Pushed: 8ed8568922be9b5f7111fc1297317106aba7ab52
> -Original Message-
> From: Gonzalez Del Cueto, Rodrigo
> Sent: Friday, December 17, 2021 10:47 AM
> To: devel@edk2.groups.io
> Cc: Gonzalez Del Cueto, Rodrigo ; Yao,
> Jiewen ; Wang, Jian J
> Subject: [PATCH] SecurityPkg: Debug code to a
Ran CI on this version of the patch using a draft pull request: "SecurityPkg: Debug code to audit BIOS TPM extend operations by rodrigog-intel · Pull Request #2321 · tianocore/edk2" ( https://github.com/tianocore/edk2/pull/2321 )
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2858
In V2: Fixed patch format and uncrustify cleanup
In V1: Add debug functionality to examine TPM extend operations
performed by BIOS and inspect the PCR 00 value prior to
any BIOS measurements.
Signed-off-by: Rodrigo Gonzalez del Cueto
Cc:
I am OK to add API to the library.
I am OK to add one function call to dump PCR[0] in TcgPei to show if there is
any measurement before BIOS. That is a good use case for BootGuard.
But I don't think we need to dump the PCR every time in PCR_Extend - assuming TPM
hardware is good, then it should alwa
Hi Jiewen,
The intention of such API would be to ease debugging and auditing PCR
attestation along the boot; it has been a common task while debugging several
issues and TPM configurations.
a) Configurations in which BIOS is not the S-CRTM and we need to attest what
has been measured to the TP
Some feedback:
1) I think it is OK to add Tpm2PcrReadForActiveBank() API.
But I feel we will add too much noise by dumping Tpm2PcrReadForActiveBank() in the
code every time.
I am not sure why it is needed.
What is the problem statement?
2) Below definition does not follow EDKII coding style. Please
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2858
Add debug functionality to examine TPM extend operations
performed by BIOS and inspect the PCR 00 value prior to
any BIOS measurements.
Replaced usage of EFI_D_* for DEBUG_* definitions in debug
messages.
Signed-off-by: Rodrigo Gonzalez de
Here is some initial feedback:
1) Please don't change function header Tpm2PcrEvent() and Tpm2PcrRead() in
Tpm2CommandLib.h
2) Please don't move Tpm2PcrRead() function in Tpm2Integrity.c, so that I can
know what you have changed.
3) Please add Tpm2ActivePcrRegisterRead() as the last function in
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2858
Add debug functionality to examine TPM extend operations
performed by BIOS and inspect the PCR 00 value prior to
any BIOS measurements.
Replaced usage of EFI_D_* for DEBUG_* definitions in debug
messages.
Cc: Jiewen Yao
Cc: Jian J Wang
C