[edk2] [PATCH 0/1] Refine casting expression result to bigger size

2017-01-21 Thread Hao Wu 
Please note that this patch is maily for feedback collection and the patch
only covers MdePkg. We are working on patches for other packages.


There are cases that the operands of an expression are all with rank less
than UINT64/INT64 and the result of the expression is casted to
UINT64/INT64 to fit the target size.

An example will be:
UINT32 a,b;
// a and b can be any unsigned int type with rank less than UINT64, like
// UINT8, UINT16, etc.
UINT64 c;
c = (UINT64) (a + b);

Some static code checkers may warn that the expression result might
overflow within the rank of int (integer promotions) and the result is
then cast to a bigger size.

For the consideration of generated binaries size, the commit will keep the
size of the operands as the size of int, and explitly add a type cast
before converting the result to UINT64/INT64.

1). When there is no operand with type UINTN
(UINTN)  (a + b) -> (UINTN)(UINT32)  (a + b) or
(UINT64) (a + b) -> (UINT64)(UINT32) (a + b)

2). Otherwise
(UINT64) (a + b) -> (UINT64)(UINTN)  (a + b)

Hao Wu (1):
  MdePkg: Refine casting expression result to bigger size

 MdePkg/Library/BaseLib/String.c  | 4 ++--
 MdePkg/Library/BasePeCoffLib/BasePeCoff.c| 4 ++--
 MdePkg/Library/BaseS3PciLib/S3PciLib.c   | 4 ++--
 MdePkg/Library/SmmMemoryAllocationLib/MemoryAllocationLib.c  | 4 ++--
 MdePkg/Library/UefiMemoryAllocationLib/MemoryAllocationLib.c | 4 ++--
 5 files changed, 10 insertions(+), 10 deletions(-)

-- 
1.9.5.msysgit.0

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [patch] NetworkPkg: Fix protocol handler service in HttpDxe.

2017-01-21 Thread Subramanian, Sriram 
Reviewed-by: Sriram Subramanian 
Tested-by: Sriram Subramanian 

-Original Message-
From: Zhang Lubo [mailto:lubo.zh...@intel.com] 
Sent: Sunday, January 22, 2017 7:11 AM
To: edk2-devel@lists.01.org
Cc: Subramanian, Sriram ; Ye Ting ; Fu 
Siyuan ; Wu Jiaxin 
Subject: [patch] NetworkPkg: Fix protocol handler service in HttpDxe.

When we create a HTTP driver service binding private
instance, there may be different DriverBindingHandle
for Ipv4 or Ipv6, so it is essential to distinguish
the HttpService image which will be used in open
protocol or close protocol.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo 
Cc: Sriram Subramanian 
Cc: Ye Ting 
Cc: Fu Siyuan 
Cc: Wu Jiaxin 
---
 NetworkPkg/HttpDxe/HttpDns.c| 18 
 NetworkPkg/HttpDxe/HttpDriver.c | 21 +-
 NetworkPkg/HttpDxe/HttpImpl.c   | 11 --
 NetworkPkg/HttpDxe/HttpProto.c  | 48 -
 NetworkPkg/HttpDxe/HttpProto.h  |  5 +++--
 5 files changed, 55 insertions(+), 48 deletions(-)

diff --git a/NetworkPkg/HttpDxe/HttpDns.c b/NetworkPkg/HttpDxe/HttpDns.c
index 0f5fe18..59cd7b3 100644
--- a/NetworkPkg/HttpDxe/HttpDns.c
+++ b/NetworkPkg/HttpDxe/HttpDns.c
@@ -1,9 +1,9 @@
 /** @file
   Routines for HttpDxe driver to perform DNS resolution based on UEFI DNS 
protocols.
 
-Copyright (c) 2015, Intel Corporation. All rights reserved.
+Copyright (c) 2017, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -86,11 +86,11 @@ HttpDns4 (
   //
   // Create a DNS child instance and get the protocol.
   //
   Status = NetLibCreateServiceChild (
  Service->ControllerHandle,
- Service->ImageHandle,
+ Service->Ip4DriverBindingHandle,
  ,
  
  );
   if (EFI_ERROR (Status)) {
 goto Exit;
@@ -98,11 +98,11 @@ HttpDns4 (
 
   Status = gBS->OpenProtocol (
   Dns4Handle,
   ,
   (VOID **) ,
-  Service->ImageHandle,
+  Service->Ip4DriverBindingHandle,
   Service->ControllerHandle,
   EFI_OPEN_PROTOCOL_BY_DRIVER
   );
   if (EFI_ERROR (Status)) {
 goto Exit;
@@ -194,19 +194,19 @@ Exit:
 Dns4->Configure (Dns4, NULL);
 
 gBS->CloseProtocol (
Dns4Handle,
,
-   Service->ImageHandle,
+   Service->Ip4DriverBindingHandle,
Service->ControllerHandle
);
   }
 
   if (Dns4Handle != NULL) {
 NetLibDestroyServiceChild (
   Service->ControllerHandle,
-  Service->ImageHandle,
+  Service->Ip4DriverBindingHandle,
   ,
   Dns4Handle
   );
   }
 
@@ -288,11 +288,11 @@ HttpDns6 (
   //
   // Create a DNSv6 child instance and get the protocol.
   //
   Status = NetLibCreateServiceChild (
  Service->ControllerHandle,
- Service->ImageHandle,
+ Service->Ip6DriverBindingHandle,
  ,
  
  );
   if (EFI_ERROR (Status)) {
 goto Exit;
@@ -300,11 +300,11 @@ HttpDns6 (
   
   Status = gBS->OpenProtocol (
   Dns6Handle,
   ,
   (VOID **) ,
-  Service->ImageHandle,
+  Service->Ip6DriverBindingHandle,
   Service->ControllerHandle,
   EFI_OPEN_PROTOCOL_BY_DRIVER
   );
   if (EFI_ERROR (Status)) {
 goto Exit;
@@ -391,19 +391,19 @@ Exit:
 Dns6->Configure (Dns6, NULL);
 
 gBS->CloseProtocol (
Dns6Handle,
,
-   Service->ImageHandle,
+   Service->Ip6DriverBindingHandle,
Service->ControllerHandle
);
   }
 
   if (Dns6Handle != NULL) {
 NetLibDestroyServiceChild (
   Service->ControllerHandle,
-  Service->ImageHandle,
+  Service->Ip6DriverBindingHandle,
   ,
   Dns6Handle
   );
   }
 
diff --git a/NetworkPkg/HttpDxe/HttpDriver.c b/NetworkPkg/HttpDxe/HttpDriver.c
index de27635..5727526 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.c
+++ b/NetworkPkg/HttpDxe/HttpDriver.c
@@ -1,9 +1,9 @@
 /** @file
   The driver binding and service binding protocol for HttpDxe driver.
 
-  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
+  Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
   (C) Copyright 2016 Hewlett Packard Enterprise Development LP
 
   This program and the accompanying materials
   are licensed and

Re: [edk2] [Patch] Nt32Pkg FDF: Move StatusCode Handler run earlier in DXE phase

2017-01-21 Thread Ni, Ruiyu 
Reviewed-by: Ruiyu Ni 

Thanks/Ray

> -Original Message-
> From: Gao, Liming
> Sent: Friday, January 20, 2017 5:29 PM
> To: edk2-devel@lists.01.org
> Cc: Ni, Ruiyu 
> Subject: [Patch] Nt32Pkg FDF: Move StatusCode Handler run earlier in DXE
> phase
> 
> Add StatusCode Handler into APRIORI DXE so that they can run early, then
> more DEBUG message can print.
> 
> Cc: Ruiyu Ni 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Liming Gao 
> ---
>  Nt32Pkg/Nt32Pkg.fdf | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/Nt32Pkg/Nt32Pkg.fdf b/Nt32Pkg/Nt32Pkg.fdf index
> c198d73..4b5e03f 100644
> --- a/Nt32Pkg/Nt32Pkg.fdf
> +++ b/Nt32Pkg/Nt32Pkg.fdf
> @@ -171,6 +171,9 @@ APRIORI DXE {
>INF  MdeModulePkg/Universal/DevicePathDxe/DevicePathDxe.inf
>INF  MdeModulePkg/Universal/PCD/Dxe/Pcd.inf
>INF  Nt32Pkg/MetronomeDxe/MetronomeDxe.inf
> +  INF
> +
> MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportSt
> atusC
> + odeRouterRuntimeDxe.inf  INF
> +
> MdeModulePkg/Universal/StatusCodeHandler/RuntimeDxe/StatusCodeHan
> dlerR
> + untimeDxe.inf  INF
> +
> Nt32Pkg/WinNtOemHookStatusCodeHandlerDxe/WinNtOemHookStatusCod
> eHandler
> + Dxe.inf
>}
> 
>  INF  MdeModulePkg/Core/Pei/PeiMain.inf
> --
> 2.8.0.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [PATCH V3] MdeModulePkg: Variable: Update PCR[7] measure for new TCG spec

