4 files changed, 47 insertions, 17 deletions

diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c
index 59639d0538..ee8fe6e06e 100644
--- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c
+++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c
@@ -3,7 +3,7 @@
   hash handler registered, such as SHA1, SHA256.

   Platform can use PcdTpm2HashMask to mask some hash engines.

 

-Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>

+Copyright (c) 2013 - 2021, Intel Corporation. All rights reserved. <BR>

 SPDX-License-Identifier: BSD-2-Clause-Patent

 

 **/

@@ -234,13 +234,18 @@ RegisterHashInterfaceLib (
 {

   UINTN       Index;

   UINT32      HashMask;

+  UINT32      Tpm2HashMask;

   EFI_STATUS  Status;

 

   //

   // Check allow

   //

-  HashMask = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);

-  if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {

+  HashMask     = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);

+  Tpm2HashMask = PcdGet32 (PcdTpm2HashMask);

+

+  if ((Tpm2HashMask != 0) &&

+      ((HashMask & Tpm2HashMask) == 0))

+  {

     return EFI_UNSUPPORTED;

   }

 

diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
index e21103d371..eeb424b6c3 100644
--- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
+++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
@@ -3,7 +3,7 @@
   hash handler registered, such as SHA1, SHA256.

   Platform can use PcdTpm2HashMask to mask some hash engines.

 

-Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>

+Copyright (c) 2013 - 2021, Intel Corporation. All rights reserved. <BR>

 SPDX-License-Identifier: BSD-2-Clause-Patent

 

 **/

@@ -330,13 +330,18 @@ RegisterHashInterfaceLib (
   UINTN               Index;

   HASH_INTERFACE_HOB  *HashInterfaceHob;

   UINT32              HashMask;

+  UINT32              Tpm2HashMask;

   EFI_STATUS          Status;

 

   //

   // Check allow

   //

-  HashMask = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);

-  if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {

+  HashMask     = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);

+  Tpm2HashMask = PcdGet32 (PcdTpm2HashMask);

+

+  if ((Tpm2HashMask != 0) &&

+      ((HashMask & Tpm2HashMask) == 0))

+  {

     return EFI_UNSUPPORTED;

   }

 

diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index 622989aff3..26bb5282a5 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -252,7 +252,7 @@ EndofPeiSignalNotifyCallBack (
 

 /**

   Make sure that the current PCR allocations, the TPM supported PCRs,

-  and the PcdTpm2HashMask are all in agreement.

+  PcdTcg2HashAlgorithmBitmap and the PcdTpm2HashMask are all in agreement.

 **/

 VOID

 SyncPcrAllocationsAndPcrMask (

@@ -261,6 +261,7 @@ SyncPcrAllocationsAndPcrMask (
 {

   EFI_STATUS                       Status;

   EFI_TCG2_EVENT_ALGORITHM_BITMAP  TpmHashAlgorithmBitmap;

+  EFI_TCG2_EVENT_ALGORITHM_BITMAP  BiosHashAlgorithmBitmap;

   UINT32                           TpmActivePcrBanks;

   UINT32                           NewTpmActivePcrBanks;

   UINT32                           Tpm2PcrMask;

@@ -274,33 +275,50 @@ SyncPcrAllocationsAndPcrMask (
   Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);

   ASSERT_EFI_ERROR (Status);

 

+  DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - TpmHashAlgorithmBitmap: 0x%08x\n", TpmHashAlgorithmBitmap));

+  DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks));

+

   Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask);

   if (Tpm2PcrMask == 0) {

     //

-    // if PcdTPm2HashMask is zero, use ActivePcr setting

+    // If PcdTpm2HashMask is zero, use ActivePcr setting.

+    // Only when PcdTpm2HashMask is initialized to 0, will it be updated to current Active Pcrs.

     //

     PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);

     Tpm2PcrMask = TpmActivePcrBanks;

   }

 

-  //

-  // Find the intersection of Pcd support and TPM support.

