From d02a848e3246213edddb69cfb2360830eb058ab3 Mon Sep 17 00:00:00 2001 From: "Zhang, Chao B" Date: Sat, 13 Jan 2018 16:52:48 +0800 Subject: SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation According to TCG PP1.3 spec, error PCR bank allocation input should be rejected by Physical Presence. Firmware has to ensure that at least one PCR banks is active. Cc: Long Qin Cc: Yao Jiewen Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Chao Zhang Reviewed-by: Long Qin Reviewed-by: Yao Jiewen --- .../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'SecurityPkg/Library') diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c index 5bf95a18fc..5ece8e513a 100644 --- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c +++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c @@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence ( case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS: Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks); ASSERT_EFI_ERROR (Status); + + // + // PP spec requirements: + // Firmware should check that all requested (set) hashing algorithms are supported with respective PCR banks. + // Firmware has to ensure that at least one PCR banks is active. + // If not, an error is returned and no action is taken. + // + if (CommandParameter == 0 || (CommandParameter & (~TpmHashAlgorithmBitmap)) != 0) { + DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by TPM. Skip operation\n", CommandParameter)); + return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; + } + Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter); if (EFI_ERROR (Status)) { return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; -- cgit v1.2.3