SecurityPkg/TPM2: Sync PcrAllocations and PcrMask

Current TCG2 implementation will set Tpm2HashMask PCD value according to TPM2
PCR bank. However, there might be misconfiguration in BIOS build phase.
The enhanced logic makes sure that the current PCR allocations, the TPM
supported PCRs, and the PcdTpm2HashMask are all in agreement.

Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>

diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 3b36d0f5a77a0341b27e780d6a308071c463a66c..2ebd0a432124e0cb4057707a3289bcc4abfc8299 100644 (file)
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -74,6 +74,7 @@
   TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf\r
   TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf\r
   OpalPasswordSupportLib|SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.inf\r
+  ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSystemLibNull.inf\r
 \r
 [LibraryClasses.common.PEIM]\r
   PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf\r

diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index a72b8d9bda1f56077abcb53b826185e228d714f8..8bd5f2cfa507b4495775500268b6fd1b514f5185 100644 (file)
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -41,6 +41,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <Library/PerformanceLib.h>\r
 #include <Library/MemoryAllocationLib.h>\r
 #include <Library/ReportStatusCodeLib.h>\r
+#include <Library/ResetSystemLib.h>\r
 #include <Library/Tcg2PhysicalPresenceLib.h>\r
 \r
 #define PERF_ID_TCG2_PEI  0x3080\r
@@ -190,60 +191,80 @@ EndofPeiSignalNotifyCallBack (
 }\r
 \r
 /**\r
-  Set Tpm2HashMask PCD value according to TPM2 PCR bank.\r
+  Make sure that the current PCR allocations, the TPM supported PCRs,\r
+  and the PcdTpm2HashMask are all in agreement.\r
 **/\r
 VOID\r
-SetTpm2HashMask (\r
+SyncPcrAllocationsAndPcrMask (\r
   VOID\r
   )\r
 {\r
-  EFI_STATUS           Status;\r
-  UINT32               ActivePcrBanks;\r
-  TPML_PCR_SELECTION   Pcrs;\r
-  UINTN                Index;\r
+  EFI_STATUS                        Status;\r
+  EFI_TCG2_EVENT_ALGORITHM_BITMAP   TpmHashAlgorithmBitmap;\r
+  UINT32                            TpmActivePcrBanks;\r
+  UINT32                            NewTpmActivePcrBanks;\r
+  UINT32                            Tpm2PcrMask;\r
+  UINT32                            NewTpm2PcrMask;\r
 \r
-  DEBUG ((EFI_D_ERROR, "SetTpm2HashMask!\n"));\r
+  DEBUG ((EFI_D_ERROR, "SyncPcrAllocationsAndPcrMask!\n"));\r
 \r
-  Status = Tpm2GetCapabilityPcrs (&Pcrs);\r
-  if (EFI_ERROR (Status)) {\r
-    DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));\r
-    ActivePcrBanks = EFI_TCG2_BOOT_HASH_ALG_SHA1;\r
-  } else {\r
-    DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityPcrs Count - %08x\n", Pcrs.count));\r
-    ActivePcrBanks = 0;\r
-    for (Index = 0; Index < Pcrs.count; Index++) {\r
-      DEBUG ((EFI_D_INFO, "hash - %x\n", Pcrs.pcrSelections[Index].hash));\r
-      switch (Pcrs.pcrSelections[Index].hash) {\r
-      case TPM_ALG_SHA1:\r
-        if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {\r
-          ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA1;\r
-        }        \r
-        break;\r
-      case TPM_ALG_SHA256:\r
-        if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {\r
-          ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA256;\r
-        }\r
-        break;\r
-      case TPM_ALG_SHA384:\r
-        if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {\r
-          ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA384;\r
-        }\r
-        break;\r
-      case TPM_ALG_SHA512:\r
-        if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {\r
-          ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SHA512;\r
-        }\r
-        break;\r
-      case TPM_ALG_SM3_256:\r