2017-01-21 Thread Zeng, Star 
Reviewed-by: Star Zeng 

Thanks,
Star
-Original Message-
From: Zhang, Chao B 
Sent: Sunday, January 22, 2017 12:54 PM
To: edk2-devel@lists.01.org
Cc: Yao, Jiewen ; Zeng, Star ; 
Zhang, Chao B 
Subject: [PATCH V3] MdeModulePkg: Variable: Update PCR[7] measure for new TCG 
spec

Measure DBT into PCR[7] when it is updated between initial measure and 
ExitBootService. Measure "SecureBoot" change after PK update.
Spec version : TCG PC Client PFP 00.37. 
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang 
---
 .../Universal/Variable/RuntimeDxe/Measurement.c| 82 +-
 .../Universal/Variable/RuntimeDxe/VariableDxe.c| 19 -
 .../Variable/RuntimeDxe/VariableRuntimeDxe.inf | 10 ++-
 .../Variable/RuntimeDxe/VariableSmmRuntimeDxe.c| 19 -
 .../Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf  |  7 +-
 5 files changed, 128 insertions(+), 9 deletions(-)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
index 2f92fae..309521f 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
@@ -1,7 +1,7 @@
 /** @file
   Measure TrEE required variable.
 
-Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.
 This program and the accompanying materials  are licensed and made available 
under the terms and conditions of the BSD License  which accompanies this 
distribution.  The full text of the license may be found at @@ -36,8 +36,16 @@ 
VARIABLE_TYPE  mVariableType[] = {
   {EFI_KEY_EXCHANGE_KEY_NAME,},
   {EFI_IMAGE_SECURITY_DATABASE,  },
   {EFI_IMAGE_SECURITY_DATABASE1, },
+  {EFI_IMAGE_SECURITY_DATABASE2, },
 };
 
+//
+// "SecureBoot" may update following PK Del/Add //  Cache its value to 
+detect value update //
+UINT8   *mSecureBootVarData= NULL;
+UINTN   mSecureBootVarDataSize = 0;
+
 /**
   This function will return if this variable is SecureBootPolicy Variable.
 
@@ -251,5 +259,77 @@ SecureBootHook (
 FreePool (VariableData);
   }
 
+  //
+  // "SecureBoot" is 8bit & read-only. It can only be changed according 
+ to PK update  //  if ((StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 
+ 0) &&
+   CompareGuid (VendorGuid, )) {
+ Status = InternalGetVariable (
+EFI_SECURE_BOOT_MODE_NAME,
+,
+,
+
+);
+ if (EFI_ERROR (Status)) {
+   return;
+ }
+
+ //
+ // If PK update is successful. "SecureBoot" shall always exist ever since 
variable write service is ready
+ //
+ ASSERT(mSecureBootVarData != NULL);
+
+ if (CompareMem(mSecureBootVarData, VariableData, VariableDataSize) != 0) {
+   FreePool(mSecureBootVarData);
+   mSecureBootVarData = VariableData;
+   mSecureBootVarDataSize = VariableDataSize;
+
+   DEBUG((DEBUG_INFO, "%s variable updated according to PK change. 
Remeasure the value!\n", EFI_SECURE_BOOT_MODE_NAME));
+   Status = MeasureVariable (
+  EFI_SECURE_BOOT_MODE_NAME,
+  ,
+  mSecureBootVarData,
+  mSecureBootVarDataSize
+  );
+   DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));
+ } else {
+   //
+   // "SecureBoot" variable is not changed
+   //
+   FreePool(VariableData);
+ }
+  }
+
   return ;
 }
+
+/**
+  Some Secure Boot Policy Variable may update following other variable 
changes(SecureBoot follows PK change, etc).
+  Record their initial State when variable write service is ready.
+
+**/
+VOID
+EFIAPI
+RecordSecureBootPolicyVarData(
+  VOID
+  )
+{
+  EFI_STATUS Status;
+
+  //
+  // Record initial "SecureBoot" variable value.
+  // It is used to detect SecureBoot variable change in SecureBootHook.
+  //
+  Status = InternalGetVariable (
+ EFI_SECURE_BOOT_MODE_NAME,
+ ,
+ (VOID **),
+ 
+ );
+  if (EFI_ERROR(Status)) {
+//
+// Read could fail when Auth Variable solution is not supported
+//
+DEBUG((DEBUG_INFO, "RecordSecureBootPolicyVarData GetVariable %s 
+Status %x\n", EFI_SECURE_BOOT_MODE_NAME, Status));
+  }
+}
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
index 3d3cd24..fe1b2b5 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
@@ -3,7 +3,7 @@
   and volatile storage space and

Re: [edk2] [PATCH V3] MdeModulePkg: Variable: Update PCR[7] measure for new TCG spec

2017-01-21 Thread Yao, Jiewen 
Reviewed-by: jiewen@intel.com

> -Original Message-
> From: Zhang, Chao B
> Sent: Sunday, January 22, 2017 12:54 PM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen ; Zeng, Star ;
> Zhang, Chao B 
> Subject: [PATCH V3] MdeModulePkg: Variable: Update PCR[7] measure for new
> TCG spec
> 
> Measure DBT into PCR[7] when it is updated between initial measure and
> ExitBootService. Measure "SecureBoot" change after PK update.
> Spec version : TCG PC Client PFP 00.37.
> http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific
> _Platform_Profile_for_TPM_2p0_Systems_v21.pdf
> 
> Cc: Star Zeng 
> Cc: Yao Jiewen 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Chao Zhang 
> ---
>  .../Universal/Variable/RuntimeDxe/Measurement.c| 82
> +-
>  .../Universal/Variable/RuntimeDxe/VariableDxe.c| 19 -
>  .../Variable/RuntimeDxe/VariableRuntimeDxe.inf | 10 ++-
>  .../Variable/RuntimeDxe/VariableSmmRuntimeDxe.c| 19 -
>  .../Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf  |  7 +-
>  5 files changed, 128 insertions(+), 9 deletions(-)
> 
> diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
> b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
> index 2f92fae..309521f 100644
> --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
> +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
> @@ -1,7 +1,7 @@
>  /** @file
>Measure TrEE required variable.
> 
> -Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
> +Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
>  which accompanies this distribution.  The full text of the license may be 
> found
> at
> @@ -36,8 +36,16 @@ VARIABLE_TYPE  mVariableType[] = {
>{EFI_KEY_EXCHANGE_KEY_NAME,},
>{EFI_IMAGE_SECURITY_DATABASE,  },
>{EFI_IMAGE_SECURITY_DATABASE1, },
> +  {EFI_IMAGE_SECURITY_DATABASE2, },
>  };
> 
> +//
> +// "SecureBoot" may update following PK Del/Add
> +//  Cache its value to detect value update
> +//
> +UINT8   *mSecureBootVarData= NULL;
> +UINTN   mSecureBootVarDataSize = 0;
> +
>  /**
>This function will return if this variable is SecureBootPolicy Variable.
> 
> @@ -251,5 +259,77 @@ SecureBootHook (
>  FreePool (VariableData);
>}
> 
> +  //
> +  // "SecureBoot" is 8bit & read-only. It can only be changed according to PK
> update
> +  //
> +  if ((StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0) &&
> +   CompareGuid (VendorGuid, )) {
> + Status = InternalGetVariable (
> +EFI_SECURE_BOOT_MODE_NAME,
> +,
> +,
> +
> +);
> + if (EFI_ERROR (Status)) {
> +   return;
> + }
> +
> + //
> + // If PK update is successful. "SecureBoot" shall always exist ever 
> since
> variable write service is ready
> + //
> + ASSERT(mSecureBootVarData != NULL);
> +
> + if (CompareMem(mSecureBootVarData, VariableData,
> VariableDataSize) != 0) {
> +   FreePool(mSecureBootVarData);
> +   mSecureBootVarData = VariableData;
> +   mSecureBootVarDataSize = VariableDataSize;
> +
> +   DEBUG((DEBUG_INFO, "%s variable updated according to PK change.
> Remeasure the value!\n", EFI_SECURE_BOOT_MODE_NAME));
> +   Status = MeasureVariable (
> +  EFI_SECURE_BOOT_MODE_NAME,
> +  ,
> +  mSecureBootVarData,
> +  mSecureBootVarDataSize
> +  );
> +   DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));
> + } else {
> +   //
> +   // "SecureBoot" variable is not changed
> +   //
> +   FreePool(VariableData);
> + }
> +  }
> +
>return ;
>  }
> +
> +/**
> +  Some Secure Boot Policy Variable may update following other variable
> changes(SecureBoot follows PK change, etc).
> +  Record their initial State when variable write service is ready.
> +
> +**/
> +VOID
> +EFIAPI
> +RecordSecureBootPolicyVarData(
> +  VOID
> +  )
> +{
> +  EFI_STATUS Status;
> +
> +  //
> +  // Record initial "SecureBoot" variable value.
> +  // It is used to detect SecureBoot variable change in SecureBootHook.
> +  //
> +  Status = InternalGetVariable (
> + EFI_SECURE_BOOT_MODE_NAME,
> + ,
> + (VOID **),
> + 
> + );
> +  if (EFI_ERROR(Status)) {
> +//
> +// Read could fail when Auth Variable solution is not supported
> +//
> +DEBUG((DEBUG_INFO, "RecordSecureBootPolicyVarData GetVariable %s
> Status %x\n", EFI_SECURE_BOOT_MODE_NAME, Status));
> +  }
> +}
> diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
>

