From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) by mx.groups.io with SMTP id smtpd.web10.741.1573773416714029098 for ; Thu, 14 Nov 2019 15:16:56 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.126, mailfrom: nathaniel.l.desimone@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Nov 2019 15:16:56 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.68,306,1569308400"; d="scan'208";a="214643287" Received: from orsmsx103.amr.corp.intel.com ([10.22.225.130]) by fmsmga001.fm.intel.com with ESMTP; 14 Nov 2019 15:16:55 -0800 Received: from orsmsx157.amr.corp.intel.com (10.22.240.23) by ORSMSX103.amr.corp.intel.com (10.22.225.130) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 14 Nov 2019 15:16:55 -0800 Received: from orsmsx114.amr.corp.intel.com ([169.254.8.67]) by ORSMSX157.amr.corp.intel.com ([169.254.9.64]) with mapi id 14.03.0439.000; Thu, 14 Nov 2019 15:16:55 -0800 From: "Nate DeSimone" To: "Gonzalez Del Cueto, Rodrigo" , "devel@edk2.groups.io" CC: "Kubacki, Michael A" , "Chiu, Chasel" , "Gao, Liming" Subject: Re: [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib Thread-Topic: [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib Thread-Index: AQHVmy89DyqnITo7Zka+1fx03cZIaaeLTK6Q Date: Thu, 14 Nov 2019 23:16:55 +0000 Message-ID: <02A34F284D1DA44BB705E61F7180EF0AB5BD201B@ORSMSX114.amr.corp.intel.com> References: <20191114210510.1736-1-rodrigo.gonzalez.del.cueto@intel.com> <20191114210510.1736-3-rodrigo.gonzalez.del.cueto@intel.com> In-Reply-To: <20191114210510.1736-3-rodrigo.gonzalez.del.cueto@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNmM0MTZjN2MtOTc4Ni00ZDM4LWExNzUtYTVlMWQ0MTI0MGRkIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoicCtzTHJOejZhejVZYUJYa1F1UmdscFdUXC9zcG11QUdVYkxPVWx4eGs0Uk5XbTFZRysxNmYrRWdkdEsyYTdmQzYifQ== x-ctpclassification: CTP_NT x-originating-ip: [10.22.254.140] MIME-Version: 1.0 Return-Path: nathaniel.l.desimone@intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Nate DeSimone -----Original Message----- From: Gonzalez Del Cueto, Rodrigo =20 Sent: Thursday, November 14, 2019 1:05 PM To: devel@edk2.groups.io. Cc: Gonzalez Del Cueto, Rodrigo ; Kub= acki, Michael A ; Chiu, Chasel ; Desimone, Nathaniel L ; Gao, Limi= ng Subject: [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to = use TpmPlatformHierarchyLib This change is split into two commits: 1) First commit: Add new library class TpmPlatformHierarchyLib 2) This commit: Add usage in Tcg2PlatformDxe Tcg2PlatformDxe will now leverage from TpmPlatformHierarchyLib's ConfigureT= pmPlatformHierarchy function to configure the TPM's Platform Hierarchy. Cc: Michael Kubacki Cc: Chasel Chiu Cc: Nate DeSimone Cc: Liming Gao Signed-off-by: Rodrigo Gonzalez del Cueto --- .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 168 +++--------------- .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 12 +- 2 files changed, 24 insertions(+), 156 deletions(-) diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2Platform= Dxe.c b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c index d0d88b2e91d5..704c6d8d6baa 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c +++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe. +++ c @@ -1,157 +1,31 @@ /** @file- Platform specific TPM2 component.+ Platform specific TPM2 com= ponent for configuring the Platform Hierarchy. -Copyright (c) 2017, Intel C= orporation. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-= Patent+ Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.=
+ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include #include -#include -#includ= e #include -#include -#include -#include #include +#in= clude #include -#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE- /**- = Generate high-quality entropy source through RDRAND.-- @param[in] Lengt= h Size of the buffer, in bytes, to fill with.- @param[out] Entropy= Pointer to the buffer to store the entropy data.-- @retval EFI_SUCC= ESS Entropy generation succeeded.- @retval EFI_NOT_READY Faile= d to request random data.--**/-EFI_STATUS-EFIAPI-RdRandGenerateEntropy (- = IN UINTN Length,- OUT UINT8 *Entropy- )-{- EFI_STATUS St= atus;- UINTN BlockCount;- UINT64 Seed[2];- UINT8 *Ptr;-= - Status =3D EFI_NOT_READY;- BlockCount =3D Length / 64;- Ptr =3D (UINT8= *)Entropy;+ This callback function will run at the SmmReadyToLock event.= - //- // Generate high-quality seed for DRBG Entropy- //- while (Block= Count > 0) {- Status =3D GetRandomNumber128(Seed);- if (EFI_ERROR(Sta= tus)) {- return Status;- }- CopyMem(Ptr, Seed, 64);-- BlockCo= unt--;- Ptr =3D Ptr + 64;- }-- //- // Populate the remained data as r= equest.