I don't see how that follows - regardless of whether or not we'd like to deprecate SHA1 support, people use it. There's little value in having an incomplete event log.
On Thu, Dec 13, 2018 at 01:23:35PM +0000, Yao, Jiewen wrote:
> Right.
> I think we are trying to deprecate the old SHA1 support, because SHA1 is
> considered an insecure algorithm.
> We are moving to crypto agile. As such, we do not see the need to support
> the old style event log.
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: Laszlo Ersek [mailto:[email protected]]
> > Sent: Thursday, December 13, 2018 8:36 PM
> > To: Matthew Garrett <[email protected]>
> > Cc: [email protected]; Yao, Jiewen <[email protected]>;
> > Marc-André Lureau <[email protected]>; Stefan Berger <[email protected]>
> > Subject: Re: [edk2] Obtaining TCG final events on systems without TCG2 log support
> >
> > + Jiewen, Marc-André, Stefan
> >
> > On 12/13/18 02:17, Matthew Garrett wrote:
> > > SetupEventLog() in Tcg2Dxe.c only installs the final event log
> > > configuration table if SupportedEventLogs includes the TCG2 log format.
> > > If the platform only supports the TCG1.2 log format then the final
> > > events table isn't installed. However, ExitBootServices() should
> > > generate an event even on systems that don't support the TCG2 log
> > > format. How is an OS supposed to obtain the log of the
> > > ExitBootServices() events in that case?
> >
> > I don't think it can.
> >
> > You probably refer to the code below the comment "No need to handle
> > EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2", in SetupEventLog(). This code dates
> > back to commit fd46e831bc33 ("SecurityPkg: Update final event log
> > calculation.", 2016-01-18). And the commit message says, "... there is
> > no need to record TCG12 format log to final event log area ...".
> >
> > Hence, the code is intentional. I even think the code is valid
> > (according to the spec [*]); I just think the commit message should have
> > said, "there is no *way* to record TCG12 format log to final event log
> > area". Because, IMO, the bug is in the spec.
> >
> > [*] TCG EFI Protocol Specification
> >     Family "2.0"
> >     Level 00 Revision 00.13
> >     March 30, 2016
> >
> > Here's why I think it's a spec bug:
> >
> > (1) If EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 is *clear* in SupportedEventLogs,
> > then the platform advertises GetEventLog() as unable to produce the
> > crypto agile log format.
> >
> > In other words, the platform is unable to produce a log which consists
> > of TCG_PCR_EVENT2 entries, beyond the sole TCG_PCR_EVENT ("SHA1 format")
> > header entry.
> >
> > Accordingly, GetEventLog() will fail with EFI_INVALID_PARAMETER, when
> > called with EventLogFormat=EFI_TCG2_EVENT_LOG_FORMAT_TCG_2. (BTW, I
> > think EFI_UNSUPPORTED would have been better for this, but I digress.)
> >
> > (2) EFI_TCG2_FINAL_EVENTS_TABLE is defined with TCG_PCR_EVENT2 entries
> > *only*. TCG_PCR_EVENT is not accommodated.
> >
> > That's the contradiction. If a platform is unable to produce
> > TCG_PCR_EVENT2 entries in GetEventLog(), it is fairly certainly also
> > unable to produce them in the final events table.
> >
> > And, while the first *instance* of the limitation is conformant, via
> > SupportedEventLogs, the second instance of the same limitation isn't.
> >
> > Thanks,
> > Laszlo

-- 
Matthew Garrett | [email protected]

_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel
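To make Laszlo's point (2) concrete, here is an added example that is not from the thread or from edk2: a small C reader that walks an EFI_TCG2_FINAL_EVENTS_TABLE made of TCG_PCR_EVENT2 entries, the way an OS consuming the table would, over a constructed sample entry. The `count_final_events`, `build_sample_table` and `sample_table` names and the dummy digest bytes are this example's own assumptions; the structure layout follows the TCG EFI Protocol Specification the thread cites.

```c
#include <stdint.h>
#include <string.h>

/* Little-endian readers; UEFI on x86 lays these structures out little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
/* Digest size implied by TPMT_HA.HashAlg (TPM_ALG_SHA1 = 0x0004, TPM_ALG_SHA256 = 0x000B).
 * 0 means the reader cannot size this bank and so cannot locate the next entry. */
static size_t digest_len(uint16_t alg) { return alg == 0x0004 ? 20 : alg == 0x000B ? 32 : 0; }

/* Walk an EFI_TCG2_FINAL_EVENTS_TABLE: UINT64 Version, UINT64 NumberOfEvents, then that
 * many variable-length TCG_PCR_EVENT2 entries (PCRIndex, EventType, TPML_DIGEST_VALUES
 * {Count, TPMT_HA[Count]}, EventSize, Event[EventSize]). A fixed-size SHA1-only
 * TCG_PCR_EVENT has no place in this walk, which is the contradiction discussed above.
 * Returns the event count, or -1 if the table is truncated or a HashAlg is unknown. */
int count_final_events(const uint8_t *buf, size_t len) {
    if (len < 16) return -1;
    size_t off = 16; uint64_t n = rd64(buf + 8);
    for (uint64_t i = 0; i < n; i++) {
        if (len - off < 12) return -1;
        uint32_t count = rd32(buf + off + 8);            /* TPML_DIGEST_VALUES.Count */
        off += 12;
        for (uint32_t d = 0; d < count; d++) {
            size_t dl = len - off >= 2 ? digest_len(rd16(buf + off)) : 0;
            if (dl == 0 || len - off - 2 < dl) return -1;
            off += 2 + dl;
        }
        if (len - off < 4) return -1;
        uint32_t esz = rd32(buf + off);                   /* EventSize, then Event[] */
        if (len - off - 4 < esz) return -1;
        off += 4 + esz;
    }
    return (int)n;
}

/* Constructed sample (not real firmware output): one EV_EFI_ACTION (0x80000007) entry for
 * PCR 5 with dummy SHA1 and SHA256 digests and the ExitBootServices action string, i.e.
 * the crypto-agile shape the final events table is defined to hold. Returns its length. */
uint8_t sample_table[128];
size_t build_sample_table(void) {
    static const char action[] = "Exit Boot Services Invocation";
    static const uint8_t hdr[12] = {5,0,0,0, 0x07,0,0,0x80, 2,0,0,0};
    uint8_t *p = sample_table;
    memset(p, 0, 16); p[0] = 1; p[8] = 1; p += 16;           /* Version=1, NumberOfEvents=1 */
    memcpy(p, hdr, 12); p += 12;                              /* PCRIndex, EventType, Count */
    p[0] = 0x04; p[1] = 0; memset(p + 2, 0xAA, 20); p += 22;  /* TPM_ALG_SHA1 + 20 bytes */
    p[0] = 0x0B; p[1] = 0; memset(p + 2, 0xBB, 32); p += 34;  /* TPM_ALG_SHA256 + 32 bytes */
    memset(p, 0, 4); p[0] = (uint8_t)(sizeof action - 1); p += 4;   /* EventSize = 29 */
    memcpy(p, action, sizeof action - 1); p += sizeof action - 1;
    return (size_t)(p - sample_table);
}
```

Because every TCG_PCR_EVENT2 entry carries its own bank list, a consumer can only find the next entry if it knows every HashAlg present; a platform that cannot emit TCG_PCR_EVENT2 at all has nothing it can legally place in this table.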

