
Re: [edk2-devel] [PATCH] MdeModulePkg/DxeCapsuleLibFmp: Add runtime SetImage support

gaoliming
 

Bob:
I suggest to obviously describe that FMP protocol services may be available in EFI runtime, and define the standard method to know whether FMP protocol supports runtime attribute.

Because UEFI spec is required to be updated, the code enhancement in DxeCapsuleLibFmp and FmpDevicePkg can go through code first process and be placed into edk2-staging first.

Thanks
Liming

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bob Morgan
via groups.io
Sent: November 5, 2021 6:53
To: devel@edk2.groups.io; gaoliming@...
Cc: 'Jian J Wang' <jian.j.wang@...>; 'Guomin Jiang'
<guomin.jiang@...>
Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/DxeCapsuleLibFmp: Add
runtime SetImage support

Hi Liming,

The Uefi spec Version 2.9 appears to have some inconsistencies regarding the
possibility of runtime processing of FMP capsules. The UpdateCapsule()
runtime service in Section 8.5.3 states that "the firmware may process the
capsule immediately", but in Section 23.3.1, where the FMP capsule is
described, the last paragraph states "By definition Firmware Management
protocol services are not available in EFI runtime".

I think the following spec changes would document the optional runtime FMP
capsule processing as implemented in this patch:

1. Reword Section 23.3.1 Description last paragraph, first sentence.
From: "By definition Firmware Management protocol services are not
available in EFI runtime and depending upon platform capabilities, EFI runtime
delivery of this capsule may not be supported and may return an error when
delivered in EFI runtime with CAPSULE_FLAGS_PERSIST_ACROSS_RESET bit
defined."

To something like this: "Depending upon platform capabilities, EFI runtime
delivery or processing of this capsule may not be supported and may return an
error when delivered in EFI runtime."

2. Reword Section 23.3.3 Step 3.
From: "If system is not in boot services and platform does not support
persistence of capsule across reset when initiated within EFI Runtime,
EFI_OUT_OF_RESOURCES error is returned."

To something like this: "If system is not in boot services and the
CAPSULE_FLAGS_PERSIST_ACROSS_RESET flag is set, but the platform does
not support persistence of capsule across reset when initiated within EFI
Runtime, EFI_OUT_OF_RESOURCES error is returned." <<<By the way,
UpdateCapsule() currently appears to return EFI_UNSUPPORTED in this case,
see the IsPersistAcrossResetCapsuleSupported () check near the end>>>

3. Add runtime FMP support info to Section 23.3.3 Step 3.
If system is not in boot services and the
CAPSULE_FLAGS_PERSIST_ACROSS_RESET flag is not set, but the platform
does not support processing of capsules within EFI Runtime,
EFI_OUT_OF_RESOURCES error is returned. If the platform supports
processing of capsules within EFI Runtime, steps 4-10 are not applicable and
the capsules are processed according to steps 11-14.

Let me know what you think and we can get an ECR process started to update
the spec.

Thanks,

-bob

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of gaoliming
via groups.io
Sent: Monday, November 1, 2021 7:17 PM
To: devel@edk2.groups.io; Bob Morgan <bobm@...>
Cc: 'Jian J Wang' <jian.j.wang@...>; 'Guomin Jiang'
<guomin.jiang@...>
Subject: 回复: [edk2-devel] [PATCH] MdeModulePkg/DxeCapsuleLibFmp:
Add runtime SetImage support



Bob:
Thanks for your details. PcdRuntimeFmpCapsuleImageTypeIdGuid is an edk2
implementation solution. Do you have a proposal on how to update the UEFI
spec to support a runtime FMP protocol?

Thanks
Liming
-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bob
Morgan via
groups.io
Sent: October 30, 2021 1:59
To: gaoliming <gaoliming@...>; devel@edk2.groups.io
Cc: 'Jian J Wang' <jian.j.wang@...>; 'Guomin Jiang'
<guomin.jiang@...>
Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/DxeCapsuleLibFmp: Add
runtime SetImage support

Hi Liming, See inline below.

-----Original Message-----
From: gaoliming <gaoliming@...>
Sent: Thursday, October 28, 2021 7:57 PM
To: devel@edk2.groups.io; Bob Morgan <bobm@...>
Cc: 'Jian J Wang' <jian.j.wang@...>; 'Guomin Jiang'
<guomin.jiang@...>
Subject: 回复: [edk2-devel] [PATCH] MdeModulePkg/DxeCapsuleLibFmp:
Add runtime SetImage support



Bob:
I think this patch needs to work together with the changes of
FmpDevicePkg: Add support for runtime FmpDxe driver.
Yes, this patch adds support to process FMP capsules at runtime if the
capsule’s UpdateImageTypeId is supported by a runtime-capable FmpDxe
driver (e.g. using the FmpDevicePkg patch you mentioned). The
PcdSupportProcessCapsuleAtRuntime PCD must be TRUE and the capsule’s
CAPSULE_FLAGS_PERSIST_ACROSS_RESET flag must be FALSE.

Capsule is a runtime service. If it consumes FMP to do the update, the FMP
service can support runtime. But how does Capsule know whether the FMP
protocol supports runtime or not?
Right, this patch requires an implementation to list the FMP
ImageTypeId GUIDs supported by any runtime-capable FmpDxe drivers in
the new PcdRuntimeFmpCapsuleImageTypeIdGuid array PCD. This PCD is
used by the new InitializeRuntimeFmpArrays() function during
DxeRuntimeCapsuleLib initialization to find the FMP instances that
support those ImageTypeIds and save their
EFI_FIRMWARE_MANAGEMENT_PROTOCOL protocol structure pointers for
runtime use during capsule processing.

When ProcessFmpCapsuleImage() executes its step ‘2. Route payload to
right FMP instance’, it detects runtime execution and uses the saved
runtime-capable FMP protocol structure pointer if its ImageTypeId
matches that of the capsule being processed.

I hope that helps. Please let me know if additional clarification is needed.

Thanks,
-bob

Thanks
Liming
-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bob Morgan
via groups.io
Sent: October 20, 2021 4:11
To: devel@edk2.groups.io
Cc: Bob Morgan <bobm@...>; Jian J Wang
<jian.j.wang@...>;
Liming Gao <gaoliming@...>; Guomin Jiang
<guomin.jiang@...>
Subject: [edk2-devel] [PATCH] MdeModulePkg/DxeCapsuleLibFmp: Add
runtime SetImage support

Adds optional support for processing FMP capsule images after
ExitBootServices() if the ImageTypeIdGuid is mentioned in the new
PcdRuntimeFmpCapsuleImageTypeIdGuid list.

Cc: Jian J Wang <jian.j.wang@...>
Cc: Liming Gao <gaoliming@...>
Cc: Guomin Jiang <guomin.jiang@...>
Signed-off-by: Bob Morgan <bobm@...>
---
.../Library/DxeCapsuleLibFmp/DxeCapsuleLib.c | 81 +++++++++---
.../DxeCapsuleLibFmp/DxeCapsuleRuntime.c | 119
++++++++++++++++++
.../DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf | 4 +
MdeModulePkg/MdeModulePkg.dec | 7 +-
4 files changed, 192 insertions(+), 19 deletions(-)

diff --git a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
index 90942135d7..0000f91c6a 100644
--- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
+++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
@@ -10,6 +10,7 @@
ValidateFmpCapsule(), and DisplayCapsuleImage() receives
untrusted input and
performs basic validation.

+ Copyright (c) 2021, NVIDIA CORPORATION. All rights
+ reserved.<BR>
Copyright (c) 2016 - 2019, Intel Corporation. All rights
reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent

@@ -41,6 +42,11 @@
#include <Protocol/FirmwareManagementProgress.h>
#include <Protocol/DevicePath.h>

+BOOLEAN (EFIAPI *mLibAtRuntimeFunction) (VOID)
=
NULL;
+EFI_FIRMWARE_MANAGEMENT_PROTOCOL *mRuntimeFmp
= NULL;
+VOID
**mRuntimeFmpProtocolArray
= NULL;
+EFI_GUID *mRuntimeFmpGuidArray
= NULL;
+
EFI_SYSTEM_RESOURCE_TABLE *mEsrtTable =
NULL;
BOOLEAN mIsVirtualAddrConverted =
FALSE;

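Review bot: the four new file-scope globals (mLibAtRuntimeFunction, mRuntimeFmp, mRuntimeFmpProtocolArray, mRuntimeFmpGuidArray) carry no comment, and nothing in this file states that they are populated only by the DxeRuntimeCapsuleLib instance (InitializeRuntimeFmpArrays() in DxeCapsuleRuntime.c) and stay NULL in the plain DxeCapsuleLib instance, which is what makes the `mLibAtRuntimeFunction != NULL` tests further down act as the runtime switch. A short comment block spelling out that contract, and that mRuntimeFmp is per-image scratch state written by ProcessFmpCapsuleImage() for SetFmpImageData() to consume, would make the coupling between the two source files explicit.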
@@ -551,6 +557,11 @@ DumpAllFmpInfo (
UINT32
PackageVersion;
CHAR16
*PackageVersionName;

+ // Dump not supported at runtime.
+ if ((mLibAtRuntimeFunction != NULL) && mLibAtRuntimeFunction ())
{
+ return;
+ }
+
Status = gBS->LocateHandleBuffer (
ByProtocol,
&gEfiFirmwareManagementProtocolGuid,
@@ -906,25 +917,35 @@ SetFmpImageData (
CHAR16
*AbortReason;
EFI_FIRMWARE_MANAGEMENT_UPDATE_IMAGE_PROGRESS
ProgressCallback;

- Status = gBS->HandleProtocol(
- Handle,
- &gEfiFirmwareManagementProtocolGuid,
- (VOID **)&Fmp
- );
- if (EFI_ERROR(Status)) {
- return Status;
- }
+ // If not using optional runtime support, get FMP protocol for
+ given
Handle.
+ // Otherwise, use the one saved by ProcessFmpCapsuleImage().
+ if ((mLibAtRuntimeFunction == NULL) || !mLibAtRuntimeFunction ())
{
+ Status = gBS->HandleProtocol(
+ Handle,
+ &gEfiFirmwareManagementProtocolGuid,
+ (VOID **)&Fmp
+ );
+ if (EFI_ERROR(Status)) {
+ return Status;
+ }

- //
- // Lookup Firmware Management Progress Protocol before
SetImage() is called
- // This is an optional protocol that may not be present on Handle.
- //
- Status = gBS->HandleProtocol (
- Handle,
-
&gEdkiiFirmwareManagementProgressProtocolGuid,
- (VOID **)&mFmpProgress
- );
- if (EFI_ERROR (Status)) {
+ //
+ // Lookup Firmware Management Progress Protocol before
SetImage()
is called
+ // This is an optional protocol that may not be present on Handle.
+ //
+ Status = gBS->HandleProtocol (
+ Handle,
+
&gEdkiiFirmwareManagementProgressProtocolGuid,
+ (VOID **)&mFmpProgress
+ );
+ if (EFI_ERROR (Status)) {
+ mFmpProgress = NULL;
+ }
+ } else {
+ if (mRuntimeFmp == NULL) {
+ return EFI_UNSUPPORTED;
+ }
+ Fmp = mRuntimeFmp;
mFmpProgress = NULL;
}

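Review bot: the runtime branch of SetFmpImageData() ignores the Handle parameter and returns EFI_UNSUPPORTED when mRuntimeFmp is NULL, but the function header is not updated to say so; please document that Handle is unused at runtime and list the new return value. It is also worth a comment that the EFI_UNSUPPORTED here differs from the EFI_OUT_OF_RESOURCES wording proposed for the spec earlier in this thread, so whichever one the ECR settles on can be matched later. Finally, the runtime branch sets mFmpProgress = NULL; a comment noting that the progress protocol is deliberately not looked up at runtime (no boot services) would save a reader from assuming it was forgotten.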
@@ -1259,6 +1280,30 @@ ProcessFmpCapsuleImage (
UpdateHardwareInstance =
ImageHeader->UpdateHardwareInstance;
}

+ // Optional runtime FMP SetImage processing sequence
+ if ((mLibAtRuntimeFunction != NULL) && mLibAtRuntimeFunction
+ ()
&&
+ (mRuntimeFmpProtocolArray != NULL)) {
+ mRuntimeFmp = NULL;
+ Index2 = 0;
+ while (mRuntimeFmpProtocolArray[Index2] != NULL) {
+ if (CompareGuid (&ImageHeader->UpdateImageTypeId,
+ &mRuntimeFmpGuidArray[Index2])) {
+ mRuntimeFmp =
(EFI_FIRMWARE_MANAGEMENT_PROTOCOL
*)
+ mRuntimeFmpProtocolArray[Index2];
+ break;
+ }
+ Index2++;
+ }
+
+ Status = SetFmpImageData (NULL,
+ ImageHeader,
+ Index -
FmpCapsuleHeader->EmbeddedDriverCount);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ continue;
+ }
+
Status = GetFmpHandleBufferByType (
&ImageHeader->UpdateImageTypeId,
UpdateHardwareInstance, diff --git
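Review bot: when the library is at runtime but mRuntimeFmpProtocolArray is NULL (empty PCD, or the allocation in InitializeRuntimeFmpArrays() failed), the new `if` is skipped and control falls through to GetFmpHandleBufferByType(), which relies on boot services that are gone after ExitBootServices(); returning EFI_UNSUPPORTED in that case would be safer than continuing. The runtime path also never looks at ImageHeader->UpdateHardwareInstance even though the DxeCapsuleRuntime.c header says hardware instances are not supported; rejecting (or at least logging) a non-zero UpdateHardwareInstance before selecting mRuntimeFmp would stop a capsule aimed at a specific instance from being silently applied to whichever FMP matched the ImageTypeId.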
a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleRuntime.c
b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleRuntime.c
index f94044a409..6feb6dab79 100644
--- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleRuntime.c
+++
b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleRuntime.c
@@ -1,6 +1,7 @@
/** @file
Capsule library runtime support.

+ Copyright (c) 2021, NVIDIA CORPORATION. All rights
+ reserved.<BR>
Copyright (c) 2016 - 2017, Intel Corporation. All rights
reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent

@@ -19,7 +20,11 @@
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiRuntimeLib.h>

+extern BOOLEAN (EFIAPI
*mLibAtRuntimeFunction)
(VOID);
+extern VOID **mRuntimeFmpProtocolArray;
+extern EFI_GUID *mRuntimeFmpGuidArray;
extern EFI_SYSTEM_RESOURCE_TABLE *mEsrtTable;
extern BOOLEAN mIsVirtualAddrConverted;
EFI_EVENT
mDxeRuntimeCapsuleLibVirtualAddressChangeEvent = NULL; @@
-40,9
+45,121 @@ DxeCapsuleLibVirtualAddressChangeEvent (
)
{
gRT->ConvertPointer (EFI_OPTIONAL_PTR, (VOID **)&mEsrtTable);
+
+ if (mRuntimeFmpProtocolArray != NULL) {
+ VOID **FmpArrayEntry;
+
+ FmpArrayEntry = mRuntimeFmpProtocolArray;
+ while (*FmpArrayEntry != NULL) {
+ EfiConvertPointer (0x0, (VOID **) FmpArrayEntry);
+ FmpArrayEntry++;
+ }
+ EfiConvertPointer (0x0, (VOID **)
&mRuntimeFmpProtocolArray); }
+ if (mRuntimeFmpGuidArray != NULL) {
+ EfiConvertPointer (0x0, (VOID **) &mRuntimeFmpGuidArray); }
if
+ (mLibAtRuntimeFunction != NULL ) {
+ EfiConvertPointer (0x0, (VOID **) &mLibAtRuntimeFunction); }
+
mIsVirtualAddrConverted = TRUE; }

+/**
+ Initialize optional runtime FMP arrays to support FMP SetImage
processing
+ after ExitBootServices() is called.
+
+ The ImageTypeIdGuids of runtime-capable FMP protocol drivers
+ are
extracted
+ from the PcdRuntimeFmpCapsuleImageTypeIdGuid list and their
+ protocol structure pointers are saved in the
+ mRuntimeFmpProtocolArray for use
during
+ UpdateCapsule() processing. UpdateHardwareInstance is not
supported.
+
+**/
+STATIC
+VOID
+EFIAPI
+InitializeRuntimeFmpArrays (
+ VOID
+ )
+{
+ EFI_GUID *Guid;
+ UINTN NumHandles;
+ EFI_HANDLE *HandleBuffer;
+ EFI_STATUS Status;
+ UINTN Count;
+ UINTN Index;
+ UINTN FmpArrayIndex;
+
+ EFI_STATUS
+ GetFmpHandleBufferByType (
+ IN EFI_GUID
*UpdateImageTypeId,
+ IN UINT64
UpdateHardwareInstance,
+ OUT UINTN *NoHandles,
OPTIONAL
+ OUT EFI_HANDLE **HandleBuf,
OPTIONAL
+ OUT BOOLEAN
**ResetRequiredBuf
OPTIONAL
+ );
+
+ Count = PcdGetSize (PcdRuntimeFmpCapsuleImageTypeIdGuid) /
sizeof
(GUID);
+ if (Count == 0) {
+ return;
+ }
+
+ // mRuntimeFmpProtocolArray is a NULL-terminated list of FMP
+ protocol
pointers
+ mRuntimeFmpProtocolArray = (VOID **)
+ AllocateRuntimeZeroPool ((Count + 1) * sizeof (VOID *)); if
+ (mRuntimeFmpProtocolArray == NULL) {
+ DEBUG ((DEBUG_ERROR, "Error allocating
mRuntimeFmpProtocolArray\n"));
+ return;
+ }
+ mRuntimeFmpGuidArray = (EFI_GUID *)
+ AllocateRuntimeZeroPool (Count * sizeof (EFI_GUID)); if
+ (mRuntimeFmpGuidArray == NULL) {
+ DEBUG ((DEBUG_ERROR, "Error allocating
mRuntimeFmpGuidArray"));
+ FreePool (mRuntimeFmpProtocolArray);
+ return;
+ }
+
+ // For each runtime ImageTypeIdGuid in the PCD, save its GUID
+ and FMP
protocol
+ FmpArrayIndex = 0;
+ Guid = PcdGetPtr (PcdRuntimeFmpCapsuleImageTypeIdGuid);
+ for (Index = 0; Index < Count; Index++, Guid++) {
+ mRuntimeFmpGuidArray[FmpArrayIndex] = *Guid;
+ HandleBuffer = NULL;
+ Status = GetFmpHandleBufferByType (Guid,
+ 0,
+ &NumHandles,
+ &HandleBuffer,
+ NULL);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR,
+ "Error finding FMP handle for runtime
ImageTypeIdGuid=%g: %r\n",
+ Guid, Status));
+ continue;
+ }
+
+ if (NumHandles > 1) {
+ DEBUG ((DEBUG_ERROR,
+ "FMP runtime ImageTypeIdGuid=%g returned %u
handles,
only 1 supported\n",
+ Guid, NumHandles));
+ }
+ Status = gBS->HandleProtocol (HandleBuffer[0],
+
&gEfiFirmwareManagementProtocolGuid,
+
&mRuntimeFmpProtocolArray[FmpArrayIndex]);
+ FreePool (HandleBuffer);
+ if (EFI_ERROR(Status)) {
+ DEBUG ((DEBUG_ERROR,
+ "Error getting FMP protocol for runtime
ImageTypeIdGuid=%g: %r\n",
+ Guid, Status));
+ continue;
+ }
+
+ FmpArrayIndex++;
+ }
+
+ mLibAtRuntimeFunction = EfiAtRuntime; }
+
/**
Notify function for event group
EFI_EVENT_GROUP_READY_TO_BOOT.

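Review bot: in InitializeRuntimeFmpArrays(), the mRuntimeFmpGuidArray allocation-failure path calls `FreePool (mRuntimeFmpProtocolArray)` but leaves the global pointing at freed memory, while both DxeCapsuleLibVirtualAddressChangeEvent() and ProcessFmpCapsuleImage() test that same global against NULL; set it back to NULL right after the FreePool. Smaller points in the same hunk: the GetFmpHandleBufferByType() prototype is declared inside the function body rather than in a shared internal header for the library; the "Error allocating mRuntimeFmpGuidArray" DEBUG string lacks its "\n"; when NumHandles > 1 only HandleBuffer[0] is used after a DEBUG_ERROR, so "first handle wins" deserves either an explicit comment or an error return; and in the virtual address change handler it is worth a comment that EfiConvertPointer() converts only the pointer to each EFI_FIRMWARE_MANAGEMENT_PROTOCOL structure, while the function pointers inside it remain the owning runtime FmpDxe driver's responsibility.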
@@ -93,6 +210,8 @@ DxeCapsuleLibReadyToBootEventNotify (
//
mEsrtTable->FwResourceCountMax =
mEsrtTable->FwResourceCount;
}
+
+ InitializeRuntimeFmpArrays ();
}

/**
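Review bot: InitializeRuntimeFmpArrays() is called from the ReadyToBoot notify unconditionally, and EFI_EVENT_GROUP_READY_TO_BOOT is signalled on every boot option attempt, so a second signal would allocate fresh arrays, leak the old ones, and leave the converted pointers in the VirtualAddressChange handler pointing at the first set. An early return when mRuntimeFmpProtocolArray is already non-NULL (or closing the event after the first run) keeps the initialisation idempotent.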
diff --git
a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf
b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf
index bf56f4623f..7b3f5e04f8 100644
---
a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf
+++
b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf
@@ -49,6 +49,7 @@
PrintLib
HobLib
BmpSupportLib
+ PcdLib


[Protocols]
@@ -70,5 +71,8 @@
gEfiEventVirtualAddressChangeGuid ## CONSUMES ##
Event
gEdkiiCapsuleOnDiskNameGuid ##
SOMETIMES_CONSUMES ## GUID

+[Pcd]
+
gEfiMdeModulePkgTokenSpaceGuid.PcdRuntimeFmpCapsuleImageTypeIdG
ui
d
+
[Depex]
gEfiVariableWriteArchProtocolGuid diff --git
a/MdeModulePkg/MdeModulePkg.dec
b/MdeModulePkg/MdeModulePkg.dec
index 133e04ee86..869aa892f7
100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -3,7 +3,7 @@
# It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
and library classes) # and libraries instances, which are used
for those modules.
#
-# Copyright (c) 2019, NVIDIA CORPORATION. All rights reserved.
+# Copyright (c) 2019-2021, NVIDIA CORPORATION. All rights
+reserved.<BR>
# Copyright (c) 2007 - 2021, Intel Corporation. All rights
reserved.<BR> # Copyright (c) 2016, Linaro Ltd. All rights
reserved.<BR> # (C) Copyright 2016 - 2019 Hewlett Packard
Enterprise Development LP<BR> @@ -2020,6 +2020,11 @@
# @Prompt Capsule On Disk Temp Relocation file name in PEI
phase

gEfiMdeModulePkgTokenSpaceGuid.PcdCoDRelocationFileName|L"Cod.tmp
"|
VOID*|0x30001048

+ ## This PCD holds a list of GUIDs for the ImageTypeId to
+ indicate the # FMP is runtime capable.
+ # @Prompt A list of runtime-capable FMP ImageTypeId GUIDs
+
gEfiMdeModulePkgTokenSpaceGuid.PcdRuntimeFmpCapsuleImageTypeIdG
ui
d|{0x0}|VOID*|0x30001049
+
## This PCD hold a list GUIDs for the ImageTypeId to indicate the
# FMP capsule is a system FMP.
# @Prompt A list of system FMP ImageTypeId GUIDs
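Review bot: the new PCD's description reads "to indicate the # FMP is runtime capable", with a stray "#" left over from the wrapped comment line, and nothing says that the default of {0x0} is a single zero byte which the library interprets as "no runtime FMPs" because PcdGetSize()/sizeof(GUID) rounds to zero; state both in the comment so platform owners know the value must be a whole number of 16-byte GUIDs. The neighbouring "This PCD hold a list GUIDs" comment has the same grammar slip if you are touching that area anyway.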
--
2.17.1


Re: [PATCH] Reallocate TPM Active PCRs based on platform support.

Yao, Jiewen
 

Would you please confirm if you have run CI and got a PASS result?

-----Original Message-----
From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@...>
Sent: Friday, November 5, 2021 2:07 AM
To: devel@edk2.groups.io
Cc: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@...>;
Wang, Jian J <jian.j.wang@...>; Yao, Jiewen <jiewen.yao@...>
Subject: [PATCH] Reallocate TPM Active PCRs based on platform support.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3515

In V3: Cleaned up comments, debug prints and updated patch to use the
new debug ENUM definitions.

- Replaced EFI_D_INFO with DEBUG_INFO.
- Replaced EFI_D_VERBOSE with DEBUG_VERBOSE.

In V2: Add case to RegisterHashInterfaceLib logic

RegisterHashInterfaceLib needs to correctly handle registering the HashLib
instance supported algorithm bitmap when PcdTpm2HashMask is set to zero.

The current implementation of SyncPcrAllocationsAndPcrMask() triggers
PCR bank reallocation only based on the intersection between
TpmActivePcrBanks and PcdTpm2HashMask.

When the software HashLibBaseCryptoRouter solution is used, no PCR bank
reallocation is occurring based on the supported hashing algorithms
registered by the HashLib instances.

Need to have an additional check for the intersection between the
TpmActivePcrBanks and the PcdTcg2HashAlgorithmBitmap populated by the
HashLib instances present on the platform's BIOS.

Signed-off-by: Rodrigo Gonzalez del Cueto
<rodrigo.gonzalez.del.cueto@...>

Cc: Jian J Wang <jian.j.wang@...>
Cc: Jiewen Yao <jiewen.yao@...>
---
SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c
| 6 +++++-
SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c |
6 +++++-
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 67
++++++++++++++++++++++++++++++++++++++++++-------------------------
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 +
4 files changed, 53 insertions(+), 27 deletions(-)

diff --git
a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.
c
b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.
c
index 7a0f61efbb..0821159120 100644
---
a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.
c
+++
b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.
c
@@ -230,13 +230,17 @@ RegisterHashInterfaceLib (
{
UINTN Index;
UINT32 HashMask;
+ UINT32 Tpm2HashMask;
EFI_STATUS Status;

//
// Check allow
//
HashMask = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);
- if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {
+ Tpm2HashMask = PcdGet32 (PcdTpm2HashMask);
+
+ if ((Tpm2HashMask != 0) &&
+ ((HashMask & Tpm2HashMask) == 0)) {
return EFI_UNSUPPORTED;
}

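Review bot: the new `Tpm2HashMask != 0` condition silently turns the "Check allow" into a no-op whenever PcdTpm2HashMask is zero, so every HashLib instance registers; that is the intended behaviour per the commit message (SyncPcrAllocationsAndPcrMask() reconciles the banks later), but the code itself gives no hint of it. A comment above the `if` saying that a zero mask means "defer to the TPM's active banks, reconciled in Tcg2Pei" would save the next reader a trip through Tcg2Pei.c.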
diff --git
a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
index 42cb562f67..6ae51dbce4 100644
---
a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
+++
b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
@@ -327,13 +327,17 @@ RegisterHashInterfaceLib (
UINTN Index;
HASH_INTERFACE_HOB *HashInterfaceHob;
UINT32 HashMask;
+ UINT32 Tpm2HashMask;
EFI_STATUS Status;

//
// Check allow
//
HashMask = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);
- if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {
+ Tpm2HashMask = PcdGet32 (PcdTpm2HashMask);
+
+ if ((Tpm2HashMask != 0) &&
+ ((HashMask & Tpm2HashMask) == 0)) {
return EFI_UNSUPPORTED;
}

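Review bot: the `Tpm2HashMask != 0` bypass here mirrors the DXE router change and has the same documentation gap (nothing says why a zero mask skips the check). Since the PEI and DXE copies of RegisterHashInterfaceLib() now differ only in their HOB handling, consider moving the mask test into a small shared helper in the library's common header so the two cannot drift apart on the zero-mask rule.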
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index 93a8803ff6..582b9377e5 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -1,7 +1,7 @@
/** @file
Initialize TPM2 device and measure FVs before handing off control to DXE.

-Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2017, Microsoft Corporation. All rights reserved. <BR>
SPDX-License-Identifier: BSD-2-Clause-Patent

@@ -253,7 +253,7 @@ EndofPeiSignalNotifyCallBack (

/**
Make sure that the current PCR allocations, the TPM supported PCRs,
- and the PcdTpm2HashMask are all in agreement.
+ PcdTcg2HashAlgorithmBitmap and the PcdTpm2HashMask are all in
agreement.
**/
VOID
SyncPcrAllocationsAndPcrMask (
@@ -262,52 +262,68 @@ SyncPcrAllocationsAndPcrMask (
{
EFI_STATUS Status;
EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap;
+ EFI_TCG2_EVENT_ALGORITHM_BITMAP BiosHashAlgorithmBitmap;
UINT32 TpmActivePcrBanks;
UINT32 NewTpmActivePcrBanks;
UINT32 Tpm2PcrMask;
UINT32 NewTpm2PcrMask;

- DEBUG ((EFI_D_ERROR, "SyncPcrAllocationsAndPcrMask!\n"));
+ DEBUG ((DEBUG_ERROR, "SyncPcrAllocationsAndPcrMask!\n"));

//
// Determine the current TPM support and the Platform PCR mask.
//
Status = Tpm2GetCapabilitySupportedAndActivePcrs
(&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);
+
ASSERT_EFI_ERROR (Status);

+ DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs -
TpmHashAlgorithmBitmap: 0x%08x\n", TpmHashAlgorithmBitmap));
+ DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs -
TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks));
+
Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask);
if (Tpm2PcrMask == 0) {
//
- // if PcdTPm2HashMask is zero, use ActivePcr setting
+ // If PcdTpm2HashMask is zero, use ActivePcr setting.
+ // Only when PcdTpm2HashMask is initialized to 0, will it be updated to
current Active Pcrs.
//
PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);
Tpm2PcrMask = TpmActivePcrBanks;
}
+ DEBUG ((DEBUG_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask));

//
- // Find the intersection of Pcd support and TPM support.
- // If banks are missing from the TPM support that are in the PCD, update the
PCD.
- // If banks are missing from the PCD that are active in the TPM, reallocate the
banks and reboot.
- //
-
- //
- // If there are active PCR banks that are not supported by the Platform mask,
- // update the TPM allocations and reboot the machine.
+ // The Active PCRs in the TPM need to be a strict subset of the hashing
algorithms supported by BIOS.
//
- if ((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) {
- NewTpmActivePcrBanks = TpmActivePcrBanks & Tpm2PcrMask;
-
- DEBUG ((EFI_D_INFO, "%a - Reallocating PCR banks from 0x%X to 0x%X.\n",
__FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks));
+ // * Find the intersection of Pcd support and TPM active PCRs. If banks are
missing from the TPM support
+ // that are in the PCD, update the PCD.
+ // * Find intersection of TPM Active PCRs and BIOS supported algorithms. If
there are active PCR banks
+ // that are not supported by the platform, update the TPM allocations and
reboot.
+ // Note: When the HashLibBaseCryptoRouter solution is used, the hash
algorithm support from BIOS is reported
+ // by Tcg2HashAlgorithmBitmap, which is populated by HashLib instances
at runtime.
+ BiosHashAlgorithmBitmap = PcdGet32 (PcdTcg2HashAlgorithmBitmap);
+ DEBUG ((DEBUG_INFO, "Tcg2HashAlgorithmBitmap: 0x%08x\n",
BiosHashAlgorithmBitmap));
+
+ if (((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) ||
+ ((TpmActivePcrBanks & BiosHashAlgorithmBitmap) != TpmActivePcrBanks)) {
+ DEBUG ((DEBUG_INFO, "TpmActivePcrBanks & Tpm2PcrMask = 0x%08x\n",
(TpmActivePcrBanks & Tpm2PcrMask)));
+ DEBUG ((DEBUG_INFO, "TpmActivePcrBanks & BiosHashAlgorithmBitmap =
0x%08x\n", (TpmActivePcrBanks & BiosHashAlgorithmBitmap)));
+ NewTpmActivePcrBanks = TpmActivePcrBanks;
+ NewTpmActivePcrBanks &= Tpm2PcrMask;
+ NewTpmActivePcrBanks &= BiosHashAlgorithmBitmap;
+ DEBUG ((DEBUG_INFO, "NewTpmActivePcrBanks 0x%08x\n",
NewTpmActivePcrBanks));
+
+ DEBUG ((DEBUG_INFO, "%a - Reallocating PCR banks from 0x%X to 0x%X.\n",
__FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks));
if (NewTpmActivePcrBanks == 0) {
- DEBUG ((EFI_D_ERROR, "%a - No viable PCRs active! Please set a less
restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));
+ DEBUG ((DEBUG_ERROR, "%a - No viable PCRs active! Please set a less
restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));
ASSERT (FALSE);
} else {
+ DEBUG ((DEBUG_ERROR, "Tpm2PcrAllocateBanks
(TpmHashAlgorithmBitmap: 0x%08x, NewTpmActivePcrBanks: 0x%08x)\n",
TpmHashAlgorithmBitmap, NewTpmActivePcrBanks));
Status = Tpm2PcrAllocateBanks (NULL, (UINT32)TpmHashAlgorithmBitmap,
NewTpmActivePcrBanks);
if (EFI_ERROR (Status)) {
//
// We can't do much here, but we hope that this doesn't happen.
//
- DEBUG ((EFI_D_ERROR, "%a - Failed to reallocate PCRs!\n",
__FUNCTION__));
+ DEBUG ((DEBUG_ERROR, "%a - Failed to reallocate PCRs!\n",
__FUNCTION__));
ASSERT_EFI_ERROR (Status);
}
//
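Review bot: if PcdTcg2HashAlgorithmBitmap is still 0 when SyncPcrAllocationsAndPcrMask() runs (no HashLib instance has registered yet, or the platform does not use the router library), the new `NewTpmActivePcrBanks &= BiosHashAlgorithmBitmap` line drives the result to 0 and the function reaches ASSERT (FALSE) with a message that blames PcdTpm2HashMask; handle the empty-bitmap case separately (skip the BIOS intersection, or name the bitmap that is empty in the error) so the failure is diagnosable. Also, the "Tpm2PcrAllocateBanks (TpmHashAlgorithmBitmap: ..., NewTpmActivePcrBanks: ...)" trace is informational but emitted at DEBUG_ERROR; DEBUG_INFO keeps error logs meaningful.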
@@ -324,13 +340,14 @@ SyncPcrAllocationsAndPcrMask (
if ((Tpm2PcrMask & TpmHashAlgorithmBitmap) != Tpm2PcrMask) {
NewTpm2PcrMask = Tpm2PcrMask & TpmHashAlgorithmBitmap;

- DEBUG ((EFI_D_INFO, "%a - Updating PcdTpm2HashMask from 0x%X to
0x%X.\n", __FUNCTION__, Tpm2PcrMask, NewTpm2PcrMask));
+ DEBUG ((DEBUG_ERROR, "%a - Updating PcdTpm2HashMask from 0x%X to
0x%X.\n", __FUNCTION__, Tpm2PcrMask, NewTpm2PcrMask));
if (NewTpm2PcrMask == 0) {
- DEBUG ((EFI_D_ERROR, "%a - No viable PCRs supported! Please set a less
restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));
+ DEBUG ((DEBUG_ERROR, "%a - No viable PCRs supported! Please set a less
restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));
ASSERT (FALSE);
}

Status = PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask);
+ DEBUG ((DEBUG_ERROR, "Set PcdTpm2Hash Mask to 0x%08x\n",
NewTpm2PcrMask));
ASSERT_EFI_ERROR (Status);
}
}
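Review bot: both traces touched in this hunk ("Updating PcdTpm2HashMask from ..." and "Set PcdTpm2Hash Mask to ...") are informational yet use DEBUG_ERROR, and the second one splits the PCD name ("PcdTpm2Hash Mask"); make them DEBUG_INFO and spell the name as one token so log greps for PcdTpm2HashMask find it.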
@@ -365,7 +382,7 @@ LogHashEvent (
RetStatus = EFI_SUCCESS;
for (Index = 0; Index < sizeof(mTcg2EventInfo)/sizeof(mTcg2EventInfo[0]);
Index++) {
if ((SupportedEventLogs & mTcg2EventInfo[Index].LogFormat) != 0) {
- DEBUG ((EFI_D_INFO, " LogFormat - 0x%08x\n",
mTcg2EventInfo[Index].LogFormat));
+ DEBUG ((DEBUG_INFO, " LogFormat - 0x%08x\n",
mTcg2EventInfo[Index].LogFormat));
switch (mTcg2EventInfo[Index].LogFormat) {
case EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2:
Status = GetDigestFromDigestList (TPM_ALG_SHA1, DigestList,
&NewEventHdr->Digest);
@@ -476,7 +493,7 @@ HashLogExtendEvent (
}

if (Status == EFI_DEVICE_ERROR) {
- DEBUG ((EFI_D_ERROR, "HashLogExtendEvent - %r. Disable TPM.\n", Status));
+ DEBUG ((DEBUG_ERROR, "HashLogExtendEvent - %r. Disable TPM.\n",
Status));
BuildGuidHob (&gTpmErrorHobGuid,0);
REPORT_STATUS_CODE (
EFI_ERROR_CODE | EFI_ERROR_MINOR,
@@ -1011,7 +1028,7 @@ PeimEntryMA (
}

if (GetFirstGuidHob (&gTpmErrorHobGuid) != NULL) {
- DEBUG ((EFI_D_ERROR, "TPM2 error!\n"));
+ DEBUG ((DEBUG_ERROR, "TPM2 error!\n"));
return EFI_DEVICE_ERROR;
}

@@ -1075,7 +1092,7 @@ PeimEntryMA (
for (PcrIndex = 0; PcrIndex < 8; PcrIndex++) {
Status = MeasureSeparatorEventWithError (PcrIndex);
if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Separator Event with Error not Measured.
Error!\n"));
+ DEBUG ((DEBUG_ERROR, "Separator Event with Error not Measured.
Error!\n"));
}
}
}
@@ -1106,7 +1123,7 @@ PeimEntryMA (

Done:
if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "TPM2 error! Build Hob\n"));
+ DEBUG ((DEBUG_ERROR, "TPM2 error! Build Hob\n"));
BuildGuidHob (&gTpmErrorHobGuid,0);
REPORT_STATUS_CODE (
EFI_ERROR_CODE | EFI_ERROR_MINOR,
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
index 06c26a2904..17ad116126 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
@@ -86,6 +86,7 @@
## SOMETIMES_CONSUMES
## SOMETIMES_PRODUCES
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask
+ gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap ##
CONSUMES

[Depex]
gEfiPeiMasterBootModePpiGuid AND
--
2.33.1.windows.1
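To make the bank-reconciliation rule in the commit message above concrete, here is an added example (not part of the patch or of edk2) that models SyncPcrAllocationsAndPcrMask() as a pure function over the three bitmaps the patch reasons about: the TPM's active banks, the platform's PcdTpm2HashMask, and the PcdTcg2HashAlgorithmBitmap populated by HashLib instances. The bit values follow the TCG2 protocol's EFI_TCG2_BOOT_HASH_ALG_* definitions; the PcrSyncInput/PcrSyncOutput types, the SyncPcrBanks() function and the explicit handling of an empty BIOS bitmap are this example's own choices, not edk2 code.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit values from the UEFI TCG2 protocol's EFI_TCG2_BOOT_HASH_ALG_* family. */
#define HASH_ALG_SHA1    0x00000001u
#define HASH_ALG_SHA256  0x00000002u
#define HASH_ALG_SHA384  0x00000004u
#define HASH_ALG_SHA512  0x00000008u
#define HASH_ALG_SM3_256 0x00000010u

/* Inputs that SyncPcrAllocationsAndPcrMask() reads (type and field names are this example's). */
typedef struct {
  uint32_t TpmActivePcrBanks;       /* banks the TPM currently has allocated */
  uint32_t TpmHashAlgorithmBitmap;  /* banks the TPM hardware is capable of */
  uint32_t Tpm2HashMask;            /* PcdTpm2HashMask; 0 means "follow the TPM" */
  uint32_t BiosHashAlgorithmBitmap; /* PcdTcg2HashAlgorithmBitmap, filled by HashLib instances */
} PcrSyncInput;

typedef enum {
  SYNC_NO_CHANGE,               /* banks already consistent */
  SYNC_REALLOCATE,              /* Tpm2PcrAllocateBanks() with NewActivePcrBanks, then reboot */
  SYNC_ERROR_NO_VIABLE_PCR,     /* intersection is empty: the ASSERT (FALSE) case in the patch */
  SYNC_ERROR_BIOS_BITMAP_EMPTY  /* no HashLib registered yet; guard added here, not in the patch */
} PcrSyncResult;

typedef struct {
  PcrSyncResult Result;
  uint32_t NewActivePcrBanks;  /* meaningful when Result == SYNC_REALLOCATE */
  uint32_t NewTpm2HashMask;    /* value PcdTpm2HashMask ends up with */
} PcrSyncOutput;

PcrSyncOutput SyncPcrBanks(PcrSyncInput in) {
  PcrSyncOutput out = { SYNC_NO_CHANGE, in.TpmActivePcrBanks, in.Tpm2HashMask };
  uint32_t mask = in.Tpm2HashMask;

  /* Pre-existing edk2 rule: a zero PcdTpm2HashMask adopts the TPM's active banks. */
  if (mask == 0) {
    mask = in.TpmActivePcrBanks;
    out.NewTpm2HashMask = mask;
  }

  /* Guard added in this example: with an empty BIOS bitmap every bank would be
     dropped, which is an ordering problem (HashLib not registered yet), not policy. */
  if (in.BiosHashAlgorithmBitmap == 0) {
    out.Result = SYNC_ERROR_BIOS_BITMAP_EMPTY;
    return out;
  }

  /* The patch's rule: active banks must be a subset of the platform mask AND of
     the algorithms the firmware's HashLib instances can actually compute. */
  uint32_t wanted = in.TpmActivePcrBanks & mask & in.BiosHashAlgorithmBitmap;
  if (wanted != in.TpmActivePcrBanks) {
    out.NewActivePcrBanks = wanted;
    if (wanted == 0) {
      out.Result = SYNC_ERROR_NO_VIABLE_PCR;
      return out;
    }
    out.Result = SYNC_REALLOCATE;
  }

  /* Pre-existing rule: the PCD must not request banks the TPM cannot provide. */
  if ((mask & in.TpmHashAlgorithmBitmap) != mask) {
    out.NewTpm2HashMask = mask & in.TpmHashAlgorithmBitmap;
  }
  return out;
}

int main(void) {
  /* Constructed scenario: the TPM ships with SHA1+SHA256 active, the platform
     leaves PcdTpm2HashMask at 0, but the firmware only links a SHA256 HashLib. */
  PcrSyncInput in = { HASH_ALG_SHA1 | HASH_ALG_SHA256,
                      HASH_ALG_SHA1 | HASH_ALG_SHA256 | HASH_ALG_SHA384,
                      0, HASH_ALG_SHA256 };
  PcrSyncOutput out = SyncPcrBanks(in);
  printf("result=%d new active banks=0x%08x new PcdTpm2HashMask=0x%08x\n",
         (int)out.Result, out.NewActivePcrBanks, out.NewTpm2HashMask);
  return 0;
}
```

In the constructed scenario the SHA1 bank is dropped (SHA256 only is requested from Tpm2PcrAllocateBanks()), while PcdTpm2HashMask is set to the TPM's original SHA1+SHA256 value because the mask was zero on entry, exactly the two updates the real function performs in sequence. The empty-BIOS-bitmap guard is the ordering hazard a reviewer would want the patch to address explicitly, since otherwise it is indistinguishable from a misconfigured PcdTpm2HashMask.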


Re: [edk2-devel] Re: [PATCH V4 1/3] MdePkg: Introduce CcMeasurementProtocol for CC Guest firmware

gaoliming
 

Min:

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Min Xu
Sent: November 4, 2021 20:35
To: devel@edk2.groups.io; gaoliming@...
Cc: Kinney, Michael D <michael.d.kinney@...>; Liu, Zhiguang
<zhiguang.liu@...>; Yao, Jiewen <jiewen.yao@...>; Wang, Jian J
<jian.j.wang@...>; Lu, Ken <ken.lu@...>; 'Sami Mujawar'
<sami.mujawar@...>; 'Gerd Hoffmann' <kraxel@...>
Subject: Re: [edk2-devel] Re: [PATCH V4 1/3] MdePkg: Introduce
CcMeasurementProtocol for CC Guest firmware

On November 4, 2021 1:51 PM, Gao, Liming wrote:
Min:
I have one minor comment. gEfiCcFinalEventsTableGuid may be placed
into
[Guids] section instead of [Protocols] section.
Hi, Liming
I follow the definition of gEfiTcg2ProtocolGuid and
gEfiTcg2FinalEventsTableGuid. See
https://github.com/tianocore/edk2/blob/master/MdePkg/MdePkg.dec#L1590-L1592
Actually gEfiCcMeasurementProtocolGuid and gEfiCcFinalEventsTableGuid are
the counterpart protocol/guid definition in Confidential Computing measure
boot.
I am not sure if there is some other consideration that
gEfiTcg2ProtocolGuid
and gEfiTcg2FinalEventsTableGuid are defined in the section of
[Protocols].
I find gEfiTcg2FinalEventsTableGuid is used for configuration table. This is
one Guid usage.
It should be placed into [Guids] section.

You can see hash protocol and hash algorithm guid in MdePkg.
gEfiHashProtocolGuid is defined in [Protocols] section, and
gEfiHashAlgorithmMD5Guid
is defined in [Guids] section. They are both from
MdePkg/Include/Protocol/Hash.h.

So, I suggest to follow the guid usage to define this Guid into the
different section.

Thanks
Liming

Thanks
Min




Re: [edk2-devel] [PATCH v2 07/16] ArmPkg and MdePkg: Move the AsmMacroIoLib from ArmPkg to MdePkg

gaoliming
 

Reviewed-by: Liming Gao <gaoliming@...>

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Leif Lindholm
Sent: November 4, 2021 20:18
To: brbarkel@... <bret@...>
Cc: devel@edk2.groups.io; Ard Biesheuvel <ardb+tianocore@...>;
Michael D Kinney <michael.d.kinney@...>; Liming Gao
<gaoliming@...>; Zhiguang Liu <zhiguang.liu@...>; Sean
Brogan <sean.brogan@...>
Subject: Re: [edk2-devel] [PATCH v2 07/16] ArmPkg and MdePkg: Move the
AsmMacroIoLib from ArmPkg to MdePkg

On Tue, Nov 02, 2021 at 13:17:39 -0700, brbarkel@... wrote:
From: Bret Barkelew <brbarkel@...>

Cc: Leif Lindholm <leif@...>
Cc: Ard Biesheuvel <ardb+tianocore@...>
Cc: Michael D Kinney <michael.d.kinney@...>
Cc: Liming Gao <gaoliming@...>
Cc: Zhiguang Liu <zhiguang.liu@...>
Cc: Sean Brogan <sean.brogan@...>
Signed-off-by: Bret Barkelew <bret.barkelew@...>
For the moving out part:
Reviewed-by: Leif Lindholm <leif@...>
Need one of the MdePkg maintainers to acknowledge the moving in
part.

/
Leif

---
{ArmPkg/Include => MdePkg/Include/AArch64}/AsmMacroIoLibV8.h | 0
{ArmPkg/Include => MdePkg/Include/Arm}/AsmMacroIoLib.h | 0
2 files changed, 0 insertions(+), 0 deletions(-)

diff --git a/ArmPkg/Include/AsmMacroIoLibV8.h
b/MdePkg/Include/AArch64/AsmMacroIoLibV8.h
similarity index 100%
rename from ArmPkg/Include/AsmMacroIoLibV8.h
rename to MdePkg/Include/AArch64/AsmMacroIoLibV8.h
diff --git a/ArmPkg/Include/AsmMacroIoLib.h
b/MdePkg/Include/Arm/AsmMacroIoLib.h
similarity index 100%
rename from ArmPkg/Include/AsmMacroIoLib.h
rename to MdePkg/Include/Arm/AsmMacroIoLib.h
--
2.31.1.windows.1



Re: [Patch V2 7/7] OvmfPkg: Reproduce builds across source format changes

Yao, Jiewen
 

Reviewed-by: Jiewen Yao <jiewen.yao@...>

-----Original Message-----
From: Kinney, Michael D <michael.d.kinney@...>
Sent: Tuesday, November 2, 2021 5:38 AM
To: devel@edk2.groups.io
Cc: Ard Biesheuvel <ardb+tianocore@...>; Yao, Jiewen
<jiewen.yao@...>; Justen, Jordan L <jordan.l.justen@...>; Gerd
Hoffmann <kraxel@...>; Michael Kubacki
<michael.kubacki@...>
Subject: [Patch V2 7/7] OvmfPkg: Reproduce builds across source format
changes

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3688

Use DEBUG_LINE_NUMBER instead of __LINE__.

Cc: Ard Biesheuvel <ardb+tianocore@...>
Cc: Jiewen Yao <jiewen.yao@...>
Cc: Jordan Justen <jordan.l.justen@...>
Cc: Gerd Hoffmann <kraxel@...>
Cc: Michael Kubacki <michael.kubacki@...>
Signed-off-by: Michael D Kinney <michael.d.kinney@...>
---
OvmfPkg/Csm/LegacyBiosDxe/LegacyPci.c | 6 +++---
OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c | 4 ++--
OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c | 2 +-
OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/OvmfPkg/Csm/LegacyBiosDxe/LegacyPci.c
b/OvmfPkg/Csm/LegacyBiosDxe/LegacyPci.c
index 746b366448e6..350cf3dd0b3a 100644
--- a/OvmfPkg/Csm/LegacyBiosDxe/LegacyPci.c
+++ b/OvmfPkg/Csm/LegacyBiosDxe/LegacyPci.c
@@ -2321,7 +2321,7 @@ LegacyBiosInstallRom (
);

if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "return LegacyBiosInstallRom(%d):
EFI_OUT_OF_RESOURCES (no more space for OpROM)\n", __LINE__));
+ DEBUG ((DEBUG_ERROR, "return LegacyBiosInstallRom(%d):
EFI_OUT_OF_RESOURCES (no more space for OpROM)\n",
DEBUG_LINE_NUMBER));
//
// Report Status Code to indicate that there is no enough space for OpROM
//
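Review bot: the commit message says only "Use DEBUG_LINE_NUMBER instead of __LINE__" and gives no pointer to where DEBUG_LINE_NUMBER is defined or how a build is expected to override it; since the stated goal is reproducible output across source-format changes, add a sentence naming the header or series patch that introduces the macro and the override mechanism, otherwise a reader of this hunk cannot tell whether the number printed in "return LegacyBiosInstallRom(%d)" still identifies which of the three EFI_OUT_OF_RESOURCES checks fired. The three hunks in this file emit identical text, so once the line number is pinned the messages become indistinguishable; consider distinguishing them by the check that failed rather than by line.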
@@ -2337,7 +2337,7 @@ LegacyBiosInstallRom (
//
RuntimeAddress = Private->OptionRom;
if (RuntimeAddress + *RuntimeImageLength > MaxRomAddr) {
- DEBUG ((DEBUG_ERROR, "return LegacyBiosInstallRom(%d):
EFI_OUT_OF_RESOURCES (no more space for OpROM)\n", __LINE__));
+ DEBUG ((DEBUG_ERROR, "return LegacyBiosInstallRom(%d):
EFI_OUT_OF_RESOURCES (no more space for OpROM)\n",
DEBUG_LINE_NUMBER));
gBS->FreePages (PhysicalAddress, EFI_SIZE_TO_PAGES (ImageSize));
//
// Report Status Code to indicate that there is no enough space for OpROM
@@ -2355,7 +2355,7 @@ LegacyBiosInstallRom (
//
InitAddress = PCI_START_ADDRESS (Private->OptionRom);
if (InitAddress + ImageSize > MaxRomAddr) {
- DEBUG ((DEBUG_ERROR, "return LegacyBiosInstallRom(%d):
EFI_OUT_OF_RESOURCES (no more space for OpROM)\n", __LINE__));
+ DEBUG ((DEBUG_ERROR, "return LegacyBiosInstallRom(%d):
EFI_OUT_OF_RESOURCES (no more space for OpROM)\n",
DEBUG_LINE_NUMBER));
//
// Report Status Code to indicate that there is no enough space for OpROM
//
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index 9b21ba2bd699..186401296ae2 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -624,7 +624,7 @@ PrepareLpcBridgeDevicePath (
DEBUG((
DEBUG_INFO,
"BdsPlatform.c+%d: COM%d DevPath: %s\n",
- __LINE__,
+ DEBUG_LINE_NUMBER,
gPnp16550ComPortDeviceNode.UID + 1,
DevPathStr
));
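Review bot: the format string "BdsPlatform.c+%d: COM%d DevPath: %s\n" pairs a file name with a line number so the message can be located in source; once DEBUG_LINE_NUMBER is pinned to a constant for a reproducible build that prefix no longer points at a line, and the same string is emitted again in the second hunk of this file for the other COM port. Consider dropping the "file+line" prefix and relying on the COM index the message already carries, which stays meaningful under both settings.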
@@ -656,7 +656,7 @@ PrepareLpcBridgeDevicePath (
DEBUG((
DEBUG_INFO,
"BdsPlatform.c+%d: COM%d DevPath: %s\n",
- __LINE__,
+ DEBUG_LINE_NUMBER,
gPnp16550ComPortDeviceNode.UID + 1,
DevPathStr
));
diff --git a/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
b/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
index 513d2f00a747..e767c3b172ba 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
@@ -586,7 +586,7 @@ PrepareLpcBridgeDevicePath (
DEBUG((
DEBUG_INFO,
"BdsPlatform.c+%d: COM%d DevPath: %s\n",
- __LINE__,
+ DEBUG_LINE_NUMBER,
gPnp16550ComPortDeviceNode.UID + 1,
DevPathStr
));
diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
index 1c5405f620e7..fd8057735549 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
@@ -556,7 +556,7 @@ PrepareLpcBridgeDevicePath (
DEBUG((
DEBUG_INFO,
"BdsPlatform.c+%d: COM%d DevPath: %s\n",
- __LINE__,
+ DEBUG_LINE_NUMBER,
gPnp16550ComPortDeviceNode.UID + 1,
DevPathStr
));
@@ -588,7 +588,7 @@ PrepareLpcBridgeDevicePath (
DEBUG((
DEBUG_INFO,
"BdsPlatform.c+%d: COM%d DevPath: %s\n",
- __LINE__,
+ DEBUG_LINE_NUMBER,
gPnp16550ComPortDeviceNode.UID + 1,
DevPathStr
));
--
2.32.0.windows.1


Re: [Patch V2 7/7] BaseTools/Conf: Fix Linux GCC ARM build issues with HII

Michael D Kinney
 

Hi Leif,

I am dropping patch 7 from this series.

I am not able to get the ARM build failure resolved at this time.

The basic issue is that the GCC builds are using objcopy to create
an ELF image with a section named .hii with the HII data. However,
objcopy cannot set the ELF fields for the ABI correctly and some of
the linkers will complain if the ABI does not match, even if there
is no code associated with the ELF image.

We may need to consider a better solution for generating resource
sections that works for all toolchains instead of trying to use
objcopy.

Mike

-----Original Message-----
From: Kinney, Michael D <michael.d.kinney@...>
Sent: Thursday, November 4, 2021 10:08 AM
To: devel@edk2.groups.io; leif@...; Kinney, Michael D <michael.d.kinney@...>
Cc: Feng, Bob C <bob.c.feng@...>; Liming Gao <gaoliming@...>; Chen, Christine <yuwei.chen@...>; Ard
Biesheuvel <ardb+tianocore@...>
Subject: RE: [edk2-devel] [Patch V2 7/7] BaseTools/Conf: Fix Linux GCC ARM build issues with HII

Hi Leif,

I will add NOOPT information to the commit message.

Unfortunately, this change caused a boot to shell failure for ArmVirtPkg QEMU. TFTP dynamic shell command failed to find
HII package.

https://github.com/tianocore/edk2/pull/2166
https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=32907&view=logs&j=cf2d8b26-a21c-5c68-abf4-
b944c123e462&t=5ffbbe5c-1d3a-55f5-5ef3-8a0ef80d76a1&l=547

I am investigating and will send a V3 with updates.

Mike

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Leif Lindholm
Sent: Thursday, November 4, 2021 3:50 AM
To: Kinney, Michael D <michael.d.kinney@...>
Cc: devel@edk2.groups.io; Feng, Bob C <bob.c.feng@...>; Liming Gao <gaoliming@...>; Chen, Christine
<yuwei.chen@...>; Ard Biesheuvel <ardb+tianocore@...>
Subject: Re: [edk2-devel] [Patch V2 7/7] BaseTools/Conf: Fix Linux GCC ARM build issues with HII

On Wed, Nov 03, 2021 at 15:59:54 -0700, Michael D Kinney wrote:
Update builds_rules.template to add $(SLINK) to the GCC
steps for processing HII resources to produce a static
library instead of an object file. This improves linker
compatibility and specifically fixes a link failure seen
on Linux GCC ARM builds of the MdeModulePkg due to
mismatched ABI types between the HII resource section
and the rest of the libraries.

Cc: Bob Feng <bob.c.feng@...>
Cc: Liming Gao <gaoliming@...>
Cc: Yuwei Chen <yuwei.chen@...>
Cc: Leif Lindholm <leif@...>
Cc: Ard Biesheuvel <ardb+tianocore@...>
Signed-off-by: Michael D Kinney <michael.d.kinney@...>
This arguably looks like a plain fix in the first place.

However, I am only able to trigger the build failure for the NOOPT
target. That may be useful to mention in the commit message.

With that:
Reviewed-by: Leif Lindholm <leif@...>

---
BaseTools/Conf/build_rule.template | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/BaseTools/Conf/build_rule.template b/BaseTools/Conf/build_rule.template
index 3add1029f276..5f59044da36d 100755
--- a/BaseTools/Conf/build_rule.template
+++ b/BaseTools/Conf/build_rule.template
@@ -668,6 +668,8 @@

<Command.GCC>
"$(GENFW)" -o $(OUTPUT_DIR)(+)$(MODULE_NAME)hii.rc -g $(MODULE_GUID) --hiibinpackage $(HII_BINARY_PACKAGES)
$(GENFW_FLAGS)
- "$(RC)" $(RC_FLAGS) $(OUTPUT_DIR)(+)$(MODULE_NAME)hii.rc ${dst}
+ "$(RC)" $(RC_FLAGS) $(OUTPUT_DIR)(+)$(MODULE_NAME)hii.rc $(OUTPUT_DIR)(+)$(MODULE_NAME)hii.rc.obj
+ "$(SLINK)" cr ${dst} $(OUTPUT_DIR)(+)$(MODULE_NAME)hii.rc.obj
+
<Command.XCODE, Command.RVCT, Command.CLANGGCC>
"$(GENFW)" -o $(OUTPUT_DIR)(+)$(MODULE_NAME)hii.rc -g $(MODULE_GUID) --hiibinpackage $(HII_BINARY_PACKAGES)
$(GENFW_FLAGS)
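Review bot: wrapping the HII object in a static library changes how the linker consumes it: an archive member is pulled in only when it resolves an undefined symbol, whereas the object file previously written to ${dst} was linked unconditionally. Nothing in the hunk adds a reference to the resource object's symbols, which is consistent with the ArmVirtPkg failure reported in the reply above (TFTP dynamic shell command failed to find its HII package). If the archive route is kept, the module link step needs a whole-archive option or an explicit symbol reference for the resource member. Two smaller points: the new $(MODULE_NAME)hii.rc.obj intermediate is never removed, and "$(SLINK) cr" without the deterministic (D) flag may embed timestamps and uids in the archive depending on how binutils was configured, which matters for reproducible builds; and the <Command.XCODE, Command.RVCT, Command.CLANGGCC> branch below still produces an object for ${dst}, so the consumer of ${dst} must accept both forms.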
--
2.32.0.windows.1
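An added example for the ABI mismatch Mike describes above (not code from the thread, from edk2 or from BaseTools): a small checker that reads the EABI version byte out of ELF32 ARM object headers and reports the first object that disagrees with the others. The sample headers are constructed in memory, and the assumption that the objcopy-produced resource object carries e_flags == 0 while compiler output carries EABIv5 is an assumption made here from the thread's description, not something the mail states.

```c
/* Added example, not code from the thread, edk2 or BaseTools: read the ARM
 * EABI version out of ELF32 object headers, the ABI field the thread says
 * objcopy cannot set on the generated .hii resource object. All headers
 * below are constructed in memory; no files are read, no toolchain is run. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ELF32_EHDR_SIZE   52
#define ELFCLASS32        1
#define ELFDATA2LSB       1
#define EM_ARM            40
#define ET_REL            1
#define EF_ARM_EABIMASK   0xFF000000u   /* top byte of e_flags holds the EABI version */
#define EF_ARM_EABI_VER5  0x05000000u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* EABI version (0..255) recorded in a little-endian ELF32 ARM header, or -1
 * if buf is not one. 0 means "no EABI version set", which is what a linker
 * that expects EABIv5 objects rejects. */
int elf32_arm_eabi_version(const uint8_t *buf, size_t len)
{
  if (len < ELF32_EHDR_SIZE || memcmp(buf, "\177ELF", 4) != 0) return -1;
  if (buf[4] != ELFCLASS32 || buf[5] != ELFDATA2LSB) return -1;
  if (rd16(buf + 18) != EM_ARM) return -1;                /* e_machine */
  return (int)((rd32(buf + 36) & EF_ARM_EABIMASK) >> 24);  /* e_flags */
}

/* Index of the first object whose EABI version differs from object 0 (or that
 * is not an ELF32 ARM object at all); -1 if all objects agree. */
int first_eabi_mismatch(const uint8_t *const objs[], const size_t lens[], size_t n)
{
  if (n == 0) return -1;
  int v0 = elf32_arm_eabi_version(objs[0], lens[0]);
  if (v0 < 0) return 0;
  for (size_t i = 1; i < n; i++)
    if (elf32_arm_eabi_version(objs[i], lens[i]) != v0) return (int)i;
  return -1;
}

/* Constructed relocatable ELF32 ARM header carrying the given e_flags. */
void build_sample_header(uint32_t e_flags, uint8_t out[ELF32_EHDR_SIZE])
{
  memset(out, 0, ELF32_EHDR_SIZE);
  memcpy(out, "\177ELF", 4);
  out[4] = ELFCLASS32;
  out[5] = ELFDATA2LSB;
  out[6] = 1;                          /* EI_VERSION = EV_CURRENT */
  wr16(out + 16, ET_REL);              /* e_type */
  wr16(out + 18, EM_ARM);              /* e_machine */
  wr32(out + 20, 1);                   /* e_version */
  wr32(out + 36, e_flags);             /* e_flags */
  wr16(out + 40, ELF32_EHDR_SIZE);     /* e_ehsize */
}

/* EABI version the checker reports for a constructed header with e_flags. */
int sample_eabi_version(uint32_t e_flags)
{
  uint8_t h[ELF32_EHDR_SIZE];
  build_sample_header(e_flags, h);
  return elf32_arm_eabi_version(h, sizeof h);
}

/* The thread's scenario as assumed here: compiler output carries EABIv5, the
 * objcopy-generated resource object carries e_flags == 0. Returns the index
 * of the first object that disagrees with object 0 (1 = the .hii object). */
int demo_first_mismatch(void)
{
  uint8_t code[ELF32_EHDR_SIZE], hii[ELF32_EHDR_SIZE];
  build_sample_header(EF_ARM_EABI_VER5, code);
  build_sample_header(0, hii);
  const uint8_t *objs[] = { code, hii };
  const size_t lens[] = { sizeof code, sizeof hii };
  return first_eabi_mismatch(objs, lens, 2);
}

int main(void)
{
  int at = demo_first_mismatch();
  printf("compiler object: EABIv%d, resource object: EABIv%d, first mismatch at index %d\n",
         sample_eabi_version(EF_ARM_EABI_VER5), sample_eabi_version(0), at);
  return at < 0 ? 0 : 1;
}
```

Against real build output the same check is a loop over the .o files (and archive members) of a module reading their first 52 bytes; the version byte is what `readelf -h` prints as "Flags: 0x5000000, Version5 EABI".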



Event: TianoCore Community Meeting - APAC/NAMO - 11/04/2021 #cal-reminder

devel@edk2.groups.io Calendar <noreply@...>
 

Reminder: TianoCore Community Meeting - APAC/NAMO

When:
11/04/2021
7:30pm to 8:30pm
(UTC-07:00) America/Los Angeles

Where:
https://teams.microsoft.com/l/meetup-join/19%3ameeting_ZWNiZWM1MzgtNWEzMy00MTgwLTgwNjAtNWQ1ZWUwZmQzNjVh%40thread.v2/0?context=%7b%22Tid%22%3a%2246c98d88-e344-4ed4-8496-4ed7712e255d%22%2c%22Oid%22%3a%22b286b53a-1218-4db3-bfc9-3d4c5aa7669e%22%7d

Organizer: Soumya Guptha

Description: Microsoft Teams meeting. Join via the link above, with a video conferencing device (teams@..., Video Conference ID: 119 132 712 6), or by phone (+1 916-245-6934,,494156131# United States, Sacramento; Phone Conference ID: 494 156 131#).


Re: [PATCH V4 3/3] SecurityPkg: Support CcMeasurementProtocol in DxeTpmMeasurementLib

Min Xu
 

Hi, Sami

Please see my comments inline.

+**/
+EFI_STATUS
+EFIAPI
+CcMeasureAndLogData (
+  IN UINT32             PcrIndex,
+  IN UINT32             EventType,
+  IN VOID               *EventLog,
+  IN UINT32             LogLen,
+  IN VOID               *HashData,
+  IN UINT64             HashDataLen
+  )
+{
+  EFI_STATUS                    Status;
+  EFI_CC_MEASUREMENT_PROTOCOL  *CcProtocol;
+  EFI_CC_EVENT                 *EfiCcEvent;
+  UINT32                        MrIndex;

[SAMI] Same comment as in patch 2/3. Is it possible to use the typedef for the measurement register index here, please?

[Min] Thanks for reminder. It will be fixed.

 
+
+  Status = gBS->LocateProtocol (&gEfiCcMeasurementProtocolGuid, NULL, (VOID **) &CcProtocol);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  Status = CcProtocol->MapPcrToMrIndex (CcProtocol, PcrIndex, &MrIndex);
+  if (EFI_ERROR (Status)) {
+    return EFI_INVALID_PARAMETER;

[SAMI] Is it possible to return the error code returned by  CcProtocol->MapPcrToMrIndex(), please?

[Min] Sure. It will be updated in the next version.

 

Thanks

Min



Re: [PATCH V4 2/3] SecurityPkg: Support CcMeasurementProtocol in DxeTpm2MeasureBootLib

Min Xu
 

Hi, Sami

Please see my comments inline.

 

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sami Mujawar
Sent: Tuesday, November 2, 2021 5:43 PM
To: Xu, Min M <min.m.xu@...>; devel@edk2.groups.io
Cc: Kinney, Michael D <michael.d.kinney@...>; Liming Gao <gaoliming@...>; Liu, Zhiguang <zhiguang.liu@...>; Yao, Jiewen <jiewen.yao@...>; Wang, Jian J <jian.j.wang@...>; Gerd Hoffmann <kraxel@...>; nd <nd@...>
Subject: Re: [edk2-devel] [PATCH V4 2/3] SecurityPkg: Support CcMeasurementProtocol in DxeTpm2MeasureBootLib

 

+/**
+  Create CcEvent from Tcg2Event.
+
+  CcEvent is similar to Tcg2Event except the MrIndex.
+
+  @param  CcProtocol  Pointer to the located Cc Measurement protocol instance.
+  @param  Tcg2Event   Pointer to the Tcg2Event.
+  @param  EventSize   Size of the Event.
+  @param  EfiCcEvent  The created CcEvent
+
+  @retval EFI_SUCCESS           Successfully create the CcEvent
+  @retval EFI_INVALID_PARAMETER The input parameter is invalid
+  @retval EFI_UNSUPPORTED       The input PCRIndex cannot be mapped to Cc MR
+  @retval EFI_OUT_OF_RESOURCES  Out of resource
+**/
+EFI_STATUS

[SAMI] Is EFIAPI needed here?

[Min] EFIAPI is not needed here. From the EDKII C Coding Standards Spec (https://edk2-docs.gitbook.io/edk-ii-c-coding-standards-specification/5_source_files/56_declarations_and_types)

“The EFIAPI modifier must be used for all UEFI defined API functions, as well as for any function that takes a variable number of arguments. All protocol functions as well as public functions exposed by drivers must also be declared EFIAPI. This establishes a common calling convention for functions that could be referenced by other code that has potentially been built using a different compiler, with a different native calling convention”

CreateCcEventFromTcg2Event is only called internally and it will not be exposed outside. So EFIAPI is not needed.

 
+CreateCcEventFromTcg2Event (
+  IN  EFI_CC_MEASUREMENT_PROTOCOL   *CcProtocol,
+  IN  EFI_TCG2_EVENT                *Tcg2Event,
+  IN  UINT32                        EventSize,
+  IN OUT EFI_CC_EVENT               **EfiCcEvent
+  )
+{
+  UINT32            MrIndex;

[SAMI] I think it may be good to use the typedef for the measurement register index here i.e. EFI_CC_MR_INDEX.

[Min] Thanks for reminder. It will be fixed in the next version.

 

Thanks

Min


Re: [PATCH v1] Maintainers.txt: Change SimicsOpenBoardPkg Maintainer

Agyeman, Prince
 

Reviewed-by: Prince Agyeman <prince.agyeman@...>

Prince

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Desimone, Nathaniel L
Sent: Tuesday, November 2, 2021 3:07 PM
To: devel@edk2.groups.io
Cc: Agyeman, Prince <prince.agyeman@...>; Leif Lindholm <leif@...>; Kinney, Michael D <michael.d.kinney@...>
Subject: [edk2-devel] [PATCH v1] Maintainers.txt: Change SimicsOpenBoardPkg Maintainer

To help keep edk2-platforms healthy, I would like to offer to maintain SimicsOpenBoardPkg, SimicsX58SktPkg, and SimicsIch10Pkg. The current maintainer for those packages has changed jobs and is no longer active in the community.

Cc: Agyeman Prince <prince.agyeman@...>
Cc: Leif Lindholm <leif@...>
Cc: Michael D Kinney <michael.d.kinney@...>
Signed-off-by: Nate DeSimone <nathaniel.l.desimone@...>
---
Maintainers.txt | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Maintainers.txt b/Maintainers.txt index c839c71b22..8d9d454347 100644
--- a/Maintainers.txt
+++ b/Maintainers.txt
@@ -235,7 +235,7 @@ M: Chasel Chiu <chasel.chiu@...>

Platform/Intel/SimicsOpenBoardPkg
F: Platform/Intel/SimicsOpenBoardPkg/
-M: Agyeman Prince <prince.agyeman@...>
+M: Nate DeSimone <nathaniel.l.desimone@...>

Platform/Intel/Tools
F: Platform/Intel/Tools/
@@ -301,11 +301,11 @@ M: Chasel Chiu <chasel.chiu@...>

Silicon/Intel/SimicsX58SktPkg
F: Silicon/Intel/SimicsX58SktPkg/
-M: Agyeman Prince <prince.agyeman@...>
+M: Nate DeSimone <nathaniel.l.desimone@...>

Silicon/Intel/SimicsIch10Pkg
F: Silicon/Intel/SimicsIch10Pkg/
-M: Agyeman Prince <prince.agyeman@...>
+M: Nate DeSimone <nathaniel.l.desimone@...>

Silicon/Intel/Tools
F: Silicon/Intel/Tools/
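Review bot: the commit message says the previous maintainer changed jobs and is no longer active; each of the three hunks still leaves the package with a single M: line and no R: entry, so the same gap recurs the next time one person moves on. Consider adding a reviewer alongside the new maintainer for SimicsOpenBoardPkg, SimicsX58SktPkg and SimicsIch10Pkg.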
--
2.27.0.windows.1


Re: [PATCH V3 14/29] UefiCpuPkg: Enable Tdx support in MpInitLib

Min Xu
 

On November 4, 2021 11:21 PM, Tom Lendacky wrote:
On 11/4/21 3:10 AM, Gerd Hoffmann wrote:
On Wed, Nov 03, 2021 at 12:57:37PM +0000, Xu, Min M wrote:
On November 3, 2021 2:09 PM, Gerd Hoffmann wrote:
+++ b/UefiCpuPkg/Library/MpInitLib/X64/IntelTdcall.nasm
@@ -0,0 +1,120 @@
+;-----------------------------------------------------------------
+---
+----------
+;*
+;* Copyright (c) 2020 - 2021, Intel Corporation. All rights
+reserved.<BR>
+;* SPDX-License-Identifier: BSD-2-Clause-Patent
+;*
+;*
+;-----------------------------------------------------------------
+---
+----------
+
+DEFAULT REL
+SECTION .text
+
+%macro tdcall 0
+ db 0x66,0x0f,0x01,0xcc
+%endmacro
Hmm, could you just use TdxLib instead of bringing your own copy of
the assembler code?
My initial thought was to include TdxLib in the .dsc as little as
possible. For example, DxeMpInitLib is included in
OvmfPkg/Microvm/MicrovmX64.dsc. If TdxLib is used by DxeMpInitLib,
then it has to be included in MicrovmX64.dsc as well.
Hmm, yes. Adding a TdxLib dependency has its downsides indeed.

So I copy the assemble code in MpInitLib.
The problem with copying code is that long-term maintenance becomes
harder. When a bug is found you have to find and fix all the copies
of that code. That's why I strongly prefer to avoid code copy&paste.
Sometimes there is no easy way around creating a copy though.
Can't you create something in MdePkg/Library/Baselib and then use it
everywhere it's needed?
Do you mean put the basic Tdx functions in MdePkg/Library/BaseLib? If that is the case, then I would add below basic Tdx functions in BaseLib:
- TdIsEnabled ()
- TdCall ()
- TdVmCall ()

Gerd, what's your thought?

Thanks
Min


Re: [PATCH] MdeModulePkg/DxeCapsuleLibFmp: Add runtime SetImage support

Bob Morgan
 

Hi Liming,

The Uefi spec Version 2.9 appears to have some inconsistencies regarding the possibility of runtime processing of FMP capsules. The UpdateCapsule() runtime service in Section 8.5.3 states that "the firmware may process the capsule immediately", but in Section 23.3.1, where the FMP capsule is described, the last paragraph states "By definition Firmware Management protocol services are not available in EFI runtime".

I think the following spec changes would document the optional runtime FMP capsule processing as implemented in this patch:

1. Reword Section 23.3.1 Description last paragraph, first sentence.
From: "By definition Firmware Management protocol services are not available in EFI runtime and depending upon platform capabilities, EFI runtime delivery of this capsule may not be supported and may return an error when delivered in EFI runtime with CAPSULE_FLAGS_PERSIST_ACROSS_RESET bit defined."

To something like this: "Depending upon platform capabilities, EFI runtime delivery or processing of this capsule may not be supported and may return an error when delivered in EFI runtime."

2. Reword Section 23.3.3 Step 3.
From: "If system is not in boot services and platform does not support persistence of capsule across reset when initiated within EFI Runtime, EFI_OUT_OF_RESOURCES error is returned."

To something like this: "If system is not in boot services and the CAPSULE_FLAGS_PERSIST_ACROSS_RESET flag is set, but the platform does not support persistence of capsule across reset when initiated within EFI Runtime, EFI_OUT_OF_RESOURCES error is returned." <<<By the way, UpdateCapsule() currently appears to return EFI_UNSUPPORTED in this case, see the IsPersistAcrossResetCapsuleSupported () check near the end>>>

3. Add runtime FMP support info to Section 23.3.3 Step 3.
If system is not in boot services and the CAPSULE_FLAGS_PERSIST_ACROSS_RESET flag is not set, but the platform does not support processing of capsules within EFI Runtime, EFI_OUT_OF_RESOURCES error is returned. If the platform supports processing of capsules within EFI Runtime, steps 4-10 are not applicable and the capsules are processed according to steps 11-14.

Let me know what you think and we can get an ECR process started to update the spec.

Thanks,

-bob

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of gaoliming via groups.io
Sent: Monday, November 1, 2021 7:17 PM
To: devel@edk2.groups.io; Bob Morgan <bobm@...>
Cc: 'Jian J Wang' <jian.j.wang@...>; 'Guomin Jiang' <guomin.jiang@...>
Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/DxeCapsuleLibFmp: Add runtime SetImage support

External email: Use caution opening links or attachments


Bob:
Thanks for your detail. PcdRuntimeFmpCapsuleImageTypeIdGuid is edk2 implementation solution. Have you the proposal on how to update UEFI spec to support runtime FMP protocol?

Thanks
Liming
-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bob Morgan via groups.io
Sent: October 30, 2021 1:59
To: gaoliming <gaoliming@...>; devel@edk2.groups.io
Cc: 'Jian J Wang' <jian.j.wang@...>; 'Guomin Jiang' <guomin.jiang@...>
Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/DxeCapsuleLibFmp: Add runtime SetImage support

Hi Liming, See inline below.

-----Original Message-----
From: gaoliming <gaoliming@...>
Sent: Thursday, October 28, 2021 7:57 PM
To: devel@edk2.groups.io; Bob Morgan <bobm@...>
Cc: 'Jian J Wang' <jian.j.wang@...>; 'Guomin Jiang'
<guomin.jiang@...>
Subject: Re: [edk2-devel] [PATCH] MdeModulePkg/DxeCapsuleLibFmp: Add runtime SetImage support

External email: Use caution opening links or attachments


Bob:
I think this patch needs to work together with the changes of
FmpDevicePkg: Add support for runtime FmpDxe driver.
Yes, this patch adds support to process FMP capsules at runtime if the
capsule’s UpdateImageTypeId is supported by a runtime-capable FmpDxe
driver (e.g. using the FmpDevicePkg patch you mentioned). The
PcdSupportProcessCapsuleAtRuntime PCD must be TRUE and the capsule’s
CAPSULE_FLAGS_PERSIST_ACROSS_RESET flag must be FALSE.

Capsule is runtime service. If it consumes FMP to do update, FMP
service can support runtime. But, how does Capsule know whether FMP
protocol supports runtime or not?
Right, this patch requires an implementation to list the FMP
ImageTypeId GUIDs supported by any runtime-capable FmpDxe drivers in
the new PcdRuntimeFmpCapsuleImageTypeIdGuid array PCD. This PCD is
used by the new InitializeRuntimeFmpArrays() function during
DxeRuntimeCapsuleLib initialization to find the FMP instances that
support those ImageTypeIds and save their
EFI_FIRMWARE_MANAGEMENT_PROTOCOL protocol structure pointers for
runtime use during capsule processing.

When ProcessFmpCapsuleImage() executes its step ‘2. Route payload to
right FMP instance’, it detects runtime execution and uses the saved
runtime-capable FMP protocol structure pointer if its ImageTypeId
matches that of the capsule being processed.

I hope that helps. Please let me know if additional clarification is needed.

Thanks,
-bob

Thanks
Liming
-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bob Morgan via groups.io
Sent: October 20, 2021 4:11
To: devel@edk2.groups.io
Cc: Bob Morgan <bobm@...>; Jian J Wang <jian.j.wang@...>; Liming Gao <gaoliming@...>; Guomin Jiang <guomin.jiang@...>
Subject: [edk2-devel] [PATCH] MdeModulePkg/DxeCapsuleLibFmp: Add runtime SetImage support

Adds optional support for processing FMP capsule images after
ExitBootServices() if the ImageTypeIdGuid is mentioned in the new
PcdRuntimeFmpCapsuleImageTypeIdGuid list.

Cc: Jian J Wang <jian.j.wang@...>
Cc: Liming Gao <gaoliming@...>
Cc: Guomin Jiang <guomin.jiang@...>
Signed-off-by: Bob Morgan <bobm@...>
---
.../Library/DxeCapsuleLibFmp/DxeCapsuleLib.c | 81 +++++++++---
.../DxeCapsuleLibFmp/DxeCapsuleRuntime.c | 119
++++++++++++++++++
.../DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf | 4 +
MdeModulePkg/MdeModulePkg.dec | 7 +-
4 files changed, 192 insertions(+), 19 deletions(-)

diff --git a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
index 90942135d7..0000f91c6a 100644
--- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
+++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c
@@ -10,6 +10,7 @@
ValidateFmpCapsule(), and DisplayCapsuleImage() receives
untrusted input and
performs basic validation.

+ Copyright (c) 2021, NVIDIA CORPORATION. All rights
+ reserved.<BR>
Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent

@@ -41,6 +42,11 @@
#include <Protocol/FirmwareManagementProgress.h>
#include <Protocol/DevicePath.h>

+BOOLEAN (EFIAPI *mLibAtRuntimeFunction) (VOID)
=
NULL;
+EFI_FIRMWARE_MANAGEMENT_PROTOCOL *mRuntimeFmp
= NULL;
+VOID
**mRuntimeFmpProtocolArray
= NULL;
+EFI_GUID *mRuntimeFmpGuidArray
= NULL;
+
EFI_SYSTEM_RESOURCE_TABLE *mEsrtTable =
NULL;
BOOLEAN mIsVirtualAddrConverted =
FALSE;

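Review bot: the four new module-scope pointers are defined here in DxeCapsuleLib.c, which is shared by the boot-time DxeCapsuleLib instance and the DxeRuntimeCapsuleLib instance, but only DxeCapsuleRuntime.c ever initializes them; in the boot-time instance they stay NULL and every new "(mLibAtRuntimeFunction != NULL) && mLibAtRuntimeFunction ()" guard is constant-false. That is the intended behaviour, so say so in a comment at the definitions. mRuntimeFmp is also a per-payload scratch value written by ProcessFmpCapsuleImage and read by SetFmpImageData in the same call; passing it as a parameter would make the data flow visible instead of hiding it in a global.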
@@ -551,6 +557,11 @@ DumpAllFmpInfo (
UINT32
PackageVersion;
CHAR16
*PackageVersionName;

+ // Dump not supported at runtime.
+ if ((mLibAtRuntimeFunction != NULL) && mLibAtRuntimeFunction ()) {
+ return;
+ }
+
Status = gBS->LocateHandleBuffer (
ByProtocol,
&gEfiFirmwareManagementProtocolGuid,
@@ -906,25 +917,35 @@ SetFmpImageData (
CHAR16
*AbortReason;
EFI_FIRMWARE_MANAGEMENT_UPDATE_IMAGE_PROGRESS
ProgressCallback;

- Status = gBS->HandleProtocol(
- Handle,
- &gEfiFirmwareManagementProtocolGuid,
- (VOID **)&Fmp
- );
- if (EFI_ERROR(Status)) {
- return Status;
- }
+ // If not using optional runtime support, get FMP protocol for
+ given
Handle.
+ // Otherwise, use the one saved by ProcessFmpCapsuleImage().
+ if ((mLibAtRuntimeFunction == NULL) || !mLibAtRuntimeFunction ()) {
+ Status = gBS->HandleProtocol(
+ Handle,
+ &gEfiFirmwareManagementProtocolGuid,
+ (VOID **)&Fmp
+ );
+ if (EFI_ERROR(Status)) {
+ return Status;
+ }

- //
- // Lookup Firmware Management Progress Protocol before
SetImage() is called
- // This is an optional protocol that may not be present on Handle.
- //
- Status = gBS->HandleProtocol (
- Handle,
-
&gEdkiiFirmwareManagementProgressProtocolGuid,
- (VOID **)&mFmpProgress
- );
- if (EFI_ERROR (Status)) {
+ //
+ // Lookup Firmware Management Progress Protocol before
SetImage()
is called
+ // This is an optional protocol that may not be present on Handle.
+ //
+ Status = gBS->HandleProtocol (
+ Handle,
+
&gEdkiiFirmwareManagementProgressProtocolGuid,
+ (VOID **)&mFmpProgress
+ );
+ if (EFI_ERROR (Status)) {
+ mFmpProgress = NULL;
+ }
+ } else {
+ if (mRuntimeFmp == NULL) {
+ return EFI_UNSUPPORTED;
+ }
+ Fmp = mRuntimeFmp;
mFmpProgress = NULL;
}

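Review bot: in the runtime branch Handle is unused and the optional progress protocol is set to NULL, which is fine, but the rest of SetFmpImageData (outside this hunk) still executes after ExitBootServices: anything on that path that uses boot services, for example freeing the AbortReason string declared above once Fmp->SetImage() returns it, is no longer valid at runtime and needs the same mLibAtRuntimeFunction guard. Also, when no saved instance matched (mRuntimeFmp == NULL) this returns EFI_UNSUPPORTED, whereas the spec text discussed earlier in the thread uses EFI_OUT_OF_RESOURCES for capsules the platform cannot process at runtime; pick one and state it in the commit message.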
@@ -1259,6 +1280,30 @@ ProcessFmpCapsuleImage (
UpdateHardwareInstance =
ImageHeader->UpdateHardwareInstance;
}

+ // Optional runtime FMP SetImage processing sequence
+ if ((mLibAtRuntimeFunction != NULL) && mLibAtRuntimeFunction
+ ()
&&
+ (mRuntimeFmpProtocolArray != NULL)) {
+ mRuntimeFmp = NULL;
+ Index2 = 0;
+ while (mRuntimeFmpProtocolArray[Index2] != NULL) {
+ if (CompareGuid (&ImageHeader->UpdateImageTypeId,
+ &mRuntimeFmpGuidArray[Index2])) {
+ mRuntimeFmp =
(EFI_FIRMWARE_MANAGEMENT_PROTOCOL
*)
+ mRuntimeFmpProtocolArray[Index2];
+ break;
+ }
+ Index2++;
+ }
+
+ Status = SetFmpImageData (NULL,
+ ImageHeader,
+ Index -
FmpCapsuleHeader->EmbeddedDriverCount);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ continue;
+ }
+
Status = GetFmpHandleBufferByType (
&ImageHeader->UpdateImageTypeId,
UpdateHardwareInstance, diff --git
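Review bot: the runtime branch matches payloads by UpdateImageTypeId only and never consults UpdateHardwareInstance, which was just read from the image header a few lines above; a capsule that targets a specific hardware instance would therefore be applied to whichever saved instance has the matching type GUID. Since the initialization comment in DxeCapsuleRuntime.c states that UpdateHardwareInstance is not supported, reject it explicitly at runtime (non-zero value -> error) instead of silently ignoring it. Also, when no GUID in mRuntimeFmpGuidArray matches, the code still calls SetFmpImageData with mRuntimeFmp == NULL and returns its error, aborting the remaining payloads; testing mRuntimeFmp here and returning a clear status would make the failure easier to diagnose.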
a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleRuntime.c
b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleRuntime.c
index f94044a409..6feb6dab79 100644
--- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleRuntime.c
+++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleRuntime.c
@@ -1,6 +1,7 @@
/** @file
Capsule library runtime support.

+ Copyright (c) 2021, NVIDIA CORPORATION. All rights
+ reserved.<BR>
Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent

@@ -19,7 +20,11 @@
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiRuntimeLib.h>

+extern BOOLEAN (EFIAPI
*mLibAtRuntimeFunction)
(VOID);
+extern VOID **mRuntimeFmpProtocolArray;
+extern EFI_GUID *mRuntimeFmpGuidArray;
extern EFI_SYSTEM_RESOURCE_TABLE *mEsrtTable;
extern BOOLEAN mIsVirtualAddrConverted;
EFI_EVENT
mDxeRuntimeCapsuleLibVirtualAddressChangeEvent = NULL; @@ -40,9
+45,121 @@ DxeCapsuleLibVirtualAddressChangeEvent (
)
{
gRT->ConvertPointer (EFI_OPTIONAL_PTR, (VOID **)&mEsrtTable);
+
+ if (mRuntimeFmpProtocolArray != NULL) {
+ VOID **FmpArrayEntry;
+
+ FmpArrayEntry = mRuntimeFmpProtocolArray;
+ while (*FmpArrayEntry != NULL) {
+ EfiConvertPointer (0x0, (VOID **) FmpArrayEntry);
+ FmpArrayEntry++;
+ }
+ EfiConvertPointer (0x0, (VOID **)
&mRuntimeFmpProtocolArray); }
+ if (mRuntimeFmpGuidArray != NULL) {
+ EfiConvertPointer (0x0, (VOID **) &mRuntimeFmpGuidArray); }
if
+ (mLibAtRuntimeFunction != NULL ) {
+ EfiConvertPointer (0x0, (VOID **) &mLibAtRuntimeFunction); }
+
mIsVirtualAddrConverted = TRUE; }

+/**
+ Initialize optional runtime FMP arrays to support FMP SetImage
processing
+ after ExitBootServices() is called.
+
+ The ImageTypeIdGuids of runtime-capable FMP protocol drivers
+ are
extracted
+ from the PcdRuntimeFmpCapsuleImageTypeIdGuid list and their
+ protocol structure pointers are saved in the
+ mRuntimeFmpProtocolArray for use
during
+ UpdateCapsule() processing. UpdateHardwareInstance is not
supported.
+
+**/
+STATIC
+VOID
+EFIAPI
+InitializeRuntimeFmpArrays (
+ VOID
+ )
+{
+ EFI_GUID *Guid;
+ UINTN NumHandles;
+ EFI_HANDLE *HandleBuffer;
+ EFI_STATUS Status;
+ UINTN Count;
+ UINTN Index;
+ UINTN FmpArrayIndex;
+
+ EFI_STATUS
+ GetFmpHandleBufferByType (
+ IN EFI_GUID
*UpdateImageTypeId,
+ IN UINT64
UpdateHardwareInstance,
+ OUT UINTN *NoHandles,
OPTIONAL
+ OUT EFI_HANDLE **HandleBuf,
OPTIONAL
+ OUT BOOLEAN
**ResetRequiredBuf
OPTIONAL
+ );
+
+ Count = PcdGetSize (PcdRuntimeFmpCapsuleImageTypeIdGuid) /
sizeof
(GUID);
+ if (Count == 0) {
+ return;
+ }
+
+ // mRuntimeFmpProtocolArray is a NULL-terminated list of FMP
+ protocol
pointers
+ mRuntimeFmpProtocolArray = (VOID **)
+ AllocateRuntimeZeroPool ((Count + 1) * sizeof (VOID *)); if
+ (mRuntimeFmpProtocolArray == NULL) {
+ DEBUG ((DEBUG_ERROR, "Error allocating
mRuntimeFmpProtocolArray\n"));
+ return;
+ }
+ mRuntimeFmpGuidArray = (EFI_GUID *)
+ AllocateRuntimeZeroPool (Count * sizeof (EFI_GUID)); if
+ (mRuntimeFmpGuidArray == NULL) {
+ DEBUG ((DEBUG_ERROR, "Error allocating
mRuntimeFmpGuidArray"));
+ FreePool (mRuntimeFmpProtocolArray);
+ return;
+ }
+
+ // For each runtime ImageTypeIdGuid in the PCD, save its GUID
+ and FMP
protocol
+ FmpArrayIndex = 0;
+ Guid = PcdGetPtr (PcdRuntimeFmpCapsuleImageTypeIdGuid);
+ for (Index = 0; Index < Count; Index++, Guid++) {
+ mRuntimeFmpGuidArray[FmpArrayIndex] = *Guid;
+ HandleBuffer = NULL;
+ Status = GetFmpHandleBufferByType (Guid,
+ 0,
+ &NumHandles,
+ &HandleBuffer,
+ NULL);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR,
+ "Error finding FMP handle for runtime
ImageTypeIdGuid=%g: %r\n",
+ Guid, Status));
+ continue;
+ }
+
+ if (NumHandles > 1) {
+ DEBUG ((DEBUG_ERROR,
+ "FMP runtime ImageTypeIdGuid=%g returned %u
handles,
only 1 supported\n",
+ Guid, NumHandles));
+ }
+ Status = gBS->HandleProtocol (HandleBuffer[0],
+
&gEfiFirmwareManagementProtocolGuid,
+
&mRuntimeFmpProtocolArray[FmpArrayIndex]);
+ FreePool (HandleBuffer);
+ if (EFI_ERROR(Status)) {
+ DEBUG ((DEBUG_ERROR,
+ "Error getting FMP protocol for runtime
ImageTypeIdGuid=%g: %r\n",
+ Guid, Status));
+ continue;
+ }
+
+ FmpArrayIndex++;
+ }
+
+ mLibAtRuntimeFunction = EfiAtRuntime; }
+
/**
Notify function for event group
EFI_EVENT_GROUP_READY_TO_BOOT.

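Review bot: in InitializeRuntimeFmpArrays the second allocation-failure path calls FreePool (mRuntimeFmpProtocolArray) but leaves the pointer non-NULL; DxeCapsuleLibVirtualAddressChangeEvent and the runtime branch of ProcessFmpCapsuleImage both test "mRuntimeFmpProtocolArray != NULL" and would then walk freed memory, so set it to NULL after the FreePool. Further points: (1) when NumHandles > 1 the code logs an error but still binds HandleBuffer[0], so which instance is called at runtime is arbitrary; skipping that GUID is safer. (2) EfiConvertPointer is applied to the saved protocol structure pointers, not to the function pointers inside each EFI_FIRMWARE_MANAGEMENT_PROTOCOL, so a runtime-capable FmpDxe driver must keep its protocol structure in runtime memory and convert its own members in its own virtual-address-change handler; that contract belongs in the PCD documentation. (3) Count = PcdGetSize / sizeof (GUID) silently truncates a blob whose size is not a multiple of 16; reject it instead. (4) The DEBUG string "Error allocating mRuntimeFmpGuidArray" lacks a trailing \n.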
@@ -93,6 +210,8 @@ DxeCapsuleLibReadyToBootEventNotify (
//
mEsrtTable->FwResourceCountMax =
mEsrtTable->FwResourceCount;
}
+
+ InitializeRuntimeFmpArrays ();
}

/**
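Review bot: InitializeRuntimeFmpArrays is called unconditionally from the ReadyToBoot handler and allocates fresh arrays every time; if the event is signaled more than once in a boot (for instance when several boot options are tried in turn) the earlier arrays are leaked and mLibAtRuntimeFunction is re-set. Guard the call with "if (mRuntimeFmpProtocolArray == NULL)" or a static flag.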
diff --git
a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf
b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf
index bf56f4623f..7b3f5e04f8 100644
---
a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf
+++
b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf
@@ -49,6 +49,7 @@
PrintLib
HobLib
BmpSupportLib
+ PcdLib


[Protocols]
@@ -70,5 +71,8 @@
gEfiEventVirtualAddressChangeGuid ## CONSUMES ## Event
gEdkiiCapsuleOnDiskNameGuid ##
SOMETIMES_CONSUMES ## GUID

+[Pcd]
+
gEfiMdeModulePkgTokenSpaceGuid.PcdRuntimeFmpCapsuleImageTypeIdG
ui
d
+
[Depex]
gEfiVariableWriteArchProtocolGuid diff --git
a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 133e04ee86..869aa892f7
100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -3,7 +3,7 @@
# It also provides the definitions(including PPIs/PROTOCOLs/GUIDs
and library classes) # and libraries instances, which are used
for those modules.
#
-# Copyright (c) 2019, NVIDIA CORPORATION. All rights reserved.
+# Copyright (c) 2019-2021, NVIDIA CORPORATION. All rights
+reserved.<BR>
# Copyright (c) 2007 - 2021, Intel Corporation. All rights
reserved.<BR> # Copyright (c) 2016, Linaro Ltd. All rights
reserved.<BR> # (C) Copyright 2016 - 2019 Hewlett Packard
Enterprise Development LP<BR> @@ -2020,6 +2020,11 @@
# @Prompt Capsule On Disk Temp Relocation file name in PEI
phase

gEfiMdeModulePkgTokenSpaceGuid.PcdCoDRelocationFileName|L"Cod.tmp
"|
VOID*|0x30001048

+ ## This PCD holds a list of GUIDs for the ImageTypeId to
+ indicate the # FMP is runtime capable.
+ # @Prompt A list of runtime-capable FMP ImageTypeId GUIDs
+
gEfiMdeModulePkgTokenSpaceGuid.PcdRuntimeFmpCapsuleImageTypeIdG
ui
d|{0x0}|VOID*|0x30001049
+
## This PCD hold a list GUIDs for the ImageTypeId to indicate the
# FMP capsule is a system FMP.
# @Prompt A list of system FMP ImageTypeId GUIDs
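Review bot: the description of PcdRuntimeFmpCapsuleImageTypeIdGuid should say what the value is: a packed array of raw 16-byte EFI_GUIDs (the consumer walks `PcdGetPtr` with `Guid++` and sizes the array as `Count * sizeof (EFI_GUID)`), that the `{0x0}` default is a single zero byte meaning "no FMP is runtime capable" rather than a null GUID, and that listing an ImageTypeId here is a platform statement that the matching FMP's SetImage, including its image authentication, is safe to call after ExitBootServices. The adjacent PcdSystemFmpCapsuleImageTypeIdGuid entry shows the wording to mirror.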
--
2.17.1

[PATCH] Reallocate TPM Active PCRs based on platform support.

Rodrigo Gonzalez del Cueto
 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3515

In V3: Cleaned up comments, debug prints and updated patch to use the
new debug ENUM definitions.

- Replaced EFI_D_INFO with DEBUG_INFO.
- Replaced EFI_D_VERBOSE with DEBUG_VERBOSE.

In V2: Add case to RegisterHashInterfaceLib logic

RegisterHashInterfaceLib needs to correctly handle registering the HashLib
instance supported algorithm bitmap when PcdTpm2HashMask is set to zero.

The current implementation of SyncPcrAllocationsAndPcrMask() triggers
PCR bank reallocation only based on the intersection between
TpmActivePcrBanks and PcdTpm2HashMask.

When the software HashLibBaseCryptoRouter solution is used, no PCR bank
reallocation is occurring based on the supported hashing algorithms
registered by the HashLib instances.

Need to have an additional check for the intersection between the
TpmActivePcrBanks and the PcdTcg2HashAlgorithmBitmap populated by the
HashLib instances present on the platform's BIOS.

Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@...>

Cc: Jian J Wang <jian.j.wang@...>
Cc: Jiewen Yao <jiewen.yao@...>
---
SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c | 6 +++++-
SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c | 6 +++++-
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c | 67 ++++++++++++++++++++++++++++++++++++++++++-------------------------
SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf | 1 +
4 files changed, 53 insertions(+), 27 deletions(-)

diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c
index 7a0f61efbb..0821159120 100644
--- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c
+++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.c
@@ -230,13 +230,17 @@ RegisterHashInterfaceLib (
{
UINTN Index;
UINT32 HashMask;
+ UINT32 Tpm2HashMask;
EFI_STATUS Status;

//
// Check allow
//
HashMask = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);
- if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {
+ Tpm2HashMask = PcdGet32 (PcdTpm2HashMask);
+
+ if ((Tpm2HashMask != 0) &&
+ ((HashMask & Tpm2HashMask) == 0)) {
return EFI_UNSUPPORTED;
}

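Review bot: with `Tpm2HashMask == 0` now meaning "no restriction", the `// Check allow` comment above the test no longer describes the logic. Say in the comment that a zero PcdTpm2HashMask registers every HashLib instance so that PcdTcg2HashAlgorithmBitmap reports the full BIOS hashing capability, which SyncPcrAllocationsAndPcrMask then intersects with the TPM's active banks. The same applies to the identical change in HashLibBaseCryptoRouterPei.c.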
diff --git a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
index 42cb562f67..6ae51dbce4 100644
--- a/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
+++ b/SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.c
@@ -327,13 +327,17 @@ RegisterHashInterfaceLib (
UINTN Index;
HASH_INTERFACE_HOB *HashInterfaceHob;
UINT32 HashMask;
+ UINT32 Tpm2HashMask;
EFI_STATUS Status;

//
// Check allow
//
HashMask = Tpm2GetHashMaskFromAlgo (&HashInterface->HashGuid);
- if ((HashMask & PcdGet32 (PcdTpm2HashMask)) == 0) {
+ Tpm2HashMask = PcdGet32 (PcdTpm2HashMask);
+
+ if ((Tpm2HashMask != 0) &&
+ ((HashMask & Tpm2HashMask) == 0)) {
return EFI_UNSUPPORTED;
}

diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
index 93a8803ff6..582b9377e5 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c
@@ -1,7 +1,7 @@
/** @file
Initialize TPM2 device and measure FVs before handing off control to DXE.

-Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2015 - 2021, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2017, Microsoft Corporation. All rights reserved. <BR>
SPDX-License-Identifier: BSD-2-Clause-Patent

@@ -253,7 +253,7 @@ EndofPeiSignalNotifyCallBack (

/**
Make sure that the current PCR allocations, the TPM supported PCRs,
- and the PcdTpm2HashMask are all in agreement.
+ PcdTcg2HashAlgorithmBitmap and the PcdTpm2HashMask are all in agreement.
**/
VOID
SyncPcrAllocationsAndPcrMask (
@@ -262,52 +262,68 @@ SyncPcrAllocationsAndPcrMask (
{
EFI_STATUS Status;
EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap;
+ EFI_TCG2_EVENT_ALGORITHM_BITMAP BiosHashAlgorithmBitmap;
UINT32 TpmActivePcrBanks;
UINT32 NewTpmActivePcrBanks;
UINT32 Tpm2PcrMask;
UINT32 NewTpm2PcrMask;

- DEBUG ((EFI_D_ERROR, "SyncPcrAllocationsAndPcrMask!\n"));
+ DEBUG ((DEBUG_ERROR, "SyncPcrAllocationsAndPcrMask!\n"));

//
// Determine the current TPM support and the Platform PCR mask.
//
Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks);
+
ASSERT_EFI_ERROR (Status);

+ DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - TpmHashAlgorithmBitmap: 0x%08x\n", TpmHashAlgorithmBitmap));
+ DEBUG ((DEBUG_INFO, "Tpm2GetCapabilitySupportedAndActivePcrs - TpmActivePcrBanks 0x%08x\n", TpmActivePcrBanks));
+
Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask);
if (Tpm2PcrMask == 0) {
//
- // if PcdTPm2HashMask is zero, use ActivePcr setting
+ // If PcdTpm2HashMask is zero, use ActivePcr setting.
+ // Only when PcdTpm2HashMask is initialized to 0, will it be updated to current Active Pcrs.
//
PcdSet32S (PcdTpm2HashMask, TpmActivePcrBanks);
Tpm2PcrMask = TpmActivePcrBanks;
}
+ DEBUG ((DEBUG_INFO, "Tpm2PcrMask 0x%08x\n", Tpm2PcrMask));

//
- // Find the intersection of Pcd support and TPM support.
- // If banks are missing from the TPM support that are in the PCD, update the PCD.
- // If banks are missing from the PCD that are active in the TPM, reallocate the banks and reboot.
- //
-
- //
- // If there are active PCR banks that are not supported by the Platform mask,
- // update the TPM allocations and reboot the machine.
+ // The Active PCRs in the TPM need to be a strict subset of the hashing algorithms supported by BIOS.
//
- if ((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) {
- NewTpmActivePcrBanks = TpmActivePcrBanks & Tpm2PcrMask;
-
- DEBUG ((EFI_D_INFO, "%a - Reallocating PCR banks from 0x%X to 0x%X.\n", __FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks));
+ // * Find the intersection of Pcd support and TPM active PCRs. If banks are missing from the TPM support
+ // that are in the PCD, update the PCD.
+ // * Find intersection of TPM Active PCRs and BIOS supported algorithms. If there are active PCR banks
+ // that are not supported by the platform, update the TPM allocations and reboot.
+ // Note: When the HashLibBaseCryptoRouter solution is used, the hash algorithm support from BIOS is reported
+ // by Tcg2HashAlgorithmBitmap, which is populated by HashLib instances at runtime.
+ BiosHashAlgorithmBitmap = PcdGet32 (PcdTcg2HashAlgorithmBitmap);
+ DEBUG ((DEBUG_INFO, "Tcg2HashAlgorithmBitmap: 0x%08x\n", BiosHashAlgorithmBitmap));
+
+ if (((TpmActivePcrBanks & Tpm2PcrMask) != TpmActivePcrBanks) ||
+ ((TpmActivePcrBanks & BiosHashAlgorithmBitmap) != TpmActivePcrBanks)) {
+ DEBUG ((DEBUG_INFO, "TpmActivePcrBanks & Tpm2PcrMask = 0x%08x\n", (TpmActivePcrBanks & Tpm2PcrMask)));
+ DEBUG ((DEBUG_INFO, "TpmActivePcrBanks & BiosHashAlgorithmBitmap = 0x%08x\n", (TpmActivePcrBanks & BiosHashAlgorithmBitmap)));
+ NewTpmActivePcrBanks = TpmActivePcrBanks;
+ NewTpmActivePcrBanks &= Tpm2PcrMask;
+ NewTpmActivePcrBanks &= BiosHashAlgorithmBitmap;
+ DEBUG ((DEBUG_INFO, "NewTpmActivePcrBanks 0x%08x\n", NewTpmActivePcrBanks));
+
+ DEBUG ((DEBUG_INFO, "%a - Reallocating PCR banks from 0x%X to 0x%X.\n", __FUNCTION__, TpmActivePcrBanks, NewTpmActivePcrBanks));
if (NewTpmActivePcrBanks == 0) {
- DEBUG ((EFI_D_ERROR, "%a - No viable PCRs active! Please set a less restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));
+ DEBUG ((DEBUG_ERROR, "%a - No viable PCRs active! Please set a less restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));
ASSERT (FALSE);
} else {
+ DEBUG ((DEBUG_ERROR, "Tpm2PcrAllocateBanks (TpmHashAlgorithmBitmap: 0x%08x, NewTpmActivePcrBanks: 0x%08x)\n", TpmHashAlgorithmBitmap, NewTpmActivePcrBanks));
Status = Tpm2PcrAllocateBanks (NULL, (UINT32)TpmHashAlgorithmBitmap, NewTpmActivePcrBanks);
if (EFI_ERROR (Status)) {
//
// We can't do much here, but we hope that this doesn't happen.
//
- DEBUG ((EFI_D_ERROR, "%a - Failed to reallocate PCRs!\n", __FUNCTION__));
+ DEBUG ((DEBUG_ERROR, "%a - Failed to reallocate PCRs!\n", __FUNCTION__));
ASSERT_EFI_ERROR (Status);
}
//
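Review bot: `BiosHashAlgorithmBitmap` is used without a zero check. If PcdTcg2HashAlgorithmBitmap is still 0 here (no HashLib instance registered, or a platform that never sets the PCD), every active bank fails the `(TpmActivePcrBanks & BiosHashAlgorithmBitmap) != TpmActivePcrBanks` test, NewTpmActivePcrBanks becomes 0 and the code reaches the "No viable PCRs active! Please set a less restrictive value for PcdTpm2HashMask!" ASSERT, whose message names the wrong knob. Either skip the BIOS intersection when the bitmap is zero (with a DEBUG_WARN) or extend the message to mention PcdTcg2HashAlgorithmBitmap. Two smaller points: the comment says "strict subset" but the test permits equality, so "subset" is the accurate word; and the `Tpm2PcrAllocateBanks (...)` trace is informational and belongs at DEBUG_INFO, not DEBUG_ERROR.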
@@ -324,13 +340,14 @@ SyncPcrAllocationsAndPcrMask (
if ((Tpm2PcrMask & TpmHashAlgorithmBitmap) != Tpm2PcrMask) {
NewTpm2PcrMask = Tpm2PcrMask & TpmHashAlgorithmBitmap;

- DEBUG ((EFI_D_INFO, "%a - Updating PcdTpm2HashMask from 0x%X to 0x%X.\n", __FUNCTION__, Tpm2PcrMask, NewTpm2PcrMask));
+ DEBUG ((DEBUG_ERROR, "%a - Updating PcdTpm2HashMask from 0x%X to 0x%X.\n", __FUNCTION__, Tpm2PcrMask, NewTpm2PcrMask));
if (NewTpm2PcrMask == 0) {
- DEBUG ((EFI_D_ERROR, "%a - No viable PCRs supported! Please set a less restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));
+ DEBUG ((DEBUG_ERROR, "%a - No viable PCRs supported! Please set a less restrictive value for PcdTpm2HashMask!\n", __FUNCTION__));
ASSERT (FALSE);
}

Status = PcdSet32S (PcdTpm2HashMask, NewTpm2PcrMask);
+ DEBUG ((DEBUG_ERROR, "Set PcdTpm2Hash Mask to 0x%08x\n", NewTpm2PcrMask));
ASSERT_EFI_ERROR (Status);
}
}
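Review bot: changing "Updating PcdTpm2HashMask" from EFI_D_INFO to DEBUG_ERROR, and adding "Set PcdTpm2Hash Mask" at DEBUG_ERROR, are level escalations rather than the rename the commit message describes ("Replaced EFI_D_INFO with DEBUG_INFO"). Trimming the mask to what the TPM supports is expected behaviour; keep both at DEBUG_INFO so that DEBUG_ERROR output stays a reliable signal for the real failure a few lines above (`NewTpm2PcrMask == 0`). Also "PcdTpm2Hash Mask" has a stray space in the PCD name.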
@@ -365,7 +382,7 @@ LogHashEvent (
RetStatus = EFI_SUCCESS;
for (Index = 0; Index < sizeof(mTcg2EventInfo)/sizeof(mTcg2EventInfo[0]); Index++) {
if ((SupportedEventLogs & mTcg2EventInfo[Index].LogFormat) != 0) {
- DEBUG ((EFI_D_INFO, " LogFormat - 0x%08x\n", mTcg2EventInfo[Index].LogFormat));
+ DEBUG ((DEBUG_INFO, " LogFormat - 0x%08x\n", mTcg2EventInfo[Index].LogFormat));
switch (mTcg2EventInfo[Index].LogFormat) {
case EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2:
Status = GetDigestFromDigestList (TPM_ALG_SHA1, DigestList, &NewEventHdr->Digest);
@@ -476,7 +493,7 @@ HashLogExtendEvent (
}

if (Status == EFI_DEVICE_ERROR) {
- DEBUG ((EFI_D_ERROR, "HashLogExtendEvent - %r. Disable TPM.\n", Status));
+ DEBUG ((DEBUG_ERROR, "HashLogExtendEvent - %r. Disable TPM.\n", Status));
BuildGuidHob (&gTpmErrorHobGuid,0);
REPORT_STATUS_CODE (
EFI_ERROR_CODE | EFI_ERROR_MINOR,
@@ -1011,7 +1028,7 @@ PeimEntryMA (
}

if (GetFirstGuidHob (&gTpmErrorHobGuid) != NULL) {
- DEBUG ((EFI_D_ERROR, "TPM2 error!\n"));
+ DEBUG ((DEBUG_ERROR, "TPM2 error!\n"));
return EFI_DEVICE_ERROR;
}

@@ -1075,7 +1092,7 @@ PeimEntryMA (
for (PcrIndex = 0; PcrIndex < 8; PcrIndex++) {
Status = MeasureSeparatorEventWithError (PcrIndex);
if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Separator Event with Error not Measured. Error!\n"));
+ DEBUG ((DEBUG_ERROR, "Separator Event with Error not Measured. Error!\n"));
}
}
}
@@ -1106,7 +1123,7 @@ PeimEntryMA (

Done:
if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "TPM2 error! Build Hob\n"));
+ DEBUG ((DEBUG_ERROR, "TPM2 error! Build Hob\n"));
BuildGuidHob (&gTpmErrorHobGuid,0);
REPORT_STATUS_CODE (
EFI_ERROR_CODE | EFI_ERROR_MINOR,
diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
index 06c26a2904..17ad116126 100644
--- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
+++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf
@@ -86,6 +86,7 @@
## SOMETIMES_CONSUMES
## SOMETIMES_PRODUCES
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask
+ gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap ## CONSUMES

[Depex]
gEfiPeiMasterBootModePpiGuid AND
--
2.33.1.windows.1
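To make the bank-sync rule in the commit message concrete, here is an added model (not edk2 code) of the intersection logic SyncPcrAllocationsAndPcrMask applies before and after this patch. The bank bit values are assumed from the TCG2 protocol's EFI_TCG2_BOOT_HASH_ALG_* definitions, and the scenario data is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bank bits as in the TCG2 protocol's EFI_TCG2_BOOT_HASH_ALG_* values
 * (an assumption of this model; the page does not spell them out). */
#define HASH_ALG_SHA1    0x00000001u
#define HASH_ALG_SHA256  0x00000002u
#define HASH_ALG_SHA384  0x00000004u
#define HASH_ALG_SHA512  0x00000008u
#define HASH_ALG_SM3_256 0x00000010u

typedef struct {
  uint32_t TpmHashAlgorithmBitmap;   /* banks the TPM can allocate            */
  uint32_t TpmActivePcrBanks;        /* banks currently active in the TPM     */
  uint32_t Tpm2PcrMask;              /* PcdTpm2HashMask; 0 = follow the TPM   */
  uint32_t BiosHashAlgorithmBitmap;  /* PcdTcg2HashAlgorithmBitmap (HashLibs) */
} PCR_SYNC_INPUT;

typedef struct {
  bool     Reallocate;         /* Tpm2PcrAllocateBanks + cold reset would run */
  uint32_t NewActivePcrBanks;  /* active set after reallocation               */
  uint32_t NewTpm2PcrMask;     /* value PcdTpm2HashMask is left with          */
  bool     NoViablePcrs;       /* the ASSERT (FALSE) path: nothing left       */
} PCR_SYNC_RESULT;

/* Pure-arithmetic model of SyncPcrAllocationsAndPcrMask (). ConsiderBios == true
 * follows the patched logic (active banks must be a subset of both
 * PcdTpm2HashMask and the BIOS bitmap); false follows the pre-patch logic,
 * which never looks at the BIOS bitmap. */
PCR_SYNC_RESULT
SyncPcrBanks (PCR_SYNC_INPUT In, bool ConsiderBios)
{
  PCR_SYNC_RESULT Out  = { false, 0, 0, false };
  uint32_t        Mask = In.Tpm2PcrMask;
  uint32_t        Allowed;

  if (Mask == 0) {
    Mask = In.TpmActivePcrBanks;   /* PcdSet32S (PcdTpm2HashMask, Active) */
  }
  Allowed = Mask;
  if (ConsiderBios) {
    Allowed &= In.BiosHashAlgorithmBitmap;
  }

  Out.NewActivePcrBanks = In.TpmActivePcrBanks;
  if ((In.TpmActivePcrBanks & Allowed) != In.TpmActivePcrBanks) {
    /* An active bank this firmware could never extend would stay all-zero
     * for the whole boot; shrink the active set to the intersection. The
     * real routine then resets, so the mask update below would not run. */
    Out.Reallocate        = true;
    Out.NewActivePcrBanks = In.TpmActivePcrBanks & Allowed;
    Out.NoViablePcrs      = (Out.NewActivePcrBanks == 0);
  }

  /* Second half of the routine: drop mask bits the TPM cannot provide. */
  Out.NewTpm2PcrMask = Mask;
  if ((Mask & In.TpmHashAlgorithmBitmap) != Mask) {
    Out.NewTpm2PcrMask = Mask & In.TpmHashAlgorithmBitmap;
    if (Out.NewTpm2PcrMask == 0) {
      Out.NoViablePcrs = true;
    }
  }
  return Out;
}

int
main (void)
{
  /* Constructed scenario: SHA1, SHA256 and SHA384 banks active in the TPM,
   * PcdTpm2HashMask left at 0, HashLib instances providing only SHA1/SHA256. */
  PCR_SYNC_INPUT  In     = { HASH_ALG_SHA1 | HASH_ALG_SHA256 | HASH_ALG_SHA384,
                             HASH_ALG_SHA1 | HASH_ALG_SHA256 | HASH_ALG_SHA384,
                             0, HASH_ALG_SHA1 | HASH_ALG_SHA256 };
  PCR_SYNC_RESULT Before = SyncPcrBanks (In, false);
  PCR_SYNC_RESULT After  = SyncPcrBanks (In, true);

  printf ("pre-patch: reallocate=%d active=0x%02x (SHA384 stays, never extended)\n",
          Before.Reallocate, Before.NewActivePcrBanks);
  printf ("patched:   reallocate=%d active=0x%02x\n", After.Reallocate, After.NewActivePcrBanks);
  return 0;
}
```

Passing a zero BIOS bitmap to the patched path drives NewActivePcrBanks to 0 and sets NoViablePcrs, which is the failure mode a platform hits when no HashLib instance has populated PcdTcg2HashAlgorithmBitmap.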


Re: [PATCH v1 05/16] ArmPkg and MdePkg: Move the Arm CompilerIntrinsicsLib to MdePkg

Bret Barkelew
 

Will address.


On Wed, Nov 3, 2021 at 11:24 PM Andrew Fish <afish@...> wrote:


> On Nov 3, 2021, at 11:23 PM, gaoliming <gaoliming@...> wrote:
>
> Leif:
>
>> -----邮件原件-----
>> 发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 Leif Lindholm
>> 发送时间: 2021年11月2日 17:51
>> 收件人: brbarkel@... <bret@...>
>> 抄送: devel@edk2.groups.io; Ard Biesheuvel <ardb+tianocore@...>;
>> Michael D Kinney <michael.d.kinney@...>; Liming Gao
>> <gaoliming@...>; Zhiguang Liu <zhiguang.liu@...>; Sami
>> Mujawar <sami.mujawar@...>; Jiewen Yao <jiewen.yao@...>;
>> Supreeth Venkatesh <supreeth.venkatesh@...>; Maciej Rabeda
>> <maciej.rabeda@...>; Jiaxin Wu <jiaxin.wu@...>; Siyuan
>> Fu <siyuan.fu@...>; Ray Ni <ray.ni@...>; Zhichao Gao
>> <zhichao.gao@...>; Sean Brogan <sean.brogan@...>
>> 主题: Re: [edk2-devel] [PATCH v1 05/16] ArmPkg and MdePkg: Move the Arm
>> CompilerIntrinsicsLib to MdePkg
>>
>> On Mon, Nov 01, 2021 at 12:56:37 -0700, brbarkel@... wrote:
>>> From: Bret Barkelew <brbarkel@...>
>>>
>>> This aligns better with Mu's philosophy around dependency structuring
>>> and is one of the steps to enable Basecore to have zero CI dependencies
>>> on other Mu repos.
>>>
>>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3649
>>>
>>
>> Only one comment on this patch really.
>>
>>> ArmPkg/Library/CompilerIntrinsicsLib/CompilerIntrinsicsLib.inf =>
>> MdePkg/Library/CompilerIntrinsicsLib/ArmCompilerIntrinsicsLib.inf | 3 +--
>>
>> Could we just keep the .inf name as is?
>>
> I agree with your suggestion. CompilerIntrinsicsLib can support X86 in future.
> So, CompilerIntrinsicsLib.inf should be used.
>

+1

Thanks,

Andrew Fish

> Thanks
> Liming
>
>> I think we're getting closer to the x86 folk accepting that they
>> need this too, rather than keep inventing new dialects of C in the
>> desperate hope that the compiler won't generate stdlib calls it's
>> fully permitted to generate whenever it feels like.
>>
>> /
>>    Leif
>>


Re: [Patch V2 7/7] BaseTools/Conf: Fix Linux GCC ARM build issues with HII

Michael D Kinney
 

Hi Leif,

I will add NOOPT information to the commit message.

Unfortunately, this change caused a boot to shell failure for ArmVirtPkg QEMU. TFTP dynamic shell command failed to find HII package.

https://github.com/tianocore/edk2/pull/2166
https://dev.azure.com/tianocore/edk2-ci/_build/results?buildId=32907&view=logs&j=cf2d8b26-a21c-5c68-abf4-b944c123e462&t=5ffbbe5c-1d3a-55f5-5ef3-8a0ef80d76a1&l=547

I am investigating and will send a V3 with updates.

Mike

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Leif Lindholm
Sent: Thursday, November 4, 2021 3:50 AM
To: Kinney, Michael D <michael.d.kinney@...>
Cc: devel@edk2.groups.io; Feng, Bob C <bob.c.feng@...>; Liming Gao <gaoliming@...>; Chen, Christine
<yuwei.chen@...>; Ard Biesheuvel <ardb+tianocore@...>
Subject: Re: [edk2-devel] [Patch V2 7/7] BaseTools/Conf: Fix Linux GCC ARM build issues with HII

On Wed, Nov 03, 2021 at 15:59:54 -0700, Michael D Kinney wrote:
> Update build_rule.template to add $(SLINK) to the GCC
> steps for processing HII resources to produce a static
> library instead of an object file. This improves linker
> compatibility and specifically fixes a link failure seen
> on Linux GCC ARM builds of the MdeModulePkg due to
> mismatched ABI types between the HII resource section
> and the rest of the libraries.
>
> Cc: Bob Feng <bob.c.feng@...>
> Cc: Liming Gao <gaoliming@...>
> Cc: Yuwei Chen <yuwei.chen@...>
> Cc: Leif Lindholm <leif@...>
> Cc: Ard Biesheuvel <ardb+tianocore@...>
> Signed-off-by: Michael D Kinney <michael.d.kinney@...>

This arguably looks like a plain fix in the first place.

However, I am only able to trigger the build failure for the NOOPT
target. That may be useful to mention in the commit message.

With that:
Reviewed-by: Leif Lindholm <leif@...>

---
BaseTools/Conf/build_rule.template | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/BaseTools/Conf/build_rule.template b/BaseTools/Conf/build_rule.template
index 3add1029f276..5f59044da36d 100755
--- a/BaseTools/Conf/build_rule.template
+++ b/BaseTools/Conf/build_rule.template
@@ -668,6 +668,8 @@

<Command.GCC>
"$(GENFW)" -o $(OUTPUT_DIR)(+)$(MODULE_NAME)hii.rc -g $(MODULE_GUID) --hiibinpackage $(HII_BINARY_PACKAGES)
$(GENFW_FLAGS)
- "$(RC)" $(RC_FLAGS) $(OUTPUT_DIR)(+)$(MODULE_NAME)hii.rc ${dst}
+ "$(RC)" $(RC_FLAGS) $(OUTPUT_DIR)(+)$(MODULE_NAME)hii.rc $(OUTPUT_DIR)(+)$(MODULE_NAME)hii.rc.obj
+ "$(SLINK)" cr ${dst} $(OUTPUT_DIR)(+)$(MODULE_NAME)hii.rc.obj
+
<Command.XCODE, Command.RVCT, Command.CLANGGCC>
"$(GENFW)" -o $(OUTPUT_DIR)(+)$(MODULE_NAME)hii.rc -g $(MODULE_GUID) --hiibinpackage $(HII_BINARY_PACKAGES)
$(GENFW_FLAGS)
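Review bot: turning `${dst}` into a static archive changes which objects reach the image. A linker pulls an archive member only to satisfy an undefined symbol, and nothing in the module references the `_binary_*` symbols of `$(MODULE_NAME)hii.rc.obj` (GenFw locates the resource by its `.hii` section, not by symbol), so the member can be dropped entirely. That matches the ArmVirtPkg failure reported above, where the TFTP dynamic shell command could not find its HII package. Either keep the object itself on the link line, wrap the archive in `--whole-archive` / `--no-whole-archive` in the GCC DLINK rule, or have the module reference a symbol from the .rc object. The NOOPT-only reproduction Leif mentions also belongs in the commit message.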
--
2.32.0.windows.1



Re: [PATCH 1/1] OvmfPkg/AmdSev: remove unused SMM bits from .dsc and .fdf files

Dov Murik
 

Thanks Gerd,


On 04/11/2021 11:21, Gerd Hoffmann wrote:
> Signed-off-by: Gerd Hoffmann <kraxel@...>

Reviewed-by: Dov Murik <dovmurik@...>
Tested-by: Dov Murik <dovmurik@...>


-Dov


---
OvmfPkg/AmdSev/AmdSevX64.dsc | 47 ------------------------------------
OvmfPkg/AmdSev/AmdSevX64.fdf | 15 ------------
2 files changed, 62 deletions(-)

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index 5ee54451169b..d54ef2916536 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -93,14 +93,6 @@ [BuildOptions.common.EDKII.DXE_RUNTIME_DRIVER]
XCODE:*_*_*_MTOC_FLAGS = -align 0x1000
CLANGPDB:*_*_*_DLINK_FLAGS = /ALIGN:4096

-# Force PE/COFF sections to be aligned at 4KB boundaries to support page level
-# protection of DXE_SMM_DRIVER/SMM_CORE modules
-[BuildOptions.common.EDKII.DXE_SMM_DRIVER, BuildOptions.common.EDKII.SMM_CORE]
- GCC:*_*_*_DLINK_FLAGS = -z common-page-size=0x1000
- XCODE:*_*_*_DLINK_FLAGS = -seg1addr 0x1000 -segalign 0x1000
- XCODE:*_*_*_MTOC_FLAGS = -align 0x1000
- CLANGPDB:*_*_*_DLINK_FLAGS = /ALIGN:4096
-
################################################################################
#
# SKU Identification section - list of all SKU IDs supported by this Platform.
@@ -390,45 +382,6 @@ [LibraryClasses.common.UEFI_APPLICATION]
!endif
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf

-[LibraryClasses.common.DXE_SMM_DRIVER]
- PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
- TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf
- ResetSystemLib|OvmfPkg/Library/ResetSystemLib/DxeResetSystemLib.inf
- MemoryAllocationLib|MdePkg/Library/SmmMemoryAllocationLib/SmmMemoryAllocationLib.inf
- ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
- HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
- SmmMemLib|MdePkg/Library/SmmMemLib/SmmMemLib.inf
- MmServicesTableLib|MdePkg/Library/MmServicesTableLib/MmServicesTableLib.inf
- SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableLib.inf
-!ifdef $(DEBUG_ON_SERIAL_PORT)
- DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
-!else
- DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
-!endif
- CpuExceptionHandlerLib|UefiCpuPkg/Library/CpuExceptionHandlerLib/SmmCpuExceptionHandlerLib.inf
-!if $(SOURCE_DEBUG_ENABLE) == TRUE
- DebugAgentLib|SourceLevelDebugPkg/Library/DebugAgent/SmmDebugAgentLib.inf
-!endif
- BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
- PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
-
-[LibraryClasses.common.SMM_CORE]
- PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
- TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf
- ResetSystemLib|OvmfPkg/Library/ResetSystemLib/DxeResetSystemLib.inf
- SmmCorePlatformHookLib|MdeModulePkg/Library/SmmCorePlatformHookLibNull/SmmCorePlatformHookLibNull.inf
- MemoryAllocationLib|MdeModulePkg/Library/PiSmmCoreMemoryAllocationLib/PiSmmCoreMemoryAllocationLib.inf
- ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
- HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
- SmmMemLib|MdePkg/Library/SmmMemLib/SmmMemLib.inf
- SmmServicesTableLib|MdeModulePkg/Library/PiSmmCoreSmmServicesTableLib/PiSmmCoreSmmServicesTableLib.inf
-!ifdef $(DEBUG_ON_SERIAL_PORT)
- DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
-!else
- DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
-!endif
- PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
-
################################################################################
#
# Pcd Section - list of all EDK II PCD Entries defined by this Platform.
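Review bot: with [LibraryClasses.common.DXE_SMM_DRIVER] and [LibraryClasses.common.SMM_CORE] gone, any [Components] entry still built as DXE_SMM_DRIVER or SMM_CORE, or any SMM_REQUIRE-style conditional that names one, would fail library-class resolution; the [Components] section is not in this hunk, so a full AmdSevX64 build should be cited in the commit message as confirmation. Dropping the sections is consistent with this platform, where the hypervisor is untrusted and no SMM handler runs inside the guest, so no SMM-specific link alignment or library mapping is needed.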
diff --git a/OvmfPkg/AmdSev/AmdSevX64.fdf b/OvmfPkg/AmdSev/AmdSevX64.fdf
index 56626098862c..804ad4e2bb6b 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.fdf
+++ b/OvmfPkg/AmdSev/AmdSevX64.fdf
@@ -445,18 +445,3 @@ [Rule.Common.SEC.RESET_VECTOR]
FILE RAW = $(NAMED_GUID) {
RAW BIN Align = 16 |.bin
}
-
-[Rule.Common.SMM_CORE]
- FILE SMM_CORE = $(NAMED_GUID) {
- PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi
- UI STRING="$(MODULE_NAME)" Optional
- VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
- }
-
-[Rule.Common.DXE_SMM_DRIVER]
- FILE SMM = $(NAMED_GUID) {
- SMM_DEPEX SMM_DEPEX Optional $(INF_OUTPUT)/$(MODULE_NAME).depex
- PE32 PE32 $(INF_OUTPUT)/$(MODULE_NAME).efi
- UI STRING="$(MODULE_NAME)" Optional
- VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
- }


Event: TianoCore Community Meeting - EMEA / NAMO - 11/04/2021 #cal-reminder

devel@edk2.groups.io Calendar <noreply@...>
 

Reminder: TianoCore Community Meeting - EMEA / NAMO

When:
11/04/2021
9:00am to 10:00am
(UTC-07:00) America/Los Angeles

Where:
https://teams.microsoft.com/l/meetup-join/19%3ameeting_N2UyMTVhZjUtOTk3Ni00MmI0LTg0NmItNzIwYTkyMGJhYzNh%40thread.v2/0?context=%7b%22Tid%22%3a%2246c98d88-e344-4ed4-8496-4ed7712e255d%22%2c%22Oid%22%3a%22b286b53a-1218-4db3-bfc9-3d4c5aa7669e%22%7d

Organizer: Soumya Guptha


Description:

Microsoft Teams meeting

Join on your computer or mobile app

Click here to join the meeting

Join with a video conferencing device

teams@...

Video Conference ID: 111 422 379 4

Alternate VTC dialing instructions

Or call in (audio only)

+1 916-245-6934,,482062805#   United States, Sacramento

Phone Conference ID: 482 062 805#




Re: [PATCH V3 14/29] UefiCpuPkg: Enable Tdx support in MpInitLib

Lendacky, Thomas
 

On 11/4/21 3:10 AM, Gerd Hoffmann wrote:
On Wed, Nov 03, 2021 at 12:57:37PM +0000, Xu, Min M wrote:
On November 3, 2021 2:09 PM, Gerd Hoffmann wrote:
+++ b/UefiCpuPkg/Library/MpInitLib/X64/IntelTdcall.nasm
@@ -0,0 +1,120 @@
+;--------------------------------------------------------------------
+----------
+;*
+;* Copyright (c) 2020 - 2021, Intel Corporation. All rights
+reserved.<BR>
+;* SPDX-License-Identifier: BSD-2-Clause-Patent
+;*
+;*
+;--------------------------------------------------------------------
+----------
+
+DEFAULT REL
+SECTION .text
+
+%macro tdcall 0
+ db 0x66,0x0f,0x01,0xcc
+%endmacro
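Review bot: the `db 0x66,0x0f,0x01,0xcc` inside `%macro tdcall` is a raw opcode sequence with no comment; add one line saying it encodes the TDCALL instruction for assemblers that lack the mnemonic, so a reader auditing the guest-to-VMM boundary can verify the bytes without a reference manual. An unannotated opcode blob also makes the duplication concern below worse, since each copy has to be re-verified independently.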
Hmm, could you just use TdxLib instead of bringing your own copy of the
assembler code?
My initial thought was to include TdxLib in the .dsc as little as
possible. For example, DxeMpInitLib is included in
OvmfPkg/Microvm/MicrovmX64.dsc. If TdxLib is used by DxeMpInitLib,
then it has to be included in MicrovmX64.dsc as well.
Hmm, yes. Adding a TdxLib dependency has its downsides indeed.

So I copy the assemble code in MpInitLib.
The problem with copying code is that long-term maintenance becomes
harder. When a bug is found you have to find and fix all the copies of
that code. That's why I strongly prefer to avoid code copy&paste.
Sometimes there is no easy way around creating a copy though.
Can't you create something in MdePkg/Library/Baselib and then use it everywhere it's needed?

Thanks,
Tom

take care,
Gerd
