, 0);">TpmActivePcrBanks & Tpm2PcrMask = 0x00000013</span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace; background-color: rgb(255, 255, 0);"><b>TpmActivePcrBanks & BiosHashAlgorithmBitmap = 0x00000003</b></span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace; background-color: rgb(0, 255, 0);"><b>NewTpmActivePcrBanks 0x00000003</b></span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">SyncPcrAllocationsAndPcrMask - Reallocating PCR banks from 0x13 to 0x3.</span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">Tpm2PcrAllocateBanks (TpmHashAlgorithmBitmap: 0x00000013, NewTpmActivePcrBanks: 0x00000003)</span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">Tpm2PcrAllocateBanks call Tpm2PcrAllocate - Success</span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">AllocationSuccess - 01</span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">MaxPCR - 00000018</span></div> <div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">SizeNeeded - 000004E0</span></div> <span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">SizeAvailable - 00000C60</span><br> </blockquote> </div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> After the PCR reallocation is triggered, the TPM active PCRs are a strict subset of the hashing algorithms supported by BIOS.</div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <br> </div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> Please let me know if you need any questions regarding the solution or need any further clarification on the problem statement.</div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <br> </div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> Regards,</div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> -Rodrigo</div> <div id="appendonsend"></div> <hr style="display:inline-block;width:98%" tabindex="-1"> <div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Yao, Jiewen <jiewen.yao@intel.com><br> <b>Sent:</b> Tuesday, August 10, 2021 10:36 PM<br> <b>To:</b> Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>; devel@edk2.groups.io <devel@edk2.groups.io><br> <b>Cc:</b> Wang, Jian J <jian.j.wang@intel.com><br> <b>Subject:</b> RE: [PATCH] Reallocate TPM Active PCRs based on platform support.</font> <div> </div> </div> <style>  </style> <div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word"> <div class="x_WordSection1"> <p class="x_MsoNormal">OK, Would you please to share the PCD configuration works before and PCD configuration fails now? As well as your DSC file on how to configure the library.</p> <p class="x_MsoNormal"> </p> <p class="x_MsoNormal">I would like to understand the problem statement from real use case, because the issue description cannot provide useful information to me.</p> <p class="x_MsoNormal"> </p> <div style="border:none; border-left:solid blue 1.5pt; padding:0in 0in 0in 4.0pt"> <div> <div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in"> <p class="x_MsoNormal"><b>From:</b> Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com> <br> <b>Sent:</b> Tuesday, August 10, 2021 2:27 PM<br> <b>To:</b> Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io<br> <b>Cc:</b> Wang, Jian J <jian.j.wang@intel.com><br> <b>Subject:</b> Re: [PATCH] Reallocate TPM Active PCRs based on platform support.</p> </div> </div> <p class="x_MsoNormal"> </p> <div> <p class="x_MsoNormal" style="background:white"><span style="font-size:12.0pt; color:black">Hi Jiewen,</span></p> </div> <div> <p class="x_MsoNormal" style="background:white"><span style="font-size:12.0pt; color:black"> </span></p> </div> <div> <p class="x_MsoNormal" style="background:white"><span style="font-size:12.0pt; color:black">Indeed, this bug has existed for a long time in this code. What recently changed are the TPM configurations we are testing and exposed the issue; this can be reproduced when the <b>BIOS supported algorithms are a strict subset of the PCRs currently active in the TPM</b>.