diff --git a/SecurityPkg/Include/Library/Tcg2PreUefiEventLogLib.h b/SecurityPkg/Include/Library/Tcg2PreUefiEventLogLib.h new file mode 100644 index 0000000000..c738476add --- /dev/null +++ b/SecurityPkg/Include/Library/Tcg2PreUefiEventLogLib.h @@ -0,0 +1,23 @@ +/** @file -- Tcg2PreUefiEventLogLib.h + This describes the interface that should be published by instances of the + Tcg2PreUefiEventLogLib. This library can be used to publish TPM EventLog + entries for measurements that may have been made prior to driver + initialization. + +Copyright (c) Microsoft Corporation. +SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#ifndef TCG_2_PRE_UEFI_EVENT_LOG_LIB_H_ +#define TCG_2_PRE_UEFI_EVENT_LOG_LIB_H_ + +/** + Create the EventLog entries. +**/ +VOID +EFIAPI +CreateTcg2PreUefiEventLogEntries ( + VOID + ); + +#endif // TCG_2_PRE_UEFI_EVENT_LOG_LIB_H_ diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h b/SecurityPkg/Include/Library/Tpm2CommandLib.h index f423d0d0ba..ad8d08b048 100644 --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h @@ -1241,4 +1241,24 @@ Tpm2PcrReadForActiveBank ( OUT TPML_DIGEST *HashList ); +// MU_CHANGE [BEGIN] + +/** + Check if all hash algorithms supported in HashAlgorithmMask are + present in the DigestList. + + @param DigestList Digest list + @param HashAlgorithmMask Bitfield of allowed hash algorithms. + + @retval TRUE All hash algorithms present. + @retval FALSE Some hash algorithms not present. +**/ +BOOLEAN +IsDigestListInSyncWithHashAlgorithmMask ( + IN TPML_DIGEST_VALUES *DigestList, + IN UINT32 HashAlgorithmMask + ); + +// MU_CHANGE [END] + #endif diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c index dc11f38cb3..60e4095535 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -212,6 +212,25 @@ AuthVariableLibInitialize ( if (!EFI_ERROR (Status)) { if (mPlatformMode == USER_MODE) { SecureBootEnable = *(UINT8 *)Data; + // MU_CHANGE_173316 + // MU_CHANGE [BEGIN] - In our implementation, we do not allow SecureBootEnable to override mPlatformMode. + // If SecureBootEnable is FOUND and mPlatformMode is USER_MODE, ensure that + // SecureBootEnable == SECURE_BOOT_ENABLE. + if (SecureBootEnable == SECURE_BOOT_DISABLE) { + SecureBootEnable = SECURE_BOOT_ENABLE; + Status = AuthServiceInternalUpdateVariable ( + EFI_SECURE_BOOT_ENABLE_NAME, + &gEfiSecureBootEnableDisableGuid, + &SecureBootEnable, + sizeof (UINT8), + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS + ); + if (EFI_ERROR (Status)) { + return Status; + } + } + + // MU_CHANGE [END] } } else if (mPlatformMode == USER_MODE) { // diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c index 3e046604b1..198075cb19 100644 --- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c +++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c @@ -374,14 +374,19 @@ Tcg2UserConfirm ( IN UINT32 TpmPpCommandParameter ) { - CHAR16 *ConfirmText; - CHAR16 *TmpStr1; - CHAR16 *TmpStr2; - UINTN BufSize; - BOOLEAN CautionKey; - BOOLEAN NoPpiInfo; - UINT16 Index; - CHAR16 DstStr[81]; + CHAR16 *ConfirmText; + CHAR16 *TmpStr1; + CHAR16 *TmpStr2; + UINTN BufSize; + BOOLEAN CautionKey; + BOOLEAN NoPpiInfo; + // MU_CHANGE_70401 + // MU_CHANGE [BEGIN] - Add a boolean to track the results and remove temporary string buffer. + // We now hand the full string off to a helper function to display the user confirmation dialog. + BOOLEAN Result; + // UINT16 Index; + // CHAR16 DstStr[81]; + // MU_CHANGE [END] CHAR16 TempBuffer[1024]; CHAR16 TempBuffer2[1024]; EFI_TCG2_PROTOCOL *Tcg2Protocol; @@ -583,11 +588,14 @@ Tcg2UserConfirm ( BufSize -= StrSize (ConfirmText); UnicodeSPrint (ConfirmText + StrLen (ConfirmText), BufSize, TmpStr1, TmpStr2); - DstStr[80] = L'\0'; - for (Index = 0; Index < StrLen (ConfirmText); Index += 80) { - StrnCpyS (DstStr, sizeof (DstStr) / sizeof (CHAR16), ConfirmText + Index, sizeof (DstStr) / sizeof (CHAR16) - 1); - Print (DstStr); - } + // MU_CHANGE_70401 + // MU_CHANGE [BEGIN] - We now hand the full string off to a helper function to display the user confirmation dialog. + // DstStr[80] = L'\0'; + // for (Index = 0; Index < StrLen (ConfirmText); Index += 80) { + // StrnCpyS (DstStr, sizeof (DstStr) / sizeof (CHAR16), ConfirmText + Index, sizeof (DstStr) / sizeof (CHAR16) - 1); + // Print (DstStr); + // } + Result = PromptForUserConfirmation (ConfirmText); // JBB TODO: Alter EDKII to call out to a vendor function to do this. FreePool (TmpStr1); FreePool (TmpStr2); @@ -598,7 +606,9 @@ Tcg2UserConfirm ( // return TRUE; // } - return FALSE; + // return FALSE; + return Result; + // MU_CHANGE [END] } /** @@ -662,17 +672,28 @@ Tcg2HaveValidTpmRequest ( break; case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS: - if ((Flags.PPFlags & TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_PCRS) == 0) { - *RequestConfirmed = TRUE; + // MU_CHANGE_108842 + // MU_CHANGE [BEGIN] - Do not allow Flags to bypass confirmation in production mode. + + if (PcdGetBool (PcdDisallowPPIPersistentClearPermissions)) { + if ((Flags.PPFlags & TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_PCRS) == 0) { + *RequestConfirmed = TRUE; + } } + // MU_CHANGE [END] break; case TCG2_PHYSICAL_PRESENCE_CHANGE_EPS: - if ((Flags.PPFlags & TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_EPS) == 0) { - *RequestConfirmed = TRUE; + // MU_CHANGE_108842 + // MU_CHANGE [BEGIN] - Do not allow Flags to bypass confirmation in production mode. + if (PcdGetBool (PcdDisallowPPIPersistentClearPermissions)) { + if ((Flags.PPFlags & TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_EPS) == 0) { + *RequestConfirmed = TRUE; + } } + // MU_CHANGE [END] break; case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS: @@ -680,17 +701,27 @@ Tcg2HaveValidTpmRequest ( break; case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: - if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID) == 0) { - *RequestConfirmed = TRUE; + // MU_CHANGE_108842 + // MU_CHANGE [BEGIN] - Do not allow Flags to bypass confirmation in production mode. + if (PcdGetBool (PcdDisallowPPIPersistentClearPermissions)) { + if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID) == 0) { + *RequestConfirmed = TRUE; + } } + // MU_CHANGE [END] break; case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: - if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID) == 0) { - *RequestConfirmed = TRUE; + // MU_CHANGE_108842 + // MU_CHANGE [BEGIN] - Do not allow Flags to bypass confirmation in production mode. + if (PcdGetBool (PcdDisallowPPIPersistentClearPermissions)) { + if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID) == 0) { + *RequestConfirmed = TRUE; + } } + // MU_CHANGE [END] break; case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE: @@ -898,7 +929,7 @@ Tcg2ExecutePendingTpmRequest ( return; } - Print (L"Rebooting system to make TPM2 settings in effect\n"); + // Print (L"Rebooting system to make TPM2 settings in effect\n"); // MU_CHANGE gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); ASSERT (FALSE); } @@ -922,12 +953,16 @@ Tcg2PhysicalPresenceLibProcessRequest ( IN TPM2B_AUTH *PlatformAuth OPTIONAL ) { - EFI_STATUS Status; - UINTN DataSize; - EFI_TCG2_PHYSICAL_PRESENCE TcgPpData; - EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol; + EFI_STATUS Status; + UINTN DataSize; + EFI_TCG2_PHYSICAL_PRESENCE TcgPpData; + // EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol; // MU_CHANGE EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags; + // MU_CHANGE_212735 + // MU_CHANGE [BEGIN] + + /* // // This flags variable controls whether physical presence is required for TPM command. // It should be protected from malicious software. We set it as read-only variable here. @@ -952,6 +987,8 @@ Tcg2PhysicalPresenceLibProcessRequest ( DEBUG ((DEBUG_INFO, "S4 Resume, Skip TPM PP process!\n")); return; } + */ + // MU_CHANGE [END] // // Initialize physical presence flags. @@ -965,6 +1002,10 @@ Tcg2PhysicalPresenceLibProcessRequest ( &PpiFlags ); if (EFI_ERROR (Status)) { + // MU_CHANGE_212735 + // MU_CHANGE [BEGIN] + + /* PpiFlags.PPFlags = PcdGet32 (PcdTcg2PhysicalPresenceFlags); Status = gRT->SetVariable ( TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, @@ -977,8 +1018,11 @@ Tcg2PhysicalPresenceLibProcessRequest ( DEBUG ((DEBUG_ERROR, "[TPM2] Set physical presence flag failed, Status = %r\n", Status)); return; } - DEBUG ((DEBUG_INFO, "[TPM2] Initial physical presence flags value is 0x%x\n", PpiFlags.PPFlags)); + */ + + return; + // MU_CHANGE [END] } // @@ -994,6 +1038,11 @@ Tcg2PhysicalPresenceLibProcessRequest ( ); if (EFI_ERROR (Status)) { ZeroMem ((VOID *)&TcgPpData, sizeof (TcgPpData)); + // MU_CHANGE_212735 + // MU_CHANGE [BEGIN] + + /* + ZeroMem ((VOID*)&TcgPpData, sizeof (TcgPpData)); DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE); Status = gRT->SetVariable ( TCG2_PHYSICAL_PRESENCE_VARIABLE, @@ -1006,6 +1055,10 @@ Tcg2PhysicalPresenceLibProcessRequest ( DEBUG ((DEBUG_ERROR, "[TPM2] Set physical presence variable failed, Status = %r\n", Status)); return; } + */ + + return; + // MU_CHANGE [END] } DEBUG ((DEBUG_INFO, "[TPM2] Flags=%x, PPRequest=%x (LastPPRequest=%x)\n", PpiFlags.PPFlags, TcgPpData.PPRequest, TcgPpData.LastPPRequest)); diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf index 1653de0d96..2a899ab783 100644 --- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf +++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf @@ -58,6 +58,7 @@ [Pcd] gEfiSecurityPkgTokenSpaceGuid.PcdTcg2PhysicalPresenceFlags ## SOMETIMES_CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdDisallowPPIPersistentClearPermissions ## CONSUMES # MU_CHANGE 108842 [Guids] ## SOMETIMES_CONSUMES ## HII diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/PhysicalPresenceStrings.uni b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/PhysicalPresenceStrings.uni index 765a7b3bb2..8e14e7a042 100644 --- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/PhysicalPresenceStrings.uni +++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/PhysicalPresenceStrings.uni @@ -12,8 +12,18 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #string TPM_PPI_HEAD_STR #language en-US "A configuration change was requested to allow the Operating System to %s the computer's TPM (Trusted Platform Module) without asking for user confirmation in the future.