Looks good. 
Reviewed-by: Rahul Kumar <rahul1.ku...@intel.com>

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Xu, Wei6
Sent: Monday, March 18, 2024 8:41 AM
To: devel@edk2.groups.io
Cc: Xu, Wei6 <wei6...@intel.com>; Kumar, Rahul R <rahul.r.ku...@intel.com>; 
Yao, Jiewen <jiewen....@intel.com>
Subject: [edk2-devel] [PATCH] SecurityPkg/Tcg2Config: Hide BIOS unsupported 
hash algorithm from UI

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4731

TCG2 configuration UI shows all the hash algorithms that TPM hardware supports 
in the checkbox. If user only selects one algorithm that is supported by TPM 
hardware but not supported by BIOS and uncheck the others, the 
SyncPcrAllocationsAndPcrMask in Tcg2Pei will not be able to decide a viable PCR 
to activate, then an assert occurs.

Add a check against PcdTcg2HashAlgorithmBitmap when deciding whether to suppress 
a hash algorithm checkbox, so that the user cannot select a hash algorithm that 
may cause an assert.

Cc: Rahul Kumar <rahul1.ku...@intel.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Signed-off-by: Wei6 Xu <wei6...@intel.com>
---
 SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c | 61 ++++++++++++++-------
 1 file changed, 41 insertions(+), 20 deletions(-)

diff --git a/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c 
b/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
index 6eb04c014448..39b639039525 100644
--- a/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
+++ b/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
@@ -722,33 +722,50 @@ FillBufferWithBootHashAlg (
 }
 
 /**
-  Set ConfigInfo according to TpmAlgHash.
+  Set ConfigInfo according to TpmAlgHash and BiosHashAlgBitmap.
 
   @param[in,out] Tcg2ConfigInfo       TCG2 config info.
   @param[in]     TpmAlgHash           TpmAlgHash.
+  @param[in]     BiosHashAlgBitmap    Bios Hash Algorithm Bitmap.
 
 **/
 VOID
 SetConfigInfo (
   IN OUT TCG2_CONFIGURATION_INFO  *Tcg2ConfigInfo,
-  IN UINT32                       TpmAlgHash
+  IN UINT32                       TpmAlgHash,
+  IN UINT32                       BiosHashAlgBitmap
   )
 {
   switch (TpmAlgHash) {
     case TPM_ALG_SHA1:
-      Tcg2ConfigInfo->Sha1Supported = TRUE;
+      if ((BiosHashAlgBitmap & HASH_ALG_SHA1) != 0) {
+        Tcg2ConfigInfo->Sha1Supported = TRUE;
+      }
+
       break;
     case TPM_ALG_SHA256:
-      Tcg2ConfigInfo->Sha256Supported = TRUE;
+      if ((BiosHashAlgBitmap & HASH_ALG_SHA256) != 0) {
+        Tcg2ConfigInfo->Sha256Supported = TRUE;
+      }
+
       break;
     case TPM_ALG_SHA384:
-      Tcg2ConfigInfo->Sha384Supported = TRUE;
+      if ((BiosHashAlgBitmap & HASH_ALG_SHA384) != 0) {
+        Tcg2ConfigInfo->Sha384Supported = TRUE;
+      }
+
       break;
     case TPM_ALG_SHA512:
-      Tcg2ConfigInfo->Sha512Supported = TRUE;
+      if ((BiosHashAlgBitmap & HASH_ALG_SHA512) != 0) {
+        Tcg2ConfigInfo->Sha512Supported = TRUE;
+      }
+
       break;
     case TPM_ALG_SM3_256:
-      Tcg2ConfigInfo->Sm3Supported = TRUE;
+      if ((BiosHashAlgBitmap & HASH_ALG_SM3_256) != 0) {
+        Tcg2ConfigInfo->Sm3Supported = TRUE;
+      }
+
       break;
   }
 }
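Review bot: The new `@param[in] BiosHashAlgBitmap` line in the SetConfigInfo header does not say which bit definitions the bitmap uses, nor that the `*Supported` flags now mean "supported by both the TPM and the BIOS" rather than "supported by the TPM". I would word it as `@param[in] BiosHashAlgBitmap  Bitmap of HASH_ALG_* bits the BIOS can hash with; an algorithm is marked supported only when its bit is set here.` and update the summary line to say the flags are the intersection of the two. The switch also has no `default`, so an unrecognized TpmAlgHash is silently ignored; adding `default:` with a `break;` and a short comment would make that intent explicit.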
@@ -809,16 +826,17 @@ InstallTcg2ConfigForm (
   IN OUT TCG2_CONFIG_PRIVATE_DATA  *PrivateData
   )
 {
-  EFI_STATUS                      Status;
-  EFI_HII_HANDLE                  HiiHandle;
-  EFI_HANDLE                      DriverHandle;
-  EFI_HII_CONFIG_ACCESS_PROTOCOL  *ConfigAccess;
-  UINTN                           Index;
-  TPML_PCR_SELECTION              Pcrs;
-  CHAR16                          TempBuffer[1024];
-  TCG2_CONFIGURATION_INFO         Tcg2ConfigInfo;
-  TPM2_PTP_INTERFACE_TYPE         TpmDeviceInterfaceDetected;
-  BOOLEAN                         IsCmdImp = FALSE;
+  EFI_STATUS                       Status;
+  EFI_HII_HANDLE                   HiiHandle;
+  EFI_HANDLE                       DriverHandle;
+  EFI_HII_CONFIG_ACCESS_PROTOCOL   *ConfigAccess;
+  UINTN                            Index;
+  TPML_PCR_SELECTION               Pcrs;
+  CHAR16                           TempBuffer[1024];
+  TCG2_CONFIGURATION_INFO          Tcg2ConfigInfo;
+  TPM2_PTP_INTERFACE_TYPE          TpmDeviceInterfaceDetected;
+  BOOLEAN                          IsCmdImp;
+  EFI_TCG2_EVENT_ALGORITHM_BITMAP  BiosHashAlgorithmBitmap;
 
   DriverHandle = NULL;
   ConfigAccess = &PrivateData->ConfigAccess;
@@ -879,6 +897,8 @@ InstallTcg2ConfigForm (
       break;
   }
 
+  BiosHashAlgorithmBitmap = PcdGet32 (PcdTcg2HashAlgorithmBitmap);
+
   ZeroMem (&Tcg2ConfigInfo, sizeof (Tcg2ConfigInfo));
   Status = Tpm2GetCapabilityPcrs (&Pcrs);
   if (EFI_ERROR (Status)) {
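Review bot: `BiosHashAlgorithmBitmap` is declared in the previous hunk as EFI_TCG2_EVENT_ALGORITHM_BITMAP, but it is loaded from `PcdGet32` here and later passed to SetConfigInfo's `UINT32 BiosHashAlgBitmap` parameter, where it is tested against HASH_ALG_* masks. The widths match, so this is a readability point only: declaring it as `UINT32  BiosHashAlgorithmBitmap;` would agree with both the producer and the consumer. A one-line comment above the assignment, such as `// Hash algorithms the BIOS can use; filters the TPM's PCR banks offered below.`, would also explain why the PCD is read before the capability query. The body of InstallTcg2ConfigForm starts and ends outside this hunk.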
@@ -897,20 +917,21 @@ InstallTcg2ConfigForm (
     TempBuffer[0] = 0;
     for (Index = 0; Index < Pcrs.count; Index++) {
       AppendBufferWithTpmAlgHash (TempBuffer, sizeof (TempBuffer), 
Pcrs.pcrSelections[Index].hash);
-      SetConfigInfo (&Tcg2ConfigInfo, Pcrs.pcrSelections[Index].hash);
+      SetConfigInfo (&Tcg2ConfigInfo, Pcrs.pcrSelections[Index].hash, 
+ BiosHashAlgorithmBitmap);
     }
 
     HiiSetString (PrivateData->HiiHandle, STRING_TOKEN 
(STR_TPM2_SUPPORTED_HASH_ALGO_CONTENT), TempBuffer, NULL);
   }
 
-  Status = Tpm2GetCapabilityIsCommandImplemented (TPM_CC_ChangeEPS, &IsCmdImp);
+  IsCmdImp = FALSE;
+  Status   = Tpm2GetCapabilityIsCommandImplemented (TPM_CC_ChangeEPS, 
&IsCmdImp);
   if (EFI_ERROR (Status)) {
     DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityIsCmdImpl fails %r\n", Status));
   }
 
   Tcg2ConfigInfo.ChangeEPSSupported = IsCmdImp;
 
-  FillBufferWithBootHashAlg (TempBuffer, sizeof (TempBuffer), PcdGet32 
(PcdTcg2HashAlgorithmBitmap));
+  FillBufferWithBootHashAlg (TempBuffer, sizeof (TempBuffer), 
+ BiosHashAlgorithmBitmap);
   HiiSetString (PrivateData->HiiHandle, STRING_TOKEN 
(STR_BIOS_HASH_ALGO_CONTENT), TempBuffer, NULL);
 
   //
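Review bot: The BIOS-bitmap filter is applied only to what the setup form offers, at the `SetConfigInfo (...)` call inside the loop; per the commit description the assert itself is in SyncPcrAllocationsAndPcrMask in Tcg2Pei, which this patch does not touch. If the active PCR banks can be changed by any path other than this form (not visible in the hunk), the same state could presumably still be reached, so it is worth confirming that Tcg2Pei handles an empty TPM/BIOS intersection without asserting, with this UI change as the usability layer on top. I would also add a comment above the loop, `// Only offer banks that both the TPM and the BIOS support; Tcg2Pei cannot pick a PCR bank otherwise.`, because the string built by AppendBufferWithTpmAlgHash still lists every TPM bank while the checkboxes are now a subset. The body of InstallTcg2ConfigForm continues outside the hunk.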
--
2.29.2.windows.2