[edk2] [PATCH V3] MdeModulePkg: Variable: Update PCR[7] measure for new TCG spec

2017-01-21 Thread Zhang, Chao B 
Measure DBT into PCR[7] when it is updated between initial measure and
ExitBootService. Measure "SecureBoot" change after PK update.
Spec version : TCG PC Client PFP 00.37. 
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang 
---
 .../Universal/Variable/RuntimeDxe/Measurement.c| 82 +-
 .../Universal/Variable/RuntimeDxe/VariableDxe.c| 19 -
 .../Variable/RuntimeDxe/VariableRuntimeDxe.inf | 10 ++-
 .../Variable/RuntimeDxe/VariableSmmRuntimeDxe.c| 19 -
 .../Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf  |  7 +-
 5 files changed, 128 insertions(+), 9 deletions(-)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
index 2f92fae..309521f 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
@@ -1,7 +1,7 @@
 /** @file
   Measure TrEE required variable.
 
-Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
@@ -36,8 +36,16 @@ VARIABLE_TYPE  mVariableType[] = {
   {EFI_KEY_EXCHANGE_KEY_NAME,},
   {EFI_IMAGE_SECURITY_DATABASE,  },
   {EFI_IMAGE_SECURITY_DATABASE1, },
+  {EFI_IMAGE_SECURITY_DATABASE2, },
 };
 
+//
+// "SecureBoot" may update following PK Del/Add
+//  Cache its value to detect value update
+//
+UINT8   *mSecureBootVarData= NULL;
+UINTN   mSecureBootVarDataSize = 0;
+
 /**
   This function will return if this variable is SecureBootPolicy Variable.
 
@@ -251,5 +259,77 @@ SecureBootHook (
 FreePool (VariableData);
   }
 
+  //
+  // "SecureBoot" is 8bit & read-only. It can only be changed according to PK 
update
+  //
+  if ((StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0) &&
+   CompareGuid (VendorGuid, )) {
+ Status = InternalGetVariable (
+EFI_SECURE_BOOT_MODE_NAME,
+,
+,
+
+);
+ if (EFI_ERROR (Status)) {
+   return;
+ }
+
+ //
+ // If PK update is successful. "SecureBoot" shall always exist ever since 
variable write service is ready
+ //
+ ASSERT(mSecureBootVarData != NULL);
+
+ if (CompareMem(mSecureBootVarData, VariableData, VariableDataSize) != 0) {
+   FreePool(mSecureBootVarData);
+   mSecureBootVarData = VariableData;
+   mSecureBootVarDataSize = VariableDataSize;
+
+   DEBUG((DEBUG_INFO, "%s variable updated according to PK change. 
Remeasure the value!\n", EFI_SECURE_BOOT_MODE_NAME));
+   Status = MeasureVariable (
+  EFI_SECURE_BOOT_MODE_NAME,
+  ,
+  mSecureBootVarData,
+  mSecureBootVarDataSize
+  );
+   DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));
+ } else {
+   //
+   // "SecureBoot" variable is not changed
+   //
+   FreePool(VariableData);
+ }
+  }
+
   return ;
 }
+
+/**
+  Some Secure Boot Policy Variable may update following other variable 
changes(SecureBoot follows PK change, etc).
+  Record their initial State when variable write service is ready.
+
+**/
+VOID
+EFIAPI
+RecordSecureBootPolicyVarData(
+  VOID
+  )
+{
+  EFI_STATUS Status;
+
+  //
+  // Record initial "SecureBoot" variable value.
+  // It is used to detect SecureBoot variable change in SecureBootHook.
+  //
+  Status = InternalGetVariable (
+ EFI_SECURE_BOOT_MODE_NAME,
+ ,
+ (VOID **),
+ 
+ );
+  if (EFI_ERROR(Status)) {
+//
+// Read could fail when Auth Variable solution is not supported
+//
+DEBUG((DEBUG_INFO, "RecordSecureBootPolicyVarData GetVariable %s Status 
%x\n", EFI_SECURE_BOOT_MODE_NAME, Status));
+  }
+}
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
index 3d3cd24..fe1b2b5 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
@@ -3,7 +3,7 @@
   and volatile storage space and install variable architecture protocol.
 
 Copyright (C) 2013, Red Hat, Inc.
-Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved.
+Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.
 (C) Copyright 2015 Hewlett Packard Enterprise Development LP
 This program and the accompanying materials
 are licensed and made available under the terms and

[edk2] [PATCH] MdeModulePkg: Variable: Update PCR[7] measure for new TCG spec

2017-01-21 Thread Zhang, Chao B 
Measure DBT into PCR[7] when it is updated between initial measure and
ExitBootService. Measure "SecureBoot" change after PK update.
Spec version : TCG PC Client PFP 00.37. 
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang 
---
 .../Universal/Variable/RuntimeDxe/Measurement.c| 82 +-
 .../Universal/Variable/RuntimeDxe/VariableDxe.c| 19 -
 .../Variable/RuntimeDxe/VariableRuntimeDxe.inf | 10 ++-
 .../Variable/RuntimeDxe/VariableSmmRuntimeDxe.c| 19 -
 .../Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf  |  7 +-
 5 files changed, 128 insertions(+), 9 deletions(-)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
index 2f92fae..309521f 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
@@ -1,7 +1,7 @@
 /** @file
   Measure TrEE required variable.
 
-Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
@@ -36,8 +36,16 @@ VARIABLE_TYPE  mVariableType[] = {
   {EFI_KEY_EXCHANGE_KEY_NAME,},
   {EFI_IMAGE_SECURITY_DATABASE,  },
   {EFI_IMAGE_SECURITY_DATABASE1, },
+  {EFI_IMAGE_SECURITY_DATABASE2, },
 };
 
+//
+// "SecureBoot" may update following PK Del/Add
+//  Cache its value to detect value update
+//
+UINT8   *mSecureBootVarData= NULL;
+UINTN   mSecureBootVarDataSize = 0;
+
 /**
   This function will return if this variable is SecureBootPolicy Variable.
 
