SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation

According to TCG PP1.3 spec, error PCR bank allocation input should be rejected by Physical Presence. Firmware has to ensure that at least one PCR banks is active. Cc: Long Qin <[email protected]> Cc: Yao Jiewen <[email protected]> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Chao Zhang <[email protected]> Reviewed-by: Long Qin <[email protected]> Reviewed-by: Yao Jiewen <[email protected]>
freebsd · Jan 15, 2018 · d02a848 · d02a848
1 parent 2067d9f
commit d02a848
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
@@ -186,6 +186,18 @@ Tcg2ExecutePhysicalPresence (
     case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
       Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
       ASSERT_EFI_ERROR (Status);
+
+      //
+      // PP spec requirements:
+      //    Firmware should check that all requested (set) hashing algorithms are supported with respective PCR banks.
+      //    Firmware has to ensure that at least one PCR banks is active.
+      // If not, an error is returned and no action is taken.
+      //
+      if (CommandParameter == 0 || (CommandParameter & (~TpmHashAlgorithmBitmap)) != 0) {
+        DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by TPM. Skip operation\n", CommandParameter));
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+      }
+
       Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter);
       if (EFI_ERROR (Status)) {
         return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;