From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by mx.groups.io with SMTP id smtpd.web09.809.1573773417877161366 for ; Thu, 14 Nov 2019 15:16:58 -0800
Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.24, mailfrom: nathaniel.l.desimone@intel.com)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Nov 2019 15:16:54 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.68,306,1569308400"; d="scan'208";a="195202430"
Received: from orsmsx110.amr.corp.intel.com ([10.22.240.8]) by orsmga007.jf.intel.com with ESMTP; 14 Nov 2019 15:16:54 -0800
Received: from orsmsx114.amr.corp.intel.com ([169.254.8.67]) by ORSMSX110.amr.corp.intel.com ([169.254.10.52]) with mapi id 14.03.0439.000; Thu, 14 Nov 2019 15:16:54 -0800
From: "Nate DeSimone"
To: "Gonzalez Del Cueto, Rodrigo" , "devel@edk2.groups.io"
CC: "Kubacki, Michael A" , "Chiu, Chasel" , "Gao, Liming"
Subject: Re: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy
Thread-Topic: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy
Thread-Index: AQHVmy88JZfdLOF+GEWpplBUS1++/6eLTKpQ
Date: Thu, 14 Nov 2019 23:16:53 +0000
Message-ID: <02A34F284D1DA44BB705E61F7180EF0AB5BD200E@ORSMSX114.amr.corp.intel.com>
References: <20191114210510.1736-1-rodrigo.gonzalez.del.cueto@intel.com> <20191114210510.1736-2-rodrigo.gonzalez.del.cueto@intel.com>
In-Reply-To: <20191114210510.1736-2-rodrigo.gonzalez.del.cueto@intel.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiMGU0MDlmYWMtNTRhMS00MDAxLThhMmMtMTUxMmQ5YmE3OTJiIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiMDdnampPelU4Vm1zaXl2ZHE3SGtHNFh1U1lQSmRqQmJKQkxIQ29cLzMrUTR1OFcweU1Fd3k1K3MrXC9yVDUwWHZQIn0=
x-ctpclassification: CTP_NT
x-originating-ip: [10.22.254.140]
MIME-Version: 1.0
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Nate DeSimone

-----Original Message-----
From: Gonzalez Del Cueto, Rodrigo
Sent: Thursday, November 14, 2019 1:05 PM
To: devel@edk2.groups.io.
Cc: Gonzalez Del Cueto, Rodrigo ; Kubacki, Michael A ; Chiu, Chasel ; Desimone, Nathaniel L ; Gao, Liming
Subject: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2331

In V5:
+ Fixed build of MinPlatformPkg

This change is split into two commits:
1) This commit: Add new library class TpmPlatformHierarchyLib
2) Second commit: Add usage in Tcg2PlatformDxe

In order to enable some TPM use cases, BIOS should allow customizing the configuration of the TPM platform, provisioning of endorsement, platform and storage hierarchy.

Cc: Michael Kubacki
Cc: Chasel Chiu
Cc: Nate DeSimone
Cc: Liming Gao
Signed-off-by: Rodrigo Gonzalez del Cueto
---
 .../Include/Library/TpmPlatformHierarchyLib.h |  29 +++
 .../Intel/MinPlatformPkg/MinPlatformPkg.dec   |   2 +
 .../Intel/MinPlatformPkg/MinPlatformPkg.dsc   |   1 +
 .../TpmPlatformHierarchyLib.c                 | 214 ++++++++++++++++++
 .../TpmPlatformHierarchyLib.inf               |  45 ++++
 5 files changed, 291 insertions(+)
 create mode 100644 Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
 create mode 100644 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
 create mode 100644 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf

diff --git a/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
new file mode 100644
index 000000000000..ed9709b24a73
--- /dev/null
+++ b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
@@ -0,0 +1,29 @@ +/** @file+ TPM Platform Hierarchy configuration library.++ This libr= ary provides functions for customizing the TPM's Platform Hierarchy+ Aut= horization Value (platformAuth) and Platform Hierarchy Authorization+ Po= licy (platformPolicy) can be defined through this function.++Copyright (c) = 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: = BSD-2-Clause-Patent++**/++#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_+#define _T= PM_PLATFORM_HIERARCHY_LIB_H_++#include +#include ++/**+ = This service will perform the TPM Platform Hierarchy configuration at the S= mmReadyToLock event.++**/+VOID+EFIAPI+ConfigureTpmPlatformHierarchy (+ VOI= D+ );++#endifdiff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec= b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec index a851021c0b79..92bda3784ffc 100644 --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec @@ -62,6 +62,8 @@ BoardInitLib|Include/Library/BoardInitLib.h MultiBoardInitSupportLib|Include/Library/MultiBoardInitSupportLib.h SecBoa= rdInitLib|Include/Library/SecBoardInitLib.h +TpmPlatformHierarchyLib|Includ= e/Library/TpmPlatformHierarchyLib.h+ TestPointLib|Include/Library/TestPoint= Lib.h TestPointCheckLib|Include/Library/TestPointCheckLib.h diff --git a/Pl= atform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/Intel/MinPlatform= Pkg/MinPlatformPkg.dsc index 5f9363ff3228..a01f229a891d 100644 --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc 
@@ -102,6 +102,7 @@ FspWrapperPlatformLib|MinPlatformPkg/FspWrapper/Library/DxeFspWrapperPla= tformLib/DxeFspWrapperPlatformLib.inf TestPointCheckLib|MinPlatformPkg/Te= st/Library/TestPointCheckLib/DxeTestPointCheckLib.inf TestPointLib|MinPla= tformPkg/Test/Library/TestPointLib/DxeTestPointLib.inf+ TpmPlatformHierarc= hyLib|MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarc= hyLib.inf [LibraryClasses.common.DXE_SMM_DRIVER] SpiFlashCommonLib|MinPl= atformPkg/Flash/Library/SpiFlashCommonLibNull/SpiFlashCommonLibNull.infdiff= --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/= TpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPl= atformHierarchyLib/TpmPlatformHierarchyLib.c new file mode 100644 index 000000000000..41ddb26f4046 --- /dev/null +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/ +++ TpmPlatformHierarchyLib.c @@ -0,0 +1,214 @@ +/** @file+ TPM Platform Hierarchy configuration library.++ This libr= ary provides functions for customizing the TPM's Platform Hierarchy+ Aut= horization Value (platformAuth) and Platform Hierarchy Authorization+ Po= licy (platformPolicy) can be defined through this function.++ Copyright = (c) 2019, Intel Corporation. All rights reserved.
+ SPDX-License-Iden= tifier: BSD-2-Clause-Patent++ @par Specification Reference:+ https://= trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/+**/+= +#include ++#include +#include +#include +#include +#include +#include +#include +#include ++//+// The authorization value may be no larger than the digest produ= ced by the hash+// algorithm used for context integrity.+//+#define = MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE++UINT16 mAuthSize;++/**= + Generate high-quality entropy source through RDRAND.++ @param[in] Len= gth Size of the buffer, in bytes, to fill with.+ @param[out] Entro= py Pointer to the buffer to store the entropy data.++ @retval EFI_SU= CCESS Entropy generation succeeded.+ @retval EFI_NOT_READY Fai= led to request random data.++**/+EFI_STATUS+EFIAPI+RdRandGenerateEntropy (+= IN UINTN Length,+ OUT UINT8 *Entropy+ )+{+ EFI_STATUS = Status;+ UINTN BlockCount;+ UINT64 Seed[2];+ UINT8 *Ptr= ;++ Status =3D EFI_NOT_READY;+ BlockCount =3D Length / 64;+ Ptr =3D (UIN= T8 *)Entropy;++ //+ // Generate high-quality seed for DRBG Entropy+ //+ = while (BlockCount > 0) {+ Status =3D GetRandomNumber128 (Seed);+ if = (EFI_ERROR (Status)) {+ return Status;+ }+ CopyMem (Ptr, Seed, 6= 4);++ BlockCount--;+ Ptr =3D Ptr + 64;+ }++ //+ // Populate the re= mained data as request.+ //+ Status =3D GetRandomNumber128 (Seed);+ if (= EFI_ERROR (Status)) {+ return Status;+ }+ CopyMem (Ptr, Seed, (Length = % 64));++ return Status;+}++/**+ This function returns the maximum size o= f TPM2B_AUTH; this structure is used for an authorization value+ and limit= s an authValue to being no larger than the largest digest produced by a TPM= .++ @param[out] AuthSize Tpm2 Auth size++ @retval EFI_SUC= CESS Auth size returned.+ @retval EFI_DEVICE_ERROR = Can not return platform auth due to device error.++**/+EFI_STATUS+EFI= API+GetAuthSize (+ OUT UINT16 *AuthSize+ )+{+ EFI_STATUS = Status;+ TPML_PCR_SELECTION Pcrs;+ UINTN Index;= + UINT16 DigestSize;++ Status =3D 
EFI_SUCCESS;++ while (m= AuthSize =3D=3D 0) {++ mAuthSize =3D SHA1_DIGEST_SIZE;+ ZeroMem (&Pcr= s, sizeof (TPML_PCR_SELECTION));+ Status =3D Tpm2GetCapabilityPcrs (&Pcr= s);++ if (EFI_ERROR (Status)) {+ DEBUG ((DEBUG_ERROR, "Tpm2GetCapab= ilityPcrs fail!\n"));+ break;+ }++ DEBUG ((DEBUG_ERROR, "Tpm2Get= CapabilityPcrs - %08x\n", Pcrs.count));++ for (Index =3D 0; Index < Pcrs= .count; Index++) {+ DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelecti= ons[Index].hash));++ switch (Pcrs.pcrSelections[Index].hash) {+ c= ase TPM_ALG_SHA1:+ DigestSize =3D SHA1_DIGEST_SIZE;+ break;+ = case TPM_ALG_SHA256:+ DigestSize =3D SHA256_DIGEST_SIZE;+ = break;+ case TPM_ALG_SHA384:+ DigestSize =3D SHA384_DIGEST_SI= ZE;+ break;+ case TPM_ALG_SHA512:+ DigestSize =3D SHA512= _DIGEST_SIZE;+ break;+ case TPM_ALG_SM3_256:+ DigestSize= =3D SM3_256_DIGEST_SIZE;+ break;+ default:+ DigestSize = =3D SHA1_DIGEST_SIZE;+ break;+ }++ if (DigestSize > mAuthS= ize) {+ mAuthSize =3D DigestSize;+ }+ }+ break;+ }++ *A= uthSize =3D mAuthSize;+ return Status;+}++/**+ Set PlatformAuth to random= value.+**/+VOID+RandomizePlatformAuth (+ VOID+ )+{+ EFI_STATUS = Status;+ UINT16 AuthSize;+ UINT= 8 *Rand;+ UINTN Ra= ndSize;+ TPM2B_AUTH NewPlatformAuth;++ //+ // Sen= d Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being nu= ll+ //++ GetAuthSize (&AuthSize);++ ZeroMem (NewPlatformAuth.buffer, Aut= hSize);+ NewPlatformAuth.size =3D AuthSize;++ //+ // Allocate one buffer= to store random data.+ //+ RandSize =3D MAX_NEW_AUTHORIZATION_SIZE;+ Ra= nd =3D AllocatePool (RandSize);++ RdRandGenerateEntropy (RandSize, Rand);+= CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);++ FreePool (Rand);++ = //+ // Send Tpm2HierarchyChangeAuth command with the new Auth value+ //+ = Status =3D Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAut= h);+ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)= );+ ZeroMem (NewPlatformAuth.buffer, AuthSize);+ ZeroMem (Rand, RandSize)= ;+}++/**+ 
This service defines the configuration of the Platform Hierarch= y Authorization Value (platformAuth)+ and Platform Hierarchy Authorizatio= n Policy (platformPolicy)++**/+VOID+EFIAPI+ConfigureTpmPlatformHierarchy (+= )+{+ //+ // Send Tpm2HierarchyChange Auth with random value to avoid Pl= atformAuth being null+ //+ RandomizePlatformAuth ();+}diff --git a/Platfo= rm/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHier= archyLib.inf b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarc= hyLib/TpmPlatformHierarchyLib.inf new file mode 100644 index 000000000000..0911bdffa01f --- /dev/null +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/ +++ TpmPlatformHierarchyLib.inf @@ -0,0 +1,45 @@ +### @file+#+# TPM Platform Hierarchy configuration library.+#+# This l= ibrary provides functions for customizing the TPM's Platform Hierarchy+# = Authorization Value (platformAuth) and Platform Hierarchy Authorization+# = Policy (platformPolicy) can be defined through this function.+#+# Copyrigh= t (c) 2019, Intel Corporation. All rights reserved.
+#+# SPDX-License-Id= entifier: BSD-2-Clause-Patent+#+###++[Defines]+ INF_VERSION = =3D 0x00010005+ BASE_NAME =3D TpmPlatformHierarc= hyLib+ FILE_GUID =3D 7794F92C-4E8E-4E57-9E4A-49A0764C= 7D73+ MODULE_TYPE =3D DXE_DRIVER+ VERSION_STRING = =3D 1.0+ LIBRARY_CLASS =3D TpmPlatformHierarch= yLib++[LibraryClasses]+ MemoryAllocationLib+ BaseLib+ UefiBootServicesTa= bleLib+ UefiDriverEntryPoint+ BaseMemoryLib+ DebugLib+ Tpm2CommandLib+ = Tpm2DeviceLib+ RngLib+ UefiLib++[Packages]+ MdePkg/MdePkg.dec+ MdeModu= lePkg/MdeModulePkg.dec+ SecurityPkg/SecurityPkg.dec+ CryptoPkg/CryptoPkg.= dec++[Sources]+ TpmPlatformHierarchyLib.c++[Depex]+ gEfiTcg2ProtocolGuid-= -=20 2.22.0.windows.1
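Review bot: the file header of TpmPlatformHierarchyLib.h claims that both the Platform Hierarchy Authorization Value (platformAuth) and the Platform Hierarchy Authorization Policy (platformPolicy) "can be defined through this function", but the only function the header declares is ConfigureTpmPlatformHierarchy (), and the library source in this patch only randomizes platformAuth; nothing ever sets platformPolicy. Either trim the documentation to what the library does (randomize platformAuth at SmmReadyToLock and leave platformPolicy at its default) or add the policy path before documenting it, and repair the sentence while there, for example "This library provides functions for customizing the TPM's Platform Hierarchy Authorization Value (platformAuth)." The same paragraph is repeated verbatim at the top of TpmPlatformHierarchyLib.c and TpmPlatformHierarchyLib.inf, so all three copies need the same edit.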
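Review bot: RdRandGenerateEntropy in TpmPlatformHierarchyLib.c copies more bytes than it generates. GetRandomNumber128 fills the 16-byte `UINT64 Seed[2]`, but the loop runs with `BlockCount = Length / 64` and does `CopyMem (Ptr, Seed, 64)` per block, and the tail does `CopyMem (Ptr, Seed, (Length % 64))`, so every 64-byte block is 16 random bytes followed by 48 bytes read from the stack beyond Seed, and the tail can over-read Seed by up to 47 bytes. For the only caller, which requests MAX_NEW_AUTHORIZATION_SIZE (SHA512_DIGEST_SIZE, 64 bytes) and then uses the first AuthSize bytes, the new platformAuth is 16 random bytes plus whatever happens to sit next to Seed on the stack, far weaker than the "high-quality entropy" the comment promises. Use the seed size as the block size: `BlockCount = Length / sizeof (Seed);`, `CopyMem (Ptr, Seed, sizeof (Seed)); Ptr += sizeof (Seed);` and `CopyMem (Ptr, Seed, Length % sizeof (Seed));`, and skip the extra GetRandomNumber128 call when the remainder is zero. In RandomizePlatformAuth, `ZeroMem (Rand, RandSize)` executes after `FreePool (Rand)`, which writes into freed pool memory; move the ZeroMem ahead of the FreePool so the buffer is scrubbed before release. The same function ignores the return values of GetAuthSize, AllocatePool (no NULL check) and RdRandGenerateEntropy, so on an RNG failure the uninitialized pool buffer becomes the platform auth; propagate those failures, and consider making ConfigureTpmPlatformHierarchy return EFI_STATUS so Tcg2PlatformDxe (the consumer named in the commit message) learns when Tpm2HierarchyChangeAuth fails rather than only a DEBUG line recording it. Minor: in GetAuthSize the `while (mAuthSize == 0)` with an unconditional `break` at the end is just an `if`, and the informational prints ("Tpm2GetCapabilityPcrs - %08x", "alg - %x") should be DEBUG_INFO or DEBUG_VERBOSE rather than DEBUG_ERROR.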
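Review bot: `UefiDriverEntryPoint` should be dropped from the [LibraryClasses] section of TpmPlatformHierarchyLib.inf; this is a library instance, not a driver, and the entry-point library belongs to the consuming module (Tcg2PlatformDxe in the second commit), not to a library it links. `UefiBootServicesTableLib` and `UefiLib` are also listed, yet nothing in the visible TpmPlatformHierarchyLib.c calls into either (the code uses BaseMemoryLib, MemoryAllocationLib, RngLib, Tpm2CommandLib and DebugLib), so trimming them keeps the dependency list honest. Since the header documents that the configuration runs at SmmReadyToLock, consider stating the supported module types on the class, e.g. `LIBRARY_CLASS = TpmPlatformHierarchyLib|DXE_DRIVER DXE_SMM_DRIVER`, so a consumer of an unsupported type fails at build time instead of at runtime.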