[edk2] [PATCH] SecurityPkg/DxePhysicalPresenceLib: Reject illegal PCR bank allocation

2018-01-24 Thread Zhang, Chao B
According to TCG PP1.3 spec, error PCR bank allocation input should be rejected
by Physical Presence. Firmware has to ensure that at least one PCR bank is active.

Cc: Long Qin 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
---
 .../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c  | 12 
 1 file changed, 12 insertions(+)

diff --git 
a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c 
b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
index 5bf95a1..830266b 100644
--- 
a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
+++ 
b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
@@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
 case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
   Status = Tpm2GetCapabilitySupportedAndActivePcrs 
(&TpmHashAlgorithmBitmap, &ActivePcrBanks);
   ASSERT_EFI_ERROR (Status);
+
+  //
+  // PP spec requirements:
+  //Firmware should check that all requested (set) hashing algorithms 
are supported with respective PCR banks. 
+  //Firmware has to ensure that at least one PCR banks is active
+  // If not, an error is returned and no action is taken
+  //
+  if (CommandParameter == 0 || (CommandParameter & 
(~TpmHashAlgorithmBitmap)) != 0) {
+DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by 
TPM. Skip operation\n", CommandParameter));
+return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE
+  }
+  DEBUG((DEBUG_ERROR, "zhangchao TpmHashAlgorithmBitmap %x 
CommandParameter %x\n", TpmHashAlgorithmBitmap, CommandParameter));
   Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, 
CommandParameter);
   if (EFI_ERROR (Status)) {
 return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
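Review bot: The added `return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE` inside the new rejection branch has no terminating semicolon, so the hunk will not compile as posted; add the `;`. The added `DEBUG((DEBUG_ERROR, "zhangchao TpmHashAlgorithmBitmap %x ...` line right after the branch looks like leftover bring-up tracing: it runs on the success path at DEBUG_ERROR level and carries a personal tag, so drop it, or reword it and lower it to DEBUG_INFO. The rejection message also reports the banks as "not supported by TPM" when CommandParameter is 0, where the real reason is that the request would leave no bank active; a separate message for the zero case would keep the log accurate.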
-- 
1.9.5.msysgit.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] [PATCH] SecurityPkg/DxePhysicalPresenceLib: Reject illegal PCR bank allocation

2018-01-25 Thread Bill Paul
Of all the gin joints in all the towns in all the world, Zhang, Chao B had to 
walk into mine at 20:53 on Wednesday 24 January 2018 and say:

> According to TCG PP1.3 spec, error PCR bank allocation input should be
> rejected by Physical Presence. Firmware has to ensure that at least one
> PCR bank is active.
> 
> Cc: Long Qin 
> Cc: Yao Jiewen 
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang 
> ---
>  .../DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c  | 12
>  1 file changed, 12 insertions(+)
> 
> diff --git
> a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLi
> b.c
> b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLi
> b.c index 5bf95a1..830266b 100644
> ---
> a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLi
> b.c +++
> b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLi
> b.c @@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
>  case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
>Status = Tpm2GetCapabilitySupportedAndActivePcrs
> (&TpmHashAlgorithmBitmap, &ActivePcrBanks); ASSERT_EFI_ERROR (Status);
> +
> +  //
> +  // PP spec requirements:
> +  //Firmware should check that all requested (set) hashing
> algorithms are supported with respective PCR banks. +  //Firmware
> has to ensure that at least one PCR banks is active +  // If not, an
> error is returned and no action is taken
> +  //
> +  if (CommandParameter == 0 || (CommandParameter &
> (~TpmHashAlgorithmBitmap)) != 0) { +DEBUG((DEBUG_ERROR, "PCR banks
> %x to allocate are not supported by TPM. Skip operation\n",
> CommandParameter)); +return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE
> +  }
> +  DEBUG((DEBUG_ERROR, "zhangchao TpmHashAlgorithmBitmap %x

Was it your intention to have the debug error message string identify you by 
name? :)

-Bill

> CommandParameter %x\n", TpmHashAlgorithmBitmap, CommandParameter)); Status
> = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap,
> CommandParameter); if (EFI_ERROR (Status)) {
>  return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
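Review bot: The new mask check trusts TpmHashAlgorithmBitmap, but the only handling of a failed Tpm2GetCapabilitySupportedAndActivePcrs call just above it is `ASSERT_EFI_ERROR (Status)`. ASSERT is typically disabled in release builds, so after a failed capability query the test `CommandParameter & (~TpmHashAlgorithmBitmap)` would run against whatever value the bitmap happens to hold. Suggest checking `EFI_ERROR (Status)` explicitly before the new test and returning TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE, so that an unreadable capability can never let an unsupported mask reach Tpm2PcrAllocateBanks.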
-- 
=
-Bill Paul(510) 749-2329 | Senior Member of Technical Staff,
 wp...@windriver.com | Master of Unix-Fu - Wind River Systems
=
   "I put a dollar in a change machine. Nothing changed." - George Carlin
=