@@ -251,5 +259,77 @@ SecureBootHook (
 FreePool (VariableData);
   }
 
+  //
+  // "SecureBoot" is 8bit & read-only. It can only be changed according to PK 
update
+  //
+  if ((StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0) &&
+   CompareGuid (VendorGuid, )) {
+ Status = InternalGetVariable (
+EFI_SECURE_BOOT_MODE_NAME,
+,
+,
+
+);
+ if (EFI_ERROR (Status)) {
+   return;
+ }
+
+ //
+ // If PK update is successful. "SecureBoot" shall always exist ever since 
variable write service is ready
+ //
+ ASSERT(mSecureBootVarData != NULL);
+
+ if (CompareMem(mSecureBootVarData, VariableData, VariableDataSize) != 0) {
+   FreePool(mSecureBootVarData);
+   mSecureBootVarData = VariableData;
+   mSecureBootVarDataSize = VariableDataSize;
+
+   DEBUG((DEBUG_INFO, "%s variable updated according to PK change. 
Remeasure the value!\n", EFI_SECURE_BOOT_MODE_NAME));
+   Status = MeasureVariable (
+  EFI_SECURE_BOOT_MODE_NAME,
+  ,
+  mSecureBootVarData,
+  mSecureBootVarDataSize
+  );
+   DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));
+ } else {
+   //
+   // "SecureBoot" variable is not changed
+   //
+   FreePool(VariableData);
+ }
+  }
+
   return ;
 }
+
+/**
+  Some Secure Boot Policy Variable may update following other variable 
changes(SecureBoot follows PK change, etc).
+  Record their initial State when variable write service is ready.
+
+**/
+VOID
+EFIAPI
+RecordSecureBootPolicyVarData(
+  VOID
+  )
+{
+  EFI_STATUS Status;
+
+  //
+  // Record initial "SecureBoot" variable value.
+  // It is used to detect SecureBoot variable change in SecureBootHook.
+  //
+  Status = InternalGetVariable (
+ EFI_SECURE_BOOT_MODE_NAME,
+ ,
+ (VOID **),
+ 
+ );
+  if (EFI_ERROR(Status)) {
+//
+// Read could fail when Auth Variable solution is not supported
+//
+DEBUG((DEBUG_INFO, "RecordSecureBootPolicyVarData GetVariable %s Status 
%x\n", EFI_SECURE_BOOT_MODE_NAME, Status));
+  }
+}
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
index 3d3cd24..fe1b2b5 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
@@ -3,7 +3,7 @@
   and volatile storage space and install variable architecture protocol.
 
 Copyright (C) 2013, Red Hat, Inc.
-Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved.
+Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.
 (C) Copyright 2015 Hewlett Packard Enterprise Development LP
 This program and the accompanying materials
 are licensed and made available under the terms and

Re: [edk2] [patch] NetworkPkg: Fix protocol handler service in HttpDxe.

2017-01-21 Thread Fu, Siyuan 
Reviewed-by: Fu Siyuan 


-Original Message-
From: Zhang, Lubo 
Sent: 2017年1月22日 9:41
To: edk2-devel@lists.01.org
Cc: Sriram Subramanian ; Ye, Ting ; Fu, 
Siyuan ; Wu, Jiaxin 
Subject: [patch] NetworkPkg: Fix protocol handler service in HttpDxe.

When we create a HTTP driver service binding private instance, there may be 
different DriverBindingHandle for Ipv4 or Ipv6, so it is essential to 
distinguish the HttpService image which will be used in open protocol or close 
protocol.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo 
Cc: Sriram Subramanian 
Cc: Ye Ting 
Cc: Fu Siyuan 
Cc: Wu Jiaxin 
---
 NetworkPkg/HttpDxe/HttpDns.c| 18 
 NetworkPkg/HttpDxe/HttpDriver.c | 21 +-
 NetworkPkg/HttpDxe/HttpImpl.c   | 11 --
 NetworkPkg/HttpDxe/HttpProto.c  | 48 -
 NetworkPkg/HttpDxe/HttpProto.h  |  5 +++--
 5 files changed, 55 insertions(+), 48 deletions(-)

diff --git a/NetworkPkg/HttpDxe/HttpDns.c b/NetworkPkg/HttpDxe/HttpDns.c index 
0f5fe18..59cd7b3 100644
--- a/NetworkPkg/HttpDxe/HttpDns.c
+++ b/NetworkPkg/HttpDxe/HttpDns.c
@@ -1,9 +1,9 @@
 /** @file
   Routines for HttpDxe driver to perform DNS resolution based on UEFI DNS 
protocols.
 
-Copyright (c) 2015, Intel Corporation. All rights reserved.
+Copyright (c) 2017, Intel Corporation. All rights reserved.
 This program and the accompanying materials  are licensed and made available 
under the terms and conditions of the BSD License  which accompanies this 
distribution.  The full text of the license may be found at  
http://opensource.org/licenses/bsd-license.php
 
@@ -86,11 +86,11 @@ HttpDns4 (
   //
   // Create a DNS child instance and get the protocol.
   //
   Status = NetLibCreateServiceChild (
  Service->ControllerHandle,
- Service->ImageHandle,
+ Service->Ip4DriverBindingHandle,
  ,
  
  );
   if (EFI_ERROR (Status)) {
 goto Exit;
@@ -98,11 +98,11 @@ HttpDns4 (
 
   Status = gBS->OpenProtocol (
   Dns4Handle,
   ,
   (VOID **) ,
-  Service->ImageHandle,
+  Service->Ip4DriverBindingHandle,
   Service->ControllerHandle,
   EFI_OPEN_PROTOCOL_BY_DRIVER
   );
   if (EFI_ERROR (Status)) {
 goto Exit;
@@ -194,19 +194,19 @@ Exit:
 Dns4->Configure (Dns4, NULL);
 
 gBS->CloseProtocol (
Dns4Handle,
,
-   Service->ImageHandle,
+   Service->Ip4DriverBindingHandle,
Service->ControllerHandle
);
   }
 
   if (Dns4Handle != NULL) {
 NetLibDestroyServiceChild (
   Service->ControllerHandle,
-  Service->ImageHandle,
+  Service->Ip4DriverBindingHandle,
   ,
   Dns4Handle
   );
   }
 
@@ -288,11 +288,11 @@ HttpDns6 (
   //
   // Create a DNSv6 child instance and get the protocol.
   //
   Status = NetLibCreateServiceChild (
  Service->ControllerHandle,
- Service->ImageHandle,
+ Service->Ip6DriverBindingHandle,
  ,
  
  );
   if (EFI_ERROR (Status)) {
 goto Exit;
@@ -300,11 +300,11 @@ HttpDns6 (
   
   Status = gBS->OpenProtocol (
   Dns6Handle,
   ,
   (VOID **) ,
-  Service->ImageHandle,
+  Service->Ip6DriverBindingHandle,
   Service->ControllerHandle,
   EFI_OPEN_PROTOCOL_BY_DRIVER
   );
   if (EFI_ERROR (Status)) {
 goto Exit;
@@ -391,19 +391,19 @@ Exit:
 Dns6->Configure (Dns6, NULL);
 
 gBS->CloseProtocol (
Dns6Handle,
,
-   Service->ImageHandle,
+   Service->Ip6DriverBindingHandle,
Service->ControllerHandle
);
   }
 
   if (Dns6Handle != NULL) {
 NetLibDestroyServiceChild (
   Service->ControllerHandle,
-  Service->ImageHandle,
+  Service->Ip6DriverBindingHandle,
   ,
   Dns6Handle
   );
   }
 
diff --git a/NetworkPkg/HttpDxe/HttpDriver.c b/NetworkPkg/HttpDxe/HttpDriver.c 
index de27635..5727526 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.c
+++ b/NetworkPkg/HttpDxe/HttpDriver.c
@@ -1,9 +1,9 @@
 /** @file
   The driver binding and service binding protocol for HttpDxe driver.
 
