Re: [edk2] [patch] Add error handling for TPM in S3 resume failure.
Good suggestion. I will update.
-Original Message-
From: Zhang, Chao B
Sent: Monday, November 09, 2015 9:00 AM
To: Yao, Jiewen; edk2-de...@ml01.01.org
Subject: RE: [patch] Add error handling for TPM in S3 resume failure.
Jiewen:
Should we do HashLogExtendEvent after SetTpm2HashMask?
Thanks & Best regards
Chao Zhang
-Original Message-
From: Yao, Jiewen
Sent: Friday, November 06, 2015 8:09 PM
To: edk2-de...@ml01.01.org
Cc: Yao, Jiewen; Zhang, Chao B
Subject: [patch] Add error handling for TPM in S3 resume failure.
If TPM2_Startup(TPM_SU_STATE) to return an error, the system firmware that
resumes from S3 MUST deal with a TPM2_Startup error appropriately.
For example, issuing a TPM2_Startup(TPM_SU_CLEAR) command and configuring the
device securely by taking actions like extending a separator with an error
digest (0x01) into PCRs 0 through 7.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yao, Jiewen
Cc: Zhang, Chao B
---
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 43 +++
1 file changed, 43 insertions(+)
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index 4ecfbe3..2e4ad53 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -829,6 +829,33 @@ PeimEntryMP (
}
/**
+ Measure and log Separator event with error, and extend the measurement
result into a specific PCR.
+
+ @param[in] PCRIndex PCR index.
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_DEVICE_ERRORThe operation was unsuccessful.
+
+**/
+EFI_STATUS
+MeasureSeparatorEventWithError (
+ IN TPM_PCRINDEX PCRIndex
+ )
+{
+ TCG_PCR_EVENT_HDR TcgEvent;
+ UINT32EventData;
+
+ //
+ // Use EventData 0x1 to indicate there is error.
+ //
+ EventData = 0x1;
+ TcgEvent.PCRIndex = PCRIndex;
+ TcgEvent.EventType = EV_SEPARATOR;
+ TcgEvent.EventSize = (UINT32)sizeof (EventData);
+ return HashLogExtendEvent(0,(UINT8 *)&EventData, TcgEvent.EventSize,
+&TcgEvent,(UINT8 *)&EventData); }
+
+/**
Entry point of this module.
@param[in] FileHandle Handle of the file being invoked.
@@ -847,6 +874,7 @@ PeimEntryMA (
EFI_STATUSStatus;
EFI_STATUSStatus2;
EFI_BOOT_MODE BootMode;
+ TPM_PCRINDEX PcrIndex;
if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid),
&gEfiTpmDeviceInstanceNoneGuid) ||
CompareGuid (PcdGetPtr(PcdTpmInstanceGuid),
&gEfiTpmDeviceInstanceTpm12Guid)){
@@ -889,7 +917,22 @@ PeimEntryMA (
if (BootMode == BOOT_ON_S3_RESUME) {
Status = Tpm2Startup (TPM_SU_STATE);
if (EFI_ERROR (Status) ) {
+ //
+ // The system firmware that resumes from S3 MUST deal with a
+ // TPM2_Startup error appropriately.
+ // For example, issue a TPM2_Startup(TPM_SU_CLEAR) command and
+ // configuring the device securely by taking actions like extending a
+ // separator with an error digest (0x01) into PCRs 0 through 7.
+ //
Status = Tpm2Startup (TPM_SU_CLEAR);
+ if (!EFI_ERROR(Status)) {
+for (PcrIndex = 0; PcrIndex < 8; PcrIndex++) {
+ Status = MeasureSeparatorEventWithError (PcrIndex);
+ if (EFI_ERROR (Status)) {
+DEBUG ((EFI_D_ERROR, "Seperator Event with Error not Measured.
Error!\n"));
+ }
+}
+ }
}
} else {
Status = Tpm2Startup (TPM_SU_CLEAR);
--
1.9.5.msysgit.0
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [patch] Add error handling for TPM in S3 resume failure.
Jiewen:
Should we do HashLogExtendEvent after SetTpm2HashMask?
Thanks & Best regards
Chao Zhang
-Original Message-
From: Yao, Jiewen
Sent: Friday, November 06, 2015 8:09 PM
To: edk2-de...@ml01.01.org
Cc: Yao, Jiewen; Zhang, Chao B
Subject: [patch] Add error handling for TPM in S3 resume failure.
If TPM2_Startup(TPM_SU_STATE) to return an error, the system firmware that
resumes from S3 MUST deal with a TPM2_Startup error appropriately.
For example, issuing a TPM2_Startup(TPM_SU_CLEAR) command and configuring the
device securely by taking actions like extending a separator with an error
digest (0x01) into PCRs 0 through 7.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yao, Jiewen
Cc: Zhang, Chao B
---
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 43 +++
1 file changed, 43 insertions(+)
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index 4ecfbe3..2e4ad53 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -829,6 +829,33 @@ PeimEntryMP (
}
/**
+ Measure and log Separator event with error, and extend the measurement
result into a specific PCR.
+
+ @param[in] PCRIndex PCR index.
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_DEVICE_ERRORThe operation was unsuccessful.
+
+**/
+EFI_STATUS
+MeasureSeparatorEventWithError (
+ IN TPM_PCRINDEX PCRIndex
+ )
+{
+ TCG_PCR_EVENT_HDR TcgEvent;
+ UINT32EventData;
+
+ //
+ // Use EventData 0x1 to indicate there is error.
