From 26af0cb6c379add26a39526ac0b86ddab684bcff Mon Sep 17 00:00:00 2001
From: lijunwei
Date: Thu, 11 Apr 2024 18:07:19 +0800
Subject: [PATCH] Hide BIOS unsupported hash algorithm from UI
---
...Config-Hide-BIOS-unsupported-hash-al.patch | 153 ++++++++++++++++++
edk2.spec | 6 +-
2 files changed, 158 insertions(+), 1 deletion(-)
create mode 100644 0040-SecurityPkg-Tcg2Config-Hide-BIOS-unsupported-hash-al.patch
diff --git a/0040-SecurityPkg-Tcg2Config-Hide-BIOS-unsupported-hash-al.patch b/0040-SecurityPkg-Tcg2Config-Hide-BIOS-unsupported-hash-al.patch
new file mode 100644
index 0000000..ca82c39
--- /dev/null
+++ b/0040-SecurityPkg-Tcg2Config-Hide-BIOS-unsupported-hash-al.patch
@@ -0,0 +1,153 @@
+From f527f4d3532f7e6d03e9e00775331278de5f5ad3 Mon Sep 17 00:00:00 2001
+From: Wei6 Xu
+Date: Mon, 18 Mar 2024 16:12:50 +0800
+Subject: [PATCH] SecurityPkg/Tcg2Config: Hide BIOS unsupported hash algorithm
+ from UI
+
+REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4731
+
+TCG2 configuration UI shows all the hash algorithms that TPM hardware
+supports in the checkbox. If user only selects one algorithm that is
+supported by TPM hardware but not supported by BIOS and uncheck the
+others, the SyncPcrAllocationsAndPcrMask in Tcg2Pei will not be able
+to decide a viable PCR to activate, then an assert occurs.
+
+Add check against PcdTcg2HashAlgorithmBitmap when deciding whether
+to suppress the hash algorithm checkbox to avoid user to select the
+hash algorithm which may cause an assert.
+
+Cc: Rahul Kumar
+Cc: Jiewen Yao
+Signed-off-by: Wei6 Xu
+Reviewed-by: Rahul Kumar
+---
+ SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c | 61 ++++++++++++++-------
+ 1 file changed, 41 insertions(+), 20 deletions(-)
+
+diff --git a/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c b/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
+index 6eb04c0144..39b6390395 100644
+--- a/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
++++ b/SecurityPkg/Tcg/Tcg2Config/Tcg2ConfigImpl.c
+@@ -722,33 +722,50 @@ FillBufferWithBootHashAlg (
+ }
+
+ /**
+- Set ConfigInfo according to TpmAlgHash.
++ Set ConfigInfo according to TpmAlgHash and BiosHashAlgBitmap.
+
+ @param[in,out] Tcg2ConfigInfo TCG2 config info.
+ @param[in] TpmAlgHash TpmAlgHash.
++ @param[in] BiosHashAlgBitmap Bios Hash Algorithm Bitmap.
+
+ **/
+ VOID
+ SetConfigInfo (
+ IN OUT TCG2_CONFIGURATION_INFO *Tcg2ConfigInfo,
+- IN UINT32 TpmAlgHash
++ IN UINT32 TpmAlgHash,
++ IN UINT32 BiosHashAlgBitmap
+ )
+ {
+ switch (TpmAlgHash) {
+ case TPM_ALG_SHA1:
+- Tcg2ConfigInfo->Sha1Supported = TRUE;
++ if ((BiosHashAlgBitmap & HASH_ALG_SHA1) != 0) {
++ Tcg2ConfigInfo->Sha1Supported = TRUE;
++ }
++
+ break;
+ case TPM_ALG_SHA256:
+- Tcg2ConfigInfo->Sha256Supported = TRUE;
++ if ((BiosHashAlgBitmap & HASH_ALG_SHA256) != 0) {
++ Tcg2ConfigInfo->Sha256Supported = TRUE;
++ }
++
+ break;
+ case TPM_ALG_SHA384:
+- Tcg2ConfigInfo->Sha384Supported = TRUE;
++ if ((BiosHashAlgBitmap & HASH_ALG_SHA384) != 0) {
++ Tcg2ConfigInfo->Sha384Supported = TRUE;
++ }
++
+ break;
+ case TPM_ALG_SHA512:
+- Tcg2ConfigInfo->Sha512Supported = TRUE;
++ if ((BiosHashAlgBitmap & HASH_ALG_SHA512) != 0) {
++ Tcg2ConfigInfo->Sha512Supported = TRUE;
++ }
++
+ break;
+ case TPM_ALG_SM3_256:
+- Tcg2ConfigInfo->Sm3Supported = TRUE;
++ if ((BiosHashAlgBitmap & HASH_ALG_SM3_256) != 0) {
++ Tcg2ConfigInfo->Sm3Supported = TRUE;
++ }
++
+ break;
+ }
+ }
+@@ -809,16 +826,17 @@ InstallTcg2ConfigForm (
+ IN OUT TCG2_CONFIG_PRIVATE_DATA *PrivateData
+ )
+ {
+- EFI_STATUS Status;
+- EFI_HII_HANDLE HiiHandle;
+- EFI_HANDLE DriverHandle;
+- EFI_HII_CONFIG_ACCESS_PROTOCOL *ConfigAccess;
+- UINTN Index;
+- TPML_PCR_SELECTION Pcrs;
+- CHAR16 TempBuffer[1024];
+- TCG2_CONFIGURATION_INFO Tcg2ConfigInfo;
+- TPM2_PTP_INTERFACE_TYPE TpmDeviceInterfaceDetected;
+- BOOLEAN IsCmdImp = FALSE;
++ EFI_STATUS Status;
++ EFI_HII_HANDLE HiiHandle;
++ EFI_HANDLE DriverHandle;
++ EFI_HII_CONFIG_ACCESS_PROTOCOL *ConfigAccess;
++ UINTN Index;
++ TPML_PCR_SELECTION Pcrs;
++ CHAR16 TempBuffer[1024];
++ TCG2_CONFIGURATION_INFO Tcg2ConfigInfo;
++ TPM2_PTP_INTERFACE_TYPE TpmDeviceInterfaceDetected;
++ BOOLEAN IsCmdImp;
++ EFI_TCG2_EVENT_ALGORITHM_BITMAP BiosHashAlgorithmBitmap;
+
+ DriverHandle = NULL;
+ ConfigAccess = &PrivateData->ConfigAccess;
+@@ -879,6 +897,8 @@ InstallTcg2ConfigForm (
+ break;
+ }
+
++ BiosHashAlgorithmBitmap = PcdGet32 (PcdTcg2HashAlgorithmBitmap);
++
+ ZeroMem (&Tcg2ConfigInfo, sizeof (Tcg2ConfigInfo));
+ Status = Tpm2GetCapabilityPcrs (&Pcrs);
+ if (EFI_ERROR (Status)) {
+@@ -897,20 +917,21 @@ InstallTcg2ConfigForm (
+ TempBuffer[0] = 0;
+ for (Index = 0; Index < Pcrs.count; Index++) {
+ AppendBufferWithTpmAlgHash (TempBuffer, sizeof (TempBuffer), Pcrs.pcrSelections[Index].hash);
+- SetConfigInfo (&Tcg2ConfigInfo, Pcrs.pcrSelections[Index].hash);
++ SetConfigInfo (&Tcg2ConfigInfo, Pcrs.pcrSelections[Index].hash, BiosHashAlgorithmBitmap);
+ }
+
+ HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_TPM2_SUPPORTED_HASH_ALGO_CONTENT), TempBuffer, NULL);
+ }
+
+- Status = Tpm2GetCapabilityIsCommandImplemented (TPM_CC_ChangeEPS, &IsCmdImp);
++ IsCmdImp = FALSE;
++ Status = Tpm2GetCapabilityIsCommandImplemented (TPM_CC_ChangeEPS, &IsCmdImp);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityIsCmdImpl fails %r\n", Status));
+ }
+
+ Tcg2ConfigInfo.ChangeEPSSupported = IsCmdImp;
+
+- FillBufferWithBootHashAlg (TempBuffer, sizeof (TempBuffer), PcdGet32 (PcdTcg2HashAlgorithmBitmap));
++ FillBufferWithBootHashAlg (TempBuffer, sizeof (TempBuffer), BiosHashAlgorithmBitmap);
+ HiiSetString (PrivateData->HiiHandle, STRING_TOKEN (STR_BIOS_HASH_ALGO_CONTENT), TempBuffer, NULL);
+
+ //
+--
+2.20.1
+
diff --git a/edk2.spec b/edk2.spec
index ec38354..28c25ab 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -7,7 +7,7 @@ Name: edk2
Version: %{stable_date}
-Release: 5
+Release: 6
Summary: EFI Development Kit II
License: BSD-2-Clause-Patent and OpenSSL and MIT
URL: https://github.com/tianocore/edk2
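Review bot: In `SetConfigInfo` the new `(BiosHashAlgBitmap & HASH_ALG_*) != 0` guards only decide whether a checkbox is offered, so the `SyncPcrAllocationsAndPcrMask` assert described in the message is avoided for selections made through this form, while a bank selection that reaches the consumer by any other route would presumably still hit it; the Tcg2Pei side (outside this patch) should validate the requested banks against `PcdTcg2HashAlgorithmBitmap` instead of asserting. The added `@param[in] BiosHashAlgBitmap Bios Hash Algorithm Bitmap.` restates the parameter name; `@param[in] BiosHashAlgBitmap Bitmap of HASH_ALG_* bits the firmware can compute (PcdTcg2HashAlgorithmBitmap); a TPM bank is marked supported only when its bit is also set here.` would state the intersection the function now implements. The rewritten `switch (TpmAlgHash)` still has no `default:` branch, so a TPM bank using an algorithm outside the five cases is silently left unsupported; a `default: break;` with a one-line comment would record that as intended. `SetConfigInfo` is shown in full, but `InstallTcg2ConfigForm` begins and ends outside the hunks that modify it.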
@@ -60,6 +60,7 @@ patch36: 0036-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Re.patch
patch37: 0037-NetworkPkg-Dhcp6Dxe-Removes-duplicate-check-and-repl.patch
patch38: 0038-NetworkPkg-Dhcp6Dxe-Packet-Length-is-not-updated-bef.patch
patch39: 0039-NetworkPkg-Updating-SecurityFixes.yaml.patch
+patch40: 0040-SecurityPkg-Tcg2Config-Hide-BIOS-unsupported-hash-al.patch
BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command isl
@@ -297,6 +298,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
%endif
%changelog
+* Thu Apr 11 2024 lijunwei - 202308-6
+- Hide BIOS unsupported hash algorithm from UI
+
* Thu Mar 7 2024 yexiao - 202308-5
- fix CVE-2023-45229、CVE-2023-45230、CVE-2023-45231、CVE-2023-45232、CVE-2023-45233、CVE-2023-45234、CVE-2023-45235
--
Gitee