-  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
+  Copyright (c) 2015 - 2017, Intel Corporation. All rights 
+ reserved.
   (C) Copyright 2016 Hewlett Packard Enterprise Development LP
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD 
License
   which accompanies

[edk2] [Patch] BaseTools: Convert incomplete expression with dangling while()

2017-01-21 Thread Yonghong Zhu 
From: Nikolai SAOUKH  

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Nikolai SAOUKH  
Reviewed-by: Yonghong Zhu 
---
 BaseTools/Source/C/VfrCompile/VfrSyntax.g | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/BaseTools/Source/C/VfrCompile/VfrSyntax.g 
b/BaseTools/Source/C/VfrCompile/VfrSyntax.g
index 4b42d3c..406dbc5 100644
--- a/BaseTools/Source/C/VfrCompile/VfrSyntax.g
+++ b/BaseTools/Source/C/VfrCompile/VfrSyntax.g
@@ -1,9 +1,9 @@
 /*++ @file
 Vfr Syntax
 
-Copyright (c) 2004 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2004 - 2017, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -31,12 +31,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 #include "DLexerBase.h"
 #include "VfrLexer.h"
 #include "AToken.h"
 
 #define GET_LINENO(Obj)   ((Obj)->getLine())
-#define SET_LINE_INFO(Obj, L) {(Obj).SetLineNo((L)->getLine());} while (0)
-#define CRT_END_OP(Obj)   {CIfrEnd EObj; if (Obj != NULL) EObj.SetLineNo 
((Obj)->getLine());} while (0)
+#define SET_LINE_INFO(Obj, L) do {(Obj).SetLineNo((L)->getLine());} while (0)
+#define CRT_END_OP(Obj)   do {CIfrEnd EObj; if (Obj != NULL) 
EObj.SetLineNo ((Obj)->getLine());} while (0)
 
 typedef ANTLRCommonToken ANTLRToken;
 
 class CVfrDLGLexer : public VfrLexer
 {
-- 
2.6.1.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

[edk2] [Patch] BaseTools: Extend the Macro used in the FDF !include statement

2017-01-21 Thread Yonghong Zhu 
Current it only support the system environment variables in the !include
statement, $(WORKSPACE), $(PACKAGES_PATH), $(EFI_SOURCE), $(EDK_SOURCE),
$(ECP_SOURCE), this patch extend the usage to support the Global macros
and the macro which defined before the statement.

Cc: Liming Gao 
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yonghong Zhu 
---
 BaseTools/Source/Python/GenFds/FdfParser.py | 41 +
 1 file changed, 30 insertions(+), 11 deletions(-)

diff --git a/BaseTools/Source/Python/GenFds/FdfParser.py 
b/BaseTools/Source/Python/GenFds/FdfParser.py
index e1295f2..27688e2 100644
--- a/BaseTools/Source/Python/GenFds/FdfParser.py
+++ b/BaseTools/Source/Python/GenFds/FdfParser.py
@@ -618,31 +618,50 @@ class FdfParser:
 #   @param  selfThe object pointer
 #
 def PreprocessIncludeFile(self):
# nested include support
 Processed = False
+MacroDict = {}
 while self.__GetNextToken():
 
-if self.__Token == '!include':
+if self.__Token == 'DEFINE':
+if not self.__GetNextToken():
+raise Warning("expected Macro name", self.FileName, 
self.CurrentLineNumber)
+Macro = self.__Token
+if not self.__IsToken( "="):
+raise Warning("expected '='", self.FileName, 
self.CurrentLineNumber)
+Value = self.__GetExpression()
+MacroDict[Macro] = Value
+
+elif self.__Token == '!include':
 Processed = True
 IncludeLine = self.CurrentLineNumber
 IncludeOffset = self.CurrentOffsetWithinLine - len('!include')
 if not self.__GetNextToken():
 raise Warning("expected include file name", self.FileName, 
self.CurrentLineNumber)
 IncFileName = self.__Token
-__IncludeMacros = {}
-for Macro in ['WORKSPACE', 'ECP_SOURCE', 'EFI_SOURCE', 
'EDK_SOURCE']:
+PreIndex = 0
+StartPos = IncFileName.find('$(', PreIndex)
+EndPos = IncFileName.find(')', StartPos+2)
+while StartPos != -1 and EndPos != -1:
+Macro = IncFileName[StartPos+2 : EndPos]
 MacroVal = self.__GetMacroValue(Macro)
-if MacroVal:
-__IncludeMacros[Macro] = MacroVal
+if not MacroVal:
+if Macro in MacroDict:
+MacroVal = MacroDict[Macro]
+if MacroVal != None:
+IncFileName = IncFileName.replace('$(' + Macro + ')', 
MacroVal, 1)
+if MacroVal.find('$(') != -1:
+PreIndex = StartPos
+else:
+PreIndex = StartPos + len(MacroVal)
+else:
+raise Warning("The Macro %s is not defined" %Macro, 
self.FileName, self.CurrentLineNumber)
+StartPos = IncFileName.find('$(', PreIndex)
+EndPos = IncFileName.find(')', StartPos+2)
 
-try:
-IncludedFile = NormPath(ReplaceMacro(IncFileName, 
__IncludeMacros, RaiseError=True))
-except:
-raise Warning("only these system environment variables are 
permitted to start the path of the included file: "
-  "$(WORKSPACE), $(ECP_SOURCE), $(EFI_SOURCE), 
$(EDK_SOURCE)",
-  self.FileName, self.CurrentLineNumber)
+IncludedFile = NormPath(IncFileName)
 #
 # First search the include file under the same directory as 
FDF file
 #
 IncludedFile1 = PathClass(IncludedFile, 
os.path.dirname(self.FileName))
 ErrorCode = IncludedFile1.Validate()[0]
-- 
2.6.1.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [patch] NetworkPkg: Fix protocol handler service in HttpDxe.

2017-01-21 Thread Wu, Jiaxin 
Reviewed-by: Wu Jiaxin 

Thanks,
Jiaxin

> -Original Message-
> From: Zhang, Lubo
> Sent: Sunday, January 22, 2017 9:41 AM
> To: edk2-devel@lists.01.org
> Cc: Sriram Subramanian ; Ye, Ting ;
> Fu, Siyuan ; Wu, Jiaxin 
> Subject: [patch] NetworkPkg: Fix protocol handler service in HttpDxe.
> 
> When we create a HTTP driver service binding private
> instance, there may be different DriverBindingHandle
> for Ipv4 or Ipv6, so it is essential to distinguish
> the HttpService image which will be used in open
> protocol or close protocol.
> 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Zhang Lubo 
> Cc: Sriram Subramanian 
> Cc: Ye Ting 
> Cc: Fu Siyuan 
> Cc: Wu Jiaxin 
> ---
>  NetworkPkg/HttpDxe/HttpDns.c| 18 
>  NetworkPkg/HttpDxe/HttpDriver.c | 21 +-
>  NetworkPkg/HttpDxe/HttpImpl.c   | 11 --
>  NetworkPkg/HttpDxe/HttpProto.c  | 48 ---
> --
>  NetworkPkg/HttpDxe/HttpProto.h  |  5 +++--
>  5 files changed, 55 insertions(+), 48 deletions(-)
> 
> diff --git a/NetworkPkg/HttpDxe/HttpDns.c b/NetworkPkg/HttpDxe/HttpDns.c
> index 0f5fe18..59cd7b3 100644
> --- a/NetworkPkg/HttpDxe/HttpDns.c
> +++ b/NetworkPkg/HttpDxe/HttpDns.c
> @@ -1,9 +1,9 @@
>  /** @file
>Routines for HttpDxe driver to perform DNS resolution based on UEFI DNS
> protocols.
> 
> -Copyright (c) 2015, Intel Corporation. All rights reserved.
> +Copyright (c) 2017, Intel Corporation. All rights reserved.
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
>  which accompanies this distribution.  The full text of the license may be 
> found
> at
>  http://opensource.org/licenses/bsd-license.php
> 
> @@ -86,11 +86,11 @@ HttpDns4 (
>//
>// Create a DNS child instance and get the protocol.
>//
>Status = NetLibCreateServiceChild (
>   Service->ControllerHandle,
> - Service->ImageHandle,
> + Service->Ip4DriverBindingHandle,
>   ,
>   
>   );
>if (EFI_ERROR (Status)) {
>  goto Exit;
> @@ -98,11 +98,11 @@ HttpDns4 (
> 
>Status = gBS->OpenProtocol (
>Dns4Handle,
>,
>(VOID **) ,
> -  Service->ImageHandle,
> +  Service->Ip4DriverBindingHandle,
>Service->ControllerHandle,
>EFI_OPEN_PROTOCOL_BY_DRIVER
>);
>if (EFI_ERROR (Status)) {
>  goto Exit;
> @@ -194,19 +194,19 @@ Exit:
>  Dns4->Configure (Dns4, NULL);
> 
>  gBS->CloseProtocol (
> Dns4Handle,
> ,
> -   Service->ImageHandle,
> +   Service->Ip4DriverBindingHandle,
> Service->ControllerHandle
> );
>}
> 
>if (Dns4Handle != NULL) {
>  NetLibDestroyServiceChild (
>Service->ControllerHandle,
> -  Service->ImageHandle,
> +  Service->Ip4DriverBindingHandle,
>,
>Dns4Handle
>);
>}
> 
> @@ -288,11 +288,11 @@ HttpDns6 (
>//
>// Create a DNSv6 child instance and get the protocol.
>//
>Status = NetLibCreateServiceChild (
>   Service->ControllerHandle,
> - Service->ImageHandle,
> + Service->Ip6DriverBindingHandle,
>   ,
>   
>   );
>if (EFI_ERROR (Status)) {
>  goto Exit;
> @@ -300,11 +300,11 @@ HttpDns6 (
> 
>Status = gBS->OpenProtocol (
>Dns6Handle,
>,
>(VOID **) ,
> -  Service->ImageHandle,
> +  Service->Ip6DriverBindingHandle,
>Service->ControllerHandle,
>EFI_OPEN_PROTOCOL_BY_DRIVER
>);
>if (EFI_ERROR (Status)) {
>  goto Exit;
> @@ -391,19 +391,19 @@ Exit:
>  Dns6->Configure (Dns6, NULL);
> 
>  gBS->CloseProtocol (
> Dns6Handle,
> ,
> -   Service->ImageHandle,
> +   Service->Ip6DriverBindingHandle,
> Service->ControllerHandle
> );
>}
> 
>if (Dns6Handle != NULL) {
>  NetLibDestroyServiceChild (
>Service->ControllerHandle,
> -  Service->ImageHandle,
> +  Service->Ip6DriverBindingHandle,
>,
>Dns6Handle
>);
>}
> 
> diff --git a/NetworkPkg/HttpDxe/HttpDriver.c
> b/NetworkPkg/HttpDxe/HttpDriver.c
> index de27635..5727526 100644
> --- a/NetworkPkg/HttpDxe/HttpDriver.c
> +++ b/NetworkPkg/HttpDxe/HttpDriver.c
> @@ -1,9 +1,9 @@
>  /** @file
>The driver binding and service binding protocol for HttpDxe driver.
> 
> -  Copyright (c) 2015 - 2016, Intel Corporation. All

