From c2fe66bf62c4430dcff7002b88dfc5be464efdcb Mon Sep 17 00:00:00 2001 From: "Yao, Jiewen" Date: Tue, 10 Nov 2015 02:03:40 +0000 Subject: Add error handling for TPM in S3 resume failure. If TPM2_Startup(TPM_SU_STATE) to return an error, the system firmware that resumes from S3 MUST deal with a TPM2_Startup error appropriately. For example, issuing a TPM2_Startup(TPM_SU_CLEAR) command and configuring the device securely by taking actions like extending a separator with an error digest (0x01) into PCRs 0 through 7. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" Reviewed-by: "Zhang, Chao B" git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18760 6f19259b-4bc3-4df7-8a09-765794883524 --- SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 50 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c index 4ecfbe3b84..63045f1c59 100644 --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c @@ -828,6 +828,33 @@ PeimEntryMP ( return Status; } +/** + Measure and log Separator event with error, and extend the measurement result into a specific PCR. + + @param[in] PCRIndex PCR index. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. + +**/ +EFI_STATUS +MeasureSeparatorEventWithError ( + IN TPM_PCRINDEX PCRIndex + ) +{ + TCG_PCR_EVENT_HDR TcgEvent; + UINT32 EventData; + + // + // Use EventData 0x1 to indicate there is error. + // + EventData = 0x1; + TcgEvent.PCRIndex = PCRIndex; + TcgEvent.EventType = EV_SEPARATOR; + TcgEvent.EventSize = (UINT32)sizeof (EventData); + return HashLogExtendEvent(0,(UINT8 *)&EventData, TcgEvent.EventSize, &TcgEvent,(UINT8 *)&EventData); +} + /** Entry point of this module. @@ -847,6 +874,8 @@ PeimEntryMA ( EFI_STATUS Status; EFI_STATUS Status2; EFI_BOOT_MODE BootMode; + TPM_PCRINDEX PcrIndex; + BOOLEAN S3ErrorReport; if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceNoneGuid) || CompareGuid (PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)){ @@ -885,11 +914,15 @@ PeimEntryMA ( goto Done; } + S3ErrorReport = FALSE; if (PcdGet8 (PcdTpm2InitializationPolicy) == 1) { if (BootMode == BOOT_ON_S3_RESUME) { Status = Tpm2Startup (TPM_SU_STATE); if (EFI_ERROR (Status) ) { Status = Tpm2Startup (TPM_SU_CLEAR); + if (!EFI_ERROR(Status)) { + S3ErrorReport = TRUE; + } } } else { Status = Tpm2Startup (TPM_SU_CLEAR); @@ -903,6 +936,23 @@ PeimEntryMA ( // Update Tpm2HashMask according to PCR bank. // SetTpm2HashMask (); + + if (S3ErrorReport) { + // + // The system firmware that resumes from S3 MUST deal with a + // TPM2_Startup error appropriately. + // For example, issue a TPM2_Startup(TPM_SU_CLEAR) command and + // configuring the device securely by taking actions like extending a + // separator with an error digest (0x01) into PCRs 0 through 7. + // + for (PcrIndex = 0; PcrIndex < 8; PcrIndex++) { + Status = MeasureSeparatorEventWithError (PcrIndex); + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "Separator Event with Error not Measured. Error!\n")); + } + } + } + // // TpmSelfTest is optional on S3 path, skip it to save S3 time // -- cgit v1.2.3