\n\n" #string TPM_ACCEPT_KEY #language en-US "Press F10 " -#string TPM_CAUTION_KEY #language en-US "Press F12 " -#string TPM_REJECT_KEY #language en-US "to %s the TPM \nPress ESC to reject this change request and continue\n" + +/** +MU_CHANGE_70401 +MU_CHANGE [BEGIN] - Alter the strings to reflect the new dialog box. +**/ +#string TPM_CAUTION_KEY #language en-US "Press OK " +#string TPM_REJECT_KEY #language en-US "to %s the TPM \nPress CANCEL to reject this change request and continue\n" +// #string TPM_CAUTION_KEY #language en-US "Press F12 " +// #string TPM_REJECT_KEY #language en-US "to %s the TPM \nPress ESC to reject this change request and continue\n" +/** +MU_CHANGE [END] +**/ #string TPM_ENABLE #language en-US "enable" #string TPM_DISABLE #language en-US "disable" diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceMinimumLib/DxeTcg2PhysicalPresenceMinimumLib.inf b/SecurityPkg/Library/DxeTcg2PhysicalPresenceMinimumLib/DxeTcg2PhysicalPresenceMinimumLib.inf index 83604fa3ab..89b0d4b66a 100644 --- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceMinimumLib/DxeTcg2PhysicalPresenceMinimumLib.inf +++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceMinimumLib/DxeTcg2PhysicalPresenceMinimumLib.inf @@ -8,8 +8,7 @@ # SPDX-License-Identifier: BSD-2-Clause-Patent # ## - -#Override : 00000002 | SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf | 6205753f2abf9126f2711c5f154f9f99 | 2024-07-24T18-06-30 | 69ff4b6fc889c8e66101cad3dcf8be3d516e038d +#Override : 00000002 | SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf | 9755efb1cbfd445f85b13fac552bcadc| 2024-07-24T18-06-30 | 69ff4b6fc889c8e66101cad3dcf8be3d516e038d # This is not a true override, but spell changes to ensure mu_tiano_plus passes CI is required and changes the hash. [Defines] diff --git a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/MmTcg2PhysicalPresenceLibCommon.c b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/MmTcg2PhysicalPresenceLibCommon.c index f2ab4f1250..248b2df2af 100644 --- a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/MmTcg2PhysicalPresenceLibCommon.c +++ b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/MmTcg2PhysicalPresenceLibCommon.c @@ -128,6 +128,21 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunctionEx ( goto EXIT; } + // MU_CHANGE_108842 + // MSChange [BEGIN] - Do not allow the PPI flags (persistent clear permission) request in ship mode. + if (PcdGetBool (PcdDisallowPPIPersistentClearPermissions)) { + if ((*OperationRequest == TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_CHANGE_PCRS_FALSE) || + (*OperationRequest == TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_CHANGE_EPS_FALSE) || + (*OperationRequest == TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_TURN_OFF_FALSE)) + { + DEBUG ((DEBUG_ERROR, "[TPM2] Refusing to process PPI flags request in production!\n")); + ReturnCode = TCG_PP_SUBMIT_REQUEST_TO_PREOS_BLOCKED_BY_BIOS_SETTINGS; + goto EXIT; + } + } + + // MU_CHANGE [END] + if ((*OperationRequest > TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) && (*OperationRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN)) { diff --git a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf index d911adbdb6..71078d6162 100644 --- a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf +++ b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.inf @@ -53,6 +53,7 @@ [Pcd] gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer ## CONSUMES gEfiSecurityPkgTokenSpaceGuid.PcdTcg2PhysicalPresenceFlags ## SOMETIMES_CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdDisallowPPIPersistentClearPermissions ## CONSUMES # MU_CHANGE 108842 [Depex] gEfiSmmVariableProtocolGuid diff --git a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/StandaloneMmTcg2PhysicalPresenceLib.inf