Re: [edk2] [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic

2017-01-21 Thread Yao, Jiewen 
Reviewed-by: jiewen@intel.com

> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Zhang,
> Chao B
> Sent: Thursday, January 19, 2017 1:14 PM
> To: edk2-devel@lists.01.org
> Cc: Zhang, Chao B ; Yao, Jiewen
> ; Zeng, Star ;
> yao.jie...@intel.com
> Subject: [edk2] [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update
> PCR[7] measure logic
> 
> Update PCR[7] measure logic according to TCG PC Client PFP 00.37.
> Only entries in DB that is used for image authentication need to be
> measured.
> http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific
> _Platform_Profile_for_TPM_2p0_Systems_v21.pdf
> 
> Cc: Star Zeng 
> Cc: Yao Jiewen 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Chao Zhang 
> ---
>  .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c  | 10
> +++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git
> a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> index 7b7e6af..e28e106 100644
> --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
> @@ -12,7 +12,7 @@
>DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage()
> function will accept
>untrusted PE/COFF image and validate its data structure within this image
> buffer before use.
> 
> -Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
> +Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
>  (C) Copyright 2016 Hewlett Packard Enterprise Development LP
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
> @@ -1026,7 +1026,12 @@ IsSignatureFoundInDatabase (
>// Find the signature in database.
>//
>IsFound = TRUE;
> -  SecureBootHook (VariableName, ,
> CertList->SignatureSize, Cert);
> +  //
> +  // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to
> validate image should be measured
> +  //
> +  if (StrCmp(VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) {
> +SecureBootHook (VariableName,
> , CertList->SignatureSize, Cert);
> +  }
>break;
>  }
> 
> @@ -1309,7 +1314,6 @@ IsForbiddenByDbx (
>  mImageDigestSize
>  );
>  if (IsForbidden) {
> -  SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1,
> , CertList->SignatureSize, CertData);
>DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed
> but signature is forbidden by DBX.\n"));
>goto Done;
>  }
> --
> 1.9.5.msysgit.1
> 
> ___
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [PATCH V2 2/3] SecurityPkg: Tcg2Dxe: Measure DBT into PCR[7]

2017-01-21 Thread Yao, Jiewen 
Reviewed-by: jiewen@intel.com

> -Original Message-
> From: Zhang, Chao B
> Sent: Thursday, January 19, 2017 1:14 PM
> To: edk2-devel@lists.01.org
> Cc: yao.jie...@intel.com; Zeng, Star ; Yao, Jiewen
> ; Zhang, Chao B 
> Subject: [PATCH V2 2/3] SecurityPkg: Tcg2Dxe: Measure DBT into PCR[7]
> 
> Measure DBT into PCR[7] in initial measurement phase according
> to TCG PC Client PFP 00.37.
> http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific
> _Platform_Profile_for_TPM_2p0_Systems_v21.pdf
> 
> Cc: Star Zeng 
> Cc: Yao Jiewen 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Chao Zhang 
> ---
>  SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
> b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
> index 556ef33..3534fd1 100644
> --- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
> +++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
> @@ -1,7 +1,7 @@
>  /** @file
>This module implements Tcg2 Protocol.
> 
> -Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
> +Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
>  (C) Copyright 2016 Hewlett Packard Enterprise Development LP
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
> @@ -115,6 +115,7 @@ VARIABLE_TYPE  mVariableType[] = {
>{EFI_KEY_EXCHANGE_KEY_NAME,},
>{EFI_IMAGE_SECURITY_DATABASE,  },
>{EFI_IMAGE_SECURITY_DATABASE1, },
> +  {EFI_IMAGE_SECURITY_DATABASE2, },
>  };
> 
>  EFI_HANDLE mImageHandle;
> --
> 1.9.5.msysgit.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

[edk2] [patch] NetworkPkg: Fix protocol handler service in HttpDxe.

2017-01-21 Thread Zhang Lubo 
When we create a HTTP driver service binding private
instance, there may be different DriverBindingHandle
for Ipv4 or Ipv6, so it is essential to distinguish
the HttpService image which will be used in open
protocol or close protocol.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo 
Cc: Sriram Subramanian 
Cc: Ye Ting 
Cc: Fu Siyuan 
Cc: Wu Jiaxin 
---
 NetworkPkg/HttpDxe/HttpDns.c| 18 
 NetworkPkg/HttpDxe/HttpDriver.c | 21 +-
 NetworkPkg/HttpDxe/HttpImpl.c   | 11 --
 NetworkPkg/HttpDxe/HttpProto.c  | 48 -
 NetworkPkg/HttpDxe/HttpProto.h  |  5 +++--
 5 files changed, 55 insertions(+), 48 deletions(-)

diff --git a/NetworkPkg/HttpDxe/HttpDns.c b/NetworkPkg/HttpDxe/HttpDns.c
index 0f5fe18..59cd7b3 100644
--- a/NetworkPkg/HttpDxe/HttpDns.c
+++ b/NetworkPkg/HttpDxe/HttpDns.c
@@ -1,9 +1,9 @@
 /** @file
   Routines for HttpDxe driver to perform DNS resolution based on UEFI DNS 
protocols.
 
