Re: [edk2] [patch v2 0/2] Remove duplicated BSD license

2019-03-12 Thread Zhang, Chao B
Reviewed-by: Chao Zhang

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Dandan Bi
Sent: Tuesday, March 12, 2019 9:20 AM
To: edk2-devel@lists.01.org
Cc: Kinney, Michael D ; Gao, Liming 

Subject: [edk2] [patch v2 0/2] Remove duplicated BSD license

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1612

V2: Keep Microsoft copyright in patch 0001, which was deleted by mistake in V1.

Cc: Michael D Kinney 
Cc: Liming Gao 
Dandan Bi (2):
  SecurityPkg: Remove duplicated BSD license
  Vlv2TbltDevicePkg: Remove duplicated BSD license

 .../Ppi/FirmwareVolumeInfoPrehashedFV.h   | 28 ++-
 .../Library/I2CLib/I2CLibNull.inf | 10 +--
 2 files changed, 3 insertions(+), 35 deletions(-)

--
2.18.0.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] [PATCH] Maintainers.txt: remove unexpected unicode BOM

2019-03-08 Thread Zhang, Chao B
Hi Jian:
Thanks for the fix.
Reviewed-by: Chao Zhang

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Jian J 
Wang
Sent: Friday, March 8, 2019 4:56 PM
To: edk2-devel@lists.01.org
Cc: Laszlo Ersek ; Yao, Jiewen ; 
Zhang, Chao B ; zh...@ml01.01.org
Subject: [edk2] [PATCH] Maintainers.txt: remove unexpected unicode BOM

The BOM was introduced by commit 6c05b958df532345a35b418b05effcf7fd51fc4e
accidentally.

Cc: Yao Jiewen 
Cc: Zhang, Chao B 
Cc: Laszlo Ersek 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jian J Wang 
---
 Maintainers.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Maintainers.txt b/Maintainers.txt index 08a676b236..61c57587a6 
100644
--- a/Maintainers.txt
+++ b/Maintainers.txt
@@ -1,4 +1,4 @@
-EDK II Maintainers
+EDK II Maintainers
 ==
 
 This file provides information about the primary maintainers for
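Review bot: Nothing visible changes in the hunk at @@ -1,4 +1,4 @@ because the only difference is the byte-order mark in front of 'EDK II Maintainers' that the subject describes; that is expected for this fix, but it also means the diff alone cannot show that the change is complete, so the commit message should say how it was verified (for instance that a hex dump of the file now starts with the bytes of 'E', 'D', 'K' rather than EF BB BF), and the editors used on this file should be set to save UTF-8 without a BOM so it does not come back.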
--
2.17.1.windows.2



Re: [edk2] [Patch] Maintainers.txt: Change package maintainer and reviewer of SecurityPkg.

2019-03-08 Thread Zhang, Chao B
Hi Laszlo:
Thanks for catching this. Sorry about the inconvenience.

From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Laszlo 
Ersek
Sent: Friday, March 8, 2019 4:02 PM
To: Zhang, Chao B ; edk2-devel@lists.01.org
Cc: Yao, Jiewen ; Gao, Liming 
Subject: Re: [edk2] [Patch] Maintainers.txt: Change package maintainer and 
reviewer of SecurityPkg.

On 03/08/19 03:56, Zhang, Chao B wrote:
> Cc: Yao Jiewen
> Cc: Jian Wang
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Zhang, Chao B
> ---
>  Maintainers.txt | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/Maintainers.txt b/Maintainers.txt
> index 7772926b2f..08a676b236 100644
> --- a/Maintainers.txt
> +++ b/Maintainers.txt
> @@ -1,6 +1,6 @@
> -EDK II Maintainers
> +EDK II Maintainers
>  ==

This hunk (which is now part of commit 6c05b958df53) is incorrect. It
adds a UTF-8 BOM to the beginning of the file.

Please remove the BOM urgently, before the stable tag.

Thanks
Laszlo

>
>  This file provides information about the primary maintainers for
>  EDK II.
>
> @@ -237,10 +237,11 @@ M: Kelly Steele 
> mailto:kelly.ste...@intel.com>>
>
>  SecurityPkg
>  W: https://github.com/tianocore/tianocore.github.io/wiki/SecurityPkg
>  M: Chao Zhang mailto:chao.b.zh...@intel.com>>
>  M: Jiewen Yao mailto:jiewen@intel.com>>
> +M: Jian Wang mailto:jian.j.w...@intel.com>>
>
>  ShellBinPkg
>  W: https://github.com/tianocore/tianocore.github.io/wiki/ShellPkg
>  M: Jaben Carsey mailto:jaben.car...@intel.com>>  
> (Ia32/X64)
>  M: Ray Ni mailto:ray...@intel.com>>  (Ia32/X64)
>



[edk2] [Patch] Maintainers.txt: Change package maintainer and reviewer of SecurityPkg.

2019-03-07 Thread Zhang, Chao B
Cc: Yao Jiewen 
Cc: Jian Wang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B 
---
 Maintainers.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Maintainers.txt b/Maintainers.txt
index 7772926b2f..08a676b236 100644
--- a/Maintainers.txt
+++ b/Maintainers.txt
@@ -1,6 +1,6 @@
-EDK II Maintainers
+EDK II Maintainers
 ==
 
 This file provides information about the primary maintainers for
 EDK II.
 
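Review bot: In the hunk at @@ -1,6 +1,6 @@ the removed and added 'EDK II Maintainers' lines are identical on screen, which is exactly what adding an invisible byte-order mark looks like in a diff; nothing in the subject asks for an encoding change, so this hunk should be dropped and the file left starting with the plain bytes of 'EDK II Maintainers' (a hex dump of the first three bytes before sending catches this).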
@@ -237,10 +237,11 @@ M: Kelly Steele 
 
 SecurityPkg
 W: https://github.com/tianocore/tianocore.github.io/wiki/SecurityPkg
 M: Chao Zhang 
 M: Jiewen Yao 
+M: Jian Wang 
 
 ShellBinPkg
 W: https://github.com/tianocore/tianocore.github.io/wiki/ShellPkg
 M: Jaben Carsey   (Ia32/X64)
 M: Ray Ni   (Ia32/X64)
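Review bot: The subject says both the maintainer and the reviewer of SecurityPkg change, but the hunk at @@ -237,10 +237,11 @@ only adds 'M: Jian Wang' under the two existing M: entries and removes nothing; if Jian Wang is joining as a reviewer rather than as a third maintainer, the entry should use the file's reviewer key rather than M:, and in either case the subject should say an entry is being added rather than changed.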
-- 
2.16.2.windows.1



Re: [edk2] [PATCH] UefiCpuPkg/Microcode: Fix incorrect checksum issue for extended table

2019-02-18 Thread Zhang, Chao B
Chen Chen:
   I think you can add uCode format info into comments. Also please highlight in comments which part is the header checksum calculation and which part is for the extended header.

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Chen A 
Chen
Sent: Monday, February 18, 2019 1:54 PM
To: edk2-devel@lists.01.org
Cc: Dong, Eric 
Subject: [edk2] [PATCH] UefiCpuPkg/Microcode: Fix incorrect checksum issue for 
extended table

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1020

The following Microcode payload format is defined in the SDM spec.
Payload: |MicrocodeHeader|MicrocodeBinary|ExtendedHeader|ExtendedTable|.
When we verify the CheckSum32 with ExtendedTable, we should use the fields of 
ExtendedTable to replace the corresponding fields in MicrocodeHeader, and then 
calculate the CheckSum32 with MicrocodeHeader+MicrocodeBinary.
This patch has already been verified on the ICL platform.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chen A Chen 
Cc: Ray Ni 
Cc: Eric Dong 
---
 UefiCpuPkg/Library/MpInitLib/Microcode.c | 38 
 1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/UefiCpuPkg/Library/MpInitLib/Microcode.c 
b/UefiCpuPkg/Library/MpInitLib/Microcode.c
index d84344c6f5..38880cdbec 100644
--- a/UefiCpuPkg/Library/MpInitLib/Microcode.c
+++ b/UefiCpuPkg/Library/MpInitLib/Microcode.c
@@ -57,6 +57,7 @@ MicrocodeDetect (
   UINT32  LatestRevision;
   UINTN   TotalSize;
   UINT32  CheckSum32;
+  UINT32  InCompleteCheckSum32;
   BOOLEAN CorrectMicrocode;
   VOID*MicrocodeData;
   MSR_IA32_PLATFORM_ID_REGISTER   PlatformIdMsr;
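Review bot: Style point on the new local in the hunk at @@ -57,6 +57,7 @@: 'InCompleteCheckSum32' reads as two words, and 'PartialCheckSum32' (or at least 'IncompleteCheckSum32') would say what it holds; a one-line comment at the declaration that it is the header+data sum minus the three fields an extended entry overrides would spare readers the trip to where it is computed.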
@@ -121,6 +122,26 @@ MicrocodeDetect (
   MicrocodeData  = NULL;
   MicrocodeEnd = (UINTN) (CpuMpData->MicrocodePatchAddress + 
CpuMpData->MicrocodePatchRegionSize);
   MicrocodeEntryPoint = (CPU_MICROCODE_HEADER *) (UINTN) 
CpuMpData->MicrocodePatchAddress;
+
+  //
+  // To avoid double calculate checksum32 value.
+  // Save the CheckSum32 of the common parts in advance.
+  //
+  if (MicrocodeEntryPoint->DataSize == 0) {
+InCompleteCheckSum32 = CalculateSum32 (
+ (UINT32 *) MicrocodeEntryPoint,
+ sizeof (CPU_MICROCODE_HEADER) + 2000
+ );
+  } else {
+InCompleteCheckSum32 = CalculateSum32 (
+ (UINT32 *) MicrocodeEntryPoint,
+ sizeof (CPU_MICROCODE_HEADER) + 
MicrocodeEntryPoint->DataSize
+ );
+  }
+  InCompleteCheckSum32 -= 
+ MicrocodeEntryPoint->ProcessorSignature.Uint32;
+  InCompleteCheckSum32 -= MicrocodeEntryPoint->ProcessorFlags;
+  InCompleteCheckSum32 -= MicrocodeEntryPoint->Checksum;
+
   do {
 //
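Review bot: The new block in the hunk at @@ -121,6 +122,26 @@ sums sizeof (CPU_MICROCODE_HEADER) + DataSize (or 2000) bytes starting at MicrocodePatchAddress before anything has checked that this range lies inside MicrocodeEnd, which is computed two lines above; a truncated or corrupt patch region with a large DataSize would make CalculateSum32 read past the region, so the length should be compared against MicrocodeEnd first. The literal 2000 is meant to pair with the 2048 being removed further down (a default-size update is the header plus 2000 data bytes); a named constant would keep the two from drifting apart.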
 // Check if the microcode is for the Cpu and the version is newer @@ 
-137,14 +158,10 @@ MicrocodeDetect (
   MicrocodeEntryPoint->UpdateRevision > LatestRevision &&
   (MicrocodeEntryPoint->ProcessorFlags & (1 << PlatformId))
   ) {
-if (MicrocodeEntryPoint->DataSize == 0) {
-  CheckSum32 = CalculateSum32 ((UINT32 *) MicrocodeEntryPoint, 2048);
-} else {
-  CheckSum32 = CalculateSum32 (
- (UINT32 *) MicrocodeEntryPoint,
- MicrocodeEntryPoint->DataSize + sizeof 
(CPU_MICROCODE_HEADER)
- );
-}
+CheckSum32 = InCompleteCheckSum32;
+CheckSum32 += MicrocodeEntryPoint->ProcessorSignature.Uint32;
+CheckSum32 += MicrocodeEntryPoint->ProcessorFlags;
+CheckSum32 += MicrocodeEntryPoint->Checksum;
 if (CheckSum32 == 0) {
   CorrectMicrocode = TRUE;
   ProcessorFlags = MicrocodeEntryPoint->ProcessorFlags;
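Review bot: After this hunk the branch no longer touches the bytes of the entry it is judging; that is equivalent to the removed code only when InCompleteCheckSum32 was computed from the same MicrocodeEntryPoint, yet the sum is taken once before the do loop while the signature, revision and flags tests here run per entry, so if the loop advances MicrocodeEntryPoint to a later patch the cached value belongs to the first one. Computing the partial sum here, after a candidate has passed the three tests, keeps it per entry and also avoids summing patches that are skipped anyway.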
@@ -171,7 +188,10 @@ MicrocodeDetect (
   ExtendedTableCount = ExtendedTableHeader->ExtendedSignatureCount;
   ExtendedTable  = (CPU_MICROCODE_EXTENDED_TABLE *) 
(ExtendedTableHeader + 1);
   for (Index = 0; Index < ExtendedTableCount; Index ++) {
-CheckSum32 = CalculateSum32 ((UINT32 *) ExtendedTable, 
sizeof(CPU_MICROCODE_EXTENDED_TABLE));
+CheckSum32 = InCompleteCheckSum32;
+CheckSum32 += ExtendedTable->ProcessorSignature.Uint32;
+CheckSum32 += ExtendedTable->ProcessorFlag;
+CheckSum32 += ExtendedTable->Checksum;
 if (CheckSum32 == 0) {
   //
   // Verify Header
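Review bot: The replacement is the correct rule for an extended signature (the header's ProcessorSignature, ProcessorFlags and Checksum are swapped for the entry's and the header+data sum must still be zero), whereas the removed line summed only the extended entry itself; what is missing is the comment asked for in the reply above, and since the same three-field substitution now appears here and in the primary-signature path, a small static helper taking the partial sum and the three fields would document the rule once and keep both sites identical (the differing field names ProcessorFlag and ProcessorFlags make a shared helper worth having).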
--
2.16.2.windows.1
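
The substitution rule the commit message describes, as an added example in C (not edk2's code; the three struct layouts mirror CPU_MICROCODE_HEADER, CPU_MICROCODE_EXTENDED_TABLE_HEADER and CPU_MICROCODE_EXTENDED_TABLE as the patch uses them, and the microcode image is constructed inside the block): the header+data sum is taken once, the header's ProcessorSignature, ProcessorFlags and Checksum are subtracted, and each extended entry's own three fields are added back in their place, with every length bounded against the buffer before anything is summed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layouts mirror CPU_MICROCODE_HEADER, CPU_MICROCODE_EXTENDED_TABLE_HEADER and
 * CPU_MICROCODE_EXTENDED_TABLE from the patch: all dwords, no padding.  Checksum
 * fields are chosen by the producer so the covered dwords sum to zero; ProcessorFlags
 * bit N means "valid for platform id N"; DataSize 0 means 2000 data bytes, 2048 total. */
typedef struct {
  uint32_t HeaderVersion, UpdateRevision, Date, ProcessorSignature, Checksum;
  uint32_t LoaderRevision, ProcessorFlags, DataSize, TotalSize;
  uint8_t  Reserved[12];
} MICROCODE_HEADER;                                  /* 48 bytes */
typedef struct { uint32_t ExtendedSignatureCount, ExtendedChecksum; uint8_t Reserved[12]; }
  MICROCODE_EXT_HEADER;                              /* 20 bytes */
typedef struct { uint32_t ProcessorSignature, ProcessorFlag, Checksum; }
  MICROCODE_EXT_ENTRY;                               /* 12 bytes */

#define DEFAULT_DATA_SIZE  2000u
#define DEFAULT_TOTAL_SIZE 2048u

/* Wrap-around sum of whole dwords (what CalculateSum32 does), alignment-safe. */
static uint32_t sum32(const uint8_t *p, size_t len) {
  uint32_t s = 0, w;
  for (size_t i = 0; i + 4 <= len; i += 4) { memcpy(&w, p + i, 4); s += w; }
  return s;
}

/* 0: primary signature matches cpu_sig for platform_id; n >= 1: n-th extended
 * entry matches; -1: no match, malformed image, or checksum failure.  The
 * header+data sum is taken once, the header's three fields are subtracted (the
 * patch's InCompleteCheckSum32) and each extended entry's fields are added back. */
int microcode_match(const uint8_t *buf, size_t buflen, uint32_t cpu_sig, unsigned platform_id) {
  MICROCODE_HEADER hdr;
  if (platform_id > 31 || buflen < sizeof hdr) return -1;
  memcpy(&hdr, buf, sizeof hdr);
  if (hdr.HeaderVersion != 1) return -1;
  uint32_t dsz = hdr.DataSize ? hdr.DataSize : DEFAULT_DATA_SIZE;
  uint32_t tsz = hdr.DataSize ? hdr.TotalSize : DEFAULT_TOTAL_SIZE;
  size_t   hd  = sizeof hdr + (size_t)dsz;           /* header + data bytes */
  /* Bound every length against the buffer before summing a single byte. */
  if (dsz % 4 != 0 || hd > tsz || tsz > buflen) return -1;
  uint32_t partial = sum32(buf, hd) - hdr.ProcessorSignature - hdr.ProcessorFlags - hdr.Checksum;
  uint32_t mask = 1u << platform_id;
  if (hdr.ProcessorSignature == cpu_sig && (hdr.ProcessorFlags & mask))
    return (partial + hdr.ProcessorSignature + hdr.ProcessorFlags + hdr.Checksum) == 0 ? 0 : -1;
  if (tsz == hd) return -1;                           /* no extended signature table */
  MICROCODE_EXT_HEADER eh;
  size_t ext_len = tsz - hd;
  if (ext_len < sizeof eh) return -1;
  memcpy(&eh, buf + hd, sizeof eh);
  if (eh.ExtendedSignatureCount > (ext_len - sizeof eh) / sizeof(MICROCODE_EXT_ENTRY)) return -1;
  size_t table_len = sizeof eh + (size_t)eh.ExtendedSignatureCount * sizeof(MICROCODE_EXT_ENTRY);
  if (sum32(buf + hd, table_len) != 0) return -1;     /* the table's own checksum */
  for (uint32_t i = 0; i < eh.ExtendedSignatureCount; i++) {
    MICROCODE_EXT_ENTRY e;
    memcpy(&e, buf + hd + sizeof eh + (size_t)i * sizeof e, sizeof e);
    if (e.ProcessorSignature != cpu_sig || !(e.ProcessorFlag & mask)) continue;
    return (partial + e.ProcessorSignature + e.ProcessorFlag + e.Checksum) == 0 ? (int)i + 1 : -1;
  }
  return -1;
}

/* Constructed sample image: header, 64 data bytes, and an extended table with one
 * entry; all three checksums are computed so the image verifies. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
  const uint32_t dsz = 64;
  size_t hd = sizeof(MICROCODE_HEADER) + dsz;
  size_t total = hd + sizeof(MICROCODE_EXT_HEADER) + sizeof(MICROCODE_EXT_ENTRY);
  if (cap < total) return 0;
  memset(buf, 0, total);
  for (size_t i = 0; i < dsz; i++) buf[sizeof(MICROCODE_HEADER) + i] = (uint8_t)(0xA5 ^ i);
  MICROCODE_HEADER hdr = { .HeaderVersion = 1, .UpdateRevision = 0xB4, .Date = 0x01152019,
                           .ProcessorSignature = 0x000906EA, .ProcessorFlags = 1u << 0,
                           .DataSize = dsz, .TotalSize = (uint32_t)total };
  memcpy(buf, &hdr, sizeof hdr);
  hdr.Checksum = 0u - sum32(buf, hd);                 /* primary: full sum becomes 0 */
  memcpy(buf, &hdr, sizeof hdr);
  uint32_t partial = sum32(buf, hd) - hdr.ProcessorSignature - hdr.ProcessorFlags - hdr.Checksum;
  MICROCODE_EXT_ENTRY e = { .ProcessorSignature = 0x000906EB, .ProcessorFlag = 1u << 1 };
  e.Checksum = 0u - (partial + e.ProcessorSignature + e.ProcessorFlag);
  MICROCODE_EXT_HEADER eh = { .ExtendedSignatureCount = 1 };
  memcpy(buf + hd, &eh, sizeof eh);
  memcpy(buf + hd + sizeof eh, &e, sizeof e);
  eh.ExtendedChecksum = 0u - sum32(buf + hd, sizeof eh + sizeof e);
  memcpy(buf + hd, &eh, sizeof eh);
  return total;
}

/* Build the sample, optionally flip the byte at corrupt_offset (-1: none), and
 * look up cpu_sig/platform_id in it. */
int sample_match(uint32_t cpu_sig, unsigned platform_id, int corrupt_offset) {
  uint8_t img[256];
  size_t n = build_sample_image(img, sizeof img);
  if (n == 0) return -2;
  if (corrupt_offset >= 0 && (size_t)corrupt_offset < n) img[corrupt_offset] ^= 0x01;
  return microcode_match(img, n, cpu_sig, platform_id);
}
```

In the sample, offset 60 lies in the data bytes (so both the primary and the extended lookup fail) and offset 132 is inside the extended entry (so only the extended lookup fails).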


Re: [edk2] [PATCH] MdeModulePkg/CapsuleApp: Fix memory leak issue.

2019-02-11 Thread Zhang, Chao B
Chen Chen:
   Please add a FileInfoBuffer[Index] NULL check before the free.
 
-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Chen A 
Chen
Sent: Monday, February 11, 2019 2:17 PM
To: edk2-devel@lists.01.org
Cc: Wu, Hao A ; Gao, Liming ; Zhang, 
Chao B 
Subject: [edk2] [PATCH] MdeModulePkg/CapsuleApp: Fix memory leak issue.

This issue is caused by the FileInfoBuffer variable. This is a pointer array and 
each element also points to a memory buffer that is allocated and returned by 
the AllocateCopyPool function.

Cc: Jian J Wang 
Cc: Hao Wu 
Cc: Zhang Chao B 
Cc: Liming Gao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chen A Chen 
---
 MdeModulePkg/Application/CapsuleApp/CapsuleDump.c | 81 ---
 1 file changed, 56 insertions(+), 25 deletions(-)

diff --git a/MdeModulePkg/Application/CapsuleApp/CapsuleDump.c 
b/MdeModulePkg/Application/CapsuleApp/CapsuleDump.c
index 7bef5a1378..00cf45d66a 100644
--- a/MdeModulePkg/Application/CapsuleApp/CapsuleDump.c
+++ b/MdeModulePkg/Application/CapsuleApp/CapsuleDump.c
@@ -806,48 +806,69 @@ DumpCapsuleFromDisk (
   Status = Fs->OpenVolume (Fs, );
   if (EFI_ERROR (Status)) {
 Print (L"Cannot open volume. Status = %r\n", Status);
-return EFI_NOT_FOUND;
+goto Done;
   }
 
   Status = Root->Open (Root, , EFI_CAPSULE_FILE_DIRECTORY, 
EFI_FILE_MODE_READ | EFI_FILE_MODE_WRITE , 0);
   if (EFI_ERROR (Status)) {
 Print (L"Cannot open %s. Status = %r\n", EFI_CAPSULE_FILE_DIRECTORY, 
Status);
-return EFI_NOT_FOUND;
+goto Done;
   }
 
   //
   // Get file count first
   //
-  for ( Status = FileHandleFindFirstFile (DirHandle, )
-  ; !EFI_ERROR(Status) && !NoFile
-  ; Status = FileHandleFindNextFile (DirHandle, FileInfo, )
- ){
-if ((FileInfo->Attribute & (EFI_FILE_SYSTEM | EFI_FILE_ARCHIVE)) == 0) {
-  continue;
+  do {
+Status = FileHandleFindFirstFile (DirHandle, );
+if (EFI_ERROR (Status) || FileInfo == NULL) {
+  Print (L"Get File Info Fail. Status = %r\n", Status);
+  goto Done;
 }
-FileCount++;
-  }
+
+if ((FileInfo->Attribute & (EFI_FILE_SYSTEM | EFI_FILE_ARCHIVE)) != 0) {
+  FileCount++;
+}
+
+Status = FileHandleFindNextFile (DirHandle, FileInfo, );
+if (EFI_ERROR (Status)) {
+  Print (L"Get Next File Fail. Status = %r\n", Status);
+  goto Done;
+}
+  } while (!NoFile);
 
   if (FileCount == 0) {
 Print (L"Error: No capsule file found!\n");
-return EFI_NOT_FOUND;
+Status = EFI_NOT_FOUND;
+goto Done;
   }
 
   FileInfoBuffer = AllocatePool (sizeof(FileInfo) * FileCount);
+  if (FileInfoBuffer == NULL) {
+Status = EFI_OUT_OF_RESOURCES;
+goto Done;
+  }
   NoFile = FALSE;
 
   //
   // Get all file info
   //
-  for ( Status = FileHandleFindFirstFile (DirHandle, )
-  ; !EFI_ERROR (Status) && !NoFile
-  ; Status = FileHandleFindNextFile (DirHandle, FileInfo, )
- ){
-if ((FileInfo->Attribute & (EFI_FILE_SYSTEM | EFI_FILE_ARCHIVE)) == 0) {
-  continue;
+  do {
+Status = FileHandleFindFirstFile (DirHandle, );
+if (EFI_ERROR (Status) || FileInfo == NULL) {
+  Print (L"Get File Info Fail. Status = %r\n", Status);
+  goto Done;
 }
-FileInfoBuffer[Index++] = AllocateCopyPool ((UINTN)FileInfo->Size, 
FileInfo);
-  }
+
+if ((FileInfo->Attribute & (EFI_FILE_SYSTEM | EFI_FILE_ARCHIVE)) != 0) {
+  FileInfoBuffer[Index++] = AllocateCopyPool ((UINTN)FileInfo->Size, 
FileInfo);
+}
+
+Status = FileHandleFindNextFile (DirHandle, FileInfo, );
+if (EFI_ERROR (Status)) {
+  Print (L"Get Next File Fail. Status = %r\n", Status);
+  goto Done;
+}
+  } while (!NoFile);
 
   //
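Review bot: Both new do/while loops in the hunk at @@ -806,48 +806,69 @@ call FileHandleFindFirstFile inside the loop body, so every iteration restarts the directory enumeration: the entry that FileHandleFindNextFile returned at the end of one pass is discarded by the FindFirstFile at the start of the next, the count and the FileInfoBuffer fill never get past the first entries, and the loop only terminates if NoFile is set right after the first file. The FindFirstFile call (with its error and NULL check) belongs before 'do {', as in the for loops being removed, with only FindNextFile inside. In the second loop, 'FileInfoBuffer[Index++] = AllocateCopyPool (...)' should also be guarded by 'Index < FileCount' (the directory can change between the two passes and FileCount sized the buffer) and the AllocateCopyPool result checked for NULL before moving on.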
   // Sort FileInfoBuffer by alphabet order @@ -866,7 +887,8 @@ 
DumpCapsuleFromDisk (
   }
 
   if (!DumpCapsuleInfo) {
-return EFI_SUCCESS;
+Status = EFI_SUCCESS;
+goto Done;
   }
 
   Print(L"The infomation of the capsules:\n"); @@ -875,19 +897,20 @@ 
DumpCapsuleFromDisk (
 FileHandle = NULL;
 Status = DirHandle->Open (DirHandle, , 
FileInfoBuffer[Index]->FileName, EFI_FILE_MODE_READ, 0);
 if (EFI_ERROR (Status)) {
-  break;
+  goto Done;
 }
 
 Status = FileHandleGetSize (FileHandle, (UINT64 *) );
 if (EFI_ERROR (Status)) {
   Print (L"Cannot read file %s. Status = %r\n", 
FileInfoBuffer[Index]->FileName, Status);
   FileHandleClose (FileHandle);
-  return Status;
+  goto Done;
 }
 
 FileBuffer = AllocatePool (FileSize);
 if (FileBuffer == NULL) {
-  return RETURN_OUT_OF_RESOURCES;
+  Status = EFI_OUT_OF_RESOURCES;
+  goto Done;
 }
 
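Review bot: In the hunk at @@ -875,19 +897,20 @@ the FileHandleGetSize failure path closes FileHandle before 'goto Done', but the new AllocatePool failure path just below sets Status and jumps to Done with FileHandle still open; either close it there as well, or let the Done label close FileHandle when it is non-NULL (FileHandle is reset to NULL at the top of each iteration, so Done can tell whether one is open).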
 Status = FileHandleRead (FileHandle, , FileBuffer); @@ -895,7 
+918,7 @@ DumpCapsuleFromDisk (
   Print (L"Cannot read file %s. Status = %r\n", 
FileIn

[edk2] [Patch 2/2] MdeModulePkg:Tpm2Acpi.h: Upgrade UEFI supporting TCG spec info

2019-01-25 Thread Zhang, Chao B
Update "TCG ACPI Specification Level 00 Revision 00.37" to "TCG ACPI 
Specification 1.2 Revision 8"
https://trustedcomputinggroup.org/wp-content/uploads/TCG_ACPIGeneralSpecification_v1.20_r8.pdf

Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Yao Jiewen 
Signed-off-by: Zhang, Chao B 
---
 MdePkg/Include/IndustryStandard/Tpm2Acpi.h | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/MdePkg/Include/IndustryStandard/Tpm2Acpi.h 
b/MdePkg/Include/IndustryStandard/Tpm2Acpi.h
index 6b8161e6a6..6bae0a0aa5 100644
--- a/MdePkg/Include/IndustryStandard/Tpm2Acpi.h
+++ b/MdePkg/Include/IndustryStandard/Tpm2Acpi.h
@@ -1,9 +1,9 @@
 /** @file
   TPM2 ACPI table definition.
 
-Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved. 
+Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved. 
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -29,17 +29,20 @@ typedef struct {
   //BIT0~15:  PlatformClass  This field is only valid for version 4 
and above
   //BIT16~31: Reserved
   UINT32  Flags;
   UINT64  AddressOfControlArea;
   UINT32  StartMethod;
-//UINT8   PlatformSpecificParameters[];
+//UINT8   PlatformSpecificParameters[];  // size up to 12
+//UINT32  Laml;  // Optional
+//UINT32  Lasa;  // Optional
 } EFI_TPM2_ACPI_TABLE;
 
 #define EFI_TPM2_ACPI_TABLE_START_METHOD_ACPI  
2
 #define EFI_TPM2_ACPI_TABLE_START_METHOD_TIS   
6
 #define EFI_TPM2_ACPI_TABLE_START_METHOD_COMMAND_RESPONSE_BUFFER_INTERFACE 
7
 #define 
EFI_TPM2_ACPI_TABLE_START_METHOD_COMMAND_RESPONSE_BUFFER_INTERFACE_WITH_ACPI   8
+#define 
EFI_TPM2_ACPI_TABLE_START_METHOD_COMMAND_RESPONSE_BUFFER_INTERFACE_WITH_SMC
11
 
 typedef struct {
   UINT32   Reserved;
   UINT32   Error;
   UINT32   Cancel;
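Review bot: The hunk at @@ -29,17 +29,20 @@ documents Laml and Lasa as optional trailing fields behind the variable-size PlatformSpecificParameters, which is why they stay commented out of EFI_TPM2_ACPI_TABLE; it would help consumers to state in the same comment which table revision and minimum Length make them present, since a reader of the table has to derive their offset from the header Length rather than from the struct.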
-- 
2.16.2.windows.1



[edk2] [Patch 0/2] Update UEFI supporting TCG spec info

2019-01-25 Thread Zhang, Chao B
Update UEFI supporting TCG spec info

Zhang, Chao B (2):
  SecurityPkg/TCG: Upgrade UEFI supporting TCG spec info
  MdeModulePkg:Tpm2Acpi.h: Upgrade UEFI supporting TCG spec info

 MdePkg/Include/IndustryStandard/Tpm2Acpi.h | 7 +--
 SecurityPkg/SecurityPkg.dec| 2 +-
 SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf| 4 +++-
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf| 6 --
 4 files changed, 13 insertions(+), 6 deletions(-)

-- 
2.16.2.windows.1



[edk2] [Patch 1/2] SecurityPkg/TCG: Upgrade UEFI supporting TCG spec info

2019-01-25 Thread Zhang, Chao B
Update "TCG ACPI Specification Level 00 Revision 00.37" to "TCG ACPI 
Specification 1.2 Revision 8"
https://trustedcomputinggroup.org/wp-content/uploads/TCG_ACPIGeneralSpecification_v1.20_r8.pdf

Upgrade "TCG PC Client Platform Physical Presence Interface Specification 
Version 1.3 Revision 0.52" to Errata Version 0.4
https://trustedcomputinggroup.org/wp-content/uploads/Errata-Version-0.4-for-TCG-PC-Client-Platform-Physical-Presence-Interface-Version-1.30-Revision-0.52.pdf

Upgrade "TCG EFI Protocol Specification for Family 2.0 Level 00" to Errata 0.5
https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-Errata-v.5.pdf

Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Yao Jiewen 
Signed-off-by: Zhang, Chao B 
---
 SecurityPkg/SecurityPkg.dec | 2 +-
 SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf | 4 +++-
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf | 6 --
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 2708e7953c..7ae42ea150 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -403,11 +403,11 @@
   # When it is configured to Dynamic or DynamicEx, it can be set through 
detection using
   # a platform-specific method (e.g. Button pressed) in a actual platform in 
early boot phase.
   # @Prompt A physical presence user status
   
gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|FALSE|BOOLEAN|0x00010019
 
-  ## Indicate the TPM2 ACPI table revision. Rev 4 is defined in TCG ACPI 
Specification Rev 00.37.
+  ## Indicate the TPM2 ACPI table revision. Rev 4 has been defined since TCG 
ACPI Specification Rev 00.37.
   # To support configuring from setup page, this PCD can be DynamicHii type 
and map to a setup option.
   # For example, map to TCG2_VERSION.Tpm2AcpiTableRev to be configured by 
Tcg2ConfigDxe driver.
   # 
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L"TCG2_VERSION"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
   # @Prompt Revision of TPM2 ACPI table.
   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|3|UINT8|0x0001001A
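Review bot: Documentation point on the hunk at @@ -403,11 +403,11 @@: the PCD help text now says revision 4 has been defined "since" TCG ACPI Specification Rev 00.37 while the rest of this series moves the spec references to Version 1.2 Revision 8; naming the current specification here as well keeps the setup-page help and the module headers consistent.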
diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf 
b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
index 87f0492750..49402d902c 100644
--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
@@ -4,19 +4,21 @@
 #  Spec Compliance Info:
 #"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 1.03 v51"
 #  along with
 #"Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 1.03"
 #"TCG EFI Protocol Specification" "Family 2.0" "Level 00 Revision 00.13"
+#  along with
+#"Errata Version 0.5 for TCG EFI Protocol Specification"
 #
 #  This module will produce Tcg2 protocol and measure boot environment.
 #
 #  Caution: This module requires additional review when modified.
 #  This driver will have external input - PE/COFF image.
 #  This external input must be validated carefully to avoid security issue like
 #  buffer overflow, integer overflow.
 #
-# Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
+# Copyright (c) 2015 - 2019, Intel Corporation. All rights reserved.
 # This program and the accompanying materials
 # are licensed and made available under the terms and conditions of the BSD 
License
 # which accompanies this distribution. The full text of the license may be 
found at
 # http://opensource.org/licenses/bsd-license.php
 # THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf 
b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
index 97cec443e4..cc5768294d 100644
--- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
+++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
@@ -1,11 +1,13 @@
 ## @file
 #  Provides ACPI methods for TPM 2.0 support
 #
 #  Spec Compliance Info:
-# "TCG ACPI Specification Level 00 Revision 00.37"
+# "TCG ACPI Specification Version 1.2 Revision 8"
 # "Physical Presence Interface Specification Version 1.30 Revision 00.52"
+#   along with
+# "Errata Version 0.4 for TCG PC Client Platform Physical Presence 
Interface Specification"
 # "Platform Reset Attack Mitigation Specification Version 1.00"
 #TPM2.0 ACPI device object
 # "TCG PC Client Platform Firmware Profile Specification for TPM Family 
2.0 Level 00 Revision 1.03 v51"
 #   along with
 # "Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 1.03"
@@ -16,11 +18,11 @@
 #
 #  Caution: This module requires additional review when modified.
 #  This driver will have external input - variable and ACPINvs data in SMM 
mode.
 #  This external input must be validated carefully to avoid security issue.
 #
-# Copyright (c) 2015 - 2018, Intel Corporation. All

Re: [edk2] [PATCH 1/3] MdeModulePkg/CapsuleApp: Refine code logic of parsing parameter.

2019-01-24 Thread Zhang, Chao B
Jiewen & Liming:
   It is a problem. Unlike UiApp, CapsuleApp is supposed to run in Shell. 
ShellLib provides standard parameter parsing support.
Any suggestion on this?

From: Yao, Jiewen
Sent: Friday, January 25, 2019 2:25 PM
To: Chen, Chen A ; edk2-devel@lists.01.org
Cc: Wu, Hao A ; Zhang, Chao B 
Subject: RE: [edk2] [PATCH 1/3] MdeModulePkg/CapsuleApp: Refine code logic of 
parsing parameter.

Hey
I don't think MdeModulePkg can depend on ShellPkg.

That is why we do not use ShellLib in the first version.

Do we change the package dependency rule?

Thank you
Yao Jiewen

> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Chen A Chen
> Sent: Friday, January 25, 2019 2:14 PM
> To: edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
> Cc: Wu, Hao A mailto:hao.a...@intel.com>>; Zhang, Chao B
> mailto:chao.b.zh...@intel.com>>
> Subject: [edk2] [PATCH 1/3] MdeModulePkg/CapsuleApp: Refine code logic
> of parsing parameter.
>
> BZ:https://bugzilla.tianocore.org/show_bug.cgi?id=1482
>
> No change functionality, use ShellLib to parsing command line.
>
> Cc: Jian J Wang mailto:jian.j.w...@intel.com>>
> Cc: Hao Wu mailto:hao.a...@intel.com>>
> Cc: Zhang Chao B mailto:chao.b.zh...@intel.com>>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chen A Chen 
> mailto:chen.a.c...@intel.com>>
> ---
>  MdeModulePkg/Application/CapsuleApp/CapsuleApp.c   | 433
> +++--
>  MdeModulePkg/Application/CapsuleApp/CapsuleApp.inf |   2 +
>  2 files changed, 236 insertions(+), 199 deletions(-)
>
> diff --git a/MdeModulePkg/Application/CapsuleApp/CapsuleApp.c
> b/MdeModulePkg/Application/CapsuleApp/CapsuleApp.c
> index 4d907242f3..acae0fe261 100644
> --- a/MdeModulePkg/Application/CapsuleApp/CapsuleApp.c
> +++ b/MdeModulePkg/Application/CapsuleApp/CapsuleApp.c
> @@ -27,6 +27,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>
>  #define CAPSULE_HEADER_SIZE  0x20
>
> @@ -39,15 +40,27 @@
>
>  #define MAX_CAPSULE_NUM 10
>
> -extern UINTN  Argc;
> -extern CHAR16 **Argv;
> -
>  //
>  // Define how many block descriptors we want to test with.
>  //
>  UINTN  NumberOfDescriptors = 1;
> -UINTN  CapsuleFirstIndex;
> -UINTN  CapsuleLastIndex;
> +
> +STATIC CONST SHELL_PARAM_ITEM ParamList[] = {
> +  {L"-C", TypeFlag},
> +  {L"-E", TypeFlag},
> +  {L"-S", TypeFlag},
> +
> +  {L"-NR", TypeFlag},
> +
> +  {L"-G", TypeValue},
> +  {L"-O", TypeValue},
> +  {L"-N", TypeValue},
> +  {L"-D", TypeValue},
> +  {L"-P", TypeValue},
> +  {L"-I", TypeValue},
> +
> +  {NULL, TypeMax}
> +  };
>
>  /**
>Dump capsule information
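Review bot: The ParamList table in the hunk at @@ -39,15 +40,27 @@ is undocumented: a one-line comment per option saying what it does and, for the TypeValue entries, what the value is (a file name, a number) would make the table self-explanatory, and it should spell out that -N (takes a value) and -NR (a flag) are distinct options despite the shared prefix.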
> @@ -161,13 +174,12 @@ GetArg (
>  **/
>  EFI_STATUS
>  CreateBmpFmp (
> -  VOID
> +  IN CHAR16 *BmpName,
> +  IN CHAR16
> *OutputCapsuleName
>)
>  {
> -  CHAR16
> *OutputCapsuleName;
>VOID  *BmpBuffer;
>UINTN FileSize;
> -  CHAR16*BmpName;
>UINT8
> *FullCapsuleBuffer;
>UINTN
> FullCapsuleBufferSize;
>EFI_DISPLAY_CAPSULE   *DisplayCapsule;
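Review bot: The hunk at @@ -161,13 +174,12 @@ gives CreateBmpFmp two IN CHAR16 * parameters but the doxygen block that ends at '**/' just above it is unchanged; add @param[in] BmpName and @param[in] OutputCapsuleName entries there (the same applies to CreateNestedFmp further down).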
> @@ -191,22 +203,10 @@ CreateBmpFmp (
>// HorizontalResolution >= BMP_IMAGE_HEADER.PixelWidth
>// VerticalResolution   >= BMP_IMAGE_HEADER.PixelHeight
>
> -  if (Argc != 5) {
> -Print(L"CapsuleApp: Incorrect parameter count.\n");
> -return EFI_UNSUPPORTED;
> -  }
> -
> -  if (StrCmp(Argv[3], L"-O") != 0) {
> -Print(L"CapsuleApp: NO output capsule name.\n");
> -return EFI_UNSUPPORTED;
> -  }
> -  OutputCapsuleName = Argv[4];
> -
>BmpBuffer = NULL;
>FileSize = 0;
>FullCapsuleBuffer = NULL;
>
> -  BmpName = Argv[2];
>Status = ReadFileToBuffer(BmpName, , );
>if (EFI_ERROR(Status)) {
>  Print(L"CapsuleApp: BMP image (%s) is not found.\n", BmpName);
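Review bot: This hunk removes the Argc/Argv checks from CreateBmpFmp, including the one that guaranteed an output capsule name was supplied after -O, so BmpName and OutputCapsuleName are now trusted as-is; since the callers are not in this hunk, either guard both pointers against NULL at function entry, or state in the function comment that the caller must only pass values the parameter parser returned non-NULL.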
> @@ -425,13 +425,12 @@ IsFmpCapsuleGuid (
>  **/
>  EFI_STATUS
>  CreateNestedFmp (
> -  VOID
> +  IN CHAR16 *CapsuleName,
> +  IN CHAR16
> *OutputCapsuleName
>)
>  {
> -  CHAR16
> *OutputCapsuleName;
>VOID  *CapsuleBuffer;
>UINTN FileSize;
> -  CHAR16*CapsuleName;
>UINT8
> *FullCapsuleBuffer;
>UINTN
> FullCapsuleBufferSize;
>EFI_CAP

Re: [edk2] [PATCH 3/3] FatPkg: Add GPT check in FatPei to support Capsule-on-Disk feature.

2019-01-22 Thread Zhang, Chao B
Reviewed-by: Chao Zhang

-Original Message-
From: Chen, Chen A 
Sent: Thursday, January 17, 2019 10:03 AM
To: edk2-devel@lists.01.org
Cc: Chen, Chen A ; Ni, Ray ; Zhang, 
Chao B 
Subject: [PATCH 3/3] FatPkg: Add GPT check in FatPei to support Capsule-on-Disk 
feature.

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1470
This feature is used for finding the GPT partition, following these steps to 
check:
1) Check Protective MBR.
2) Check GPT primary/backup header.
3) Check GPT primary/backup entry array.

Cc: Ruiyu Ni 
Cc: Zhang Chao B 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chen A Chen 
---
 FatPkg/FatPei/FatLitePeim.h |   1 +
 FatPkg/FatPei/FatPei.inf|   3 +
 FatPkg/FatPei/Gpt.c | 546 
 3 files changed, 550 insertions(+)
 create mode 100644 FatPkg/FatPei/Gpt.c

diff --git a/FatPkg/FatPei/FatLitePeim.h b/FatPkg/FatPei/FatLitePeim.h index 
fbf887da5f..afb429c56e 100644
--- a/FatPkg/FatPei/FatLitePeim.h
+++ b/FatPkg/FatPei/FatLitePeim.h
@@ -27,6 +27,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
diff --git a/FatPkg/FatPei/FatPei.inf b/FatPkg/FatPei/FatPei.inf index 
829e87fe92..dd0869f7cd 100644
--- a/FatPkg/FatPei/FatPei.inf
+++ b/FatPkg/FatPei/FatPei.inf
@@ -31,6 +31,7 @@
 
 [Sources]
   Mbr.c
+  Gpt.c
   Eltorito.c
   Part.c
   FatLiteApi.c
@@ -49,6 +50,7 @@
 [LibraryClasses]
   PcdLib
   BaseMemoryLib
+  MemoryAllocationLib
   PeimEntryPoint
   BaseLib
   DebugLib
@@ -61,6 +63,7 @@
   gRecoveryOnFatIdeDiskGuid   ## SOMETIMES_CONSUMES   ## 
UNDEFINED
   gRecoveryOnFatFloppyDiskGuid## SOMETIMES_CONSUMES   ## 
UNDEFINED
   gRecoveryOnFatNvmeDiskGuid  ## SOMETIMES_CONSUMES   ## 
UNDEFINED
+  gEfiPartTypeUnusedGuid  ## SOMETIMES_CONSUMES   ## 
UNDEFINED
 
 
 [Ppis]
diff --git a/FatPkg/FatPei/Gpt.c b/FatPkg/FatPei/Gpt.c new file mode 100644 
index 00..d1f4c1c8b5
--- /dev/null
+++ b/FatPkg/FatPei/Gpt.c
@@ -0,0 +1,546 @@
+/** @file
+  Routines supporting partition discovery and
+  logical device reading
+
+Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+
+This program and the accompanying materials are licensed and made 
+available under the terms and conditions of the BSD License which 
+accompanies this distribution. The full text of the license may be 
+found at http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include 
+#include 
+#include 
+#include "FatLitePeim.h"
+
+//
+// Assumption: 'a' and 'blocksize' are all UINT32 or UINT64.
+// If 'a' and 'blocksize' are not the same type, should use DivU64xU32 to 
calculate.
+//
+#define EFI_SIZE_TO_BLOCKS(a, blocksize)  (((a) / (blocksize)) + (((a) 
+% (blocksize)) ? 1 : 0))
+
+//
+// GPT Partition Entry Status
+//
+typedef struct {
+  BOOLEAN OutOfRange;
+  BOOLEAN Overlap;
+  BOOLEAN OsSpecific;
+} EFI_PARTITION_ENTRY_STATUS;
+
+/**
+  Check if the CRC field in the Partition table header is valid
+
+  @param[in]  BlockIo Parent BlockIo interface
+  @param[in]  DiskIo  Disk Io Protocol.
+  @param[in]  PartHeader  Partition table header structure
+
+  @retval TRUE  the CRC is valid
+  @retval FALSE the CRC is invalid
+
+**/
+BOOLEAN
+PartitionCheckGptHeaderCRC (
+  IN  EFI_PARTITION_TABLE_HEADER  *PartHeader
+  )
+{
+  UINT32  GptHdrCrc;
+  UINT32  Crc;
+
+  GptHdrCrc = PartHeader->Header.CRC32;
+
+  //
+  // Set CRC field to zero when doing calcuation  //
+  PartHeader->Header.CRC32 = 0;
+
+  Crc = CalculateCrc32 (PartHeader, PartHeader->Header.HeaderSize);
+
+  //
+  // Restore Header CRC
+  //
+  PartHeader->Header.CRC32 = GptHdrCrc;
+
+  return (GptHdrCrc == Crc);
+}
+
+
+/**
+  Check if the CRC field in the Partition table header is valid
+  for Partition entry array.
+
+  @param[in]  BlockIo Parent BlockIo interface
+  @param[in]  DiskIo  Disk Io Protocol.
+  @param[in]  PartHeader  Partition table header structure
+
+  @retval TRUE  the CRC is valid
+  @retval FALSE the CRC is invalid
+
+**/
+BOOLEAN
+PartitionCheckGptEntryArrayCRC (
+  IN  EFI_PARTITION_TABLE_HEADER *PartHeader,
+  IN  EFI_PARTITION_ENTRY*PartEntry
+  )
+{
+  UINT32  Crc;
+  UINTN   Size;
+
+  Size = (UINTN)MultU64x32(PartHeader->NumberOfPartitionEntries, 
+ PartHeader->SizeOfPartitionEntry);
+  Crc  = CalculateCrc32 (PartEntry, Size);
+
+  return (BOOLEAN) (PartHeader->PartitionEntryArrayCRC32 == Crc); }
+
+/**
+  The function is used for valid GPT table. Both for Primary and Backup GPT 
header.
+
+  @param[in]  PrivateData   The global memory map 
+  @param[in]  ParentBlockDevNo  The parent block device
+  @param[in]  I
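Review bot: In the new Gpt.c the documentation of PartitionCheckGptHeaderCRC lists @param BlockIo and DiskIo that the function does not take, and PartitionCheckGptEntryArrayCRC likewise lists BlockIo and DiskIo but not its PartEntry parameter; please make the @param lists match the signatures. More important, PartitionCheckGptHeaderCRC calls CalculateCrc32 over PartHeader->Header.HeaderSize bytes and PartitionCheckGptEntryArrayCRC over NumberOfPartitionEntries * SizeOfPartitionEntry bytes, both taken straight from on-disk data, with no check visible here that HeaderSize is at least sizeof (EFI_PARTITION_TABLE_HEADER) and no larger than the buffer read from disk, or that the multiplied size fits the entry buffer; if the callers (cut off in this copy) validate these first, a comment saying so would help, otherwise the bounds belong inside these functions. Minor: the copyright line of a file new in 2019 reads '2006 - 2018'.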

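The header and entry-array steps the commit message lists (the checks after the protective MBR), as an added example in C (not FatPei's code; the header layout follows the UEFI GPT header, the CRC-32 routine is written inline, and the 512-byte header block and entry array are constructed in the block): HeaderSize and the entry geometry are bounded before any CRC is computed, the header CRC is taken with its own field treated as zero, and the entry array CRC is checked against the header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* GPT header as laid out on disk (UEFI spec), packed so sizeof is 92. */
#pragma pack(push, 1)
typedef struct {
  uint8_t  Signature[8];              /* "EFI PART" */
  uint32_t Revision;
  uint32_t HeaderSize;                /* >= 92 and never larger than the block */
  uint32_t HeaderCRC32;               /* CRC of HeaderSize bytes with this field zeroed */
  uint32_t Reserved;
  uint64_t MyLBA, AlternateLBA, FirstUsableLBA, LastUsableLBA;
  uint8_t  DiskGUID[16];
  uint64_t PartitionEntryLBA;
  uint32_t NumberOfPartitionEntries;
  uint32_t SizeOfPartitionEntry;      /* 128 * 2^n */
  uint32_t PartitionEntryArrayCRC32;
} GPT_HEADER;
#pragma pack(pop)

#define GPT_ENTRY_ARRAY_MAX (16u * 1024u * 1024u)   /* refuse absurd arrays before reading them */

/* Streaming CRC-32 (IEEE 802.3, reflected), the polynomial EFI's CalculateCrc32
 * uses; start with crc = 0 and feed consecutive ranges. */
uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t len) {
  crc = ~crc;
  for (size_t i = 0; i < len; i++) {
    crc ^= p[i];
    for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
  }
  return ~crc;
}

/* Byte size of the entry array; false if the geometry is invalid or the
 * multiplication would overflow or exceed the cap. */
bool gpt_entry_array_size(const GPT_HEADER *h, size_t *size) {
  uint32_t n = h->NumberOfPartitionEntries, s = h->SizeOfPartitionEntry;
  if (s < 128 || (s & (s - 1)) != 0 || n == 0 || n > GPT_ENTRY_ARRAY_MAX / s) return false;
  *size = (size_t)n * s;
  return true;
}

/* Validate a header read from LBA lba into blk (blk_len bytes).  All sizes are
 * bounded before the CRC runs, so a forged HeaderSize cannot read past blk. */
bool gpt_header_valid(const uint8_t *blk, size_t blk_len, uint64_t lba) {
  GPT_HEADER h;
  size_t entries;
  static const uint8_t zero4[4] = {0, 0, 0, 0};
  if (blk_len < sizeof h) return false;
  memcpy(&h, blk, sizeof h);
  if (memcmp(h.Signature, "EFI PART", 8) != 0) return false;
  if (h.HeaderSize < sizeof h || h.HeaderSize > blk_len) return false;
  if (h.MyLBA != lba || !gpt_entry_array_size(&h, &entries)) return false;
  /* CRC over HeaderSize bytes with the CRC field itself taken as zero. */
  uint32_t crc = crc32_update(0, blk, offsetof(GPT_HEADER, HeaderCRC32));
  crc = crc32_update(crc, zero4, sizeof zero4);
  crc = crc32_update(crc, blk + offsetof(GPT_HEADER, Reserved), h.HeaderSize - offsetof(GPT_HEADER, Reserved));
  return crc == h.HeaderCRC32;
}

/* Validate the entry array against an already-validated header block. */
bool gpt_entry_array_valid(const uint8_t *blk, const uint8_t *entries, size_t entries_len) {
  GPT_HEADER h;
  size_t size;
  memcpy(&h, blk, sizeof h);
  if (!gpt_entry_array_size(&h, &size) || size > entries_len) return false;
  return crc32_update(0, entries, size) == h.PartitionEntryArrayCRC32;
}

/* Constructed sample: a 512-byte header block at LBA 1 and a 4 x 128-byte entry
 * array, both CRCs computed so they validate. */
size_t build_sample_gpt(uint8_t *blk, size_t blk_len, uint8_t *entries, size_t entries_len) {
  if (blk_len < 512 || entries_len < 512) return 0;
  memset(blk, 0, 512);
  memset(entries, 0, 512);
  entries[0] = 0xC1;                                  /* make the first entry non-empty */
  GPT_HEADER h = { .Revision = 0x00010000, .HeaderSize = 92, .MyLBA = 1, .AlternateLBA = 2047,
                   .FirstUsableLBA = 34, .LastUsableLBA = 2014, .PartitionEntryLBA = 2,
                   .NumberOfPartitionEntries = 4, .SizeOfPartitionEntry = 128 };
  memcpy(h.Signature, "EFI PART", 8);
  h.PartitionEntryArrayCRC32 = crc32_update(0, entries, 512);
  h.HeaderCRC32 = crc32_update(0, (const uint8_t *)&h, 92);  /* field is still zero here */
  memcpy(blk, &h, sizeof h);
  return 512;
}

/* Build the sample, flip one byte (offset < 512: header block; >= 512: entry
 * array at offset - 512; -1: none) and return 1 if both checks still pass. */
int sample_gpt_check(int corrupt_offset) {
  uint8_t blk[512], entries[512];
  if (build_sample_gpt(blk, sizeof blk, entries, sizeof entries) == 0) return -1;
  if (corrupt_offset >= 512 && corrupt_offset < 1024) entries[corrupt_offset - 512] ^= 0x01;
  else if (corrupt_offset >= 0) blk[corrupt_offset] ^= 0x01;
  return gpt_header_valid(blk, sizeof blk, 1) && gpt_entry_array_valid(blk, entries, sizeof entries);
}
```

Flipping byte 15 of the header block turns HeaderSize into a value far larger than the block, which the bounds check rejects before any CRC is computed over it.
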
Re: [edk2] [PATCH v2 10/11] SecurityPkg/AuthVariableLib: allow MM_STANDALONE drivers to use this library

2019-01-02 Thread Zhang, Chao B
Reviewed-by: Chao Zhang


-Original Message-
From: Jagadeesh Ujja [mailto:jagadeesh.u...@arm.com] 
Sent: Wednesday, January 2, 2019 9:14 PM
To: edk2-devel@lists.01.org; Gao, Liming ; Zhang, Chao B 
; leif.lindh...@linaro.org; ard.biesheu...@linaro.org; 
achin.gu...@arm.com; supreeth.venkat...@arm.com; Wang, Jian J 

Subject: [PATCH v2 10/11] SecurityPkg/AuthVariableLib: allow MM_STANDALONE 
drivers to use this library

“AuthVariableLib” library can be used by MM_STANDALONE drivers as well.
So add MM_STANDALONE as the module type this library supports.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jagadeesh Ujja 
Reviewed-by: Chao Zhang 
---
 SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf 
b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
index 572ba4e..4294d3b 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -2,6 +2,7 @@
 #  Provides authenticated variable services.
 #
 #  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
+#  Copyright (c) 2018, ARM Limited. All rights reserved.
 #
 #  This program and the accompanying materials  #  are licensed and made 
available under the terms and conditions @@ -21,12 +22,12 @@
   FILE_GUID  = B23CF5FB-6FCC-4422-B145-D855DBC05457
   MODULE_TYPE= DXE_RUNTIME_DRIVER
   VERSION_STRING = 1.0
-  LIBRARY_CLASS  = AuthVariableLib|DXE_RUNTIME_DRIVER 
DXE_SMM_DRIVER
+  LIBRARY_CLASS  = AuthVariableLib|DXE_RUNTIME_DRIVER 
DXE_SMM_DRIVER MM_STANDALONE
 
 #
 # The following information is for reference only and not required by the 
build tools.
 #
-#  VALID_ARCHITECTURES   = IA32 X64
+#  VALID_ARCHITECTURES   = IA32 X64 AARCH64
 #
 
 [Sources]
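Review bot: the functional change is the MM_STANDALONE token added to the LIBRARY_CLASS line (the AARCH64 addition is in the reference-only VALID_ARCHITECTURES comment), but nothing in the hunk touches [LibraryClasses], so the commit message should state that every library class this .inf consumes already has an instance usable from MM_STANDALONE; otherwise a standalone MM platform DSC will fail to resolve them at build time and the new supported type is only nominal.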
--
2.7.4



[edk2] [Patch] SecurityPkg/Tcg: Fix Warnings and Remarks reported by IASL

2019-01-02 Thread Zhang, Chao B
Addressed warnings and remarks reported by IASL.EXE. Some methods had
unused arguments. A method was returning a value when it should not.

Cc: Zhang Chao B 
Cc: Jiewen Yao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Thomas Rydman 
Signed-off-by: Zhang, Chao B 
---
 SecurityPkg/Tcg/Tcg2Smm/Tpm.asl | 140 
 SecurityPkg/Tcg/TcgSmm/Tpm.asl  |  26 
 2 files changed, 82 insertions(+), 84 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tpm.asl b/SecurityPkg/Tcg/Tcg2Smm/Tpm.asl
index 471b6b1fa1..903252f7d7 100644
--- a/SecurityPkg/Tcg/Tcg2Smm/Tpm.asl
+++ b/SecurityPkg/Tcg/Tcg2Smm/Tpm.asl
@@ -158,72 +158,70 @@ DefinitionBlock (
   Method(_SRS,1,Serialized)
   {
 //
 // Do not configure Interrupt if IRQ Num is configured 0 by default
 //
-If (LEqual(IRQN, 0)) {
-  Return (0)
-}
-
-//
-// Update resource descriptor
-// Use the field name to identify the offsets in the argument
-// buffer and RES0 buffer.
-//
-CreateDWordField(Arg0, ^INTR._INT, IRQ0)
-CreateDWordField(RES0, ^INTR._INT, LIRQ)
-Store(IRQ0, LIRQ)
-Store(IRQ0, IRQN)
+If (LNotEqual(IRQN, 0)) {
+  //
+  // Update resource descriptor
+  // Use the field name to identify the offsets in the argument
+  // buffer and RES0 buffer.
+  //
+  CreateDWordField(Arg0, ^INTR._INT, IRQ0)
+  CreateDWordField(RES0, ^INTR._INT, LIRQ)
+  Store(IRQ0, LIRQ)
+  Store(IRQ0, IRQN)
 
-CreateBitField(Arg0, ^INTR._HE, ITRG)
-CreateBitField(RES0, ^INTR._HE, LTRG)
-Store(ITRG, LTRG)
+  CreateBitField(Arg0, ^INTR._HE, ITRG)
+  CreateBitField(RES0, ^INTR._HE, LTRG)
+  Store(ITRG, LTRG)
 
-CreateBitField(Arg0, ^INTR._LL, ILVL)
-CreateBitField(RES0, ^INTR._LL, LLVL)
-Store(ILVL, LLVL)
+  CreateBitField(Arg0, ^INTR._LL, ILVL)
+  CreateBitField(RES0, ^INTR._LL, LLVL)
+  Store(ILVL, LLVL)
 
-//
-// Update TPM FIFO PTP/TIS interface only, identified by 
TPM_INTERFACE_ID_x lowest
-// nibble.
-//  - FIFO interface as defined in PTP for TPM 2.0 is active
-//  - FIFO interface as defined in TIS1.3 is active
-//
-If (LOr(LEqual (And (TID0, 0x0F), 0x00), LEqual (And (TID0, 0x0F), 
0x0F))) {
   //
-  // If FIFO interface, interrupt vector register is
-  // available. TCG PTP specification allows only
-  // values 1..15 in this field. For other interrupts
-  // the field should stay 0.
+  // Update TPM FIFO PTP/TIS interface only, identified by 
TPM_INTERFACE_ID_x lowest
+  // nibble.
+  //  - FIFO interface as defined in PTP for TPM 2.0 is active
+  //  - FIFO interface as defined in TIS1.3 is active
   //
-  If (LLess (IRQ0, 16)) {
-Store (And(IRQ0, 0xF), INTV)
-  }
-  //
-  // Interrupt enable register (TPM_INT_ENABLE_x) bits 3:4
-  // contains settings for interrupt polarity.
-  // The other bits of the byte enable individual interrupts.
-  // They should be all be zero, but to avoid changing the
-  // configuration, the other bits are be preserved.
-  // 00 - high level
-  // 01 - low level
-  // 10 - rising edge
-  // 11 - falling edge
-  //
-  // ACPI spec definitions:
-  // _HE: '1' is Edge, '0' is Level
-  // _LL: '1' is ActiveHigh, '0' is ActiveLow (inverted from TCG spec)
-  //
-  If (LEqual (ITRG, 1)) {
-Or(INTE, 0x0010, INTE)
-  } Else {
-And(INTE, 0xFFEF, INTE)
-  }
-  if (LEqual (ILVL, 0)) {
-Or(INTE, 0x0008, INTE)
-  } Else {
-And(INTE, 0xFFF7, INTE)
+  If (LOr(LEqual (And (TID0, 0x0F), 0x00), LEqual (And (TID0, 0x0F), 
0x0F))) {
+//
+// If FIFO interface, interrupt vector register is
+// available. TCG PTP specification allows only
+// values 1..15 in this field. For other interrupts
+// the field should stay 0.
+//
+If (LLess (IRQ0, 16)) {
+  Store (And(IRQ0, 0xF), INTV)
+}
+//
+// Interrupt enable register (TPM_INT_ENABLE_x) bits 3:4
+// contains settings for interrupt polarity.
+// The other bits of the byte enable individual interrupts.
+// They should be all be zero, but to avoid changing the
+// configuration, the other bits are be preserved.
+// 00 - high level
+// 01 - low level
+// 10 - rising edge
+// 11 - falling edge
+//
+// ACPI spec
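Review bot: the only logic change in this hunk is replacing the early `Return (0)` with an `If (LNotEqual(IRQN, 0))` guard around the whole body, which is the right fix since _SRS is defined to return nothing; because every line of the body is re-indented, though, the diff reads as a wholesale rewrite and the one-line change is hard to verify. Say in the commit message that only the guard changed (or split the re-indent into its own patch). The moved comment also carries the typo "the other bits are be preserved"; drop the stray "be" while it is being touched.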

Re: [edk2] [PATCH 2/7] SecurityPkg Tcg(2)Pei: Remove the using of PcdPeiCoreMaxFvSupported

2018-12-16 Thread Zhang, Chao B
Star :
   Reviewed -by : Chao Zhang 

-Original Message-
From: Zeng, Star 
Sent: Friday, December 14, 2018 6:29 PM
To: edk2-devel@lists.01.org
Cc: Zeng, Star ; Zhang, Chao B ; 
Yao, Jiewen 
Subject: [PATCH 2/7] SecurityPkg Tcg(2)Pei: Remove the using of 
PcdPeiCoreMaxFvSupported

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1405

Background as below.

Problem:
As static configuration from the PCDs, the binary PeiCore (for example in FSP 
binary with dispatch mode) could not predict how many FVs, Files or PPIs for 
different platforms.

Burden:
Platform developers need to configure the PCDs accordingly for different platforms.

To solve the problem and remove the burden, we can update PeiCore to remove the 
using of PcdPeiCoreMaxFvSupported, PcdPeiCoreMaxPeimPerFv and 
PcdPeiCoreMaxPpiSupported by extending buffer dynamically for FV, File and PPI 
management.

This patch removes the using of PcdPeiCoreMaxFvSupported in Tcg(2)Pei.

Cc: Chao Zhang 
Cc: Jiewen Yao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng 
---
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c   | 59 +++--
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf |  1 -
 SecurityPkg/Tcg/TcgPei/TcgPei.c | 59 +++--
 SecurityPkg/Tcg/TcgPei/TcgPei.inf   |  1 -
 4 files changed, 74 insertions(+), 46 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c 
b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index 09ef0c70a50b..152e3f737b56 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -71,10 +71,17 @@ EFI_PEI_PPI_DESCRIPTOR  mTpmInitializationDonePpiList = {
   NULL
 };
 
+//
+// Number of firmware blobs to grow by each time we run out of room // 
+#define FIRMWARE_BLOB_GROWTH_STEP 4
+
 EFI_PLATFORM_FIRMWARE_BLOB *mMeasuredBaseFvInfo;
+UINT32 mMeasuredMaxBaseFvIndex = 0;
 UINT32 mMeasuredBaseFvIndex = 0;
 
 EFI_PLATFORM_FIRMWARE_BLOB *mMeasuredChildFvInfo;
+UINT32 mMeasuredMaxChildFvIndex = 0;
 UINT32 mMeasuredChildFvIndex = 0;
 
 /**
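Review bot: naming: mMeasuredMaxBaseFvIndex and mMeasuredMaxChildFvIndex hold the number of entries allocated (the capacity ReallocatePool is sized against), not an index, so next to mMeasuredBaseFvIndex (entries in use) they read as if they were the largest valid index. A name such as mMeasuredBaseFvCapacity would make the `Index >= Max` growth test self-explanatory.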
@@ -615,13 +622,20 @@ MeasureFvImage (
   //
   // Add new FV into the measured FV list.
   //
-  ASSERT (mMeasuredBaseFvIndex < PcdGet32 (PcdPeiCoreMaxFvSupported));
-  if (mMeasuredBaseFvIndex < PcdGet32 (PcdPeiCoreMaxFvSupported)) {
-mMeasuredBaseFvInfo[mMeasuredBaseFvIndex].BlobBase   = FvBase;
-mMeasuredBaseFvInfo[mMeasuredBaseFvIndex].BlobLength = FvLength;
-mMeasuredBaseFvIndex++;
+  if (mMeasuredBaseFvIndex >= mMeasuredMaxBaseFvIndex) {
+mMeasuredBaseFvInfo = ReallocatePool (
+sizeof (EFI_PLATFORM_FIRMWARE_BLOB) * 
mMeasuredMaxBaseFvIndex,
+sizeof (EFI_PLATFORM_FIRMWARE_BLOB) * 
(mMeasuredMaxBaseFvIndex + FIRMWARE_BLOB_GROWTH_STEP),
+mMeasuredBaseFvInfo
+);
+ASSERT (mMeasuredBaseFvInfo != NULL);
+mMeasuredMaxBaseFvIndex = mMeasuredMaxBaseFvIndex + 
+ FIRMWARE_BLOB_GROWTH_STEP;
   }
 
+  mMeasuredBaseFvInfo[mMeasuredBaseFvIndex].BlobBase   = FvBase;
+  mMeasuredBaseFvInfo[mMeasuredBaseFvIndex].BlobLength = FvLength;  
+ mMeasuredBaseFvIndex++;
+
   return Status;
 }
 
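Review bot: the growth path assigns the ReallocatePool result directly to mMeasuredBaseFvInfo and only ASSERTs it; in a RELEASE build the ASSERT compiles away, the following `mMeasuredBaseFvInfo[mMeasuredBaseFvIndex].BlobBase = FvBase` writes through NULL, and the previous array is lost (ReallocatePool returns NULL without freeing OldBuffer, so the earlier measurements leak). Reallocate into a local, return EFI_OUT_OF_RESOURCES when it is NULL, and only then update the global and mMeasuredMaxBaseFvIndex. The size arithmetic itself is right: OldSize is the capacity and NewSize the capacity plus FIRMWARE_BLOB_GROWTH_STEP.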
@@ -724,20 +738,26 @@ FirmwareVolmeInfoPpiNotifyCallback (
   //
   if (Fv->ParentFvName != NULL || Fv->ParentFileName != NULL ) {
 
-ASSERT (mMeasuredChildFvIndex < PcdGet32 (PcdPeiCoreMaxFvSupported));
-if (mMeasuredChildFvIndex < PcdGet32 (PcdPeiCoreMaxFvSupported)) {
-  //
-  // Check whether FV is in the measured child FV list.
-  //
-  for (Index = 0; Index < mMeasuredChildFvIndex; Index++) {
-if (mMeasuredChildFvInfo[Index].BlobBase == (EFI_PHYSICAL_ADDRESS) 
(UINTN) Fv->FvInfo) {
-  return EFI_SUCCESS;
-}
+if (mMeasuredChildFvIndex >= mMeasuredMaxChildFvIndex) {
+  mMeasuredChildFvInfo = ReallocatePool (
+   sizeof (EFI_PLATFORM_FIRMWARE_BLOB) * 
mMeasuredMaxChildFvIndex,
+   sizeof (EFI_PLATFORM_FIRMWARE_BLOB) * 
(mMeasuredMaxChildFvIndex + FIRMWARE_BLOB_GROWTH_STEP),
+   mMeasuredChildFvInfo
+   );
+  ASSERT (mMeasuredChildFvInfo != NULL);
+  mMeasuredMaxChildFvIndex = mMeasuredMaxChildFvIndex + 
FIRMWARE_BLOB_GROWTH_STEP;
+}
+//
+// Check whether FV is in the measured child FV list.
+//
+for (Index = 0; Index < mMeasuredChildFvIndex; Index++) {
+  if (mMeasuredChildFvInfo[Index].BlobBase == (EFI_PHYSICAL_ADDRESS) 
(UINTN) Fv->FvInfo) {
+return EFI_SUCCESS;
   }
-  mMeasuredChildFvInfo[mMeasuredChildFvIndex].BlobBase   = 
(EFI_PHYSICAL_ADDRESS) (UINTN) Fv->FvInfo;
-  mMeasuredChildFvInfo[mMeasuredChildFvIndex].BlobLength = Fv->FvInfoSize;
-  mMeasuredChildFvIndex++;
 }
+mMeasuredChildFvInfo[mMeasuredChildFvIndex].BlobBase   = 
(EFI_PHYSICAL_ADDRESS) (UINTN) Fv->FvInfo;
+mMeasuredChildFvInfo[mMeas
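Review bot: ordering: the child-FV path now grows the array before it runs the "Check whether FV is in the measured child FV list" loop and returns EFI_SUCCESS, so a repeated notification for an already-measured FV can trigger a reallocation that is never used; do the duplicate scan first and grow only when a new entry is actually appended. As in MeasureFvImage, `mMeasuredChildFvInfo = ReallocatePool (...)` is only ASSERTed before use, so a RELEASE build needs an explicit NULL check and an error return instead of writing through the result.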

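The growth scheme the patch above describes (replace a PCD-sized array with one that grows by a fixed step), as an added example that is not edk2 code: plain C with realloc standing in for ReallocatePool, and all type and function names (MeasuredFvList, MeasuredFvAdd and so on) invented for the example. It differs from the patch in two deliberate ways: growth happens only after the duplicate check, and an allocation failure returns an error while leaving the existing array intact rather than relying on an ASSERT.

```c
/*
 * Added example, not edk2 code: a measured-FV list that grows by a fixed
 * step instead of being sized from PcdPeiCoreMaxFvSupported. realloc stands
 * in for ReallocatePool; every identifier here is invented for the example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define FIRMWARE_BLOB_GROWTH_STEP 4   /* same step as the patch */

typedef struct {
  uint64_t BlobBase;
  uint64_t BlobLength;
} FirmwareBlob;                       /* stands in for EFI_PLATFORM_FIRMWARE_BLOB */

typedef struct {
  FirmwareBlob *Info;      /* NULL until the first entry is added */
  uint32_t      Count;     /* entries in use (the patch's m...FvIndex) */
  uint32_t      Capacity;  /* entries allocated (the patch's m...MaxFvIndex) */
} MeasuredFvList;

/* Linear scan for an FV already on the list, keyed by base address. */
bool MeasuredFvContains(const MeasuredFvList *List, uint64_t BlobBase) {
  if (List->Info == NULL) return false;
  for (uint32_t i = 0; i < List->Count; i++) {
    if (List->Info[i].BlobBase == BlobBase) return true;
  }
  return false;
}

/* Make room for one more entry. Returns 0 on success, -1 on failure; on
 * failure List->Info and List->Capacity are unchanged, so earlier
 * measurements are neither leaked nor dereferenced through NULL. */
static int MeasuredFvReserveOne(MeasuredFvList *List) {
  if (List->Count < List->Capacity) return 0;
  if (List->Capacity > UINT32_MAX - FIRMWARE_BLOB_GROWTH_STEP) return -1;
  uint32_t NewCapacity = List->Capacity + FIRMWARE_BLOB_GROWTH_STEP;
  if ((size_t)NewCapacity > SIZE_MAX / sizeof(FirmwareBlob)) return -1;
  FirmwareBlob *NewInfo = realloc(List->Info, (size_t)NewCapacity * sizeof(FirmwareBlob));
  if (NewInfo == NULL) return -1;     /* old array is still valid here */
  List->Info     = NewInfo;
  List->Capacity = NewCapacity;
  return 0;
}

/* Record an FV. Returns 0 when appended, 1 when it was already present
 * (no growth is attempted for duplicates), -1 when memory ran out. */
int MeasuredFvAdd(MeasuredFvList *List, uint64_t BlobBase, uint64_t BlobLength) {
  if (MeasuredFvContains(List, BlobBase)) return 1;
  if (MeasuredFvReserveOne(List) != 0) return -1;
  List->Info[List->Count].BlobBase   = BlobBase;
  List->Info[List->Count].BlobLength = BlobLength;
  List->Count++;
  return 0;
}

/* Add N FVs laid out Stride bytes apart; returns how many were new. */
uint32_t MeasuredFvAddMany(MeasuredFvList *List, uint64_t Base, uint64_t Stride,
                           uint64_t Length, uint32_t N) {
  uint32_t Added = 0;
  for (uint32_t i = 0; i < N; i++) {
    if (MeasuredFvAdd(List, Base + (uint64_t)i * Stride, Length) == 0) Added++;
  }
  return Added;
}

void MeasuredFvFree(MeasuredFvList *List) {
  free(List->Info);
  List->Info = NULL;
  List->Count = List->Capacity = 0;
}

int main(void) {
  /* Constructed sample: five FVs 64 KiB apart, then a repeat of the first. */
  MeasuredFvList List = {0};
  uint32_t Added = MeasuredFvAddMany(&List, 0xFF000000ull, 0x10000ull, 0x10000ull, 5);
  int Dup = MeasuredFvAdd(&List, 0xFF000000ull, 0x10000ull);
  printf("added=%u dup=%d count=%u capacity=%u\n",
         (unsigned)Added, Dup, (unsigned)List.Count, (unsigned)List.Capacity);
  MeasuredFvFree(&List);
  return (Added == 5 && Dup == 1) ? 0 : 1;
}
```

With five entries the list grows twice (0 to 4, then 4 to 8), so Count ends at 5 with Capacity 8; the sixth, duplicate, add returns 1 without touching the allocation.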
Re: [edk2] [RFC PATCH v4 11/12] SecurityPkg/AuthVariableLib: allow MM_STANDALONE drivers to use this library

2018-12-16 Thread Zhang, Chao B
Reviewed-by : Chao Zhang 

-Original Message-
From: Jagadeesh Ujja [mailto:jagadeesh.u...@arm.com] 
Sent: Tuesday, December 11, 2018 2:22 PM
To: edk2-devel@lists.01.org; Gao, Liming ; Zhang, Chao B 
; leif.lindh...@linaro.org
Subject: [RFC PATCH v4 11/12] SecurityPkg/AuthVariableLib: allow MM_STANDALONE 
drivers to use this library

“AuthVariableLib” library can be used by MM_STANDALONE drivers as well.
So add MM_STANDALONE as the module type this library supports

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jagadeesh Ujja 
Reviewed-by: Chao Zhang 
---
 SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf 
b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
index 572ba4e..4294d3b 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -2,6 +2,7 @@
 #  Provides authenticated variable services.
 #
 #  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
+#  Copyright (c) 2018, ARM Limited. All rights reserved.
 #
 #  This program and the accompanying materials  #  are licensed and made 
available under the terms and conditions @@ -21,12 +22,12 @@
   FILE_GUID  = B23CF5FB-6FCC-4422-B145-D855DBC05457
   MODULE_TYPE= DXE_RUNTIME_DRIVER
   VERSION_STRING = 1.0
-  LIBRARY_CLASS  = AuthVariableLib|DXE_RUNTIME_DRIVER 
DXE_SMM_DRIVER
+  LIBRARY_CLASS  = AuthVariableLib|DXE_RUNTIME_DRIVER 
DXE_SMM_DRIVER MM_STANDALONE
 
 #
 # The following information is for reference only and not required by the 
build tools.
 #
-#  VALID_ARCHITECTURES   = IA32 X64
+#  VALID_ARCHITECTURES   = IA32 X64 AARCH64
 #
 
 [Sources]
--
2.7.4



Re: [edk2] [PATCH 2/2] SecurityPkg/Tcg: Fix typos in TcgDxe.c and Tcg2Dxe.c

2018-12-16 Thread Zhang, Chao B
Reviewed-by: Chao Zhang 

-Original Message-
From: Zhang, Shenglei 
Sent: Tuesday, December 11, 2018 9:32 AM
To: edk2-devel@lists.01.org
Cc: Zhang, Chao B ; Yao, Jiewen 
Subject: [PATCH 2/2] SecurityPkg/Tcg: Fix typos in TcgDxe.c and Tcg2Dxe.c

Change EFI_RETURNING_FROM_EFI_APPLICATOIN to EFI_RETURNING_FROM_EFI_APPLICATION.
https://bugzilla.tianocore.org/show_bug.cgi?id=1368

Cc: Chao Zhang 
Cc: Jiewen Yao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Shenglei Zhang 
---
 SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c | 4 ++--
 SecurityPkg/Tcg/TcgDxe/TcgDxe.c   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c 
b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
index aa463b287e..662637f3e3 100644
--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c
@@ -2314,10 +2314,10 @@ OnReadyToBoot (
 //
 Status = TcgMeasureAction (
4,
-   EFI_RETURNING_FROM_EFI_APPLICATOIN
+   EFI_RETURNING_FROM_EFI_APPLICATION
);
 if (EFI_ERROR (Status)) {
-  DEBUG ((EFI_D_ERROR, "%a not Measured. Error!\n", 
EFI_RETURNING_FROM_EFI_APPLICATOIN));
+  DEBUG ((EFI_D_ERROR, "%a not Measured. Error!\n", 
+ EFI_RETURNING_FROM_EFI_APPLICATION));
 }
 
 //
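Review bot: the renamed identifier only exists once the header that defines EFI_RETURNING_FROM_EFI_APPLICATOIN (MdePkg/Include/IndustryStandard/UefiTcgPlatform.h) carries the corrected spelling; as this is patch 2/2, state the dependency on 1/2 in the commit message so the series is not applied out of order, and consider whether out-of-tree consumers of the misspelled macro need a transitional alias for one release.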
diff --git a/SecurityPkg/Tcg/TcgDxe/TcgDxe.c b/SecurityPkg/Tcg/TcgDxe/TcgDxe.c 
index 21837fe3d3..3889fb4a81 100644
--- a/SecurityPkg/Tcg/TcgDxe/TcgDxe.c
+++ b/SecurityPkg/Tcg/TcgDxe/TcgDxe.c
@@ -1180,10 +1180,10 @@ OnReadyToBoot (
 // 6. Not first attempt, meaning a return from last attempt
 //
 Status = TcgMeasureAction (
-   EFI_RETURNING_FROM_EFI_APPLICATOIN
+   EFI_RETURNING_FROM_EFI_APPLICATION
);
 if (EFI_ERROR (Status)) {
-  DEBUG ((EFI_D_ERROR, "%a not Measured. Error!\n", 
EFI_RETURNING_FROM_EFI_APPLICATOIN));
+  DEBUG ((EFI_D_ERROR, "%a not Measured. Error!\n", 
+ EFI_RETURNING_FROM_EFI_APPLICATION));
 }
   }
 
--
2.18.0.windows.1



Re: [edk2] [PATCH] SecurityPkg: Remove dead code and inf redundant definitions.

2018-11-28 Thread Zhang, Chao B
Hi Chen Chen:
   TCG part is good to me. For Opal part, please include Eric Dong as reviewer.

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Chen A 
Chen
Sent: Wednesday, November 28, 2018 2:27 PM
To: edk2-devel@lists.01.org
Cc: Zhang, Chao B 
Subject: [edk2] [PATCH] SecurityPkg: Remove dead code and inf redundant 
definitions.

Fix BZ1065, https://bugzilla.tianocore.org/show_bug.cgi?id=1065

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chen A Chen 
Cc: Zhang Chao B 
---
 SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf  |   1 -
 SecurityPkg/Tcg/Opal/OpalPassword/OpalAhciMode.c   |  52 
 SecurityPkg/Tcg/Opal/OpalPassword/OpalAhciMode.h   |  23 --
 SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.h|  11 -
 .../Tcg/Opal/OpalPassword/OpalHiiCallbacks.c   |  87 --
 SecurityPkg/Tcg/Opal/OpalPassword/OpalNvmeMode.c   | 321 -
 SecurityPkg/Tcg/Opal/OpalPassword/OpalNvmeMode.h   | 128 
 .../Tcg/Opal/OpalPassword/OpalPasswordDxe.inf  |   2 -
 .../Tcg/Opal/OpalPassword/OpalPasswordPei.inf  |   1 -
 SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf   |   1 -
 SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf|   1 -
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf|   1 -
 SecurityPkg/Tcg/TcgConfigDxe/TcgConfigDxe.inf  |   1 -
 .../SecureBootConfigDxe/SecureBootConfigDxe.inf|   2 -
 14 files changed, 632 deletions(-)

diff --git a/SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf 
b/SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf
index 6f9a77b868..a17fa4046d 100644
--- a/SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf
+++ b/SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf
@@ -43,7 +43,6 @@
   UefiDriverEntryPoint
   UefiBootServicesTableLib
   UefiRuntimeServicesTableLib
-  ReportStatusCodeLib
   DebugLib
   UefiLib
   MemoryAllocationLib
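Review bot: dropping ReportStatusCodeLib from [LibraryClasses] is only correct if TcgMor.c no longer calls REPORT_STATUS_CODE or the ReportStatusCode* functions; the source file is not in this diff, so say in the commit message that the reference was checked (the BZ1065 title does not show it), which lets the change be verified without a build.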
diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalAhciMode.c 
b/SecurityPkg/Tcg/Opal/OpalPassword/OpalAhciMode.c
index d51865380f..0c4edd5346 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalAhciMode.c
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalAhciMode.c
@@ -969,58 +969,6 @@ AhciReset (
 
 }
 
-/**
-  Send Buffer cmd to specific device.
-
-  @param[in]  AhciContext The pointer to the AHCI_CONTEXT.
-  @param[in]  PortThe port number of attached ATA device.
-  @param[in]  PortMultiplier  The port number of port multiplier of 
attached ATA device.
-  @param[in, out]  Buffer The Data Buffer to store IDENTIFY PACKET 
Data.
-
-  @retval EFI_DEVICE_ERRORThe cmd abort with error occurs.
-  @retval EFI_TIMEOUT The operation is time out.
-  @retval EFI_UNSUPPORTED The device is not ready for executing.
-  @retval EFI_SUCCESS The cmd executes successfully.
-
-**/
-EFI_STATUS
-EFIAPI
-AhciIdentify (
-  IN AHCI_CONTEXT *AhciContext,
-  IN UINT8Port,
-  IN UINT8PortMultiplier,
-  IN OUT ATA_IDENTIFY_DATA*Buffer
-  )
-{
-  EFI_STATUS   Status;
-  EFI_ATA_COMMAND_BLOCKAtaCommandBlock;
-
-  if (AhciContext == NULL || Buffer == NULL) {
-return EFI_INVALID_PARAMETER;
-  }
-
-  ZeroMem (, sizeof (EFI_ATA_COMMAND_BLOCK));
-
-  AtaCommandBlock.AtaCommand = ATA_CMD_IDENTIFY_DRIVE;
-  AtaCommandBlock.AtaSectorCount = 1;
-
-  Status = AhciPioTransfer (
- AhciContext,
- Port,
- PortMultiplier,
- NULL,
- 0,
- TRUE,
- ,
- NULL,
- Buffer,
- sizeof (ATA_IDENTIFY_DATA),
- ATA_TIMEOUT
- );
-
-  return Status;
-}
-
 /**
   Allocate transfer-related data struct which is used at AHCI mode.
 
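Review bot: removing AhciIdentify takes away the only IDENTIFY DEVICE path in this file; the diffstat shows the matching prototype going from OpalAhciMode.h and whole chunks of OpalNvmeMode.c and OpalHiiCallbacks.c going with it, but "dead code" is not verifiable from the diff alone. Name the call sites that went away (or the change that made them go away) in the commit message.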
diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalAhciMode.h 
b/SecurityPkg/Tcg/Opal/OpalPassword/OpalAhciMode.h
index 037f81ac24..2076b0411b 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalAhciMode.h
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalAhciMode.h
@@ -293,29 +293,6 @@ typedef struct {
   UINT32AhciBar;
 } AHCI_CONTEXT;
 
-/**
-  Send Buffer cmd to specific device.
-
-  @param  AhciContext The pointer to the AHCI_CONTEXT.
-  @param  PortThe number of port.
-  @param  PortMultiplier  The timeout Value of stop.
-  @param  Buffer  The Data Buffer to store IDENTIFY PACKET Data.
-
-  @retval EFI_DEVICE_ERRORThe cmd abort with error occurs.
-  @retval EFI_TIMEOUT The operation is time out.
-  @retval EFI_UNSUPPORTED The device is not ready for executing.
-  @retval EFI_SUCCESS The cmd executes successfully.
-
-**/
-EFI_STATUS
-EFIAPI
-AhciIdentify (
-  IN AHCI_CONTEXT *AhciContext,
-  IN UINT8Port,
-  IN UINT8PortMultiplier,
-  IN OUT ATA_IDENTIFY_DATA*Buffer
-  );
-
 /**
   Allocate transfer-related data struct which is used at AHCI mode.
 
diff --git

[edk2] [PATCH v2] SecurityPkg: Update TCG PFP spec revision.

2018-11-19 Thread Zhang, Chao B
UEFI TCG has aligned with TCG PFP 1.03 v51 along with Errata Version 1.0.
Update spec version accordingly.
Spec Link:
https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf
https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-Firmware-Profile-for-TPM-2-0-v1p03_r51-errata-v1p0_170426.pdf

Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B 
---
 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf | 4 +++-
 SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf | 4 ++--
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 4 ++--
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf | 4 +++-
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git 
a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf 
b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
index 22eaced5fa..5610bc4da5 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
@@ -1,10 +1,12 @@
 ## @file
 #  Provides security service for TPM 2.0 measured boot
 #
 #  Spec Compliance Info:
-#"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 00.21"
+#"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 1.03 v51"
+#  along with
+#"Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 1.03"
 #
 #  This library instance hooks LoadImage() API to measure every image that
 #  is not measured in PEI phase. And, it will also measure GPT partition.
 #
 #  Caution: This module requires additional review when modified.
diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf 
b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
index 2b89869ef1..12b7448ade 100644
--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
@@ -1,12 +1,12 @@
 ## @file
 #  Produces Tcg2 protocol and measure boot environment
 #
 #  Spec Compliance Info:
-#"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 00.21"
+#"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 1.03 v51"
 #  along with
-#"Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 0.21"
+#"Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 1.03"
 #"TCG EFI Protocol Specification" "Family 2.0" "Level 00 Revision 00.13"
 #
 #  This module will produce Tcg2 protocol and measure boot environment.
 #
 #  Caution: This module requires additional review when modified.
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf 
b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
index 9608f9ae7e..ea9dc759ab 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
@@ -1,12 +1,12 @@
 ## @file
 #  Initializes TPM 2.0 device and measure FVs in PEI phase
 #
 #  Spec Compliance Info:
-#"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 00.21"
+#"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 1.03 v51"
 #  along with
-#"Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 0.21"
+#"Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 1.03"
 #
 #  This module will initialize TPM device, measure reported FVs and BIOS 
version.
 #
 # Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
 # Copyright (c) 2017, Microsoft Corporation.  All rights reserved. 
diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf 
b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
index 142941e269..0a08885786 100644
--- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
+++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
@@ -4,11 +4,13 @@
 #  Spec Compliance Info:
 # "TCG ACPI Specification Level 00 Revision 00.37"
 # "Physical Presence Interface Specification Version 1.30 Revision 00.52"
 # "Platform Reset Attack Mitigation Specification Version 1.00"
 #TPM2.0 ACPI device object
-# "TCG PC Client Platform Firmware Profile Specification for TPM Family 
2.0 Level 00 Revision 00.21"
+# "TCG PC Client Platform Firmware Profile Specification for TPM Family 
2.0 Level 00 Revision 1.03 v51"
+#   along with
+# "Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 1.03"
 #
 #  This driver implements TPM 2.0 definition block in ACPI table and
 #  registers SMI callback functions for Tcg2

[edk2] [Patch] SecurityPkg: Update TCG PTP spec revision.

2018-11-19 Thread Zhang, Chao B
UEFI TCG has aligned with TCG PTP 1.03 v51 along with Errata Version 1.0.
Update spec version accordingly.
Spec Link:
https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf
https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-Firmware-Profile-for-TPM-2-0-v1p03_r51-errata-v1p0_170426.pdf

Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B 
---
 SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf | 4 +++-
 SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf | 4 ++--
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 4 ++--
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf | 4 +++-
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git 
a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf 
b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
index 22eaced5fa..5610bc4da5 100644
--- a/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
+++ b/SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
@@ -1,10 +1,12 @@
 ## @file
 #  Provides security service for TPM 2.0 measured boot
 #
 #  Spec Compliance Info:
-#"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 00.21"
+#"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 1.03 v51"
+#  along with
+#"Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 1.03"
 #
 #  This library instance hooks LoadImage() API to measure every image that
 #  is not measured in PEI phase. And, it will also measure GPT partition.
 #
 #  Caution: This module requires additional review when modified.
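Review bot: the subject and commit message call this the TCG PTP spec, but the strings being updated in the hunk ("TCG PC Client Platform Firmware Profile Specification") and both linked documents are the Platform Firmware Profile (PFP); the PTP is the separate Platform TPM Profile that covers the register interface. Rename the subject to PFP, as the v2 posting of this same change does, so the history does not point at the wrong specification.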
diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf 
b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
index 2b89869ef1..12b7448ade 100644
--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
@@ -1,12 +1,12 @@
 ## @file
 #  Produces Tcg2 protocol and measure boot environment
 #
 #  Spec Compliance Info:
-#"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 00.21"
+#"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 1.03 v51"
 #  along with
-#"Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 0.21"
+#"Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 1.03"
 #"TCG EFI Protocol Specification" "Family 2.0" "Level 00 Revision 00.13"
 #
 #  This module will produce Tcg2 protocol and measure boot environment.
 #
 #  Caution: This module requires additional review when modified.
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf 
b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
index 9608f9ae7e..ea9dc759ab 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
@@ -1,12 +1,12 @@
 ## @file
 #  Initializes TPM 2.0 device and measure FVs in PEI phase
 #
 #  Spec Compliance Info:
-#"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 00.21"
+#"TCG PC Client Platform Firmware Profile Specification for TPM Family 2.0 
Level 00 Revision 1.03 v51"
 #  along with
-#"Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 0.21"
+#"Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 1.03"
 #
 #  This module will initialize TPM device, measure reported FVs and BIOS 
version.
 #
 # Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
 # Copyright (c) 2017, Microsoft Corporation.  All rights reserved. 
diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf 
b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
index 142941e269..0a08885786 100644
--- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
+++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
@@ -4,11 +4,13 @@
 #  Spec Compliance Info:
 # "TCG ACPI Specification Level 00 Revision 00.37"
 # "Physical Presence Interface Specification Version 1.30 Revision 00.52"
 # "Platform Reset Attack Mitigation Specification Version 1.00"
 #TPM2.0 ACPI device object
-# "TCG PC Client Platform Firmware Profile Specification for TPM Family 
2.0 Level 00 Revision 00.21"
+# "TCG PC Client Platform Firmware Profile Specification for TPM Family 
2.0 Level 00 Revision 1.03 v51"
+#   along with
+# "Errata for PC Client Specific Platform Firmware Profile Specification 
Version 1.0 Revision 1.03"
 #
 #  This driver implements TPM 2.0 definition block in ACPI table and
 #  registers SMI callback functions for Tcg2

[edk2] [Patch] SecurityPkg: TCG Add more Event type

2018-11-17 Thread Zhang, Chao B
Add more event log types defined in TCG PTP spec 00.51
https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf

Cc:Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B 
---
 MdePkg/Include/IndustryStandard/UefiTcgPlatform.h | 9 +
 1 file changed, 9 insertions(+)

diff --git a/MdePkg/Include/IndustryStandard/UefiTcgPlatform.h 
b/MdePkg/Include/IndustryStandard/UefiTcgPlatform.h
index 5ecb4ac86e..2d223f4ea7 100644
--- a/MdePkg/Include/IndustryStandard/UefiTcgPlatform.h
+++ b/MdePkg/Include/IndustryStandard/UefiTcgPlatform.h
@@ -20,17 +20,25 @@
 #include 
 
 //
 // Standard event types
 //
+#define EV_PREBOOT_CERT ((TCG_EVENTTYPE) 0x)
 #define EV_POST_CODE((TCG_EVENTTYPE) 0x0001)
 #define EV_NO_ACTION((TCG_EVENTTYPE) 0x0003)
 #define EV_SEPARATOR((TCG_EVENTTYPE) 0x0004)
+#define EV_ACTION   ((TCG_EVENTTYPE) 0x0005)
 #define EV_S_CRTM_CONTENTS  ((TCG_EVENTTYPE) 0x0007)
 #define EV_S_CRTM_VERSION   ((TCG_EVENTTYPE) 0x0008)
 #define EV_CPU_MICROCODE((TCG_EVENTTYPE) 0x0009)
+#define EV_PLATFORM_CONFIG_FLAGS((TCG_EVENTTYPE) 0x000A)
 #define EV_TABLE_OF_DEVICES ((TCG_EVENTTYPE) 0x000B)
+#define EV_COMPACT_HASH ((TCG_EVENTTYPE) 0x000C)
+#define EV_NONHOST_CODE ((TCG_EVENTTYPE) 0x000F)
+#define EV_NONHOST_CONFIG   ((TCG_EVENTTYPE) 0x0010)
+#define EV_NONHOST_INFO ((TCG_EVENTTYPE) 0x0011)
+#define EV_OMIT_BOOT_DEVICE_EVENTS  ((TCG_EVENTTYPE) 0x0012)
 
 //
 // EFI specific event types
 //
 #define EV_EFI_EVENT_BASE   ((TCG_EVENTTYPE) 0x8000)
@@ -41,10 +49,11 @@
 #define EV_EFI_RUNTIME_SERVICES_DRIVER  (EV_EFI_EVENT_BASE + 5)
 #define EV_EFI_GPT_EVENT(EV_EFI_EVENT_BASE + 6)
 #define EV_EFI_ACTION   (EV_EFI_EVENT_BASE + 7)
 #define EV_EFI_PLATFORM_FIRMWARE_BLOB   (EV_EFI_EVENT_BASE + 8)
 #define EV_EFI_HANDOFF_TABLES   (EV_EFI_EVENT_BASE + 9)
+#define EV_EFI_HCRTM_EVENT  (EV_EFI_EVENT_BASE + 0x10)
 #define EV_EFI_VARIABLE_AUTHORITY   (EV_EFI_EVENT_BASE + 0xE0)
 
 #define EFI_CALLING_EFI_APPLICATION \
   "Calling EFI Application from Boot Option"
 #define EFI_RETURNING_FROM_EFI_APPLICATOIN  \
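Review bot: the new EV_PREBOOT_CERT line shows its value as `0x` with no digits, so either the literal was lost in transit or the define is incomplete; verify that the full literal (event type 0 in the PFP table) is in the patch, since the file cannot compile as shown. The commit message cites "TCG PTP spec 00.51", but event types are defined in the PC Client Platform Firmware Profile, which is the document actually linked. Also, the added standard event values leave visible gaps at 0x0006, 0x000D and 0x000E; if EV_EVENT_TAG, EV_IPL and EV_IPL_PARTITION_DATA are intentionally omitted, say so in the commit message.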
-- 
2.16.2.windows.1



Re: [edk2] [PATCH 3/4] SecurityPkg: add TpmIoLibMmio instance

2018-11-15 Thread Zhang, Chao B
Hi Eugene:
 TpmIoLib is designed to abstract the various ways of access (MMIO/SPI/I2C, GPIO programming, …) to TPM register space. From my perspective, it is necessary to have the library interface well designed to fit all the cases we can see.

From: Cohen, Eugene [mailto:eug...@hp.com]
Sent: Wednesday, November 14, 2018 10:59 PM
To: Zhang, Chao B ; Kinney, Michael D 
; edk2-devel@lists.01.org; Yao, Jiewen 

Cc: Bin, Sung-Uk (빈성욱) 
Subject: RE: [PATCH 3/4] SecurityPkg: add TpmIoLibMmio instance

Mike, Chao, Jiewen

> [Chao] Infineon chip mentioned by Mike is an example but its register space doesn't comply to PTP spec
> [Mike] My experience is with DTPM and some I2C TPMs at 1.2 level.

We have experience with the TPM 1.2 Infineon I2C device and used a completely 
custom solution.  But I think that may be a 1.2 versus 2.0 difference.  I get 
the impression that TCG cleaned up their act a bit for the 2.0 spec – in fact 
we can see text to this effect in the PTP 1.03 spec (https://trustedcomputinggroup.org/wp-content/uploads/TCG_PC_Client_Platform_TPM_Profile_PTP_2.0_r1.03_v22.pdf), Section 2.3:

The CRB Interface is intended to be physical-bus agnostic, so that it could
be implemented on an LPC or SPI interface, as specified in this specification 
or on
another physical interface not specified.

Reading a bit deeper in the PTP spec it looks like there are two register 
layouts but not driven by the physical bus (LPC, SPI, I2C) but rather the 
access method (FIFO or CRB access mode) – see section 5.3.2 called "Register 
Space Addresses" to see the FIFO and CRB register layouts juxtaposed.

Looking at I2C in the PTP spec I can now see the situation is totally different 
– I2C uses a variation of FIFO mode and has a significantly different layout of 
registers, comparing Table 10 to Table 48 in the PTP spec.  So now I see where 
you're coming from (and why we didn't initially understand the concern).


Given that HP's use case is SPI and SPI is aligned to LPC, we believe going 
forward with the TpmIoLib abstraction is still quite useful.  Whenever somebody 
needs to support I2C TPM2 devices then they will need to author another 
DeviceLib instance since the register layout is different.  (Will there ever be 
a Quark with an I2C TPM2?)

TPM experts, I'd appreciate if you could confirm that my analysis of 
LPC/I2C/SPI and CRB/FIFO is correct.


> [Mike] I would recommend that a full implementation of TpmIoLib for a few 
> non MMIO TPM devices be completed and pass validation before we consider adding 
> new lib class to edk2.  Perhaps using an edk2-staging branch would be a better 
> place to start and you can document in the Readme.md the criteria that must be 
> met before the new lib class meets the requirements for edk2/master.

This plan is fine by me – our intent in the original Request for Comment emails 
was to understand if a TpmIoLib style abstraction would be acceptable to save 
us the work of going down a path that can't be upstreamed and having to fix it 
later.  I think the answer you are giving is "yes, as long as it really works". 
 We are developing and validating this support right now so as long as the TPM 
stack doesn't change out from under us on edk2/master while we are developing 
it should be straightforward to upstream the portions we can share and the 
results, so long as it is understood that we cannot upstream the full stack due 
to the proprietary HW elements – as such I'm not sure how useful the staging 
branch would be although I don't mind doing it.  (In fact I think branch-based 
pull requests are more reviewable than email patchsets but I think I may be in 
the minority on this mailing list).

Thanks,

Eugene


From: Zhang, Chao B <chao.b.zh...@intel.com>
Sent: Tuesday, November 13, 2018 6:53 PM
To: Kinney, Michael D <michael.d.kin...@intel.com>; Cohen, Eugene <eug...@hp.com>; 
edk2-devel@lists.01.org; Yao, Jiewen <jiewen@intel.com>
Cc: Bin, Sung-Uk (빈성욱) <sunguk-...@hp.com>
Subject: RE: [PATCH 3/4] SecurityPkg: add TpmIoLibMmio instance

Hi All:
   PTP 1.3 spec already includes I2C support. It sees I2C TPM communication as 
3 layers:
   Application Layer  ->  Already implemented: TCG PEI/TCG DXE
   TCG-I2C            ->  Not implemented by UEFI TCG (Infineon chip 
mentioned by Mike is an example but its register space doesn’t comply to PTP 
spec)
   I2C                ->  What TpmIoLib also needs to address
   It will be good to have more use cases to see if TpmIoLib is sufficiently 
designed to meet generic TPM devices covered by TCG spec.


From: Kinney, Michael D
Sent: Wednesday, November 14, 2018 8:44 AM
To: Cohen, Eugene <eug...@hp.com>; edk2-devel@lists.01.org; Yao, Jiewen 
<jiewen@intel.com>; Zhang, Chao B 
mailto:chao.b.z

Re: [edk2] [Patch] SecurityPkg: Fix TPM device compatibility issue

2018-11-09 Thread Zhang, Chao B
Hi Leif:
   The NTC1310 can work well with the previous EDK2 stable version (UDK2018). 
Interface Cache is a new feature introduced after UDK2018.
So far as we see, it causes the NTC1310 to fail to work.

From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Leif 
Lindholm
Sent: Friday, November 9, 2018 7:13 PM
To: Laszlo Ersek 
Cc: Kinney, Michael D ; edk2-devel@lists.01.org; 
Yao, Jiewen ; Zhang, Chao B 
Subject: Re: [edk2] [Patch] SecurityPkg: Fix TPM device compatibility issue

On Fri, Nov 09, 2018 at 09:04:46AM +0100, Laszlo Ersek wrote:
> On 11/09/18 07:02, Zhang, Chao B wrote:
> > Issue Statement:
> > The TPM InterfaceId cache feature is introduced by 
> > f15cb995bb3880b77e15afe6facd3da05e599a17. It follows TCG PTP spec 1.3
> > to improve TPM transmission performance and also addresses defects in some 
> > TPM2.0 devices. But some other TPM devices, like the
> > NTC1310 SPI TPM, are found to function abnormally with this feature, causing 
> > an extra device compatibility issue.
> >
> > Solution:
> > Add a policy indicator in PcdActiveTpmInterfaceType to disable the TPM 
> > interface ID cache to support those existing TPM devices.
> >
> > Contributed-under: TianoCore Contribution Agreement 1.1
> > Signed-off-by: Zhang, Chao B <chao.b.zh...@intel.com>
> > Cc: Andrew Fish <af...@apple.com>
> > Cc: Laszlo Ersek <ler...@redhat.com>
> > Cc: Leif Lindholm <leif.lindh...@linaro.org>
> > Cc: Michael D Kinney <michael.d.kin...@intel.com>
> > Cc: Yao Jiewen <jiewen@intel.com>
> > ---
> >  SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 23 +++-
> >  SecurityPkg/SecurityPkg.dec |  3 +-
> >  SecurityPkg/SecurityPkg.uni |  3 +-
> >  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c | 49 
> > +
> >  SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c   | 42 +
> >  5 files changed, 117 insertions(+), 3 deletions(-)
>
> I'll let others review this patch for technical merit.
>
> However, I'm really undecided whether this patch qualifies for being
> pushed during the hard feature freeze. Comments welcome.

Unless the current behaviour causes an absolutely horrendous security
hole, I don't see how this qualifies for pushing during hard freeze.

According to its description, this is about supporting (non-compliant)
devices that have never worked with EDK2. And the support it updates
went in on 25 June. So there does not appear to be any urgency.

Once it does go in, I would also appreciate some simplification via
macros to cut down some of those very long lines, but then I'm not the
maintainer of this package.

Regards,

Leif
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] [Patch] SecurityPkg: Fix TPM device compatibility issue

2018-11-09 Thread Zhang, Chao B
Hi All:
  Let me introduce more background.
   We enabled the Interface Type Cache feature because it complies with the TCG PTP 
1.03 spec (also the earlier PTP 00.43) and reduces traffic to communicate with the TPM.
It by chance addresses a defect within some TPM2.0 devices where frequently touching 
the InterfaceID register could cause permanent damage.
   But in our recent test, we found another device compatibility issue. Using the 
interface cache and skipping touching real hardware will cause the NTC 1310 TPM 2.0 
to malfunction.
In conclusion, I think our Interface Type Cache feature is the right direction, 
but with the intention to keep device compatibility, we still need to expose an 
enable/disable configuration.


From: Laszlo Ersek [mailto:ler...@redhat.com]
Sent: Friday, November 9, 2018 4:05 PM
To: Zhang, Chao B ; edk2-devel@lists.01.org
Cc: Andrew Fish ; Leif Lindholm ; 
Kinney, Michael D ; Yao, Jiewen 

Subject: Re: [Patch] SecurityPkg: Fix TPM device compatibility issue

On 11/09/18 07:02, Zhang, Chao B wrote:
> Issue Statement:
> The TPM InterfaceId cache feature is introduced by 
> f15cb995bb3880b77e15afe6facd3da05e599a17. It follows TCG PTP spec 1.3
> to improve TPM transmission performance and also addresses defects in some 
> TPM2.0 devices. But some other TPM devices, like the
> NTC1310 SPI TPM, are found to function abnormally with this feature, causing an 
> extra device compatibility issue.
>
> Solution:
> Add a policy indicator in PcdActiveTpmInterfaceType to disable the TPM interface 
> ID cache to support those existing TPM devices.
>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Zhang, Chao B <chao.b.zh...@intel.com>
> Cc: Andrew Fish <af...@apple.com>
> Cc: Laszlo Ersek <ler...@redhat.com>
> Cc: Leif Lindholm <leif.lindh...@linaro.org>
> Cc: Michael D Kinney <michael.d.kin...@intel.com>
> Cc: Yao Jiewen <jiewen@intel.com>
> ---
>  SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 23 +++-
>  SecurityPkg/SecurityPkg.dec |  3 +-
>  SecurityPkg/SecurityPkg.uni |  3 +-
>  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c | 49 
> +
>  SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c   | 42 +
>  5 files changed, 117 insertions(+), 3 deletions(-)

I'll let others review this patch for technical merit.

However, I'm really undecided whether this patch qualifies for being
pushed during the hard feature freeze. Comments welcome.

Thanks
Laszlo
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] [RFC PATCH 7/9] SecurityPkg/AuthVariableLib:allow reusability as MM_STANDALONE

2018-11-08 Thread Zhang, Chao B
Reviewed-by: Chao Zhang 

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of 
Jagadeesh Ujja
Sent: Wednesday, October 31, 2018 7:10 PM
To: edk2-devel@lists.01.org
Subject: [edk2] [RFC PATCH 7/9] SecurityPkg/AuthVariableLib:allow reusability 
as MM_STANDALONE

The “AuthVariableLib” library will be used by MM_STANDALONE drivers too, hence 
MM_STANDALONE is added to LIBRARY_CLASS.

Change-Id: I67a10e1c60b3c859283c995f442d5b8709de89e1
Signed-off-by: Jagadeesh Ujja 
---
 SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf 
b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
index 572ba4e..4294d3b 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -2,6 +2,7 @@
 #  Provides authenticated variable services.
 #
 #  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
+#  Copyright (c) 2018, ARM Limited. All rights reserved.
 #
 #  This program and the accompanying materials  #  are licensed and made 
available under the terms and conditions @@ -21,12 +22,12 @@
   FILE_GUID  = B23CF5FB-6FCC-4422-B145-D855DBC05457
   MODULE_TYPE= DXE_RUNTIME_DRIVER
   VERSION_STRING = 1.0
-  LIBRARY_CLASS  = AuthVariableLib|DXE_RUNTIME_DRIVER 
DXE_SMM_DRIVER
+  LIBRARY_CLASS  = AuthVariableLib|DXE_RUNTIME_DRIVER 
DXE_SMM_DRIVER MM_STANDALONE
 
 #
 # The following information is for reference only and not required by the 
build tools.
 #
-#  VALID_ARCHITECTURES   = IA32 X64
+#  VALID_ARCHITECTURES   = IA32 X64 AARCH64
 #
 
 [Sources]
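Review bot: The VALID_ARCHITECTURES line changes from `IA32 X64` to `IA32 X64 AARCH64`, which the commit message (MM_STANDALONE added to LIBRARY_CLASS) does not mention; either state it in the message or leave it for a separate patch. Listing MM_STANDALONE in `LIBRARY_CLASS  = AuthVariableLib|DXE_RUNTIME_DRIVER DXE_SMM_DRIVER MM_STANDALONE` also asserts that the library depends only on services available in standalone MM, which nothing visible in the hunk shows; the message should say which MM_STANDALONE driver links it and that the build was verified.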
--
1.9.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


[edk2] [Patch] SecurityPkg: Fix TPM device compatibility issue

2018-11-08 Thread Zhang, Chao B
Issue Statement:
The TPM InterfaceId cache feature is introduced by 
f15cb995bb3880b77e15afe6facd3da05e599a17. It follows TCG PTP spec 1.3
to improve TPM transmission performance and also addresses defects in some 
TPM2.0 devices. But some other TPM devices, like the
NTC1310 SPI TPM, are found to function abnormally with this feature, causing an 
extra device compatibility issue.

Solution:
Add a policy indicator in PcdActiveTpmInterfaceType to disable the TPM interface ID 
cache to support those existing TPM devices.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B 
Cc: Andrew Fish 
Cc: Laszlo Ersek 
Cc: Leif Lindholm 
Cc: Michael D Kinney 
Cc: Yao Jiewen 
---
 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c | 23 +++-
 SecurityPkg/SecurityPkg.dec |  3 +-
 SecurityPkg/SecurityPkg.uni |  3 +-
 SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c | 49 +
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c   | 42 +
 5 files changed, 117 insertions(+), 3 deletions(-)

diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
index ad2f188b46..66aa8794ac 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c
@@ -524,10 +524,17 @@ DumpPtpInfo (
 
   Vid = 0x;
   Did = 0x;
   Rid = 0xFF;
   PtpInterface = PcdGet8(PcdActiveTpmInterfaceType);
+  if (PtpInterface == 0xFE) {
+//
+// TPM interface type cache disabled. Always read Interface type from TPM
+//
+PtpInterface = Tpm2GetPtpInterface (Register);
+  }
+
   DEBUG ((EFI_D_INFO, "PtpInterface - %x\n", PtpInterface));
   switch (PtpInterface) {
   case Tpm2PtpInterfaceCrb:
 Vid = MmioRead16 ((UINTN)&((PTP_CRB_REGISTERS *)Register)->Vid);
 Did = MmioRead16 ((UINTN)&((PTP_CRB_REGISTERS *)Register)->Did);
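Review bot: `if (PtpInterface == 0xFE)` puts a magic number into a variable of type TPM2_PTP_INTERFACE_TYPE, and the same literal is repeated in the two hunks below; add a named member or macro for the "cache disabled" value next to that type and use it at all three sites and in the .dec comment, so the sentinel in code and the documented PCD value cannot drift apart.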
@@ -568,11 +575,18 @@ DTpm2SubmitCommand (
   IN UINT8 *OutputParameterBlock
   )
 {
   TPM2_PTP_INTERFACE_TYPE  PtpInterface;
 
-  PtpInterface = PcdGet8(PcdActiveTpmInterfaceType);
+  PtpInterface = PcdGet8(PcdActiveTpmInterfaceType);  
+  if (PtpInterface == 0xFE) {
+//
+// Always read Interface type from TPM to get more device compatibility
+//
+PtpInterface = Tpm2GetPtpInterface ((VOID *) (UINTN) PcdGet64 
(PcdTpmBaseAddress));
+  }
+
   switch (PtpInterface) {
   case Tpm2PtpInterfaceCrb:
 return PtpCrbTpmCommand (
(PTP_CRB_REGISTERS_PTR) (UINTN) PcdGet64 (PcdTpmBaseAddress),
InputParameterBlock,
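Review bot: The line `PtpInterface = PcdGet8(PcdActiveTpmInterfaceType);` is removed and re-added with only trailing whitespace appended; drop that change so the hunk contains just the new block. The new comment here ("Always read Interface type from TPM to get more device compatibility") also differs from the wording in DumpPtpInfo ("TPM interface type cache disabled. Always read Interface type from TPM"); one phrasing at all three sites lets a grep for the feature find them together.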
@@ -608,10 +622,17 @@ DTpm2RequestUseTpm (
   )
 {
   TPM2_PTP_INTERFACE_TYPE  PtpInterface;
 
   PtpInterface = PcdGet8(PcdActiveTpmInterfaceType);
+  if (PtpInterface == 0xFE) {
+//
+// Always read Interface type from TPM to get more device compatibility
+//
+PtpInterface = Tpm2GetPtpInterface ((VOID *) (UINTN) PcdGet64 
(PcdTpmBaseAddress));
+  }
+
   switch (PtpInterface) {
   case Tpm2PtpInterfaceCrb:
 return PtpCrbRequestUseTpm ((PTP_CRB_REGISTERS_PTR) (UINTN) PcdGet64 
(PcdTpmBaseAddress));
   case Tpm2PtpInterfaceFifo:
   case Tpm2PtpInterfaceTis:
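Review bot: With the PCD set to 0xFE, `Tpm2GetPtpInterface` now runs on every DTpm2RequestUseTpm and DTpm2SubmitCommand call, which restores the per-command interface-register read that the cache was introduced to remove and that this thread describes as harmful to some parts; the .dec text for 0xFE should say that platform owners set it only for devices that need it, and a one-time DEBUG message when this fallback path is taken would make the behaviour visible in boot logs.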
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 8d64b4fefe..2aef4ba128 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -467,11 +467,12 @@
   ## This PCD indicates current active TPM interface type.
   #  Accodingt to TCG PTP spec 1.3, there are 3 types defined in 
TPM2_PTP_INTERFACE_TYPE.
   #  0x00 - FIFO interface as defined in TIS 1.3 is active.
   #  0x01 - FIFO interface as defined in PTP for TPM 2.0 is active.
   #  0x02 - CRB interface is active.
-  #  0xFF - Contains no current active TPM interface type.
+  #  0xFE - Disable TPM interface type cache feature.
+  #  0xFF - Enable TPM interface cache and contain no current active TPM 
interface type.
   #
   # @Prompt current active TPM interface type.
   gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType|0xFF|UINT8|0x0001001E
 
   ## This PCD records IdleByass status supported by current active TPM 
interface.
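Review bot: While this comment block is being edited, the unchanged context line `#  Accodingt to TCG PTP spec 1.3` can be corrected to `According`. The new text documents 0xFE and 0xFF alongside the three TPM2_PTP_INTERFACE_TYPE values, so say explicitly that 0xFE is a policy setting a platform opts into and 0xFF is the shipped default (`|0xFF|`) meaning no interface type has been cached yet.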
diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni
index 400fe6015e..44182bb62a 100644
--- a/SecurityPkg/SecurityPkg.uni
+++ b/SecurityPkg/SecurityPkg.uni
@@ -252,11 +252,12 @@
 
 #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdActiveTpmInterfaceType_HELP  
#language en-US "This PCD indicates current active TPM interface type.\n"

   "0x00 - FIFO interface as defined in TIS 1.3 is active.\n"

   "0x01 - FIFO interface as defined in PTP for TPM 2.0 is 
active.\n"

   "0x02 - CRB interface is active.\n"
-

[edk2] [Patch] Maintainer.txt: Add Chao to be co-maintainer of SignedCapsulePkg

2018-11-05 Thread Zhang, Chao B
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B 
Cc: Jiewen Yao 
---
 Maintainers.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Maintainers.txt b/Maintainers.txt
index 7ebd53f662..43c487d461 100644
--- a/Maintainers.txt
+++ b/Maintainers.txt
@@ -239,10 +239,11 @@ M: Jaben Carsey 
 M: Ruiyu Ni 
 
 SignedCapsulePkg
 W: https://github.com/tianocore/tianocore.github.io/wiki/SignedCapsulePkg
 M: Jiewen Yao 
+M: Chao Zhang 
 
 SourceLevelDebugPkg
 W: https://github.com/tianocore/tianocore.github.io/wiki/SourceLevelDebugPkg
 M: Hao Wu 
 
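Review bot: Adding `M: Chao Zhang` under SignedCapsulePkg should carry a Reviewed-by or Acked-by from the existing maintainer of that block (Jiewen Yao, who is only on Cc here) before it is pushed, so the Maintainers.txt change has the same review trail as a code change.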
-- 
2.16.2.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] Tianocore and TPM2 pcr values

2018-09-25 Thread Zhang, Chao B
Hi Jorge:
PCR 0 should change if you use a different coreboot payload + UEFI. So your 
case seems to be an issue. Can you provide more detailed info? 


-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Jorge 
Fernandez Monteagudo
Sent: Monday, September 24, 2018 5:57 PM
To: edk2-devel@lists.01.org
Subject: [edk2] Tianocore and TPM2 pcr values

Hi all,

This is my first message in this list. I'm using tianocore as a payload for 
Coreboot in order to boot a custom board I'm working on. Finally I've been able 
to enable the TPM2 support in coreboot and in tianocore but I have some 
questions regarding the values I'm seeing in the PCRs.

I'm using Tianocore master branch as is selected by coreboot menuconfig and x64 
architecture. Once the system is running I can read the PCRs and, if I'm not 
wrong, PCRs 0 to 7 are handled by the Tianocore/Coreboot. I've flashed a 
coreboot+tianocore in release mode and a coreboot+tianocore in debug mode and 
the PCRs are the same. Is it ok? I thought that any change in the coreboot.rom 
would make the PCR values change...

pcr0: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
pcr1: a3a3552caa68c6d9db64bf1ed4dca08080f99b59f1b26debc9abefa59ee8ca28
pcr2: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
pcr3: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
pcr4: 74a35102770e65ab94b35135a4bf54c411134ae8059e03df41060a33f573871f
pcr5: dfa65561584cb8604b1675c869f3341d0c99c642ce9d91353380361126235ad8
pcr6: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
pcr7: b5710bf57d25623e4019027da116821fa99f5c81e9e38b87671cc574f9281439

Another test I've done is using the Tianocore stable branch as selected by 
coreboot (STABLE_COMMIT_ID=315d9d08fd77db1024ccc5307823da8aaed85e2f) and I get 
the same values from release and build coreboot.roms except that PCR1 has the 
same value as PCR0, 2, 3 and 6, it seems it's not used in this version.

Is this the expected behavior?

Thanks!
Jorge
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

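Why PCRs 0, 2, 3 and 6 in the dump above hold one identical value, and why a changed firmware image is expected to move PCR 0, both follow from how PCR extend works. The script below is an added example for this page (not edk2 or coreboot code): it replays a constructed SHA-256 event log in software, shows that a single changed byte in a measured image changes the final PCR, and groups Jorge's reported registers by identical value, since equal values mean the registers were fed identical extend sequences. It also tests one hypothesis about the dump, that those registers hold the value of a single EV_SEPARATOR extend (event data 0x00000000 per the TCG PC Client firmware profile); that check is an assumption about the dump's history, not a finding from the thread, and the script only reports the comparison.

```python
"""Replay a TPM 2.0 SHA-256 event log in software and compare with observed PCRs.

Added example for this thread, not edk2 or coreboot code. The event log in main()
is constructed; the EV_SEPARATOR comparison is a hypothesis about the dump.
"""
import hashlib

SHA256_LEN = 32
FIRMWARE_PCRS = range(8)  # PCRs 0-7 are owned by the platform firmware

# PCR values as reported in the thread (SHA-256 bank, hex).
REPORTED_PCRS = {
    0: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    1: "a3a3552caa68c6d9db64bf1ed4dca08080f99b59f1b26debc9abefa59ee8ca28",
    2: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    3: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    4: "74a35102770e65ab94b35135a4bf54c411134ae8059e03df41060a33f573871f",
    5: "dfa65561584cb8604b1675c869f3341d0c99c642ce9d91353380361126235ad8",
    6: "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969",
    7: "b5710bf57d25623e4019027da116821fa99f5c81e9e38b87671cc574f9281439",
}


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for one SHA-256 bank: new = SHA-256(current || digest)."""
    if len(current) != SHA256_LEN or len(digest) != SHA256_LEN:
        raise ValueError("extend operands must be SHA-256 digests")
    return hashlib.sha256(current + digest).digest()


def replay_event_log(events) -> dict:
    """Replay (pcr_index, measured_bytes) events starting from all-zero PCRs.

    The TPM extends the digest of the measured object, so each event's data is
    hashed first and that hash is folded into the register.
    """
    pcrs = {i: bytes(SHA256_LEN) for i in FIRMWARE_PCRS}
    for pcr, data in events:
        if pcr not in pcrs:
            raise ValueError(f"PCR {pcr} is not a firmware PCR")
        pcrs[pcr] = pcr_extend(pcrs[pcr], hashlib.sha256(data).digest())
    return pcrs


def identical_value_groups(pcrs: dict) -> list:
    """Groups of PCR indices holding the same value.

    Extend is a hash chain, so equal final values mean the registers saw the same
    sequence of digests (short of a SHA-256 collision).
    """
    by_value = {}
    for idx, value in pcrs.items():
        by_value.setdefault(value, []).append(idx)
    return sorted(sorted(g) for g in by_value.values() if len(g) > 1)


def separator_only_value() -> bytes:
    """Value a PCR holds after exactly one EV_SEPARATOR extend.

    Assumption (TCG PC Client firmware profile): separator event data is the
    4-byte value 0x00000000 and the extended digest is its SHA-256.
    """
    return pcr_extend(bytes(SHA256_LEN), hashlib.sha256(b"\x00\x00\x00\x00").digest())


def diagnose(reported_hex: dict) -> dict:
    """Per PCR: True if the value equals 'separator only', meaning nothing else
    was measured into that register before the separator."""
    sep = separator_only_value()
    return {idx: bytes.fromhex(h) == sep for idx, h in reported_hex.items()}


if __name__ == "__main__":
    # Constructed log: two firmware volumes into PCR0, a boot loader into PCR4,
    # then a separator into each of PCR 0-7 to close the pre-OS phase.
    log = [(0, b"constructed FV: PEI"), (0, b"constructed FV: DXE"),
           (4, b"constructed boot loader image")]
    log += [(i, b"\x00\x00\x00\x00") for i in FIRMWARE_PCRS]
    replayed = replay_event_log(log)
    for idx in FIRMWARE_PCRS:
        print(f"pcr{idx}: {replayed[idx].hex()}")
    # One changed byte in a measured image changes the final PCR: this is why a
    # different coreboot payload or UEFI image is expected to move PCR0.
    altered = replay_event_log([(0, b"constructed FV: PEI"),
                                (0, b"constructed FV: DXF")] + log[2:])
    print("PCR0 moved after a one-byte change:", altered[0] != replayed[0])
    reported = {i: bytes.fromhex(h) for i, h in REPORTED_PCRS.items()}
    print("identical groups in the reported dump:", identical_value_groups(reported))
    print("reported PCRs equal to a single separator extend:",
          [i for i, hit in diagnose(REPORTED_PCRS).items() if hit])
```

To use this against a real platform, feed `replay_event_log` the digests from the firmware's TCG event log instead of the constructed entries; if the replay does not reproduce the PCR values read from the chip, either the log is incomplete or some measurement never reached the TPM, which is exactly the symptom a debug-versus-release build with unchanged PCRs points at.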

Re: [edk2] [PATCH v2 3/3] SecurityPkg: remove PE/COFF header workaround for ELILO on IPF

2018-09-20 Thread Zhang, Chao B
Hi Ard:
  I am good with this patch. I will help to push it.

From: Ard Biesheuvel [mailto:ard.biesheu...@linaro.org]
Sent: Thursday, September 20, 2018 5:47 AM
To: Laszlo Ersek 
Cc: edk2-devel@lists.01.org; Zeng, Star ; Wang, Jian J 
; Kinney, Michael D ; Gao, 
Liming ; Zhang, Chao B ; Yao, 
Jiewen ; Leif Lindholm 
Subject: Re: [PATCH v2 3/3] SecurityPkg: remove PE/COFF header workaround for 
ELILO on IPF

On 7 September 2018 at 01:28, Laszlo Ersek <ler...@redhat.com> wrote:
> On 09/07/18 07:42, Ard Biesheuvel wrote:
>> Now that Itanium support has been dropped, we can remove the various
>> occurrences of the ELILO on Itanium PE/COFF header workaround.
>>
>> Link: https://bugzilla.tianocore.org/show_bug.cgi?id=816
>> Contributed-under: TianoCore Contribution Agreement 1.1
>> Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
>> ---
>>  SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c   
>>  | 47 
>>  SecurityPkg/Library/DxeTpmMeasureBootLib/DxeTpmMeasureBootLib.c 
>>  | 27 +++
>>  SecurityPkg/Tcg/Tcg2Dxe/MeasureBootPeCoff.c 
>>  | 27 +++
>>  
>> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c 
>> | 25 +++
>>  4 files changed, 25 insertions(+), 101 deletions(-)
>
> Reviewed-by: Laszlo Ersek <ler...@redhat.com>
>

Chao, Jiewen: any concerns?
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


[edk2] [Patch] SecurityPkg: HashLib: Change dos format

2018-09-07 Thread Zhang, Chao B
Change file format to DOS

Cc: Bi Dandan 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang Chao B 
Signed-off-by: Zhang, Chao B 
---
 .../HashInstanceLibSha384/HashInstanceLibSha384.c  | 310 ++---
 .../HashInstanceLibSha384.inf  |  90 +++---
 .../HashInstanceLibSha384.uni  |  42 +--
 .../HashInstanceLibSha512/HashInstanceLibSha512.c  | 308 ++--
 .../HashInstanceLibSha512.inf  |  90 +++---
 .../HashInstanceLibSha512.uni  |  42 +--
 6 files changed, 441 insertions(+), 441 deletions(-)

diff --git a/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.c 
b/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.c
index 54bc687425..c750273bdc 100644
--- a/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.c
+++ b/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.c
@@ -1,155 +1,155 @@
-/** @file
-  This library is BaseCrypto SHA384 hash instance.
-  It can be registered to BaseCrypto router, to serve as hash engine.
-
-Copyright (c) 2018, Intel Corporation. All rights reserved. 
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD 
License
-which accompanies this distribution.  The full text of the license may be 
found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include 
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-/**
-  The function set SHA384 to digest list.
-
-  @param DigestList   digest list
-  @param Sha384Digest SHA384 digest
-**/
-VOID
-Tpm2SetSha384ToDigestList (
-  IN TPML_DIGEST_VALUES *DigestList,
-  IN UINT8  *Sha384Digest
-  )
-{
-  DigestList->count = 1;
-  DigestList->digests[0].hashAlg = TPM_ALG_SHA384;
-  CopyMem (
-DigestList->digests[0].digest.sha384,
-Sha384Digest,
-SHA384_DIGEST_SIZE
-);
-}
-
-/**
-  Start hash sequence.
-
-  @param HashHandle Hash handle.
-
-  @retval EFI_SUCCESS  Hash sequence start and HandleHandle returned.
-  @retval EFI_OUT_OF_RESOURCES No enough resource to start hash.
-**/
-EFI_STATUS
-EFIAPI
-Sha384HashInit (
-  OUT HASH_HANDLE*HashHandle
-  )
-{
-  VOID *Sha384Ctx;
-  UINTNCtxSize;
-
-  CtxSize = Sha384GetContextSize ();
-  Sha384Ctx = AllocatePool (CtxSize);
-  ASSERT (Sha384Ctx != NULL);
-
-  Sha384Init (Sha384Ctx);
-
-  *HashHandle = (HASH_HANDLE)Sha384Ctx;
-
-  return EFI_SUCCESS;
-}
-
-/**
-  Update hash sequence data.
-
-  @param HashHandleHash handle.
-  @param DataToHashData to be hashed.
-  @param DataToHashLen Data size.
-
-  @retval EFI_SUCCESS Hash sequence updated.
-**/
-EFI_STATUS
-EFIAPI
-Sha384HashUpdate (
-  IN HASH_HANDLEHashHandle,
-  IN VOID   *DataToHash,
-  IN UINTN  DataToHashLen
-  )
-{
-  VOID *Sha384Ctx;
-
-  Sha384Ctx = (VOID *)HashHandle;
-  Sha384Update (Sha384Ctx, DataToHash, DataToHashLen);
-
-  return EFI_SUCCESS;
-}
-
-/**
-  Complete hash sequence complete.
-
-  @param HashHandleHash handle.
-  @param DigestListDigest list.
-
-  @retval EFI_SUCCESS Hash sequence complete and DigestList is returned.
-**/
-EFI_STATUS
-EFIAPI
-Sha384HashFinal (
-  IN HASH_HANDLE HashHandle,
-  OUT TPML_DIGEST_VALUES *DigestList
-  )
-{
-  UINT8 Digest[SHA384_DIGEST_SIZE];
-  VOID  *Sha384Ctx;
-
-  Sha384Ctx = (VOID *)HashHandle;
-  Sha384Final (Sha384Ctx, Digest);
-
-  FreePool (Sha384Ctx);
-  
-  Tpm2SetSha384ToDigestList (DigestList, Digest);
-
-  return EFI_SUCCESS;
-}
-
-HASH_INTERFACE  mSha384InternalHashInstance = {
-  HASH_ALGORITHM_SHA384_GUID,
-  Sha384HashInit,
-  Sha384HashUpdate,
-  Sha384HashFinal,
-};
-
-/**
-  The function register SHA384 instance.
-  
-  @retval EFI_SUCCESS   SHA384 instance is registered, or system dose not 
surpport registr SHA384 instance
-**/
-EFI_STATUS
-EFIAPI
-HashInstanceLibSha384Constructor (
-  VOID
-  )
-{
-  EFI_STATUS  Status;
-
-  Status = RegisterHashInterfaceLib ();
-  if ((Status == EFI_SUCCESS) || (Status == EFI_UNSUPPORTED)) {
-//
-// Unsupported means platform policy does not need this instance enabled.
-//
-return EFI_SUCCESS;
-  }
-  return Status;
-}
\ No newline at end of file
+/** @file
+  This library is BaseCrypto SHA384 hash instance.
+  It can be registered to BaseCrypto router, to serve as hash engine.
+
+Copyright (c) 2018, Intel Corporation. All rights reserved. 
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD 
License
+which accompanies this distribution.  The full text of the license may be 
found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN &quo
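Review bot: A line-ending conversion shows the whole file as removed and re-added, so the diff cannot show whether any content changed; the commit message should state that the change is whitespace-only and that `git diff --ignore-space-at-eol` (or `git diff -w`) between the two revisions is empty. The removed copy ends with `\ No newline at end of file` and has trailing spaces on a couple of lines (the bare `-  ` lines); since every line is rewritten anyway, the new copy should end with a newline and carry no trailing whitespace. The doc comment typos (`system dose not surpport registr SHA384 instance`) belong in a separate follow-up so this patch stays whitespace-only.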

Re: [edk2] [PATCH 3/5] SecurityPkg: Remove unused PCDs

2018-08-16 Thread Zhang, Chao B
Reviewed-by: Chao Zhang 

-Original Message-
From: Zhang, Shenglei 
Sent: Thursday, August 16, 2018 1:32 PM
To: edk2-devel@lists.01.org
Cc: Yao, Jiewen ; Zhang, Chao B 
Subject: [PATCH 3/5] SecurityPkg: Remove unused PCDs

The PCDs below are unused, so they have been removed from inf.
gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress
gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemId
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemTableId
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemRevision
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorId
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorRevision

Cc: Jiewen Yao 
Cc: Chao Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: shenglei 
---
 SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf | 1 -
 SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf  | 6 --
 2 files changed, 7 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf 
b/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
index a0136bc0c5..581669a277 100644
--- a/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
+++ b/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
@@ -67,7 +67,6 @@
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid ## PRODUCES
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmInitializationPolicy ## PRODUCES
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmAutoDetection## CONSUMES
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress  ## 
SOMETIMES_CONSUMES
 
 [Depex]
   gEfiPeiMasterBootModePpiGuid AND
diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf 
b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
index b875ab7e01..2b89869ef1 100644
--- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
+++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
@@ -101,12 +101,6 @@
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmPlatformClass ## 
SOMETIMES_CONSUMES
   gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized  ## 
SOMETIMES_CONSUMES
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid  ## 
CONSUMES
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress   ## 
SOMETIMES_CONSUMES
-  gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemId## 
SOMETIMES_CONSUMES
-  gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemTableId   ## 
SOMETIMES_CONSUMES
-  gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemRevision  ## 
SOMETIMES_CONSUMES
-  gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorId## 
SOMETIMES_CONSUMES
-  gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorRevision  ## 
SOMETIMES_CONSUMES
   gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeSubClassTpmDevice  ## 
SOMETIMES_CONSUMES
   gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap  ## 
CONSUMES
   gEfiSecurityPkgTokenSpaceGuid.PcdTcg2NumberOfPCRBanks ## 
CONSUMES
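Review bot: The removals in Tcg2Dxe.inf are correct only if Tcg2Dxe.c and its headers no longer reference these PCDs; the commit message should say how "unused" was established (a grep of the module sources, not only of the INF). Dropping all five `PcdAcpiDefault*` entries also removes this module's last PCD from gEfiMdeModulePkgTokenSpaceGuid visible in the hunk, so check whether the `[Packages]` section still needs MdeModulePkg.dec for other reasons before a later cleanup removes it.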
-- 
2.18.0.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] EDK II Stable Tag release edk2-stable201808 and quiet period starting today

2018-08-14 Thread Zhang, Chao B
Hi Laszlo:
   8  667abfaf8a16 UefiCpuPkg: Removing ipf which is no longer supported from 
edk2.
   9  df49a85dbcc6 CorebootModulePkg: Removing ipf from edk2.
  10  04c7f9023ffe CorebootPayloadPkg: Removing ipf from edk2.
  11  4fcb0d54584f NetworkPkg: Removing ipf which is no longer supported from 
edk2.
  12  87f9867f5536 QuarkPlatformPkg: Removing ipf which is no longer supported 
from edk2.
  13  fda6abd64f02 QuarkSocPkg: Removing ipf which is no longer supported from 
edk2.
  14  22ec06c8aaa1 Vlv2TbltDevicePkg: Removing ipf which from edk2.

  These patches are in a patch series to remove IPF. The community review was 
started a very long time before the silent period.  And part of the patch series 
was already in EDK2.
There is no source code change; it only removes some useless sections in INF & 
DSC. And from a feature-complete perspective, I think it is OK to check in.
Anyway, we will learn from this process and be more careful.


From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Laszlo 
Ersek
Sent: Tuesday, August 14, 2018 11:12 PM
To: Kinney, Michael D ; edk2-devel@lists.01.org; 
leif.lindh...@linaro.org; Andrew Fish (af...@apple.com) ; 
Richardson, Brian 
Subject: Re: [edk2] EDK II Stable Tag release edk2-stable201808 and quiet 
period starting today

On 08/08/18 16:16, Kinney, Michael D wrote:
> Hello,
>
> I sent an RFC for review on EDK II stable tags.
>
> https://lists.01.org/pipermail/edk2-devel/2018-June/026474.html
>
> There were no objections and we would like to move forward
> with the an EDK II Stable Tag release.  The original goal was
> 8/10/2018.  I have seen a request to move the stable tag
> release out a few days.
>
> I recommend we target 8/15/2018 and start a quiet period
> on edk2/master starting today.  This means critical bug
> fixes only on edk2/master.  New features and large changes
> should be held until the edk2-stable201808 tag is created.
>
> Please use Bugzilla for the critical issues that must be
> fixed before the tag is created.
>
> https://bugzilla.tianocore.org/

The following commits have been pushed since we entered the quiet period
(the last commit before it was 9e6c4f1527e6, "FmpDevicePkg FmpDxe: Lock
variables in entrypoint instead of callback"):

   1  3781f14c31e0 SecurityPkg/Library/Tpm2DeviceLibDTpm: fix 
s/Constructor/CONSTRUCTOR

This is a critical bugfix, satisfying the requirement.

   2  b3e1e343fe34 SecurityPkg: HashLib: Update HashLib file GUID

Can also be considered an important bugfix (GUID duplication), although
the commit does not name a TianoCore BZ.

   3  10ea1b6853f9 Maintainers.txt: Add FmpDevicePkg maintainers

Can be considered an important bugfix (no maintainers listed for a
top-level package). Misses a TianoCore BZ reference.

   4  45e076b7a720 Vlv2TbltDevicePkg/Override/Bds: Add test key notification
   5  dc65dd5be697 Vlv2TbltDevicePkg/Feature/Capsule: Add FmpDeviceLib instances
   6  d3049066ca25 Vlv2TbltDevicePkg/Capsule: Add scripts to generate capsules
   7  1aa9314e3a84 Vlv2TbltDevicePkg: Update DSC/FDF to use FmpDevicePkg

These commits violate the quiet period. They add a feature.

   8  667abfaf8a16 UefiCpuPkg: Removing ipf which is no longer supported from 
edk2.
   9  df49a85dbcc6 CorebootModulePkg: Removing ipf from edk2.
  10  04c7f9023ffe CorebootPayloadPkg: Removing ipf from edk2.
  11  4fcb0d54584f NetworkPkg: Removing ipf which is no longer supported from 
edk2.
  12  87f9867f5536 QuarkPlatformPkg: Removing ipf which is no longer supported 
from edk2.
  13  fda6abd64f02 QuarkSocPkg: Removing ipf which is no longer supported from 
edk2.
  14  22ec06c8aaa1 Vlv2TbltDevicePkg: Removing ipf which from edk2.

These commits also violate the quiet period. They implement a valid
cleanup, but not a critical bugfix. They should have been delayed.

Laszlo
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7 with OVMF

2018-08-09 Thread Zhang, Chao B
Hi Laszlo:
   We seriously considered such dependency change in design. The library is 
shared between DXE & PEI. So PCD is the generic way to share the data and 
reduce real register touch.
Therefore, the problem is that Library can’t be used by SEC anymore.  The 
decision is,  since there is no SEC usage so far, we’d like to change Lib type 
first & Split it when there is real usage.
   I think your suggestion to split the patch & provide more detailed 
information in log is good.  I will follow this rule later on.

From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Laszlo 
Ersek
Sent: Thursday, August 9, 2018 10:56 PM
To: Marc-André Lureau ; Zhang, Chao B 

Cc: Zeng, Star ; edk2-devel@lists.01.org; Gao, Liming 

Subject: Re: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7 with 
OVMF

On 08/09/18 16:09, Marc-André Lureau wrote:
> Hi
>
> On Mon, Aug 6, 2018 at 5:26 PM, Zhang, Chao B <chao.b.zh...@intel.com> wrote:
>> Hi Ricardo
>>    I double checked the OVMF Debug Build. Both PCDs are already built as
>> Dynamic PCDs. There should be no problem
>> setting & getting these PCDs as Dynamic. We also verified this feature on
>> several real hardware platforms with the same configuration.
>> No issue reported.
>>    Can you share the boot log with me?
>>
>> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of 
>> Laszlo Ersek
>> Sent: Friday, August 3, 2018 10:46 PM
>> To: Ricardo Araújo <rica...@lsd.ufcg.edu.br>; Zhang, Chao B <chao.b.zh...@intel.com>
>> Cc: edk2-devel@lists.01.org; Zeng, Star <star.z...@intel.com>; Gao, Liming <liming@intel.com>
>> Subject: Re: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7 
>> with OVMF
>>
>> On 08/03/18 15:39, Ricardo Araújo wrote:
>>> Hi folks, sorry for the delay!
>>>
>>> I've just applied the patch and got the same error message and empty PCRs.
>>
>> Thanks for the feedback -- although it's not the kind I had hoped for :)
>>
>> I have now filed "[regression] SecurityPkg commit f15cb995bb38 breaks
>> TPM2_ENABLE in OvmfPkg":
>>
>>   https://bugzilla.tianocore.org/show_bug.cgi?id=1075
>>
>> Ricardo, please consider registering in the TianoCore Bugzilla, and
>> adding yourself to the CC list of BZ#1075.
>>
>> For now, I have assigned the BZ to Marc-André, for triaging / analysis.
>> swtpm is not set up on my end, and the TPM2 enablement for OvmfPkg was
>> contributed by Marc-André. Marc-André, are you OK with this? The BZ
>> assignment is about root-causing the issue, at the moment.
>
> That fixes the problem for me:
>
> -  Constructor= Tpm2DeviceLibConstructor
> +  CONSTRUCTOR= Tpm2DeviceLibConstructor

Nice! \o/

>
> It looks to me like the patch "SecurityPkg: Cache TPM interface type
> info" could use more reviews.
>
> Fwiw, I also question why that change (just the line above) was necessary:
>
> -  LIBRARY_CLASS  = Tpm2DeviceLib
> +  LIBRARY_CLASS  = Tpm2DeviceLib|PEIM DXE_DRIVER
> DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER

It's usually a good idea to spell out the client module types that are
permitted to consume the specific library instance, for a given library
class requirement. Different module types have different restrictions
and devices at their disposal, in their respective environments /
firmware phases, and library instances may be specific to those
restrictions / devices.

In this specific case, a PcdLib dependency (more precisely, a dynamic
PCD dependency) was added to the library instance, and so it might make
sense to restrict the library instance to module types whose
environments (their entry point functions anyway) support dynamic PCDs.

I do agree though that this change should have been made either in a
separate patch (if the change isn't closely related to the PCD
dependency), *or* (if it is) it should have been explained / justified
specifically, in the commit message. The commit message is very lacking
indeed.

Thank you for tracking this down!

Laszlo


Re: [edk2] [PATCH 1/1] SecurityPkg/Library/Tpm2DeviceLibDTpm: fix s/Constructor/CONSTRUCTOR

2018-08-09 Thread Zhang, Chao B
Hi Lureau:
   Thanks for your investigation. It is my typo! The reason why we didn't have
this issue is that we only use TPM2InstanceLib.
That lib uses the correct definition.

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of 
marcandre.lur...@redhat.com
Sent: Thursday, August 9, 2018 10:33 PM
To: edk2-devel@lists.01.org
Cc: Laszlo Ersek ; Zhang, Chao B ; 
Long, Qin 
Subject: [edk2] [PATCH 1/1] SecurityPkg/Library/Tpm2DeviceLibDTpm: fix 
s/Constructor/CONSTRUCTOR

From: Marc-André Lureau 

The library constructor is not being called because of the typo, causing TPM2 
detection/initialization to fail.

This fixes OVMF TPM2 regression since commit f15cb995bb38.
https://bugzilla.tianocore.org/show_bug.cgi?id=1075

Cc: Laszlo Ersek 
Cc: Zhang Chao B 
Cc: Long Qin 
Fixes: f15cb995bb3880b77e15afe6facd3da05e599a17
Contributed-under: TianoCore Contribution Agreement 1.1
Reported-by:  Ricardo Araújo 
Signed-off-by: Marc-André Lureau 
---
 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
index b6867bc4fff4..c6d23c93fe93 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
@@ -28,7 +28,7 @@
   MODULE_TYPE= BASE
   VERSION_STRING = 1.0
   LIBRARY_CLASS  = Tpm2DeviceLib|PEIM DXE_DRIVER 
DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
-  Constructor= Tpm2DeviceLibConstructor
+  CONSTRUCTOR= Tpm2DeviceLibConstructor
 #
 # The following information is for reference only and not required by the 
build tools.
 #
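Review bot: The `-  Constructor=` key was accepted by the build tools without any error and simply never took effect, which is how the constructor went unrun; since the hunk only corrects the key, the commit message should also say that platforms linking Tpm2InstanceLibDTpm instead (the reason the regression surfaced on OVMF and not elsewhere) are unaffected, and a follow-up that makes BaseTools warn on an unrecognised [Defines] key would stop the same slip from recurring silently.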
--
2.18.0.547.g1d89318c48



Re: [edk2] [PATCH 1/1] SecurityPkg/Library/Tpm2DeviceLibDTpm: fix s/Constructor/CONSTRUCTOR

2018-08-09 Thread Zhang, Chao B
Reviewed-by: Chao Zhang 

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of 
marcandre.lur...@redhat.com
Sent: Thursday, August 9, 2018 10:33 PM
To: edk2-devel@lists.01.org
Cc: Laszlo Ersek ; Zhang, Chao B ; 
Long, Qin 
Subject: [edk2] [PATCH 1/1] SecurityPkg/Library/Tpm2DeviceLibDTpm: fix 
s/Constructor/CONSTRUCTOR

From: Marc-André Lureau 

The library constructor is not being called because of the typo, causing TPM2 
detection/initialization to fail.

This fixes OVMF TPM2 regression since commit f15cb995bb38.
https://bugzilla.tianocore.org/show_bug.cgi?id=1075

Cc: Laszlo Ersek 
Cc: Zhang Chao B 
Cc: Long Qin 
Fixes: f15cb995bb3880b77e15afe6facd3da05e599a17
Contributed-under: TianoCore Contribution Agreement 1.1
Reported-by:  Ricardo Araújo 
Signed-off-by: Marc-André Lureau 
---
 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
index b6867bc4fff4..c6d23c93fe93 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
@@ -28,7 +28,7 @@
   MODULE_TYPE= BASE
   VERSION_STRING = 1.0
   LIBRARY_CLASS  = Tpm2DeviceLib|PEIM DXE_DRIVER 
DXE_RUNTIME_DRIVER DXE_SMM_DRIVER UEFI_APPLICATION UEFI_DRIVER
-  Constructor= Tpm2DeviceLibConstructor
+  CONSTRUCTOR= Tpm2DeviceLibConstructor
 #
 # The following information is for reference only and not required by the 
build tools.
 #
--
2.18.0.547.g1d89318c48



Re: [edk2] [Patch] SecurityPkg: HashLib: Update HashLib file GUID

2018-08-09 Thread Zhang, Chao B
Tks for the comments. I will update the GUID before check-in.

From: Long, Qin
Sent: Thursday, August 9, 2018 2:22 PM
To: Zhang, Chao B ; edk2-devel@lists.01.org
Subject: RE: [edk2] [Patch] SecurityPkg: HashLib: Update HashLib file GUID

Chao, Please change the lowercase letters in the new GUID to uppercase letters 
when committing this.

Reviewed-by: Long Qin <qin.l...@intel.com>


Best Regards & Thanks,
LONG, Qin

> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Zhang,
> Chao B
> Sent: Wednesday, August 8, 2018 11:06 PM
> To: edk2-devel@lists.01.org
> Cc: Long, Qin <qin.l...@intel.com>
> Subject: [edk2] [Patch] SecurityPkg: HashLib: Update HashLib file GUID
>
> 2 file GUIDs conflict with existing SHA256 Lib. Update them.
>
> Cc: Long Qin <qin.l...@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Zhang, Chao B <chao.b.zh...@intel.com>
> ---
>  SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf | 2 +-
> SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git
> a/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> b/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> index 76677794fa..cf12587354 100644
> --- a/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
> +++ b/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.in
> +++ f
> @@ -15,11 +15,11 @@
>
>  [Defines]
>INF_VERSION= 0x00010005
>BASE_NAME  = HashInstanceLibSha384
>MODULE_UNI_FILE= HashInstanceLibSha384.uni
> -  FILE_GUID  = 5810798A-ED30-4080-8DD7-B9667A748C02
> +  FILE_GUID  = 74223710-17A9-478f-9B24-E354496B968B
>MODULE_TYPE= BASE
>VERSION_STRING = 1.0
>LIBRARY_CLASS  = NULL
>CONSTRUCTOR= HashInstanceLibSha384Constructor
>
> diff --git
> a/SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> b/SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> index 94929a8736..917c23f3d5 100644
> --- a/SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
> +++ b/SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.in
> +++ f
> @@ -15,11 +15,11 @@
>
>  [Defines]
>INF_VERSION= 0x00010005
>BASE_NAME  = HashInstanceLibSha512
>MODULE_UNI_FILE= HashInstanceLibSha512.uni
> -  FILE_GUID  = 5810798A-ED30-4080-8DD7-B9667A748C02
> +  FILE_GUID  = 959C3685-AC3F-4f3e-AC5B-7E2A64BADD36
>MODULE_TYPE= BASE
>VERSION_STRING = 1.0
>LIBRARY_CLASS  = NULL
>CONSTRUCTOR= HashInstanceLibSha512Constructor
>
> --
> 2.16.2.windows.1
>


[edk2] [Patch] SecurityPkg: HashLib: Update HashLib file GUID

2018-08-09 Thread Zhang, Chao B
2 file GUIDs conflict with existing SHA256 Lib. Update them.

Cc: Long Qin 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B 
---
 SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf | 2 +-
 SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git 
a/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf 
b/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
index 76677794fa..cf12587354 100644
--- a/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+++ b/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
@@ -15,11 +15,11 @@
 
 [Defines]
   INF_VERSION= 0x00010005
   BASE_NAME  = HashInstanceLibSha384
   MODULE_UNI_FILE= HashInstanceLibSha384.uni
-  FILE_GUID  = 5810798A-ED30-4080-8DD7-B9667A748C02
+  FILE_GUID  = 74223710-17A9-478f-9B24-E354496B968B
   MODULE_TYPE= BASE
   VERSION_STRING = 1.0
   LIBRARY_CLASS  = NULL
   CONSTRUCTOR= HashInstanceLibSha384Constructor
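Review bot: The `+  FILE_GUID` value `74223710-17A9-478f-9B24-E354496B968B` has a lowercase group (`478f`) while every other GUID in the file is uppercase; please uppercase it before committing, as the reviewer on this thread asked. The one-line commit message ("2 file GUIDs conflict with existing SHA256 Lib") would also be easier to verify if it named the SHA256 INF that owned `5810798A-ED30-4080-8DD7-B9667A748C02` first.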
 
diff --git 
a/SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf 
b/SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
index 94929a8736..917c23f3d5 100644
--- a/SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
+++ b/SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
@@ -15,11 +15,11 @@
 
 [Defines]
   INF_VERSION= 0x00010005
   BASE_NAME  = HashInstanceLibSha512
   MODULE_UNI_FILE= HashInstanceLibSha512.uni
-  FILE_GUID  = 5810798A-ED30-4080-8DD7-B9667A748C02
+  FILE_GUID  = 959C3685-AC3F-4f3e-AC5B-7E2A64BADD36
   MODULE_TYPE= BASE
   VERSION_STRING = 1.0
   LIBRARY_CLASS  = NULL
   CONSTRUCTOR= HashInstanceLibSha512Constructor
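Review bot: Same lowercase group here (`4f3e` in the `+  FILE_GUID` line). Note that both `-` lines in this patch drop the identical GUID `5810798A-ED30-4080-8DD7-B9667A748C02`, so the two new library instances were evidently created by copying an existing INF without regenerating FILE_GUID; a tree-wide uniqueness check on FILE_GUID at review time catches this class of error before the build reports the conflict.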
 
-- 
2.16.2.windows.1



Re: [edk2] [PATCH v2 5/7] SecurityPkg/SecureBootConfigDxe: replace OpenFileByDevicePath() with UefiLib API

2018-08-07 Thread Zhang, Chao B
Reviewed-by: Chao Zhang 

-Original Message-
From: Laszlo Ersek [mailto:ler...@redhat.com] 
Sent: Friday, August 3, 2018 8:16 PM
To: edk2-devel-01 
Cc: Zhang, Chao B ; Yao, Jiewen ; 
Roman Bacik 
Subject: [PATCH v2 5/7] SecurityPkg/SecureBootConfigDxe: replace 
OpenFileByDevicePath() with UefiLib API

Replace the OpenFileByDevicePath() function with EfiOpenFileByDevicePath() from 
UefiLib, correcting the following issues:

- imprecise comments on OpenFileByDevicePath(),
- code duplication between this module and other modules,
- local variable name "EfiSimpleFileSystemProtocol" starting with "Efi"
  prefix,
- bogus "FileHandle = NULL" assignments,
- leaking "Handle1" when the device path type/subtype check or the
  realignment-motivated AllocateCopyPool() fails in the loop,
- stale SHELL_FILE_HANDLE reference in a comment.

Cc: Chao Zhang 
Cc: Jiewen Yao 
Cc: Roman Bacik 
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1008
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek 
Reviewed-by: Chao Zhang 
Reviewed-by: Jaben Carsey 
---

Notes:
v2:

- pick up Chao's and Jaben's R-b's

- insert a space character between "EfiOpenFileByDevicePath" and "(" --
  it was missing from the pre-patch code too

 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf          |   1 -
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c | 151 +---
 2 files changed, 1 insertion(+), 151 deletions(-)

diff --git 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf 
b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 487fc8cda917..caf95ddac7d9 100644
--- 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo
+++ nfigDxe.inf
@@ -114,7 +114,6 @@ [Guids]
 [Protocols]
   gEfiHiiConfigAccessProtocolGuid   ## PRODUCES
   gEfiDevicePathProtocolGuid## PRODUCES
-  gEfiSimpleFileSystemProtocolGuid  ## SOMETIMES_CONSUMES
   gEfiBlockIoProtocolGuid   ## SOMETIMES_CONSUMES
 
 [Depex]
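Review bot: Removing `gEfiSimpleFileSystemProtocolGuid` from [Protocols] is correct only if the deleted OpenFileByDevicePath() was this module's sole use of that protocol; the replacement, EfiOpenFileByDevicePath() from UefiLib, carries the dependency in MdePkg instead. Please confirm that no other SecureBootConfigDxe source still references the GUID, and that UefiLib already appears under [LibraryClasses] in this INF, because the hunk does not add it.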
diff --git 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
 
b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
index 2a26c20f394c..aef85c470143 100644
--- 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo
+++ nfigFileExplorer.c
@@ -80,155 +80,6 @@ CleanUpPage (
 );
 }
 
-/**
-  This function will open a file or directory referenced by DevicePath.
-
-  This function opens a file with the open mode according to the file path. The
-  Attributes is valid only for EFI_FILE_MODE_CREATE.
-
-  @param[in, out]  FilePathOn input, the device path to the file.
-   On output, the remaining device path.
-  @param[out]  FileHandle  Pointer to the file handle.
-  @param[in]   OpenModeThe mode to open the file with.
-  @param[in]   Attributes  The file's file attributes.
-
-  @retval EFI_SUCCESS  The information was set.
-  @retval EFI_INVALID_PARAMETEROne of the parameters has an invalid value.
-  @retval EFI_UNSUPPORTED  Could not open the file path.
-  @retval EFI_NOT_FOUNDThe specified file could not be found on the
-   device or the file system could not be 
found on
-   the device.
-  @retval EFI_NO_MEDIA The device has no medium.
-  @retval EFI_MEDIA_CHANGEDThe device has a different medium in it or 
the
-   medium is no longer supported.
-  @retval EFI_DEVICE_ERROR The device reported an error.
-  @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted.
-  @retval EFI_WRITE_PROTECTED  The file or medium is write protected.
-  @retval EFI_ACCESS_DENIEDThe file was opened read only.
-  @retval EFI_OUT_OF_RESOURCES Not enough resources were available to open 
the
-   file.
-  @retval EFI_VOLUME_FULL  The volume is full.
-**/
-EFI_STATUS
-EFIAPI
-OpenFileByDevicePath(
-  IN OUT EFI_DEVICE_PATH_PROTOCOL **FilePath,
-  OUT EFI_FILE_HANDLE *FileHandle,
-  IN UINT64   OpenMode,
-  IN UINT64   Attributes
-  )
-{
-  EFI_STATUS  Status;
-  EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *EfiSimpleFileSystemProtocol;
-  EFI_FILE_PROTOCOL   *Handle1;
-  EFI_FILE_PROTOCOL   *Handle2;
-  EFI_HANDLE  DeviceHandle;
-  CHAR16  *PathName;
-  UI
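Review bot: The deleted Doxygen block documents a dozen @retval codes the old OpenFileByDevicePath() could return; the commit message lists the defects being removed (the leaked Handle1, the bogus "FileHandle = NULL" assignments) but not whether EfiOpenFileByDevicePath() hands the same status codes back to the caller in SecureBootConfigFileExplorer.c. One sentence on that, next to the single call-site change the diffstat counts as this file's one insertion, would let reviewers confirm behavioural equivalence rather than only the deletion.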

Re: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7 with OVMF

2018-08-06 Thread Zhang, Chao B
Hi Ricardo
   I double checked the OVMF Debug Build. Both PCDs are already built as
Dynamic PCDs. There should be no problem
setting & getting these PCDs as Dynamic. We also verified this feature on
several real hardware platforms with the same configuration.
No issue reported.
   Can you share the boot log with me?

From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Laszlo 
Ersek
Sent: Friday, August 3, 2018 10:46 PM
To: Ricardo Araújo ; Zhang, Chao B 

Cc: edk2-devel@lists.01.org; Zeng, Star ; Gao, Liming 

Subject: Re: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7 with 
OVMF

On 08/03/18 15:39, Ricardo Araújo wrote:
> Hi folks, sorry for the delay!
>
> I've just applied the patch and got the same error message and empty PCRs.

Thanks for the feedback -- although it's not the kind I had hoped for :)

I have now filed "[regression] SecurityPkg commit f15cb995bb38 breaks
TPM2_ENABLE in OvmfPkg":

  https://bugzilla.tianocore.org/show_bug.cgi?id=1075

Ricardo, please consider registering in the TianoCore Bugzilla, and
adding yourself to the CC list of BZ#1075.

For now, I have assigned the BZ to Marc-André, for triaging / analysis.
swtpm is not set up on my end, and the TPM2 enablement for OvmfPkg was
contributed by Marc-André. Marc-André, are you OK with this? The BZ
assignment is about root-causing the issue, at the moment.

Once we know more closely what the problem is, we can decide what to do.
If it's hard to fix, my argument will be that we should roll back
SecurityPkg commit f15cb995bb38 first (it's a regression after all), and
re-apply it only when it no longer breaks OVMF. If the issue is not hard
to fix and we can commit the solution quickly, then I'll be fine with
leaving f15cb995bb38 applied.

Thanks,
Laszlo

>
> From: "Zhang, Chao B" <chao.b.zh...@intel.com>
> To: "Laszlo Ersek" <ler...@redhat.com>, "Ricardo Araújo" <rica...@lsd.ufcg.edu.br>,
> "Marc-André Lureau" <marcandre.lur...@redhat.com>
> Cc: edk2-devel@lists.01.org, "Gao, Liming" <liming@intel.com>, "Zeng, Star"
> <star.z...@intel.com>
> Sent: Thursday, August 2, 2018 21:22:18
> Subject: RE: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7
> with OVMF
>
> Tks Laszlo. And please make sure PcdLib is correctly linked in OVMF.
>
> From: Laszlo Ersek [mailto:ler...@redhat.com]
> Sent: Thursday, August 2, 2018 9:14 PM
> To: Zhang, Chao B <chao.b.zh...@intel.com>; Ricardo Araújo <rica...@lsd.ufcg.edu.br>;
> Marc-André Lureau <marcandre.lur...@redhat.com>
> Cc: edk2-devel@lists.01.org; Gao, Liming <liming@intel.com>; Zeng, Star
> <star.z...@intel.com>
> Subject: Re: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7 
> with OVMF
>
>
>
>
> On 08/02/18 04:04, Zhang, Chao B wrote:
>> Hi Laszlo & Ricardo
>> The patch was intended to reduce the time to read the TPM interface ID register.
>> The interface type should not change within a boot cycle according to the PTP spec.
>> I agree to add some ASSERTs after PCDSetxxsS.
>> But it is a core solution without platform change, as the PCD has been configured
>> as DYN, DYNEx in the DEC. I don't know why you meet the Set failure
>> in OVMF. Here, I include a PCD expert to explain this.
>
> As far as I recall, dynamic PCDs have never behaved as actually settable
> for me unless I added dynamic defaults for them in the OVMF DSC files.
>
> I never really researched why this was the case, I just accepted that
> the dynamic defaults were apparently necessary.
>
> Let's wait for Ricardo's response. Perhaps my analysis / suspicion were
> incorrect and it's not actually the "dynamism" of the PCD that's missing
> for OVMF. Ricardo's answer will tell us if there's another issue.
>
> Thanks
> Laszlo
>
>> From: Laszlo Ersek [ mailto:ler...@redhat.com ]
>> Sent: Thursday, August 2, 2018 5:49 AM
>> To: Ricardo Araújo <rica...@lsd.ufcg.edu.br>; Zhang, Chao B <chao.b.zh...@intel.com>;
>> Marc-André Lureau <marcandre.lur...@redhat.com>
>> Cc: edk2-devel@lists.01.org
>> Subject: Re: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7 
>> with OVMF
>>
>> On 08/01/18 19:50, Ricardo Araújo wrote:
>>> The commit I was referring to is:
>>> https://github.com/tianocore/edk2/c

Re: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7 with OVMF

2018-08-02 Thread Zhang, Chao B
Tks Laszlo. And please make sure PcdLib is correctly linked in OVMF.

From: Laszlo Ersek [mailto:ler...@redhat.com]
Sent: Thursday, August 2, 2018 9:14 PM
To: Zhang, Chao B ; Ricardo Araújo 
; Marc-André Lureau 
Cc: edk2-devel@lists.01.org; Gao, Liming ; Zeng, Star 

Subject: Re: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7 with 
OVMF

On 08/02/18 04:04, Zhang, Chao B wrote:
> Hi Laszlo & Ricardo
> The patch was intended to reduce the time to read the TPM interface ID register.
> The interface type should not change within a boot cycle according to the PTP spec.
> I agree to add some ASSERTs after PCDSetxxsS.
> But it is a core solution without platform change, as the PCD has been configured
> as DYN, DYNEx in the DEC. I don't know why you meet the Set failure
> in OVMF. Here, I include a PCD expert to explain this.

As far as I recall, dynamic PCDs have never behaved as actually settable
for me unless I added dynamic defaults for them in the OVMF DSC files.

I never really researched why this was the case, I just accepted that
the dynamic defaults were apparently necessary.

Let's wait for Ricardo's response. Perhaps my analysis / suspicion were
incorrect and it's not actually the "dynamism" of the PCD that's missing
for OVMF. Ricardo's answer will tell us if there's another issue.

Thanks
Laszlo

> From: Laszlo Ersek [mailto:ler...@redhat.com]
> Sent: Thursday, August 2, 2018 5:49 AM
> To: Ricardo Araújo <rica...@lsd.ufcg.edu.br>; Zhang, Chao B <chao.b.zh...@intel.com>;
> Marc-André Lureau <marcandre.lur...@redhat.com>
> Cc: edk2-devel@lists.01.org
> Subject: Re: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7 
> with OVMF
>
> On 08/01/18 19:50, Ricardo Araújo wrote:
>> The commit I was referring to is:
>> https://github.com/tianocore/edk2/commit/f15cb995bb3880b77e15afe6facd3da05e599a17
>>
>> Regards,
>>
>> Ricardo Araujo -
>> www.lsd.ufcg.edu.br/~ricardo
>>
>> - Original Message -
>> From: "Ricardo Araújo" <rica...@lsd.ufcg.edu.br>
>> To: edk2-devel@lists.01.org
>> Sent: Wednesday, August 1, 2018 14:33:45
>> Subject: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7
>> with OVMF
>>
>> Hi everyone,
>>
>> I'm using OVMF with a simulated TPM 2.0 (from
>> https://github.com/stefanberger/swtpm) and I noticed lately that PCRs
>> 0-7 are zeroed after booting the vm (ubuntu 18.04) and the only
>> message related to this in dmesg is:
>>
>> [ 2.286690] tpm_tis 00:06: 2.0 TPM (device-id 0x1, rev-id 1)
>> [ 2.303753] tpm tpm0: A TPM error (256) occurred continue selftest
>> [ 2.314199] tpm tpm0: starting up the TPM manually
>>
>> I found this started to happen after this commit , previous commits to
>> that are showing boot time measurements on PCR 0-7 normally and the
>> error message is gone. Has anyone experienced the same behavior? I
>> followed the instructions here for building OVMF but I added the
>> parameters -D TPM2_ENABLE=TRUE -D SECURE_BOOT_ENABLE=TRUE -D
>> HTTP_BOOT_ENABLE=TRUE. Is there anything else I need to add to enable
>> these measurements?
>>
>> Regards,
>>
>> Ricardo Araujo
>> www.lsd.ufcg.edu.br/~ricardo
>
> Thank you for the bug report. It looks like a regression to me, but the
> details aren't immediately clear.
>
> Adding Marc-André who contributed the TPM enablement for OVMF, and Chao
> Zhang who authored the commit in question.
>
> If I recall correctly, in OVMF we decided to never cache the TPM type
> but always detect it. I could be remembering wrong though. See commit
> 6cf1880fb5b6 ("OvmfPkg: add customized Tcg2ConfigPei clone",
> 2018-03-09).
>
> Chao Zhang: can you please explain what additional requirements are
> presented for a platform by commit f15cb995bb38? In OVMF we use a
> customized Tcg2ConfigPei module (see the commit above).
>
>
> Oh wait, I suspect what's wrong. I believe there are two bugs in commit
> f15cb995bb38 ("SecurityPkg: Cache TPM interface type info", 2018-06-25):
>
> * Bug#1:
>
> Commit f15cb995bb38  introduces a new PCD, called
> "PcdActiveTpmInterfaceType", in section [PcdsDynamic, Pcd

Re: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7 with OVMF

2018-08-01 Thread Zhang, Chao B
Hi Laszlo & Ricardo
The patch was intended to reduce the time to read the TPM interface ID register.
The interface type should not change within a boot cycle according to the PTP spec.
I agree to add some ASSERTs after PCDSetxxsS.
But it is a core solution without platform change, as the PCD has been configured
as DYN, DYNEx in the DEC. I don't know why you meet the Set failure
in OVMF. Here, I include a PCD expert to explain this.


From: Laszlo Ersek [mailto:ler...@redhat.com]
Sent: Thursday, August 2, 2018 5:49 AM
To: Ricardo Araújo ; Zhang, Chao B 
; Marc-André Lureau 
Cc: edk2-devel@lists.01.org
Subject: Re: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7 with 
OVMF

On 08/01/18 19:50, Ricardo Araújo wrote:
> The commit I was referring to is:
> https://github.com/tianocore/edk2/commit/f15cb995bb3880b77e15afe6facd3da05e599a17
>
> Regards,
>
> Ricardo Araujo -
> www.lsd.ufcg.edu.br/~ricardo
>
> - Original Message -
> From: "Ricardo Araújo" <rica...@lsd.ufcg.edu.br>
> To: edk2-devel@lists.01.org
> Sent: Wednesday, August 1, 2018 14:33:45
> Subject: [edk2] Missing boot related measurements at TPM 2.0 PCRs 0-7
> with OVMF
>
> Hi everyone,
>
> I'm using OVMF with a simulated TPM 2.0 (from
> https://github.com/stefanberger/swtpm) and I noticed lately that PCRs
> 0-7 are zeroed after booting the vm (ubuntu 18.04) and the only
> message related to this in dmesg is:
>
> [ 2.286690] tpm_tis 00:06: 2.0 TPM (device-id 0x1, rev-id 1)
> [ 2.303753] tpm tpm0: A TPM error (256) occurred continue selftest
> [ 2.314199] tpm tpm0: starting up the TPM manually
>
> I found this started to happen after this commit , previous commits to
> that are showing boot time measurements on PCR 0-7 normally and the
> error message is gone. Has anyone experienced the same behavior? I
> followed the instructions here for building OVMF but I added the
> parameters -D TPM2_ENABLE=TRUE -D SECURE_BOOT_ENABLE=TRUE -D
> HTTP_BOOT_ENABLE=TRUE. Is there anything else I need to add to enable
> these measurements?
>
> Regards,
>
> Ricardo Araujo
> www.lsd.ufcg.edu.br/~ricardo

Thank you for the bug report. It looks like a regression to me, but the
details aren't immediately clear.

Adding Marc-André who contributed the TPM enablement for OVMF, and Chao
Zhang who authored the commit in question.

If I recall correctly, in OVMF we decided to never cache the TPM type
but always detect it. I could be remembering wrong though. See commit
6cf1880fb5b6 ("OvmfPkg: add customized Tcg2ConfigPei clone",
2018-03-09).

Chao Zhang: can you please explain what additional requirements are
presented for a platform by commit f15cb995bb38? In OVMF we use a
customized Tcg2ConfigPei module (see the commit above).


Oh wait, I suspect what's wrong. I believe there are two bugs in commit
f15cb995bb38 ("SecurityPkg: Cache TPM interface type info", 2018-06-25):

* Bug#1:

Commit f15cb995bb38  introduces a new PCD, called
"PcdActiveTpmInterfaceType", in section [PcdsDynamic, PcdsDynamicEx] of
"SecurityPkg.dec", and makes core modules from SecurityPkg dependent on
it.

Obviously this means that platforms are required to provide a Dynamic
Default for the new PCD in their DSC files, if they include those core
modules from SecurityPkg, otherwise the PCD won't actually behave
dynamically -- "set" operations will fail, and "get" operations will
just return the central default from the SecurityPkg.dec file. As a
result, the cached TPM type will always be wrong (it will look like
"undetected", 0xFF).

This could have been avoided by grepping all "*dsc*" files in the edk2
tree for references to the SecurityPkg module INF files that were about
to receive a dependency on the PCD. Such as:

  git grep -l -F \
-e SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf \
--or -e SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf \
--or -e SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf \
--or -e SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf \
'*dsc*'

This would have listed all platforms in-tree that were going to depend
on the new dynamic PCD via inclusion of the affected SecurityPkg
modules.

Running this command now, I get the following output:

  OvmfPkg/OvmfPkgIa32.dsc
  OvmfPkg/OvmfPkgIa32X64.dsc
  OvmfPkg/OvmfPkgX64.dsc
  SecurityPkg/SecurityPkg.dsc

Open source hygiene dictates that modifications to infrastructure code
or otherwise central code be accompanied by necessary updates to *ALL*
in-tree subsystems that depend on said core code. (Out-of-tree
subsystems are a different matter.) It's OK if a single contributor
cannot test every single platform -- but we can still use the mailing
list and 
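
The defects that run through this thread (two library INFs sharing one FILE_GUID, a `Constructor` key the build tools silently ignore, a DSC pointing at INF paths that do not exist, and, as Laszlo explains above, a dynamic PCD whose consumers a platform DSC builds without giving it a Dynamic Default) are all visible in the build metadata before anything is compiled. The script below is an added example written for this page, not edk2 BaseTools code and not a tool the thread describes; it uses a deliberately small INF/DSC section parser and runs over constructed samples that reuse the GUIDs, paths and PCD name quoted in the thread. The `gEfiSecurityPkgTokenSpaceGuid` token space name, the all-zero placeholder FILE_GUID, the unrelated PCD in [PcdsDynamicDefault] and the list of canonical [Defines] keys are assumptions of the example.

```python
"""Lint edk2 INF/DSC metadata for the defects seen in this thread.
Added example, not edk2 BaseTools code.  Checks: FILE_GUIDs duplicated across
INFs or not uppercase hex; [Defines] keys differing only in case from the
canonical spelling ("Constructor" for "CONSTRUCTOR" is silently ignored); DSC
lines naming INF paths that do not exist; dynamic PCDs consumed by a module the
DSC builds but given no Dynamic Default there.  Samples below are constructed.
"""
import re
from collections import defaultdict

CANONICAL_DEFINES = {"INF_VERSION", "BASE_NAME", "FILE_GUID", "MODULE_TYPE", "VERSION_STRING",
                     "LIBRARY_CLASS", "CONSTRUCTOR", "DESTRUCTOR", "MODULE_UNI_FILE", "ENTRY_POINT"}
_UPPER_GUID = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$")
_INF_PATH = re.compile(r"[\w./-]+\.inf")


def parse_sections(text):
    """Map lower-cased section name -> its stripped, comment-free lines."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif line and current is not None:
            sections[current].append(line)
    return sections


def lint(inf_files, dsc_text, dynamic_pcds):
    """inf_files: {path: text}; dynamic_pcds: PCD names a DEC declares dynamic."""
    findings, by_guid, consumers = [], defaultdict(list), defaultdict(set)
    for path, text in inf_files.items():
        secs = parse_sections(text)
        # [Defines] key/value pairs, keys kept exactly as written
        defs = dict(map(str.strip, ln.split("=", 1))
                    for ln in secs.get("defines", []) if "=" in ln)
        for key in defs:
            if key not in CANONICAL_DEFINES and key.upper() in CANONICAL_DEFINES:
                findings.append(f"{path}: '{key}' should be '{key.upper()}'")
        guid = defs.get("FILE_GUID")
        if guid:
            by_guid[guid.upper()].append(path)
            if not _UPPER_GUID.match(guid):
                findings.append(f"{path}: FILE_GUID {guid} is not uppercase hex")
        for sec, lines in secs.items():          # [Pcd], [PcdEx], [FixedPcd], ...
            if "pcd" in sec:
                for line in lines:
                    consumers[line.split("|")[0].strip()].add(path)
    for guid, paths in sorted(by_guid.items()):
        if len(paths) > 1:
            findings.append(f"FILE_GUID {guid} shared by {', '.join(sorted(paths))}")
    built, defaulted = set(), set()
    for sec, lines in parse_sections(dsc_text).items():
        if sec.startswith(("components", "libraryclasses")):
            for line in lines:
                for inf in _INF_PATH.findall(line):
                    built.add(inf)
                    if inf not in inf_files:
                        findings.append(f"DSC [{sec}]: {inf} does not exist")
        elif sec.startswith("pcdsdynamic"):      # *Default, *ExDefault, *Hii, *Vpd
            defaulted.update(ln.split("|")[0].strip() for ln in lines)
    for pcd in sorted(dynamic_pcds):
        users = consumers.get(pcd, set()) & built
        if users and pcd not in defaulted:
            findings.append(f"DSC: no dynamic default for {pcd}, "
                            f"consumed by {', '.join(sorted(users))}")
    return findings


# Constructed samples: GUIDs, paths and the PCD name are from the thread; the
# Tpm2DeviceLibDTpm FILE_GUID and the unrelated PCD are placeholders.
SAMPLE_INFS = {
    "SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf":
        "[Defines]\n  FILE_GUID = 5810798A-ED30-4080-8DD7-B9667A748C02\n",
    "SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf":
        "[Defines]\n  FILE_GUID = 74223710-17A9-478f-9B24-E354496B968B\n",
    "SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf":
        "[Defines]\n  FILE_GUID = 5810798A-ED30-4080-8DD7-B9667A748C02\n",
    "SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf": """[Defines]
  FILE_GUID     = 00000000-0000-0000-0000-000000000000
  LIBRARY_CLASS = Tpm2DeviceLib|PEIM DXE_DRIVER
  Constructor   = Tpm2DeviceLibConstructor
[Pcd]
  gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType  ## CONSUMES
""",
}
SAMPLE_DSC = """[PcdsDynamicDefault]
  gExampleTokenSpaceGuid.PcdUnrelated|0
[LibraryClasses]
  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
[Components]
  SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
  SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha384.inf
  SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
"""
DEC_DYNAMIC_PCDS = {"gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType"}


def run_demo():
    """Lint the constructed samples; returns five findings."""
    return lint(SAMPLE_INFS, SAMPLE_DSC, DEC_DYNAMIC_PCDS)
```

`run_demo()` reports five findings on the samples: the mixed-case GUID, the `Constructor` key, the GUID shared by the SHA256 and SHA512 instances, the nonexistent DSC path, and `PcdActiveTpmInterfaceType` consumed by a built module with no Dynamic Default. On a real tree, pass `lint()` the INF texts read from disk, the platform DSC, and the PCD names listed under [PcdsDynamic, PcdsDynamicEx] in the DEC files; it handles only flat sections like those shown, not DSC `!include` directives or conditional blocks, so treat it as a pre-review sanity check rather than a replacement for building the package DSC.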

[edk2] [Patch] SecurityPkgDSC: Fix 2 DSC build error

2018-07-27 Thread Zhang, Chao B
Error is caused by SHA384/SHA512 hash lib change in.

Cc: Bi Dandan 
Contributed-under: TianoCore Contribution Agreement 1.1

Signed-off-by: Zhang, Chao B 
---
 SecurityPkg/SecurityPkg.dsc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index a705cdcf72..68a2953162 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -217,12 +217,12 @@
   #
   # TPM2
   #
   SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
   SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-  SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha384.inf
-  SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha512.inf
+  SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
+  SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
 
   SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf {
 
   
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
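Review bot: a package-level build of SecurityPkg.dsc before posting would have caught the two wrong directory components (HashInstanceLibSha1/ and HashInstanceLibSha256/ in front of the SHA384 and SHA512 INF names); the corrected paths now match the directories created in the HashLib patch, so the hunk itself is right. Worth adding the SecurityPkg.dsc build to the pre-submit checklist for SecurityPkg changes, since the earlier patch only touched the dsc without building it.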
-- 
2.16.2.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


[edk2] [Patch] SecurityPkg: HashLib: Add SHA384, SHA512 HashLib

2018-07-26 Thread Zhang, Chao B
Add SHA384 and SHA512 hash lib support. Now only CryptoPkg supports the PEI/DXE
version.

Cc: Long Qin 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
Signed-off-by: Zhang, Chao B 
---
 SecurityPkg/Include/Library/HashLib.h  |   2 +-
 .../HashInstanceLibSha384/HashInstanceLibSha384.c  | 155 +
 .../HashInstanceLibSha384.inf  |  45 ++
 .../HashInstanceLibSha384.uni  |  21 +++
 .../HashInstanceLibSha512/HashInstanceLibSha512.c  | 154 
 .../HashInstanceLibSha512.inf  |  45 ++
 .../HashInstanceLibSha512.uni  |  21 +++
 SecurityPkg/SecurityPkg.dsc|   6 +
 8 files changed, 448 insertions(+), 1 deletion(-)
 create mode 100644 
SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.c
 create mode 100644 
SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
 create mode 100644 
SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.uni
 create mode 100644 
SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.c
 create mode 100644 
SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.inf
 create mode 100644 
SecurityPkg/Library/HashInstanceLibSha512/HashInstanceLibSha512.uni

diff --git a/SecurityPkg/Include/Library/HashLib.h 
b/SecurityPkg/Include/Library/HashLib.h
index 8be8b9c59c..2b886a1b05 100644
--- a/SecurityPkg/Include/Library/HashLib.h
+++ b/SecurityPkg/Include/Library/HashLib.h
@@ -17,11 +17,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 #ifndef _HASH_LIB_H_
 #define _HASH_LIB_H_
 
 #include 
 #include 
-
+#include 
 typedef UINTN  HASH_HANDLE;
 
 /**
   Start hash sequence.
 
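Review bot: the new #include replaces the blank line that separated the include block from `typedef UINTN  HASH_HANDLE;`, so the typedef now sits directly under the last include; keep an empty line after the include block to match the layout of the rest of the header.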
diff --git a/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.c 
b/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.c
new file mode 100644
index 00..54bc687425
--- /dev/null
+++ b/SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.c
@@ -0,0 +1,155 @@
+/** @file
+  This library is BaseCrypto SHA384 hash instance.
+  It can be registered to BaseCrypto router, to serve as hash engine.
+
+Copyright (c) 2018, Intel Corporation. All rights reserved. 
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD 
License
+which accompanies this distribution.  The full text of the license may be 
found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+/**
+  The function set SHA384 to digest list.
+
+  @param DigestList   digest list
+  @param Sha384Digest SHA384 digest
+**/
+VOID
+Tpm2SetSha384ToDigestList (
+  IN TPML_DIGEST_VALUES *DigestList,
+  IN UINT8  *Sha384Digest
+  )
+{
+  DigestList->count = 1;
+  DigestList->digests[0].hashAlg = TPM_ALG_SHA384;
+  CopyMem (
+DigestList->digests[0].digest.sha384,
+Sha384Digest,
+SHA384_DIGEST_SIZE
+);
+}
+
+/**
+  Start hash sequence.
+
+  @param HashHandle Hash handle.
+
+  @retval EFI_SUCCESS  Hash sequence start and HandleHandle returned.
+  @retval EFI_OUT_OF_RESOURCES No enough resource to start hash.
+**/
+EFI_STATUS
+EFIAPI
+Sha384HashInit (
+  OUT HASH_HANDLE*HashHandle
+  )
+{
+  VOID *Sha384Ctx;
+  UINTNCtxSize;
+
+  CtxSize = Sha384GetContextSize ();
+  Sha384Ctx = AllocatePool (CtxSize);
+  ASSERT (Sha384Ctx != NULL);
+
+  Sha384Init (Sha384Ctx);
+
+  *HashHandle = (HASH_HANDLE)Sha384Ctx;
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Update hash sequence data.
+
+  @param HashHandleHash handle.
+  @param DataToHashData to be hashed.
+  @param DataToHashLen Data size.
+
+  @retval EFI_SUCCESS Hash sequence updated.
+**/
+EFI_STATUS
+EFIAPI
+Sha384HashUpdate (
+  IN HASH_HANDLEHashHandle,
+  IN VOID   *DataToHash,
+  IN UINTN  DataToHashLen
+  )
+{
+  VOID *Sha384Ctx;
+
+  Sha384Ctx = (VOID *)HashHandle;
+  Sha384Update (Sha384Ctx, DataToHash, DataToHashLen);
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Complete hash sequence complete.
+
+  @param HashHandleHash handle.
+  @param DigestListDigest list.
+
+  @retval EFI_SUCCESS Hash sequence complete and DigestList is returned.
+**/
+EFI_STATUS
+EFIAPI
+Sha384HashFinal (
+  IN HASH_HANDLE HashHandle,
+  OUT TPML_DIGEST_VALUES *DigestList
+  )
+{
+  UINT8 Digest[SHA384_DIGEST_SIZE];
+  VOID  *Sha384Ctx;
+
+  Sha384Ctx = (VOID *)HashHandle;
+  Sha384Final (Sha384Ctx, Digest);
+
+  FreePool (Sha384Ctx);
+  
+  Tpm2SetSha384ToDigestList (DigestList, Digest);
+
+  return EFI_SUCCESS;
+}
+
+HASH_INTERFACE  mSha384InternalHashInstance = {
+  HASH_ALGORITHM_SHA384_GUID,
+  Sha384HashInit,
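Review bot: Sha384HashInit() only ASSERTs on a NULL result from AllocatePool() and then passes the pointer to Sha384Init(); the doc comment promises EFI_OUT_OF_RESOURCES, so add `if (Sha384Ctx == NULL) { return EFI_OUT_OF_RESOURCES; }` so that release builds, where ASSERT compiles out, do not dereference NULL. The BOOLEAN results of Sha384Init(), Sha384Update() and Sha384Final() are discarded as well; Sha384HashFinal() in particular should free the context and return an error instead of EFI_SUCCESS with a Digest that Sha384Final() did not fill in. Minor: "HandleHandle returned" in the Sha384HashInit() @retval line should read "HashHandle returned".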

Re: [edk2] [patch 2/2] SecurityPkg/Tcg: Add use case for new Perf macro

2018-07-23 Thread Zhang, Chao B
Reviewed-by: Chao Zhang

-Original Message-
From: Bi, Dandan 
Sent: Thursday, July 19, 2018 2:44 PM
To: edk2-devel@lists.01.org
Cc: Gao, Liming ; Zhang, Chao B 
Subject: [patch 2/2] SecurityPkg/Tcg: Add use case for new Perf macro

Add an example case for the usage of
PERF_CALLBACK_BEGIN/PERF_CALLBACK_END

Cc: Liming Gao 
Cc: Chao Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi 
---
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 4 
 SecurityPkg/Tcg/TcgPei/TcgPei.c   | 5 +
 SecurityPkg/Tcg/TcgPei/TcgPei.inf | 1 +
 3 files changed, 10 insertions(+)

diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c 
b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index 74cdd1fa88..09ef0c70a5 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -159,10 +159,12 @@ EndofPeiSignalNotifyCallBack (  {
   MEASURED_HOB_DATA *MeasuredHobData;
 
   MeasuredHobData = NULL;
 
+  PERF_CALLBACK_BEGIN ();
+
   //
   // Create a Guid hob to save all measured Fv
   //
   MeasuredHobData = BuildGuidHob(
   , @@ -184,10 +186,12 @@ 
EndofPeiSignalNotifyCallBack (
 // Save measured child Fv info
 //
 CopyMem (>MeasuredFvBuf[mMeasuredBaseFvIndex] , 
mMeasuredChildFvInfo, sizeof(EFI_PLATFORM_FIRMWARE_BLOB) * 
(mMeasuredChildFvIndex));
   }
 
+  PERF_CALLBACK_END ();
+
   return EFI_SUCCESS;
 }
 
 /**
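Review bot: Tcg2Pei.c gains PERF_CALLBACK_BEGIN/END without a matching #include or INF change in this patch (the diffstat touches only Tcg2Pei.c here, while TcgPei gets both a new #include and a PerformanceLib entry in TcgPei.inf); confirm that Tcg2Pei.inf already lists PerformanceLib and that the header is already included, otherwise the build breaks. Also check the lines between the two hunks (169 to 183, not shown) for an early return, since a return there would leave PERF_CALLBACK_BEGIN without its END.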
   Make sure that the current PCR allocations, the TPM supported PCRs, diff 
--git a/SecurityPkg/Tcg/TcgPei/TcgPei.c b/SecurityPkg/Tcg/TcgPei/TcgPei.c index 
1ed11a1b29..d07047580c 100644
--- a/SecurityPkg/Tcg/TcgPei/TcgPei.c
+++ b/SecurityPkg/Tcg/TcgPei/TcgPei.c
@@ -39,10 +39,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 #include   #include 
  #include   #include 
  #include 
+#include 
 
 BOOLEAN mImageInMemory  = FALSE;
 
 EFI_PEI_PPI_DESCRIPTOR  mTpmInitializedPpiList = {
   EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
@@ -168,10 +169,12 @@ EndofPeiSignalNotifyCallBack (  {
   MEASURED_HOB_DATA *MeasuredHobData;
 
   MeasuredHobData = NULL;
 
+  PERF_CALLBACK_BEGIN ();
+
   //
   // Create a Guid hob to save all measured Fv
   //
   MeasuredHobData = BuildGuidHob(
   , @@ -193,10 +196,12 @@ 
EndofPeiSignalNotifyCallBack (
 // Save measured child Fv info
 //
 CopyMem (>MeasuredFvBuf[mMeasuredBaseFvIndex] , 
mMeasuredChildFvInfo, sizeof(EFI_PLATFORM_FIRMWARE_BLOB) * 
(mMeasuredChildFvIndex));
   }
 
+  PERF_CALLBACK_END ();
+
   return EFI_SUCCESS;
 }
 
 /**
 Single function calculates SHA1 digest value for all raw data. It diff --git 
a/SecurityPkg/Tcg/TcgPei/TcgPei.inf b/SecurityPkg/Tcg/TcgPei/TcgPei.inf
index 0252511391..4c8a055c6c 100644
--- a/SecurityPkg/Tcg/TcgPei/TcgPei.inf
+++ b/SecurityPkg/Tcg/TcgPei/TcgPei.inf
@@ -54,10 +54,11 @@
   BaseLib
   PcdLib
   MemoryAllocationLib
   ReportStatusCodeLib
   Tpm12CommandLib
+  PerformanceLib
 
 [Guids]
   gTcgEventEntryHobGuid   ## 
PRODUCES   ## HOB
   gTpmErrorHobGuid## 
SOMETIMES_PRODUCES ## HOB
   gMeasuredFvHobGuid  ## 
PRODUCES   ## HOB
--
2.14.3.windows.1



Re: [edk2] [PATCH 4/6] SecurityPkg/SecureBootConfigDxe: replace OpenFileByDevicePath() with UefiLib API

2018-07-23 Thread Zhang, Chao B
Reviewed-by: Chao Zhang

-Original Message-
From: Laszlo Ersek [mailto:ler...@redhat.com] 
Sent: Thursday, July 19, 2018 4:51 AM
To: edk2-devel-01 
Cc: Zhang, Chao B ; Yao, Jiewen ; 
Roman Bacik 
Subject: [PATCH 4/6] SecurityPkg/SecureBootConfigDxe: replace 
OpenFileByDevicePath() with UefiLib API

Replace the OpenFileByDevicePath() function with EfiOpenFileByDevicePath() from 
UefiLib, correcting the following issues:

- imprecise comments on OpenFileByDevicePath(),
- code duplication between this module and other modules,
- local variable name "EfiSimpleFileSystemProtocol" starting with "Efi"
  prefix,
- bogus "FileHandle = NULL" assignments,
- leaking "Handle1" when the device path type/subtype check or the
  realignment-motivated AllocateCopyPool() fails in the loop,
- stale SHELL_FILE_HANDLE reference in a comment.

Cc: Chao Zhang 
Cc: Jiewen Yao 
Cc: Roman Bacik 
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1008
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek 
---
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf  
  |   1 -
 
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
 | 151 +---
 2 files changed, 1 insertion(+), 151 deletions(-)

diff --git 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf 
b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 487fc8cda917..caf95ddac7d9 100644
--- 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo
+++ nfigDxe.inf
@@ -114,7 +114,6 @@ [Guids]
 [Protocols]
   gEfiHiiConfigAccessProtocolGuid   ## PRODUCES
   gEfiDevicePathProtocolGuid## PRODUCES
-  gEfiSimpleFileSystemProtocolGuid  ## SOMETIMES_CONSUMES
   gEfiBlockIoProtocolGuid   ## SOMETIMES_CONSUMES
 
 [Depex]
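Review bot: dropping gEfiSimpleFileSystemProtocolGuid from [Protocols] is consistent with deleting the local OpenFileByDevicePath(), whose body (below) is what located that protocol; since the replacement EfiOpenFileByDevicePath() lives in UefiLib, make sure [LibraryClasses] already names UefiLib (this hunk adds nothing there) and that no other file in the module still references the GUID, or the build fails at AutoGen or link time.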
diff --git 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
 
b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
index 2a26c20f394c..312a92d7461a 100644
--- 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo
+++ nfigFileExplorer.c
@@ -80,155 +80,6 @@ CleanUpPage (
 );
 }
 
-/**
-  This function will open a file or directory referenced by DevicePath.
-
-  This function opens a file with the open mode according to the file path. The
-  Attributes is valid only for EFI_FILE_MODE_CREATE.
-
-  @param[in, out]  FilePathOn input, the device path to the file.
-   On output, the remaining device path.
-  @param[out]  FileHandle  Pointer to the file handle.
-  @param[in]   OpenModeThe mode to open the file with.
-  @param[in]   Attributes  The file's file attributes.
-
-  @retval EFI_SUCCESS  The information was set.
-  @retval EFI_INVALID_PARAMETEROne of the parameters has an invalid value.
-  @retval EFI_UNSUPPORTED  Could not open the file path.
-  @retval EFI_NOT_FOUNDThe specified file could not be found on the
-   device or the file system could not be 
found on
-   the device.
-  @retval EFI_NO_MEDIA The device has no medium.
-  @retval EFI_MEDIA_CHANGEDThe device has a different medium in it or 
the
-   medium is no longer supported.
-  @retval EFI_DEVICE_ERROR The device reported an error.
-  @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted.
-  @retval EFI_WRITE_PROTECTED  The file or medium is write protected.
-  @retval EFI_ACCESS_DENIEDThe file was opened read only.
-  @retval EFI_OUT_OF_RESOURCES Not enough resources were available to open 
the
-   file.
-  @retval EFI_VOLUME_FULL  The volume is full.
-**/
-EFI_STATUS
-EFIAPI
-OpenFileByDevicePath(
-  IN OUT EFI_DEVICE_PATH_PROTOCOL **FilePath,
-  OUT EFI_FILE_HANDLE *FileHandle,
-  IN UINT64   OpenMode,
-  IN UINT64   Attributes
-  )
-{
-  EFI_STATUS  Status;
-  EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *EfiSimpleFileSystemProtocol;
-  EFI_FILE_PROTOCOL   *Handle1;
-  EFI_FILE_PROTOCOL   *Handle2;
-  EFI_HANDLE  DeviceHandle;
-  CHAR16  *PathName;
-  UINTN   PathLength;
-
-  if ((FilePath == NULL || FileHandle == NULL)) {
-return EFI_INVALID_PARAMETER;
-  }
-
-  Status = gBS->LocateDevicePath (
-  ,
-  FilePath,
-  
-  
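Review bot: the visible part of this hunk only deletes the local OpenFileByDevicePath(); the caller's switch to EfiOpenFileByDevicePath() is past the cut-off, and the thing to verify there is that the two functions agree on the FilePath in/out contract (the local version documented "On output, the remaining device path") and on OpenMode/Attributes handling, because a caller that still inspects *FilePath after the call would otherwise see different behaviour. The commit message would also benefit from one sentence separating behaviour changes (the Handle1 leak on AllocateCopyPool() failure) from pure cleanups (naming, comments).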

[edk2] [Patch 2/2] MdeModulePkg: TpmMeasureLib: Re-prioritize TCG/TCG2 protocol

2018-07-20 Thread Zhang, Chao B
TPM 1.2 is obsoleted by TPM 2.0. Switch the TCG/TCG2 protocol check to follow this
trend.

Cc: Long, Qin 
Cc: Yao, Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B 
---
 .../DxeTpmMeasurementLib/DxeTpmMeasurementLib.c| 23 +++---
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c 
b/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c
index 8c56a713d8..3aa034851d 100644
--- a/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c
+++ b/SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.c
@@ -182,25 +182,26 @@ TpmMeasureAndLogData (
   )
 {
   EFI_STATUS  Status;
 
   //
-  // Try to measure using Tpm1.2 protocol
+  // Try to measure using Tpm20 protocol
   //
-  Status = Tpm12MeasureAndLogData(
-   PcrIndex,
-   EventType,
-   EventLog,
-   LogLen,
-   HashData,
-   HashDataLen
-   );
+  Status = Tpm20MeasureAndLogData(
+ PcrIndex,
+ EventType,
+ EventLog,
+ LogLen,
+ HashData,
+ HashDataLen
+ );
+
   if (EFI_ERROR (Status)) {
 //
-// Try to measure using Tpm20 protocol
+// Try to measure using Tpm1.2 protocol
 //
-Status = Tpm20MeasureAndLogData(
+Status = Tpm12MeasureAndLogData(
PcrIndex,
EventType,
EventLog,
LogLen,
HashData,
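Review bot: after the swap, any EFI_ERROR from Tpm20MeasureAndLogData() triggers a TPM 1.2 attempt, including the case where the TCG2 protocol is present but the measurement itself fails, not only the case where the protocol is absent; if Tpm20MeasureAndLogData() signals a missing protocol with a distinct status (EFI_NOT_FOUND, say), consider falling back only on that status so a genuine TPM 2.0 failure is not masked by a second, unrelated attempt. Note also that when both paths fail the caller now receives the TPM 1.2 error rather than the TPM 2.0 one, which changes what ends up in the debug log.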
-- 
2.16.2.windows.1



[edk2] [Patch 0/2] Re-prioritize TCG/TCG2 protocol

2018-07-20 Thread Zhang, Chao B
Re-prioritize TCG/TCG2 protocol

Zhang, Chao B (2):
  MdeModulePkg: Variable: Re-prioritize TCG/TCG2 protocol
  MdeModulePkg: TpmMeasureLib: Re-prioritize TCG/TCG2 protocol

 .../Universal/Variable/RuntimeDxe/TcgMorLockSmm.c  | 10 +-
 .../DxeTpmMeasurementLib/DxeTpmMeasurementLib.c| 23 +++---
 2 files changed, 17 insertions(+), 16 deletions(-)

-- 
2.16.2.windows.1



[edk2] [Patch 1/2] MdeModulePkg: Variable: Re-prioritize TCG/TCG2 protocol

2018-07-20 Thread Zhang, Chao B
TPM 1.2 is obsoleted by TPM 2.0. Switch the TCG/TCG2 protocol check to follow this
trend.

Cc: Long, Qin 
Cc: Yao, Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B 
---
 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
index c26616ecfe..28aa2893c6 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
@@ -2,11 +2,11 @@
   TCG MOR (Memory Overwrite Request) Lock Control support (SMM version).
 
   This module initilizes MemoryOverwriteRequestControlLock variable.
   This module adds Variable Hook and check MemoryOverwriteRequestControlLock.
 
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -457,18 +457,18 @@ MorLockInitAtEndOfDxe (
 // does not produce it. Whether this is the case (from the last OS boot)
 // can be deduced from the absence of the TCG / TCG2 protocols, as edk2's
 // MOR implementation depends on (one of) those protocols.
 //
 TcgStatus = gBS->LocateProtocol (
-   ,
-   NULL, // Registration
+   ,
+   NULL, // Registration

);
 if (EFI_ERROR (TcgStatus)) {
   TcgStatus = gBS->LocateProtocol (
- ,
- NULL,  // Registration
+ ,
+ NULL,   // Registration
  
  );
 }
 
 if (!EFI_ERROR (TcgStatus)) {
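Review bot: the swap only reorders two LocateProtocol() probes whose results feed the same `if (!EFI_ERROR (TcgStatus))` test, so whether the MOR lock variable gets initialized is unchanged, and the context comment above ("absence of the TCG / TCG2 protocols") reads correctly in either order. Two nits: the `// Registration` comment on the second call is now aligned one column differently from the first, and since the only other change in the patch is the copyright year, a one-line body saying this is a no-behaviour-change reorder would save reviewers a second look.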
-- 
2.16.2.windows.1



[edk2] [Patch] SecurityPkg: TcgSmm: Handle invalid parameter in MOR SMI handler

2018-07-19 Thread Zhang, Chao B
Add more logic to filter invalid function parameters in the MOR Control SMI handler

Cc: Long Qin 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
Signed-off-by: Zhang, Chao B 
---
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 4 
 SecurityPkg/Tcg/TcgSmm/TcgSmm.c   | 4 
 2 files changed, 8 insertions(+)

diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c 
b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
index 21b1014a3b..4a1a293bfc 100644
--- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
+++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
@@ -151,10 +151,14 @@ MemoryClearCallback (
 
 if (MOR_CLEAR_MEMORY_VALUE (MorControl) == 0x0) {
   return EFI_SUCCESS;
 }
 MorControl &= ~MOR_CLEAR_MEMORY_BIT_MASK;
+  } else {
+mTcgNvs->MemoryClear.ReturnCode = MOR_REQUEST_GENERAL_FAILURE;
+DEBUG ((EFI_D_ERROR, "[TPM] MOR Parameter error! Parameter = %x\n", 
mTcgNvs->MemoryClear.Parameter));
+return EFI_SUCCESS;
   }
 
   DataSize = sizeof (UINT8);
   Status = mSmmVariable->SmmSetVariable (
MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
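Review bot: the new else branch is the right place to reject an unexpected MemoryClear.Parameter, since mTcgNvs lives in ACPI NVS that the OS writes before raising the SMI and must be treated as untrusted input; two follow-ups: use DEBUG_ERROR rather than the legacy EFI_D_ERROR alias, and consider setting ReturnCode on the earlier `MOR_CLEAR_MEMORY_VALUE (MorControl) == 0x0` return as well, so the OS side can tell "nothing to do" from "rejected". Returning EFI_SUCCESS after recording the failure is correct here, as the handler's status is only seen by the SMM core.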
diff --git a/SecurityPkg/Tcg/TcgSmm/TcgSmm.c b/SecurityPkg/Tcg/TcgSmm/TcgSmm.c
index 0b8a002a4d..d3ddae6886 100644
--- a/SecurityPkg/Tcg/TcgSmm/TcgSmm.c
+++ b/SecurityPkg/Tcg/TcgSmm/TcgSmm.c
@@ -269,10 +269,14 @@ MemoryClearCallback (
 
 if (MOR_CLEAR_MEMORY_VALUE (MorControl) == 0x0) {
   return EFI_SUCCESS;
 }
 MorControl &= ~MOR_CLEAR_MEMORY_BIT_MASK;
+  } else {
+mTcgNvs->MemoryClear.ReturnCode = MOR_REQUEST_GENERAL_FAILURE;
+DEBUG ((EFI_D_ERROR, "[TPM] MOR Parameter error! Parameter = %x\n", 
mTcgNvs->MemoryClear.Parameter));
+return EFI_SUCCESS;
   }
 
   DataSize = sizeof (UINT8);
   Status = mSmmVariable->SmmSetVariable (
MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
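Review bot: this hunk duplicates the Tcg2Smm.c change line for line; prefer DEBUG_ERROR to the legacy EFI_D_ERROR alias, and since both MemoryClearCallback() bodies must now be patched in lock-step, a shared MOR parameter-validation helper would keep the TPM 1.2 and TPM 2.0 handlers from drifting apart on the next fix.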
-- 
2.16.2.windows.1



Re: [edk2] [PATCH v2] SecurityPkg: Fix assert when setting key from eMMC/SD/USB

2018-07-16 Thread Zhang, Chao B
Hi Bacik:
   Thanks for the fix. Would you please file another report in Bugzilla for the 
RamDisk and Tls Configuration drivers? They have the same issue as the SecureBootConfig 
driver.

-Original Message-
From: rba...@gmail.com [mailto:rba...@gmail.com] 
Sent: Wednesday, July 11, 2018 6:51 AM
To: edk2-devel@lists.01.org
Cc: Zhang, Chao B ; Yao, Jiewen ; 
Laszlo Ersek ; Vladimir Olovyannikov 

Subject: [PATCH v2] SecurityPkg: Fix assert when setting key from eMMC/SD/USB

From: Roman Bacik 

When secure boot is enabled, if one loads keys from a FAT-formatted eMMC/SD/USB 
when trying to provision PK/KEK/DB keys via the menu, an assert in StrLen() 
occurs.
This is because the filename starts on an odd address, which is not a uint16 
aligned boundary: https://bugzilla.tianocore.org/show_bug.cgi?id=1003

Cc: Chao Zhang 
Cc: Jiewen Yao 
Cc: Laszlo Ersek 
Cc: Vladimir Olovyannikov 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Roman Bacik 
---
 
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
 | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
 
b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
index 1b6f88804275..19b13a5569a6 100644
--- 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo
+++ nfigFileExplorer.c
@@ -123,6 +123,8 @@ OpenFileByDevicePath(
   EFI_FILE_PROTOCOL   *Handle1;
   EFI_FILE_PROTOCOL   *Handle2;
   EFI_HANDLE  DeviceHandle;
+  CHAR16  *PathName;
+  UINTN   PathLength;
 
   if ((FilePath == NULL || FileHandle == NULL)) {
 return EFI_INVALID_PARAMETER;
@@ -173,6 +175,11 @@ OpenFileByDevicePath(
 //
 Handle2  = Handle1;
 Handle1 = NULL;
+PathLength = DevicePathNodeLength(*FilePath) - 
sizeof(EFI_DEVICE_PATH_PROTOCOL);
+PathName = AllocateCopyPool(PathLength, 
((FILEPATH_DEVICE_PATH*)*FilePath)->PathName);
+if (PathName == NULL) {
+  return EFI_OUT_OF_RESOURCES;
+}
 
 //
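Review bot: if AllocateCopyPool() fails, `return EFI_OUT_OF_RESOURCES` runs after `Handle2 = Handle1; Handle1 = NULL;`, so the open Handle2 is leaked; close it before returning. PathLength is DevicePathNodeLength() minus the header and the copy is later handed to Open() as a CHAR16 string, so also check that PathLength is non-zero and even and that the last CHAR16 of the copy is 0; a node without a terminator otherwise lets the string scan run past the allocation. The copy itself does fix the reported assert, since AllocateCopyPool() returns a naturally aligned buffer, which is what StrLen() requires.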
 // Try to test opening an existing file @@ -180,7 +187,7 @@ 
OpenFileByDevicePath(
 Status = Handle2->Open (
   Handle2,
   ,
-  ((FILEPATH_DEVICE_PATH*)*FilePath)->PathName,
+  PathName,
   OpenMode &~EFI_FILE_MODE_CREATE,
   0
  );
@@ -192,7 +199,7 @@ OpenFileByDevicePath(
   Status = Handle2->Open (
 Handle2,
 ,
-((FILEPATH_DEVICE_PATH*)*FilePath)->PathName,
+PathName,
 OpenMode,
 Attributes
);
@@ -202,6 +209,8 @@ OpenFileByDevicePath(
 //
 Handle2->Close (Handle2);
 
+FreePool (PathName);
+
 if (EFI_ERROR(Status)) {
   return (Status);
 }
--
2.17.1

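The alignment failure described in the message above, as an added example that is not part of the edk2 tree or of this patch: a packed stand-in for the file-path device-path node (the DP_HEADER layout, the DP_* names, the 5-byte leading node and the sample path are constructed assumptions; only the media/file-path type values follow UEFI) is laid out so that PathName starts at an odd byte offset, and CopyFilePathName() shows the copy-to-aligned-buffer step from the patch together with the length and terminator checks a caller should add before handing the string to StrLen()-style code, which in edk2 asserts on an odd address.

```c
/* Added example (not edk2 code): extracting a CHAR16 PathName from a packed
 * file-path device-path node whose string starts at an odd byte offset.
 * Type/subtype values match the UEFI media/file-path node; everything else
 * (struct names, sample path, leading node) is a constructed assumption. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t CHAR16;

#pragma pack(push, 1)
typedef struct {
  uint8_t  Type;      /* 0x04 = media device path              */
  uint8_t  SubType;   /* 0x04 = file path                      */
  uint16_t Length;    /* node length in bytes, header included */
} DP_HEADER;          /* 4 bytes, no padding: PathName follows directly */
#pragma pack(pop)

#define DP_MEDIA_TYPE   0x04
#define DP_FILE_SUBTYPE 0x04
#define HEADER_LEN      (sizeof (DP_HEADER))

/* Copy the node's PathName into a freshly malloc'ed, naturally aligned CHAR16
 * buffer. Every access to the raw node goes through memcpy, so an odd Node
 * address never produces a misaligned 16-bit load. Returns NULL for a node
 * that is truncated, of the wrong type, odd-sized, or not NUL-terminated. */
CHAR16 *CopyFilePathName (const uint8_t *Node, size_t Avail, size_t *OutChars)
{
  DP_HEADER Hdr;
  if (Node == NULL || OutChars == NULL || Avail < HEADER_LEN) return NULL;
  memcpy (&Hdr, Node, HEADER_LEN);
  if (Hdr.Type != DP_MEDIA_TYPE || Hdr.SubType != DP_FILE_SUBTYPE) return NULL;
  if (Hdr.Length < HEADER_LEN + sizeof (CHAR16) || Hdr.Length > Avail) return NULL;
  size_t PathLen = Hdr.Length - HEADER_LEN;          /* same arithmetic as the patch */
  if (PathLen % sizeof (CHAR16) != 0) return NULL;   /* a CHAR16 string has even size */
  size_t Chars = PathLen / sizeof (CHAR16);
  CHAR16 *Path = malloc (PathLen);
  if (Path == NULL) return NULL;
  memcpy (Path, Node + HEADER_LEN, PathLen);
  if (Path[Chars - 1] != 0) { free (Path); return NULL; }  /* terminator inside node */
  *OutChars = Chars - 1;
  return Path;
}

static const char *SAMPLE_PATH = "\\EFI\\keys\\db.cer";   /* constructed sample */

/* Lay out [5-byte hypothetical node][file-path node][end node] in Buf so the
 * file-path node begins at offset 5 and its PathName at offset 9, both odd.
 * Returns the file-path node offset, or 0 if Buf is too small. */
size_t BuildSample (uint8_t *Buf, size_t Cap)
{
  size_t n = strlen (SAMPLE_PATH);
  size_t FileNodeLen = HEADER_LEN + (n + 1) * sizeof (CHAR16);
  size_t Off = 5;
  if (Cap < Off + FileNodeLen + HEADER_LEN) return 0;
  memset (Buf, 0, Cap);
  Buf[0] = 0x01; Buf[1] = 0x01; Buf[2] = 5; Buf[3] = 0; Buf[4] = 0xAA;  /* odd-length node */
  DP_HEADER Hdr = { DP_MEDIA_TYPE, DP_FILE_SUBTYPE, (uint16_t) FileNodeLen };
  memcpy (Buf + Off, &Hdr, HEADER_LEN);
  for (size_t i = 0; i <= n; i++) {                 /* ASCII -> UCS-2, terminator included */
    CHAR16 c = (CHAR16) (unsigned char) SAMPLE_PATH[i];
    memcpy (Buf + Off + HEADER_LEN + i * sizeof (CHAR16), &c, sizeof c);
  }
  DP_HEADER End = { 0x7F, 0xFF, (uint16_t) HEADER_LEN };
  memcpy (Buf + Off + FileNodeLen, &End, HEADER_LEN);
  return Off;
}

/* Byte offset of the sample's PathName; odd, which is the whole problem. */
size_t SamplePathNameOffset (void)
{
  uint8_t Buf[128];
  size_t Off = BuildSample (Buf, sizeof Buf);
  return Off == 0 ? 0 : Off + HEADER_LEN;
}

/* Number of characters recovered from the sample, or -1 on rejection. */
long ExtractSamplePathChars (void)
{
  uint8_t Buf[128];
  size_t Off = BuildSample (Buf, sizeof Buf), Chars = 0;
  if (Off == 0) return -1;
  CHAR16 *Path = CopyFilePathName (Buf + Off, sizeof Buf - Off, &Chars);
  if (Path == NULL) return -1;
  free (Path);
  return (long) Chars;
}

/* Same node with its terminating CHAR16 overwritten: must be rejected rather
 * than letting a StrLen()-style scan run into the next node. */
int RejectsUnterminatedPath (void)
{
  uint8_t Buf[128];
  size_t Off = BuildSample (Buf, sizeof Buf), Chars = 0;
  CHAR16 x = 'x';
  memcpy (Buf + Off + HEADER_LEN + strlen (SAMPLE_PATH) * sizeof (CHAR16), &x, sizeof x);
  return CopyFilePathName (Buf + Off, sizeof Buf - Off, &Chars) == NULL;
}

int main (void)
{
  printf ("PathName offset %zu, %ld chars, unterminated rejected: %d\n",
          SamplePathNameOffset (), ExtractSamplePathChars (), RejectsUnterminatedPath ());
  return 0;
}
```

The memcpy-based header read matters as much as the aligned copy: reading `Hdr.Length` through a `DP_HEADER *` cast of an odd address would itself be a misaligned access on architectures that fault on it, which is the same class of bug the patch fixes for the string.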


[edk2] [Patch] SecurityPkg:Tcg: Fix comment typos

2018-07-16 Thread Zhang, Chao B
"Triggle" is a typo. Fix it with "Trigger"

Cc: Long Qin 
Cc: Jiewen Yao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
Signed-off-by: Zhang, Chao B 
---
 SecurityPkg/Tcg/Tcg2Smm/Tpm.asl | 16 
 SecurityPkg/Tcg/TcgSmm/Tpm.asl  | 16 
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tpm.asl b/SecurityPkg/Tcg/Tcg2Smm/Tpm.asl
index 50dea0ab9a..471b6b1fa1 100644
--- a/SecurityPkg/Tcg/Tcg2Smm/Tpm.asl
+++ b/SecurityPkg/Tcg/Tcg2Smm/Tpm.asl
@@ -257,16 +257,16 @@ DefinitionBlock (
   // Bit4 -- DisableAutoDetect. 0 -- Firmware MAY autodetect.
   //
   If (LNot (And (MORD, 0x10)))
   {
 //
-// Triggle the SMI through ACPI _PTS method.
+// Trigger the SMI through ACPI _PTS method.
 //
 Store (0x02, MCIP)
 
 //
-// Triggle the SMI interrupt
+// Trigger the SMI interrupt
 //
 Store (MCIN, IOB2)
   }
 }
 Return (0)
@@ -363,11 +363,11 @@ DefinitionBlock (
 Store (DerefOf (Index (Arg2, 0x00)), PPRQ)
 Store (0, PPRM)
 Store (0x02, PPIP)
 
 //
-// Triggle the SMI interrupt
+// Trigger the SMI interrupt
 //
 Store (PPIN, IOB2)
 Return (FRET)
 
 
@@ -394,11 +394,11 @@ DefinitionBlock (
 // e) Return TPM Operation Response to OS Environment
 //
 Store (0x05, PPIP)
 
 //
-// Triggle the SMI interrupt
+// Trigger the SMI interrupt
 //
 Store (PPIN, IOB2)
 
 Store (LPPR, Index (TPM3, 0x01))
 Store (PPRP, Index (TPM3, 0x02))
@@ -426,11 +426,11 @@ DefinitionBlock (
 If (LEqual (PPRQ, 23)) {
   Store (DerefOf (Index (Arg2, 0x01)), PPRM)
 }
 
 //
-// Triggle the SMI interrupt
+// Trigger the SMI interrupt
 //
 Store (PPIN, IOB2)
 Return (FRET)
   }
   Case (8)
@@ -440,11 +440,11 @@ DefinitionBlock (
 //
 Store (8, PPIP)
 Store (DerefOf (Index (Arg2, 0x00)), UCRQ)
 
 //
-// Triggle the SMI interrupt
+// Trigger the SMI interrupt
 //
 Store (PPIN, IOB2)
 
 Return (FRET)
   }
@@ -474,16 +474,16 @@ DefinitionBlock (
 // Save the Operation Value of the Request to MORD (reserved 
memory)
 //
 Store (DerefOf (Index (Arg2, 0x00)), MORD)
 
 //
-// Triggle the SMI through ACPI _DSM method.
+// Trigger the SMI through ACPI _DSM method.
 //
 Store (0x01, MCIP)
 
 //
-// Triggle the SMI interrupt
+// Trigger the SMI interrupt
 //
 Store (MCIN, IOB2)
 Return (MRET)
   }
   Default {BreakPoint}
diff --git a/SecurityPkg/Tcg/TcgSmm/Tpm.asl b/SecurityPkg/Tcg/TcgSmm/Tpm.asl
index 12f24f3996..2114283b45 100644
--- a/SecurityPkg/Tcg/TcgSmm/Tpm.asl
+++ b/SecurityPkg/Tcg/TcgSmm/Tpm.asl
@@ -93,16 +93,16 @@ DefinitionBlock (
   // Bit4 -- DisableAutoDetect. 0 -- Firmware MAY autodetect.
   //
   If (LNot (And (MORD, 0x10)))
   {
 //
-// Triggle the SMI through ACPI _PTS method.
+// Trigger the SMI through ACPI _PTS method.
 //
 Store (0x02, MCIP)
 
 //
-// Triggle the SMI interrupt
+// Trigger the SMI interrupt
 //
 Store (MCIN, IOB2)
   }
 }
 Return (0)
@@ -198,11 +198,11 @@ DefinitionBlock (
 
 Store (DerefOf (Index (Arg2, 0x00)), PPRQ)
 Store (0x02, PPIP)
 
 //
-// Triggle the SMI interrupt
+// Trigger the SMI interrupt
 //
 Store (PPIN, IOB2)
 Return (FRET)
 
 
@@ -229,11 +229,11 @@ DefinitionBlock (
 // e) Return TPM Operation Response to OS Environment
 //
 Store (0x05, PPIP)
 
 //
-// Triggle the SMI interrupt
+// Trigger the SMI interrupt
 //
 Store (PPIN, IOB2)
 
 Store (LPPR, Index (TPM3, 0x01))
 Store (PPRP, Index (TPM3, 0x02))
@@ -257,11 +257,11 @@ DefinitionBlock (
 //
 Store (7, PPIP)
 Store (DerefOf (Index (Arg2, 0x00)), PPRQ)
 
 //
-// Triggle the SMI interrupt
+// Trigger the SMI interrupt
 //
 Store (PPIN, IOB2)
 Return (FRET)
   }
   Case (8)
@@ -271,11 +271,1

Re: [edk2] [patch V2 8/9] SecurityPkg: Use new added Perf macros

2018-07-03 Thread Zhang, Chao B
Hi Dandan:
   That patch is good to me. Reviewed-by: Chao Zhang 
-Original Message-
From: Bi, Dandan 
Sent: Friday, June 22, 2018 4:56 PM
To: edk2-devel@lists.01.org
Cc: Gao, Liming ; Zhang, Chao B 
Subject: [patch V2 8/9] SecurityPkg: Use new added Perf macros

Replace old Perf macros with the new added ones.

Cc: Liming Gao 
Cc: Chao Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi 
---
 .../DxeRsa2048Sha256GuidedSectionExtractLib.c| 16 
 .../PeiRsa2048Sha256GuidedSectionExtractLib.c| 16 
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git 
a/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/DxeRsa2048Sha256GuidedSectionExtractLib.c
 
b/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/DxeRsa2048Sha256GuidedSectionExtractLib.c
index 39768fbac22..d6f4207a506 100644
--- 
a/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/DxeRsa2048Sha256GuidedSectionExtractLib.c
+++ b/SecurityPkg/Library/DxeRsa2048Sha256GuidedSectionExtractLib/DxeRsa
+++ 2048Sha256GuidedSectionExtractLib.c
@@ -161,13 +161,13 @@ Rsa2048Sha256GuidedSectionHandler (
 // Get the RSA 2048 SHA 256 information.
 //
 CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION2_HEADER *) 
InputSection)->CertBlockRsa2048Sha256;
 OutputBufferSize   = SECTION2_SIZE (InputSection) - sizeof 
(RSA_2048_SHA_256_SECTION2_HEADER);
 if EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & 
EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {
-  PERF_START (NULL, "RsaCopy", "DXE", 0);
+  PERF_INMODULE_BEGIN ("DxeRsaCopy");
   CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof 
(RSA_2048_SHA_256_SECTION2_HEADER), OutputBufferSize);
-  PERF_END (NULL, "RsaCopy", "DXE", 0);
+  PERF_INMODULE_END ("DxeRsaCopy");
 } else {
   *OutputBuffer = (UINT8 *)InputSection + sizeof 
(RSA_2048_SHA_256_SECTION2_HEADER);
 }
 
 //
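Review bot: PERF_INMODULE_BEGIN/END take only a string token, so the explicit "DXE" module tag of the old PERF_START/PERF_END calls is now derived from the calling module; the "Dxe" prefix baked into "DxeRsaCopy" is what keeps the DXE and PEI extract libraries' records distinguishable when both run, and that intent is worth one line in the commit message. Also double-check in each pair that the END token is spelled identically to the BEGIN one (it is here), since a mismatch yields an unmatched record rather than a build error.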
@@ -189,13 +189,13 @@ Rsa2048Sha256GuidedSectionHandler (
 // Get the RSA 2048 SHA 256 information.
 //
 CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION_HEADER 
*)InputSection)->CertBlockRsa2048Sha256;
 OutputBufferSize   = SECTION_SIZE (InputSection) - sizeof 
(RSA_2048_SHA_256_SECTION_HEADER);
 if EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & 
EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {
-  PERF_START (NULL, "RsaCopy", "DXE", 0);
+  PERF_INMODULE_BEGIN ("DxeRsaCopy");
   CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof 
(RSA_2048_SHA_256_SECTION_HEADER), OutputBufferSize);
-  PERF_END (NULL, "RsaCopy", "DXE", 0);
+  PERF_INMODULE_END ("DxeRsaCopy");
 } else {
   *OutputBuffer = (UINT8 *)InputSection + sizeof 
(RSA_2048_SHA_256_SECTION_HEADER);
 }
 
 //
@@ -325,13 +325,13 @@ Rsa2048Sha256GuidedSectionHandler (
   if (!CryptoStatus) {
 DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Init() failed\n"));
 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
 goto Done;
   }
-  PERF_START (NULL, "RsaShaData", "DXE", 0);
+  PERF_INMODULE_BEGIN ("DxeRsaShaData");
   CryptoStatus = Sha256Update (HashContext, *OutputBuffer, OutputBufferSize);
-  PERF_END (NULL, "RsaShaData", "DXE", 0);
+  PERF_INMODULE_END ("DxeRsaShaData");
   if (!CryptoStatus) {
 DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Update() failed\n"));
 *AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
 goto Done;
   }
@@ -343,19 +343,19 @@ Rsa2048Sha256GuidedSectionHandler (
   }
 
   //
   // Verify the RSA 2048 SHA 256 signature.
   //
-  PERF_START (NULL, "RsaVerify", "DXE", 0);
+  PERF_INMODULE_BEGIN ("DxeRsaVerify");
   CryptoStatus = RsaPkcs1Verify (
Rsa, 
Digest, 
SHA256_DIGEST_SIZE, 
CertBlockRsa2048Sha256->Signature, 
sizeof (CertBlockRsa2048Sha256->Signature)
);
-  PERF_END (NULL, "RsaVerify", "DXE", 0);
+  PERF_INMODULE_END ("DxeRsaVerify");
   if (!CryptoStatus) {
 //
 // If RSA 2048 SHA 256 signature verification fails, AUTH tested failed 
bit is set.
 //
 DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaPkcs1Verify() failed\n")); diff 
--git 
a/SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.c
 
b/SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.c
index ba1c700ad03..2272308ddca 100644
--- 
a/SecurityPkg/Library/PeiRsa2048Sha256GuidedSectionExtractLib/PeiRsa2048Sha256GuidedSectionExtractLib.c
+++ b/SecurityPkg/Library/Pe

Re: [edk2] [Patch 2/2] SecurityPkg: Tpm2DeviceLib: Enable CapCRBIdleBypass support

2018-07-03 Thread Zhang, Chao B
Hi Gary:
   It is caused by a code merge. Thanks for the notification. We have fixed it.

From: Gary Lin [mailto:g...@suse.com]
Sent: Wednesday, June 27, 2018 4:19 PM
To: Zhang, Chao B 
Cc: edk2-devel@lists.01.org; Yao, Jiewen ; Long, Qin 

Subject: Re: [edk2] [Patch 2/2] SecurityPkg: Tpm2DeviceLib: Enable 
CapCRBIdleBypass support

On Mon, Jun 25, 2018 at 12:44:21PM +0800, Zhang, Chao B wrote:
> Directly transition from CMD completion to CMD Ready state if device
> supports IdleByPass
>
> Cc: Long Qin mailto:qin.l...@intel.com>>
> Cc: Yao Jiewen mailto:jiewen@intel.com>>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang 
> mailto:chao.b.zh...@intel.com>>
> Signed-off-by: Zhang, Chao B 
> mailto:chao.b.zh...@intel.com>>
> ---
>  .../Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c  | 19 +
>  .../Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf|  1 +
>  .../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c| 19 +
>  .../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf  |  3 +-
>  SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c| 98 
> +++---
>  SecurityPkg/SecurityPkg.dec| 10 +++
>  SecurityPkg/SecurityPkg.uni| 10 ++-
>  7 files changed, 146 insertions(+), 14 deletions(-)
>
> diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c 
> b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
> index 3feb64df7e..e6fe563b40 100644
> --- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
> +++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
> @@ -29,10 +29,22 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
> EXPRESS OR IMPLIED.
>  TPM2_PTP_INTERFACE_TYPE
>  Tpm2GetPtpInterface (
>IN VOID *Register
>);
>
> +/**
> +  Return PTP CRB interface IdleByPass state.
> +
> +  @param[in] RegisterPointer to PTP register.
> +
> +  @return PTP CRB interface IdleByPass state.
> +**/
> +UINT8
> +Tpm2GetIdleByPass (
> +  IN VOID *Register
> +  );
> +
>  /**
>This service enables the sending of commands to the TPM2.
>
>@param[in]  InputParameterBlockSize  Size of the TPM2 input parameter 
> block.
>@param[in]  InputParameterBlock  Pointer to the TPM2 input 
> parameter block.
> @@ -138,15 +150,22 @@ EFIAPI
>  Tpm2DeviceLibConstructor (
>VOID
>)
>  {
>TPM2_PTP_INTERFACE_TYPE  PtpInterface;
> +  UINT8IdleByPass;
>
>//
>// Cache current active TpmInterfaceType only when needed
>//
>if (PcdGet8(PcdActiveTpmInterfaceType) == 0xFF) {
>  PtpInterface = Tpm2GetPtpInterface ((VOID *) (UINTN) PcdGet64 
> (PcdTpmBaseAddress));
>  PcdSet8S(PcdActiveTpmInterfaceType, PtpInterface);
>}
> +
> +  if (PcdGet8(PcdActiveTpmInterfaceType) == PtpInterfaceCrb && 
> PcdGet8(PcdCRBIdleByPass) == 0xFF) {
I got a build error with PtpInterfaceCrb:

SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c: In function 
‘Tpm2DeviceLibConstructor’:
SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c:165:45: error: 
‘PtpInterfaceCrb’ undeclared (first use in this function); did you mean 
‘PtpInterface’?
   if (PcdGet8(PcdActiveTpmInterfaceType) == PtpInterfaceCrb && 
PcdGet8(PcdCRBIdleByPass) == 0xFF) {
 ^~~
 PtpInterface

I assume you mean Tpm2PtpInterfaceCrb?

Cheers,

Gary Lin

> +IdleByPass = Tpm2GetIdleByPass((VOID *) (UINTN) PcdGet64 
> (PcdTpmBaseAddress));
> +PcdSet8S(PcdCRBIdleByPass, IdleByPass);
> +  }
> +
>return EFI_SUCCESS;
>  }
> diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf 
> b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
> index 634bbae847..2e54a78cc0 100644
> --- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
> +++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
> @@ -53,5 +53,6 @@
>PcdLib
>
>  [Pcd]
>gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress## CONSUMES
>gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType## PRODUCES
> +  gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
> \ No newline at end of file
> diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c 
> b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
> index 01f78bf0be..edcdb72a79 100644
> --- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
> +++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
> @@ -32,10 +32,22 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
> EXPRESS O

Re: [edk2] [Patch] SecurityPkg Tpm2DeviceLibDTpm: Update enum type name to match the one in lib

2018-06-27 Thread Zhang, Chao B
Hi Liming:
  Thanks for catching this. Reviewed-by: Chao Zhang 

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Liming 
Gao
Sent: Wednesday, June 27, 2018 10:49 PM
To: edk2-devel@lists.01.org
Subject: [edk2] [Patch] SecurityPkg Tpm2DeviceLibDTpm: Update enum type name to 
match the one in lib

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao 
---
 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c   | 2 +-
 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
index 29b7d8e..815a149 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
@@ -162,7 +162,7 @@ Tpm2DeviceLibConstructor (
 PcdSet8S(PcdActiveTpmInterfaceType, PtpInterface);
   }
 
-  if (PcdGet8(PcdActiveTpmInterfaceType) == PtpInterfaceCrb && 
PcdGet8(PcdCRBIdleByPass) == 0xFF) {
+  if (PcdGet8(PcdActiveTpmInterfaceType) == Tpm2PtpInterfaceCrb && 
PcdGet8(PcdCRBIdleByPass) == 0xFF) {
 IdleByPass = Tpm2GetIdleByPass((VOID *) (UINTN) PcdGet64 
(PcdTpmBaseAddress));
 PcdSet8S(PcdCRBIdleByPass, IdleByPass);
   }
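Review bot: this is the right fix for the identifier, but the commit message should say what it fixes: the build break Gary Lin reported against the CapCRBIdleBypass patch (PtpInterfaceCrb was never declared; the enum in Tpm2DeviceLib.h names it Tpm2PtpInterfaceCrb). A one-line body and a Reported-by: Gary Lin trailer would let someone bisecting this understand why both constructors changed.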
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
index 9301e68..9bcf7a8 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
@@ -125,7 +125,7 @@ Tpm2InstanceLibDTpmConstructor (
 PcdSet8S(PcdActiveTpmInterfaceType, PtpInterface);
   }
 
-  if (PcdGet8(PcdActiveTpmInterfaceType) == PtpInterfaceCrb && 
PcdGet8(PcdCRBIdleByPass) == 0xFF) {
+  if (PcdGet8(PcdActiveTpmInterfaceType) == Tpm2PtpInterfaceCrb && 
PcdGet8(PcdCRBIdleByPass) == 0xFF) {
 IdleByPass = Tpm2GetIdleByPass((VOID *) (UINTN) PcdGet64 
(PcdTpmBaseAddress));
 PcdSet8S(PcdCRBIdleByPass, IdleByPass);
   }
-- 
2.10.0.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


[edk2] [Patch 2/2] SecurityPkg: Tpm2DeviceLib: Enable CapCRBIdleBypass support

2018-06-24 Thread Zhang, Chao B
Directly transition from CMD completion to CMD Ready state if device
supports IdleByPass

Cc: Long Qin 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
Signed-off-by: Zhang, Chao B 
---
 .../Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c  | 19 +
 .../Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf|  1 +
 .../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c| 19 +
 .../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf  |  3 +-
 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c| 98 +++---
 SecurityPkg/SecurityPkg.dec| 10 +++
 SecurityPkg/SecurityPkg.uni| 10 ++-
 7 files changed, 146 insertions(+), 14 deletions(-)

diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
index 3feb64df7e..e6fe563b40 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
@@ -29,10 +29,22 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 TPM2_PTP_INTERFACE_TYPE
 Tpm2GetPtpInterface (
   IN VOID *Register
   );
 
+/**
+  Return PTP CRB interface IdleByPass state.
+
+  @param[in] RegisterPointer to PTP register.
+
+  @return PTP CRB interface IdleByPass state.
+**/
+UINT8
+Tpm2GetIdleByPass (
+  IN VOID *Register
+  );
+
 /**
   This service enables the sending of commands to the TPM2.
 
   @param[in]  InputParameterBlockSize  Size of the TPM2 input parameter 
block.
   @param[in]  InputParameterBlock  Pointer to the TPM2 input parameter 
block.
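Review bot: this Tpm2GetIdleByPass prototype is file-local to Tpm2DeviceLibDTpm.c, the same declaration is repeated in Tpm2InstanceLibDTpm.c later in this patch, and the definition lives in Tpm2Ptp.c (per the diffstat); a signature change would have to be made in three places with no compiler check tying them together. Move it, together with the existing Tpm2GetPtpInterface prototype just above it, into a private header inside Tpm2DeviceLibDTpm/ that both .c files include.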
@@ -138,15 +150,22 @@ EFIAPI
 Tpm2DeviceLibConstructor (
   VOID
   )
 {
   TPM2_PTP_INTERFACE_TYPE  PtpInterface;
+  UINT8IdleByPass;
 
   //
   // Cache current active TpmInterfaceType only when needed
   //
   if (PcdGet8(PcdActiveTpmInterfaceType) == 0xFF) {
 PtpInterface = Tpm2GetPtpInterface ((VOID *) (UINTN) PcdGet64 
(PcdTpmBaseAddress));
 PcdSet8S(PcdActiveTpmInterfaceType, PtpInterface);
   }
+
+  if (PcdGet8(PcdActiveTpmInterfaceType) == PtpInterfaceCrb && 
PcdGet8(PcdCRBIdleByPass) == 0xFF) {
+IdleByPass = Tpm2GetIdleByPass((VOID *) (UINTN) PcdGet64 
(PcdTpmBaseAddress));
+PcdSet8S(PcdCRBIdleByPass, IdleByPass);
+  }
+
   return EFI_SUCCESS;
 }
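Review bot: PtpInterfaceCrb is not a declared identifier, so this hunk does not compile; the enum added to Tpm2DeviceLib.h by the "Cache TPM interface type info" patch names the value Tpm2PtpInterfaceCrb (Gary Lin's build error and Liming Gao's follow-up patch on this page both confirm it). Separately, both PcdSet8S calls discard their EFI_STATUS: the cache only works when these PCDs are dynamic, and a failed set silently falls back to re-reading the register on every constructor run, so check the result (for example with ASSERT_EFI_ERROR), which is what the "S" variant exists for.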
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
index 634bbae847..2e54a78cc0 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
@@ -53,5 +53,6 @@
   PcdLib
 
 [Pcd]
   gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress## CONSUMES
   gEfiSecurityPkgTokenSpaceGuid.PcdActiveTpmInterfaceType## PRODUCES
+  gEfiSecurityPkgTokenSpaceGuid.PcdCRBIdleByPass ## PRODUCES
\ No newline at end of file
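Review bot: the new [Pcd] line leaves the file without a trailing newline ("\ No newline at end of file"); add it so the next entry appended here does not show up as a spurious two-line change to this line.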
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
index 01f78bf0be..edcdb72a79 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c
@@ -32,10 +32,22 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 TPM2_PTP_INTERFACE_TYPE
 Tpm2GetPtpInterface (
   IN VOID *Register
   );
 
+/**
+  Return PTP CRB interface IdleByPass state.
+
+  @param[in] RegisterPointer to PTP register.
+
+  @return PTP CRB interface IdleByPass state.
+**/
+UINT8
+Tpm2GetIdleByPass (
+  IN VOID *Register
+  );
+
 /**
   Dump PTP register information.
 
   @param[in] RegisterPointer to PTP register.
 **/
@@ -95,10 +107,11 @@ Tpm2InstanceLibDTpmConstructor (
   VOID
   )
 {
   EFI_STATUS   Status;
   TPM2_PTP_INTERFACE_TYPE  PtpInterface;
+  UINT8IdleByPass;
 
   Status = Tpm2RegisterTpm2DeviceLib ();
   if ((Status == EFI_SUCCESS) || (Status == EFI_UNSUPPORTED)) {
 //
 // Unsupported means platform policy does not need this instance enabled.
@@ -109,10 +122,16 @@ Tpm2InstanceLibDTpmConstructor (
   //
   if (PcdGet8(PcdActiveTpmInterfaceType) == 0xFF) {
 PtpInterface = Tpm2GetPtpInterface ((VOID *) (UINTN) PcdGet64 
(PcdTpmBaseAddress));
 PcdSet8S(PcdActiveTpmInterfaceType, PtpInterface);
   }
+
+  if (PcdGet8(PcdActiveTpmInterfaceType) == PtpInterfaceCrb && 
PcdGet8(PcdCRBIdleByPass) == 0xFF) {
+IdleByPass = Tpm2GetIdleByPass((VOID *) (UINTN) PcdGet64 
(PcdTpmBaseAddress));
+PcdSet8S(PcdCRBIdleByPass, IdleByPass);
+  }
+
   DumpPtpInfo ((VOID *) (UINTN) PcdGet64 (PcdTpmBaseAddress));
 }
 return EFI_SUCCESS;
   }
   return Status;
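Review bot: same undeclared PtpInterfaceCrb as in Tpm2DeviceLibConstructor; it needs to be Tpm2PtpInterfaceCrb. This hunk also hard-codes 0xFF as the "not yet cached" sentinel for PcdCRBIdleByPass in a second place, and the SecurityPkg.dec change that defines the PCD's default is not visible here; make sure the default really is 0xFF, and consider a named constant shared by both constructors so the sentinel and the default cannot drift apart.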
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf

[edk2] [Patch 1/2] Add CapCRBIdleBypass definition to interface ID register. It complies with existing register

2018-06-24 Thread Zhang, Chao B
Signed-off-by: Zhang, Chao B 
---
 MdePkg/Include/IndustryStandard/TpmPtp.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/MdePkg/Include/IndustryStandard/TpmPtp.h 
b/MdePkg/Include/IndustryStandard/TpmPtp.h
index 0796512688..c7ff8fdc58 100644
--- a/MdePkg/Include/IndustryStandard/TpmPtp.h
+++ b/MdePkg/Include/IndustryStandard/TpmPtp.h
@@ -1,10 +1,10 @@
 /** @file
   Platform TPM Profile Specification definition for TPM2.0.
   It covers both FIFO and CRB interface.
 
-Copyright (c) 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -336,11 +336,12 @@ typedef PTP_CRB_REGISTERS  *PTP_CRB_REGISTERS_PTR;
 typedef union {
   struct {
 UINT32   InterfaceType:4;
 UINT32   InterfaceVersion:4;
 UINT32   CapLocality:1;
-UINT32   Reserved1:2;
+UINT32   CapCRBIdleBypass:1;
+UINT32   Reserved1:1;
 UINT32   CapDataXferSizeSupport:2;
 UINT32   CapFIFO:1;
 UINT32   CapCRB:1;
 UINT32   CapIFRes:2;
 UINT32   InterfaceSelector:2;
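Review bot: the bit layout is consistent (CapCRBIdleBypass takes bit 9 and Reserved1 shrinks to the single bit 10, so every field after it keeps its position), but the commit message should cite the PTP specification table for the Interface ID register so a reviewer can confirm bit 9 without the spec open. The subject line also carries what should be the body, lacks the "MdePkg:" package prefix, and is missing the Contributed-under and Cc lines that patch 2/2 has; MdePkg maintainers need to be on Cc since this touches MdePkg/Include.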
-- 
2.16.2.windows.1



[edk2] [Patch V2] SecurityPkg: Cache TPM interface type info

2018-06-21 Thread Zhang, Chao B
Cache TPM interface type info to avoid excessive interface ID register read

Cc: Long Qin 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B 
---
 SecurityPkg/Include/Library/Tpm2DeviceLib.h| 12 +++-
 .../Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c  | 38 +++-
 .../Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf|  8 ++-
 .../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c| 27 -
 .../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf  |  6 +-
 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c| 47 +++
 SecurityPkg/SecurityPkg.dec| 12 +++-
 SecurityPkg/SecurityPkg.uni| 10 +++-
 SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf   |  3 +-
 SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c| 68 ++
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c  | 60 ++-
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.h  |  1 +
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf|  1 +
 13 files changed, 148 insertions(+), 145 deletions(-)

diff --git a/SecurityPkg/Include/Library/Tpm2DeviceLib.h 
b/SecurityPkg/Include/Library/Tpm2DeviceLib.h
index 67f158ef03..f072a24925 100644
--- a/SecurityPkg/Include/Library/Tpm2DeviceLib.h
+++ b/SecurityPkg/Include/Library/Tpm2DeviceLib.h
@@ -1,9 +1,9 @@
 /** @file
   This library abstract how to access TPM2 hardware device.
 
-Copyright (c) 2013, Intel Corporation. All rights reserved. 
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. 
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -15,10 +15,20 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 #ifndef _TPM2_DEVICE_LIB_H_
 #define _TPM2_DEVICE_LIB_H_
 
 #include 
 
+//
+// Used in PcdActiveTpmInterfaceType to identify TPM interface type
+//
+typedef enum {
+  Tpm2PtpInterfaceTis,
+  Tpm2PtpInterfaceFifo,
+  Tpm2PtpInterfaceCrb,
+  Tpm2PtpInterfaceMax,
+} TPM2_PTP_INTERFACE_TYPE;
+
 /**
   This service enables the sending of commands to the TPM2.
 
   @param[in]  InputParameterBlockSize  Size of the TPM2 input parameter 
block.
   @param[in]  InputParameterBlock  Pointer to the TPM2 input parameter 
block.
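Review bot: the enum should document the out-of-band value the code relies on. Tpm2DeviceLibConstructor in this same patch treats 0xFF in PcdActiveTpmInterfaceType as "not cached yet", but nothing in this header says so, and Tpm2PtpInterfaceMax is the only upper bound a reader sees. Add a comment (or a named constant) for the 0xFF sentinel next to this typedef and state that the PCD is a UINT8 holding one of these values.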
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
index 0b1723e4a1..3feb64df7e 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
@@ -1,10 +1,10 @@
 /** @file
   This library is TPM2 DTPM device lib.
   Choosing this library means platform uses and only uses DTPM device as TPM2 
engine.
 
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. 
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. 
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -15,10 +15,23 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 
 #include 
 #include 
 #include 
 #include 
+#include 
+
+/**
+  Return PTP interface type.
+
+  @param[in] RegisterPointer to PTP register.
+
+  @return PTP interface type.
+**/
+TPM2_PTP_INTERFACE_TYPE
+Tpm2GetPtpInterface (
+  IN VOID *Register
+  );
 
 /**
   This service enables the sending of commands to the TPM2.
 
   @param[in]  InputParameterBlockSize  Size of the TPM2 input parameter 
block.
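Review bot: Tpm2GetPtpInterface is implemented in Tpm2Ptp.c (per the diffstat) but declared here as a file-local prototype, and the diffstat shows Tpm2InstanceLibDTpm.c getting the same treatment; declare it once in a private header of the library so the two call sites cannot drift from the definition.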
@@ -112,5 +125,28 @@ Tpm2RegisterTpm2DeviceLib (
   IN TPM2_DEVICE_INTERFACE   *Tpm2Device
   )
 {
   return EFI_UNSUPPORTED;
 }
+
+/**
+  The function caches current active TPM interface type.
+  
+  @retval EFI_SUCCESS   DTPM2.0 instance is registered, or system dose not 
surpport registr DTPM2.0 instance
+**/
+EFI_STATUS
+EFIAPI
+Tpm2DeviceLibConstructor (
+  VOID
+  )
+{
+  TPM2_PTP_INTERFACE_TYPE  PtpInterface;
+
+  //
+  // Cache current active TpmInterfaceType only when needed
+  //
+  if (PcdGet8(PcdActiveTpmInterfaceType) == 0xFF) {
+PtpInterface = Tpm2GetPtpInterface ((VOID *) (UINTN) PcdGet64 
(PcdTpmBaseAddress));
+PcdSet8S(PcdActiveTpmInterfaceType, PtpInterface);
+  }
+  return EFI_SUCCESS;
+}
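Review bot: the doc comment does not describe this function: "@retval EFI_SUCCESS DTPM2.0 instance is registered, or system dose not surpport registr DTPM2.0 instance" reads like it was copied from a registration routine (and carries three typos: "dose", "surpport", "registr"), while the function only caches the interface type and unconditionally returns EFI_SUCCESS. Also, the PcdSet8S status is dropped; if PcdActiveTpmInterfaceType is not a dynamic PCD the set fails and the cache never takes effect, so ASSERT_EFI_ERROR (or at least a DEBUG print) on the result.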
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
index 3e619b98b7..634bbae847 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
@@ -8,11 +8,11 @@
 #  This library implements TIS (TPM Interface Specification) and
 #  PTP (Platform TPM Profile

[edk2] [Patch] SecurityPkg: Cache TPM interface type info

2018-06-20 Thread Zhang, Chao B
Cache TPM interface type info to avoid excessive interface ID register read

Cc: Long Qin 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
Signed-off-by: Zhang, Chao B 
---
 SecurityPkg/Include/Library/Tpm2DeviceLib.h| 12 +++-
 .../Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c  | 38 +++-
 .../Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf|  8 ++-
 .../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.c| 27 -
 .../Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf  |  6 +-
 SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2Ptp.c| 47 +++
 SecurityPkg/SecurityPkg.dec| 12 +++-
 SecurityPkg/SecurityPkg.uni| 10 +++-
 SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigDxe.inf   |  3 +-
 SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c| 68 ++
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c  | 60 ++-
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.h  |  1 +
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf|  1 +
 13 files changed, 148 insertions(+), 145 deletions(-)

diff --git a/SecurityPkg/Include/Library/Tpm2DeviceLib.h 
b/SecurityPkg/Include/Library/Tpm2DeviceLib.h
index 67f158ef03..f072a24925 100644
--- a/SecurityPkg/Include/Library/Tpm2DeviceLib.h
+++ b/SecurityPkg/Include/Library/Tpm2DeviceLib.h
@@ -1,9 +1,9 @@
 /** @file
   This library abstract how to access TPM2 hardware device.
 
-Copyright (c) 2013, Intel Corporation. All rights reserved. 
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. 
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -15,10 +15,20 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 #ifndef _TPM2_DEVICE_LIB_H_
 #define _TPM2_DEVICE_LIB_H_
 
 #include 
 
+//
+// Used in PcdActiveTpmInterfaceType to identify TPM interface type
+//
+typedef enum {
+  Tpm2PtpInterfaceTis,
+  Tpm2PtpInterfaceFifo,
+  Tpm2PtpInterfaceCrb,
+  Tpm2PtpInterfaceMax,
+} TPM2_PTP_INTERFACE_TYPE;
+
 /**
   This service enables the sending of commands to the TPM2.
 
   @param[in]  InputParameterBlockSize  Size of the TPM2 input parameter 
block.
   @param[in]  InputParameterBlock  Pointer to the TPM2 input parameter 
block.
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
index 0b1723e4a1..3feb64df7e 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.c
@@ -1,10 +1,10 @@
 /** @file
   This library is TPM2 DTPM device lib.
   Choosing this library means platform uses and only uses DTPM device as TPM2 
engine.
 
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. 
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. 
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -15,10 +15,23 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 
 #include 
 #include 
 #include 
 #include 
+#include 
+
+/**
+  Return PTP interface type.
+
+  @param[in] RegisterPointer to PTP register.
+
+  @return PTP interface type.
+**/
+TPM2_PTP_INTERFACE_TYPE
+Tpm2GetPtpInterface (
+  IN VOID *Register
+  );
 
 /**
   This service enables the sending of commands to the TPM2.
 
   @param[in]  InputParameterBlockSize  Size of the TPM2 input parameter 
block.
@@ -112,5 +125,28 @@ Tpm2RegisterTpm2DeviceLib (
   IN TPM2_DEVICE_INTERFACE   *Tpm2Device
   )
 {
   return EFI_UNSUPPORTED;
 }
+
+/**
+  The function caches current active TPM interface type.
+  
+  @retval EFI_SUCCESS   DTPM2.0 instance is registered, or system dose not 
surpport registr DTPM2.0 instance
+**/
+EFI_STATUS
+EFIAPI
+Tpm2DeviceLibConstructor (
+  VOID
+  )
+{
+  TPM2_PTP_INTERFACE_TYPE  PtpInterface;
+
+  //
+  // Cache current active TpmInterfaceType only when needed
+  //
+  if (PcdGet8(PcdActiveTpmInterfaceType) == 0xFF) {
+PtpInterface = Tpm2GetPtpInterface ((VOID *) (UINTN) PcdGet64 
(PcdTpmBaseAddress));
+PcdSet8S(PcdActiveTpmInterfaceType, PtpInterface);
+  }
+  return EFI_SUCCESS;
+}
diff --git a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf 
b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
index 3e619b98b7..634bbae847 100644
--- a/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
+++ b/SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
@@ -8,11 +8,11 @@
 #  This library implements TIS (TPM Interface Specification) and
 #  PTP

[edk2] [Patch] CryptoPkg PeiCryptLib: Enable SHA384/512 support

2018-06-07 Thread Zhang, Chao B
Enable SHA384/512 support in PEI phase.

Cc: Long Qin 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
Signed-off-by: Zhang, Chao B 
---
 CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf 
b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index f1f709ef6d..e08627be24 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -11,11 +11,11 @@
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, 
X.509 
 #  certificate handler functions, authenticode signature verification 
functions, 
 #  PEM handler functions, and pseudorandom number generator functions are not 
 #  supported in this instance.
 #
-#  Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+#  Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD 
License
 #  which accompanies this distribution.  The full text of the license may be 
found at
 #  http://opensource.org/licenses/bsd-license.php
 #
@@ -42,11 +42,11 @@
 [Sources]
   Hash/CryptMd4Null.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
   Hash/CryptSha256.c
-  Hash/CryptSha512Null.c
+  Hash/CryptSha512.c
   Hmac/CryptHmacMd5Null.c
   Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Cipher/CryptAesNull.c
   Cipher/CryptTdesNull.c
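Review bot: replacing CryptSha512Null.c with CryptSha512.c is what turns on SHA-384/512 in PEI, but the file header just above this hunk enumerates what this instance does not support; check that it does not still list SHA-384/512 (or their HMAC variants) as unsupported. The real implementation also grows the PEI image, so the commit message could state the measured size impact.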
-- 
2.16.2.windows.1



Re: [edk2] [PATCH] SecurityPkg/SecureBootConfigDxe: Fix invalid NV data issue.

2018-06-04 Thread Zhang, Chao B
Reviewed-by: Chao Zhang 

-Original Message-
From: Nickle Wang [mailto:nickle.w...@hpe.com] 
Sent: Tuesday, May 29, 2018 8:08 PM
To: edk2-devel@lists.01.org
Cc: Zhang, Chao B ; Yao, Jiewen ; 
Nickle Wang ; cinnamon shia 
Subject: [PATCH] SecurityPkg/SecureBootConfigDxe: Fix invalid NV data issue.

Check the return value of HiiGetBrowserData() before calling 
HiiSetBrowserData(). HiiGetBrowserData() failed to retrieve NV data during 
action EFI_BROWSER_ACTION_RETRIEVE. If NV data is invalid, stop sending it to 
form browser.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Nickle Wang 
Signed-off-by: cinnamon shia 
---
 .../SecureBootConfigDxe/SecureBootConfigImpl.c  | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c 
b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index e3066f7..6123b56 100644
--- 
a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo
+++ nfigImpl.c
@@ -2,6 +2,7 @@
   HII Config Access protocol implementation of SecureBoot configuration module.
 
 Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP
 This program and the accompanying materials  are licensed and made available 
under the terms and conditions of the BSD License  which accompanies this 
distribution.  The full text of the license may be found at @@ -4319,6 +4320,7 
@@ SecureBootCallback (
   UINTN   NameLength;
   UINT16  *FilePostFix;
   SECUREBOOT_CONFIG_PRIVATE_DATA  *PrivateData;
+  BOOLEAN GetBrowserDataResult;
 
   Status   = EFI_SUCCESS;
   SecureBootEnable = NULL;
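Review bot: GetBrowserDataResult is declared here but only assigned later, at the HiiGetBrowserData call, and it is tested at EXIT; any path that reaches EXIT before that call would read an indeterminate BOOLEAN. Initialize it to FALSE alongside "Status = EFI_SUCCESS;" so the EXIT guard is well defined on every path.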
@@ -4343,7 +4345,7 @@ SecureBootCallback (
 return EFI_OUT_OF_RESOURCES;
   }
 
-  HiiGetBrowserData (, mSecureBootStorageName, 
BufferSize, (UINT8 *) IfrNvData);
+  GetBrowserDataResult = HiiGetBrowserData 
+ (, mSecureBootStorageName, BufferSize, 
+ (UINT8 *) IfrNvData);
 
   if (Action == EFI_BROWSER_ACTION_FORM_OPEN) {
 if (QuestionId == KEY_SECURE_BOOT_MODE) { @@ -4889,7 +4891,7 @@ 
SecureBootCallback (
 
 EXIT:
 
-  if (!EFI_ERROR (Status)) {
+  if (!EFI_ERROR (Status) && GetBrowserDataResult) {
 BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
 HiiSetBrowserData (, mSecureBootStorageName, 
BufferSize, (UINT8*) IfrNvData, NULL);
   }
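Review bot: the guard is correct, but add a short comment above it saying why HiiGetBrowserData can legitimately return FALSE here (the commit message explains it does so during EFI_BROWSER_ACTION_RETRIEVE), so a later reader does not "fix" the callback to fail on that path.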
--
2.5.1.windows.1



[edk2] [Patch] SecurityPkg/Tcg2Smm: Correct function parameter attribute

2018-05-28 Thread Zhang, Chao B
Correct UpdatePossibleResource parameter attribute to align to comment

Change-Id: Id8f8be975f0e8666573decc3fbaaf326b7767ba8
Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Long Qin <qin.l...@intel.com>
Cc: Yao Jiewen <jiewen@intel.com>
Reviewed-by: Chao Zhang <chao.b.zh...@intel.com>
Signed-off-by: Zhang, Chao B <chao.b.zh...@intel.com>
---
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c 
b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
index 3e0a68999a..f0c92462cf 100644
--- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
+++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
@@ -315,14 +315,14 @@ UpdatePPVersion (
   @return  patch status.
 
 **/
 EFI_STATUS
 UpdatePossibleResource (
-  IN  EFI_ACPI_DESCRIPTION_HEADER*Table,
-  IN  UINT32 *IrqBuffer,
-  IN  UINT32 IrqBuffserSize,
-  OUT BOOLEAN*IsShortFormPkgLength
+  IN OUT  EFI_ACPI_DESCRIPTION_HEADER*Table,
+  IN  UINT32 *IrqBuffer,
+  IN  UINT32 IrqBuffserSize,
+  OUT BOOLEAN*IsShortFormPkgLength
   )
 {
   UINT8   *DataPtr;
   UINT8   *DataEndPtr;
   UINT32  NewPkgLength;
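Review bot: IN OUT on Table now matches the "@param[in, out] Table" line of the doc comment, good. While the signature is being touched, IrqBuffserSize could be renamed IrqBufferSize in the prototype, body and comment. Also drop the Gerrit "Change-Id:" line from the commit message; it is not an edk2 trailer.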
-- 
2.16.2.windows.1



Re: [edk2] Set "db" variable in secure boot setup mode still requires generating PKCS#7?

2018-05-20 Thread Zhang, Chao B
David:
   Have you tried to enroll .crt from HII Secure Boot Configure Page?
Basically when PK exists, PhysicalPresence and Customized Mode must be
asserted in order to enroll a signature without CertData to KEK/DB…

From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of David F.
Sent: Monday, May 21, 2018 3:54 AM
To: Long, Qin 
Cc: edk2 developers list ; Laszlo Ersek 

Subject: Re: [edk2] Set "db" variable in secure boot setup mode still requires 
generating PKCS#7?

>Do you mean this code snippet can succeed to enroll KEK, but fail to
enroll DB data?

Correct.


> What’s the returned errcode value? (And one reminder is that KEK and DB
are binding with different vendor GUID: gEfiGlobalVariableGuid, and
gEfiImageSecurityDatabaseGuid).

It was an access denied type of error code (I'd have to enable it again to
test the exact code).  Yes, the GUID was set differently for the database
(wasn't able to save anything using the database GUID).


On Wed, May 2, 2018 at 8:09 PM, Long, Qin 
> wrote:

> Hi, David,
>
>
>
> Yes, in Setup / Custom mode, no need to generate the AuthData for
> verification. It’s good enough to create the AUTH_2 descriptor / headers
> without CertData as the parameter for SetVariable() call.
>
>
>
> Do you mean this code snippet can succeed to enroll KEK, but fail to
> enroll DB data?
>
> The data initialization from code snippet looks good. What’s the returned
> errcode value? (And one reminder is that KEK and DB are binding with
> different vendor GUID: gEfiGlobalVariableGuid, and
> gEfiImageSecurityDatabaseGuid).
>
>
>
>
>
> Best Regards & Thanks,
>
> LONG, Qin
>
>
>
> *From:* edk2-devel [mailto:edk2-devel-boun...@lists.01.org] *On Behalf Of
> *David F.
> *Sent:* Thursday, May 3, 2018 12:26 AM
> *To:* Laszlo Ersek
> *Cc:* edk2 developers list
> *Subject:* Re: [edk2] Set "db" variable in secure boot setup mode still
> requires generating PKCS#7?
>
>
>
> This Intel mobo didn't like?  This is the code snippet that builds it:
>
>
> // calc size of header (with no certdata) and crt file data to add
> size_t authhdrsize;
> size_t siglisthdrsize;
>
> if (applyrawdata) {
>   authhdrsize=0;
>   siglisthdrsize=0;
> }
> else {
>   authhdrsize=offsetof(EFI_VARIABLE_AUTHENTICATION_2,
> AuthInfo)+offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData);
>   siglisthdrsize=sizeof(EFI_SIGNATURE_LIST)+offsetof(EFI_SIGNATURE_DATA,
> SignatureData);
> }
> size_t tempbufsize=ffinfo.FileSize+authhdrsize+siglisthdrsize;
>
> BYTE *tempbuf;
> if ((tempbuf=new BYTE [tempbufsize])!=NULL) {
>   // variable to determine where to read file
>   BYTE *certdata=tempbuf;
>   // determine if need to prefix .crt for kek/db entries
>   if (!applyrawdata) {
> // zero header part of buffer so all are init to zero
> memset(tempbuf, 0, authhdrsize+siglisthdrsize);
> //
> // setup EFI_VARIABLE_AUTHENTICATION_2  header
> //
> EFI_VARIABLE_AUTHENTICATION_2
> *efivarauth2=(EFI_VARIABLE_AUTHENTICATION_2 *) tempbuf;
> // setup time
> TimeTToUEFITimeGMT(time(NULL), &efivarauth2->TimeStamp);
> efivarauth2->TimeStamp.Nanosecond=0;
> // setup authinfo (without any CertData)
> efivarauth2->AuthInfo.Hdr.dwLength=offsetof(WIN_CERTIFICATE_UEFI_GUID,
> CertData);
> efivarauth2->AuthInfo.Hdr.wRevision=0x200;
> efivarauth2->AuthInfo.Hdr.wCertificateType=WIN_CERT_TYPE_EFI_GUID;
> efivarauth2->AuthInfo.CertType=gEfiCertPkcs7Guid;
> //
> // setup EFI_SIGNATURE_LIST
> //
> EFI_SIGNATURE_LIST *efisiglist=(EFI_SIGNATURE_LIST *)
> (tempbuf+authhdrsize);
> efisiglist->SignatureType=gEfiCertX509Guid;
>
> efisiglist->SignatureListSize=(uint32_t)(ffinfo.FileSize+siglisthdrsize);
> efisiglist->SignatureHeaderSize=0;
> efisiglist->SignatureSize=ffinfo.FileSize+offsetof(EFI_SIGNATURE_DATA,
> SignatureData);
> //
> // setup EFI_SIGNATURE_DATA  (no owner)
> //
> EFI_SIGNATURE_DATA *efisigdata=(EFI_SIGNATURE_DATA *)
> ((BYTE*)efisiglist+sizeof(EFI_SIGNATURE_LIST)+efisiglist->
> SignatureHeaderSize);
> certdata=efisigdata->SignatureData;
>   }
>   // Read file to buffer
>   if ((errcode=FSOpenReadCloseFile(openpath, certdata, 0, ffinfo.FileSize,
> NULL, filesys))==ERROR_NONE) {
> // have the data, now write it to the correct variable
> uint32_t varattr=EFI_VARIABLE_NON_VOLATILE|
>  EFI_VARIABLE_BOOTSERVICE_ACCESS|
>  EFI_VARIABLE_RUNTIME_ACCESS|
>  EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> if (!rparam) {
>   varattr|=EFI_VARIABLE_APPEND_WRITE;
> }
>
> // update variable
> errcode=UEFISetVariable(varname, guidstr, tempbuf, tempbufsize,
> varattr);
>   }
>   // clean up
>   delete[] tempbuf;
> }
>
>
> On Wed, May 2, 2018 at 3:21 AM, Laszlo Ersek 
> 
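The payload David's snippet assembles (an EFI_VARIABLE_AUTHENTICATION_2 descriptor with no CertData, followed by one EFI_SIGNATURE_LIST carrying a single X.509 entry) is easier to debug with a builder and a strict checker side by side, because the firmware still parses the descriptor and list headers even when, as Qin notes, no PKCS#7 AuthData is needed in Setup/Custom mode. The following is an added example, not code from this thread or from edk2: the struct definitions mirror the UEFI specification layouts, the two GUID constants are the standard EFI_CERT_TYPE_PKCS7 and EFI_CERT_X509 values, and the function names and the 100-byte stand-in certificate are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirrors of the UEFI spec structures (field order as in edk2 MdePkg); pack(1) keeps offsetof() equal to the in-memory layout. */
#pragma pack(push, 1)
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct {
  uint16_t Year; uint8_t Month, Day, Hour, Minute, Second, Pad1;
  uint32_t Nanosecond; int16_t TimeZone; uint8_t Daylight, Pad2;
} EFI_TIME;
typedef struct { uint32_t dwLength; uint16_t wRevision, wCertificateType; } WIN_CERTIFICATE;
typedef struct { WIN_CERTIFICATE Hdr; EFI_GUID CertType; uint8_t CertData[1]; } WIN_CERTIFICATE_UEFI_GUID;
typedef struct { EFI_TIME TimeStamp; WIN_CERTIFICATE_UEFI_GUID AuthInfo; } EFI_VARIABLE_AUTHENTICATION_2;
typedef struct { EFI_GUID SignatureType; uint32_t SignatureListSize, SignatureHeaderSize, SignatureSize; } EFI_SIGNATURE_LIST;
typedef struct { EFI_GUID SignatureOwner; uint8_t SignatureData[1]; } EFI_SIGNATURE_DATA;
#pragma pack(pop)

#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
#define WIN_CERT_REVISION_2_0  0x0200
static const EFI_GUID gEfiCertPkcs7Guid = { 0x4aafd29d, 0x68df, 0x49ee, { 0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7 } };
static const EFI_GUID gEfiCertX509Guid  = { 0xa5c059a1, 0x94e4, 0x4aa7, { 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 } };

/* Header sizes exactly as the snippet derives them with offsetof(). */
#define AUTH2_HDR_SIZE   (offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData))
#define SIGLIST_HDR_SIZE (sizeof(EFI_SIGNATURE_LIST) + offsetof(EFI_SIGNATURE_DATA, SignatureData))
#define CERT_TYPE_OFF    (offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + offsetof(WIN_CERTIFICATE_UEFI_GUID, CertType))

size_t auth2_header_size(void)   { return AUTH2_HDR_SIZE; }   /* 16 + 24 = 40 */
size_t siglist_header_size(void) { return SIGLIST_HDR_SIZE; } /* 28 + 16 = 44 */

/* Build the Setup/Custom-mode enrollment payload: an AUTH_2 descriptor with empty CertData, then one
 * EFI_SIGNATURE_LIST holding a single X.509 entry with a zero SignatureOwner. Returns the length, or 0 if it does not fit. */
size_t build_enroll_payload(const uint8_t *cert, size_t cert_len, const EFI_TIME *ts, uint8_t *out, size_t out_cap)
{
  size_t total = AUTH2_HDR_SIZE + SIGLIST_HDR_SIZE + cert_len;
  EFI_VARIABLE_AUTHENTICATION_2 *auth; EFI_SIGNATURE_LIST *list;
  if (cert == NULL || cert_len == 0 || cert_len > 0x10000000u || total > out_cap) return 0;
  memset(out, 0, AUTH2_HDR_SIZE + SIGLIST_HDR_SIZE);
  auth = (EFI_VARIABLE_AUTHENTICATION_2 *)out;
  auth->TimeStamp = *ts;
  /* The spec requires these EFI_TIME fields to be zero in a time-based authenticated descriptor. */
  auth->TimeStamp.Pad1 = 0; auth->TimeStamp.Nanosecond = 0; auth->TimeStamp.TimeZone = 0;
  auth->TimeStamp.Daylight = 0; auth->TimeStamp.Pad2 = 0;
  auth->AuthInfo.Hdr.dwLength = (uint32_t)offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData);
  auth->AuthInfo.Hdr.wRevision = WIN_CERT_REVISION_2_0;
  auth->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
  memcpy(out + CERT_TYPE_OFF, &gEfiCertPkcs7Guid, sizeof(EFI_GUID));   /* AuthInfo.CertType */
  list = (EFI_SIGNATURE_LIST *)(out + AUTH2_HDR_SIZE);
  memcpy(out + AUTH2_HDR_SIZE, &gEfiCertX509Guid, sizeof(EFI_GUID));   /* SignatureType */
  list->SignatureListSize = (uint32_t)(SIGLIST_HDR_SIZE + cert_len);
  list->SignatureHeaderSize = 0;
  list->SignatureSize = (uint32_t)(offsetof(EFI_SIGNATURE_DATA, SignatureData) + cert_len);
  memcpy(out + AUTH2_HDR_SIZE + SIGLIST_HDR_SIZE, cert, cert_len);     /* SignatureData */
  return total;
}

/* Check a received payload before trusting the sizes it carries, as firmware must. Accepts exactly one
 * X.509 entry. Returns 0 and the certificate length, or a negative code naming the first failed check. */
int validate_enroll_payload(const uint8_t *buf, size_t len, size_t *cert_len)
{
  const EFI_VARIABLE_AUTHENTICATION_2 *auth = (const EFI_VARIABLE_AUTHENTICATION_2 *)buf;
  const EFI_SIGNATURE_LIST *list; size_t list_off;
  if (buf == NULL || cert_len == NULL || len <= AUTH2_HDR_SIZE + SIGLIST_HDR_SIZE) return -1;
  if (auth->AuthInfo.Hdr.wRevision != WIN_CERT_REVISION_2_0 ||
      auth->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) return -2;
  if (memcmp(buf + CERT_TYPE_OFF, &gEfiCertPkcs7Guid, sizeof(EFI_GUID)) != 0) return -3;
  /* With no CertData, dwLength must be exactly the fixed part of WIN_CERTIFICATE_UEFI_GUID. */
  if (auth->AuthInfo.Hdr.dwLength != offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData)) return -4;
  if (auth->TimeStamp.Pad1 || auth->TimeStamp.Nanosecond || auth->TimeStamp.TimeZone ||
      auth->TimeStamp.Daylight || auth->TimeStamp.Pad2) return -5;
  list_off = offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + auth->AuthInfo.Hdr.dwLength;
  list = (const EFI_SIGNATURE_LIST *)(buf + list_off);
  if (memcmp(buf + list_off, &gEfiCertX509Guid, sizeof(EFI_GUID)) != 0) return -6;
  if (list->SignatureHeaderSize != 0) return -7;
  /* Every declared size is cross-checked against the real buffer length. */
  if (list->SignatureListSize != len - list_off) return -8;
  if (list->SignatureSize <= offsetof(EFI_SIGNATURE_DATA, SignatureData)) return -9;
  if ((size_t)list->SignatureListSize != sizeof(EFI_SIGNATURE_LIST) + list->SignatureSize) return -10;
  *cert_len = list->SignatureSize - offsetof(EFI_SIGNATURE_DATA, SignatureData);
  return 0;
}

/* Constructed demonstration: 100 bytes of 0x30 stand in for a DER certificate. Returns the payload
 * length (184) when build, validate and two tamper checks all behave, or a negative code otherwise. */
int demo_roundtrip(void)
{
  uint8_t cert[100], out[256]; size_t n, got = 0;
  EFI_TIME ts = { .Year = 2018, .Month = 5, .Day = 2, .Hour = 10 };
  memset(cert, 0x30, sizeof cert);
  n = build_enroll_payload(cert, sizeof cert, &ts, out, sizeof out);
  if (n != AUTH2_HDR_SIZE + SIGLIST_HDR_SIZE + sizeof cert) return -100;
  if (validate_enroll_payload(out, n, &got) != 0 || got != sizeof cert) return -101;
  /* One byte short, then a forged SignatureListSize: both must fail the size cross-check. */
  if (validate_enroll_payload(out, n - 1, &got) != -8) return -102;
  ((EFI_SIGNATURE_LIST *)(out + AUTH2_HDR_SIZE))->SignatureListSize += 1;
  if (validate_enroll_payload(out, n, &got) != -8) return -103;
  return (int)n;
}
```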

[edk2] [Patch] SecurityPkg:Tcg2Smm: Update TcgNvs info after memory is allocated

2018-05-20 Thread Zhang, Chao B
Update package format info in _PRS to TcgNvs after memory is allocated.

Change-Id: Icfadb350e60d3ed2df332e92c257ce13309c0018
Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Yao Jiewen <jiewen@intel.com>
Cc: Long Qin <qin.l...@intel.com>
Signed-off-by: Zhang, Chao B <chao.b.zh...@intel.com>
---
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 19 ---
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c 
b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
index c3cee834ae..3e0a68999a 100644
--- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
+++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
@@ -308,19 +308,21 @@ UpdatePPVersion (
   interrupt buffer size. BufferSize, PkgLength and interrupt descirptor in 
ByteList need to be patched
 
   @param[in, out] TableThe TPM item in ACPI table.
   @param[in]  IrqBufferInput new IRQ buffer.
   @param[in]  IrqBuffserSize   Input new IRQ buffer size.
+  @param[out] IsShortFormPkgLength   If _PRS returns Short length 
Package(ACPI spec 20.2.4).
 
   @return  patch status.
 
 **/
 EFI_STATUS
 UpdatePossibleResource (
-  EFI_ACPI_DESCRIPTION_HEADER*Table,
-  UINT32 *IrqBuffer,
-  UINT32 IrqBuffserSize
+  IN  EFI_ACPI_DESCRIPTION_HEADER*Table,
+  IN  UINT32 *IrqBuffer,
+  IN  UINT32 IrqBuffserSize,
+  OUT BOOLEAN*IsShortFormPkgLength
   )
 {
   UINT8   *DataPtr;
   UINT8   *DataEndPtr;
   UINT32  NewPkgLength;
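Review bot: the new OUT parameter is only assigned on the two branches that recognise a _PRS package (`*IsShortFormPkgLength = TRUE;` and `= FALSE;` in the next two hunks), so on every other path, including the early error returns, it is left untouched and only the caller's `IsShortFormPkgLength = FALSE;` keeps it defined. Either state that contract in the new @param line, or set `*IsShortFormPkgLength = FALSE;` at function entry after rejecting a NULL pointer, so the routine is safe for callers that do not pre-initialise. While editing this comment block, `descirptor` is misspelled and the `IrqBuffserSize` typo is now carried into the IN-annotated prototype.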
@@ -429,11 +431,11 @@ UpdatePossibleResource (
   *(DataPtr + 2) = (UINT8)(IrqBuffserSize + 19);
 
   //
   // Notify _PRS to report short formed ResourceTemplate
   //
-  mTcgNvs->IsShortFormPkgLength = TRUE;
+  *IsShortFormPkgLength = TRUE;
 
   break;
 }
   }
 
@@ -501,11 +503,11 @@ UpdatePossibleResource (
 *(DataPtr + 2 + ((*DataPtr & (BIT7|BIT6)) >> 6)) = 
(UINT8)(IrqBuffserSize + 19);
 
 //
 // Notify _PRS to report long formed ResourceTemplate
 //
-mTcgNvs->IsShortFormPkgLength = FALSE;
+*IsShortFormPkgLength = FALSE;
 break;
   }
 }
   }
 
@@ -670,10 +672,13 @@ PublishAcpiTable (
   UINTN  TableKey;
   EFI_ACPI_DESCRIPTION_HEADER*Table;
   UINTN  TableSize;
   UINT32 *PossibleIrqNumBuf;
   UINT32 PossibleIrqNumBufSize;
+  BOOLEANIsShortFormPkgLength;
+
+  IsShortFormPkgLength = FALSE;
 
   Status = GetSectionFromFv (
  ,
  EFI_SECTION_RAW,
  0,
@@ -708,11 +713,11 @@ PublishAcpiTable (
 //
 PossibleIrqNumBuf = (UINT32 *)PcdGetPtr(PcdTpm2PossibleIrqNumBuf);
 PossibleIrqNumBufSize = (UINT32)PcdGetSize(PcdTpm2PossibleIrqNumBuf);
 
 if (PossibleIrqNumBufSize <= MAX_PRS_INT_BUF_SIZE && 
(PossibleIrqNumBufSize % sizeof(UINT32)) == 0) {
-  Status = UpdatePossibleResource(Table, PossibleIrqNumBuf, 
PossibleIrqNumBufSize);
+  Status = UpdatePossibleResource(Table, PossibleIrqNumBuf, 
PossibleIrqNumBufSize, );
   DEBUG ((
 DEBUG_INFO,
 "UpdatePossibleResource status - %x. TPM2 service may not ready in 
OS.\n",
 Status
 ));
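Review bot: the status from UpdatePossibleResource is only logged, so on failure the table is still published with the unpatched _PRS and IsShortFormPkgLength keeps its initial FALSE. That matches the old behaviour (mTcgNvs->IsShortFormPkgLength was unconditionally FALSE on that path), but a one-line comment at the call site saying that FALSE is the intended fallback would save the next reader from re-deriving it. The message text 'TPM2 service may not ready in OS' should read 'may not be ready'.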
@@ -741,11 +746,11 @@ PublishAcpiTable (
   ASSERT (Table->OemTableId == SIGNATURE_64 ('T', 'p', 'm', '2', 'T', 'a', 
'b', 'l'));
   CopyMem (Table->OemId, PcdGetPtr (PcdAcpiDefaultOemId), sizeof 
(Table->OemId) );
   mTcgNvs = AssignOpRegion (Table, SIGNATURE_32 ('T', 'N', 'V', 'S'), (UINT16) 
sizeof (TCG_NVS));
   ASSERT (mTcgNvs != NULL);
   mTcgNvs->TpmIrqNum= PcdGet32(PcdTpm2CurrentIrqNum);
-  mTcgNvs->IsShortFormPkgLength = FALSE;
+  mTcgNvs->IsShortFormPkgLength = IsShortFormPkgLength;
 
   //
   // Publish the TPM ACPI table. Table is re-checksumed.
   //
   Status = gBS->LocateProtocol (, NULL, (VOID **) 
);
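Review bot: this is the real fix and the commit message should say so: UpdatePossibleResource runs before AssignOpRegion returns mTcgNvs (previous hunk), so the old `mTcgNvs->IsShortFormPkgLength = TRUE/FALSE` stores inside it went through a pointer that had not been assigned yet, and the unconditional `= FALSE` here then discarded the result. Separately, `ASSERT (mTcgNvs != NULL)` is compiled out in RELEASE builds, so if AssignOpRegion fails the stores to mTcgNvs->TpmIrqNum and mTcgNvs->IsShortFormPkgLength on the next lines dereference NULL; returning an error (or skipping the publish) there would be safer than relying on the assert.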
-- 
2.16.2.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

2018-03-21 Thread Zhang, Chao B
Good catch! Jiewen, I will add more checks in CopyAuthSessionResponse()

From: Yao, Jiewen
Sent: Wednesday, March 21, 2018 2:39 PM
To: Zhang, Chao B <chao.b.zh...@intel.com>; Long, Qin <qin.l...@intel.com>; 
edk2-devel@lists.01.org
Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory 
overflow

Some thought:

1) Would you please add a debug message on every error check you added, just like 
the original code does?

2) For below, can we separate the check, and add error message for each failure?
Tpm2Integrity.c:
  if (PcrSelectionOut->count > HASH_COUNT || RecvBufferSize < sizeof 
(TPM2_RESPONSE_HEADER) + sizeof(RecvBuffer.PcrUpdateCounter) + 
sizeof(RecvBuffer.PcrSelectionOut.count) + 
sizeof(RecvBuffer.PcrSelectionOut.pcrSelections[0]) * PcrSelectionOut->count) {
DEBUG ((EFI_D_ERROR, "Tpm2PcrRead - Digests->count -%x or RecvBufferSize 
Error - %x\n", PcrSelectionOut->count, RecvBufferSize));
return EFI_DEVICE_ERROR;
  }

3) For below, can we separate the check, and add error message for each failure?
Tpm2NvStorage.c
  if (NvNameSize > sizeof(TPMU_NAME) ||
  (RecvBufferSize != sizeof(TPM2_RESPONSE_HEADER) + sizeof(UINT16) + 
NvPublicSize + sizeof(UINT16) + NvNameSize)) {
DEBUG ((EFI_D_ERROR, "Tpm2NvReadPublic - RecvBufferSize Error - 
NvPublicSize %x, NvNameSize %x\n", RecvBufferSize, NvNameSize));
return EFI_NOT_FOUND;
  }


4) Do you think we need to add a check for nonce.size below as well?
Tpm2Help.c

  // nonce
  AuthSessionOut->nonce.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));
  Buffer += sizeof(UINT16);

  CopyMem (AuthSessionOut->nonce.buffer, Buffer, AuthSessionOut->nonce.size);
  Buffer += AuthSessionOut->nonce.size;


Thank you
Yao Jiewen


> -Original Message-
> From: Zhang, Chao B
> Sent: Wednesday, March 21, 2018 11:03 AM
> To: Long, Qin <qin.l...@intel.com<mailto:qin.l...@intel.com>>; 
> edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
> Cc: Yao, Jiewen <jiewen@intel.com<mailto:jiewen@intel.com>>
> Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response
> memory overflow
>
> Thanks Qin, I will add more comments to explain the magic code
>
> -Original Message-
> From: Long, Qin
> Sent: Wednesday, March 21, 2018 10:58 AM
> To: Zhang, Chao B <chao.b.zh...@intel.com<mailto:chao.b.zh...@intel.com>>; 
> edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
> Cc: Yao, Jiewen <jiewen@intel.com<mailto:jiewen@intel.com>>
> Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response
> memory overflow
>
> Hi, Chao,
>
> One minor suggestion to add the comment to explain the following value "8": 
> the
> number of digests in list is not greater than 8 per TPML_DIGEST definition.
> +  if (PcrValues->count > 8) {
> +    return EFI_DEVICE_ERROR;
> +  }
>
> Other looks good to me.
>
> Reviewed-by: Long Qin <qin.l...@intel.com<mailto:qin.l...@intel.com>>
>
>
> Best Regards & Thanks,
> LONG, Qin
>
> -Original Message-
> From: Zhang, Chao B
> Sent: Tuesday, March 20, 2018 4:36 PM
> To: edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>
> Cc: Long, Qin <qin.l...@intel.com<mailto:qin.l...@intel.com>>; Yao, Jiewen 
> <jiewen@intel.com<mailto:jiewen@intel.com>>;
> Zhang, Chao B <chao.b.zh...@intel.com<mailto:chao.b.zh...@intel.com>>
> Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory
> overflow
>
> TPM2.0 command lib always assumes the TPM device and transmission channel can
> respond correctly. But that is not true when the communication channel is exploited
> and wrong data is spoofed. Add more logic to prohibit memory overflow attacks.
>
> Cc: Long Qin <qin.l...@intel.com<mailto:qin.l...@intel.com>>
> Cc: Yao Jiewen <jiewen@intel.com<mailto:jiewen@intel.com>>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang 
> <chao.b.zh...@intel.com<mailto:chao.b.zh...@intel.com>>
> Signed-off-by: Zhang, Chao B 
> <chao.b.zh...@intel.com<mailto:chao.b.zh...@intel.com>>
> ---
>  .../Library/Tpm2CommandLib/Tpm2Capability.c        | 21 ++-
>  .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c     | 16 ++-
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++---
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 --
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c    | 31 +-
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++-
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c   |  6 -
>  7 files changed, 107 
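The checks discussed in this thread (nonce.size in CopyAuthSessionResponse(), the RecvBufferSize arithmetic in Tpm2PcrRead and Tpm2NvReadPublic) all reduce to one rule: every length field read from the TPM response is compared against both the destination capacity and the number of bytes actually received before anything is copied. The C program below is an added example, not edk2 code, showing that rule applied to the auth area (nonce, sessionAttributes, hmac) that follows a TPM_ST_SESSIONS response. The type and function names, HA_MAX, and the three sample responses are this example's own constructions; the wire constants (TPM_ST_SESSIONS = 0x8002, a 10-byte response header, big-endian fields, TPM2B as a 16-bit size plus payload) are from the TPM 2.0 library specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not edk2 code. Wire constants follow the TPM 2.0 library spec;
 * HA_MAX (this example's name) is the largest digest a TPM2B_NONCE/TPM2B_AUTH
 * can carry (SHA-512, 64 bytes). */
#define TPM_ST_SESSIONS 0x8002u
#define TPM_RC_SUCCESS  0u
#define HA_MAX          64u

typedef struct {
    uint16_t nonce_size;
    uint8_t  nonce[HA_MAX];
    uint8_t  session_attributes;
    uint16_t hmac_size;
    uint8_t  hmac[HA_MAX];
} auth_response_t;

/* Cursor over the received bytes: every read is checked against what is left, so
 * a spoofed size field can neither over-read the buffer nor over-fill a field. */
typedef struct { const uint8_t *p; size_t left; } cursor_t;

static bool take(cursor_t *c, size_t n, const uint8_t **out) {
    if (n > c->left) return false;
    *out = c->p; c->p += n; c->left -= n;
    return true;
}
/* Read a 1-, 2- or 4-byte big-endian field (TPM wire order). */
static bool read_be(cursor_t *c, size_t n, uint32_t *v) {
    const uint8_t *b;
    if (!take(c, n, &b)) return false;
    for (*v = 0; n--; b++) *v = (*v << 8) | *b;
    return true;
}
/* TPM2B: 16-bit size then that many bytes. The size is checked against the
 * destination (the nonce.size check asked for in the thread) and, via take(),
 * against the bytes actually received, before the single memcpy. */
static bool read_tpm2b(cursor_t *c, uint16_t *size, uint8_t *dst, size_t cap) {
    const uint8_t *b;
    uint32_t n;
    if (!read_be(c, 2, &n) || n > cap || !take(c, n, &b)) return false;
    memcpy(dst, b, n);
    *size = (uint16_t)n;
    return true;
}

/* Parse the header, skip param_len parameter bytes (known from the command that
 * was sent) and unmarshal the one auth session that follows. Returns 0 on
 * success, -1 for malformed or short input, -2 when the TPM reported an error
 * (such responses are a bare header and carry no auth area). */
int parse_session_response(const uint8_t *buf, size_t len, size_t param_len,
                           auth_response_t *out) {
    cursor_t c = { buf, len };
    uint32_t tag, param_size, rc, parameter_size, attrs;
    const uint8_t *params;
    memset(out, 0, sizeof *out);
    if (!read_be(&c, 2, &tag) || !read_be(&c, 4, &param_size) || !read_be(&c, 4, &rc)) return -1;
    if (param_size != len) return -1;          /* TPM's length must equal what arrived */
    if (rc != TPM_RC_SUCCESS) return -2;       /* decide this before touching the body */
    if (tag != TPM_ST_SESSIONS) return -1;
    if (!read_be(&c, 4, &parameter_size) || parameter_size != param_len) return -1;
    if (!take(&c, param_len, &params)) return -1;
    if (!read_tpm2b(&c, &out->nonce_size, out->nonce, HA_MAX)) return -1;
    if (!read_be(&c, 1, &attrs)) return -1;
    out->session_attributes = (uint8_t)attrs;
    if (!read_tpm2b(&c, &out->hmac_size, out->hmac, HA_MAX)) return -1;
    return c.left == 0 ? 0 : -1;               /* trailing bytes are malformed too */
}

/* Constructed sample, not a real capture: success, no parameters, one session with
 * a 20-byte nonce, continueSession set, empty hmac. */
static const uint8_t kGoodResponse[39] = {
    0x80, 0x02, 0x00, 0x00, 0x00, 0x27, 0x00, 0x00, 0x00, 0x00,  /* header        */
    0x00, 0x00, 0x00, 0x00,                                      /* parameterSize */
    0x00, 0x14, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,  /* nonce         */
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14,
    0x01, 0x00, 0x00                                  /* attributes, hmac.size */
};
/* Constructed TPM error response: bare header, responseCode 0x18b. */
static const uint8_t kErrorResponse[10] = { 0x80, 0x01, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, 0x8b };
/* kGoodResponse with nonce.size spoofed to 0xFFFF: the unchecked
 * CopyMem (nonce.buffer, Buffer, nonce.size) would copy 65535 bytes into a
 * 64-byte field; parse_session_response() rejects it before any copy. */
const uint8_t *spoofed_response(void) {
    static uint8_t buf[sizeof kGoodResponse];
    memcpy(buf, kGoodResponse, sizeof buf);
    buf[14] = 0xff; buf[15] = 0xff;
    return buf;
}
/* Convenience entry point: nonce length (0..64) on success, else -1 or -2. */
int parse_result(const uint8_t *buf, size_t len) {
    auth_response_t a;
    int rc = parse_session_response(buf, len, 0, &a);
    return rc == 0 ? (int)a.nonce_size : rc;
}
```

parse_result() is the function to call from a main(): the good sample yields 20, the spoofed nonce.size and a response truncated to 30 bytes both yield -1, and the 10-byte error response yields -2 without the parser ever looking past the header. In firmware the cursor would be driven by RecvBufferSize rather than a caller-supplied length, and the DEBUG message Jiewen asks for belongs at each point where the parser returns -1.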

Re: [edk2] [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

2018-03-20 Thread Zhang, Chao B
Thanks Qin, I will add more comments to explain the magic code

-Original Message-
From: Long, Qin 
Sent: Wednesday, March 21, 2018 10:58 AM
To: Zhang, Chao B <chao.b.zh...@intel.com>; edk2-devel@lists.01.org
Cc: Yao, Jiewen <jiewen@intel.com>
Subject: RE: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory 
overflow

Hi, Chao,

One minor suggestion to add the comment to explain the following value "8": the 
number of digests in list is not greater than 8 per TPML_DIGEST definition. 
+  if (PcrValues->count > 8) {
+return EFI_DEVICE_ERROR;
+  }

Other looks good to me. 

Reviewed-by: Long Qin <qin.l...@intel.com>


Best Regards & Thanks,
LONG, Qin

-----Original Message-
From: Zhang, Chao B
Sent: Tuesday, March 20, 2018 4:36 PM
To: edk2-devel@lists.01.org
Cc: Long, Qin <qin.l...@intel.com>; Yao, Jiewen <jiewen@intel.com>; Zhang, 
Chao B <chao.b.zh...@intel.com>
Subject: [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

TPM2.0 command lib always assumes the TPM device and transmission channel can 
respond correctly. But that is not true when the communication channel is exploited 
and wrong data is spoofed. Add more logic to prohibit memory overflow attacks.

Cc: Long Qin <qin.l...@intel.com>
Cc: Yao Jiewen <jiewen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zh...@intel.com>
Signed-off-by: Zhang, Chao B <chao.b.zh...@intel.com>
---
 .../Library/Tpm2CommandLib/Tpm2Capability.c        | 21 ++-
 .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c     | 16 ++-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++---
 SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 --
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c    | 31 +-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c   |  6 -
 7 files changed, 107 insertions(+), 10 deletions(-)

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c 
b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
index 79e80fb7a9..42afe107a6 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
@@ -1,9 +1,9 @@
 /** @file
   Implement TPM2 Capability related command.
 
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. 
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. 
 This program and the accompanying materials  are licensed and made available 
under the terms and conditions of the BSD License  which accompanies this 
distribution.  The full text of the license may be found at  
http://opensource.org/licenses/bsd-license.php
 
@@ -110,10 +110,18 @@ Tpm2GetCapability (
 
   if (RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) {
 return EFI_DEVICE_ERROR;
   }
 
+  //
+  // Fail if command failed
+  //
+  if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {
+DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error! 0x%08x\r\n", 
SwapBytes32(RecvBuffer.Header.responseCode)));
+return EFI_DEVICE_ERROR;
+  }
+
   //
   // Return the response
   //
   *MoreData = RecvBuffer.MoreData;
   //
@@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg (
   }
   
   CopyMem (AlgList, , sizeof (TPML_ALG_PROPERTY));
 
   AlgList->count = SwapBytes32 (AlgList->count);
+  if (AlgList->count > MAX_CAP_ALGS) {
+return EFI_DEVICE_ERROR;
+  }
+
   for (Index = 0; Index < AlgList->count; Index++) {
 AlgList->algProperties[Index].alg = SwapBytes16 
(AlgList->algProperties[Index].alg);
 WriteUnaligned32 ((UINT32 *)>algProperties[Index].algProperties, 
SwapBytes32 (ReadUnaligned32 ((UINT32 
*)>algProperties[Index].algProperties)));
   }
 
@@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs (
   if (EFI_ERROR (Status)) {
 return Status;
   }
 
   Pcrs->count = SwapBytes32 (TpmCap.data.assignedPCR.count);
+  if (Pcrs->count > HASH_COUNT) {
+return EFI_DEVICE_ERROR;
+  }
+
   for (Index = 0; Index < Pcrs->count; Index++) {
 Pcrs->pcrSelections[Index].hash = SwapBytes16 
(TpmCap.data.assignedPCR.pcrSelections[Index].hash);
 Pcrs->pcrSelections[Index].sizeofSelect = 
TpmCap.data.assignedPCR.pcrSelections[Index].sizeofSelect;
+if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {
+  return EFI_DEVICE_ERROR;
+}
 CopyMem (Pcrs->pcrSelections[Index].pcrSelect, 
TpmCap.data.assignedPCR.pcrSelections[Index].pcrSelect, 
Pcrs->pcrSelections[Index].sizeofSelect);
   }
 
   return EFI_SUCCESS;
 }
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c 
b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
index 6f6b3693f8..3e42875b83 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Enh

[edk2] [Patch] SecurityPkg Tpm12CommandLib: Fix TPM12 GetCapability response error

2018-03-20 Thread Zhang, Chao B
TPM12 command lib doesn't convert Response Size before using it. Add logic
to fix the issue.

Cc: Long Qin <qin.l...@intel.com>
Cc: Yao Jiewen <jiewen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zh...@intel.com>
Signed-off-by: Zhang, Chao B <chao.b.zh...@intel.com>
---
 SecurityPkg/Library/Tpm12CommandLib/Tpm12GetCapability.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/SecurityPkg/Library/Tpm12CommandLib/Tpm12GetCapability.c 
b/SecurityPkg/Library/Tpm12CommandLib/Tpm12GetCapability.c
index c6eb9e1050..29d7a13edb 100644
--- a/SecurityPkg/Library/Tpm12CommandLib/Tpm12GetCapability.c
+++ b/SecurityPkg/Library/Tpm12CommandLib/Tpm12GetCapability.c
@@ -1,9 +1,9 @@
 /** @file
   Implement TPM1.2 Get Capabilities related commands.
 
-Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved. 
+Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved. 
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -83,11 +83,11 @@ Tpm12GetCapabilityFlagPermanent (
 DEBUG ((DEBUG_ERROR, "Tpm12GetCapabilityFlagPermanent: Response Code 
error! 0x%08x\r\n", SwapBytes32 (Response.Hdr.returnCode)));
 return EFI_DEVICE_ERROR;
   }
 
   ZeroMem (TpmPermanentFlags, sizeof (*TpmPermanentFlags));
-  CopyMem (TpmPermanentFlags, , MIN (sizeof 
(*TpmPermanentFlags), Response.ResponseSize));
+  CopyMem (TpmPermanentFlags, , MIN (sizeof 
(*TpmPermanentFlags), SwapBytes32(Response.ResponseSize)));
 
   return Status;
 }
 
 /**
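Review bot: the byte-swap is the right fix (ResponseSize is the big-endian length of the resp blob that follows it), but MIN() still silently accepts a response whose declared size is smaller than sizeof (*TpmPermanentFlags): the remainder stays zeroed by the ZeroMem above, and all-zero TPM_PERMANENT_FLAGS means disable = FALSE and deactivated = FALSE, so a truncated or spoofed response reads as an enabled, activated TPM. Returning EFI_DEVICE_ERROR with a DEBUG line when SwapBytes32 (Response.ResponseSize) < sizeof (*TpmPermanentFlags) would fail closed instead.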
@@ -129,9 +129,9 @@ Tpm12GetCapabilityFlagVolatile (
 DEBUG ((DEBUG_ERROR, "Tpm12GetCapabilityFlagVolatile: Response Code error! 
0x%08x\r\n", SwapBytes32 (Response.Hdr.returnCode)));
 return EFI_DEVICE_ERROR;
   }
 
   ZeroMem (VolatileFlags, sizeof (*VolatileFlags));
-  CopyMem (VolatileFlags, , MIN (sizeof (*VolatileFlags), 
Response.ResponseSize));
+  CopyMem (VolatileFlags, , MIN (sizeof (*VolatileFlags), 
SwapBytes32(Response.ResponseSize)));
 
   return Status;
 }
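Review bot: same point as the permanent-flags hunk: a ResponseSize smaller than sizeof (*VolatileFlags) is silently padded with zeros by the ZeroMem above; compare the swapped size against the structure size and fail with EFI_DEVICE_ERROR rather than truncating.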
-- 
2.16.2.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


[edk2] [Patch] SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow

2018-03-20 Thread Zhang, Chao B
TPM2.0 command lib always assumes the TPM device and transmission channel can
respond correctly. But that is not true when the communication channel is exploited
and wrong data is spoofed. Add more logic to prohibit memory overflow attacks.

Cc: Long Qin <qin.l...@intel.com>
Cc: Yao Jiewen <jiewen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zh...@intel.com>
Signed-off-by: Zhang, Chao B <chao.b.zh...@intel.com>
---
 .../Library/Tpm2CommandLib/Tpm2Capability.c        | 21 ++-
 .../Tpm2CommandLib/Tpm2EnhancedAuthorization.c     | 16 ++-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Integrity.c | 19 ++---
 SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 14 --
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Object.c    | 31 +-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Sequences.c | 10 ++-
 SecurityPkg/Library/Tpm2CommandLib/Tpm2Session.c   |  6 -
 7 files changed, 107 insertions(+), 10 deletions(-)

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c 
b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
index 79e80fb7a9..42afe107a6 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Capability.c
@@ -1,9 +1,9 @@
 /** @file
   Implement TPM2 Capability related command.
 
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. 
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. 
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -110,10 +110,18 @@ Tpm2GetCapability (
 
   if (RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8)) {
 return EFI_DEVICE_ERROR;
   }
 
+  //
+  // Fail if command failed
+  //
+  if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {
+DEBUG ((EFI_D_ERROR, "Tpm2GetCapability: Response Code error! 0x%08x\r\n", 
SwapBytes32(RecvBuffer.Header.responseCode)));
+return EFI_DEVICE_ERROR;
+  }
+
   //
   // Return the response
   //
   *MoreData = RecvBuffer.MoreData;
   //
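Review bot: the new responseCode check cannot fire for a genuine TPM error response. An error response is a bare 10-byte header (paramSize == sizeof (TPM2_RESPONSE_HEADER)), and the preceding `if (RecvBufferSize <= sizeof (TPM2_RESPONSE_HEADER) + sizeof (UINT8))` already rejects it with EFI_DEVICE_ERROR and no message. Move the responseCode test above that size check, guarded by RecvBufferSize >= sizeof (TPM2_RESPONSE_HEADER), so the logged code is the one the TPM actually returned; as written the DEBUG line only appears for a response that is both larger than a header and flagged as an error.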
@@ -327,10 +335,14 @@ Tpm2GetCapabilitySupportedAlg (
   }
   
   CopyMem (AlgList, , sizeof (TPML_ALG_PROPERTY));
 
   AlgList->count = SwapBytes32 (AlgList->count);
+  if (AlgList->count > MAX_CAP_ALGS) {
+return EFI_DEVICE_ERROR; 
+  }
+
   for (Index = 0; Index < AlgList->count; Index++) {
 AlgList->algProperties[Index].alg = SwapBytes16 
(AlgList->algProperties[Index].alg);
 WriteUnaligned32 ((UINT32 *)>algProperties[Index].algProperties, 
SwapBytes32 (ReadUnaligned32 ((UINT32 
*)>algProperties[Index].algProperties)));
   }
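Review bot: the `AlgList->count > MAX_CAP_ALGS` check returns without a DEBUG message, unlike the responseCode check in the previous hunk; add one that prints the offending count, as requested in the thread. The count is also validated after it has been stored into the caller's AlgList, so a caller that ignores the return value is left holding an out-of-range count; swap into a local, check it, and only then store it. The `return EFI_DEVICE_ERROR; ` line carries trailing whitespace.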
 
@@ -474,13 +486,20 @@ Tpm2GetCapabilityPcrs (
   if (EFI_ERROR (Status)) {
 return Status;
   }
 
   Pcrs->count = SwapBytes32 (TpmCap.data.assignedPCR.count);
+  if (Pcrs->count > HASH_COUNT) {
+return EFI_DEVICE_ERROR;
+  }
+
   for (Index = 0; Index < Pcrs->count; Index++) {
 Pcrs->pcrSelections[Index].hash = SwapBytes16 
(TpmCap.data.assignedPCR.pcrSelections[Index].hash);
 Pcrs->pcrSelections[Index].sizeofSelect = 
TpmCap.data.assignedPCR.pcrSelections[Index].sizeofSelect;
+if (Pcrs->pcrSelections[Index].sizeofSelect > PCR_SELECT_MAX) {
+  return EFI_DEVICE_ERROR;
+}
 CopyMem (Pcrs->pcrSelections[Index].pcrSelect, 
TpmCap.data.assignedPCR.pcrSelections[Index].pcrSelect, 
Pcrs->pcrSelections[Index].sizeofSelect);
   }
 
   return EFI_SUCCESS;
 }
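Review bot: `Pcrs->count` is validated after it has been written into the caller's structure, and `sizeofSelect` is checked inside the loop after `hash` has already been stored, so on failure Pcrs is left partially filled with TPM-supplied values. Validate the swapped count and each sizeofSelect before storing them (or clear Pcrs on the error path), and give both checks a DEBUG message so a spoofed response shows up in the log.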
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c 
b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
index 6f6b3693f8..3e42875b83 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2EnhancedAuthorization.c
@@ -1,9 +1,9 @@
 /** @file
   Implement TPM2 EnhancedAuthorization related command.
 
-Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved. 
+Copyright (c) 2014 - 2018, Intel Corporation. All rights reserved. 
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD 
License
 which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -178,19 +178,29 @@ Tpm2PolicySecret (
   //
   // Return the response
   //
   Buffer = (UINT8 *)
   Timeout->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
+  if (Timeout->size > sizeof(UINT64)) {
+Status = EFI_DEVICE_ERROR;
+goto Done;
+  }
+
   Buffer += sizeof(UINT16);
   CopyMem (Timeout->buffer, Buffer, Timeout->size);
 
   PolicyTicket->tag = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));
   Buffer += sizeof(UINT16);
   P
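Review bot: bounding Timeout->size by sizeof (UINT64) protects the TPM2B_TIMEOUT destination, but nothing in this hunk bounds the reads themselves: `Timeout->size`, the `Timeout->size` bytes copied from Buffer, and the following `PolicyTicket->tag` are all read without comparing the consumed offset against RecvBufferSize, so a short response still over-reads RecvBuffer. Track the remaining byte count and check it before each read, as the Tpm2PcrRead and Tpm2NvReadPublic checks quoted in the thread do, and add a DEBUG message on the new error path.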

Re: [edk2] [PATCH 00/15] Remove TrEE*

2018-03-15 Thread Zhang, Chao B
Series reviewed-by: Chao Zhang <chao.b.zh...@intel.com>

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Zhang, 
Chao B
Sent: Thursday, March 15, 2018 3:35 PM
To: edk2-devel@lists.01.org
Cc: Yao, Jiewen <jiewen@intel.com>
Subject: [edk2] [PATCH 00/15] Remove TrEE*

From: Jiewen Yao <jiewen@intel.com>

TrEE is deprecated and not maintained any more.
We need to use Tcg2.

*** BLURB HERE ***

Jiewen Yao (15):
  ShellPkg/UefiHandleParsingLib: remove TrEE reference.
  QuarkPlatformPkg: remove TrEE reference.
  Vlv2TbltDevicePkg/Tcg2PhysicalPresenceLib: use Tcg2 instead of TrEE.
  Vlv2TbltDevicePkg/Bds: use Tcg2 instead of TrEE.
  Vlv2TbltDevicePkg/dsc/fdf: use Tcg2 instead of TrEE.
  SecurityPkg/dsc: remove TrEE.
  SecurityPkg/TrEESmm: remove TrEE.
  SecurityPkg/TrEEDxe: remove TrEE.
  SecurityPkg/TrEEPei: remove TrEE.
  SecurityPkg/TrEEConfig: remove TrEE.
  SecurityPkg/Tpm2DeviceLibTrEE: remove TrEE.
  SecurityPkg/TrEEPhysicalPresenceLib: remove TrEE.
  SecurityPkg/TrEEVendorLib: remove TrEE.
  SecurityPkg/include: remove TrEE.
  SecurityPkg/dec: remove TrEE.

 QuarkPlatformPkg/Quark.dsc                                                     |    2 +-
 QuarkPlatformPkg/Quark.fdf                                                     |    2 +-
 SecurityPkg/Include/Guid/TrEEConfigHii.h                                       |   25 -
 SecurityPkg/Include/Guid/TrEEPhysicalPresenceData.h                            |   67 -
 SecurityPkg/Include/Library/TrEEPhysicalPresenceLib.h                          |   57 -
 SecurityPkg/Include/Library/TrEEPpVendorLib.h                                  |  164 --
 SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.c    |  743
 SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.inf  |   69 -
 SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.uni  |   27 -
 SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/PhysicalPresenceStrings.uni     |   29 -
 SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.c                      |  125 --
 SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.inf                    |   46 -
 SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.uni                    |   22 -
 SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.c                  |  131 --
 SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.inf                |   37 -
 SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.uni                |   18 -
 SecurityPkg/SecurityPkg.dec                                                    |   18 +-
 SecurityPkg/SecurityPkg.dsc                                                    |   44 +-
 SecurityPkg/Tcg/TrEEConfig/TpmDetection.c                                      |  105 --
 SecurityPkg/Tcg/TrEEConfig/TrEEConfig.vfr                                      |   68 -
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigDriver.c                                  |  216 ---
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigDxe.inf

[edk2] [PATCH 12/15] SecurityPkg/TrEEPhysicalPresenceLib: remove TrEE.

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated. We need to use Tcg2.

Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.c   | 743
 SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.inf |  69 --
 SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.uni |  27 -
 SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/PhysicalPresenceStrings.uni    |  29 -
 4 files changed, 868 deletions(-)

diff --git 
a/SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.c 
b/SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.c
deleted file mode 100644
index 31b02d907a..00
--- 
a/SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.c
+++ /dev/null
@@ -1,743 +0,0 @@
-/** @file
-  Execute pending TPM2 requests from OS or BIOS.
-
-  Caution: This module requires additional review when modified.
-  This driver will have external input - variable.
-  This external input must be validated carefully to avoid security issue.
-
-  TrEEExecutePendingTpmRequest() will receive untrusted input and do 
validation.
-
-Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved.
-This program and the accompanying materials 
-are licensed and made available under the terms and conditions of the BSD 
License 
-which accompanies this distribution.  The full text of the license may be 
found at 
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include 
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#define CONFIRM_BUFFER_SIZE 4096
-
-EFI_HII_HANDLE mTrEEPpStringPackHandle;
-
-/**
-  Get string by string id from HII Interface.
-
-  @param[in] Id  String ID.
-
-  @retvalCHAR16 *String from ID.
-  @retvalNULLIf error occurs.
-
-**/
-CHAR16 *
-TrEEPhysicalPresenceGetStringById (
-  IN  EFI_STRING_ID   Id
-  )
-{
-  return HiiGetString (mTrEEPpStringPackHandle, Id, NULL);
-}
-
-/**
-  Send ClearControl and Clear command to TPM.
-
-  @param[in]  PlatformAuth  platform auth value. NULL means no platform 
auth change.
-
-  @retval EFI_SUCCESS   Operation completed successfully.
-  @retval EFI_TIMEOUT   The register can't run into the expected 
status in time.
-  @retval EFI_BUFFER_TOO_SMALL  Response data buffer is too small.
-  @retval EFI_DEVICE_ERROR  Unexpected device behavior.
-
-**/
-EFI_STATUS
-EFIAPI
-TpmCommandClear (
-  IN TPM2B_AUTH*PlatformAuth  OPTIONAL
-  )
-{
-  EFI_STATUSStatus;
-  TPMS_AUTH_COMMAND *AuthSession;
-  TPMS_AUTH_COMMAND LocalAuthSession;
-
-  if (PlatformAuth == NULL) {
-AuthSession = NULL;
-  } else {
-AuthSession = 
-ZeroMem (, sizeof(LocalAuthSession));
-LocalAuthSession.sessionHandle = TPM_RS_PW;
-LocalAuthSession.hmac.size = PlatformAuth->size;
-CopyMem (LocalAuthSession.hmac.buffer, PlatformAuth->buffer, 
PlatformAuth->size);
-  }
-
-  DEBUG ((EFI_D_INFO, "Tpm2ClearControl ... \n"));
-  Status = Tpm2ClearControl (TPM_RH_PLATFORM, AuthSession, NO);
-  DEBUG ((EFI_D_INFO, "Tpm2ClearControl - %r\n", Status));
-  if (EFI_ERROR (Status)) {
-goto Done;
-  }
-  DEBUG ((EFI_D_INFO, "Tpm2Clear ... \n"));
-  Status = Tpm2Clear (TPM_RH_PLATFORM, AuthSession);
-  DEBUG ((EFI_D_INFO, "Tpm2Clear - %r\n", Status));
-
-Done:
-  ZeroMem (, sizeof(LocalAuthSession.hmac));
-  return Status;
-}
-
-/**
-  Execute physical presence operation requested by the OS.
-
-  @param[in]  PlatformAuthplatform auth value. NULL means no 
platform auth change.
-  @param[in]  CommandCode Physical presence operation value.
-  @param[in, out] PpiFlagsThe physical presence interface flags.
-  
-  @retval TREE_PP_OPERATION_RESPONSE_BIOS_FAILURE  Unknown physical presence 
operation.
-  @retval TREE_PP_OPERATION_RESPONSE_BIOS_FAILURE  Error occurred during 
sending command to TPM or 
-   receiving response from TPM.
-  @retval Others   Return code from the TPM 
device after command execution.
-**/
-UINT32
-TrEEExecutePhysicalPresence (
-  IN  TPM2B_AUTH   *PlatformAuth,  OPTIONAL
-  IN  UINT32   CommandCode,
-  IN OUT  EFI_TREE_PHYSICAL_PRESENCE_FLAGS *PpiFlags
-  )
-{
-  EFI_STATUS  Status;
-
-  switch (CommandCode) {
-case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR:
-case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_2:
-case 

[edk2] [PATCH 11/15] SecurityPkg/Tpm2DeviceLibTrEE: remove TrEE.

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated. We need to use Tcg2.

Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.c   | 125
 SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.inf |  46 ---
 SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.uni |  22 
 3 files changed, 193 deletions(-)

diff --git a/SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.c 
b/SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.c
deleted file mode 100644
index dc7b270705..00
--- a/SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/** @file
-  This library is TPM2 TREE protocol lib.
-
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved. 
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD 
License
-which accompanies this distribution.  The full text of the license may be 
found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-EFI_TREE_PROTOCOL  *mTreeProtocol = NULL; 
-
-/**
-  This service enables the sending of commands to the TPM2.
-
-  @param[in]  InputParameterBlockSize  Size of the TPM2 input parameter 
block.
-  @param[in]  InputParameterBlock  Pointer to the TPM2 input parameter 
block.
-  @param[in,out]  OutputParameterBlockSize Size of the TPM2 output parameter 
block.
-  @param[in]  OutputParameterBlock Pointer to the TPM2 output 
parameter block.
-
-  @retval EFI_SUCCESSThe command byte stream was successfully sent 
to the device and a response was successfully received.
-  @retval EFI_DEVICE_ERROR   The command was not successfully sent to the 
device or a response was not successfully received from the device.
-  @retval EFI_BUFFER_TOO_SMALL   The output parameter block is too small. 
-**/
-EFI_STATUS
-EFIAPI
-Tpm2SubmitCommand (
-  IN UINT32InputParameterBlockSize,
-  IN UINT8 *InputParameterBlock,
-  IN OUT UINT32*OutputParameterBlockSize,
-  IN UINT8 *OutputParameterBlock
-  )
-{
-  EFI_STATUSStatus;
-  TPM2_RESPONSE_HEADER  *Header;
-
-  if (mTreeProtocol == NULL) {
-Status = gBS->LocateProtocol (, NULL, (VOID **) 
);
-if (EFI_ERROR (Status)) {
-  //
-  // TrEE protocol is not installed. So, TPM2 is not present.
-  //
-  DEBUG ((EFI_D_ERROR, "Tpm2SubmitCommand - TrEE - %r\n", Status));
-  return EFI_NOT_FOUND;
-}
-  }
-  //
-  // Assume when TrEE Protocol is ready, RequestUseTpm already done.
-  //
-  Status = mTreeProtocol->SubmitCommand (
-mTreeProtocol,
-InputParameterBlockSize,
-InputParameterBlock,
-*OutputParameterBlockSize,
-OutputParameterBlock
-);
-  if (EFI_ERROR (Status)) {
-return Status;
-  }
-  Header = (TPM2_RESPONSE_HEADER *)OutputParameterBlock;
-  *OutputParameterBlockSize = SwapBytes32 (Header->paramSize);
-
-  return EFI_SUCCESS;
-}
-
-/**
-  This service requests use TPM2.
-
-  @retval EFI_SUCCESS  Get the control of TPM2 chip.
-  @retval EFI_NOT_FOUNDTPM2 not found.
-  @retval EFI_DEVICE_ERROR Unexpected device behavior.
-**/
-EFI_STATUS
-EFIAPI
-Tpm2RequestUseTpm (
-  VOID
-  )
-{
-  EFI_STATUS   Status;
-
-  if (mTreeProtocol == NULL) {
-Status = gBS->LocateProtocol (, NULL, (VOID **) 
);
-if (EFI_ERROR (Status)) {
-  //
-  // TrEE protocol is not installed. So, TPM2 is not present.
-  //
-  DEBUG ((EFI_D_ERROR, "Tpm2RequestUseTpm - TrEE - %r\n", Status));
-  return EFI_NOT_FOUND;
-}
-  }
-  //
-  // Assume when TrEE Protocol is ready, RequestUseTpm already done.
-  //
-  return EFI_SUCCESS;
-}
-
-/**
-  This service register TPM2 device.
-
-  @param Tpm2Device  TPM2 device
-
-  @retval EFI_SUCCESS  This TPM2 device is registered successfully.
-  @retval EFI_UNSUPPORTED  System does not support register this TPM2 
device.
-  @retval EFI_ALREADY_STARTED  System already register this TPM2 device.
-**/
-EFI_STATUS
-EFIAPI
-Tpm2RegisterTpm2DeviceLib (
-  IN TPM2_DEVICE_INTERFACE   *Tpm2Device
-  )
-{
-  return EFI_UNSUPPORTED;
-}
diff --git a/SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.inf 
b/SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.inf
deleted file mode 100644
index 81195e6704..00
--- a/SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.inf
+++ /dev/null
@@ -1,46 +0,0 @@
-## @file
-#  Provides function interfaces 

[edk2] [PATCH 10/15] SecurityPkg/TrEEConfig: remove TrEE.

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated. We need to use Tcg2.

Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 SecurityPkg/Tcg/TrEEConfig/TpmDetection.c | 105 --
 SecurityPkg/Tcg/TrEEConfig/TrEEConfig.vfr |  68 
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigDriver.c | 216 
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigDxe.inf  |  88 -
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigDxe.uni  |  22 --
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigDxeExtra.uni |  19 --
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigImpl.c   | 344 
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigImpl.h   | 193 ---
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigNvData.h |  76 -
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigPei.inf  |  77 -
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigPei.uni  |  23 --
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigPeiExtra.uni |  19 --
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigPeim.c   | 159 -
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigStrings.uni  |  40 ---
 14 files changed, 1449 deletions(-)

diff --git a/SecurityPkg/Tcg/TrEEConfig/TpmDetection.c 
b/SecurityPkg/Tcg/TrEEConfig/TpmDetection.c
deleted file mode 100644
index 4e675d3602..00
--- a/SecurityPkg/Tcg/TrEEConfig/TpmDetection.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/** @file
-  TPM1.2/dTPM2.0 auto detection.
-
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
-This program and the accompanying materials 
-are licensed and made available under the terms and conditions of the BSD 
License 
-which accompanies this distribution.  The full text of the license may be 
found at 
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-
-#include 
-#include 
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#include "TrEEConfigNvData.h"
-
-/**
-  This routine check both SetupVariable and real TPM device, and return final 
TpmDevice configuration.
-
-  @param  SetupTpmDevice  TpmDevice configuration in setup driver
-
-  @return TpmDevice configuration
-**/
-UINT8
-DetectTpmDevice (
-  IN UINT8 SetupTpmDevice
-  )
-{
-  EFI_STATUSStatus;
-  EFI_BOOT_MODE BootMode;
-  TREE_DEVICE_DETECTION TrEEDeviceDetection;
-  EFI_PEI_READ_ONLY_VARIABLE2_PPI   *VariablePpi;
-  UINTN Size;
-
-  Status = PeiServicesGetBootMode ();
-  ASSERT_EFI_ERROR (Status);
-
-  //
-  // In S3, we rely on normal boot Detection, because we save to ReadOnly 
Variable in normal boot.
-  //
-  if (BootMode == BOOT_ON_S3_RESUME) {
-DEBUG ((EFI_D_INFO, "DetectTpmDevice: S3 mode\n"));
-
-Status = PeiServicesLocatePpi (, 0, NULL, 
(VOID **) );
-ASSERT_EFI_ERROR (Status);
-
-Size = sizeof(TREE_DEVICE_DETECTION);
-ZeroMem (, sizeof(TrEEDeviceDetection));
-Status = VariablePpi->GetVariable (
-VariablePpi,
-TREE_DEVICE_DETECTION_NAME,
-,
-NULL,
-,
-
-);
-if (!EFI_ERROR (Status) &&
-(TrEEDeviceDetection.TpmDeviceDetected >= TPM_DEVICE_MIN) &&
-(TrEEDeviceDetection.TpmDeviceDetected <= TPM_DEVICE_MAX)) {
-  DEBUG ((EFI_D_ERROR, "TpmDevice from DeviceDetection: %x\n", 
TrEEDeviceDetection.TpmDeviceDetected));
-  return TrEEDeviceDetection.TpmDeviceDetected;
-}
-  }
-
-  DEBUG ((EFI_D_INFO, "DetectTpmDevice:\n"));
-
-  // dTPM available and not disabled by setup
-  // We need check if it is TPM1.2 or TPM2.0
-  // So try TPM1.2 command at first
-
-  Status = Tpm12RequestUseTpm ();
-  if (EFI_ERROR (Status)) {
-//
-// dTPM not available
-//
-return TPM_DEVICE_NULL;
-  }
-
-  if (BootMode == BOOT_ON_S3_RESUME) {
-Status = Tpm12Startup (TPM_ST_STATE);
-  } else {
-Status = Tpm12Startup (TPM_ST_CLEAR);
-  }
-  if (EFI_ERROR (Status)) {
-return TPM_DEVICE_2_0_DTPM;
-  }
-
-  // NO initialization needed again.
-  Status = PcdSet8S (PcdTpmInitializationPolicy, 0);
-  ASSERT_EFI_ERROR (Status);
-  return TPM_DEVICE_1_2;
-}
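Review bot: no migration guidance accompanies this deletion. The S3 branch at the top of DetectTpmDevice relies on a TREE_DEVICE_DETECTION record (TREE_DEVICE_DETECTION_NAME, from TrEEConfigNvData.h, which this same patch removes) that was saved during a normal boot; a platform moving to the Tcg2 config driver has no such record on its first S3 resume after the switch and falls through to the live Tpm12RequestUseTpm/Tpm12Startup probe. A sentence in the commit message stating how the Tcg2 replacement handles this (its own detection variable, an expected full normal boot after migrating) would save platform maintainers a surprise.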
diff --git a/SecurityPkg/Tcg/TrEEConfig/TrEEConfig.vfr 
b/SecurityPkg/Tcg/TrEEConfig/TrEEConfig.vfr
deleted file mode 100644
index 84b55a9f15..00
--- a/SecurityPkg/Tcg/TrEEConfig/TrEEConfig.vfr
+++ /dev/null
@@ -1,68 +0,0 @@
-/** @file
-  VFR file used by the TREE configuration component.
-
-Copyright (c) 2013, Intel Corporation. All rights reserved.
-This program and the accompanying materials 
-are licensed and made available under the terms and conditions of the BSD 
License 
-which accompanies this distribution.  The full text of the license may be 
found 

[edk2] [PATCH 09/15] SecurityPkg/TrEEPei: remove TrEE.

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated. We need to use Tcg2.

Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 SecurityPkg/Tcg/TrEEPei/TrEEPei.c| 690 
 SecurityPkg/Tcg/TrEEPei/TrEEPei.inf  |  86 ---
 SecurityPkg/Tcg/TrEEPei/TrEEPei.uni  |  21 -
 SecurityPkg/Tcg/TrEEPei/TrEEPeiExtra.uni |  19 -
 4 files changed, 816 deletions(-)

diff --git a/SecurityPkg/Tcg/TrEEPei/TrEEPei.c 
b/SecurityPkg/Tcg/TrEEPei/TrEEPei.c
deleted file mode 100644
index b561245790..00
--- a/SecurityPkg/Tcg/TrEEPei/TrEEPei.c
+++ /dev/null
@@ -1,690 +0,0 @@
-/** @file
-  Initialize TPM2 device and measure FVs before handing off control to DXE.
-
-Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.
-This program and the accompanying materials 
-are licensed and made available under the terms and conditions of the BSD 
License 
-which accompanies this distribution.  The full text of the license may be 
found at 
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include 
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#include 
-#include 
-#include 
-
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-
-#define PERF_ID_TREE_PEI  0x3080
-
-typedef struct {
-  EFI_GUID   *EventGuid;
-  TREE_EVENT_LOG_FORMAT  LogFormat;
-} TREE_EVENT_INFO_STRUCT;
-
-TREE_EVENT_INFO_STRUCT mTreeEventInfo[] = {
-  {, TREE_EVENT_LOG_FORMAT_TCG_1_2},
-};
-
-BOOLEAN mImageInMemory  = FALSE;
-EFI_PEI_FILE_HANDLE mFileHandle;
-
-EFI_PEI_PPI_DESCRIPTOR  mTpmInitializedPpiList = {
-  EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
-  ,
-  NULL
-};
-
-EFI_PEI_PPI_DESCRIPTOR  mTpmInitializationDonePpiList = {
-  EFI_PEI_PPI_DESCRIPTOR_PPI | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST,
-  ,
-  NULL
-};
-
-EFI_PLATFORM_FIRMWARE_BLOB *mMeasuredBaseFvInfo;
-UINT32 mMeasuredBaseFvIndex = 0;
-
-EFI_PLATFORM_FIRMWARE_BLOB *mMeasuredChildFvInfo;
-UINT32 mMeasuredChildFvIndex = 0;
-
-/**
-  Measure and record the Firmware Volum Information once FvInfoPPI install.
-
-  @param[in] PeiServices   An indirect pointer to the EFI_PEI_SERVICES 
table published by the PEI Foundation.
-  @param[in] NotifyDescriptor  Address of the notification descriptor data 
structure.
-  @param[in] Ppi   Address of the PPI that was installed.
-
-  @retval EFI_SUCCESS  The FV Info is measured and recorded to TPM.
-  @return Others   Fail to measure FV.
-
-**/
-EFI_STATUS
-EFIAPI
-FirmwareVolmeInfoPpiNotifyCallback (
-  IN EFI_PEI_SERVICES  **PeiServices,
-  IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor,
-  IN VOID  *Ppi
-  );
-
-/**
-  Record all measured Firmware Volum Information into a Guid Hob
-
-  @param[in] PeiServices   An indirect pointer to the EFI_PEI_SERVICES 
table published by the PEI Foundation.
-  @param[in] NotifyDescriptor  Address of the notification descriptor data 
structure.
-  @param[in] Ppi   Address of the PPI that was installed.
-
-  @retval EFI_SUCCESS  The FV Info is measured and recorded to TPM.
-  @return Others   Fail to measure FV.
-
-**/
-EFI_STATUS
-EFIAPI
-EndofPeiSignalNotifyCallBack (
-  IN EFI_PEI_SERVICES  **PeiServices,
-  IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor,
-  IN VOID  *Ppi
-  );
-
-EFI_PEI_NOTIFY_DESCRIPTOR   mNotifyList[] = {
-  {
-EFI_PEI_PPI_DESCRIPTOR_NOTIFY_CALLBACK,
-,
-FirmwareVolmeInfoPpiNotifyCallback 
-  },
-  {
-EFI_PEI_PPI_DESCRIPTOR_NOTIFY_CALLBACK,
-,
-FirmwareVolmeInfoPpiNotifyCallback 
-  },
-  {
-(EFI_PEI_PPI_DESCRIPTOR_NOTIFY_CALLBACK | 
EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST),
-,
-EndofPeiSignalNotifyCallBack
-  }
-};
-
-EFI_PEI_FIRMWARE_VOLUME_INFO_MEASUREMENT_EXCLUDED_PPI 
*mMeasurementExcludedFvPpi;
-
-/**
-  Record all measured Firmware Volum Information into a Guid Hob
-  Guid Hob payload layout is 
-
- UINT32 *** FIRMWARE_BLOB number
- EFI_PLATFORM_FIRMWARE_BLOB BLOB Array
-
-  @param[in] PeiServices   An indirect pointer to the EFI_PEI_SERVICES 
table published by the PEI Foundation.
-  @param[in] NotifyDescriptor  Address of the notification descriptor data 
structure.
-  @param[in] Ppi   Address of the PPI that was installed.
-
-  @retval EFI_SUCCESS  The FV Info is measured and recorded to TPM.
-  @return Others   Fail to measure FV.
-
-**/
-EFI_STATUS
-EFIAPI
-EndofPeiSignalNotifyCallBack (
-  IN EFI_PEI_SERVICES

[edk2] [PATCH 14/15] SecurityPkg/include: remove TrEE.

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated. We need to use Tcg2.

Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 SecurityPkg/Include/Guid/TrEEConfigHii.h  |  25 ---
 SecurityPkg/Include/Guid/TrEEPhysicalPresenceData.h   |  67 
 SecurityPkg/Include/Library/TrEEPhysicalPresenceLib.h |  57 ---
 SecurityPkg/Include/Library/TrEEPpVendorLib.h | 164 

 4 files changed, 313 deletions(-)

diff --git a/SecurityPkg/Include/Guid/TrEEConfigHii.h 
b/SecurityPkg/Include/Guid/TrEEConfigHii.h
deleted file mode 100644
index b5d1de746a..00
--- a/SecurityPkg/Include/Guid/TrEEConfigHii.h
+++ /dev/null
@@ -1,25 +0,0 @@
-/** @file
-  GUIDs used as HII FormSet and HII Package list GUID in TrEEConfig driver. 
-  
-Copyright (c) 2013, Intel Corporation. All rights reserved.
-This program and the accompanying materials are licensed and made available 
under 
-the terms and conditions of the BSD License that accompanies this 
distribution.  
-The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php.

-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,  
   
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef __TREE_CONFIG_HII_GUID_H__
-#define __TREE_CONFIG_HII_GUID_H__
-
-#define TREE_CONFIG_FORM_SET_GUID \
-  { \
-0xc54b425f, 0xaa79, 0x48b4, { 0x98, 0x1f, 0x99, 0x8b, 0x3c, 0x4b, 0x64, 
0x1c } \
-  }
-
-extern EFI_GUID gTrEEConfigFormSetGuid;
-
-#endif
diff --git a/SecurityPkg/Include/Guid/TrEEPhysicalPresenceData.h 
b/SecurityPkg/Include/Guid/TrEEPhysicalPresenceData.h
deleted file mode 100644
index 0e2f8d1096..00
--- a/SecurityPkg/Include/Guid/TrEEPhysicalPresenceData.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/** @file
-  Define the variable data structures used for TrEE physical presence.
-  The TPM2 request from firmware or OS is saved to variable. And it is
-  cleared after it is processed in the next boot cycle. The TPM2 response 
-  is saved to variable.
-
-Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved. 
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD 
License
-which accompanies this distribution.  The full text of the license may be 
found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef __TREE_PHYSICAL_PRESENCE_DATA_GUID_H__
-#define __TREE_PHYSICAL_PRESENCE_DATA_GUID_H__
-
-#define EFI_TREE_PHYSICAL_PRESENCE_DATA_GUID \
-  { \
-0xf24643c2, 0xc622, 0x494e, { 0x8a, 0xd, 0x46, 0x32, 0x57, 0x9c, 0x2d, 
0x5b }\
-  }
-
-#define TREE_PHYSICAL_PRESENCE_VARIABLE  L"TrEEPhysicalPresence"
-
-typedef struct {
-  UINT8   PPRequest;  ///< Physical Presence request command.
-  UINT8   LastPPRequest;
-  UINT32  PPResponse;
-} EFI_TREE_PHYSICAL_PRESENCE;
-
-//
-// The definition bit of the flags
-//
-// BIT0 is reserved
-#define TREE_FLAG_NO_PPI_CLEARBIT1
-// BIT2 is reserved
-#define TREE_FLAG_RESET_TRACK BIT3
-
-//
-// This variable is used to save TPM Management Flags and corresponding 
operations.
-// It should be protected from malicious software (e.g. Set it as read-only 
variable). 
-//
-#define TREE_PHYSICAL_PRESENCE_FLAGS_VARIABLE  L"TrEEPhysicalPresenceFlags"
-typedef struct {
-  UINT8   PPFlags;
-} EFI_TREE_PHYSICAL_PRESENCE_FLAGS;
-
-//
-// The definition of physical presence operation actions
-//
-#define TREE_PHYSICAL_PRESENCE_NO_ACTION   0
-#define TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR 5
-#define TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_2   14
-#define TREE_PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_FALSE  17
-#define TREE_PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_TRUE   18
-#define TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_3   21
-#define TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_4   22
-
-#define TREE_PHYSICAL_PRESENCE_NO_ACTION_MAX   22
-
-extern EFI_GUID  gEfiTrEEPhysicalPresenceGuid;
-
-#endif
-
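Review bot: removing this header also removes the only definitions of the L"TrEEPhysicalPresence" and L"TrEEPhysicalPresenceFlags" variable names, but the variables themselves can still exist in the NV store of any platform that previously booted the TrEE stack. The comment above TREE_PHYSICAL_PRESENCE_FLAGS_VARIABLE says that variable must be protected from malicious software (e.g. set read-only); once no driver locks it, a stale copy is left writable and unused. The commit message should say whether the Tcg2 path ignores these names entirely, and a note for platform owners to delete the stale variables on migration would be worthwhile.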
diff --git a/SecurityPkg/Include/Library/TrEEPhysicalPresenceLib.h 
b/SecurityPkg/Include/Library/TrEEPhysicalPresenceLib.h
deleted file mode 100644
index ba809b9cf9..00
--- a/SecurityPkg/Include/Library/TrEEPhysicalPresenceLib.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/** @file
-  This library is intended to be used by BDS modules.
-  This library will execute TPM2 request.
-
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.
-This program and the accompanying materials 
-are licensed and made available under the 

[edk2] [PATCH 13/15] SecurityPkg/TrEEVendorLib: remove TrEE.

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated. We need to use Tcg2.

Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.c   | 131 

 SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.inf |  37 --
 SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.uni |  18 ---
 3 files changed, 186 deletions(-)

diff --git a/SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.c 
b/SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.c
deleted file mode 100644
index efd477ad19..00
--- a/SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/** @file
-  NULL TrEE PP Vendor library instance that does not support any vendor 
specific PPI.
-
-Copyright (c) 2015, Intel Corporation. All rights reserved.
-This program and the accompanying materials 
-are licensed and made available under the terms and conditions of the BSD 
License 
-which accompanies this distribution.  The full text of the license may be 
found at 
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include 
-#include 
-
-/**
-  Check and execute the requested physical presence command.
-
-  This API should be invoked in BIOS boot phase to process pending request.
-  
-  Caution: This function may receive untrusted input.
-  
-  If OperationRequest < 128, then ASSERT().
-
-  @param[in]  PlatformAuth platform auth value. NULL means no platform 
auth change.
-  @param[in]  OperationRequest TPM physical presence operation request.
-  @param[in, out] ManagementFlags  BIOS TPM Management Flags.
-  @param[out] ResetRequiredIf reset is required to vendor settings in 
effect.
-   True, it indicates the reset is required.
-   False, it indicates the reset is not 
required.
-
-  @return TPM Operation Response to OS Environment.
-**/
-UINT32
-EFIAPI
-TrEEPpVendorLibExecutePendingRequest (
-  IN TPM2B_AUTH *PlatformAuth,  OPTIONAL
-  IN UINT32 OperationRequest,
-  IN OUT UINT32 *ManagementFlags,
-  OUT BOOLEAN   *ResetRequired
-  )
-{
-  ASSERT (OperationRequest >= 
TREE_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION);
-  return TREE_PP_OPERATION_RESPONSE_BIOS_FAILURE;
-}
-
-/**
-  Check if there is a valid physical presence command request.
-
-  This API should be invoked in BIOS boot phase to process pending request.
-  
-  Caution: This function may receive untrusted input.
-
-  If OperationRequest < 128, then ASSERT().
-
-  @param[in]  OperationRequest TPM physical presence operation request.
-  @param[in]  ManagementFlags  BIOS TPM Management Flags.
-  @param[out] RequestConfirmed If the physical presence operation command 
required user confirm from UI.
-   True, it indicates the command doesn't 
require user confirm.
-   False, it indicates the command need user 
confirm from UI.
-
-  @retval  TRUEPhysical Presence operation command is valid.
-  @retval  FALSE   Physical Presence operation command is invalid.
-**/
-BOOLEAN
-EFIAPI
-TrEEPpVendorLibHasValidRequest (
-  IN UINT32 OperationRequest,
-  IN UINT32 ManagementFlags,
-  OUT BOOLEAN   *RequestConfirmed
-  )
-{
-  ASSERT (OperationRequest >= 
TREE_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION);
-  return FALSE;
-}
-
-/**
-  The callback for TPM vendor specific physical presence which is called for
-  Submit TPM Operation Request to Pre-OS Environment and
-  Submit TPM Operation Request to Pre-OS Environment 2.
-
-  This API should be invoked in OS runtime phase to interface with ACPI method.
-
-  Caution: This function may receive untrusted input.
-  
-  If OperationRequest < 128, then ASSERT().
-
-  @param[in]  OperationRequest TPM physical presence operation request.
-  @param[in]  ManagementFlags  BIOS TPM Management Flags.
-
-  @return Return Code for Submit TPM Operation Request to Pre-OS Environment 
and
-  Submit TPM Operation Request to Pre-OS Environment 2.
-**/
-UINT32
-EFIAPI
-TrEEPpVendorLibSubmitRequestToPreOSFunction (
-  IN UINT32 OperationRequest,
-  IN UINT32 ManagementFlags
-  )
-{
-  ASSERT (OperationRequest >= 
TREE_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION);
-  return TREE_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED;
-}
-
-/**
-  The callback for TPM vendor specific physical presence which is called for
-  Get User Confirmation Status for Operation.
-
-  This API should be invoked in OS runtime phase to interface with ACPI method.
-
-  Caution: This 

[edk2] [PATCH 06/15] SecurityPkg/dsc: remove TrEE.

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated. We need to use Tcg2.

Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 SecurityPkg/SecurityPkg.dsc | 44 +---
 1 file changed, 1 insertion(+), 43 deletions(-)

diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index ed47fb2fa0..9f1a91e5a9 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -60,10 +60,8 @@
   Tpm12CommandLib|SecurityPkg/Library/Tpm12CommandLib/Tpm12CommandLib.inf
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
   
Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
-  
TrEEPhysicalPresenceLib|SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.inf
   TcgPpVendorLib|SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf
   
Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
-  
TrEEPpVendorLib|SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.inf
   RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
   PciLib|MdePkg/Library/BasePciLibPciExpress/BasePciLibPciExpress.inf
   PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.inf
@@ -177,20 +175,12 @@
   SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
   SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
   SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.inf
-  #
-  # TrEE - to be deprecated
-  #
-  SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.inf
 
   SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
   SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
 
   SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
   SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
-  #
-  # TrEE - to be deprecated
-  #
-  SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.inf
   SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
   SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
   SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
@@ -263,35 +253,6 @@
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
   }
 
-  #
-  # TrEE - to be deprecated
-  #
-  SecurityPkg/Tcg/TrEEConfig/TrEEConfigPei.inf {
-
-  
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibDTpm/Tpm12DeviceLibDTpm.inf
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2DeviceLibDTpm.inf
-  }
-  SecurityPkg/Tcg/TrEEPei/TrEEPei.inf {
-
-  
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterPei.inf
-  NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
-  NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-  NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-  }
-
-  SecurityPkg/Tcg/TrEEDxe/TrEEDxe.inf {
-
-  
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
-  NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
-  NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
-  NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
-  PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
-  }
-  SecurityPkg/Tcg/TrEEConfig/TrEEConfigDxe.inf {
-
-  Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.inf
-  }
-
   #
   # Hash2
   #
@@ -308,10 +269,7 @@
   SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
   SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf
   SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf
-  #
-  # TrEE - to be deprecated
-  #
-  SecurityPkg/Tcg/TrEESmm/TrEESmm.inf
+
   #
   # Random Number Generator
   #
-- 
2.16.2.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


[edk2] [PATCH 07/15] SecurityPkg/TrEESmm: remove TrEE.

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated. We need to use Tcg2.

Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 SecurityPkg/Tcg/TrEESmm/Tpm.asl  | 354 -
 SecurityPkg/Tcg/TrEESmm/TrEESmm.c| 521 
 SecurityPkg/Tcg/TrEESmm/TrEESmm.h| 105 
 SecurityPkg/Tcg/TrEESmm/TrEESmm.inf  |  85 
 SecurityPkg/Tcg/TrEESmm/TrEESmm.uni  |  28 --
 SecurityPkg/Tcg/TrEESmm/TrEESmmExtra.uni |  19 -
 6 files changed, 1112 deletions(-)

diff --git a/SecurityPkg/Tcg/TrEESmm/Tpm.asl b/SecurityPkg/Tcg/TrEESmm/Tpm.asl
deleted file mode 100644
index 0f6b94a23d..00
--- a/SecurityPkg/Tcg/TrEESmm/Tpm.asl
+++ /dev/null
@@ -1,354 +0,0 @@
-/** @file
-  The TPM2 definition block in ACPI table for TrEE physical presence  
-  and MemoryClear.
-
-Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved.
-This program and the accompanying materials 
-are licensed and made available under the terms and conditions of the BSD 
License 
-which accompanies this distribution.  The full text of the license may be 
found at 
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-DefinitionBlock (
-  "Tpm.aml",
-  "SSDT",
-  2,
-  "INTEL ",
-  "Tpm2Tabl",
-  0x1000
-  )
-{
-  Scope (\_SB)
-  {
-Device (TPM)
-{
-  //
-  // TREE
-  //
-  Name (_HID, "MSFT0101")
-  
-  //
-  // Readable name of this device, don't know if this way is correct yet
-  //
-  Name (_STR, Unicode ("TPM 2.0 Device"))
-
-  //
-  // Return the resource consumed by TPM device
-  //
-  Name (_CRS, ResourceTemplate () {
-Memory32Fixed (ReadWrite, 0xfed4, 0x5000)
-  })
-
-  //
-  // Operational region for Smi port access
-  //
-  OperationRegion (SMIP, SystemIO, 0xB2, 1)
-  Field (SMIP, ByteAcc, NoLock, Preserve)
-  { 
-  IOB2, 8
-  }
-
-  //
-  // Operational region for TPM access
-  //
-  OperationRegion (TPMR, SystemMemory, 0xfed4, 0x5000)
-  Field (TPMR, AnyAcc, NoLock, Preserve)
-  {
-ACC0, 8,
-  }
-
-  //
-  // Operational region for TPM support, TPM Physical Presence and TPM 
Memory Clear
-  // Region Offset 0x and Length 0xF0 will be fixed in C code.
-  //
-  OperationRegion (TNVS, SystemMemory, 0x, 0xF0)
-  Field (TNVS, AnyAcc, NoLock, Preserve)
-  {
-PPIN,   8,  //   Software SMI for Physical Presence Interface
-PPIP,   32, //   Used for save physical presence paramter
-PPRP,   32, //   Physical Presence request operation response
-PPRQ,   32, //   Physical Presence request operation
-LPPR,   32, //   Last Physical Presence request operation
-FRET,   32, //   Physical Presence function return code
-MCIN,   8,  //   Software SMI for Memory Clear Interface
-MCIP,   32, //   Used for save the Mor paramter
-MORD,   32, //   Memory Overwrite Request Data
-MRET,   32  //   Memory Overwrite function return code
-  }
-
-  Method (PTS, 1, Serialized)
-  {  
-//
-// Detect Sx state for MOR, only S4, S5 need to handle
-//
-If (LAnd (LLess (Arg0, 6), LGreater (Arg0, 3)))
-{   
-  //
-  // Bit4 -- DisableAutoDetect. 0 -- Firmware MAY autodetect.
-  //
-  If (LNot (And (MORD, 0x10)))
-  {
-//
-// Triggle the SMI through ACPI _PTS method.
-//
-Store (0x02, MCIP)
-  
-//
-// Triggle the SMI interrupt
-//
-Store (MCIN, IOB2)
-  }
-}
-Return (0)
-  }   
-
-  Method (_STA, 0)
-  {
-if (LEqual (ACC0, 0xff))
-{
-Return (0)
-}
-Return (0x0f)
-  }
-
-  //
-  // TCG Hardware Information
-  //
-  Method (HINF, 3, Serialized, 0, {BuffObj, PkgObj}, {UnknownObj, 
UnknownObj, UnknownObj}) // IntObj, IntObj, PkgObj
-  {
-//
-// Switch by function index
-//
-Switch (ToInteger(Arg1))
-{
-  Case (0)
-  {
-//
-// Standard query
-//
-Return (Buffer () {0x03})
-  }
-  Case (1)
-  {
-//
-// Return failure if no TPM present
-//
-Name(TPMV, Package () {0x01, Package () {0x2, 0x0}})
-if (LEqual (_STA (), 0x00))
-{
-  Return (Package () {0x00})
-}
-
-//
-// Return TPM version
-//
-Return (TPMV)
-  }
-  Default 

[edk2] [PATCH 04/15] Vlv2TbltDevicePkg/Bds: use Tcg2 instead of TrEE.

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated. We need to use Tcg2.

Cc: David Wei 
Cc: Mang Guo 
Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c  | 6 +++---
 Vlv2TbltDevicePkg/Library/PlatformBdsLib/PlatformBdsLib.inf | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c 
b/Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c
index 7f91777ea1..e42e82b678 100644
--- a/Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c
+++ b/Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c
@@ -27,7 +27,7 @@ Abstract:
 #include "SetupMode.h"
 #include 
 #include 
-#include 
+#include 
 #include 
 #include 
 #include 
@@ -1795,7 +1795,7 @@ PlatformBdsPolicyBehavior (
 TcgPhysicalPresenceLibProcessRequest();
 #endif
 #ifdef FTPM_ENABLE
-TrEEPhysicalPresenceLibProcessRequest(NULL);
+Tcg2PhysicalPresenceLibProcessRequest(NULL);
 #endif
 
 if (EsrtManagement != NULL) {
@@ -2005,7 +2005,7 @@ FULL_CONFIGURATION:
TcgPhysicalPresenceLibProcessRequest();
#endif
#ifdef FTPM_ENABLE
-   TrEEPhysicalPresenceLibProcessRequest(NULL);
+   Tcg2PhysicalPresenceLibProcessRequest(NULL);
#endif
 
 if (EsrtManagement != NULL) {
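Review bot: both call sites (this hunk and the one above in PlatformBdsPolicyBehavior) keep Tcg2PhysicalPresenceLibProcessRequest(NULL) under `#ifdef FTPM_ENABLE`, while the PlatformBdsLib.inf hunk links Tcg2PhysicalPresenceLib unconditionally. With FTPM_ENABLE unset, a pending TPM 2.0 physical presence request is never processed in BDS even though the library is present; worth confirming that is intended for a discrete TPM 2.0 configuration, or renaming the guard so it reflects what it now controls.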
diff --git a/Vlv2TbltDevicePkg/Library/PlatformBdsLib/PlatformBdsLib.inf 
b/Vlv2TbltDevicePkg/Library/PlatformBdsLib/PlatformBdsLib.inf
index 7512556bb7..ecb3fb92c1 100644
--- a/Vlv2TbltDevicePkg/Library/PlatformBdsLib/PlatformBdsLib.inf
+++ b/Vlv2TbltDevicePkg/Library/PlatformBdsLib/PlatformBdsLib.inf
@@ -70,7 +70,7 @@
   PrintLib
   BaseCryptLib
 #  TcgPhysicalPresenceLib
-  TrEEPhysicalPresenceLib  
+  Tcg2PhysicalPresenceLib  
   FileHandleLib
   S3BootScriptLib
   SerialPortLib
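Review bot: the added line `+  Tcg2PhysicalPresenceLib  ` keeps the trailing whitespace of the line it replaces; since the line is being rewritten anyway, drop the trailing spaces. The commented-out `#  TcgPhysicalPresenceLib` above it is untouched, which is fine for this change.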
-- 
2.16.2.windows.1



[edk2] [PATCH 00/15] Remove TrEE*

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated and not maintained any more.
We need to use Tcg2.

*** BLURB HERE ***

Jiewen Yao (15):
  ShellPkg/UefiHandleParsingLib: remove TrEE reference.
  QuarkPlatformPkg: remove TrEE reference.
  Vlv2TbltDevicePkg/Tcg2PhysicalPresenceLib: use Tcg2 instead of TrEE.
  Vlv2TbltDevicePkg/Bds: use Tcg2 instead of TrEE.
  Vlv2TbltDevicePkg/dsc/fdf: use Tcg2 instead of TrEE.
  SecurityPkg/dsc: remove TrEE.
  SecurityPkg/TrEESmm: remove TrEE.
  SecurityPkg/TrEEDxe: remove TrEE.
  SecurityPkg/TrEEPei: remove TrEE.
  SecurityPkg/TrEEConfig: remove TrEE.
  SecurityPkg/Tpm2DeviceLibTrEE: remove TrEE.
  SecurityPkg/TrEEPhysicalPresenceLib: remove TrEE.
  SecurityPkg/TrEEVendorLib: remove TrEE.
  SecurityPkg/include: remove TrEE.
  SecurityPkg/dec: remove TrEE.

 QuarkPlatformPkg/Quark.dsc | 2 +-
 QuarkPlatformPkg/Quark.fdf | 2 +-
 SecurityPkg/Include/Guid/TrEEConfigHii.h | 25 -
 SecurityPkg/Include/Guid/TrEEPhysicalPresenceData.h | 67 -
 SecurityPkg/Include/Library/TrEEPhysicalPresenceLib.h | 57 -
 SecurityPkg/Include/Library/TrEEPpVendorLib.h | 164 --
 SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.c | 743
 SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.inf | 69 -
 SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.uni | 27 -
 SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/PhysicalPresenceStrings.uni | 29 -
 SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.c | 125 --
 SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.inf | 46 -
 SecurityPkg/Library/Tpm2DeviceLibTrEE/Tpm2DeviceLibTrEE.uni | 22 -
 SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.c | 131 --
 SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.inf | 37 -
 SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.uni | 18 -
 SecurityPkg/SecurityPkg.dec | 18 +-
 SecurityPkg/SecurityPkg.dsc | 44 +-
 SecurityPkg/Tcg/TrEEConfig/TpmDetection.c | 105 --
 SecurityPkg/Tcg/TrEEConfig/TrEEConfig.vfr | 68 -
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigDriver.c | 216 ---
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigDxe.inf | 88 -
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigDxe.uni | 22 -
 SecurityPkg/Tcg/TrEEConfig/TrEEConfigDxeExtra.uni
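Review bot: the cover letter still carries the `*** BLURB HERE ***` placeholder left by git format-patch; replace it with the rationale for the series (what replaces each TrEE component, and whether any platform besides Vlv2TbltDevicePkg and QuarkPlatformPkg needs updating), since the fifteen one-line commit messages say only that TrEE is deprecated.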

[edk2] [PATCH 01/15] ShellPkg/UefiHandleParsingLib: remove TrEE reference.

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated. We need to use Tcg2.

Cc: Jaben Carsey 
Cc: Ruiyu Ni 
Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.c   | 1 -
 ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.inf | 1 -
 2 files changed, 2 deletions(-)

diff --git a/ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.c 
b/ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.c
index b7b0246ac9..2d94a52108 100644
--- a/ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.c
+++ b/ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.c
@@ -2349,7 +2349,6 @@ STATIC CONST GUID_INFO_BLOCK mGuidStringList[] = {
   {STRING_TOKEN(STR_I2CEN), , 
   NULL},
   {STRING_TOKEN(STR_I2C_H), ,  
   NULL},
   {STRING_TOKEN(STR_I2C_BCM),   
,   NULL},
-  {STRING_TOKEN(STR_TREE),  , 
   NULL},
   {STRING_TOKEN(STR_TCG2),  , 
   NULL},
   {STRING_TOKEN(STR_TIMESTAMP), ,
   NULL},
   {STRING_TOKEN(STR_RNG),   ,  
   NULL},
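Review bot: the removed mGuidStringList entry was the only user of the STR_TREE string token, but nothing in this patch removes the token itself (the diffstat touches only the .c and .inf), so its definition in the library's strings file is left orphaned. Dropping STR_TREE from the .uni in the same patch keeps the string table in step with the GUID table.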
diff --git a/ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.inf 
b/ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.inf
index 06e882ac33..05b9a7b769 100644
--- a/ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.inf
+++ b/ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.inf
@@ -262,7 +262,6 @@
   gEfiI2cEnumerateProtocolGuid## UNDEFINED
   gEfiI2cHostProtocolGuid ## UNDEFINED
   gEfiI2cBusConfigurationManagementProtocolGuid   ## UNDEFINED
-  gEfiTrEEProtocolGuid## UNDEFINED
   gEfiTcg2ProtocolGuid## UNDEFINED
   gEfiTimestampProtocolGuid   ## UNDEFINED
   gEfiRngProtocolGuid ## UNDEFINED
-- 
2.16.2.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


[edk2] [PATCH 05/15] Vlv2TbltDevicePkg/dsc/fdf: use Tcg2 instead of TrEE.

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated. We need to use Tcg2.

Cc: David Wei 
Cc: Mang Guo 
Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 Vlv2TbltDevicePkg/PlatformPkg.fdf   |  6 +++---
 Vlv2TbltDevicePkg/PlatformPkgGcc.fdf|  6 +++---
 Vlv2TbltDevicePkg/PlatformPkgGccX64.dsc | 14 +++---
 Vlv2TbltDevicePkg/PlatformPkgIA32.dsc   | 14 +++---
 Vlv2TbltDevicePkg/PlatformPkgX64.dsc| 14 +++---
 5 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/Vlv2TbltDevicePkg/PlatformPkg.fdf 
b/Vlv2TbltDevicePkg/PlatformPkg.fdf
index 148553828c..846db044b4 100644
--- a/Vlv2TbltDevicePkg/PlatformPkg.fdf
+++ b/Vlv2TbltDevicePkg/PlatformPkg.fdf
@@ -321,12 +321,12 @@ INF 
EdkCompatibilityPkg/Compatibility/AcpiVariableHobOnSmramReserveHobThunk/Acpi
 
 INF RuleOverride = BINARY 
$(PLATFORM_BINARY_PACKAGE)/$(DXE_ARCHITECTURE)$(TARGET)/IA32/PiSmmCommunicationPei.inf
 !if $(TPM_ENABLED) == TRUE
-INF SecurityPkg/Tcg/TrEEConfig/TrEEConfigPei.inf
+INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
 INF SecurityPkg/Tcg/TcgPei/TcgPei.inf
 INF SecurityPkg/Tcg/PhysicalPresencePei/PhysicalPresencePei.inf
 !endif
 !if $(FTPM_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/TrEEPei/TrEEPei.inf #use PCD config
+INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf #use PCD config
 !endif
 INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 
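Review bot: after this hunk the TPM_ENABLED block still lists TcgPei.inf (TPM 1.2) next to the new Tcg2ConfigPei.inf, while Tcg2Pei.inf is only included under FTPM_ENABLE; if gating the TPM 2.0 PEIM differently from its config PEIM is intentional, a one-line comment in the FDF would save the next reader from wondering.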
@@ -556,7 +556,7 @@ INF RuleOverride = DRIVER_ACPITABLE 
SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
 INF RuleOverride = BINARY 
$(PLATFORM_BINARY_PACKAGE)/$(DXE_ARCHITECTURE)$(TARGET)/IA32/Tpm2DeviceSeCPei.inf
 INF RuleOverride = BINARY 
$(PLATFORM_BINARY_PACKAGE)/$(DXE_ARCHITECTURE)$(TARGET)/$(DXE_ARCHITECTURE)/Tpm2DeviceSeCDxe.inf
 INF SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf
-INF SecurityPkg/Tcg/TrEEDxe/TrEEDxe.inf
+INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
 INF RuleOverride = BINARY 
$(PLATFORM_BINARY_PACKAGE)/$(DXE_ARCHITECTURE)$(TARGET)/$(DXE_ARCHITECTURE)/FtpmSmm.inf
 !endif
 
diff --git a/Vlv2TbltDevicePkg/PlatformPkgGcc.fdf 
b/Vlv2TbltDevicePkg/PlatformPkgGcc.fdf
index d208871ae6..479c4c7264 100644
--- a/Vlv2TbltDevicePkg/PlatformPkgGcc.fdf
+++ b/Vlv2TbltDevicePkg/PlatformPkgGcc.fdf
@@ -278,12 +278,12 @@ INF 
EdkCompatibilityPkg/Compatibility/AcpiVariableHobOnSmramReserveHobThunk/Acpi
 
 INF RuleOverride = BINARY 
$(PLATFORM_BINARY_PACKAGE)/$(DXE_ARCHITECTURE)$(TARGET)/IA32/PiSmmCommunicationPei.inf
 !if $(TPM_ENABLED) == TRUE
-INF SecurityPkg/Tcg/TrEEConfig/TrEEConfigPei.inf
+INF SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf
 INF SecurityPkg/Tcg/TcgPei/TcgPei.inf
 INF SecurityPkg/Tcg/PhysicalPresencePei/PhysicalPresencePei.inf
 !endif
 !if $(FTPM_ENABLE) == TRUE
-INF  SecurityPkg/Tcg/TrEEPei/TrEEPei.inf #use PCD config
+INF  SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf #use PCD config
 !endif
 INF MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf
 
@@ -513,7 +513,7 @@ INF RuleOverride = DRIVER_ACPITABLE 
SecurityPkg/Tcg/TcgSmm/TcgSmm.inf
 INF RuleOverride = BINARY 
$(PLATFORM_BINARY_PACKAGE)/$(DXE_ARCHITECTURE)$(TARGET)/IA32/Tpm2DeviceSeCPei.inf
 INF RuleOverride = BINARY 
$(PLATFORM_BINARY_PACKAGE)/$(DXE_ARCHITECTURE)$(TARGET)/$(DXE_ARCHITECTURE)/Tpm2DeviceSeCDxe.inf
 INF SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf
-INF SecurityPkg/Tcg/TrEEDxe/TrEEDxe.inf
+INF SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf
 INF RuleOverride = BINARY 
$(PLATFORM_BINARY_PACKAGE)/$(DXE_ARCHITECTURE)$(TARGET)/$(DXE_ARCHITECTURE)/FtpmSmm.inf
 !endif
 
diff --git a/Vlv2TbltDevicePkg/PlatformPkgGccX64.dsc 
b/Vlv2TbltDevicePkg/PlatformPkgGccX64.dsc
index 824dbc9101..682e090a99 100644
--- a/Vlv2TbltDevicePkg/PlatformPkgGccX64.dsc
+++ b/Vlv2TbltDevicePkg/PlatformPkgGccX64.dsc
@@ -291,9 +291,9 @@
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
 !endif
   
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
-  
TrEEPhysicalPresenceLib|SecurityPkg/Library/DxeTrEEPhysicalPresenceLib/DxeTrEEPhysicalPresenceLib.inf
+  
Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
 !if $(FTPM_ENABLE) == TRUE
-  
TrEEPpVendorLib|SecurityPkg/Library/TrEEPpVendorLibNull/TrEEPpVendorLibNull.inf
+  
Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
 !endif
 
 
@@ -1070,7 +1070,7 @@ 
$(PLATFORM_BINARY_PACKAGE)/$(DXE_ARCHITECTURE)$(TARGET)/IA32/fTPMInitPeim.inf
  MdeModulePkg/Universal/FaultTolerantWritePei/FaultTolerantWritePei.inf
 
 !if $(FTPM_ENABLE) == TRUE
-   SecurityPkg/Tcg/TrEEPei/TrEEPei.inf {
+   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
 
   gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8046
 
@@ -1081,7 +1081,7 @@ 
$(PLATFORM_BINARY_PACKAGE)/$(DXE_ARCHITECTURE)$(TARGET)/IA32/fTPMInitPeim.inf
   }
 !endif
 !if $(TPM_ENABLED) == TRUE
-  SecurityPkg/Tcg/TrEEConfig/TrEEConfigPei.inf {
+  SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigPei.inf {
 
   

[edk2] [PATCH 03/15] Vlv2TbltDevicePkg/Tcg2PhysicalPresenceLib: use Tcg2 instead of TrEE.

2018-03-15 Thread Zhang, Chao B
From: Jiewen Yao 

TrEE is deprecated. We need to use Tcg2.

Cc: David Wei 
Cc: Mang Guo 
Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 Vlv2TbltDevicePkg/Library/{DxeTrEEPhysicalPresenceLibNull/DxeTrEEPhysicalPresenceLibNull.c => DxeTcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLibNull.c}     | 28 ++--
 Vlv2TbltDevicePkg/Library/{DxeTrEEPhysicalPresenceLibNull/DxeTrEEPhysicalPresenceLibNull.inf => DxeTcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLibNull.inf} |  8 +++---
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git 
a/Vlv2TbltDevicePkg/Library/DxeTrEEPhysicalPresenceLibNull/DxeTrEEPhysicalPresenceLibNull.c
 
b/Vlv2TbltDevicePkg/Library/DxeTcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLibNull.c
similarity index 90%
rename from 
Vlv2TbltDevicePkg/Library/DxeTrEEPhysicalPresenceLibNull/DxeTrEEPhysicalPresenceLibNull.c
rename to 
Vlv2TbltDevicePkg/Library/DxeTcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLibNull.c
index 9aebf528fb..96fad05527 100644
--- 
a/Vlv2TbltDevicePkg/Library/DxeTrEEPhysicalPresenceLibNull/DxeTrEEPhysicalPresenceLibNull.c
+++ 
b/Vlv2TbltDevicePkg/Library/DxeTcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLibNull.c
@@ -5,7 +5,7 @@
   This driver will have external input - variable.
   This external input must be validated carefully to avoid security issue.
 
-  TrEEExecutePendingTpmRequest() will receive untrusted input and do 
validation.
+  Tcg2ExecutePendingTpmRequest() will receive untrusted input and do 
validation.
 
 Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved.
 This program and the accompanying materials 
@@ -20,7 +20,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 
 #include 
 
-#include 
+#include 
 #include 
 #include 
 #include 
@@ -32,9 +32,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 #include 
 #include 
 #include 
-#include 
+#include 
 #include 
-#include 
+#include 
 
 
 /**
@@ -47,7 +47,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 
 **/
 CHAR16 *
-TrEEPhysicalPresenceGetStringById (
+Tcg2PhysicalPresenceGetStringById (
   IN  EFI_STRING_ID   Id
   )
 {
@@ -87,7 +87,7 @@ TpmCommandClear (
   @retval Others   Return code from the TPM 
device after command execution.
 **/
 UINT32
-TrEEExecutePhysicalPresence (
+Tcg2ExecutePhysicalPresence (
   IN  TPM2B_AUTH   *PlatformAuth,  OPTIONAL
   IN  UINT32   CommandCode,
   IN OUT  EFI_TREE_PHYSICAL_PRESENCE_FLAGS *PpiFlags
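Review bot: Tcg2ExecutePhysicalPresence is renamed, but its PpiFlags parameter keeps the `EFI_TREE_PHYSICAL_PRESENCE_FLAGS` type, and the later Tcg2HaveValidTpmRequest and Tcg2ExecutePendingTpmRequest hunks likewise keep `EFI_TREE_PHYSICAL_PRESENCE`; a library instance that now claims the Tcg2 class should take the Tcg2 physical-presence types (EFI_TCG2_PHYSICAL_PRESENCE and its FLAGS counterpart), otherwise the prototypes will stop matching the Tcg2PhysicalPresenceLib header once the TrEE definitions are removed.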
@@ -107,7 +107,7 @@ TrEEExecutePhysicalPresence (
   @retval FALSE   User discarded the changes.
 **/
 BOOLEAN
-TrEEReadUserKey (
+Tcg2ReadUserKey (
   IN BOOLEANCautionKey
   )
 {
@@ -127,7 +127,7 @@ TrEEReadUserKey (
 **/
 EFI_STATUS
 EFIAPI
-TrEEPhysicalPresenceLibConstructor (
+Tcg2PhysicalPresenceLibConstructor (
   IN EFI_HANDLEImageHandle,
   IN EFI_SYSTEM_TABLE  *SystemTable
   )
@@ -144,7 +144,7 @@ TrEEPhysicalPresenceLibConstructor (
   @retvalFALSE The user doesn't confirm the changes.
 **/
 BOOLEAN
-TrEEUserConfirm (
+Tcg2UserConfirm (
   IN  UINT32TpmPpCommand
   )
 {
@@ -155,7 +155,7 @@ TrEEUserConfirm (
   Check if there is a valid physical presence command request. Also updates 
parameter value 
   to whether the requested physical presence command already confirmed by user
  
-   @param[in]  TcgPpData EFI TrEE Physical Presence request 
data. 
+   @param[in]  TcgPpData EFI Tcg2 Physical Presence request 
data. 
@param[in]  Flags The physical presence interface flags.
@param[out] RequestConfirmedIf the physical presence operation 
command required user confirm from UI.
  True, it indicates the command 
doesn't require user confirm, or already confirmed 
@@ -167,7 +167,7 @@ TrEEUserConfirm (
 
 **/
 BOOLEAN
-TrEEHaveValidTpmRequest  (
+Tcg2HaveValidTpmRequest  (
   IN  EFI_TREE_PHYSICAL_PRESENCE   *TcgPpData,
   IN  EFI_TREE_PHYSICAL_PRESENCE_FLAGS Flags,
   OUT BOOLEAN  *RequestConfirmed
@@ -189,7 +189,7 @@ TrEEHaveValidTpmRequest  (
   @param[in] FlagsThe physical presence interface flags.
 **/
 VOID
-TrEEExecutePendingTpmRequest (
+Tcg2ExecutePendingTpmRequest (
   IN  TPM2B_AUTH   *PlatformAuth,  OPTIONAL
   IN  EFI_TREE_PHYSICAL_PRESENCE   *TcgPpData,
   IN  EFI_TREE_PHYSICAL_PRESENCE_FLAGS Flags
@@ -213,7 +213,7 @@ TrEEExecutePendingTpmRequest (
 **/
 VOID
 EFIAPI
-TrEEPhysicalPresenceLibProcessRequest (
+Tcg2PhysicalPresenceLibProcessRequest (
   IN  TPM2B_AUTH 

Re: [edk2] [PATCH] ShellPkg/Dmpstore: Enhance display information for Auth3 variable.

2018-03-14 Thread Zhang, Chao B
Chen Chen:
  Please update the license header. Others are good to me.
  Reviewed-by: Chao Zhang<chao.b.zh...@intel.com>


-Original Message-
From: Chen, Chen A 
Sent: Tuesday, March 13, 2018 3:37 PM
To: edk2-devel@lists.01.org
Cc: Chen, Chen A <chen.a.c...@intel.com>; Ni, Ruiyu <ruiyu...@intel.com>; 
Zhang, Chao B <chao.b.zh...@intel.com>
Subject: [PATCH] ShellPkg/Dmpstore: Enhance display information for Auth3 
variable.

Add "EA" flag for dumping auth3 variable. When dumping an Auth3 variable, it will display not only the variable content but also the metadata.
Give a warning message when dumping an auth3 variable.

Cc: Ni Ruiyu <ruiyu...@intel.com>
Cc: Zhang Chao <chao.b.zh...@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: chenc2 <chen.a.c...@intel.com>
---
 ShellPkg/Library/UefiShellDebug1CommandsLib/DmpStore.c   | 9 +
 .../UefiShellDebug1CommandsLib/UefiShellDebug1CommandsLib.uni| 1 +
 2 files changed, 10 insertions(+)

diff --git a/ShellPkg/Library/UefiShellDebug1CommandsLib/DmpStore.c 
b/ShellPkg/Library/UefiShellDebug1CommandsLib/DmpStore.c
index 5791da9acc..adcec41992 100644
--- a/ShellPkg/Library/UefiShellDebug1CommandsLib/DmpStore.c
+++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/DmpStore.c
@@ -69,6 +69,9 @@ GetAttrType (
   if ((Atts & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
 StrnCatGrow (, , L"+AT", 0);
   }
+  if ((Atts & EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS) != 0) {
+StrnCatGrow(, , L"+EA", 0);  }
 
   if (RetString == NULL) {
 RetString = StrnCatGrow(, , L"Invalid", 0); @@ -507,6 
+510,12 @@ CascadeProcessVariables (
 if (Type == DmpStoreDisplay) {
   if (!EFI_ERROR(Status) && (DataBuffer != NULL) && (FoundVarName != 
NULL)) {
 AttrString = GetAttrType(Atts);
+if (StrStr (AttrString, L"EA") != NULL) {
+ShellPrintHiiEx (
+  -1, -1, NULL, STRING_TOKEN (STR_DMPSTORE_VAR_EA_WARNING), 
gShellDebug1HiiHandle
+  );
+}
+
 if (StandardFormatOutput) {
   HexString = AllocatePool ((DataSize * 2 + 1) * sizeof (CHAR16));
   if (HexString != NULL) {
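Review bot: the new warning is keyed on `StrStr (AttrString, L"EA")`, a substring search over the rendered attribute text; testing the bit directly, `(Atts & EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS) != 0`, is cheaper and cannot be fooled by a future attribute suffix that happens to contain those letters. The warning is also printed before the `if (StandardFormatOutput)` branch, so it lands in the machine-readable SFO output as well; consider emitting it only on the non-SFO path. Style: in the first hunk the `StrnCatGrow(... L"+EA", 0);  }` line carries the closing brace on the same line, unlike the surrounding blocks.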
diff --git 
a/ShellPkg/Library/UefiShellDebug1CommandsLib/UefiShellDebug1CommandsLib.uni 
b/ShellPkg/Library/UefiShellDebug1CommandsLib/UefiShellDebug1CommandsLib.uni
index 011a7bfc2d..90ce69c932 100644
--- a/ShellPkg/Library/UefiShellDebug1CommandsLib/UefiShellDebug1CommandsLib.uni
+++ b/ShellPkg/Library/UefiShellDebug1CommandsLib/UefiShellDebug1Command
+++ sLib.uni
@@ -394,6 +394,7 @@
 #string STR_DMPSTORE_NO_VAR_FOUND_G#language en-US "%H%s%N: No matching 
variables found. Guid %g\r\n"
 #string STR_DMPSTORE_NO_VAR_FOUND_G_SFO #language en-US 
"VariableInfo,\"\",\"%g\",\"\",\"\",\"\"\r\n"
 #string STR_DMPSTORE_VAR_SFO   #language en-US 
"VariableInfo,\"%s\",\"%g\",\"0x%x\",\"0x%x\",\"%s\"\r\n"
+#string STR_DMPSTORE_VAR_EA_WARNING#language en-US "(Enhanced 
Authenticated Variable, Should be interpreted according to the metadata 
headers!)\r\n"
 
 #string STR_GET_HELP_COMP #language en-US ""
 ".TH comp 0 "Compare 2 files"\r\n"
--
2.13.2.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] [PATCH 2/2] SecurityPkg/TcgPei: drop PeiReadOnlyVariable from Depex

2018-03-12 Thread Zhang, Chao B
Reviewed-by: Chao Zhang <chao.b.zh...@intel.com>

-Original Message-
From: Laszlo Ersek [mailto:ler...@redhat.com] 
Sent: Saturday, March 10, 2018 4:05 AM
To: edk2-devel-01 <edk2-devel@lists.01.org>
Cc: Zhang, Chao B <chao.b.zh...@intel.com>; Yao, Jiewen <jiewen@intel.com>
Subject: [PATCH 2/2] SecurityPkg/TcgPei: drop PeiReadOnlyVariable from Depex

TcgPei doesn't actually use the PEI-phase read-only variable service, so drop 
that from the Depex.

This patch was inspired by commit ab9e11da6651 ("SecurityPkg/Tcg2Pei: drop 
PeiReadOnlyVariable from Depex", 2018-03-09).

Cc: Chao Zhang <chao.b.zh...@intel.com>
Cc: Jiewen Yao <jiewen@intel.com>
Suggested-by: Chao Zhang <chao.b.zh...@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <ler...@redhat.com>
---
 SecurityPkg/Tcg/TcgPei/TcgPei.inf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/SecurityPkg/Tcg/TcgPei/TcgPei.inf 
b/SecurityPkg/Tcg/TcgPei/TcgPei.inf
index 9a44d8fbda51..57ce7263e909 100644
--- a/SecurityPkg/Tcg/TcgPei/TcgPei.inf
+++ b/SecurityPkg/Tcg/TcgPei/TcgPei.inf
@@ -85,7 +85,6 @@ [Pcd]
 
 [Depex]
   gEfiPeiMasterBootModePpiGuid AND
-  gEfiPeiReadOnlyVariable2PpiGuid AND
   gEfiTpmDeviceSelectedGuid
 
 [UserExtensions.TianoCore."ExtraFiles"]
--
2.14.1.3.gb7cf6e02401b

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] [PATCH v2 2/8] SecurityPkg/Tcg2Pei: drop PeiReadOnlyVariable from Depex

2018-03-07 Thread Zhang, Chao B
Hi Lureau:
   I think we can remove the same dependency in TcgPei.

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of 
marcandre.lur...@redhat.com
Sent: Wednesday, March 7, 2018 11:58 PM
To: edk2-devel@lists.01.org
Cc: qemu-de...@nongnu.org; javi...@redhat.com; pjo...@redhat.com; Yao, Jiewen 
; ler...@redhat.com
Subject: [edk2] [PATCH v2 2/8] SecurityPkg/Tcg2Pei: drop PeiReadOnlyVariable 
from Depex

From: Marc-André Lureau 

The module doesn't use read-only variable.

Cc: Laszlo Ersek 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Marc-André Lureau 
---
 SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf 
b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
index bc910c3baf97..a4aae1488ff8 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
@@ -91,7 +91,6 @@ [Pcd]
 
 [Depex]
   gEfiPeiMasterBootModePpiGuid AND
-  gEfiPeiReadOnlyVariable2PpiGuid AND
   gEfiTpmDeviceSelectedGuid
 
 [UserExtensions.TianoCore."ExtraFiles"]
-- 
2.16.2.346.g9779355e34

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] [PATCH v2 1/8] SecurityPkg: also clear HashInterfaceHob.SupportedHashMask

2018-03-07 Thread Zhang, Chao B
Reviewed-by: Chao Zhang<chao.b.zh...@intel.com>

-Original Message-
From: marcandre.lur...@redhat.com [mailto:marcandre.lur...@redhat.com] 
Sent: Wednesday, March 7, 2018 11:58 PM
To: edk2-devel@lists.01.org
Cc: pjo...@redhat.com; Yao, Jiewen <jiewen@intel.com>; 
stef...@linux.vnet.ibm.com; ler...@redhat.com; qemu-de...@nongnu.org; 
javi...@redhat.com; Marc-André Lureau <marcandre.lur...@redhat.com>; Zhang, 
Chao B <chao.b.zh...@intel.com>; Zeng, Star <star.z...@intel.com>
Subject: [PATCH v2 1/8] SecurityPkg: also clear 
HashInterfaceHob.SupportedHashMask

From: Marc-André Lureau <marcandre.lur...@redhat.com>

Commit 4cc2b63bd829426b05bad0d8952f1855a10d6ed7 fixed an out of bounds
ZeroMem() call. However, as Laszlo Ersek pointed out, the intent was to clear 
all but the Identifier (to revert the effect of RegisterHashInterfaceLib()). 
For that, it should clear the SupportedHashMask too.

Cc: Jiewen Yao <jiewen@intel.com>
Cc: Chao Zhang <chao.b.zh...@intel.com>
Cc: Star Zeng <star.z...@intel.com>
Cc: Laszlo Ersek <ler...@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Marc-André Lureau <marcandre.lur...@redhat.com>
---
 .../Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c | 1 +
 1 file changed, 1 insertion(+)

diff --git 
a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c 
b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
index 361a4f6508a0..bf6e1336ee76 100644
--- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
+++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRoute
+++ rPei.c
@@ -426,6 +426,7 @@ HashLibBaseCryptoRouterPeiConstructor (
 //
 ZeroMem (>HashInterface, sizeof 
(HashInterfaceHob->HashInterface));
 HashInterfaceHob->HashInterfaceCount = 0;
+HashInterfaceHob->SupportedHashMask = 0;
   }
 
   //
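Review bot: the comment just above this hunk still says only that the hash interface information is cleared; with HashInterfaceCount and now SupportedHashMask reset as well, extend it to say that all registration state except Identifier is reverted, and consider grouping the three resets in a small helper so a future field is not forgotten the way SupportedHashMask was.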
--
2.16.2.346.g9779355e34

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] [patch] SecurityPkg/SmmTcg2PhysicalPresenceLib: Fix coding style issue

2018-03-06 Thread Zhang, Chao B
Reviewed-by: Chao Zhang <chao.b.zh...@intel.com>

-Original Message-
From: Bi, Dandan 
Sent: Wednesday, March 7, 2018 1:54 PM
To: edk2-devel@lists.01.org
Cc: Zhang, Chao B <chao.b.zh...@intel.com>
Subject: [patch] SecurityPkg/SmmTcg2PhysicalPresenceLib: Fix coding style issue

Boolean values do not need to use explicit comparisons to TRUE or FALSE.

Cc: Chao Zhang <chao.b.zh...@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan...@intel.com>
---
 .../Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c 
b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c
index dfef6c8..6a4dce9 100644
--- 
a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c
+++ b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPres
+++ enceLib.c
@@ -339,11 +339,11 @@ Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction (
 case 
TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:
 case 
TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:
   break;
 
 default:
-  if (mIsTcg2PPVerLowerThan_1_3 == FALSE) {
+  if (!mIsTcg2PPVerLowerThan_1_3) {
 if (OperationRequest < 
TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
   //
   // TCG2 PP1.3 spec defined operations that are reserved or 
un-implemented
   //
   return TCG_PP_GET_USER_CONFIRMATION_NOT_IMPLEMENTED;
--
1.9.5.msysgit.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] [PATCH 1/1] RFC: SecurityPkg: only clear HashInterface informations

2018-03-06 Thread Zhang, Chao B
Reviewed-by: Chao Zhang <chao.b.zh...@intel.com>

-Original Message-
From: marcandre.lur...@redhat.com [mailto:marcandre.lur...@redhat.com] 
Sent: Wednesday, March 7, 2018 4:27 AM
To: edk2-devel@lists.01.org
Cc: Marc-André Lureau <marcandre.lur...@redhat.com>; Yao, Jiewen 
<jiewen....@intel.com>; Zhang, Chao B <chao.b.zh...@intel.com>; Zeng, Star 
<star.z...@intel.com>; Laszlo Ersek <ler...@redhat.com>
Subject: [PATCH 1/1] RFC: SecurityPkg: only clear HashInterface informations

From: Marc-André Lureau <marcandre.lur...@redhat.com>

The ZeroMem() call goes beyond the HashInterfaceHob structure, causing HOB list 
corruption. Instead, just clear the HashInterface fields, as I suppose was 
originally intended.

Cc: Jiewen Yao <jiewen@intel.com>
Cc: Chao Zhang <chao.b.zh...@intel.com>
Cc: Star Zeng <star.z...@intel.com>
Cc: Laszlo Ersek <ler...@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Marc-André Lureau <marcandre.lur...@redhat.com>
---
 .../HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git 
a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c 
b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
index dbee0f2531bc..361a4f6508a0 100644
--- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
+++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRoute
+++ rPei.c
@@ -424,7 +424,8 @@ HashLibBaseCryptoRouterPeiConstructor (
 // This is the second execution of this module, clear the hash interface
 // information registered at its first execution.
 //
-ZeroMem (>HashInterface, sizeof (*HashInterfaceHob) - 
sizeof (EFI_GUID));
+ZeroMem (>HashInterface, sizeof 
(HashInterfaceHob->HashInterface));
+HashInterfaceHob->HashInterfaceCount = 0;
   }
 
   //
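Review bot: the removed length, `sizeof (*HashInterfaceHob) - sizeof (EFI_GUID)`, is the size of everything after Identifier, but the clear starts at HashInterface rather than at the first byte after Identifier, so it overran the HOB by the size of whatever sits between the two. Sizing the clear by the array alone is correct, but any other per-registration field in the HOB (the v2 follow-up on this page adds SupportedHashMask) then has to be reset explicitly, as HashInterfaceCount is here.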
--
2.16.2.346.g9779355e34

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
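As an added example (not edk2 code) for the two HashLibBaseCryptoRouterPei patches on this page, the RFC above and the v2 follow-up that also clears SupportedHashMask: the struct layout below is hypothetical, with field names taken from the patches and sizes and field order assumed. It shows why a clear sized as the whole HOB minus the GUID overruns when it starts at HashInterface, why sizing by the array alone stays in bounds, and a field-by-field reset that leaves Identifier intact.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for EFI_GUID and HASH_INTERFACE (sizes assumed). */
typedef struct {
  uint32_t Data1;
  uint16_t Data2;
  uint16_t Data3;
  uint8_t  Data4[8];
} GUID_T;

typedef struct {
  GUID_T    HashGuid;
  uintptr_t HashInit;
  uintptr_t HashUpdate;
  uintptr_t HashFinal;
} HASH_INTERFACE_T;

#define HASH_COUNT_MAX 4

/* Hypothetical HOB layout: field names follow the patches, order and sizes are assumed. */
typedef struct {
  GUID_T           Identifier;                     /* must survive a reset */
  uint32_t         HashInterfaceCount;             /* set by registration */
  HASH_INTERFACE_T HashInterface[HASH_COUNT_MAX];  /* set by registration */
  uint32_t         SupportedHashMask;              /* set by registration */
} HASH_INTERFACE_HOB_T;

/* Length used by the ZeroMem the RFC removes: whole HOB minus the GUID.
 * That is the size of everything after Identifier, but the clear starts at
 * HashInterface, so it runs past the end of the HOB by the number of bytes
 * that sit between Identifier and HashInterface. */
size_t OriginalClearLength(void)
{
  return sizeof(HASH_INTERFACE_HOB_T) - sizeof(GUID_T);
}

/* Length used by the RFC's replacement: just the array. */
size_t PatchedClearLength(void)
{
  return sizeof(((HASH_INTERFACE_HOB_T *)0)->HashInterface);
}

/* 1 if clearing Length bytes starting at FieldOffset stays inside the HOB. */
int ClearStaysInsideHob(size_t FieldOffset, size_t Length)
{
  return FieldOffset + Length <= sizeof(HASH_INTERFACE_HOB_T);
}

/* Revert everything a registration would have set, field by field, leaving
 * Identifier untouched (the shape the v2 follow-up converges on). */
void ResetRegistrationState(HASH_INTERFACE_HOB_T *Hob)
{
  memset(Hob->HashInterface, 0, sizeof(Hob->HashInterface));
  Hob->HashInterfaceCount = 0;
  Hob->SupportedHashMask  = 0;
}

/* Self-check: fill a HOB with junk, reset it, confirm only Identifier survived. */
int ResetPreservesIdentifierOnly(void)
{
  HASH_INTERFACE_HOB_T Hob;
  GUID_T Id = { 0x12345678u, 0x9abc, 0xdef0, { 1, 2, 3, 4, 5, 6, 7, 8 } };
  const unsigned char *Bytes = (const unsigned char *)Hob.HashInterface;

  memset(&Hob, 0xA5, sizeof(Hob));
  Hob.Identifier = Id;
  ResetRegistrationState(&Hob);

  if (memcmp(&Hob.Identifier, &Id, sizeof(Id)) != 0) return 0;
  if (Hob.HashInterfaceCount != 0 || Hob.SupportedHashMask != 0) return 0;
  for (size_t i = 0; i < sizeof(Hob.HashInterface); i++) {
    if (Bytes[i] != 0) return 0;
  }
  return 1;
}

int main(void)
{
  size_t Offset = offsetof(HASH_INTERFACE_HOB_T, HashInterface);
  printf("HOB size %zu, HashInterface at offset %zu\n", sizeof(HASH_INTERFACE_HOB_T), Offset);
  printf("original clear: %zu bytes, in bounds: %d\n",
         OriginalClearLength(), ClearStaysInsideHob(Offset, OriginalClearLength()));
  printf("patched  clear: %zu bytes, in bounds: %d\n",
         PatchedClearLength(), ClearStaysInsideHob(Offset, PatchedClearLength()));
  printf("reset keeps Identifier only: %d\n", ResetPreservesIdentifierOnly());
  return 0;
}
```

The bounds check is the point: a clear that starts at a field but is sized from the struct start is wrong for any layout in which something lies between the GUID and that field, which is why the follow-up resets the remaining fields one by one instead of widening the memset again.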


Re: [edk2] [PATCH] Maintainers.txt: Add Jiewen to be co-maintainer of SecurityPkg.

2018-03-01 Thread Zhang, Chao B
Reviewed-by: Chao Zhang <chao.b.zh...@intel.com>

-Original Message-
From: Zhang, Chao B 
Sent: Wednesday, February 28, 2018 2:19 PM
To: edk2-devel@lists.01.org
Cc: Yao, Jiewen <jiewen@intel.com>; Zhang, Chao B <chao.b.zh...@intel.com>
Subject: [PATCH] Maintainers.txt: Add Jiewen to be co-maintainer of SecurityPkg.

From: Jiewen Yao <jiewen@intel.com>

Cc: Chao B Zhang <chao.b.zh...@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao <jiewen@intel.com>
---
 Maintainers.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Maintainers.txt b/Maintainers.txt index 74f2538..e103f85 100644
--- a/Maintainers.txt
+++ b/Maintainers.txt
@@ -217,6 +217,7 @@ M: Kelly Steele <kelly.ste...@intel.com>  SecurityPkg
 W: https://github.com/tianocore/tianocore.github.io/wiki/SecurityPkg
 M: Chao Zhang <chao.b.zh...@intel.com>
+M: Jiewen Yao <jiewen@intel.com>
 
 ShellBinPkg
 W: https://github.com/tianocore/tianocore.github.io/wiki/ShellPkg
--
2.7.4.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


[edk2] [PATCH] Maintainers.txt: Add Jiewen to be co-maintainer of SecurityPkg.

2018-02-27 Thread Zhang, Chao B
From: Jiewen Yao 

Cc: Chao B Zhang 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao 
---
 Maintainers.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Maintainers.txt b/Maintainers.txt
index 74f2538..e103f85 100644
--- a/Maintainers.txt
+++ b/Maintainers.txt
@@ -217,6 +217,7 @@ M: Kelly Steele 
 SecurityPkg
 W: https://github.com/tianocore/tianocore.github.io/wiki/SecurityPkg
 M: Chao Zhang 
+M: Jiewen Yao 
 
 ShellBinPkg
 W: https://github.com/tianocore/tianocore.github.io/wiki/ShellPkg
-- 
2.7.4.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] TPM 2.0 Manufacutre ID wrong byte order

2018-02-23 Thread Zhang, Chao B
Derek:
   Thank you for the info. TPM Library spec 1.38, page 342 defines each property to be a 32-bit value. Endian conversion only applies to those 32-bit values that are interpreted as 16-bit or 32-bit data outside. It doesn't apply to the PT_MANUFACTURER case. We can add comments to make this interface clearer, but I think the current implementation is good from a spec point of view.


-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Lin, 
Derek (HPS UEFI Dev)
Sent: Friday, February 23, 2018 4:08 PM
To: Zhang, Chao B <chao.b.zh...@intel.com>; edk2-devel@lists.01.org
Cc: Yao, Jiewen <jiewen@intel.com>; Zeng, Star <star.z...@intel.com>
Subject: Re: [edk2] TPM 2.0 Manufacutre ID wrong byte order

Hi Chao B,

I think you are right, the Manufacture ID is a byte array. The order in ACPI HID is correct.

But Tpm2GetCapabilityManufactureID returns a UINT32 value.
EFI_STATUS
EFIAPI
Tpm2GetCapabilityManufactureID (
  OUT UINT32    *ManufactureId
  )


This is confusing. When the caller uses ManufactureId as a UINT32, the byte order is confused.
For example in Tcg2Dxe.c, it prints:
Tpm2GetCapabilityManufactureID - 204D5453

Which should be "53544D20" in this case.

  Status = Tpm2GetCapabilityManufactureID (&mTcgDxeData.BsCap.ManufacturerID);
  if (EFI_ERROR (Status)) {
    DEBUG ((EFI_D_ERROR, "Tpm2GetCapabilityManufactureID fail!\n"));
  } else {
    DEBUG ((EFI_D_INFO, "Tpm2GetCapabilityManufactureID - %08x\n", mTcgDxeData.BsCap.ManufacturerID));
  }

How about changing the return value to a 4-byte array?

Thanks,
Derek

From: Zhang, Chao B [mailto:chao.b.zh...@intel.com]
Sent: Friday, February 23, 2018 11:03 AM
To: Lin, Derek (HPS UEFI Dev) <derek.l...@hpe.com>; edk2-devel@lists.01.org
Cc: Yao, Jiewen <jiewen@intel.com>; Zeng, Star <star.z...@intel.com>
Subject: RE: TPM 2.0 Manufacutre ID wrong byte order

Hi Derek:
Can you specify the "reversed" ManufactureId issue? What did you get from this interface?
The implementation follows the Vendor ID registry spec. The vendor ID is an octet array. There is no endian issue here.
We haven't seen any disorder before.


From: Lin, Derek (HPS UEFI Dev) [mailto:derek.l...@hpe.com]
Sent: Thursday, February 22, 2018 7:25 PM
To: edk2-devel@lists.01.org<mailto:edk2-devel@lists.01.org>; Zhang, Chao B 
<chao.b.zh...@intel.com<mailto:chao.b.zh...@intel.com>>
Cc: Yao, Jiewen <jiewen@intel.com<mailto:jiewen@intel.com>>; Zeng, Star 
<star.z...@intel.com<mailto:star.z...@intel.com>>
Subject: TPM 2.0 Manufacutre ID wrong byte order

Hi TPM expert,

The line in
https://github.com/tianocore/edk2/commit/73126ac2bd9804632255b2fddd4d7633537c9620#diff-76abe1c1ebf05982ed72eaf56f489029R192
changes the byte order of the Manufacture ID in Tpm2GetCapabilityManufactureID ().

I see it return a "reversed" ManufactureId for two TPM vendors' modules.
Also, all other Capability data in Tpm2Capability.c use SwapBytes32 since the TPM is big-endian, which seems correct.

Can you check this and confirm?

Thanks,
Derek

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
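The byte-order discussion above, as an added example that is not part of the thread or of edk2: a small C program that takes the four octets of TPM_PT_MANUFACTURER as they arrive from the TPM (a constructed sample spelling "STM ", which is what the 204D5453 value quoted above decodes to on a little-endian host) and shows the three readings in play: the octets as a vendor string, the big-endian number a SwapBytes32-style conversion would produce, and the value a little-endian host sees when the octets are copied unchanged into a UINT32. Function names are mine, not edk2's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample, not a captured TPM response: the four octets of the
 * TPM_PT_MANUFACTURER property in wire order (the TPM is big-endian).
 * They spell "STM ", which is what the 204D5453 quoted in the thread
 * decodes to on a little-endian host.
 */
static const uint8_t kManufacturerWire[4] = { 0x53, 0x54, 0x4D, 0x20 };

/* Reading 1: the octets as a big-endian 32-bit number. This is what a
 * SwapBytes32-style conversion, as used for the other capability fields,
 * hands back on a little-endian host. */
uint32_t ManufacturerAsBigEndianValue(const uint8_t Wire[4])
{
  return ((uint32_t)Wire[0] << 24) | ((uint32_t)Wire[1] << 16) |
         ((uint32_t)Wire[2] << 8)  |  (uint32_t)Wire[3];
}

/* Reading 2: the value a little-endian host sees when the octets are copied
 * unchanged into a UINT32 and printed with %08x. Computed explicitly so the
 * result does not depend on the endianness of the machine running this. */
uint32_t ManufacturerAsLittleEndianRegister(const uint8_t Wire[4])
{
  return ((uint32_t)Wire[3] << 24) | ((uint32_t)Wire[2] << 16) |
         ((uint32_t)Wire[1] << 8)  |  (uint32_t)Wire[0];
}

/* Reading 3: the octets as the 4-character vendor string of the TCG vendor ID
 * registry. No endian conversion is involved; non-printable bytes become '?'. */
void ManufacturerToString(const uint8_t Wire[4], char Out[5])
{
  for (size_t i = 0; i < 4; i++) {
    Out[i] = (Wire[i] >= 0x20 && Wire[i] < 0x7F) ? (char)Wire[i] : '?';
  }
  Out[4] = '\0';
}

/* A caller that only has the UINT32 from reading 2 can still recover the
 * string by taking the bytes back out in little-endian order. */
void LittleEndianRegisterToString(uint32_t Reg, char Out[5])
{
  uint8_t Octets[4] = {
    (uint8_t)Reg, (uint8_t)(Reg >> 8), (uint8_t)(Reg >> 16), (uint8_t)(Reg >> 24)
  };
  ManufacturerToString(Octets, Out);
}

/* Helpers for checks: 1 if the given form decodes to Expected. */
int WireDecodesTo(const uint8_t Wire[4], const char *Expected)
{
  char Text[5];
  ManufacturerToString(Wire, Text);
  return strcmp(Text, Expected) == 0;
}

int RegisterDecodesTo(uint32_t Reg, const char *Expected)
{
  char Text[5];
  LittleEndianRegisterToString(Reg, Text);
  return strcmp(Text, Expected) == 0;
}

int main(void)
{
  char Vendor[5];
  ManufacturerToString(kManufacturerWire, Vendor);
  printf("vendor string           : \"%s\"\n", Vendor);
  printf("big-endian number       : %08X\n", ManufacturerAsBigEndianValue(kManufacturerWire));
  printf("LE host UINT32 via %%08x : %08X\n", ManufacturerAsLittleEndianRegister(kManufacturerWire));
  return 0;
}
```

The two UINT32 readings differ only in which end of the same four octets is treated as the most significant byte; treating the field as an octet array, as the registry defines it, avoids having to pick one.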


Re: [edk2] TPM 2.0 Manufacutre ID wrong byte order

2018-02-22 Thread Zhang, Chao B
Hi Derek:
Can you specify the "reversed" ManufactureId issue? What did you get from this interface?
The implementation follows the Vendor ID registry spec. The vendor ID is an octet array. There is no endian issue here.
We haven't seen any disorder before.


From: Lin, Derek (HPS UEFI Dev) [mailto:derek.l...@hpe.com]
Sent: Thursday, February 22, 2018 7:25 PM
To: edk2-devel@lists.01.org; Zhang, Chao B <chao.b.zh...@intel.com>
Cc: Yao, Jiewen <jiewen@intel.com>; Zeng, Star <star.z...@intel.com>
Subject: TPM 2.0 Manufacutre ID wrong byte order

Hi TPM expert,

The line in
https://github.com/tianocore/edk2/commit/73126ac2bd9804632255b2fddd4d7633537c9620#diff-76abe1c1ebf05982ed72eaf56f489029R192
changes the byte order of the Manufacture ID in Tpm2GetCapabilityManufactureID ().

I see it return a "reversed" ManufactureId for two TPM vendors' modules.
Also, all other Capability data in Tpm2Capability.c use SwapBytes32 since the TPM is big-endian, which seems correct.

Can you check this and confirm?

Thanks,
Derek

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


[edk2] [PATCH] SecurityPkg: Tcg2Smm: Fix type casting issue

2018-02-07 Thread Zhang, Chao B
Fix type casting issue when calculating pointer offset

Cc: Wu Hao 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
---
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c 
b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
index 6eb62ae..c3cee83 100644
--- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
+++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
@@ -543,7 +543,7 @@ UpdatePossibleResource (
   //
   DataPtr += 2;
   if (DataPtr < DataEndPtr) {
-SetMem(DataPtr, (UINTN)(DataEndPtr - DataPtr), AML_NOOP_OP);
+SetMem(DataPtr, (UINTN)DataEndPtr - (UINTN)DataPtr, AML_NOOP_OP);
   }
 
   return EFI_SUCCESS;
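Review bot: `(UINTN)DataEndPtr - (UINTN)DataPtr` sidesteps the signed ptrdiff_t result of subtracting the two pointers and any type mismatch between them, and the preceding `if (DataPtr < DataEndPtr)` guarantees the difference is non-negative, so the unsigned arithmetic cannot wrap; stating that invariant in the comment above the check would make the reason for the cast obvious to the next reader.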
-- 
1.9.5.msysgit.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


[edk2] [PATCH] SecurityPkg:Tcg2Smm: Fix compile issue

2018-02-06 Thread Zhang, Chao B
Update Tcg2Smm _PRS patching logic to fix compile issue

Cc: Liming Gao 
Cc: Dandan Bi 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
---
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c 
b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
index e3938cb..6eb62ae 100644
--- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
+++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
@@ -539,10 +539,11 @@ UpdatePossibleResource (
   *(DataPtr + 1) = 0;
 
   //
-  // 5. Jump over whole ResourceTemplate. Stuff rest bytes to NOOP
+  // 5. Jump over new ResourceTemplate. Stuff rest bytes to NOOP
   //
-  for (DataPtr += 2; DataPtr < DataEndPtr; DataPtr++) {
-*DataPtr = AML_NOOP_OP;
+  DataPtr += 2;
+  if (DataPtr < DataEndPtr) {
+SetMem(DataPtr, (UINTN)(DataEndPtr - DataPtr), AML_NOOP_OP);
   }
 
   return EFI_SUCCESS;
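Review bot: replacing the byte loop with `DataPtr += 2` plus SetMem is fine, but `(UINTN)(DataEndPtr - DataPtr)` casts the result of the pointer subtraction rather than the operands; the follow-up patch on this page switches to `(UINTN)DataEndPtr - (UINTN)DataPtr`, so this hunk should carry that form from the start rather than needing a second fix.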
-- 
1.9.5.msysgit.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


Re: [edk2] [Patch] SecurityPkg: Don't build AuthVariableLib for EBC arch

2018-02-05 Thread Zhang, Chao B
Reviewed-by: Chao Zhang 

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Liming 
Gao
Sent: Tuesday, January 30, 2018 1:34 PM
To: edk2-devel@lists.01.org
Subject: [edk2] [Patch] SecurityPkg: Don't build AuthVariableLib for EBC arch

EBC build failure is caused by d7a09cb86a0416c099fa3a9e0fbe2c8f399b28de.
It changes the MAX_UINTN definition as below. AuthVariableLib uses MAX_UINTN in global data initialization. The new style has a >> operator, which is not supported by the EBC compiler. The fix is not to build AuthVariableLib for EBC.

#define MAX_UINTN  ((UINTN) ~0)
==>
#define MAX_UINTN  ((UINTN)(~0ULL >> (64 - sizeof (INTN) * 8)))

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao 
---
 SecurityPkg/SecurityPkg.dsc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 
43ac0b1..65a2fe3 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -215,6 +215,7 @@
   SecurityPkg/Library/FmpAuthenticationLibPkcs7/FmpAuthenticationLibPkcs7.inf
   
SecurityPkg/Library/FmpAuthenticationLibRsa2048Sha256/FmpAuthenticationLibRsa2048Sha256.inf
 
+[Components.IA32, Components.X64, Components.IPF, Components.ARM, 
+Components.AARCH64]
   SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
 
 [Components.IA32, Components.X64, Components.IPF]
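Review bot: the new `[Components.IA32, Components.X64, Components.IPF, Components.ARM, Components.AARCH64]` section carries no hint of why it exists, so someone tidying the DSC later could fold `AuthVariableLib.inf` back into the common component list and reintroduce the EBC break. Add a comment above the section such as `# AuthVariableLib uses MAX_UINTN (>> operator), which the EBC compiler does not support`, mirroring the commit message.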
--
2.8.0.windows.1



Re: [edk2] [PATCH] SecurityPkg: Support PP version lower than 1.3

2018-02-05 Thread Zhang, Chao B
Qin & Jiewen,
  Tks for your comments, I will follow up to update the patch.

-Original Message-
From: Yao, Jiewen 
Sent: Tuesday, February 6, 2018 10:33 AM
To: Long, Qin <qin.l...@intel.com>; Zhang, Chao B <chao.b.zh...@intel.com>; 
edk2-devel@lists.01.org
Subject: RE: [PATCH] SecurityPkg: Support PP version lower than 1.3

Yeah. I suggest we just use sizeof() for the fixed string.


> -Original Message-
> From: Long, Qin
> Sent: Tuesday, February 6, 2018 10:30 AM
> To: Zhang, Chao B <chao.b.zh...@intel.com>; edk2-devel@lists.01.org
> Cc: Yao, Jiewen <jiewen@intel.com>
> Subject: RE: [PATCH] SecurityPkg: Support PP version lower than 1.3
> 
> Could you update the AsciiStrLen usage with safe version, or direct 
> "sizeof()"?
> Others looks good to me.
> 
> Reviewed-by: Long Qin <qin.l...@intel.com>
> 
> 
> Best Regards & Thanks,
> LONG, Qin
> 
> -Original Message-
> From: Zhang, Chao B
> Sent: Monday, February 5, 2018 10:32 AM
> To: edk2-devel@lists.01.org
> Cc: Long, Qin <qin.l...@intel.com>; Yao, Jiewen 
> <jiewen@intel.com>; Zhang, Chao B <chao.b.zh...@intel.com>
> Subject: [PATCH] SecurityPkg: Support PP version lower than 1.3
> 
> TCG PP 1.2 & PP 1.3 spec defined different Opcodes.
> Update code to support both.
> 
> Cc: Long Qin <qin.l...@intel.com>
> Cc: Yao Jiewen <jiewen@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang <chao.b.zh...@intel.com>
> ---
>  .../SmmTcg2PhysicalPresenceLib.c   | 31
> +-
>  .../SmmTcg2PhysicalPresenceLib.inf |  7 +++--
>  2 files changed, 30 insertions(+), 8 deletions(-)
> 
> diff --git
> a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresen
> ce
> Lib.c
> b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresen
> ce
> Lib.c
> index 6061453..ffade10 100644
> ---
> a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresen
> ce
> Lib.c
> +++ b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPr
> +++ es
> +++ enceLib.c
> @@ -10,7 +10,7 @@
>Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction() and
> Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction()
>will receive untrusted input and do validation.
> 
> -Copyright (c) 2015 - 2017, Intel Corporation. All rights 
> reserved.
> +Copyright (c) 2015 - 2018, Intel Corporation. All rights 
> +reserved.
>  This program and the accompanying materials  are licensed and made 
> available under the terms and conditions of the BSD License  which 
> accompanies this distribution.  The full text of the license may be 
> found at @@
> -27,12 +27,16 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, 
> EITHER EXPRESS OR IMPLIED.
> 
>  #include 
> 
> +#include 
>  #include 
>  #include 
>  #include 
>  #include 
> 
> +#define PP_INF_VERSION_1_2"1.2"
> +
>  EFI_SMM_VARIABLE_PROTOCOL  *mTcg2PpSmmVariable;
> +BOOLEANmIsTcg2PPVerLowerThan_1_3 = FALSE;
> 
>  /**
>The handler for TPM physical presence function:
> @@ -337,11 +341,22 @@
> Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction (
>break;
> 
>  default:
> -  if (OperationRequest <
> TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
> -//
> -// TCG PP spec defined operations that are reserved or
> un-implemented
> -//
> -return TCG_PP_GET_USER_CONFIRMATION_NOT_IMPLEMENTED;
> +  if (mIsTcg2PPVerLowerThan_1_3 == FALSE) {
> +if (OperationRequest <
> TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
> +  //
> +  // TCG2 PP1.3 spec defined operations that are reserved or
> un-implemented
> +  //
> +  return TCG_PP_GET_USER_CONFIRMATION_NOT_IMPLEMENTED;
> +}
> +  } else {
> +   //
> +   // TCG PP lower than 1.3. (1.0, 1.1, 1.2)
> +   //
> +   if (OperationRequest <=
> TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {
> + RequestConfirmed = TRUE;
> +   } else if (OperationRequest <
> TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
> + return TCG_PP_GET_USER_CONFIRMATION_NOT_IMPLEMENTED;
> +   }
>}
>break;
>}
> @@ -377,6 +392,10 @@ Tcg2PhysicalPresenceLibConstructor (  {
>EFI_STATUS  Status;
> 
> +  if (AsciiStrnCmp(PP_INF_VERSION_1_2, (CHAR8
> *)PcdGetPtr(PcdTcgPhysicalPresenceInterfaceVer),
> AsciiStrLen(PP_INF_VERSION_1_2)) <=0) {
> +mIsTcg2PPVerLowerThan_1_3 = TRUE;  }
> +
>//
>// Locat

Re: [edk2] Why does EDK2 disable time checks on certificates?

2018-02-05 Thread Zhang, Chao B
Bryan:
   You can reference the EFI_CERT_X509_SHA256, EFI_CERT_X509_SHA384 and
EFI_CERT_X509_SHA512 data structure definitions in the UEFI spec.
   Now they are only supported in DBX. Revocation time here is defined by the user
instead of taken directly from the Validity of the X509 certificate, in order to address the
issue mentioned below.


-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Long, Qin
Sent: Tuesday, February 6, 2018 8:55 AM
To: Bryan Rosario ; edk2-devel@lists.01.org
Subject: Re: [edk2] Why does EDK2 disable time checks on certificates?

It's EDK2-only.
The current pre-boot environment has no trusted time synchronization service,
and it's very likely the system time is not the real time (esp. under a dev
environment). So the certificate time expiration check was bypassed to avoid
any boot break.

Against the corresponding certificate revocation case, UEFI introduced the
DBX database (forbidden list) to address this.


Best Regards & Thanks,
LONG, Qin

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Bryan 
Rosario
Sent: Tuesday, February 6, 2018 5:52 AM
To: edk2-devel@lists.01.org
Subject: [edk2] Why does EDK2 disable time checks on certificates?

See here ("Currently certificate time expiration checking is ignored."):
https://github.com/tianocore/tianocore.github.io/wiki/How-to-Enable-Security

Is this behavior part of the UEFI specification or is it EDK2-only? And what's 
the reasoning for it?

Thanks,
Bryan
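To make concrete what the replies above describe (DBX entries of type EFI_CERT_X509_SHA256 carrying an operator-chosen revocation time rather than relying on the certificate's own Validity), here is an added C example that is not edk2 code: it decodes such an entry and applies the revocation decision. The EFI_TIME layout mirrors the UEFI definition; the comparison rule (zero time revokes unconditionally, otherwise signatures made at or after TimeOfRevocation are rejected) is my reading of the spec, and the hashes and times are constructed demo values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Mirrors the UEFI EFI_TIME layout (16 bytes, little-endian on the wire). */
typedef struct {
  uint16_t Year; uint8_t Month, Day, Hour, Minute, Second, Pad1;
  uint32_t Nanosecond; int16_t TimeZone; uint8_t Daylight, Pad2;
} EfiTime;

#define SHA256_LEN            32
#define X509_SHA256_ENTRY_LEN (SHA256_LEN + 16) /* EFI_CERT_X509_SHA256 SignatureData */

/* Decoded entry: SHA-256 of the TBSCertificate plus the user-defined TimeOfRevocation. */
typedef struct { uint8_t TbsHash[SHA256_LEN]; EfiTime TimeOfRevocation; } X509Sha256Entry;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Decode one SignatureData blob; anything but the fixed 48-byte size is rejected. */
bool parse_x509_sha256_entry(const uint8_t *buf, size_t len, X509Sha256Entry *out) {
  if (buf == NULL || out == NULL || len != X509_SHA256_ENTRY_LEN) return false;
  memcpy(out->TbsHash, buf, SHA256_LEN);
  const uint8_t *t = buf + SHA256_LEN;
  EfiTime *r = &out->TimeOfRevocation;
  r->Year = rd16(t); r->Month = t[2]; r->Day = t[3]; r->Hour = t[4];
  r->Minute = t[5]; r->Second = t[6]; r->Pad1 = t[7]; r->Nanosecond = rd32(t + 8);
  r->TimeZone = (int16_t)rd16(t + 12); r->Daylight = t[14]; r->Pad2 = t[15];
  return true;
}

/* Compare date/time fields; zone and daylight are ignored (assumption: UTC). */
int compare_efi_time(const EfiTime *a, const EfiTime *b) {
  if (a->Year != b->Year) return a->Year < b->Year ? -1 : 1;
  const uint8_t fa[5] = {a->Month, a->Day, a->Hour, a->Minute, a->Second};
  const uint8_t fb[5] = {b->Month, b->Day, b->Hour, b->Minute, b->Second};
  return memcmp(fa, fb, sizeof fa);
}

static bool time_is_zero(const EfiTime *t) {
  return !(t->Year | t->Month | t->Day | t->Hour | t->Minute | t->Second);
}

/* Revocation decision for the certificate with TBS hash `tbs`, given the signing
 * time from the image signature (NULL when it has none). Rule, my reading of the
 * UEFI DBX semantics: an all-zero TimeOfRevocation revokes unconditionally; otherwise
 * signatures made at or after that time, or carrying no time, are rejected and earlier
 * ones stay trusted. The certificate's Validity period is never consulted. */
bool is_cert_revoked(const X509Sha256Entry *dbx, size_t count,
                     const uint8_t tbs[SHA256_LEN], const EfiTime *signing_time) {
  for (size_t i = 0; i < count; i++) {
    if (memcmp(dbx[i].TbsHash, tbs, SHA256_LEN) != 0) continue;
    if (time_is_zero(&dbx[i].TimeOfRevocation) || signing_time == NULL) return true;
    if (compare_efi_time(signing_time, &dbx[i].TimeOfRevocation) >= 0) return true;
  }
  return false;
}

/* Constructed demo DBX (filler hashes, not real certificates): entry 0 is hash 0xAA..
 * revoked from 2018-02-06 00:00:00 (0x07E2 = 2018); entry 1 is hash 0xBB.. with a zero
 * time. Returns 1 = revoked, 0 = allowed, -1 = error. */
int demo_scenario(int which) {
  uint8_t blob[2][X509_SHA256_ENTRY_LEN] = {{0}};
  memset(blob[0], 0xAA, SHA256_LEN);
  blob[0][32] = 0xE2; blob[0][33] = 0x07; blob[0][34] = 2; blob[0][35] = 6;
  memset(blob[1], 0xBB, SHA256_LEN);
  X509Sha256Entry dbx[2];
  for (int i = 0; i < 2; i++)
    if (!parse_x509_sha256_entry(blob[i], X509_SHA256_ENTRY_LEN, &dbx[i])) return -1;
  uint8_t unlisted[SHA256_LEN]; memset(unlisted, 0xCC, SHA256_LEN);
  EfiTime before = {2018, 1, 15, 12, 0, 0, 0, 0, 0, 0, 0}; /* signed before revocation */
  EfiTime after  = {2018, 3, 1, 0, 0, 0, 0, 0, 0, 0, 0};   /* signed after revocation */
  switch (which) {
    case 0: return is_cert_revoked(dbx, 2, dbx[0].TbsHash, &before); /* 0: still trusted */
    case 1: return is_cert_revoked(dbx, 2, dbx[0].TbsHash, &after);  /* 1: revoked */
    case 2: return is_cert_revoked(dbx, 2, dbx[1].TbsHash, &before); /* 1: zero time */
    case 3: return is_cert_revoked(dbx, 2, unlisted, &after);        /* 0: not listed */
    case 4: return is_cert_revoked(dbx, 2, dbx[0].TbsHash, NULL);    /* 1: no time */
    default: return -1;
  }
}
```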


[edk2] [PATCH] SecurityPkg: Support PP version lower than 1.3

2018-02-04 Thread Zhang, Chao B
TCG PP 1.2 & PP 1.3 spec defined different Opcodes.
Update code to support both.

Cc: Long Qin 
Cc: Yao Jiewen 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
---
 .../SmmTcg2PhysicalPresenceLib.c   | 31 +-
 .../SmmTcg2PhysicalPresenceLib.inf |  7 +++--
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git 
a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c 
b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c
index 6061453..ffade10 100644
--- 
a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c
+++ 
b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c
@@ -10,7 +10,7 @@
   Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction() and 
Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction()
   will receive untrusted input and do validation.
 
-Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
 This program and the accompanying materials 
 are licensed and made available under the terms and conditions of the BSD 
License 
 which accompanies this distribution.  The full text of the license may be 
found at 
@@ -27,12 +27,16 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 
 #include 
 
+#include 
 #include 
 #include 
 #include 
 #include 
 
+#define PP_INF_VERSION_1_2"1.2"
+
 EFI_SMM_VARIABLE_PROTOCOL  *mTcg2PpSmmVariable;
+BOOLEANmIsTcg2PPVerLowerThan_1_3 = FALSE;
 
 /**
   The handler for TPM physical presence function:
@@ -337,11 +341,22 @@ Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction (
   break;
 
 default:
-  if (OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) 
{
-//
-// TCG PP spec defined operations that are reserved or un-implemented
-//
-return TCG_PP_GET_USER_CONFIRMATION_NOT_IMPLEMENTED;
+  if (mIsTcg2PPVerLowerThan_1_3 == FALSE) {
+if (OperationRequest < 
TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
+  //
+  // TCG2 PP1.3 spec defined operations that are reserved or 
un-implemented
+  //
+  return TCG_PP_GET_USER_CONFIRMATION_NOT_IMPLEMENTED;
+}
+  } else {
+   //
+   // TCG PP lower than 1.3. (1.0, 1.1, 1.2)
+   //
+   if (OperationRequest <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {
+ RequestConfirmed = TRUE;
+   } else if (OperationRequest < 
TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
+ return TCG_PP_GET_USER_CONFIRMATION_NOT_IMPLEMENTED;
+   }
   }
   break;
   }
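Review bot: in the `else` (pre-1.3) branch every `OperationRequest` up to `TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX` is set `RequestConfirmed = TRUE` with no explanation of why those opcodes need no user confirmation under PP 1.0/1.1/1.2, while requests at or above `TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION` fall through with `RequestConfirmed` untouched; a comment citing the spec clause for the auto-confirm range would document that. The `else` branch is also indented one space deeper than the `if` branch (`+   //` versus `+  //`); align it.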
@@ -377,6 +392,10 @@ Tcg2PhysicalPresenceLibConstructor (
 {
   EFI_STATUS  Status;
 
+  if (AsciiStrnCmp(PP_INF_VERSION_1_2, (CHAR8 
*)PcdGetPtr(PcdTcgPhysicalPresenceInterfaceVer), 
AsciiStrLen(PP_INF_VERSION_1_2)) <=0) {
+mIsTcg2PPVerLowerThan_1_3 = TRUE;
+  }
+
   //
   // Locate SmmVariableProtocol.
   //
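Review bot: the version test looks inverted. `AsciiStrnCmp (PP_INF_VERSION_1_2, Pcd, 3)` returns a negative value when the PCD string sorts above `"1.2"`, so with `<= 0` a PCD of `"1.3"` sets `mIsTcg2PPVerLowerThan_1_3 = TRUE` while a PCD of `"1.1"` leaves it FALSE, the opposite of the intent; the condition should be `>= 0` (the `"1.2"` literal compares greater than or equal to the PCD value). Using `sizeof (PP_INF_VERSION_1_2) - 1` instead of `AsciiStrLen (PP_INF_VERSION_1_2)` for the length, as Qin and Jiewen suggest upthread, avoids the runtime string walk; also `<=0` should be spaced `<= 0`.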
diff --git 
a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf 
b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf
index 5fa84b1..8367097 100644
--- 
a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf
+++ 
b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf
@@ -7,7 +7,7 @@
 #  This driver will have external input - variable.
 #  This external input must be validated carefully to avoid security issue.
 #
-# Copyright (c) 2015, Intel Corporation. All rights reserved.
+# Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
 # This program and the accompanying materials
 # are licensed and made available under the terms and conditions of the BSD 
License
 # which accompanies this distribution. The full text of the license may be 
found at
@@ -52,6 +52,9 @@
   ## SOMETIMES_CONSUMES ## Variable:L"PhysicalPresence"
   ## SOMETIMES_CONSUMES ## Variable:L"PhysicalPresenceFlags"
   gEfiTcg2PhysicalPresenceGuid
-  
+
+[Pcd]
+  gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer  ## CONSUMES
+
 [Depex]
   gEfiSmmVariableProtocolGuid
\ No newline at end of file
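Review bot: the trailing `\ No newline at end of file` survives this change; since the hunk already touches the last lines of `SmmTcg2PhysicalPresenceLib.inf`, add the final newline so later diffs around `[Depex]` stay clean. The new `[Pcd]` entry for `PcdTcgPhysicalPresenceInterfaceVer` marked `## CONSUMES` matches the `PcdGetPtr` read in the constructor.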
-- 
1.9.5.msysgit.1



[edk2] [PATCH] SecurityPkg: Add UNI string for 2 PCDs

2018-02-02 Thread Zhang, Chao B
Add prompt & help string for PcdTpm2CurrentIrqNum, PcdTpm2PossibleIrqNumBuf

Cc: Dandan Bi 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
---
 SecurityPkg/SecurityPkg.uni | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/SecurityPkg/SecurityPkg.uni b/SecurityPkg/SecurityPkg.uni
index 1263516..aaf7726 100644
--- a/SecurityPkg/SecurityPkg.uni
+++ b/SecurityPkg/SecurityPkg.uni
@@ -5,7 +5,7 @@
 // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library 
classes)
 // and libraries instances, which are used for those features.
 //
-// Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
+// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
 //
 // This program and the accompanying materials are licensed and made available 
under
 // the terms and conditions of the BSD License which accompanies this 
distribution.
@@ -238,3 +238,12 @@

 "To support configuring from setup page, this PCD can be DynamicHii type 
and map to a setup option.\n"

 "For example, map to TCG2_VERSION.Tpm2AcpiTableRev to be configured by 
Tcg2ConfigDxe driver.\n"

 
"gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L\"TCG2_VERSION\"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS"
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2CurrentIrqNum_PROMPT  
#language en-US "Current TPM2 device interrupt number"
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2CurrentIrqNum_HELP  #language 
en-US "This PCD defines current TPM2 device interrupt number reported by _CRS. 
If set to 0, interrupt is disabled."
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2PossibleIrqNumBuf_PROMPT  
#language en-US "Possible TPM2 device interrupt number buffer"
+
+#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2PossibleIrqNumBuf_HELP  
#language en-US "This PCD defines possible TPM2 interrupt number in a platform 
reported by _PRS control method.\n"
+   
  "If PcdTpm2CurrentIrqNum set to 0, _PRS will not report any possible 
TPM2 interrupt numbers."
\ No newline at end of file
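Review bot: the new prompt strings do not match the `@Prompt` text in `SecurityPkg.dec` (`Current TPM2 Interrupt Number` / `Possible TPM2 Interrupt Number buffer` there versus `Current TPM2 device interrupt number` / `Possible TPM2 device interrupt number buffer` here); keep the two in sync so tooling shows one wording. The `PcdTpm2PossibleIrqNumBuf` help text should also state that the buffer is an array of UINT32 entries, which is what the Tcg2Smm size check (`% sizeof(UINT32)`) expects. The file still ends without a newline (`\ No newline at end of file`).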
-- 
1.9.5.msysgit.1



[edk2] [PATCH] SecurityPkg: Disable TPM interrupt in DEC

2018-01-29 Thread Zhang, Chao B
Disable TPM interrupt support in DEC

Cc: Yao Jiewen 
Cc: Long Qin 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
---
 SecurityPkg/SecurityPkg.dec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index d2741f6..983fb0e 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -453,12 +453,12 @@
   ## Indicate current TPM2 Interrupt Number reported by _CRS control 
method.
   # TPM2 Interrupt feature is disabled If the pcd is set to 0.
   # @Prompt Current TPM2 Interrupt Number
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2CurrentIrqNum|0x0C|UINT32|0x0001001C
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2CurrentIrqNum|0x00|UINT32|0x0001001C
 
   ## Indicate platform possible TPM2 Interrupt Number reported by _PRS control 
method.
   # Possible TPM2 Interrupt Number Buffer will not be reported if TPM2 
Interrupt feature is disabled.
   # @Prompt Possible TPM2 Interrupt Number buffer
-  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2PossibleIrqNumBuf|{0x0C, 0x00, 0x00, 
0x00}|VOID*|0x0001001D
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2PossibleIrqNumBuf|{0x00, 0x00, 0x00, 
0x00}|VOID*|0x0001001D
 
 [PcdsDynamic, PcdsDynamicEx]
 
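Review bot: setting both defaults to 0 is consistent with the existing comment `TPM2 Interrupt feature is disabled If the pcd is set to 0`, but nothing in the hunk says why the previous IRQ 0x0C default was dropped; a comment here (or in the commit message) should give the reason and note that a platform enabling the feature must override `PcdTpm2CurrentIrqNum` and `PcdTpm2PossibleIrqNumBuf` together, since the `_PRS` buffer is not reported when the current IRQ is 0.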
-- 
1.9.5.msysgit.1



Re: [edk2] [PATCH] SecurityPkg: Tcg2Smm: Enable TPM2.0 interrupt support

2018-01-24 Thread Zhang, Chao B
Jiewen:
  Thank you for the comment.
  I agree with 1~3. Will update the patch accordingly.
  For 4, we verified the short format Possible Interrupt with
PcdTpm2PossibleIrqNumBuf set to
   {(UINT32)0x01}                    short formed resource buffer
   {(UINT32)0x01 ~ (UINT32)0x0A}     short formed resource buffer
   {(UINT32)0x01 ~ (UINT32)0x0B}     long formed resource buffer
   {(UINT32)0x01 ~ (UINT32)0x0F}     long formed resource buffer
   All of them can be patched successfully.

-Original Message-
From: Yao, Jiewen 
Sent: Thursday, January 25, 2018 2:39 PM
To: Zhang, Chao B <chao.b.zh...@intel.com>; edk2-devel@lists.01.org
Cc: Zhang, Chao B <chao.b.zh...@intel.com>; Ronald Aigner 
<ronald.aig...@microsoft.com>
Subject: RE: [edk2] [PATCH] SecurityPkg: Tcg2Smm: Enable TPM2.0 interrupt 
support

Thanks Chao.
In general this patch is good.

Some minor suggestions for your consideration:
1) Can we rename PcdTpm2IrqNum to PcdTpm2CurrentIrqNum? (To match
PcdTpm2PossibleIrqNumBuf)

2) I suggest we output a debug message if the below condition is NOT satisfied, so
that people know what happens.
Silent failure is not the best way.

> +if (PossibleIrqNumBufSize <= MAX_PRS_INT_BUF_SIZE &&
> (PossibleIrqNumBufSize % sizeof(UINT32)) == 0) {
> +  Status = UpdatePossibleResource(Table, PossibleIrqNumBuf,
> PossibleIrqNumBufSize);
> +  DEBUG ((
> +DEBUG_INFO,
> +"UpdatePossibleResource status - %x\n",
> +Status
> +));
> +  }

3) Do we use UINT32 to IrqNumber? If so, you can use {(UINT32)0x12} for that.

> +  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2PossibleIrqNumBuf|{0x12, 0x00,
> 0x00, 0x00}|VOID*|0x0001001D

4) Would you please clarify what test has been done for the PCD patch?
Since you support a flexible format (short vs. long), please make sure all paths
are covered.



Thank you
Yao Jiewen


> -Original Message-
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of 
> Zhang, Chao B
> Sent: Thursday, January 25, 2018 2:25 PM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen <jiewen@intel.com>; Zhang, Chao B 
> <chao.b.zh...@intel.com>; Ronald Aigner <ronald.aig...@microsoft.com>
> Subject: [edk2] [PATCH] SecurityPkg: Tcg2Smm: Enable TPM2.0 interrupt 
> support
> 
> 1. Expose _CRS, _SRS, _PRS control method to support TPM interrupt
> 2. Provide 2 PCDs to configure _CRS and _PRS returned data
> 
> Cc: Yao Jiewen <jiewen@intel.com>
> Cc: Ronald Aigner <ronald.aig...@microsoft.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Chao Zhang <chao.b.zh...@intel.com>
> ---
>  SecurityPkg/SecurityPkg.dec |  12 +-
>  SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c   | 268
> +++-
>  SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.h   |  24 +++-
>  SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf |   5 +-
>  SecurityPkg/Tcg/Tcg2Smm/Tpm.asl |  96 ++---
>  5 files changed, 383 insertions(+), 22 deletions(-)
> 
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec 
> index 50dbe95..a2b3191 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -5,7 +5,7 @@
>  #  It also provides the definitions(including PPIs/PROTOCOLs/GUIDs 
> and library
> classes)
>  #  and libraries instances, which are used for those features.
>  #
> -# Copyright (c) 2009 - 2017, Intel Corporation. All rights 
> reserved.
> +# Copyright (c) 2009 - 2018, Intel Corporation. All rights 
> +reserved.
>  # (C) Copyright 2015 Hewlett Packard Enterprise Development LP   
> # Copyright (c) 2017, Microsoft Corporation.  All rights reserved. 
>   # This program and the accompanying materials are licensed and 
> made available under @@ -450,6 +450,16 @@
># @Prompt Initial setting of TCG2 Persistent Firmware Management 
> Flags
> 
> gEfiSecurityPkgTokenSpaceGuid.PcdTcg2PhysicalPresenceFlags|0x300E2|UIN
> T3
> 2|0x0001001B
> 
> +  ## Indicate current TPM2 Interrupt Number reported by _CRS control
> method.
> +  # TPM2 Interrupt feature is disabled If the pcd is set to 0.  # 
> + @Prompt Current TPM2 Interrupt Number
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdTpm2IrqNum|0x12|UINT32|0x0001001C
> +
> +  ## Indicate platform possible TPM2 Interrupt Number reported by 
> + _PRS
> control method.
> +  # Possible TPM2 Interrupt Number Buffer will not be reported if 
> + TPM2
> Interrupt feature is disabled.
> +  # @Prompt Possible TPM2 Interrupt Number buffer  
> + gEfiSecurityPkgTokenSpaceGuid.PcdTpm2PossibleIrqNumBuf|{0x12, 0x00,
> 0x00, 0x00}|VOID*|0x0001001D
> +
>  [PcdsDynamic, PcdsDynamicEx]
> 
>## This PCD indicates Hash mask fo

[edk2] [PATCH] SecurityPkg: Tcg2Smm: Enable TPM2.0 interrupt support

2018-01-24 Thread Zhang, Chao B
1. Expose _CRS, _SRS, _PRS control method to support TPM interrupt
2. Provide 2 PCDs to configure _CRS and _PRS returned data

Cc: Yao Jiewen 
Cc: Ronald Aigner 
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang 
---
 SecurityPkg/SecurityPkg.dec |  12 +-
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c   | 268 +++-
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.h   |  24 +++-
 SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.inf |   5 +-
 SecurityPkg/Tcg/Tcg2Smm/Tpm.asl |  96 ++---
 5 files changed, 383 insertions(+), 22 deletions(-)

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 50dbe95..a2b3191 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -5,7 +5,7 @@
 #  It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library 
classes)
 #  and libraries instances, which are used for those features.
 #
-# Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
+# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
 # (C) Copyright 2015 Hewlett Packard Enterprise Development LP 
 # Copyright (c) 2017, Microsoft Corporation.  All rights reserved. 
 # This program and the accompanying materials are licensed and made available 
under
@@ -450,6 +450,16 @@
   # @Prompt Initial setting of TCG2 Persistent Firmware Management Flags
   
gEfiSecurityPkgTokenSpaceGuid.PcdTcg2PhysicalPresenceFlags|0x300E2|UINT32|0x0001001B
 
+  ## Indicate current TPM2 Interrupt Number reported by _CRS control 
method.
+  # TPM2 Interrupt feature is disabled If the pcd is set to 0.
+  # @Prompt Current TPM2 Interrupt Number
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2IrqNum|0x12|UINT32|0x0001001C
+
+  ## Indicate platform possible TPM2 Interrupt Number reported by _PRS control 
method.
+  # Possible TPM2 Interrupt Number Buffer will not be reported if TPM2 
Interrupt feature is disabled.
+  # @Prompt Possible TPM2 Interrupt Number buffer
+  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2PossibleIrqNumBuf|{0x12, 0x00, 0x00, 
0x00}|VOID*|0x0001001D
+
 [PcdsDynamic, PcdsDynamicEx]
 
   ## This PCD indicates Hash mask for TPM 2.0. Bit definition strictly follows 
TCG Algorithm Registry.
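Review bot: the `PcdTpm2PossibleIrqNumBuf` comment says the buffer "will not be reported if TPM2 Interrupt feature is disabled" but never says how the buffer is laid out: the default `{0x12, 0x00, 0x00, 0x00}` is one little-endian UINT32, and the consumer rejects sizes that are not a multiple of `sizeof(UINT32)` or exceed `MAX_PRS_INT_BUF_SIZE` (see the review quote above). State the element width and the size limit in the comment so platform overrides do not silently fail that check, and name the two PCDs consistently (`PcdTpm2IrqNum` versus `PcdTpm2PossibleIrqNumBuf`), as Jiewen's point 1 asks.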
diff --git a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c 
b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
index 5a1fd3e..5ad042e 100644
--- a/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
+++ b/SecurityPkg/Tcg/Tcg2Smm/Tcg2Smm.c
@@ -9,7 +9,7 @@
 
   PhysicalPresenceCallback() and MemoryClearCallback() will receive untrusted 
input and do some check.
 
-Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
 This program and the accompanying materials 
 are licensed and made available under the terms and conditions of the BSD 
License 
 which accompanies this distribution.  The full text of the license may be 
found at 
@@ -304,6 +304,251 @@ UpdatePPVersion (
 }
 
 /**
+  Patch interrupt resources returned by TPM _PRS. ResourceTemplate to patch is 
determined by input
+  interrupt buffer size. BufferSize, PkgLength and interrupt descirptor in 
ByteList need to be patched
+
+  @param[in, out] TableThe TPM item in ACPI table.
+  @param[in]  IrqBufferInput new IRQ buffer.
+  @param[in]  IrqBuffserSize   Input new IRQ buffer size.
+
+  @return  patch status.
+
+**/
+EFI_STATUS
+UpdatePossibleResource (
+  EFI_ACPI_DESCRIPTION_HEADER*Table,
+  UINT32 *IrqBuffer,
+  UINT32 IrqBuffserSize
+  )
+{
+  UINT8   *DataPtr;
+  UINT8   *DataEndPtr;
+  UINT32  NewPkgLength;
+  UINT32  OrignalPkgLength;
+
+  NewPkgLength = 0;
+  OrignalPkgLength = 0;
+  DataEndPtr   = NULL;
+
+  //
+  // Follow ACPI spec
+  //   6.4.3   Extend Interrupt Descriptor.
+  //   19.3.3 ASL Resource Template
+  //   20  AML specification
+  // to patch TPM ACPI object _PRS returned ResourceTemplate() containing 2 
resource descriptors and an auto appended End Tag
+  //
+  //  AML data is organized by following rule.
+  //  Code need to patch BufferSize and PkgLength and interrupt descirptor in 
ByteList
+  //
+  // =  Buffer 
+  //   DefBuffer := BufferOp PkgLength BufferSize ByteList
+  //BufferOp := 0x11
+  //
+  // ==PkgLength==
+  //  PkgLength := PkgLeadByte |
+  //   |
+  //   |
+  //  
+  //
+  //   PkgLeadByte := 
+  //   
+  //   
+  //
+  //==BufferSize==
+  //BufferSize := Integar
+  //   Integar := ByteConst|WordConst|DwordConst
+  //
+  //   ByteConst := BytePrefix ByteData
+  //
+  
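Review bot: spelling in the new `UpdatePossibleResource` documentation and signature: the parameter `IrqBuffserSize` (used consistently, so it compiles, but it reads as a typo for `IrqBufferSize`), `OrignalPkgLength`, `descirptor` (twice), `Integar` (twice in the AML grammar comment) and `Extend Interrupt Descriptor` for the ACPI 6.4.3 `Extended Interrupt Descriptor`. The `@param` list also names the parameter `IrqBuffserSize` while the prose says "interrupt buffer size"; renaming the parameter fixes both.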
