diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 5312de456b..553e9d22a9 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -95,6 +95,11 @@ MemLibWrapper|SecurityPkg/DeviceSecurity/OsStub/MemLibWrapper/MemLibWrapper.inf NULL|MdePkg/Library/StackCheckLibNull/StackCheckLibNull.inf # MU_CHANGE: /GS and -fstack-protector support + ## MU_CHANGE [BEGIN] - Measure Firmware Debugger Enabled + DeviceStateLib|MdeModulePkg/Library/DeviceStateLib/DeviceStateLib.inf + PanicLib|MdePkg/Library/BasePanicLibNull/BasePanicLibNull.inf + # MU_CHANGE [END] + [LibraryClasses.X64, LibraryClasses.IA32] Tcg2PreUefiEventLogLib|SecurityPkg/Library/Tcg2PreUefiEventLogLibNull/Tcg2PreUefiEventLogLibNull.inf ## MU_CHANGE diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c index 2b7181703f..968872063a 100644 --- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c +++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c @@ -50,6 +50,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent // MU_CHANGE [BEGIN] - Add the OemTpm2InitLib #include // MU_CHANGE [END] +// MU_CHANGE [BEGIN] - Measure Firmware Debugger Enabled +#include +#include +// MU_CHANGE [END] // #define PERF_ID_TCG2_DXE 0x3120 // MU_CHANGE @@ -2500,11 +2504,27 @@ MeasureSecureBootPolicy ( EFI_STATUS Status; VOID *Protocol; + DEVICE_STATE CurrentDeviceState; // MU_CHANGE - Measure Firmware Debugger Enabled + Status = gBS->LocateProtocol (&gEfiVariableWriteArchProtocolGuid, NULL, (VOID **)&Protocol); if (EFI_ERROR (Status)) { return; } + // MU_CHANGE [BEGIN] - Measure Firmware Debugger Enabled + CurrentDeviceState = GetDeviceState (); + + if ((CurrentDeviceState & DEVICE_STATE_SOURCE_DEBUG_ENABLED) != 0) { + Status = MeasureLaunchOfFirmwareDebugger (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Failed to measure Firmware Debugger Enabled!\n")); + PanicReport (__FILE__, __LINE__, "Failed to measure Firmware Debugger Enabled!\n"); + return; + } + } + + // MU_CHANGE [END] + if (PcdGetBool (PcdFirmwareDebuggerInitialized)) { Status = MeasureLaunchOfFirmwareDebugger (); DEBUG ((DEBUG_INFO, "MeasureLaunchOfFirmwareDebugger - %r\n", Status)); diff --git a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf index 06304be77e..c359ade3f8 100644 --- a/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf +++ b/SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf @@ -71,6 +71,10 @@ OemTpm2InitLib ## MU_CHANGE [END] PcdLib # MU_CHANGE + ## MU_CHANGE [BEGIN] - Measure Firmware Debugger Enabled + DeviceStateLib + PanicLib + ## MU_CHANGE [END] [Guids] ## SOMETIMES_CONSUMES ## Variable:L"SecureBoot" diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c index 771b7e604b..4029944262 100644 --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.c @@ -50,6 +50,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent // MU_CHANGE [BEGIN] - Move to 256-bit PCRs. #include // MU_CHANGE [END] +// MU_CHANGE [BEGIN] - Measure DebugEnabled and Insecure Device State into PCR7 +#include +#include +// MU_CHANGE [END] #define PERF_ID_TCG2_PEI 0x3080 typedef struct { @@ -644,6 +648,39 @@ MeasureCRTMVersion ( ); } +// MU_CHANGE [BEGIN] - Measure Firmware Debugger Enabled + +/** + Measure and log firmware debugger enabled, and extend the measurement result into a specific PCR. + + @retval EFI_SUCCESS Operation completed successfully. + @retval EFI_OUT_OF_RESOURCES Out of memory. + @retval EFI_DEVICE_ERROR The operation was unsuccessful. +**/ +EFI_STATUS +MeasureFirmwareDebuggerEnabled ( + VOID + ) +{ + TCG_PCR_EVENT_HDR TcgEventHdr; + + TcgEventHdr.PCRIndex = 7; + TcgEventHdr.EventType = EV_EFI_ACTION; + TcgEventHdr.EventSize = sizeof (FIRMWARE_DEBUGGER_EVENT_STRING) - 1; + + DEBUG ((DEBUG_INFO, "Measuring Device State: Firmware Debugger Enabled\n")); + return HashLogExtendEvent ( + &mEdkiiTcgPpi, + 0, + (UINT8 *)FIRMWARE_DEBUGGER_EVENT_STRING, + sizeof (FIRMWARE_DEBUGGER_EVENT_STRING) - 1, + &TcgEventHdr, + (UINT8 *)FIRMWARE_DEBUGGER_EVENT_STRING + ); +} + +// MU_CHANGE [END] + /** Get the FvName from the FV header. @@ -1062,6 +1099,8 @@ PeimEntryMP ( { EFI_STATUS Status; + DEVICE_STATE CurrentDeviceState; // MU_CHANGE - Measure Firmware Debugger Enabled + // // install Tcg Services // @@ -1073,6 +1112,20 @@ PeimEntryMP ( CreateTcg2PreUefiEventLogEntries (); // MU_CHANGE [END] + // MU_CHANGE [BEGIN] - Measure Firmware Debugger Enabled + CurrentDeviceState = GetDeviceState (); + + if ((CurrentDeviceState & DEVICE_STATE_SOURCE_DEBUG_ENABLED) != 0) { + Status = MeasureFirmwareDebuggerEnabled (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Failed to measure Firmware Debugger Enabled!\n")); + PanicReport (__FILE__, __LINE__, "Failed to measure Firmware Debugger Enabled!\n"); + return Status; + } + } + + // MU_CHANGE [END] + if (PcdGet8 (PcdTpm2ScrtmPolicy) == 1) { Status = MeasureCRTMVersion (); } diff --git a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf index 8bea3aaf39..b75d4f6eba 100644 --- a/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf +++ b/SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf @@ -64,6 +64,10 @@ Tcg2PreUefiEventLogLib ## MU_CHANGE [END] + ## MU_CHANGE [BEGIN] - Measure Firmware Debugger Enabled + DeviceStateLib + PanicLib + ## MU_CHANGE [END] [Guids] gTcgEventEntryHobGuid ## PRODUCES ## HOB gTpmErrorHobGuid ## SOMETIMES_PRODUCES ## HOB