-Copyright (c) 2015, Intel Corporation. All rights reserved.
+Copyright (c) 2017, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -86,11 +86,11 @@ HttpDns4 (
   //
   // Create a DNS child instance and get the protocol.
   //
   Status = NetLibCreateServiceChild (
  Service->ControllerHandle,
- Service->ImageHandle,
+ Service->Ip4DriverBindingHandle,
  ,
  
  );
   if (EFI_ERROR (Status)) {
 goto Exit;
@@ -98,11 +98,11 @@ HttpDns4 (
 
   Status = gBS->OpenProtocol (
   Dns4Handle,
   ,
   (VOID **) ,
-  Service->ImageHandle,
+  Service->Ip4DriverBindingHandle,
   Service->ControllerHandle,
   EFI_OPEN_PROTOCOL_BY_DRIVER
   );
   if (EFI_ERROR (Status)) {
 goto Exit;
@@ -194,19 +194,19 @@ Exit:
 Dns4->Configure (Dns4, NULL);
 
 gBS->CloseProtocol (
Dns4Handle,
,
-   Service->ImageHandle,
+   Service->Ip4DriverBindingHandle,
Service->ControllerHandle
);
   }
 
   if (Dns4Handle != NULL) {
 NetLibDestroyServiceChild (
   Service->ControllerHandle,
-  Service->ImageHandle,
+  Service->Ip4DriverBindingHandle,
   ,
   Dns4Handle
   );
   }
 
@@ -288,11 +288,11 @@ HttpDns6 (
   //
   // Create a DNSv6 child instance and get the protocol.
   //
   Status = NetLibCreateServiceChild (
  Service->ControllerHandle,
- Service->ImageHandle,
+ Service->Ip6DriverBindingHandle,
  ,
  
  );
   if (EFI_ERROR (Status)) {
 goto Exit;
@@ -300,11 +300,11 @@ HttpDns6 (
   
   Status = gBS->OpenProtocol (
   Dns6Handle,
   ,
   (VOID **) ,
-  Service->ImageHandle,
+  Service->Ip6DriverBindingHandle,
   Service->ControllerHandle,
   EFI_OPEN_PROTOCOL_BY_DRIVER
   );
   if (EFI_ERROR (Status)) {
 goto Exit;
@@ -391,19 +391,19 @@ Exit:
 Dns6->Configure (Dns6, NULL);
 
 gBS->CloseProtocol (
Dns6Handle,
,
-   Service->ImageHandle,
+   Service->Ip6DriverBindingHandle,
Service->ControllerHandle
);
   }
 
   if (Dns6Handle != NULL) {
 NetLibDestroyServiceChild (
   Service->ControllerHandle,
-  Service->ImageHandle,
+  Service->Ip6DriverBindingHandle,
   ,
   Dns6Handle
   );
   }
 
diff --git a/NetworkPkg/HttpDxe/HttpDriver.c b/NetworkPkg/HttpDxe/HttpDriver.c
index de27635..5727526 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.c
+++ b/NetworkPkg/HttpDxe/HttpDriver.c
@@ -1,9 +1,9 @@
 /** @file
   The driver binding and service binding protocol for HttpDxe driver.
 
-  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
+  Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
   (C) Copyright 2016 Hewlett Packard Enterprise Development LP
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD 
License
   which accompanies this distribution.  The full text of the license may be 
found at
@@ -43,21 +43,19 @@ EFI_DRIVER_BINDING_PROTOCOL gHttpDxeIp6DriverBinding = {
 /**
   Create a HTTP driver service binding private instance.
 
   @param[in]  Controller The controller that has TCP4 service binding
  installed.
-  @param[in]  ImageHandle

Re: [edk2] [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic

2017-01-21 Thread Zeng, Star 
Chao,

I will leave the review for this patch to Jiewen since I am not so familiar 
with the code logic.

Thanks,
Star
-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Zhang, 
Chao B
Sent: Thursday, January 19, 2017 1:14 PM
To: edk2-devel@lists.01.org
Cc: Zhang, Chao B ; Yao, Jiewen ; 
Zeng, Star ; yao.jie...@intel.com
Subject: [edk2] [PATCH V2 1/3] SecurityPkg: DxeImageVerificationLib: Update 
PCR[7] measure logic

Update PCR[7] measure logic according to TCG PC Client PFP 00.37.
Only entries in DB that is used for image authentication need to be measured.
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang 
---
 .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c  | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git 
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c 
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index 7b7e6af..e28e106 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLi
+++ b.c
@@ -12,7 +12,7 @@
   DxeImageVerificationHandler(), HashPeImageByType(), HashPeImage() function 
will accept
   untrusted PE/COFF image and validate its data structure within this image 
buffer before use.
 
-Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
 (C) Copyright 2016 Hewlett Packard Enterprise Development LP  This program 
and the accompanying materials  are licensed and made available under the terms 
and conditions of the BSD License @@ -1026,7 +1026,12 @@ 
IsSignatureFoundInDatabase (
   // Find the signature in database.
   //
   IsFound = TRUE;
-  SecureBootHook (VariableName, , 
CertList->SignatureSize, Cert);
+  //
+  // Entries in UEFI_IMAGE_SECURITY_DATABASE that are used to validate 
image should be measured
+  //
+  if (StrCmp(VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) {
+SecureBootHook (VariableName, , 
CertList->SignatureSize, Cert);
+  }
   break;
 }
 
@@ -1309,7 +1314,6 @@ IsForbiddenByDbx (
 mImageDigestSize
 );
 if (IsForbidden) {
-  SecureBootHook (EFI_IMAGE_SECURITY_DATABASE1, 
, CertList->SignatureSize, CertData);
   DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed but 
signature is forbidden by DBX.\n"));
   goto Done;
 }
--
1.9.5.msysgit.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [PATCH V2 2/3] SecurityPkg: Tcg2Dxe: Measure DBT into PCR[7]

2017-01-21 Thread Zeng, Star 
Chao,

I have one minor comment.

Please remember to add "  ## SOMETIMES_CONSUMES  ## Variable:L"dbt" " in 
Tcg2Dxe.inf.

With the comment covered, Reviewed-by: Star Zeng 

Thanks,
Star
-Original Message-
From: Zhang, Chao B 
Sent: Thursday, January 19, 2017 1:14 PM
To: edk2-devel@lists.01.org
Cc: yao.jie...@intel.com; Zeng, Star ; Yao, Jiewen 
; Zhang, Chao B 
Subject: [PATCH V2 2/3] SecurityPkg: Tcg2Dxe: Measure DBT into PCR[7]

Measure DBT into PCR[7] in initial measurement phase according to TCG PC Client 
PFP 00.37. 
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang 
---
 SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c 
b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
index 556ef33..3534fd1 100644
--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
@@ -1,7 +1,7 @@
 /** @file
   This module implements Tcg2 Protocol.
   
-Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
 (C) Copyright 2016 Hewlett Packard Enterprise Development LP  This program 
and the accompanying materials  are licensed and made available under the terms 
and conditions of the BSD License @@ -115,6 +115,7 @@ VARIABLE_TYPE  
mVariableType[] = {
   {EFI_KEY_EXCHANGE_KEY_NAME,},
   {EFI_IMAGE_SECURITY_DATABASE,  },
   {EFI_IMAGE_SECURITY_DATABASE1, },
+  {EFI_IMAGE_SECURITY_DATABASE2, },
 };
 
 EFI_HANDLE mImageHandle;
--
1.9.5.msysgit.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] SCT 2.3.1 v1.3

2017-01-21 Thread Jin, Eric 
I agree it is the gap between current UEFI SCT and UEFI Spec.
Removing the checkpoint from the test is simple. But the Spec enhancement on 
these missed error description is the better choice.

Best Regards
Eric

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Gao, 
Liming
Sent: Friday, January 20, 2017 5:35 PM
To: Laszlo Ersek ; Daniel Samuelraj 

Cc: Jianning Wang ; edk2-devel@lists.01.org; Sathya 
Prakash ; Chidambara GR 

Subject: Re: [edk2] SCT 2.3.1 v1.3

Laszlo:
  I agree this is gap between SCT and UEFI spec. I think UEFI spec can be 
updated to describe these error conditions. 

Thanks
Liming
>-Original Message-
>From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of 
>Laszlo Ersek
>Sent: Wednesday, January 18, 2017 4:57 PM
>To: Daniel Samuelraj 
>Cc: Jianning Wang ; 
>edk2-devel@lists.01.org; Sathya Prakash ; 
>Chidambara GR 
>Subject: Re: [edk2] SCT 2.3.1 v1.3
>
>(Dropping the  and  email addresses; 
>please never cross-post the public edk2-devel list with the 
>confidential spec development / working group lists on UEFI.org!)
>
>On 01/17/17 22:22, Daniel Samuelraj wrote:
>> Hi,
>>
>> What SCT v1.3 states for HII Config Access Protocol seems not in 
>> align with UEFI spec? For example, for extract config, when Progress 
>> or Result or Request is NULL, SCT is expecting EFI Invalid Parameter; 
>> similarly for Route Config, when progress is NULL, SCT expects 
>> EFI_INVALID_PARAMETER. UEFI spec doesn\u2019t seem mention anything 
>> for these cases.
>>
>>
>>
>> Should driver adhere to what SCT expects? Or is this fixed in newer 
>> SCT or will this be addressed in future? Please advise!
>
>I confirm this is a problem between the SCT and the UEFI spec.
>
>I've never personally built or used the SCT, but in 2015, Heyi Guo from 
>Linaro submitted patches for OVMF's PlatformDxe, some of which, for 
>example
>
>  [PATCH 2/3] OvmfPkg: PlatformDxe: Add sanity check for 
> HiiConfigAccess
>
>suppressed this kind of SCT failure report, by modifying OvmfPkg code.
>
>I didn't accept the patch, because we couldn't find any normative 
>reference (released UEFI spec version, or pending Mantis ticket) that 
>justified the SCT's expectations.
>
>... I would like to provide you with a mailing list archive link, but 
>that discussion was apparently only captured in the old GMANE archive, 
>and GMANE went belly-up a few months ago. Albeit being resuscitated, 
>the edk2-devel messages seem to be lost from it for good (or at least 
>cannot be looked up based on Message-Id).
>
>For lack of a better means, I'll quote one message from that thread 
>below, with context.
>
>Thanks
>Laszlo
>
>On 06/01/15 16:27, Laszlo Ersek wrote:
>> On 06/01/15 16:14, Laszlo Ersek wrote:
>>> On 06/01/15 14:08, Heyi Guo wrote:
 During UEFI SCT, it will throw an exception because "Progress" is 
 passed in with NULL and RouteConfig will try to access the string 
 at *(EFI_STRING *0), i.e. 0x14000400.