b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/StandaloneMmTcg2PhysicalPresenceLib.inf index 6d11b6b9f1..af5a8b8ff8 100644 --- a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/StandaloneMmTcg2PhysicalPresenceLib.inf +++ b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/StandaloneMmTcg2PhysicalPresenceLib.inf @@ -57,6 +57,7 @@ [Pcd] gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer ## CONSUMES gEfiSecurityPkgTokenSpaceGuid.PcdTcg2PhysicalPresenceFlags ## SOMETIMES_CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdDisallowPPIPersistentClearPermissions ## CONSUMES # MU_CHANGE 108842 [Depex] gEfiSmmVariableProtocolGuid diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c index 78f428c514..98e3f0574b 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c @@ -246,6 +246,87 @@ IsHashAlgSupportedInHashAlgorithmMask ( return FALSE; } +// MU_CHANGE [BEGIN] + +/** + Check if DigestList has an entry for HashAlg. + + @param DigestList Digest list. + @param HashAlg Hash algorithm id. + + @retval TRUE Match found. + @retval FALSE No match found. +**/ +BOOLEAN +CheckDigestListForHashAlg ( + IN TPML_DIGEST_VALUES *DigestList, + IN TPM_ALG_ID HashAlg + ) +{ + UINT32 Index; + + for (Index = 0; Index < DigestList->count; Index++) { + if (DigestList->digests[Index].hashAlg == HashAlg) { + DEBUG ((DEBUG_INFO, "Hash alg 0x%x found in DigestList.\n", HashAlg)); + return TRUE; + } + } + + DEBUG ((DEBUG_INFO, "Hash alg 0x%x not found in DigestList.\n", HashAlg)); + return FALSE; +} + +/** + Check if all hash algorithms supported in HashAlgorithmMask are + present in the DigestList. + + @param DigestList Digest list. + @param HashAlgorithmMask Bitfield of allowed hash algorithms. + + @retval TRUE All hash algorithms present. + @retval FALSE Some hash algorithms not present. +**/ +BOOLEAN +IsDigestListInSyncWithHashAlgorithmMask ( + IN TPML_DIGEST_VALUES *DigestList, + IN UINT32 HashAlgorithmMask + ) +{ + if ((HashAlgorithmMask & HASH_ALG_SHA1) != 0) { + if (!CheckDigestListForHashAlg (DigestList, TPM_ALG_SHA1)) { + return FALSE; + } + } + + if ((HashAlgorithmMask & HASH_ALG_SHA256) != 0) { + if (!CheckDigestListForHashAlg (DigestList, TPM_ALG_SHA256)) { + return FALSE; + } + } + + if ((HashAlgorithmMask & HASH_ALG_SHA384) != 0) { + if (!CheckDigestListForHashAlg (DigestList, TPM_ALG_SHA384)) { + return FALSE; + } + } + + if ((HashAlgorithmMask & HASH_ALG_SHA512) != 0) { + if (!CheckDigestListForHashAlg (DigestList, TPM_ALG_SHA512)) { + return FALSE; + } + } + + if ((HashAlgorithmMask & HASH_ALG_SM3_256) != 0) { + if (!CheckDigestListForHashAlg (DigestList, TPM_ALG_SM3_256)) { + return FALSE; + } + } + + return TRUE; +} + +// MU_CHANGE [END] + /** Copy TPML_DIGEST_VALUES into a buffer diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 3dfb8d3172..7926b70742 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -666,5 +666,12 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdEnforceSelfsignedPk|FALSE|BOOLEAN|0x00010024 # MU_CHANGE [END] +# MU_CHANGE [BEGIN] - 108842 + ## Disallow persistent clear permissions for PPI flags + # TRUE - Flags disabled - permission disallowed + # FALSE - Flags enabled - permission allowed + gEfiSecurityPkgTokenSpaceGuid.PcdDisallowPPIPersistentClearPermissions|TRUE|BOOLEAN|0x00010028 +## MU_CHANGE [END] + [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index b8266e3b43..5312de456b 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -268,12 +268,16 @@ SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf # MU_CHANGE [BEGIN] - SecurityPkg/Library/OemTpm2InitLibNull/OemTpm2InitLib.inf - SecurityPkg/Library/OemTpm2InitLibNull/OemTpm2InitLibVendorNull.inf SecurityPkg/Library/BaseHash2CryptoLibNull/BaseHash2CryptoLibNull.inf SecurityPkg/Library/DxeHash2CryptoLib/DxeHash2CryptoLib.inf + SecurityPkg/Library/OemTpm2InitLibNull/OemTpm2InitLib.inf + SecurityPkg/Library/OemTpm2InitLibNull/OemTpm2InitLibVendorNull.inf SecurityPkg/Library/Tpm2DebugLib/Tpm2DebugLibSimple.inf SecurityPkg/Library/Tpm2DebugLib/Tpm2DebugLibVerbose.inf + SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf + SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf + SecurityPkg/Library/TcgPpVendorLibNull/TcgPpVendorLibNull.inf SecurityPkg/Library/Tpm2DebugLib/Tpm2DebugLibNull.inf SecurityPkg/Library/Tcg2PhysicalPresencePromptLib/Tcg2PhysicalPresencePromptLibConsole.inf SecurityPkg/Library/Tcg2PreUefiEventLogLibNull/Tcg2PreUefiEventLogLibNull.inf diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c index 3ff42e09d5..f1f0bd47d7 100644 --- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c +++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c @@ -2912,6 +2912,7 @@ DriverEntry ( // Get supported PCR and current Active PCRs // Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePCRBanks); + DEBUG ((DEBUG_INFO, "TpmHashAlgorithmBitmap = 0x%X, ActivePCRBanks = 0x%X\n", TpmHashAlgorithmBitmap, ActivePCRBanks)); // MU_CHANGE ASSERT_EFI_ERROR (Status); mTcgDxeData.BsCap.HashAlgorithmBitmap = TpmHashAlgorithmBitmap & PcdGet32 (PcdTcg2HashAlgorithmBitmap); diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c index 459abd81b3..771b7e604b 100644 --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c @@ -46,6 +46,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent // MU_CHANGE [BEGIN] - Add the OemTpm2InitLib #include // MU_CHANGE [END] +// MU_CHANGE_131467 +// MU_CHANGE [BEGIN] - Move to 256-bit PCRs. +#include +// MU_CHANGE [END] #define PERF_ID_TCG2_PEI 0x3080 typedef struct { @@ -355,7 +359,14 @@ SyncPcrAllocationsAndPcrMask ( // Determine the current TPM support and the Platform PCR mask. // Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &TpmActivePcrBanks); - ASSERT_EFI_ERROR (Status); + // MU_CHANGE [BEGIN] + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a - Failed to determine TPM capabilities!\n", __func__)); + ASSERT_EFI_ERROR (Status); + return; + } + + // MU_CHANGE [END] Tpm2PcrMask = PcdGet32 (PcdTpm2HashMask); if (Tpm2PcrMask == 0) { @@ -1057,6 +1068,11 @@ PeimEntryMP ( Status = PeiServicesInstallPpi (&mTcgPpiList); ASSERT_EFI_ERROR (Status); + // MU_CHANGE_103691 + // MU_CHANGE [BEGIN] - Add support for measurements extended before Tcg2 stack is available. + CreateTcg2PreUefiEventLogEntries (); + // MU_CHANGE [END] + if (PcdGet8 (PcdTpm2ScrtmPolicy) == 1) { Status = MeasureCRTMVersion (); } @@ -1188,6 +1204,11 @@ PeimEntryMA ( } if (EFI_ERROR (Status)) { + // MU_CHANGE_58957 + // MU_CHANGE [BEGIN] - Make sure that TPM2_Startup() can report an error. + DEBUG ((DEBUG_ERROR, "Tcg2Pei::%a - TPM failed Startup!\n", __func__)); + ASSERT_EFI_ERROR (Status); + // MU_CHANGE [END] goto Done; } } @@ -1220,6 +1241,10 @@ PeimEntryMA ( if (PcdGet8 (PcdTpm2SelfTestPolicy) == 1) { Status = Tpm2SelfTest (NO); if (EFI_ERROR (Status)) { + // MU_CHANGE_58957 + // MU_CHANGE [BEGIN] - Make sure that TPM2_Startup() can report an error. + DEBUG ((DEBUG_ERROR, "Tcg2Pei::%a - TPM failed Startup!\n", __func__)); + // MU_CHANGE [END] goto Done; } }