summaryrefslogtreecommitdiffstats
path: root/SecurityPkg
Commit message (Collapse)AuthorAgeFilesLines
* SecurityPkg: TPM must go to Idle state on CRB command completionRodrigo Gonzalez del Cueto2021-12-171-12/+2
| | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3463 In V2: Fixed patch format and uncrustify cleanup In V1: To follow the TCG CRB protocol specification, on every CRB TPM command completion the TPM should return to Idle state, regardless of the CRB Idle Bypass capability reported by the TPM device. See: TCG PC Client Device Driver Design Principles for TPM 2.0, Version 1.0, Rev 0.27 Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg: Reallocate TPM Active PCRs based on platform supportRodrigo Gonzalez del Cueto2021-12-174-17/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3515 In V4: Fixed patch format and uncrustify cleanup In V3: Cleaned up comments, debug prints and updated patch to use the new debug ENUM definitions. - Replaced EFI_D_INFO with DEBUG_INFO. - Replaced EFI_D_VERBOSE with DEBUG_VERBOSE. In V2: Add case to RegisterHashInterfaceLib logic RegisterHashInterfaceLib needs to correctly handle registering the HashLib instance supported algorithm bitmap when PcdTpm2HashMask is set to zero. The current implementation of SyncPcrAllocationsAndPcrMask() triggers PCR bank reallocation only based on the intersection between TpmActivePcrBanks and PcdTpm2HashMask. When the software HashLibBaseCryptoRouter solution is used, no PCR bank reallocation is occurring based on the supported hashing algorithms registered by the HashLib instances. Need to have an additional check for the intersection between the TpmActivePcrBanks and the PcdTcg2HashAlgorithmBitmap populated by the HashLib instances present on the platform's BIOS. Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg: Debug code to audit BIOS TPM extend operationsRodrigo Gonzalez del Cueto2021-12-173-10/+222
| | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2858 In V2: Fixed patch format and uncrustify cleanup In V1: Add debug functionality to examine TPM extend operations performed by BIOS and inspect the PCR 00 value prior to any BIOS measurements. Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg: Support CcMeasurementProtocol in DxeTpmMeasurementLibMin Xu2021-12-112-20/+111
| | | | | | | | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3625 DxeTpmMeasurementLib supports TPM based measurement in DXE phase. After CcMeasurementProtocol is introduced, CC based measurement needs to be supported in DxeTpmMeasurementLib as well. A platform should have only one RTS/RTR. Only one of (virtual)TPM1.2, (virtual)TPM2.0 and CC MR exists. Then only one TCG_SERVICE_PROTOCOL, TCG2_PROTOCOL, CC_MEASUREMENT_PROTOCOL is exposed. In this library when do measurement only one of above 3 protocols will be called. Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Cc: Zhiguang Liu <zhiguang.liu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Min Xu <min.m.xu@intel.com>
* SecurityPkg: Support CcMeasurementProtocol in DxeTpm2MeasureBootLibMin Xu2021-12-112-77/+265
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=3625 DxeTpm2MeasureBootLib supports TPM2 based measure boot. After CcMeasurementProtocol is introduced, CC based measure boot needs to be supported in DxeTpm2MeasureBootLib as well. There are 2 major changes in this commit. 1. A platform should have only one RTS/RTR. Only one of (virtual)TPM1.2, (virtual)TPM2.0 and CC MR exists. Then only one TCG_SERVICE_PROTOCOL, TCG2_PROTOCOL, CC_MEASUREMENT_PROTOCOL is exposed. In this library when do measure boot only one of TCG2_PROTOCOL / CC_MEASUREMENT_PROTOCOL will be called. MEASURE_BOOT_PROTOCOLS is defined to store the instances of TCG2 protocol and CC Measurement protocol. 2. CcEvent is similar to Tcg2Event except the MrIndex and PcrIndex. So in the code Tcg2Event will be first created and intialized. If CcMeasurementProtocol is called to do the measure boot, then CcEvent points to Tcg2Event and the MrIndex is adjusted. Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Cc: Zhiguang Liu <zhiguang.liu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Min Xu <min.m.xu@intel.com>
* SecurityPkg: Apply uncrustify changesMichael Kubacki2021-12-07185-14487/+15319
| | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3737 Apply uncrustify changes to .c/.h files in the SecurityPkg package Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* SecurityPkg: Change complex DEBUG_CODE() to DEBUG_CODE_BEGIN/END()Michael D Kinney2021-12-074-20/+20
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3767 Update use of DEBUG_CODE(Expression) if Expression is a complex code block with if/while/for/case statements that use {}. Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael Kubacki <michael.kubacki@microsoft.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* SecurityPkg: Change OPTIONAL keyword usage styleMichael D Kinney2021-12-0720-31/+31
| | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3760 Update all use of ', OPTIONAL' to ' OPTIONAL,' for function params. Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael Kubacki <michael.kubacki@microsoft.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* SecurityPkg: Change use of EFI_D_* to DEBUG_*Michael D Kinney2021-12-0742-375/+368
| | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3739 Update all use of EFI_D_* defines in DEBUG() macros to DEBUG_* defines. Cc: Andrew Fish <afish@apple.com> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Michael Kubacki <michael.kubacki@microsoft.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* SecurityPkg: Update YAML to ignore specific ECC files/errorsMichael D Kinney2021-11-301-0/+3
| | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3749 Update package YAML files to ignore ECC errors that are already present. These issues must be fixed in the future, but should not block source code changes for these known issues. Cc: Qi Zhang <qi1.zhang@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Cc: Michael Kubacki <michael.kubacki@microsoft.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Qi Zhang <qi1.zhang@intel.com>
* SecurityPkg: Reproduce builds across source format changesMichael D Kinney2021-11-081-13/+13
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3688 Use DEBUG_LINE_NUMBER instead of __LINE__. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Michael Kubacki <michael.kubacki@microsoft.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Tested-by: Michael Kubacki <michael.kubacki@microsoft.com>
* SecurityPkg/SecurityPkg.dsc: Add missing RngLib for ARM and RISCV64Michael D Kinney2021-11-051-1/+8
| | | | | | | | | | | | | | | Fix SecurityPkg build breaks for ARM and RISCV64 by adding RngLib mapping. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Abner Chang <abner.chang@hpe.com> Cc: Daniel Schaefer <daniel.schaefer@hpe.com> Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com> Acked-by: Jiewen Yao <Jiewen.yao@intel.com> Acked-by: Abner Chang <abner.chang@hpe.com> Reviewed-by: Daniel Schaefer <daniel.schaefer@hpe.com>
* SecurityPkg/FvReportPei: Remove the ASSERT to allow neither M nor VGuomin Jiang2021-10-311-3/+5
| | | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2673 M mean that Measured Boot, V mean that Verified Boot. The FvReport do below: 1. Do nothing if neither M nor V 2. Allocate pages to save the firmware volume and use it to install firmware info Ppi 3. Install PreHashFv Ppi if the FV need measurement. 4. Verify the Hash if the FV need verification Notes: 1. The component is used to verify the FV or measure the FV 2. Copy action is just for security purpose but not main purpose. 3. If you use this component, Doesn't need to copy in other compoent which result time consumption. Signed-off-by: Guomin Jiang <guomin.jiang@intel.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLibStefan Berger2021-10-053-0/+54
| | | | | | | | | | | | Add a NULL implementation of the library class TpmPlatformHierarchyLib. Link: https://bugzilla.tianocore.org/show_bug.cgi?id=3510 Cc: Ard Biesheuvel <ardb+tianocore@kernel.org> Cc: Leif Lindholm <leif@nuviainc.com> Cc: Sami Mujawar <sami.mujawar@arm.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
* SecurityPkg: Fix SecureBootDefaultKeysDxe failed to startNhi Pham2021-09-301-7/+14
| | | | | | | | | | | | | The dbt and dbx keys are optional, the driver entry should return EFI_SUCCESS to start if they are not found in the firmware flash. This patch is to fix it and update the description of retval as well. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Grzegorz Bernacki <gjb@semihalf.com> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com> Reviewed-by: Grzegorz Bernacki <gjb@semihalf.com> Acked-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg: Add debug log for indicating IBB verified OBB successfullyYang, Longlong2021-09-181-0/+2
| | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3615 Debug message should be added for indicating IBB is successfully verifying the OBB. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Min M Xu <min.m.xu@intel.com> Cc: Qi Zhang <qi1.zhang@intel.com> Signed-off-by: Longlong Yang <longlong.yang@intel.com> Reviewed-by: Min M Xu <min.m.xu@intel.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* SecurityPkg: Add references to header and inf files to SecurityPkgStefan Berger2021-09-132-0/+16
| | | | | Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg/Tcg: Make Tcg2PlatformPei buildable and fix style issuesStefan Berger2021-09-132-7/+8
| | | | | Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg/Tcg: Import Tcg2PlatformPei from edk2-platformsStefan Berger2021-09-132-0/+159
| | | | | | | Import Tcg2PlatformPei from edk2-platforms without any modifications. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchyStefan Berger2021-09-132-2/+7