</span></p> </div> <div> <p class="x_MsoNormal" style="background:white"><span style="font-size:12.0pt; color:black"> </span></p> </div> <div> <p class="x_MsoNormal" style="background:white"><span style="font-size:12.0pt; color:black">Now that we are using TPM configurations with support for additional PCR banks (ex. SHA384 and SM3) the bug has been exposed when compiling a BIOS without support for these PCR banks which are active by default in the some of the TPMs.</span></p> </div> <div> <p class="x_MsoNormal"> </p> </div> <div> <p class="x_MsoNormal" style="background:white"><span style="font-size:12.0pt; color:black">Regards,</span></p> </div> <div> <p class="x_MsoNormal" style="background:white"><span style="font-size:12.0pt; color:black">-Rodrigo</span></p> </div> <div> <p class="x_MsoNormal" style="background:white"><span style="font-size:12.0pt; color:black"> </span></p> </div> <div class="x_MsoNormal" align="center" style="text-align:center"> <hr size="2" width="98%" align="center"> </div> <div id="x_divRplyFwdMsg"> <p class="x_MsoNormal"><b><span style="color:black">From:</span></b><span style="color:black"> Yao, Jiewen <</span><a href="mailto:jiewen.yao@intel.com">jiewen.yao@intel.com</a><span style="color:black">><br> <b>Sent:</b> Sunday, August 8, 2021 6:13 PM<br> <b>To:</b> Gonzalez Del Cueto, Rodrigo <</span><a href="mailto:rodrigo.gonzalez.del.cueto@intel.com">rodrigo.gonzalez.del.cueto@intel.com</a><span style="color:black">>; </span><a href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a><span style="color:black"> <</span><a href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a><span style="color:black">><br> <b>Cc:</b> Wang, Jian J <</span><a href="mailto:jian.j.wang@intel.com">jian.j.wang@intel.com</a><span style="color:black">><br> <b>Subject:</b> RE: [PATCH] Reallocate TPM Active PCRs based on platform support.</span> </p> <div> <p class="x_MsoNormal"> </p> </div> </div> <div> <div> <p class="x_MsoNormal" style="margin-bottom:12.0pt">Hi Rodrigo<br> I don�t understand the problem statement.<br> <br> This code has been there for long time. What is changed recently ?<br> <br> Thank you<br> Yao Jiewen<br> <br> <br> > -----Original Message-----<br> > From: Gonzalez Del Cueto, Rodrigo <<a href="mailto:rodrigo.gonzalez.del.cueto@intel.com">rodrigo.gonzalez.del.cueto@intel.com</a>><br> > Sent: Thursday, August 5, 2021 7:28 AM<br> > To: <a href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a><br> > Cc: Gonzalez Del Cueto, Rodrigo <<a href="mailto:rodrigo.gonzalez.del.cueto@intel.com">rodrigo.gonzalez.del.cueto@intel.com</a>>;<br> > Wang, Jian J <<a href="mailto:jian.j.wang@intel.com">jian.j.wang@intel.com</a>>; Yao, Jiewen <<a href="mailto:jiewen.yao@intel.com">jiewen.yao@intel.com</a>><br> > Subject: [PATCH] Reallocate TPM Active PCRs based on platform support.<br> > <br> > REF: <a href="https://bugzilla.tianocore.org/show_bug.cgi?id=3515">https://bugzilla.tianocore.org/show_bug.cgi?id=3515</a><br> > <br> > In V2: Add case to RegisterHashInterfaceLib logic<br> > <br> > RegisterHashInterfaceLib needs to correctly handle registering the HashLib<br> > instance supported algorithm bitmap when PcdTpm2HashMask is set to zero.<br> > <br> > The current implementation of SyncPcrAllocationsAndPcrMask() triggers<br> > PCR bank reallocation only based on the intersection between<br> > TpmActivePcrBanks and PcdTpm2HashMask.<br> > <br> > When the software HashLibBaseCryptoRouter solution is used, no PCR bank<br> > reallocation is occurring based on the supported hashing algorithms<br> > registered by the HashLib instances.