- //- Status =3D GetRandomNumber128(Seed);- if (EFI_ERROR(Status)= ) {- return Status;- }- CopyMem(Ptr, Seed, (Length % 64));-- return S= tatus;-}--/**- Set PlatformAuth to random value.-**/-VOID-RandomizePlatfor= mAuth (- VOID- )-{- EFI_STATUS Status;- UINT16 = AuthSize;- TPML_PCR_SELECTION Pcr= s;- UINT32 Index;- UINT8 = *Rand;- UINTN RandSize;- TPM2B_AUTH = NewPlatformAuth;-- //- // Send Tpm2HierarchyChange A= uth with random value to avoid PlatformAuth being null- //- ZeroMem(&Pcrs= , sizeof(TPML_PCR_SELECTION));- AuthSize =3D MAX_NEW_AUTHORIZATION_SIZE;--= Status =3D Tpm2GetCapabilityPcrs(&Pcrs);- if (EFI_ERROR(Status)) {- D= EBUG((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));- } else {- for (I= ndex =3D 0; Index < Pcrs.count; Index++) {- switch (Pcrs.pcrSelections= [Index].hash) {- case TPM_ALG_SHA1:- AuthSize =3D SHA1_DIGEST_S= IZE;- break;- case TPM_ALG_SHA256:- AuthSize =3D SHA256_= DIGEST_SIZE;- break;- case TPM_ALG_SHA384:- AuthSize =3D= SHA384_DIGEST_SIZE;- break;- case TPM_ALG_SHA512:- Auth= Size =3D SHA512_DIGEST_SIZE;- break;- case TPM_ALG_SM3_256:- = AuthSize =3D SM3_256_DIGEST_SIZE;- break;- }- }- }-- = ZeroMem(NewPlatformAuth.buffer, AuthSize);- NewPlatformAuth.size =3D AuthS= ize;-- //- // Allocate one buffer to store random data.- //- RandSize = =3D MAX_NEW_AUTHORIZATION_SIZE;- Rand =3D AllocatePool(RandSize);-- RdRan= dGenerateEntropy(RandSize, Rand);- CopyMem(NewPlatformAuth.buffer, Rand, A= uthSize);-- FreePool(Rand);-- //- // Send Tpm2HierarchyChangeAuth comman= d with the new Auth value- //- Status =3D Tpm2HierarchyChangeAuth(TPM_RH_= PLATFORM, NULL, &NewPlatformAuth);- DEBUG((DEBUG_INFO, "Tpm2HierarchyChang= eAuth Result: - %r\n", Status));- ZeroMem(NewPlatformAuth.buffer, AuthSize= );- ZeroMem(Rand, RandSize);-}--/**- This is the Event call back function= to notify the Library the system is entering- run time phase.+ Configur= ation of the TPM's Platform Hierarchy Authorization Value (platformAuth)+ = and Platform Hierarchy Authorization Policy (platformPolicy) can be define= d through this function. @param Event Pointer to this event @param = Context Event hanlder private data **/ VOID EFIAPI-ReadyToLockEventCallBa= ck (+SmmReadyToLockEventCallBack ( IN EFI_EVENT Event, IN VOID *= Context )@@ -172,22 +46,20 @@ ReadyToLockEventCallBack ( return ; } - //- // Send Tpm2HierarchyChange Auth with random valu= e to avoid PlatformAuth being null- //- RandomizePlatformAuth();+ Config= ureTpmPlatformHierarchy (); gBS->CloseEvent (Event); } /**- The driver= 's entry point.+ The driver's entry point. Will register a function for c= allback during SmmReadyToLock event to+ configure the TPM's platform auth= orization. - @param[in] ImageHandle The firmware allocated handle for the= EFI image.- @param[in] SystemTable A pointer to the EFI System Table.+ = @param[in] ImageHandle The firmware allocated handle for the EFI image.+ = @param[in] SystemTable A pointer to the EFI System Table. - @retval EFI= _SUCCESS The entry point is executed successfully.- @retval other = Some error occurs when executing this entry point.+ @retval EFI_SUC= CESS The entry point is executed successfully.+ @retval other = Some error occurs when executing this entry point. **/ EFI_STATUS EFIAPI= @@ -196,17 +68,19 @@ Tcg2PlatformDxeEntryPoint ( IN EFI_SYSTEM_TABLE *SystemTable ) {- VOID = *Registration;- EFI_EVENT Event;+ VOID *Re= gistration;+ EFI_EVENT Event; - Event =3D EfiCreateProtocolNotifyEvent = (+ Event =3D EfiCreateProtocolNotifyEvent ( &gEfiDxeSmmReadyTo= LockProtocolGuid, TPL_CALLBACK,- ReadyToLockEventCal= lBack,+ SmmReadyToLockEventCallBack, NULL, = &Registration );+ ASSERT (Event !=3D NULL); return EFI_= SUCCESS; }+diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/T= cg2PlatformDxe.inf b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2= PlatformDxe.inf index e8ab5f35a0da..af29c1cd98c9 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe. +++ inf @@ -1,7 +1,7 @@ ### @file # Platform specific TPM2 component. #-# Copyright (c) 2017, Inte= l Corporation. All rights reserved.
+# Copyright (c) 2017 - 2019, Intel = Corporation. All rights reserved.
# # SPDX-License-Identifier: BSD-2-Cl= ause-Patent #@@ -21,23 +21,18 @@ # [LibraryClasses]- MemoryAllocationLib BaseLib UefiBootServicesTabl= eLib UefiDriverEntryPoint- UefiRuntimeServicesTableLib- BaseMemoryLib = DebugLib- Tpm2CommandLib- Tpm2DeviceLib- RngLib UefiLib+ TpmPlatform= HierarchyLib [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.de= c+ MinPlatformPkg/MinPlatformPkg.dec SecurityPkg/SecurityPkg.dec- Crypt= oPkg/CryptoPkg.dec [Sources] Tcg2PlatformDxe.c@@ -47,4 +42,3 @@ [Depex] gEfiTcg2ProtocolGuid---=20 2.22.0.windows.1