-  // If banks are missing from the TPM support that are in the PCD, update the PCD.

-  // If banks are missing from the PCD that are active in the TPM, reallocate the banks and reboot.

-  //

+  DEBUG ((DEBUG_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask));

 

   //

-  // If there are active PCR banks that are not supported by the Platform mask,

-  // update the TPM allocations and reboot the machine.

+  // The Active PCRs in the TPM need to be a strict subset of the hashing algorithms supported by BIOS.

   //

-  if ((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) {

-    NewTpmActivePcrBanks = TpmActivePcrBanks & Tpm2PcrMask;

+  // * Find the intersection of Pcd support and TPM active PCRs. If banks are missing from the TPM support

+  // that are in the PCD, update the PCD.

+  // * Find intersection of TPM Active PCRs and BIOS supported algorithms. If there are active PCR banks

+  // that are not supported by the platform, update the TPM allocations and reboot.

+  // Note: When the HashLibBaseCryptoRouter solution is used, the hash algorithm support from BIOS is reported

+  //       by Tcg2HashAlgorithmBitmap, which is populated by HashLib instances at runtime.

+  BiosHashAlgorithmBitmap = PcdGet32 (PcdTcg2HashAlgorithmBitmap);

+  DEBUG ((DEBUG_INFO, "Tcg2HashAlgorithmBitmap: 0x%08x\n", BiosHashAlgorithmBitmap));

+

+  if (((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) ||

+      ((TpmActivePcrBanks & BiosHashAlgorithmBitmap) != TpmActivePcrBanks))

+  {

+    DEBUG ((DEBUG_INFO, "TpmActivePcrBanks & Tpm2PcrMask = 0x%08x\n", (TpmActivePcrBanks & Tpm2PcrMask)));

+    DEBUG ((DEBUG_INFO, "TpmActivePcrBanks & BiosHashAlgorithmBitmap = 0x%08x\n", (TpmActivePcrBanks & BiosHashAlgorithmBitmap)));

+    NewTpmActivePcrBanks  = TpmActivePcrBanks;

+    NewTpmActivePcrBanks &= Tpm2PcrMask;

+    NewTpmActivePcrBanks &= BiosHashAlgorithmBitmap;

+    DEBUG ((DEBUG_INFO, "NewTpmActivePcrBanks 0x%08x\n", NewTpmActivePcrBanks));

 

     DEBUG ((DEBUG_INFO, "%a - Reallocating PCR banks from 0x%X to 0x%X.\n", __FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks));

+

     if (NewTpmActivePcrBanks == 0) {

       DEBUG ((DEBUG_ERROR, "%a - No viable PCRs active! Please set a less restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));

       ASSERT (FALSE);

     } else {

+      DEBUG ((DEBUG_ERROR, "Tpm2PcrAllocateBanks (TpmHashAlgorithmBitmap: 0x%08x, NewTpmActivePcrBanks: 0x%08x)\n", TpmHashAlgorithmBitmap, NewTpmActivePcrBanks));

       Status = Tpm2PcrAllocateBanks (NULL, (UINT32)TpmHashAlgorithmBitmap, NewTpmActivePcrBanks);

       if (EFI_ERROR (Status)) {

         //

@@ -331,6 +349,7 @@ SyncPcrAllocationsAndPcrMask (
     }

 

     Status = PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask);

+    DEBUG ((DEBUG_ERROR, "Set PcdTpm2Hash Mask to 0x%08x\n", NewTpm2PcrMask));

     ASSERT_EFI_ERROR (Status);

   }

 }

diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
index 06c26a2904..17ad116126 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
@@ -86,6 +86,7 @@
   ## SOMETIMES_CONSUMES

   ## SOMETIMES_PRODUCES

   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask

+  gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap                  ## CONSUMES

 

 [Depex]

   gEfiPeiMasterBootModePpiGuid AND