<br> > <br> > Need to have an additional check for the intersection between the<br> > TpmActivePcrBanks and the PcdTcg2HashAlgorithmBitmap populated by the<br> > HashLib instances present on the platform's BIOS.<br> > <br> > Signed-off-by: Rodrigo Gonzalez del Cueto<br> > <<a href="mailto:rodrigo.gonzalez.del.cueto@intel.com">rodrigo.gonzalez.del.cueto@intel.com</a>><br> > <br> > Cc: Jian J Wang <<a href="mailto:jian.j.wang@intel.com">jian.j.wang@intel.com</a>><br> > Cc: Jiewen Yao <<a href="mailto:jiewen.yao@intel.com">jiewen.yao@intel.com</a>><br> > ---<br> > SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c<br> > | 6 +++++-<br> > SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c |<br> > 6 +++++-<br> > SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 18<br> > +++++++++++++++++-<br> > SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 +<br> > 4 files changed, 28 insertions(+), 3 deletions(-)<br> > <br> > diff --git<br> > a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.<br> > c<br> > b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.<br> > c<br> > index 7a0f61efbb..0821159120 100644<br> > ---<br> > a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.<br> > c<br> > +++<br> > b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.<br> > c<br> > @@ -230,13 +230,17 @@ RegisterHashInterfaceLib (<br> > {<br> > UINTN Index;<br> > UINT32 HashMask;<br> > + UINT32 Tpm2HashMask;<br> > EFI_STATUS Status;<br> > <br> > //<br> > // Check allow<br> > //<br> > HashMask = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);<br> > - if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {<br> > + Tpm2HashMask = PcdGet32 (PcdTpm2HashMask);<br> > +<br> > + if ((Tpm2HashMask != 0) &&<br> > + ((HashMask & Tpm2HashMask) == 0)) {<br> > return EFI_UNSUPPORTED;<br> > }<br> > <br> > diff --git<br> > a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c<br> > b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c<br> > index 42cb562f67..6ae51dbce4 100644<br> > ---<br> > a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c<br> > +++<br> > b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c<br> > @@ -327,13 +327,17 @@ RegisterHashInterfaceLib (<br> > UINTN Index;<br> > HASH_INTERFACE_HOB *HashInterfaceHob;<br> > UINT32 HashMask;<br> > + UINT32 Tpm2HashMask;<br> > EFI_STATUS Status;<br> > <br> > //<br> > // Check allow<br> > //<br> > HashMask = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);<br> > - if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {<br> > + Tpm2HashMask = PcdGet32 (PcdTpm2HashMask);<br> > +<br> > + if ((Tpm2HashMask != 0) &&<br> > + ((HashMask & Tpm2HashMask) == 0)) {<br> > return EFI_UNSUPPORTED;<br> > }<br> > <br> > diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c<br> > b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c<br> > index 93a8803ff6..5ad6a45cf3 100644<br> > --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c<br> > +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c<br> > @@ -262,6 +262,7 @@ SyncPcrAllocationsAndPcrMask (<br> > {<br> > EFI_STATUS Status;<br> > EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap;<br> > + EFI_TCG2_EVENT_ALGORITHM_BITMAP BiosHashAlgorithmBitmap;<br> > UINT32 TpmActivePcrBanks;<br> > UINT32 NewTpmActivePcrBanks;<br> > UINT32 Tpm2PcrMask;<br> > @@ -273,16 +274,27 @@ SyncPcrAllocationsAndPcrMask (<br> > // Determine the current TPM support and the Platform PCR mask.