 Add sanity check for ExtractConfig and RouteConfig to avoid NULL 
 pointer dereference.

 Contributed-under: TianoCore Contribution Agreement 1.0
 Signed-off-by: Heyi Guo 
 ---
  OvmfPkg/PlatformDxe/Platform.c | 10 ++
  1 file changed, 10 insertions(+)

 diff --git a/OvmfPkg/PlatformDxe/Platform.c
>b/OvmfPkg/PlatformDxe/Platform.c
 index 4ec327e..35fabf8 100644
 --- a/OvmfPkg/PlatformDxe/Platform.c
 +++ b/OvmfPkg/PlatformDxe/Platform.c
 @@ -234,6 +234,11 @@ ExtractConfig (
MAIN_FORM_STATE MainFormState;
EFI_STATUS  Status;

 +  if (Progress == NULL || Results == NULL)  {
 +return EFI_INVALID_PARAMETER;
 +  }
 +
DEBUG ((EFI_D_VERBOSE, "%a: Request=\"%s\"\n", __FUNCTION__,
>Request));

Status = PlatformConfigToFormState ();
>>>
>>> EFI_HII_CONFIG_ROUTING_PROTOCOL.ExtractConfig() does not require
>any of
>>> these checks. Both Progress and Results are OUT parameters (ie.
>>> pointers) and nothing in the spec resolves the caller from passing 
>>> in NULL (or non-NULL garbage, for that matter, which you couldn't 
>>> catch anyway).
>>>
>>> I can ACK this hunk if you show me a confirmed Mantis ticket for the 
>>> UEFI spec.
>>
>> Sorry, I just noticed that above I referenced 
>> EFI_HII_CONFIG_ROUTING_PROTOCOL rather than
>EFI_HII_CONFIG_ACCESS_PROTOCOL.
>>
>> However, after checking
>EFI_HII_CONFIG_ACCESS_PROTOCOL.ExtractConfig()
>> specifically, I still can't see any requirement for these checks.
>>
 @@ -327,6 +332,11 @@ RouteConfig (
UINTN   BlockSize;
EFI_STATUS  Status;

 +  if

Re: [edk2] [PATCH V2 3/3] MdeModulePkg: Variable: Update PCR[7] measure for new TCG spec

2017-01-21 Thread Zeng, Star 
Chao,

I have some minor comments.

1. Suggest to add mSecureBootVarData and mSecureBootVarDataSize and remove 
VARIABLE_FOLLOW_TYPE and SecureBootFollowUpdate.
2. Suggest to update function name RecordSecureBootPolicyVarFollow to 
RecordSecureBootPolicyVarData.
3. Please remember to add "  ## SOMETIMES_CONSUMES   ## Variable:L"DBT" " in 
VariableRuntimeDxe.inf and VariableSmmRuntimeDxe.inf.

With those comments covered, Reviewed-by: Star Zeng 

Thanks,
Star
-Original Message-
From: Zhang, Chao B 
Sent: Thursday, January 19, 2017 1:14 PM
To: edk2-devel@lists.01.org
Cc: yao.jie...@intel.com; Zeng, Star ; Yao, Jiewen 
; Zhang, Chao B 
Subject: [PATCH V2 3/3] MdeModulePkg: Variable: Update PCR[7] measure for new 
TCG spec

Measure DBT into PCR[7] when it is updated between initial measure and 
ExitBootService. Measure "SecureBoot" change after PK update.
Spec version : TCG PC Client PFP 00.37. 
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang 
---
 .../Universal/Variable/RuntimeDxe/Measurement.c| 88 +-
 .../Universal/Variable/RuntimeDxe/VariableDxe.c| 17 +
 .../Variable/RuntimeDxe/VariableSmmRuntimeDxe.c| 17 +
 3 files changed, 121 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
index 2f92fae..707f988 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
@@ -1,7 +1,7 @@
 /** @file
   Measure TrEE required variable.
 
-Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.
 This program and the accompanying materials  are licensed and made available 
under the terms and conditions of the BSD License  which accompanies this 
distribution.  The full text of the license may be found at @@ -36,6 +36,24 @@ 
VARIABLE_TYPE  mVariableType[] = {
   {EFI_KEY_EXCHANGE_KEY_NAME,},
   {EFI_IMAGE_SECURITY_DATABASE,  },
   {EFI_IMAGE_SECURITY_DATABASE1, },
+  {EFI_IMAGE_SECURITY_DATABASE2, }, };
+
+typedef struct {
+  CHAR16 *VariableName;
+  EFI_GUID   *VendorGuid;
+  UINT8  *VarData;
+  UINTN  VarDataSize;
+} VARIABLE_FOLLOW_TYPE;
+
+//
+// "SecureBoot" may update following PK Del/Add // static 
+VARIABLE_FOLLOW_TYPE  SecureBootFollowUpdate = {
+   EFI_SECURE_BOOT_MODE_NAME,
+   ,
+   NULL,
+   0,
 };
 
 /**
@@ -251,5 +269,73 @@ SecureBootHook (
 FreePool (VariableData);
   }
 
+  //
+  // "SecureBoot" is 8bit & read-only. It can only be changed according 
+ to PK update  //  if ((StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 
+ 0) &&
+   CompareGuid (VendorGuid, )) {
+ Status = InternalGetVariable (
+SecureBootFollowUpdate.VariableName,
+SecureBootFollowUpdate.VendorGuid,
+,
+
+);
+ if (EFI_ERROR (Status)) {
+   return;
+ }
+
+ if ((SecureBootFollowUpdate.VarData != NULL) &&
+ (CompareMem(SecureBootFollowUpdate.VarData, VariableData, 
VariableDataSize) != 0)) {
+   FreePool(SecureBootFollowUpdate.VarData);
+   SecureBootFollowUpdate.VarData = VariableData;
+   SecureBootFollowUpdate.VarDataSize = VariableDataSize;
+
+   DEBUG((DEBUG_INFO, "%s variable updated according to PK change. 
Remeasure the value!\n", SecureBootFollowUpdate.VariableName));
+   Status = MeasureVariable (
+  SecureBootFollowUpdate.VariableName,
+  SecureBootFollowUpdate.VendorGuid,
+  SecureBootFollowUpdate.VarData,
+  SecureBootFollowUpdate.VarDataSize
+  );
+   DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));
+ } else {
+   //
+   // "SecureBoot" variable is not changed
+   //
+   FreePool(VariableData);
+ }
+  }
+
   return ;
 }
+
+/**
+  Some Secure Boot Policy Variable may update following other variable 
changes(SecureBoot follows PK change, etc).
+  Record their initial State when variable write service is ready.
+
+**/
+VOID
+EFIAPI
+RecordSecureBootPolicyVarFollow(
+  VOID
+  )
+{
+  EFI_STATUS Status;
+
+  //
+  // Record initial "SecureBoot" variable value.
+  // It is used to detect SecureBoot variable change in SecureBootHook.
+  //
+  Status = InternalGetVariable (
+ SecureBootFollowUpdate.VariableName,
+ SecureBootFollowUpdate.VendorGuid,
+ (VOID **),
+ 
+