| | | | | | | | | Introduce the new PCD gEfiSecurityPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy. We need it for TpmPlatformHierarchyLib. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg/Tcg: Make Tcg2PlatformDxe buildable and fix style issuesStefan Berger2021-09-133-5/+4
| | | | | Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecrutiyPkg/Tcg: Import Tcg2PlatformDxe from edk2-platformsStefan Berger2021-09-132-0/+129
| | | | | | | Import Tcg2PlatformDxe from edk2-platforms without any modifications. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyLibStefan Berger2021-09-132-20/+8
| | | | | | | Fix some bugs in the original PeiDxeTpmPlatformHierarchyLib.c. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platformsStefan Berger2021-09-133-0/+338
| | | | | | | Import PeiDxeTpmPlatformHierarchyLib from edk2-platforms without any modifications. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
* SecurityPkg/MemoryOverwriteControl: Add missing argument to DEBUG printMichael Kubacki2021-09-041-1/+1
| | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3605 The error message is missing the argument for the status code print specifier. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Qi Zhang <qi1.zhang@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg: Fix GetSupportedAndActivePcrs counter calculationRodrigo Gonzalez del Cueto2021-08-091-17/+29
| | | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2855 The Tpm2GetCapabilitySupportedAndActivePcrs function prints a count number that should reflect the *supported and currently active* PCR banks, but the implementation in place displays instead the count of the *supported PCR banks* retrieved directly from the Tpm2GetCapabilityPcrs() TPML_PCR_SELECTION output. The counter should only take into account those PCRs banks which are active. Replaced usage of EFI_D_* for DEBUG_* definitions in debug messages. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Qi Zhang <qi1.zhang@intel.com> Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
* SecurityPkg: Add option to reset secure boot keys.Grzegorz Bernacki2021-08-035-0/+166
| | | | | | | | | | | This commit add option which allows reset content of Secure Boot keys and databases to default variables. Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com> Reviewed-by: Sunny Wang <sunny.wang@arm.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Reviewed-by: Pete Batard <pete@akeo.ie> Tested-by: Pete Batard <pete@akeo.ie> # on Raspberry Pi 4
* SecurityPkg: Add new modules to Security package.Grzegorz Bernacki2021-08-032-1/+20
| | | | | | | | | | | | This commits adds modules and dependencies related to initialization and usage of default Secure Boot key variables to SecurityPkg. Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com> Reviewed-by: Sunny Wang <sunny.wang@arm.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Reviewed-by: Pete Batard <pete@akeo.ie> Tested-by: Pete Batard <pete@akeo.ie> # on Raspberry Pi 4
* SecurityPkg: Add EnrollFromDefaultKeys application.Grzegorz Bernacki2021-08-032-0/+163
| | | | | | | | | This application allows user to force key enrollment from Secure Boot default variables. Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Reviewed-by: Sunny Wang <sunny.wang@arm.com>
* SecurityPkg: Add SecureBootDefaultKeysDxe driverGrzegorz Bernacki2021-08-033-0/+131
| | | | | | | | | | | This driver initializes default Secure Boot keys and databases based on keys embedded in flash. Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com> Reviewed-by: Sunny Wang <sunny.wang@arm.com> Reviewed-by: Pete Batard <pete@akeo.ie> Tested-by: Pete Batard <pete@akeo.ie> # on Raspberry Pi 4 Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
* SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.Grzegorz Bernacki2021-08-032-188/+4
| | | | | | | | | | This commit removes functions which were added to SecureBootVariableLib. It also adds dependecy on that library. Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Reviewed-by: Sunny Wang <sunny.wang@arm.com>
* SecurityPkg: Create library for enrolling Secure Boot variables.Grzegorz Bernacki2021-08-036-0/+715
| | | | | | | | | | | This commits add library, which consist functions to enrolll Secure Boot keys and initialize Secure Boot default variables. Some of the functions was moved from SecureBootConfigImpl.c file. Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com> Reviewed-by: Sunny Wang <sunny.wang@arm.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
* SecurityPkg: Create SecureBootVariableLib.Grzegorz Bernacki2021-08-036-0/+763
| | | | | | | | | | This commits add library, which consist helper functions related to creation/removal Secure Boot variables. Some of the functions was moved from SecureBootConfigImpl.c file. Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com> Reviewed-by: Sunny Wang <sunny.wang@arm.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
* SecurityPkg: TcgStorageOpalLib: Initialize SupportedAttributes parameter.Scottie Kuo2021-06-151-1/+2
| | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3408 The value of SupportedAttributes in OpalGetSupportedAttributesInfo () is left undetermined, if the caller doesn't initialize it. Initialize it in the function entry. Signed-off-by: Scottie Kuo <scottie.kuo@intel.com> Cc: Qi Zhang <qi1.zhang@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Maggie Chu <maggie.chu@intel.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Acked-by: Jian J Wang <jian.j.wang@intel.com>
* SecurityPkg: Add support for RngDxe on AARCH64Rebecca Cran2021-05-1111-175/+480
| | | | | | | | | | | | | AARCH64 support has been added to BaseRngLib via the optional ARMv8.5 FEAT_RNG. Refactor RngDxe to support AARCH64, note support for it in the VALID_ARCHITECTURES line of RngDxe.inf and enable it in SecurityPkg.dsc. Signed-off-by: Rebecca Cran <rebecca@nuviainc.com> Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn> Acked-by: Jiewen Yao <Jiewen.yao@intel.com> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
* SecurityPkg: Add constraints on PK strengthJiaqi Gao2021-04-262-30/+161
| | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3293 Add constraints on the key strength of enrolled platform key(PK), which must be greater than or equal to 2048 bit. PK key strength is required by Intel SDL and MSFT, etc. This limitation prevents user from using weak keys as PK. The original code to check the certificate file type is placed in a new function CheckX509Certificate(), which checks if the X.509 certificate meets the requirements of encode type, RSA-Key strengh, etc. Cc: Min Xu <min.m.xu@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Jiaqi Gao <jiaqi.gao@intel.com> Reviewed-by: Min Xu <min.m.xu@intel.com> Acked-by: Jiewen Yao <jiewen.yao@intel.com>
* SecurityPkg/FvReportPei: remove redundant sizeofWenyi Xie2021-04-161-1/+1
| | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3333 In function InstallPreHashFvPpi, when calculating the size of struct HASH_INFO, sizeof is used twice. This bug does not lead to buffer overflow, "sizeof (HASH_INFO)" is 4, whereas "sizeof (sizeof (HASH_INFO))" is 4 or 8. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Wenyi Xie <xiewenyi2@huawei.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com> Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
* SecurityPkg/Tcg2Smm: Initialize local Status variableMichael Kubacki2021-04-131-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3277 Initializes the Status variable in TcgMmReadyToLock(). Fixes a Clang build failure: Tcg2Smm.c - SecurityPkg\Tcg\Tcg2Smm\Tcg2Smm.c:254:7: error: variable 'Status' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] Initializing this variable is required to address a practical scenario in which the return value of TcgMmReadyToLock() is undefined based on conditional evaluation in the function. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Qi Zhang <qi1.zhang@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Cc: Kun Qin <kun.q@outlook.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
* SecurityPkg: Consume MdeLibs.dsc.inc for RegisterFilterLibDandan Bi2021-03-311-1/+3
| | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3246 MdeLibs.dsc.inc was added for some basic/default library instances provided by MdePkg and RegisterFilterLibNull Library was also added into it as the first version of MdeLibs.dsc.inc. So update platform dsc to consume MdeLibs.dsc.inc for RegisterFilterLibNull which will be consumed by IoLib and BaseLib. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Signed-off-by: Dandan Bi <dandan.bi@intel.com> Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> Acked-by: Ard Biesheuvel <ardb@kernel.org> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
* SecurityPkg: Tcg2Acpi: Added unblock memory interface for NVS regionKun Qin2021-03-053-0/+8
| | | | | | | | | | | | | | | | This changes added usage of MmUnblockMemoryLib to explicitly request allocated NVS region to be accessible from MM environment. It will bring in compatibility with architectures that supports full memory blockage inside MM. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Qi Zhang <qi1.zhang@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Signed-off-by: Kun Qin <kun.q@outlook.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Message-Id: <MWHPR06MB31026F3F8C3FAA39D74CE4BAF3969@MWHPR06MB3102.namprd06.prod.outlook.com>
* SecurityPkg: Tcg2Smm: Added support for Standalone MmKun Qin2021-03-057-0/+251
| | | | | | | | | | | | | | | | | | | | | https://bugzilla.tianocore.org/show_bug.cgi?id=3169 This change added Standalone MM instance of Tcg2. The notify function for Standalone MM instance is left empty. A dependency DXE driver with a Depex of gEfiMmCommunication2ProtocolGuid was created to indicate the readiness of Standalone MM Tcg2 driver. Lastly, the support of CI build for Tcg2 Standalone MM module is added. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Qi Zhang <qi1.zhang@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Signed-off-by: Kun Qin <kun.q@outlook.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Message-Id: <MWHPR06MB3102C3F99CBADFCC5F8A821CF3969@MWHPR06MB3102.namprd06.prod.outlook.com>