+ //
+ EventData = 0x1;
+ TcgEvent.PCRIndex = PCRIndex;
+ TcgEvent.EventType = EV_SEPARATOR;
+ TcgEvent.EventSize = (UINT32)sizeof (EventData);
+ return HashLogExtendEvent(0,(UINT8 *)&EventData, TcgEvent.EventSize,
+&TcgEvent,(UINT8 *)&EventData); }
+
+/**
Entry point of this module.
@param[in] FileHandle Handle of the file being invoked.
@@ -847,6 +874,7 @@ PeimEntryMA (
EFI_STATUSStatus;
EFI_STATUSStatus2;
EFI_BOOT_MODE BootMode;
+ TPM_PCRINDEX PcrIndex;
if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid),
&gEfiTpmDeviceInstanceNoneGuid) ||
CompareGuid (PcdGetPtr(PcdTpmInstanceGuid),
&gEfiTpmDeviceInstanceTpm12Guid)){
@@ -889,7 +917,22 @@ PeimEntryMA (
if (BootMode == BOOT_ON_S3_RESUME) {
Status = Tpm2Startup (TPM_SU_STATE);
if (EFI_ERROR (Status) ) {
+ //
+ // The system firmware that resumes from S3 MUST deal with a
+ // TPM2_Startup error appropriately.
+ // For example, issue a TPM2_Startup(TPM_SU_CLEAR) command and
+ // configuring the device securely by taking actions like extending a
+ // separator with an error digest (0x01) into PCRs 0 through 7.
+ //
Status = Tpm2Startup (TPM_SU_CLEAR);
+ if (!EFI_ERROR(Status)) {
+for (PcrIndex = 0; PcrIndex < 8; PcrIndex++) {
+ Status = MeasureSeparatorEventWithError (PcrIndex);
+ if (EFI_ERROR (Status)) {
+DEBUG ((EFI_D_ERROR, "Seperator Event with Error not Measured.
Error!\n"));
+ }
+}
+ }
}
} else {
Status = Tpm2Startup (TPM_SU_CLEAR);
--
1.9.5.msysgit.0
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [patch] Add error handling for TPM in S3 resume failure.
If TPM2_Startup(TPM_SU_STATE) to return an error, the system
firmware that resumes from S3 MUST deal with a TPM2_Startup
error appropriately.
For example, issuing a TPM2_Startup(TPM_SU_CLEAR) command and
configuring the device securely by taking actions like extending
a separator with an error digest (0x01) into PCRs 0 through 7.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yao, Jiewen
Cc: Zhang, Chao B
---
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 43 +++
1 file changed, 43 insertions(+)
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index 4ecfbe3..2e4ad53 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -829,6 +829,33 @@ PeimEntryMP (
}
/**
+ Measure and log Separator event with error, and extend the measurement
result into a specific PCR.
+
+ @param[in] PCRIndex PCR index.
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_DEVICE_ERRORThe operation was unsuccessful.
+
+**/
+EFI_STATUS
+MeasureSeparatorEventWithError (
+ IN TPM_PCRINDEX PCRIndex
+ )
+{
+ TCG_PCR_EVENT_HDR TcgEvent;
+ UINT32EventData;
+
+ //
+ // Use EventData 0x1 to indicate there is error.
+ //
+ EventData = 0x1;
+ TcgEvent.PCRIndex = PCRIndex;
+ TcgEvent.EventType = EV_SEPARATOR;
+ TcgEvent.EventSize = (UINT32)sizeof (EventData);
+ return HashLogExtendEvent(0,(UINT8 *)&EventData, TcgEvent.EventSize,
&TcgEvent,(UINT8 *)&EventData);
+}
+
+/**
Entry point of this module.
@param[in] FileHandle Handle of the file being invoked.
@@ -847,6 +874,7 @@ PeimEntryMA (
EFI_STATUSStatus;
EFI_STATUSStatus2;
EFI_BOOT_MODE BootMode;
+ TPM_PCRINDEX PcrIndex;
if (CompareGuid (PcdGetPtr(PcdTpmInstanceGuid),
&gEfiTpmDeviceInstanceNoneGuid) ||
CompareGuid (PcdGetPtr(PcdTpmInstanceGuid),
&gEfiTpmDeviceInstanceTpm12Guid)){
@@ -889,7 +917,22 @@ PeimEntryMA (
if (BootMode == BOOT_ON_S3_RESUME) {
Status = Tpm2Startup (TPM_SU_STATE);
if (EFI_ERROR (Status) ) {
+ //
+ // The system firmware that resumes from S3 MUST deal with a
+ // TPM2_Startup error appropriately.
+ // For example, issue a TPM2_Startup(TPM_SU_CLEAR) command and
+ // configuring the device securely by taking actions like extending a
+ // separator with an error digest (0x01) into PCRs 0 through 7.
+ //
Status = Tpm2Startup (TPM_SU_CLEAR);
+ if (!EFI_ERROR(Status)) {
+for (PcrIndex = 0; PcrIndex < 8; PcrIndex++) {
+ Status = MeasureSeparatorEventWithError (PcrIndex);
+ if (EFI_ERROR (Status)) {
+DEBUG ((EFI_D_ERROR, "Seperator Event with Error not Measured.
Error!\n"));
+ }
+}
+ }
}
} else {
Status = Tpm2Startup (TPM_SU_CLEAR);
--
1.9.5.msysgit.0
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
