\r
/**\r
Make sure that the current PCR allocations, the TPM supported PCRs,\r
- and the PcdTpm2HashMask are all in agreement.\r
+ PcdTcg2HashAlgorithmBitmap and the PcdTpm2HashMask are all in agreement.\r
**/\r
VOID\r
SyncPcrAllocationsAndPcrMask (\r
{\r
EFI_STATUS Status;\r
EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap;\r
+ EFI_TCG2_EVENT_ALGORITHM_BITMAP BiosHashAlgorithmBitmap;\r
UINT32 TpmActivePcrBanks;\r
UINT32 NewTpmActivePcrBanks;\r
UINT32 Tpm2PcrMask;\r
Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);\r
ASSERT_EFI_ERROR (Status);\r
\r
+ DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - TpmHashAlgorithmBitmap: 0x%08x\n", TpmHashAlgorithmBitmap));\r
+ DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks));\r
+\r
Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask);\r
if (Tpm2PcrMask == 0) {\r
//\r
- // if PcdTPm2HashMask is zero, use ActivePcr setting\r
+ // If PcdTpm2HashMask is zero, use ActivePcr setting.\r
+ // Only when PcdTpm2HashMask is initialized to 0, will it be updated to current Active Pcrs.\r
//\r
PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);\r
Tpm2PcrMask = TpmActivePcrBanks;\r
}\r
\r
- //\r
- // Find the intersection of Pcd support and TPM support.\r
- // If banks are missing from the TPM support that are in the PCD, update the PCD.\r
- // If banks are missing from the PCD that are active in the TPM, reallocate the banks and reboot.\r
- //\r
+ DEBUG ((DEBUG_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask));\r
\r
//\r
- // If there are active PCR banks that are not supported by the Platform mask,\r
- // update the TPM allocations and reboot the machine.\r
+ // The Active PCRs in the TPM need to be a strict subset of the hashing algorithms supported by BIOS.\r
//\r
- if ((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) {\r
- NewTpmActivePcrBanks = TpmActivePcrBanks & Tpm2PcrMask;\r
+ // * Find the intersection of Pcd support and TPM active PCRs. If banks are missing from the TPM support\r
+ // that are in the PCD, update the PCD.\r
+ // * Find intersection of TPM Active PCRs and BIOS supported algorithms. If there are active PCR banks\r
+ // that are not supported by the platform, update the TPM allocations and reboot.\r
+ // Note: When the HashLibBaseCryptoRouter solution is used, the hash algorithm support from BIOS is reported\r
+ // by Tcg2HashAlgorithmBitmap, which is populated by HashLib instances at runtime.\r
+ BiosHashAlgorithmBitmap = PcdGet32 (PcdTcg2HashAlgorithmBitmap);\r
+ DEBUG ((DEBUG_INFO, "Tcg2HashAlgorithmBitmap: 0x%08x\n", BiosHashAlgorithmBitmap));\r
+\r
+ if (((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) ||\r
+ ((TpmActivePcrBanks & BiosHashAlgorithmBitmap) != TpmActivePcrBanks))\r
+ {\r
+ DEBUG ((DEBUG_INFO, "TpmActivePcrBanks & Tpm2PcrMask = 0x%08x\n", (TpmActivePcrBanks & Tpm2PcrMask)));\r
+ DEBUG ((DEBUG_INFO, "TpmActivePcrBanks & BiosHashAlgorithmBitmap = 0x%08x\n", (TpmActivePcrBanks & BiosHashAlgorithmBitmap)));\r
+ NewTpmActivePcrBanks = TpmActivePcrBanks;\r
+ NewTpmActivePcrBanks &= Tpm2PcrMask;\r
+ NewTpmActivePcrBanks &= BiosHashAlgorithmBitmap;\r
+ DEBUG ((DEBUG_INFO, "NewTpmActivePcrBanks 0x%08x\n", NewTpmActivePcrBanks));\r
\r
DEBUG ((DEBUG_INFO, "%a - Reallocating PCR banks from 0x%X to 0x%X.\n", __FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks));\r
+\r
if (NewTpmActivePcrBanks == 0) {\r
DEBUG ((DEBUG_ERROR, "%a - No viable PCRs active! Please set a less restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));\r
ASSERT (FALSE);\r
} else {\r
+ DEBUG ((DEBUG_ERROR, "Tpm2PcrAllocateBanks (TpmHashAlgorithmBitmap: 0x%08x, NewTpmActivePcrBanks: 0x%08x)\n", TpmHashAlgorithmBitmap, NewTpmActivePcrBanks));\r
Status = Tpm2PcrAllocateBanks (NULL, (UINT32)TpmHashAlgorithmBitmap, NewTpmActivePcrBanks);\r
if (EFI_ERROR (Status)) {\r
//\r
}\r
\r
Status = PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask);\r
+ DEBUG ((DEBUG_ERROR, "Set PcdTpm2Hash Mask to 0x%08x\n", NewTpm2PcrMask));\r
ASSERT_EFI_ERROR (Status);\r
}\r
}\r
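Review bot: A zero value read from PcdTcg2HashAlgorithmBitmap is treated like any other mask, so if no HashLib instance has registered yet when this runs (the new comment says the PCD is populated at runtime) every active bank fails the `(TpmActivePcrBanks & BiosHashAlgorithmBitmap) != TpmActivePcrBanks` test, `NewTpmActivePcrBanks &= BiosHashAlgorithmBitmap` drives the result to 0, and the "No viable PCRs active" message blames PcdTpm2HashMask alone. Because this path changes the TPM's PCR bank allocation and reboots, the failure diagnostic should show both inputs, e.g. `DEBUG ((DEBUG_ERROR, "%a - No viable PCRs active! PcdTpm2HashMask=0x%08x PcdTcg2HashAlgorithmBitmap=0x%08x\n", __FUNCTION__, Tpm2PcrMask, BiosHashAlgorithmBitmap));`, and an `ASSERT (BiosHashAlgorithmBitmap != 0);` placed right after the PcdGet32 would catch the not-yet-populated case in DEBUG builds before any allocation is attempted. The two new traces `Tpm2PcrAllocateBanks (...)` and `Set PcdTpm2Hash Mask to ...` use DEBUG_ERROR although nothing has failed at that point; DEBUG_INFO matches the neighbouring traces. The function's closing brace is not within the hunk, and `NewTpm2PcrMask` is used without a visible declaration, so some lines appear to be missing from this view.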