SecurityPkg/TPM2: Sync PcrAllocations and PcrMask

The current TCG2 implementation sets the Tpm2HashMask PCD value according to the
TPM2 PCR bank. However, there might be a misconfiguration in the BIOS build phase.
The enhanced logic makes sure that the current PCR allocations, the TPM
supported PCRs, and the PcdTpm2HashMask are all in agreement.

Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Jiewen Yao 2016-09-14 16:54:50 +08:00 committed by Star Zeng
parent 07cdba18cd
commit 5919a9600e
3 changed files with 69 additions and 46 deletions


@ -74,6 +74,7 @@
TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf
TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf
OpalPasswordSupportLib|SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.inf OpalPasswordSupportLib|SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.inf
ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSystemLibNull.inf
[LibraryClasses.common.PEIM] [LibraryClasses.common.PEIM]
PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf


@ -41,6 +41,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Library/PerformanceLib.h> #include <Library/PerformanceLib.h>
#include <Library/MemoryAllocationLib.h> #include <Library/MemoryAllocationLib.h>
#include <Library/ReportStatusCodeLib.h> #include <Library/ReportStatusCodeLib.h>
#include <Library/ResetSystemLib.h>
#include <Library/Tcg2PhysicalPresenceLib.h> #include <Library/Tcg2PhysicalPresenceLib.h>
#define PERF_ID_TCG2_PEI 0x3080 #define PERF_ID_TCG2_PEI 0x3080
@ -190,60 +191,80 @@ EndofPeiSignalNotifyCallBack (
} }
/** /**
Set Tpm2HashMask PCD value according to TPM2 PCR bank. Make sure that the current PCR allocations, the TPM supported PCRs,
and the PcdTpm2HashMask are all in agreement.
**/ **/
VOID VOID
SetTpm2HashMask ( SyncPcrAllocationsAndPcrMask (
VOID VOID
) )
{ {
EFI_STATUS Status; EFI_STATUS Status;
UINT32 ActivePcrBanks; EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap;
TPML_PCR_SELECTION Pcrs; UINT32 TpmActivePcrBanks;
UINTN Index; UINT32 NewTpmActivePcrBanks;
UINT32 Tpm2PcrMask;
UINT32 NewTpm2PcrMask;
DEBUG ((EFI_D_ERROR, "SetTpm2HashMask!\n")); DEBUG ((EFI_D_ERROR, "SyncPcrAllocationsAndPcrMask!\n"));
Status = Tpm2GetCapabilityPcrs (&Pcrs); //
if (EFI_ERROR (Status)) { // Determine the current TPM support and the Platform PCR mask.
DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); //
ActivePcrBanks = EFI_TCG2_BOOT_HASH_ALG_SHA1; Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);
} else { ASSERT_EFI_ERROR (Status);
DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityPcrs Count - %08x\n", Pcrs.count));
ActivePcrBanks = 0; Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask);
for (Index = 0; Index < Pcrs.count; Index++) {
DEBUG ((EFI_D_INFO, "hash - %x\n", Pcrs.pcrSelections[Index].hash)); //
switch (Pcrs.pcrSelections[Index].hash) { // Find the intersection of Pcd support and TPM support.
case TPM_ALG_SHA1: // If banks are missing from the TPM support that are in the PCD, update the PCD.
if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) { // If banks are missing from the PCD that are active in the TPM, reallocate the banks and reboot.
ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA1; //
}
break; //
case TPM_ALG_SHA256: // If there are active PCR banks that are not supported by the Platform mask,
if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) { // update the TPM allocations and reboot the machine.
ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA256; //
} if ((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) {
break; NewTpmActivePcrBanks = TpmActivePcrBanks & Tpm2PcrMask;
case TPM_ALG_SHA384:
if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) { DEBUG ((EFI_D_INFO, __FUNCTION__" - Reallocating PCR banks from 0x%X to 0x%X.\n", TpmActivePcrBanks, NewTpmActivePcrBanks ));
ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA384; if (NewTpmActivePcrBanks == 0) {
} DEBUG ((EFI_D_ERROR, __FUNCTION__" - No viable PCRs active! Please set a less restrictive value for PcdTpm2HashMask!\n"));
break; ASSERT (FALSE);
case TPM_ALG_SHA512: } else {
if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) { Status = Tpm2PcrAllocateBanks (NULL, (UINT32)TpmHashAlgorithmBitmap, NewTpmActivePcrBanks);
ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA512; if (EFI_ERROR (Status)) {
} //
break; // We can't do much here, but we hope that this doesn't happen.
case TPM_ALG_SM3_256: //
if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) { DEBUG ((EFI_D_ERROR, __FUNCTION__" - Failed to reallocate PCRs!\n"));
ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SM3_256; ASSERT_EFI_ERROR (Status);
}
break;
} }
//
// Need reset system, since we just called Tpm2PcrAllocateBanks().
//
ResetCold();
} }
} }
Status = PcdSet32S (PcdTpm2HashMask, ActivePcrBanks);
ASSERT_EFI_ERROR (Status); //
// If there are any PCRs that claim support in the Platform mask that are
// not supported by the TPM, update the mask.
//
if ((Tpm2PcrMask & TpmHashAlgorithmBitmap) != Tpm2PcrMask) {
NewTpm2PcrMask = Tpm2PcrMask & TpmHashAlgorithmBitmap;
DEBUG ((EFI_D_INFO, __FUNCTION__" - Updating PcdTpm2HashMask from 0x%X to 0x%X.\n", Tpm2PcrMask, NewTpm2PcrMask ));
if (NewTpm2PcrMask == 0) {
DEBUG ((EFI_D_ERROR, __FUNCTION__" - No viable PCRs supported! Please set a less restrictive value for PcdTpm2HashMask!\n"));
ASSERT (FALSE);
}
Status = PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask);
ASSERT_EFI_ERROR (Status);
}
} }
/** /**
@ -767,7 +788,7 @@ PeimEntryMA (
// //
// Update Tpm2HashMask according to PCR bank. // Update Tpm2HashMask according to PCR bank.
// //
SetTpm2HashMask (); SyncPcrAllocationsAndPcrMask ();
if (S3ErrorReport) { if (S3ErrorReport) {
// //
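Review bot: In SyncPcrAllocationsAndPcrMask the result of Tpm2GetCapabilitySupportedAndActivePcrs is checked only with ASSERT_EFI_ERROR, so in a build where asserts are compiled out a failed call leaves TpmHashAlgorithmBitmap and TpmActivePcrBanks uninitialized, and those values then decide whether PCR banks are reallocated and what is written to PcdTpm2HashMask. The removed code handled this failure explicitly by falling back to SHA1; the new code should keep a real check, for example `if (EFI_ERROR (Status)) { DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilitySupportedAndActivePcrs fail!\n")); return; }`, or an explicit fallback mask if the platform prefers one. The same pattern applies after Tpm2PcrAllocateBanks: ResetCold() is reached even when the allocation failed, which on a release build could repeat on every boot if the failure is persistent, so the reset should probably be limited to the success path. Both zero-mask branches also rely on ASSERT (FALSE) alone, so a release build would carry on with an empty hash mask; a comment stating the intended behaviour there would help.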


@ -3,7 +3,7 @@
# #
# This module will initialize TPM device, measure reported FVs and BIOS version. # This module will initialize TPM device, measure reported FVs and BIOS version.
# #
# Copyright (c) 2015, Intel Corporation. All rights reserved.<BR> # Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials # This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License # are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at # which accompanies this distribution. The full text of the license may be found at
@ -53,6 +53,7 @@
MemoryAllocationLib MemoryAllocationLib
ReportStatusCodeLib ReportStatusCodeLib
Tcg2PhysicalPresenceLib Tcg2PhysicalPresenceLib
ResetSystemLib
[Guids] [Guids]
gTcgEventEntryHobGuid ## PRODUCES ## HOB gTcgEventEntryHobGuid ## PRODUCES ## HOB