-        if (!IsZeroBuffer (Pcrs.pcrSelections[Index].pcrSelect, Pcrs.pcrSelections[Index].sizeofSelect)) {\r
-          ActivePcrBanks |= EFI_TCG2_BOOT_HASH_ALG_SM3_256;\r
-        }\r
-        break;\r
+  //\r
+  // Determine the current TPM support and the Platform PCR mask.\r
+  //\r
+  Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);\r
+  ASSERT_EFI_ERROR (Status);\r
+\r
+  Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask);\r
+\r
+  //\r
+  // Find the intersection of Pcd support and TPM support.\r
+  // If banks are missing from the TPM support that are in the PCD, update the PCD.\r
+  // If banks are missing from the PCD that are active in the TPM, reallocate the banks and reboot.\r
+  //\r
+\r
+  //\r
+  // If there are active PCR banks that are not supported by the Platform mask,\r
+  // update the TPM allocations and reboot the machine.\r
+  //\r
+  if ((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) {\r
+    NewTpmActivePcrBanks = TpmActivePcrBanks & Tpm2PcrMask;\r
+\r
+    DEBUG ((EFI_D_INFO, __FUNCTION__" - Reallocating PCR banks from 0x%X to 0x%X.\n", TpmActivePcrBanks, NewTpmActivePcrBanks ));\r
+    if (NewTpmActivePcrBanks == 0) {\r
+      DEBUG ((EFI_D_ERROR, __FUNCTION__" - No viable PCRs active! Please set a less restrictive value for PcdTpm2HashMask!\n"));\r
+      ASSERT (FALSE);\r
+    } else {\r
+      Status = Tpm2PcrAllocateBanks (NULL, (UINT32)TpmHashAlgorithmBitmap, NewTpmActivePcrBanks);\r
+      if (EFI_ERROR (Status)) {\r
+        //\r
+        // We can't do much here, but we hope that this doesn't happen.\r
+        //\r
+        DEBUG ((EFI_D_ERROR, __FUNCTION__" - Failed to reallocate PCRs!\n"));\r
+        ASSERT_EFI_ERROR (Status);\r
       }\r
+      //\r
+      // Need reset system, since we just called Tpm2PcrAllocateBanks().\r
+      //\r
+      ResetCold();\r
     }\r
   }\r
-  Status = PcdSet32S (PcdTpm2HashMask, ActivePcrBanks);\r
-  ASSERT_EFI_ERROR (Status);\r
+\r
+  //\r
+  // If there are any PCRs that claim support in the Platform mask that are\r
+  // not supported by the TPM, update the mask.\r
+  //\r
+  if ((Tpm2PcrMask & TpmHashAlgorithmBitmap) != Tpm2PcrMask) {\r
+    NewTpm2PcrMask = Tpm2PcrMask & TpmHashAlgorithmBitmap;\r
+\r
+    DEBUG ((EFI_D_INFO, __FUNCTION__" - Updating PcdTpm2HashMask from 0x%X to 0x%X.\n", Tpm2PcrMask, NewTpm2PcrMask ));\r
+    if (NewTpm2PcrMask == 0) {\r
+      DEBUG ((EFI_D_ERROR, __FUNCTION__" - No viable PCRs supported! Please set a less restrictive value for PcdTpm2HashMask!\n"));\r
+      ASSERT (FALSE);\r
+    }\r
+\r
+    Status = PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask);\r
+    ASSERT_EFI_ERROR (Status);\r
+  }\r
 }\r
 \r
 /**\r
@@ -767,7 +788,7 @@ PeimEntryMA (
     //\r
     // Update Tpm2HashMask according to PCR bank.\r
     //\r
-    SetTpm2HashMask ();\r
+    SyncPcrAllocationsAndPcrMask ();\r
 \r
     if (S3ErrorReport) {\r
       //\r

diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
index 007ce918eda9132ccf60b61f60752b528c5764aa..3477d8206a8b9acfa99087f90f926980977cdb69 100644 (file)
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
@@ -3,7 +3,7 @@
 #\r
 #  This module will initialize TPM device, measure reported FVs and BIOS version.\r
 #\r
-# Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>\r
+# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>\r
 # This program and the accompanying materials\r
 # are licensed and made available under the terms and conditions of the BSD License\r
 # which accompanies this distribution. The full text of the license may be found at\r
@@ -53,6 +53,7 @@
   MemoryAllocationLib\r
   ReportStatusCodeLib\r
   Tcg2PhysicalPresenceLib\r
+  ResetSystemLib\r
 \r
 [Guids]\r
   gTcgEventEntryHobGuid                                                ## PRODUCES               ## HOB\r