* SecurityPkg: Tcg2Smm: Separate Tcg2Smm into 2 modulesKun Qin2021-03-0510-787/+1351
| | | | | | | | | | | | | | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3169 This change separated the original Tcg2Smm module into 2 drivers: the SMM driver that registers callback for physical presence and memory clear; the Tcg2Acpi driver that patches and publishes ACPI table for runtime use. Tcg2Smm introduced an SMI root handler to allow Tcg2Acpi to communicate the NVS region used by Tpm.asl and exchange the registered SwSmiValue. Lastly, Tcg2Smm driver will publish gTcg2MmSwSmiRegisteredGuid at the end of entrypoint to ensure Tcg2Acpi to load after Tcg2Smm is ready to communicate. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Qi Zhang <qi1.zhang@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Signed-off-by: Kun Qin <kun.q@outlook.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Message-Id: <MWHPR06MB310295CC623EF7C062844DFFF3969@MWHPR06MB3102.namprd06.prod.outlook.com>
* SecurityPkg: Tcg2Smm: Switching from gSmst to gMmstKun Qin2021-03-053-4/+4
| | | | | | | | | | | | | | This change replaced gSmst with gMmst to support broader compatibility under MM environment for Tcg2Smm driver. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Qi Zhang <qi1.zhang@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Signed-off-by: Kun Qin <kun.q@outlook.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Message-Id: <MWHPR06MB310218F28C7AAF8DB375E963F3969@MWHPR06MB3102.namprd06.prod.outlook.com>
* SecurityPkg: Tpm2DeviceLibDTpm: Introduce StandaloneMm instanceKun Qin2021-02-0110-84/+275
| | | | | | | | | | | | | | This change added a new instance of Tpm2DeviceLibDTpm to support drivers of type MM_STANDALONE. It abstracts dynamic Pcd access into separate file for different instances to avoid dynamic usage for StandaloneMm modules. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Qi Zhang <qi1.zhang@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Signed-off-by: Kun Qin <kun.q@outlook.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
* SecurityPkg: Tcg2PpVendorLibNull: Added support for MM_STANDALONE typeKun Qin2021-02-011-1/+1
| | | | | | | | | | | | | This change extends this null instance of Tcg2PpVendorLib to support MM_STANDALONE drivers. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Qi Zhang <qi1.zhang@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Signed-off-by: Kun Qin <kun.q@outlook.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
* SecurityPkg: Tcg2PhysicalPresenceLib: Introduce StandaloneMm instanceKun Qin2021-02-017-367/+545
| | | | | | | | | | | | | | | This change added a new instance of Tcg2PhysicalPresenceLib to support MM_STANDALONE type drivers. It centralizes the common routines into shared files and abstract the library constructor into corresponding files to implement each constructor function prototypes. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Qi Zhang <qi1.zhang@intel.com> Cc: Rahul Kumar <rahul1.kumar@intel.com> Signed-off-by: Kun Qin <kun.q@outlook.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
* Revert "SecurityPkg: Add RPMC Index to the RpmcLib"gaoliming2020-11-262-10/+2
| | | | | | | | | | | | | | | | This reverts commit 6c8dd15c4ae42501438a525ec41299f365f223cb. Based on the discussion https://edk2.groups.io/g/devel/message/67764, this change is regarded as the feature request. But, it doesn't pass reviewed before 202011 stable tag soft feature freeze. So, it should not be merged into 202011 stable tag. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Nishant C Mistry <nishant.c.mistry@intel.com> Signed-off-by: Liming Gao <gaoliming@byosoft.com.cn> Acked-by: Jiewen Yao <Jiewen.yao@intel.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
* SecurityPkg: Add RPMC Index to the RpmcLibNishant Mistry2020-11-192-2/+10
| | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 The re-design requires multiple RPMC counter usages. The consumer will be capable of selecting amongst multiple counters. Signed-off-by: Nishant C Mistry <nishant.c.mistry@intel.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
* SecurityPkg/Hash2DxeCrypto: Remove SHA1 supportGao, Zhichao2020-11-172-2/+0
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027 Remove the deprecated SHA1 support of Hash2DxeCrypto driver. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Message-Id: <20201112055558.2348-3-zhichao.gao@intel.com>
* SecurityPkg/Hash2DxeCrypto: Remove MD5 supportGao, Zhichao2020-11-172-3/+1
| | | | | | | | | | | | | REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027 Remove the deprecated MD5 support of Hash2DxeCrypto driver. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Message-Id: <20201112055558.2348-2-zhichao.gao@intel.com>