<br> > //<br> > Status = Tpm2GetCapabilitySupportedAndActivePcrs<br> > (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);<br> > +<br> > ASSERT_EFI_ERROR (Status);<br> > +<br> > + DEBUG ((EFI_D_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs -<br> > TpmHashAlgorithmBitmap: 0x%08x\n", TpmHashAlgorithmBitmap));<br> > + DEBUG ((EFI_D_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs -<br> > TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks));<br> > <br> > Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask);<br> > if (Tpm2PcrMask == 0) {<br> > //<br> > // if PcdTPm2HashMask is zero, use ActivePcr setting<br> > //<br> > + DEBUG ((EFI_D_VERBOSE, "Initializing PcdTpm2HashMask to<br> > TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks));<br> > PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);<br> > + DEBUG ((EFI_D_VERBOSE, "Initializing Tpm2PcrMask to TpmActivePcrBanks<br> > 0x%08x\n", Tpm2PcrMask));<br> > Tpm2PcrMask = TpmActivePcrBanks;<br> > }<br> > +<br> > + BiosHashAlgorithmBitmap = PcdGet32 (PcdTcg2HashAlgorithmBitmap);<br> > + DEBUG ((EFI_D_INFO, "PcdTcg2HashAlgorithmBitmap 0x%08x\n",<br> > BiosHashAlgorithmBitmap));<br> > + DEBUG ((EFI_D_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask)); // Active<br> > PCR banks from TPM input<br> > + DEBUG ((EFI_D_INFO, "TpmActivePcrBanks & BiosHashAlgorithmBitmap =<br> > 0x%08x\n", NewTpmActivePcrBanks));<br> > <br> > //<br> > // Find the intersection of Pcd support and TPM support.<br> > @@ -294,9 +306,12 @@ SyncPcrAllocationsAndPcrMask (<br> > // If there are active PCR banks that are not supported by the Platform mask,<br> > // update the TPM allocations and reboot the machine.<br> > //<br> > - if ((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) {<br> > + if (((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) ||<br> > + ((TpmActivePcrBanks & BiosHashAlgorithmBitmap) != TpmActivePcrBanks)) {<br> > NewTpmActivePcrBanks = TpmActivePcrBanks & Tpm2PcrMask;<br> > + NewTpmActivePcrBanks &= BiosHashAlgorithmBitmap;<br> > <br> > + DEBUG ((EFI_D_INFO, "NewTpmActivePcrBanks 0x%08x\n",<br> > NewTpmActivePcrBanks));<br> > DEBUG ((EFI_D_INFO, "%a - Reallocating PCR banks from 0x%X to 0x%X.\n",<br> > __FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks));<br> > if (NewTpmActivePcrBanks == 0) {<br> > DEBUG ((EFI_D_ERROR, "%a - No viable PCRs active! Please set a less<br> > restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));<br> > @@ -331,6 +346,7 @@ SyncPcrAllocationsAndPcrMask (<br> > }<br> > <br> > Status = PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask);<br> > + DEBUG ((EFI_D_INFO, "Setting PcdTpm2Hash Mask to 0x%08x\n",<br> > NewTpm2PcrMask));<br> > ASSERT_EFI_ERROR (Status);<br> > }<br> > }<br> > diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf<br> > b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf<br> > index 06c26a2904..17ad116126 100644<br> > --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf<br> > +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf<br> > @@ -86,6 +86,7 @@<br> > ## SOMETIMES_CONSUMES<br> > ## SOMETIMES_PRODUCES<br> > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask<br> > + gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap ##<br> > CONSUMES<br> > <br> > [Depex]<br> > gEfiPeiMasterBootModePpiGuid AND<br> > --<br> > 2.31.1.windows.1</p> </div> </div> </div> </div> </div> </body> </html> <div width="1" style="color:white;clear:both">_._,_._,_</div> <hr> Groups.io Links:<p> You receive all messages sent to this group. <p> <a target="_blank" href="https://edk2.groups.io/g/devel/message/82950">View/Reply Online (#82950)</a> | | <a target="_blank" href="https://groups.io/mt/84674454/1813853">Mute This Topic</a> | <a href="https://edk2.groups.io/g/devel/post">New Topic</a><br> <a href="https://edk2.groups.io/g/devel/editsub/1813853">Your Subscription</a> | <a href="mailto:devel+owner@edk2.groups.io">Contact Group Owner</a> | <a href="https://edk2.groups.io/g/devel/unsub">Unsubscribe</a> [edk2-devel-archive@redhat.com]<br> <div width="1" style="color:white;clear:both">_._,_._,_</div>