* [edk2-platforms][Patch V5 0/2] MinPlatformPkg: Introduce library for customizing TPM platform configuration
@ 2019-11-14 21:05 Rodrigo Gonzalez del Cueto
  2019-11-14 21:05 ` [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy Rodrigo Gonzalez del Cueto
  2019-11-14 21:05 ` [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib Rodrigo Gonzalez del Cueto
  0 siblings, 2 replies; 8+ messages in thread
From: Rodrigo Gonzalez del Cueto @ 2019-11-14 21:05 UTC (permalink / raw)
To: devel; +Cc: Rodrigo Gonzalez del Cueto

[PATCH 5] Split up TpmPlatformHierarchyLib from Tcg2PlatformDxe modifications
[PATCH 1/2] Add new library class TpmPlatformHierarchyLib
[PATCH 2/2] Add usage in Tcg2PlatformDxe

Rodrigo Gonzalez del Cueto (2):
  MinPlatformPkg: Library for customizing TPM platform hierarchy
  MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib

 .../Include/Library/TpmPlatformHierarchyLib.h |  29 +++
 .../Intel/MinPlatformPkg/MinPlatformPkg.dec   |   2 +
 .../Intel/MinPlatformPkg/MinPlatformPkg.dsc   |   1 +
 .../TpmPlatformHierarchyLib.c                 | 214 ++++++++++++++++++
 .../TpmPlatformHierarchyLib.inf               |  45 ++++
 .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c     | 168 ++------------
 .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf   |  12 +-
 7 files changed, 315 insertions(+), 156 deletions(-)
 create mode 100644 Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
 create mode 100644 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
 create mode 100644 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf

-- 
2.22.0.windows.1

^ permalink raw reply [flat|nested] 8+ messages in thread
* [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy
  2019-11-14 21:05 [edk2-platforms][Patch V5 0/2] MinPlatformPkg: Introduce library for customizing TPM platform configuration Rodrigo Gonzalez del Cueto
@ 2019-11-14 21:05 ` Rodrigo Gonzalez del Cueto
  2019-11-14 23:16   ` Nate DeSimone
                     ` (2 more replies)
  2019-11-14 21:05 ` [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib Rodrigo Gonzalez del Cueto
  1 sibling, 3 replies; 8+ messages in thread
From: Rodrigo Gonzalez del Cueto @ 2019-11-14 21:05 UTC (permalink / raw)
To: devel
Cc: Rodrigo Gonzalez del Cueto, Michael Kubacki, Chasel Chiu, Nate DeSimone, Liming Gao

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2331

In V5:
+ Fixed build of MinPlatformPkg

This change is split into two commits:
1) This commit: Add new library class TpmPlatformHierarchyLib
2) Second commit: Add usage in Tcg2PlatformDxe

In order to enable some TPM use cases, BIOS should allow customizing the
configuration of the TPM platform: provisioning of the endorsement, platform
and storage hierarchies.

Cc: Michael Kubacki <michael.a.kubacki@intel.com>
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>
---
 .../Include/Library/TpmPlatformHierarchyLib.h |  29 +++
 .../Intel/MinPlatformPkg/MinPlatformPkg.dec   |   2 +
 .../Intel/MinPlatformPkg/MinPlatformPkg.dsc   |   1 +
 .../TpmPlatformHierarchyLib.c                 | 214 ++++++++++++++++++
 .../TpmPlatformHierarchyLib.inf               |  45 ++++
 5 files changed, 291 insertions(+)
 create mode 100644 Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
 create mode 100644 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
 create mode 100644 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf

diff --git a/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h new file mode 100644 index 000000000000..ed9709b24a73 --- /dev/null +++ b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h @@ -0,0 +1,29 @@ +/** @file + TPM Platform Hierarchy configuration library. + + This library provides functions for customizing the TPM's Platform Hierarchy + Authorization Value (platformAuth) and Platform Hierarchy Authorization + Policy (platformPolicy) can be defined through this function. + +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_ +#define _TPM_PLATFORM_HIERARCHY_LIB_H_ + +#include <PiDxe.h> +#include <Uefi.h> + +/** + This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event. + +**/ +VOID +EFIAPI +ConfigureTpmPlatformHierarchy ( + VOID + ); + +#endif diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec index a851021c0b79..92bda3784ffc 100644 --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec @@ -62,6 +62,8 @@ BoardInitLib|Include/Library/BoardInitLib.h MultiBoardInitSupportLib|Include/Library/MultiBoardInitSupportLib.h SecBoardInitLib|Include/Library/SecBoardInitLib.h +TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h + TestPointLib|Include/Library/TestPointLib.h TestPointCheckLib|Include/Library/TestPointCheckLib.h diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc index 5f9363ff3228..a01f229a891d 100644 --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc 
@@ -102,6 +102,7 @@ FspWrapperPlatformLib|MinPlatformPkg/FspWrapper/Library/DxeFspWrapperPlatformLib/DxeFspWrapperPlatformLib.inf TestPointCheckLib|MinPlatformPkg/Test/Library/TestPointCheckLib/DxeTestPointCheckLib.inf TestPointLib|MinPlatformPkg/Test/Library/TestPointLib/DxeTestPointLib.inf + TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf [LibraryClasses.common.DXE_SMM_DRIVER] SpiFlashCommonLib|MinPlatformPkg/Flash/Library/SpiFlashCommonLibNull/SpiFlashCommonLibNull.inf diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c new file mode 100644 index 000000000000..41ddb26f4046 --- /dev/null +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c 
@@ -0,0 +1,214 @@ +/** @file + TPM Platform Hierarchy configuration library. + + This library provides functions for customizing the TPM's Platform Hierarchy + Authorization Value (platformAuth) and Platform Hierarchy Authorization + Policy (platformPolicy) can be defined through this function. + + Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> + SPDX-License-Identifier: BSD-2-Clause-Patent + + @par Specification Reference: + https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/ +**/ + +#include <PiDxe.h> + +#include <Library/DebugLib.h> +#include <Library/BaseMemoryLib.h> +#include <Library/UefiBootServicesTableLib.h> +#include <Library/MemoryAllocationLib.h> +#include <Library/Tpm2CommandLib.h> +#include <Library/RngLib.h> +#include <Library/UefiLib.h> +#include <Protocol/DxeSmmReadyToLock.h> + +// +// The authorization value may be no larger than the digest produced by the hash +// algorithm used for context integrity. +// +#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE + +UINT16 mAuthSize; + +/** + Generate high-quality entropy source through RDRAND. + + @param[in] Length Size of the buffer, in bytes, to fill with. + @param[out] Entropy Pointer to the buffer to store the entropy data. + + @retval EFI_SUCCESS Entropy generation succeeded. + @retval EFI_NOT_READY Failed to request random data. + +**/ +EFI_STATUS +EFIAPI +RdRandGenerateEntropy ( + IN UINTN Length, + OUT UINT8 *Entropy + ) +{ + EFI_STATUS Status; + UINTN BlockCount; + UINT64 Seed[2]; + UINT8 *Ptr; + + Status = EFI_NOT_READY; + BlockCount = Length / 64; + Ptr = (UINT8 *)Entropy; + + // + // Generate high-quality seed for DRBG Entropy + // + while (BlockCount > 0) { + Status = GetRandomNumber128 (Seed); + if (EFI_ERROR (Status)) { + return Status; + } + CopyMem (Ptr, Seed, 64); + + BlockCount--; + Ptr = Ptr + 64; + } + + // + // Populate the remained data as request. 
+ // + Status = GetRandomNumber128 (Seed); + if (EFI_ERROR (Status)) { + return Status; + } + CopyMem (Ptr, Seed, (Length % 64)); + + return Status; +} + +/** + This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value + and limits an authValue to being no larger than the largest digest produced by a TPM. + + @param[out] AuthSize Tpm2 Auth size + + @retval EFI_SUCCESS Auth size returned. + @retval EFI_DEVICE_ERROR Can not return platform auth due to device error. + +**/ +EFI_STATUS +EFIAPI +GetAuthSize ( + OUT UINT16 *AuthSize + ) +{ + EFI_STATUS Status; + TPML_PCR_SELECTION Pcrs; + UINTN Index; + UINT16 DigestSize; + + Status = EFI_SUCCESS; + + while (mAuthSize == 0) { + + mAuthSize = SHA1_DIGEST_SIZE; + ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION)); + Status = Tpm2GetCapabilityPcrs (&Pcrs); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); + break; + } + + DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count)); + + for (Index = 0; Index < Pcrs.count; Index++) { + DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash)); + + switch (Pcrs.pcrSelections[Index].hash) { + case TPM_ALG_SHA1: + DigestSize = SHA1_DIGEST_SIZE; + break; + case TPM_ALG_SHA256: + DigestSize = SHA256_DIGEST_SIZE; + break; + case TPM_ALG_SHA384: + DigestSize = SHA384_DIGEST_SIZE; + break; + case TPM_ALG_SHA512: + DigestSize = SHA512_DIGEST_SIZE; + break; + case TPM_ALG_SM3_256: + DigestSize = SM3_256_DIGEST_SIZE; + break; + default: + DigestSize = SHA1_DIGEST_SIZE; + break; + } + + if (DigestSize > mAuthSize) { + mAuthSize = DigestSize; + } + } + break; + } + + *AuthSize = mAuthSize; + return Status; +} + +/** + Set PlatformAuth to random value. 
+**/ +VOID +RandomizePlatformAuth ( + VOID + ) +{ + EFI_STATUS Status; + UINT16 AuthSize; + UINT8 *Rand; + UINTN RandSize; + TPM2B_AUTH NewPlatformAuth; + + // + // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null + // + + GetAuthSize (&AuthSize); + + ZeroMem (NewPlatformAuth.buffer, AuthSize); + NewPlatformAuth.size = AuthSize; + + // + // Allocate one buffer to store random data. + // + RandSize = MAX_NEW_AUTHORIZATION_SIZE; + Rand = AllocatePool (RandSize); + + RdRandGenerateEntropy (RandSize, Rand); + CopyMem (NewPlatformAuth.buffer, Rand, AuthSize); + + FreePool (Rand); + + // + // Send Tpm2HierarchyChangeAuth command with the new Auth value + // + Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth); + DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)); + ZeroMem (NewPlatformAuth.buffer, AuthSize); + ZeroMem (Rand, RandSize); +} + +/** + This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth) + and Platform Hierarchy Authorization Policy (platformPolicy) + +**/ +VOID +EFIAPI +ConfigureTpmPlatformHierarchy ( + ) +{ + // + // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null + // + RandomizePlatformAuth (); +} diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf new file mode 100644 index 000000000000..0911bdffa01f --- /dev/null +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf 
@@ -0,0 +1,45 @@ +### @file +# +# TPM Platform Hierarchy configuration library. +# +# This library provides functions for customizing the TPM's Platform Hierarchy +# Authorization Value (platformAuth) and Platform Hierarchy Authorization +# Policy (platformPolicy) can be defined through this function. +# +# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +### + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = TpmPlatformHierarchyLib + FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + LIBRARY_CLASS = TpmPlatformHierarchyLib + +[LibraryClasses] + MemoryAllocationLib + BaseLib + UefiBootServicesTableLib + UefiDriverEntryPoint + BaseMemoryLib + DebugLib + Tpm2CommandLib + Tpm2DeviceLib + RngLib + UefiLib + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[Sources] + TpmPlatformHierarchyLib.c + +[Depex] + gEfiTcg2ProtocolGuid -- 2.22.0.windows.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
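Review bot: in the TpmPlatformHierarchyLib.h hunk, the file comment is not a sentence and promises more than the library does: "This library provides functions for customizing the TPM's Platform Hierarchy Authorization Value (platformAuth) and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function." The only operation this patch implements is RandomizePlatformAuth, which sets platformAuth; platformPolicy is never touched, so either describe it as "sets platformAuth to a random value" or drop the policy wording until code for it exists. The ConfigureTpmPlatformHierarchy comment ("at the SmmReadyToLock event") is misleading for the same reason: the library registers no event (the Protocol/DxeSmmReadyToLock.h include in the .c is unused), the caller decides when to invoke it. What the header should document instead is the precondition the implementation relies on: platformAuth must still be empty when this is called, because the TPM2_HierarchyChangeAuth is sent with a NULL AuthSession, i.e. authorised with the current (empty) platformAuth, and the new value is zeroed and never stored, so after the call neither firmware nor the OS can use the platform hierarchy until the TPM is reset. The same broken sentence is repeated in the .c and .inf file headers; fix all three.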
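Review bot: RdRandGenerateEntropy in the TpmPlatformHierarchyLib.c hunk reads far past its seed buffer, so the new platformAuth is mostly not random. `Seed` is declared `UINT64 Seed[2];` (16 bytes, exactly what GetRandomNumber128 fills), but the loop does `CopyMem (Ptr, Seed, 64);` and the tail does `CopyMem (Ptr, Seed, (Length % 64));`, i.e. 64 and up to 63 bytes out of a 16-byte stack array. For the one caller, RandSize is MAX_NEW_AUTHORIZATION_SIZE (64), so the whole buffer is one 64-byte copy of which only bytes 0..15 are random; bytes 16..63 are whatever follows Seed on the stack. With a SHA-256 bank AuthSize is 32, so half of the platformAuth that is supposed to lock the hierarchy comes from stack contents, leaving at most 128 bits of entropy plus partly predictable bytes. Fill in units of sizeof (Seed) instead: call GetRandomNumber128 until Length bytes are written, copying MIN (16, remaining) each time, and check its return at the call site. RandomizePlatformAuth currently ignores that return, as it ignores GetAuthSize's status (a Tpm2GetCapabilityPcrs failure silently falls back to a 20-byte SHA1-sized auth) and AllocatePool's result (NULL dereference). It also zeroes the pool after freeing it: `FreePool (Rand);` is followed at the end of the function by `ZeroMem (Rand, RandSize);`; zero first and then free, or drop the pool altogether, since the size is bounded by MAX_NEW_AUTHORIZATION_SIZE and a local array will do. Finally, a failed Tpm2HierarchyChangeAuth is only reported at DEBUG_INFO, which leaves platformAuth empty and the platform hierarchy open to the OS with no visible error; log it at DEBUG_ERROR and consider returning a status from ConfigureTpmPlatformHierarchy so Tcg2PlatformDxe can act on it. Minor: `ConfigureTpmPlatformHierarchy ( )` should take `VOID` as the header declares; `while (mAuthSize == 0) { ... break; }` in GetAuthSize is an if; the capability dumps (`Tpm2GetCapabilityPcrs - %08x`, `alg - %x`) are logged at DEBUG_ERROR but are not errors; the function comment says RDRAND while the code correctly goes through RngLib, so fix the comment; and the DxeSmmReadyToLock.h, UefiLib and UefiBootServicesTableLib includes are unused in this file.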
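Review bot: in the TpmPlatformHierarchyLib.inf hunk, UefiDriverEntryPoint under [LibraryClasses] does not belong in a library; it supplies a driver's entry point and a library must not depend on it, drop it. The [Packages] and [LibraryClasses] lists are also wider than the source: TpmPlatformHierarchyLib.c includes only MdePkg, MdeModulePkg and SecurityPkg headers and no CryptoPkg header, and it calls nothing from Tpm2DeviceLib directly (Tpm2GetCapabilityPcrs and Tpm2HierarchyChangeAuth are Tpm2CommandLib, whose own .inf is where the Tpm2DeviceLib dependency belongs), so CryptoPkg/CryptoPkg.dec and Tpm2DeviceLib look like leftovers from Tcg2PlatformDxe. Keep the `[Depex] gEfiTcg2ProtocolGuid`: the library issues TPM2 commands, and because a library [Depex] is ANDed into every consumer's dependency expression it guarantees the TPM stack is up before any consumer runs; but then `MODULE_TYPE = DXE_DRIVER` with a bare `LIBRARY_CLASS = TpmPlatformHierarchyLib` should state the supported module types (e.g. `TpmPlatformHierarchyLib|DXE_DRIVER`) so the build rejects a PEIM or SMM consumer instead of letting it inherit a DXE protocol depex.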
* Re: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy
  2019-11-14 21:05 ` [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy Rodrigo Gonzalez del Cueto
@ 2019-11-14 23:16   ` Nate DeSimone
  2019-11-14 23:19   ` Kubacki, Michael A
  [not found]         ` <3C3EFB470A303B4AB093197B6777CCEC505A6334@PGSMSX111.gar.corp.intel.com>
  2 siblings, 0 replies; 8+ messages in thread
From: Nate DeSimone @ 2019-11-14 23:16 UTC (permalink / raw)
To: Gonzalez Del Cueto, Rodrigo, devel@edk2.groups.io
Cc: Kubacki, Michael A, Chiu, Chasel, Gao, Liming

Reviewed-by: Nate DeSimone <nathaniel.l.desimone@intel.com>

-----Original Message-----
From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>
Sent: Thursday, November 14, 2019 1:05 PM
To: devel@edk2.groups.io.
Cc: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>; Kubacki, Michael A <michael.a.kubacki@intel.com>; Chiu, Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L <nathaniel.l.desimone@intel.com>; Gao, Liming <liming.gao@intel.com>
Subject: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2331

In V5:
+ Fixed build of MinPlatformPkg

This change is split into two commits:
1) This commit: Add new library class TpmPlatformHierarchyLib
2) Second commit: Add usage in Tcg2PlatformDxe

In order to enable some TPM use cases, BIOS should allow customizing the
configuration of the TPM platform: provisioning of the endorsement, platform
and storage hierarchies.

Cc: Michael Kubacki <michael.a.kubacki@intel.com>
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>

^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy
  2019-11-14 21:05 ` [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy Rodrigo Gonzalez del Cueto
  2019-11-14 23:16   ` Nate DeSimone
@ 2019-11-14 23:19   ` Kubacki, Michael A
  [not found]         ` <3C3EFB470A303B4AB093197B6777CCEC505A6334@PGSMSX111.gar.corp.intel.com>
  2 siblings, 0 replies; 8+ messages in thread
From: Kubacki, Michael A @ 2019-11-14 23:19 UTC (permalink / raw)
To: Gonzalez Del Cueto, Rodrigo, devel@edk2.groups.io
Cc: Chiu, Chasel, Desimone, Nathaniel L, Gao, Liming

Reviewed-by: Michael Kubacki <michael.a.kubacki@intel.com>

> -----Original Message-----
> From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>
> Sent: Thursday, November 14, 2019 1:05 PM
> To: devel@edk2.groups.io.
> Cc: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>;
> Kubacki, Michael A <michael.a.kubacki@intel.com>; Chiu, Chasel
> <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; Gao, Liming <liming.gao@intel.com>
> Subject: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for
> customizing TPM platform hierarchy
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2331
>
> In V5:
> + Fixed build of MinPlatformPkg
>
> This change is split into two commits:
> 1) This commit: Add new library class TpmPlatformHierarchyLib
> 2) Second commit: Add usage in Tcg2PlatformDxe
>
> In order to enable some TPM use cases, BIOS should allow customizing the
> configuration of the TPM platform: provisioning of the endorsement, platform
> and storage hierarchies.
>
> Cc: Michael Kubacki <michael.a.kubacki@intel.com>
> Cc: Chasel Chiu <chasel.chiu@intel.com>
> Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> > Signed-off-by: Rodrigo Gonzalez del Cueto > <rodrigo.gonzalez.del.cueto@intel.com> > --- > .../Include/Library/TpmPlatformHierarchyLib.h | 29 +++ > .../Intel/MinPlatformPkg/MinPlatformPkg.dec | 2 + > .../Intel/MinPlatformPkg/MinPlatformPkg.dsc | 1 + > .../TpmPlatformHierarchyLib.c | 214 ++++++++++++++++++ > .../TpmPlatformHierarchyLib.inf | 45 ++++ > 5 files changed, 291 insertions(+) > create mode 100644 > Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h > create mode 100644 > Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPl > atformHierarchyLib.c > create mode 100644 > Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPl > atformHierarchyLib.inf > > diff --git > a/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib. > h > b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib. > h > new file mode 100644 > index 000000000000..ed9709b24a73 > --- /dev/null > +++ > b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchy > +++ Lib.h > @@ -0,0 +1,29 @@ > +/** @file+ TPM Platform Hierarchy configuration library.++ This library > provides functions for customizing the TPM's Platform Hierarchy+ > Authorization Value (platformAuth) and Platform Hierarchy Authorization+ > Policy (platformPolicy) can be defined through this function.++Copyright (c) > 2019, Intel Corporation. All rights reserved.<BR>+SPDX-License-Identifier: > BSD-2-Clause-Patent++**/++#ifndef > _TPM_PLATFORM_HIERARCHY_LIB_H_+#define > _TPM_PLATFORM_HIERARCHY_LIB_H_++#include <PiDxe.h>+#include > <Uefi.h>++/**+ This service will perform the TPM Platform Hierarchy > configuration at the SmmReadyToLock > event.++**/+VOID+EFIAPI+ConfigureTpmPlatformHierarchy (+ VOID+ > );++#endifdiff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > index a851021c0b79..92bda3784ffc 100644 > --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec 
> +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > @@ -62,6 +62,8 @@ BoardInitLib|Include/Library/BoardInitLib.h > MultiBoardInitSupportLib|Include/Library/MultiBoardInitSupportLib.h > SecBoardInitLib|Include/Library/SecBoardInitLib.h > +TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h+ > TestPointLib|Include/Library/TestPointLib.h > TestPointCheckLib|Include/Library/TestPointCheckLib.h diff --git > a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > index 5f9363ff3228..a01f229a891d 100644 > --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > @@ -102,6 +102,7 @@ > > FspWrapperPlatformLib|MinPlatformPkg/FspWrapper/Library/DxeFspWrap > perPlatformLib/DxeFspWrapperPlatformLib.inf > TestPointCheckLib|MinPlatformPkg/Test/Library/TestPointCheckLib/DxeTes > tPointCheckLib.inf > TestPointLib|MinPlatformPkg/Test/Library/TestPointLib/DxeTestPointLib.inf > + > TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/TpmPlatformHierarc > hyLib/TpmPlatformHierarchyLib.inf > [LibraryClasses.common.DXE_SMM_DRIVER] > SpiFlashCommonLib|MinPlatformPkg/Flash/Library/SpiFlashCommonLibNull/ > SpiFlashCommonLibNull.infdiff --git > a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp > mPlatformHierarchyLib.c > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp > mPlatformHierarchyLib.c > new file mode 100644 > index 000000000000..41ddb26f4046 > --- /dev/null > +++ > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/ > +++ TpmPlatformHierarchyLib.c 
> @@ -0,0 +1,214 @@ > +/** @file+ TPM Platform Hierarchy configuration library.++ This library > provides functions for customizing the TPM's Platform Hierarchy+ > Authorization Value (platformAuth) and Platform Hierarchy Authorization+ > Policy (platformPolicy) can be defined through this function.++ Copyright > (c) 2019, Intel Corporation. All rights reserved.<BR>+ SPDX-License- > Identifier: BSD-2-Clause-Patent++ @par Specification Reference:+ > https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning- > guidance/+**/++#include <PiDxe.h>++#include > <Library/DebugLib.h>+#include <Library/BaseMemoryLib.h>+#include > <Library/UefiBootServicesTableLib.h>+#include > <Library/MemoryAllocationLib.h>+#include > <Library/Tpm2CommandLib.h>+#include <Library/RngLib.h>+#include > <Library/UefiLib.h>+#include <Protocol/DxeSmmReadyToLock.h>++//+// > The authorization value may be no larger than the digest produced by the > hash+// algorithm used for context integrity.+//+#define > MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE++UINT16 > mAuthSize;++/**+ Generate high-quality entropy source through > RDRAND.++ @param[in] Length Size of the buffer, in bytes, to fill with.+ > @param[out] Entropy Pointer to the buffer to store the entropy data.++ > @retval EFI_SUCCESS Entropy generation succeeded.+ @retval > EFI_NOT_READY Failed to request random > data.++**/+EFI_STATUS+EFIAPI+RdRandGenerateEntropy (+ IN UINTN > Length,+ OUT UINT8 *Entropy+ )+{+ EFI_STATUS Status;+ UINTN > BlockCount;+ UINT64 Seed[2];+ UINT8 *Ptr;++ Status = > EFI_NOT_READY;+ BlockCount = Length / 64;+ Ptr = (UINT8 *)Entropy;++ > //+ // Generate high-quality seed for DRBG Entropy+ //+ while (BlockCount > > 0) {+ Status = GetRandomNumber128 (Seed);+ if (EFI_ERROR (Status)) > {+ return Status;+ }+ CopyMem (Ptr, Seed, 64);++ BlockCount--;+ Ptr > = Ptr + 64;+ }++ //+ // Populate the remained data as request.+ //+ Status > = GetRandomNumber128 (Seed);+ if (EFI_ERROR (Status)) {+ return > Status;+ }+ 
CopyMem (Ptr, Seed, (Length % 64));++ return Status;+}++/**+ > This function returns the maximum size of TPM2B_AUTH; this structure is > used for an authorization value+ and limits an authValue to being no larger > than the largest digest produced by a TPM.++ @param[out] AuthSize > Tpm2 Auth size++ @retval EFI_SUCCESS Auth size returned.+ > @retval EFI_DEVICE_ERROR Can not return platform auth due to > device error.++**/+EFI_STATUS+EFIAPI+GetAuthSize (+ OUT UINT16 > *AuthSize+ )+{+ EFI_STATUS Status;+ TPML_PCR_SELECTION Pcrs;+ > UINTN Index;+ UINT16 DigestSize;++ Status = > EFI_SUCCESS;++ while (mAuthSize == 0) {++ mAuthSize = > SHA1_DIGEST_SIZE;+ ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));+ > Status = Tpm2GetCapabilityPcrs (&Pcrs);++ if (EFI_ERROR (Status)) {+ > DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));+ break;+ }++ > DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));++ > for (Index = 0; Index < Pcrs.count; Index++) {+ DEBUG ((DEBUG_ERROR, > "alg - %x\n", Pcrs.pcrSelections[Index].hash));++ switch > (Pcrs.pcrSelections[Index].hash) {+ case TPM_ALG_SHA1:+ DigestSize > = SHA1_DIGEST_SIZE;+ break;+ case TPM_ALG_SHA256:+ > DigestSize = SHA256_DIGEST_SIZE;+ break;+ case TPM_ALG_SHA384:+ > DigestSize = SHA384_DIGEST_SIZE;+ break;+ case TPM_ALG_SHA512:+ > DigestSize = SHA512_DIGEST_SIZE;+ break;+ case > TPM_ALG_SM3_256:+ DigestSize = SM3_256_DIGEST_SIZE;+ break;+ > default:+ DigestSize = SHA1_DIGEST_SIZE;+ break;+ }++ if > (DigestSize > mAuthSize) {+ mAuthSize = DigestSize;+ }+ }+ break;+ > }++ *AuthSize = mAuthSize;+ return Status;+}++/**+ Set PlatformAuth to > random value.+**/+VOID+RandomizePlatformAuth (+ VOID+ )+{+ > EFI_STATUS Status;+ UINT16 AuthSize;+ UINT8 > *Rand;+ UINTN RandSize;+ TPM2B_AUTH > NewPlatformAuth;++ //+ // Send Tpm2HierarchyChange Auth with random > value to avoid PlatformAuth being null+ //++ GetAuthSize (&AuthSize);++ > ZeroMem (NewPlatformAuth.buffer, AuthSize);+ NewPlatformAuth.size = > AuthSize;++ //+ // 
Allocate one buffer to store random data.+ //+ RandSize > = MAX_NEW_AUTHORIZATION_SIZE;+ Rand = AllocatePool (RandSize);++ > RdRandGenerateEntropy (RandSize, Rand);+ CopyMem > (NewPlatformAuth.buffer, Rand, AuthSize);++ FreePool (Rand);++ //+ // > Send Tpm2HierarchyChangeAuth command with the new Auth value+ //+ > Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, > &NewPlatformAuth);+ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth > Result: - %r\n", Status));+ ZeroMem (NewPlatformAuth.buffer, AuthSize);+ > ZeroMem (Rand, RandSize);+}++/**+ This service defines the configuration > of the Platform Hierarchy Authorization Value (platformAuth)+ and Platform > Hierarchy Authorization Policy > (platformPolicy)++**/+VOID+EFIAPI+ConfigureTpmPlatformHierarchy (+ > )+{+ //+ // Send Tpm2HierarchyChange Auth with random value to avoid > PlatformAuth being null+ //+ RandomizePlatformAuth ();+}diff --git > a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp > mPlatformHierarchyLib.inf > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp > mPlatformHierarchyLib.inf > new file mode 100644 > index 000000000000..0911bdffa01f > --- /dev/null > +++ > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/ > +++ TpmPlatformHierarchyLib.inf 
> @@ -0,0 +1,45 @@ > +### @file+#+# TPM Platform Hierarchy configuration library.+#+# This > library provides functions for customizing the TPM's Platform Hierarchy+# > Authorization Value (platformAuth) and Platform Hierarchy Authorization+# > Policy (platformPolicy) can be defined through this function.+#+# Copyright > (c) 2019, Intel Corporation. All rights reserved.<BR>+#+# SPDX-License- > Identifier: BSD-2-Clause-Patent+#+###++[Defines]+ INF_VERSION > = 0x00010005+ BASE_NAME = TpmPlatformHierarchyLib+ > FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73+ > MODULE_TYPE = DXE_DRIVER+ VERSION_STRING = 1.0+ > LIBRARY_CLASS = TpmPlatformHierarchyLib++[LibraryClasses]+ > MemoryAllocationLib+ BaseLib+ UefiBootServicesTableLib+ > UefiDriverEntryPoint+ BaseMemoryLib+ DebugLib+ Tpm2CommandLib+ > Tpm2DeviceLib+ RngLib+ UefiLib++[Packages]+ MdePkg/MdePkg.dec+ > MdeModulePkg/MdeModulePkg.dec+ SecurityPkg/SecurityPkg.dec+ > CryptoPkg/CryptoPkg.dec++[Sources]+ > TpmPlatformHierarchyLib.c++[Depex]+ gEfiTcg2ProtocolGuid-- > 2.22.0.windows.1 ^ permalink raw reply [flat|nested] 8+ messages in thread
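Review bot: in RdRandGenerateEntropy the per-block copy `CopyMem (Ptr, Seed, 64);` reads 64 bytes out of `UINT64 Seed[2]`, a 16-byte array, so 48 of every 64 bytes handed back as entropy are whatever follows Seed on the stack, and the tail copy `CopyMem (Ptr, Seed, (Length % 64));` has the same problem for any remainder above 16; with RandSize set to MAX_NEW_AUTHORIZATION_SIZE (SHA512_DIGEST_SIZE, 64) only the first 16 bytes of the buffer, and therefore of the new platformAuth, come from the RNG. Fill the buffer in 16-byte steps with one GetRandomNumber128 call per step. Related: GetRandomNumber128 returns a BOOLEAN, so `Status = GetRandomNumber128 (Seed); if (EFI_ERROR (Status))` never fires (neither TRUE nor FALSE has the error bit set) and an RNG failure is reported as success; test the BOOLEAN directly and return EFI_NOT_READY on FALSE. In RandomizePlatformAuth the result of `AllocatePool (RandSize)` is not checked for NULL, the return values of GetAuthSize and RdRandGenerateEntropy are ignored, and the final `ZeroMem (Rand, RandSize);` runs after `FreePool (Rand);`, writing into released pool memory; move that ZeroMem ahead of the FreePool so the auth value is scrubbed before the buffer is released. This body is carried over unchanged from the code that patch 2/2 deletes from Tcg2PlatformDxe.c, so the move is the right moment to fix it. Smaller points: ConfigureTpmPlatformHierarchy is defined with an empty parameter list where the header declares `(VOID)`; the "Tpm2GetCapabilityPcrs - %08x" and "alg - %x" prints in GetAuthSize are informational but use DEBUG_ERROR; the `while (mAuthSize == 0) { ... break; }` one-shot reads better as an `if`; UefiBootServicesTableLib.h, UefiLib.h and Protocol/DxeSmmReadyToLock.h are included but nothing in the file uses them; and the file comment says platformPolicy "can be defined through this function" while the code only ever changes platformAuth, with the sentence itself reading as two sentences fused together.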
* Re: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy
From: Kubacki, Michael A @ 2019-11-15 1:11 UTC (permalink / raw)
To: Chiu, Chasel, Gonzalez Del Cueto, Rodrigo, devel@edk2.groups.io
Cc: Desimone, Nathaniel L, Gao, Liming

Please include the version changes in a git note attached to the patch in the future.

Thanks,
Michael

> -----Original Message-----
> From: Chiu, Chasel <chasel.chiu@intel.com>
> Sent: Thursday, November 14, 2019 4:58 PM
> To: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>; devel@edk2.groups.io.
> Cc: Kubacki, Michael A <michael.a.kubacki@intel.com>; Desimone, Nathaniel L <nathaniel.l.desimone@intel.com>; Gao, Liming <liming.gao@intel.com>
> Subject: RE: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy
>
> You can remove the V5 information when pushing the patch; only the final version will be pushed, so there is no need to describe the different versions in the commit message.
>
> Reviewed-by: Chasel Chiu <chasel.chiu@intel.com>
>
> > -----Original Message-----
> > From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>
> > Sent: Friday, November 15, 2019 5:05 AM
> > To: devel@edk2.groups.io.
> > Cc: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>; Kubacki, Michael A <michael.a.kubacki@intel.com>; Chiu, Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L <nathaniel.l.desimone@intel.com>; Gao, Liming <liming.gao@intel.com>
> > Subject: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy
> >
> > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2331
> >
> > In V5:
> > + Fixed build of MinPlatformPkg
> >
> > This change is split into two commits:
> > 1) This commit: Add new library class TpmPlatformHierarchyLib
> > 2) Second commit: Add usage in Tcg2PlatformDxe
> >
> > In order to enable some TPM use cases, the BIOS should make it possible to customize the configuration of the TPM platform: provisioning of the endorsement, platform and storage hierarchies.
> >
> > Cc: Michael Kubacki <michael.a.kubacki@intel.com>
> > Cc: Chasel Chiu <chasel.chiu@intel.com>
> > Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
> > Cc: Liming Gao <liming.gao@intel.com>
> >
> > Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>
> > ---
> >  .../Include/Library/TpmPlatformHierarchyLib.h |  29 +++
> >  .../Intel/MinPlatformPkg/MinPlatformPkg.dec   |   2 +
> >  .../Intel/MinPlatformPkg/MinPlatformPkg.dsc   |   1 +
> >  .../TpmPlatformHierarchyLib.c                 | 214 ++++++++++++++++++
> >  .../TpmPlatformHierarchyLib.inf               |  45 ++++
> >  5 files changed, 291 insertions(+)
> >  create mode 100644 Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
> >  create mode 100644 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
> >  create mode 100644 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
> > > > diff --git > > a/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLi > > b.h > > > b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib. > > h > > new file mode 100644 > > index 000000000000..ed9709b24a73 > > --- /dev/null > > +++ > b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarc > > +++ hy > > +++ Lib.h > > @@ -0,0 +1,29 @@ > > +/** @file+ TPM Platform Hierarchy configuration library.++ This > > library provides functions for customizing the TPM's Platform > > Hierarchy+ Authorization Value (platformAuth) and Platform Hierarchy > > Authorization+ Policy (platformPolicy) can be defined through this > > function.++Copyright (c) 2019, Intel Corporation. All rights > reserved.<BR>+SPDX-License-Identifier: > > BSD-2-Clause-Patent++**/++#ifndef > > _TPM_PLATFORM_HIERARCHY_LIB_H_+#define > > _TPM_PLATFORM_HIERARCHY_LIB_H_++#include <PiDxe.h>+#include > > <Uefi.h>++/**+ This service will perform the TPM Platform Hierarchy > > configuration at the SmmReadyToLock > > event.++**/+VOID+EFIAPI+ConfigureTpmPlatformHierarchy (+ > > VOID+ );++#endifdiff --git > > a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > > b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > > index a851021c0b79..92bda3784ffc 100644 > > --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > > +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > > @@ -62,6 +62,8 @@ BoardInitLib|Include/Library/BoardInitLib.h > > MultiBoardInitSupportLib|Include/Library/MultiBoardInitSupportLib.h > > SecBoardInitLib|Include/Library/SecBoardInitLib.h > > +TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h+ > > TestPointLib|Include/Library/TestPointLib.h > > TestPointCheckLib|Include/Library/TestPointCheckLib.h diff --git > > a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > > b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > > index 5f9363ff3228..a01f229a891d 100644 > > --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc 
> > +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > > @@ -102,6 +102,7 @@ > > > > > FspWrapperPlatformLib|MinPlatformPkg/FspWrapper/Library/DxeFspWrap > p > > erPlatformLib/DxeFspWrapperPlatformLib.inf > > > TestPointCheckLib|MinPlatformPkg/Test/Library/TestPointCheckLib/DxeTes > > TestPointCheckLib|tP > > ointCheckLib.inf > > TestPointLib|MinPlatformPkg/Test/Library/TestPointLib/DxeTestPointLib. > > TestPointLib|inf+ > > > TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/TpmPlatformHierarc > h > > yLib/TpmPlatformHierarchyLib.inf > > [LibraryClasses.common.DXE_SMM_DRIVER] > > > SpiFlashCommonLib|MinPlatformPkg/Flash/Library/SpiFlashCommonLibNull > > /SpiFlashCommonLibNull.infdiff --git > > > a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp > > m > > PlatformHierarchyLib.c > > > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp > > m > > PlatformHierarchyLib.c > > new file mode 100644 > > index 000000000000..41ddb26f4046 > > --- /dev/null > > +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLi > > +++ b/ > > +++ TpmPlatformHierarchyLib.c 
> > @@ -0,0 +1,214 @@ > > +/** @file+ TPM Platform Hierarchy configuration library.++ This > > library provides functions for customizing the TPM's Platform > > Hierarchy+ Authorization Value (platformAuth) and Platform Hierarchy > Authorization+ > > Policy (platformPolicy) can be defined through this function.++ Copyright > > (c) 2019, Intel Corporation. All rights reserved.<BR>+ > > SPDX-License-Identifier: BSD-2-Clause-Patent++ @par Specification > > Reference:+ > > https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-g > > uid ance/+**/++#include <PiDxe.h>++#include > > <Library/DebugLib.h>+#include <Library/BaseMemoryLib.h>+#include > > <Library/UefiBootServicesTableLib.h>+#include > > <Library/MemoryAllocationLib.h>+#include > > <Library/Tpm2CommandLib.h>+#include <Library/RngLib.h>+#include > > <Library/UefiLib.h>+#include <Protocol/DxeSmmReadyToLock.h>++//+// > The > > authorization value may be no larger than the digest produced by the > > hash+// algorithm used for context integrity.+//+#define > > MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE++UINT16 > mAuthSize;++/**+ > > Generate high-quality entropy source through > > RDRAND.++ @param[in] Length Size of the buffer, in bytes, to > > fill with.+ @param[out] Entropy Pointer to the buffer to store the > > entropy data.++ @retval EFI_SUCCESS Entropy generation > > succeeded.+ @retval EFI_NOT_READY Failed to request random > > data.++**/+EFI_STATUS+EFIAPI+RdRandGenerateEntropy (+ IN UINTN > > Length,+ OUT UINT8 *Entropy+ )+{+ EFI_STATUS Status;+ > > UINTN BlockCount;+ UINT64 Seed[2];+ UINT8 > > *Ptr;++ Status = EFI_NOT_READY;+ BlockCount = Length / 64;+ Ptr = > > (UINT8 *)Entropy;++ //+ // Generate high-quality seed for DRBG Entropy+ > > //+ while (BlockCount > 0) {+ Status = GetRandomNumber128 (Seed);+ > > if (EFI_ERROR (Status)) {+ return Status;+ }+ CopyMem (Ptr, > > Seed, 64);++ BlockCount--;+ Ptr = Ptr + 64;+ }++ //+ // Populate > > the remained data as request.+ //+ Status = 
GetRandomNumber128 > > (Seed);+ if (EFI_ERROR (Status)) {+ return Status;+ }+ CopyMem (Ptr, > > Seed, (Length % 64));++ return Status;+}++/**+ This function returns > > the maximum size of TPM2B_AUTH; this structure is used for an > > authorization > > value+ and limits an authValue to being no larger than the largest > > value+ digest > > produced by a TPM.++ @param[out] AuthSize Tpm2 > > Auth size++ @retval EFI_SUCCESS Auth size > > returned.+ @retval EFI_DEVICE_ERROR Can not return > > platform auth due to device error.++**/+EFI_STATUS+EFIAPI+GetAuthSize > (+ > > OUT UINT16 *AuthSize+ )+{+ EFI_STATUS > > Status;+ TPML_PCR_SELECTION Pcrs;+ UINTN > > Index;+ UINT16 DigestSize;++ Status = EFI_SUCCESS;++ > > while (mAuthSize == 0) {++ mAuthSize = SHA1_DIGEST_SIZE;+ > > ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));+ Status = > > Tpm2GetCapabilityPcrs (&Pcrs);++ if (EFI_ERROR (Status)) {+ > > DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));+ > > break;+ }++ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - > > %08x\n", Pcrs.count));++ for (Index = 0; Index < Pcrs.count; Index++) {+ > > DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));++ > > switch (Pcrs.pcrSelections[Index].hash) {+ case TPM_ALG_SHA1:+ > > DigestSize = SHA1_DIGEST_SIZE;+ break;+ case > > TPM_ALG_SHA256:+ DigestSize = SHA256_DIGEST_SIZE;+ > > break;+ case TPM_ALG_SHA384:+ DigestSize = > > SHA384_DIGEST_SIZE;+ break;+ case TPM_ALG_SHA512:+ > > DigestSize = SHA512_DIGEST_SIZE;+ break;+ case > > TPM_ALG_SM3_256:+ DigestSize = SM3_256_DIGEST_SIZE;+ > > break;+ default:+ DigestSize = SHA1_DIGEST_SIZE;+ > > break;+ }++ if (DigestSize > mAuthSize) {+ mAuthSize = > > DigestSize;+ }+ }+ break;+ }++ *AuthSize = mAuthSize;+ > > return Status;+}++/**+ Set PlatformAuth to random > > value.+**/+VOID+RandomizePlatformAuth (+ VOID+ )+{+ EFI_STATUS > > Status;+ UINT16 AuthSize;+ UINT8 > > *Rand;+ UINTN RandSize;+ > > TPM2B_AUTH NewPlatformAuth;++ //+ // > > Send Tpm2HierarchyChange Auth with 
random value to avoid > PlatformAuth > > being null+ //++ GetAuthSize (&AuthSize);++ ZeroMem > > (NewPlatformAuth.buffer, AuthSize);+ NewPlatformAuth.size = > > AuthSize;++ //+ // Allocate one buffer to store random data.+ //+ > > RandSize = MAX_NEW_AUTHORIZATION_SIZE;+ Rand = AllocatePool > > (RandSize);++ RdRandGenerateEntropy (RandSize, Rand);+ CopyMem > > (NewPlatformAuth.buffer, Rand, AuthSize);++ FreePool (Rand);++ //+ > > // Send Tpm2HierarchyChangeAuth command with the new Auth value+ > //+ > > Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, > > &NewPlatformAuth);+ DEBUG ((DEBUG_INFO, > "Tpm2HierarchyChangeAuth > > Result: - %r\n", Status));+ ZeroMem (NewPlatformAuth.buffer, > AuthSize);+ > > ZeroMem (Rand, RandSize);+}++/**+ This service defines the > > configuration of the Platform Hierarchy Authorization Value > > (platformAuth)+ and Platform Hierarchy Authorization Policy > > (platformPolicy)++**/+VOID+EFIAPI+ConfigureTpmPlatformHierarchy (+ > > )+{+ //+ // Send Tpm2HierarchyChange Auth with random value to avoid > > PlatformAuth being null+ //+ RandomizePlatformAuth ();+}diff --git > > > a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp > > m > > PlatformHierarchyLib.inf > > > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp > > m > > PlatformHierarchyLib.inf > > new file mode 100644 > > index 000000000000..0911bdffa01f > > --- /dev/null > > +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLi > > +++ b/ > > +++ TpmPlatformHierarchyLib.inf 
> > @@ -0,0 +1,45 @@ > > +### @file+#+# TPM Platform Hierarchy configuration library.+#+# This > > library provides functions for customizing the TPM's Platform > > Hierarchy+# Authorization Value (platformAuth) and Platform Hierarchy > > Authorization+# Policy (platformPolicy) can be defined through this > > function.+#+# Copyright > > (c) 2019, Intel Corporation. All rights reserved.<BR>+#+# > > SPDX-License-Identifier: BSD-2-Clause-Patent+#+###++[Defines]+ > > INF_VERSION = 0x00010005+ BASE_NAME > > = TpmPlatformHierarchyLib+ FILE_GUID = > > 7794F92C-4E8E-4E57-9E4A-49A0764C7D73+ MODULE_TYPE > > = DXE_DRIVER+ VERSION_STRING = 1.0+ > > LIBRARY_CLASS = > > TpmPlatformHierarchyLib++[LibraryClasses]+ MemoryAllocationLib+ > > BaseLib+ UefiBootServicesTableLib+ UefiDriverEntryPoint+ > > BaseMemoryLib+ DebugLib+ Tpm2CommandLib+ Tpm2DeviceLib+ > > RngLib+ UefiLib++[Packages]+ MdePkg/MdePkg.dec+ > > MdeModulePkg/MdeModulePkg.dec+ SecurityPkg/SecurityPkg.dec+ > > CryptoPkg/CryptoPkg.dec++[Sources]+ > > TpmPlatformHierarchyLib.c++[Depex]+ gEfiTcg2ProtocolGuid-- > > 2.22.0.windows.1 > ^ permalink raw reply [flat|nested] 8+ messages in thread
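Review bot: TpmPlatformHierarchyLib.inf lists UefiDriverEntryPoint under [LibraryClasses]; that class supplies a driver's _ModuleEntryPoint and does not belong in a library instance, and BaseLib, Tpm2DeviceLib, UefiBootServicesTableLib and UefiLib are listed although TpmPlatformHierarchyLib.c calls nothing from them (Tpm2DeviceLib is Tpm2CommandLib's own dependency and is resolved by the consuming platform DSC). Trim the section to MemoryAllocationLib, BaseMemoryLib, DebugLib, Tpm2CommandLib and RngLib. MODULE_TYPE is DXE_DRIVER but `LIBRARY_CLASS = TpmPlatformHierarchyLib` carries no module-type restriction; `TpmPlatformHierarchyLib|DXE_DRIVER` would state the supported scope. The header comment repeats the fused sentence from the .c file ("... Authorization Policy (platformPolicy) can be defined through this function."); a readable version is "This library provides functions for customizing the TPM's Platform Hierarchy Authorization Value (platformAuth) and Platform Hierarchy Authorization Policy (platformPolicy)."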
* [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib
From: Rodrigo Gonzalez del Cueto @ 2019-11-14 21:05 UTC (permalink / raw)
To: devel
Cc: Rodrigo Gonzalez del Cueto, Michael Kubacki, Chasel Chiu, Nate DeSimone, Liming Gao

This change is split into two commits:
1) First commit: Add new library class TpmPlatformHierarchyLib
2) This commit: Add usage in Tcg2PlatformDxe

Tcg2PlatformDxe will now leverage TpmPlatformHierarchyLib's ConfigureTpmPlatformHierarchy function to configure the TPM's Platform Hierarchy.

Cc: Michael Kubacki <michael.a.kubacki@intel.com>
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <liming.gao@intel.com>

Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>
---
 .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c   | 168 +++---------------
 .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf |  12 +-
 2 files changed, 24 insertions(+), 156 deletions(-)

diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
index d0d88b2e91d5..704c6d8d6baa 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
@@ -1,157 +1,31 @@ /** @file - Platform specific TPM2 component. + Platform specific TPM2 component for configuring the Platform Hierarchy. -Copyright (c) 2017, Intel Corporation. All rights reserved.<BR> -SPDX-License-Identifier: BSD-2-Clause-Patent + Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR> + SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include <PiDxe.h> #include <Library/DebugLib.h> -#include <Library/BaseMemoryLib.h> -#include <Library/UefiRuntimeServicesTableLib.h> #include <Library/UefiBootServicesTableLib.h> -#include <Library/MemoryAllocationLib.h> -#include <Library/Tpm2CommandLib.h> -#include <Library/RngLib.h> #include <Library/UefiLib.h> +#include <Library/TpmPlatformHierarchyLib.h> #include <Protocol/DxeSmmReadyToLock.h> -#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE - /** - Generate high-quality entropy source through RDRAND. - - @param[in] Length Size of the buffer, in bytes, to fill with. - @param[out] Entropy Pointer to the buffer to store the entropy data. - - @retval EFI_SUCCESS Entropy generation succeeded. - @retval EFI_NOT_READY Failed to request random data. - -**/ -EFI_STATUS -EFIAPI -RdRandGenerateEntropy ( - IN UINTN Length, - OUT UINT8 *Entropy - ) -{ - EFI_STATUS Status; - UINTN BlockCount; - UINT64 Seed[2]; - UINT8 *Ptr; - - Status = EFI_NOT_READY; - BlockCount = Length / 64; - Ptr = (UINT8 *)Entropy; + This callback function will run at the SmmReadyToLock event. - // - // Generate high-quality seed for DRBG Entropy - // - while (BlockCount > 0) { - Status = GetRandomNumber128(Seed); - if (EFI_ERROR(Status)) { - return Status; - } - CopyMem(Ptr, Seed, 64); - - BlockCount--; - Ptr = Ptr + 64; - } - - // - // Populate the remained data as request. - // - Status = GetRandomNumber128(Seed); - if (EFI_ERROR(Status)) { - return Status; - } - CopyMem(Ptr, Seed, (Length % 64)); - - return Status; -} - -/** - Set PlatformAuth to random value. 
-**/ -VOID -RandomizePlatformAuth ( - VOID - ) -{ - EFI_STATUS Status; - UINT16 AuthSize; - TPML_PCR_SELECTION Pcrs; - UINT32 Index; - UINT8 *Rand; - UINTN RandSize; - TPM2B_AUTH NewPlatformAuth; - - // - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null - // - ZeroMem(&Pcrs, sizeof(TPML_PCR_SELECTION)); - AuthSize = MAX_NEW_AUTHORIZATION_SIZE; - - Status = Tpm2GetCapabilityPcrs(&Pcrs); - if (EFI_ERROR(Status)) { - DEBUG((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); - } else { - for (Index = 0; Index < Pcrs.count; Index++) { - switch (Pcrs.pcrSelections[Index].hash) { - case TPM_ALG_SHA1: - AuthSize = SHA1_DIGEST_SIZE; - break; - case TPM_ALG_SHA256: - AuthSize = SHA256_DIGEST_SIZE; - break; - case TPM_ALG_SHA384: - AuthSize = SHA384_DIGEST_SIZE; - break; - case TPM_ALG_SHA512: - AuthSize = SHA512_DIGEST_SIZE; - break; - case TPM_ALG_SM3_256: - AuthSize = SM3_256_DIGEST_SIZE; - break; - } - } - } - - ZeroMem(NewPlatformAuth.buffer, AuthSize); - NewPlatformAuth.size = AuthSize; - - // - // Allocate one buffer to store random data. - // - RandSize = MAX_NEW_AUTHORIZATION_SIZE; - Rand = AllocatePool(RandSize); - - RdRandGenerateEntropy(RandSize, Rand); - CopyMem(NewPlatformAuth.buffer, Rand, AuthSize); - - FreePool(Rand); - - // - // Send Tpm2HierarchyChangeAuth command with the new Auth value - // - Status = Tpm2HierarchyChangeAuth(TPM_RH_PLATFORM, NULL, &NewPlatformAuth); - DEBUG((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)); - ZeroMem(NewPlatformAuth.buffer, AuthSize); - ZeroMem(Rand, RandSize); -} - -/** - This is the Event call back function to notify the Library the system is entering - run time phase. + Configuration of the TPM's Platform Hierarchy Authorization Value (platformAuth) + and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function. 
@param Event Pointer to this event @param Context Event hanlder private data **/ VOID EFIAPI -ReadyToLockEventCallBack ( +SmmReadyToLockEventCallBack ( IN EFI_EVENT Event, IN VOID *Context ) @@ -172,22 +46,20 @@ ReadyToLockEventCallBack ( return ; } - // - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null - // - RandomizePlatformAuth(); + ConfigureTpmPlatformHierarchy (); gBS->CloseEvent (Event); } /** - The driver's entry point. + The driver's entry point. Will register a function for callback during SmmReadyToLock event to + configure the TPM's platform authorization. - @param[in] ImageHandle The firmware allocated handle for the EFI image. - @param[in] SystemTable A pointer to the EFI System Table. + @param[in] ImageHandle The firmware allocated handle for the EFI image. + @param[in] SystemTable A pointer to the EFI System Table. - @retval EFI_SUCCESS The entry point is executed successfully. - @retval other Some error occurs when executing this entry point. + @retval EFI_SUCCESS The entry point is executed successfully. + @retval other Some error occurs when executing this entry point. **/ EFI_STATUS EFIAPI @@ -196,17 +68,19 @@ Tcg2PlatformDxeEntryPoint ( IN EFI_SYSTEM_TABLE *SystemTable ) { - VOID *Registration; - EFI_EVENT Event; + VOID *Registration; + EFI_EVENT Event; - Event = EfiCreateProtocolNotifyEvent ( + Event = EfiCreateProtocolNotifyEvent ( &gEfiDxeSmmReadyToLockProtocolGuid, TPL_CALLBACK, - ReadyToLockEventCallBack, + SmmReadyToLockEventCallBack, NULL, &Registration ); + ASSERT (Event != NULL); return EFI_SUCCESS; } + diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf index e8ab5f35a0da..af29c1cd98c9 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf 
@@ -1,7 +1,7 @@ ### @file # Platform specific TPM2 component. # -# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR> +# Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR> # # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -21,23 +21,18 @@ # [LibraryClasses] - MemoryAllocationLib BaseLib UefiBootServicesTableLib UefiDriverEntryPoint - UefiRuntimeServicesTableLib - BaseMemoryLib DebugLib - Tpm2CommandLib - Tpm2DeviceLib - RngLib UefiLib + TpmPlatformHierarchyLib [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec + MinPlatformPkg/MinPlatformPkg.dec SecurityPkg/SecurityPkg.dec - CryptoPkg/CryptoPkg.dec [Sources] Tcg2PlatformDxe.c @@ -47,4 +42,3 @@ [Depex] gEfiTcg2ProtocolGuid - -- 2.22.0.windows.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
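Review bot: in the `@@ -196,17 +68,19 @@` hunk of Tcg2PlatformDxe.c, `+ ASSERT (Event != NULL);` is the only handling of a failed EfiCreateProtocolNotifyEvent; ASSERT compiles away in RELEASE builds, so on that path the entry point still returns EFI_SUCCESS and the SmmReadyToLock callback that sets platformAuth is never registered. Return an error status (the doc block above already lists `@retval other`) or at least log the failure with DEBUG_ERROR before returning. The same hunk also adds a `+` blank line after the closing brace of Tcg2PlatformDxeEntryPoint, while the `@@ -47,4 +42,3 @@` hunk of Tcg2PlatformDxe.inf removes that file's trailing blank line; both files should end the same way, without the extra blank.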
* Re: [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib
From: Nate DeSimone @ 2019-11-14 23:16 UTC (permalink / raw)
To: Gonzalez Del Cueto, Rodrigo, devel@edk2.groups.io
Cc: Kubacki, Michael A, Chiu, Chasel, Gao, Liming

Reviewed-by: Nate DeSimone <nathaniel.l.desimone@intel.com>

-----Original Message-----
From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>
Sent: Thursday, November 14, 2019 1:05 PM
To: devel@edk2.groups.io.
Cc: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>; Kubacki, Michael A <michael.a.kubacki@intel.com>; Chiu, Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L <nathaniel.l.desimone@intel.com>; Gao, Liming <liming.gao@intel.com>
Subject: [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib

This change is split into two commits:
1) First commit: Add new library class TpmPlatformHierarchyLib
2) This commit: Add usage in Tcg2PlatformDxe

Tcg2PlatformDxe will now leverage TpmPlatformHierarchyLib's ConfigureTpmPlatformHierarchy function to configure the TPM's Platform Hierarchy.

Cc: Michael Kubacki <michael.a.kubacki@intel.com>
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <liming.gao@intel.com>

Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>
---
 .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c   | 168 +++---------------
 .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf |  12 +-
 2 files changed, 24 insertions(+), 156 deletions(-)
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c index d0d88b2e91d5..704c6d8d6baa 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c +++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe. +++ c 
@@ -1,157 +1,31 @@ /** @file- Platform specific TPM2 component.+ Platform specific TPM2 component for configuring the Platform Hierarchy. -Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>-SPDX-License-Identifier: BSD-2-Clause-Patent+ Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>+ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include <PiDxe.h> #include <Library/DebugLib.h>-#include <Library/BaseMemoryLib.h>-#include <Library/UefiRuntimeServicesTableLib.h> #include <Library/UefiBootServicesTableLib.h>-#include <Library/MemoryAllocationLib.h>-#include <Library/Tpm2CommandLib.h>-#include <Library/RngLib.h> #include <Library/UefiLib.h>+#include <Library/TpmPlatformHierarchyLib.h> #include <Protocol/DxeSmmReadyToLock.h> -#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE- /**- Generate high-quality entropy source through RDRAND.-- @param[in] Length Size of the buffer, in bytes, to fill with.- @param[out] Entropy Pointer to the buffer to store the entropy data.-- @retval EFI_SUCCESS Entropy generation succeeded.- @retval EFI_NOT_READY Failed to request random data.--**/-EFI_STATUS-EFIAPI-RdRandGenerateEntropy (- IN UINTN Length,- OUT UINT8 *Entropy- )-{- EFI_STATUS Status;- UINTN BlockCount;- UINT64 Seed[2];- UINT8 *Ptr;-- Status = EFI_NOT_READY;- BlockCount = Length / 64;- Ptr = (UINT8 *)Entropy;+ This callback function will run at the SmmReadyToLock event. 
- //- // Generate high-quality seed for DRBG Entropy- //- while (BlockCount > 0) {- Status = GetRandomNumber128(Seed);- if (EFI_ERROR(Status)) {- return Status;- }- CopyMem(Ptr, Seed, 64);-- BlockCount--;- Ptr = Ptr + 64;- }-- //- // Populate the remained data as request.- //- Status = GetRandomNumber128(Seed);- if (EFI_ERROR(Status)) {- return Status;- }- CopyMem(Ptr, Seed, (Length % 64));-- return Status;-}--/**- Set PlatformAuth to random value.-**/-VOID-RandomizePlatformAuth (- VOID- )-{- EFI_STATUS Status;- UINT16 AuthSize;- TPML_PCR_SELECTION Pcrs;- UINT32 Index;- UINT8 *Rand;- UINTN RandSize;- TPM2B_AUTH NewPlatformAuth;-- //- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null- //- ZeroMem(&Pcrs, sizeof(TPML_PCR_SELECTION));- AuthSize = MAX_NEW_AUTHORIZATION_SIZE;-- Status = Tpm2GetCapabilityPcrs(&Pcrs);- if (EFI_ERROR(Status)) {- DEBUG((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));- } else {- for (Index = 0; Index < Pcrs.count; Index++) {- switch (Pcrs.pcrSelections[Index].hash) {- case TPM_ALG_SHA1:- AuthSize = SHA1_DIGEST_SIZE;- break;- case TPM_ALG_SHA256:- AuthSize = SHA256_DIGEST_SIZE;- break;- case TPM_ALG_SHA384:- AuthSize = SHA384_DIGEST_SIZE;- break;- case TPM_ALG_SHA512:- AuthSize = SHA512_DIGEST_SIZE;- break;- case TPM_ALG_SM3_256:- AuthSize = SM3_256_DIGEST_SIZE;- break;- }- }- }-- ZeroMem(NewPlatformAuth.buffer, AuthSize);- NewPlatformAuth.size = AuthSize;-- //- // Allocate one buffer to store random data.- //- RandSize = MAX_NEW_AUTHORIZATION_SIZE;- Rand = AllocatePool(RandSize);-- RdRandGenerateEntropy(RandSize, Rand);- CopyMem(NewPlatformAuth.buffer, Rand, AuthSize);-- FreePool(Rand);-- //- // Send Tpm2HierarchyChangeAuth command with the new Auth value- //- Status = Tpm2HierarchyChangeAuth(TPM_RH_PLATFORM, NULL, &NewPlatformAuth);- DEBUG((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));- ZeroMem(NewPlatformAuth.buffer, AuthSize);- ZeroMem(Rand, RandSize);-}--/**- This is the Event call back 
function to notify the Library the system is entering- run time phase.+ Configuration of the TPM's Platform Hierarchy Authorization Value (platformAuth)+ and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function. @param Event Pointer to this event @param Context Event hanlder private data **/ VOID EFIAPI-ReadyToLockEventCallBack (+SmmReadyToLockEventCallBack ( IN EFI_EVENT Event, IN VOID *Context )@@ -172,22 +46,20 @@ ReadyToLockEventCallBack ( return ; } - //- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null- //- RandomizePlatformAuth();+ ConfigureTpmPlatformHierarchy (); gBS->CloseEvent (Event); } /**- The driver's entry point.+ The driver's entry point. Will register a function for callback during SmmReadyToLock event to+ configure the TPM's platform authorization. - @param[in] ImageHandle The firmware allocated handle for the EFI image.- @param[in] SystemTable A pointer to the EFI System Table.+ @param[in] ImageHandle The firmware allocated handle for the EFI image.+ @param[in] SystemTable A pointer to the EFI System Table. - @retval EFI_SUCCESS The entry point is executed successfully.- @retval other Some error occurs when executing this entry point.+ @retval EFI_SUCCESS The entry point is executed successfully.+ @retval other Some error occurs when executing this entry point. 
**/ EFI_STATUS EFIAPI@@ -196,17 +68,19 @@ Tcg2PlatformDxeEntryPoint ( IN EFI_SYSTEM_TABLE *SystemTable ) {- VOID *Registration;- EFI_EVENT Event;+ VOID *Registration;+ EFI_EVENT Event; - Event = EfiCreateProtocolNotifyEvent (+ Event = EfiCreateProtocolNotifyEvent ( &gEfiDxeSmmReadyToLockProtocolGuid, TPL_CALLBACK,- ReadyToLockEventCallBack,+ SmmReadyToLockEventCallBack, NULL, &Registration );+ ASSERT (Event != NULL); return EFI_SUCCESS; }+diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf index e8ab5f35a0da..af29c1cd98c9 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe. +++ inf @@ -1,7 +1,7 @@ ### @file # Platform specific TPM2 component. #-# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>+# Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR> # # SPDX-License-Identifier: BSD-2-Clause-Patent #@@ -21,23 +21,18 @@ # [LibraryClasses]- MemoryAllocationLib BaseLib UefiBootServicesTableLib UefiDriverEntryPoint- UefiRuntimeServicesTableLib- BaseMemoryLib DebugLib- Tpm2CommandLib- Tpm2DeviceLib- RngLib UefiLib+ TpmPlatformHierarchyLib [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec+ MinPlatformPkg/MinPlatformPkg.dec SecurityPkg/SecurityPkg.dec- CryptoPkg/CryptoPkg.dec [Sources] Tcg2PlatformDxe.c@@ -47,4 +42,3 @@ [Depex] gEfiTcg2ProtocolGuid--- 2.22.0.windows.1 ^ permalink raw reply [flat|nested] 8+ messages in thread
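Review bot: the rewritten doc block for SmmReadyToLockEventCallBack (end of the `@@ -1,157 +1,31 @@` hunk of Tcg2PlatformDxe.c) says that configuration of both platformAuth and platformPolicy "can be defined through this function", but the callback body in the `@@ -172,22 +46,20 @@` hunk only calls ConfigureTpmPlatformHierarchy, which in patch 1/2 randomizes platformAuth and never touches platformPolicy; describe what the callback does today (it sets a random platformAuth once SmmReadyToLock is signalled) and drop the platformPolicy wording until that is implemented. The unchanged context line `@param Context Event hanlder private data` carries a typo (handler) that could be fixed while this comment block is being rewritten anyway.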
* Re: [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib 2019-11-14 21:05 ` [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib Rodrigo Gonzalez del Cueto 2019-11-14 23:16 ` Nate DeSimone @ 2019-11-14 23:19 ` Kubacki, Michael A 1 sibling, 0 replies; 8+ messages in thread From: Kubacki, Michael A @ 2019-11-14 23:19 UTC (permalink / raw) To: Gonzalez Del Cueto, Rodrigo, devel@edk2.groups.io Cc: Chiu, Chasel, Desimone, Nathaniel L, Gao, Liming Reviewed-by: Michael Kubacki <michael.a.kubacki@intel.com> > -----Original Message----- > From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com> > Sent: Thursday, November 14, 2019 1:05 PM > To: devel@edk2.groups.io. > Cc: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>; > Kubacki, Michael A <michael.a.kubacki@intel.com>; Chiu, Chasel > <chasel.chiu@intel.com>; Desimone, Nathaniel L > <nathaniel.l.desimone@intel.com>; Gao, Liming <liming.gao@intel.com> > Subject: [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe > to use TpmPlatformHierarchyLib > > This change is split into two commits: > 1) First commit: Add new library class TpmPlatformHierarchyLib > 2) This commit: Add usage in Tcg2PlatformDxe > > Tcg2PlatformDxe will now leverage TpmPlatformHierarchyLib's > ConfigureTpmPlatformHierarchy function to configure the TPM's Platform > Hierarchy. > > Cc: Michael Kubacki <michael.a.kubacki@intel.com> > Cc: Chasel Chiu <chasel.chiu@intel.com> > Cc: Nate DeSimone <nathaniel.l.desimone@intel.com> > Cc: Liming Gao <liming.gao@intel.com> > > Signed-off-by: Rodrigo Gonzalez del Cueto > <rodrigo.gonzalez.del.cueto@intel.com> > --- > .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 168 +++--------------- > .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 12 +- > 2 files changed, 24 insertions(+), 156 deletions(-)
> > diff --git > a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c > b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c > index d0d88b2e91d5..704c6d8d6baa 100644 > --- > a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c > +++ > b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe. > +++ c 
> @@ -1,157 +1,31 @@ > /** @file- Platform specific TPM2 component.+ Platform specific TPM2 > component for configuring the Platform Hierarchy. -Copyright (c) 2017, Intel > Corporation. All rights reserved.<BR>-SPDX-License-Identifier: BSD-2-Clause- > Patent+ Copyright (c) 2017 - 2019, Intel Corporation. All rights > reserved.<BR>+ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include > <PiDxe.h> #include <Library/DebugLib.h>-#include > <Library/BaseMemoryLib.h>-#include > <Library/UefiRuntimeServicesTableLib.h> #include > <Library/UefiBootServicesTableLib.h>-#include > <Library/MemoryAllocationLib.h>-#include <Library/Tpm2CommandLib.h>- > #include <Library/RngLib.h> #include <Library/UefiLib.h>+#include > <Library/TpmPlatformHierarchyLib.h> #include > <Protocol/DxeSmmReadyToLock.h> -#define > MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE- /**- Generate > high-quality entropy source through RDRAND.-- @param[in] Length Size > of the buffer, in bytes, to fill with.- @param[out] Entropy Pointer to the > buffer to store the entropy data.-- @retval EFI_SUCCESS Entropy > generation succeeded.- @retval EFI_NOT_READY Failed to request > random data.--**/-EFI_STATUS-EFIAPI-RdRandGenerateEntropy (- IN > UINTN Length,- OUT UINT8 *Entropy- )-{- EFI_STATUS Status;- > UINTN BlockCount;- UINT64 Seed[2];- UINT8 *Ptr;-- Status = > EFI_NOT_READY;- BlockCount = Length / 64;- Ptr = (UINT8 *)Entropy;+ This > callback function will run at the SmmReadyToLock event. 
- //- // Generate > high-quality seed for DRBG Entropy- //- while (BlockCount > 0) {- Status = > GetRandomNumber128(Seed);- if (EFI_ERROR(Status)) {- return Status;- > }- CopyMem(Ptr, Seed, 64);-- BlockCount--;- Ptr = Ptr + 64;- }-- //- // > Populate the remained data as request.- //- Status = > GetRandomNumber128(Seed);- if (EFI_ERROR(Status)) {- return Status;- }- > CopyMem(Ptr, Seed, (Length % 64));-- return Status;-}--/**- Set > PlatformAuth to random value.-**/-VOID-RandomizePlatformAuth (- VOID- > )-{- EFI_STATUS Status;- UINT16 AuthSize;- > TPML_PCR_SELECTION Pcrs;- UINT32 Index;- UINT8 > *Rand;- UINTN RandSize;- TPM2B_AUTH > NewPlatformAuth;-- //- // Send Tpm2HierarchyChange Auth with random > value to avoid PlatformAuth being null- //- ZeroMem(&Pcrs, > sizeof(TPML_PCR_SELECTION));- AuthSize = > MAX_NEW_AUTHORIZATION_SIZE;-- Status = > Tpm2GetCapabilityPcrs(&Pcrs);- if (EFI_ERROR(Status)) {- > DEBUG((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));- } else {- for > (Index = 0; Index < Pcrs.count; Index++) {- switch > (Pcrs.pcrSelections[Index].hash) {- case TPM_ALG_SHA1:- AuthSize = > SHA1_DIGEST_SIZE;- break;- case TPM_ALG_SHA256:- AuthSize = > SHA256_DIGEST_SIZE;- break;- case TPM_ALG_SHA384:- AuthSize = > SHA384_DIGEST_SIZE;- break;- case TPM_ALG_SHA512:- AuthSize = > SHA512_DIGEST_SIZE;- break;- case TPM_ALG_SM3_256:- AuthSize > = SM3_256_DIGEST_SIZE;- break;- }- }- }-- > ZeroMem(NewPlatformAuth.buffer, AuthSize);- NewPlatformAuth.size = > AuthSize;-- //- // Allocate one buffer to store random data.- //- RandSize = > MAX_NEW_AUTHORIZATION_SIZE;- Rand = AllocatePool(RandSize);-- > RdRandGenerateEntropy(RandSize, Rand);- > CopyMem(NewPlatformAuth.buffer, Rand, AuthSize);-- FreePool(Rand);-- > //- // Send Tpm2HierarchyChangeAuth command with the new Auth value- > //- Status = Tpm2HierarchyChangeAuth(TPM_RH_PLATFORM, NULL, > &NewPlatformAuth);- DEBUG((DEBUG_INFO, "Tpm2HierarchyChangeAuth > Result: - %r\n", Status));- ZeroMem(NewPlatformAuth.buffer, 
AuthSize);- > ZeroMem(Rand, RandSize);-}--/**- This is the Event call back function to > notify the Library the system is entering- run time phase.+ Configuration of > the TPM's Platform Hierarchy Authorization Value (platformAuth)+ and > Platform Hierarchy Authorization Policy (platformPolicy) can be defined > through this function. @param Event Pointer to this event @param > Context Event hanlder private data **/ VOID EFIAPI- > ReadyToLockEventCallBack (+SmmReadyToLockEventCallBack ( IN > EFI_EVENT Event, IN VOID *Context )@@ -172,22 +46,20 @@ > ReadyToLockEventCallBack ( > return ; } - //- // Send Tpm2HierarchyChange Auth with random value to > avoid PlatformAuth being null- //- RandomizePlatformAuth();+ > ConfigureTpmPlatformHierarchy (); gBS->CloseEvent (Event); } /**- The > driver's entry point.+ The driver's entry point. Will register a function for > callback during SmmReadyToLock event to+ configure the TPM's platform > authorization. - @param[in] ImageHandle The firmware allocated handle for > the EFI image.- @param[in] SystemTable A pointer to the EFI System > Table.+ @param[in] ImageHandle The firmware allocated handle for the EFI > image.+ @param[in] SystemTable A pointer to the EFI System Table. - > @retval EFI_SUCCESS The entry point is executed successfully.- @retval > other Some error occurs when executing this entry point.+ @retval > EFI_SUCCESS The entry point is executed successfully.+ @retval other > Some error occurs when executing this entry point. 
**/ EFI_STATUS > EFIAPI@@ -196,17 +68,19 @@ Tcg2PlatformDxeEntryPoint ( > IN EFI_SYSTEM_TABLE *SystemTable ) {- VOID > *Registration;- EFI_EVENT Event;+ VOID *Registration;+ > EFI_EVENT Event; - Event = EfiCreateProtocolNotifyEvent (+ Event = > EfiCreateProtocolNotifyEvent ( > &gEfiDxeSmmReadyToLockProtocolGuid, TPL_CALLBACK,- > ReadyToLockEventCallBack,+ SmmReadyToLockEventCallBack, > NULL, &Registration );+ ASSERT (Event != NULL); return > EFI_SUCCESS; }+diff --git > a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.in > f > b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.in > f > index e8ab5f35a0da..af29c1cd98c9 100644 > --- > a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.in > f > +++ > b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe. > +++ inf > @@ -1,7 +1,7 @@ > ### @file # Platform specific TPM2 component. #-# Copyright (c) 2017, Intel > Corporation. All rights reserved.<BR>+# Copyright (c) 2017 - 2019, Intel > Corporation. All rights reserved.<BR> # # SPDX-License-Identifier: BSD-2- > Clause-Patent #@@ -21,23 +21,18 @@ > # [LibraryClasses]- MemoryAllocationLib BaseLib > UefiBootServicesTableLib UefiDriverEntryPoint- > UefiRuntimeServicesTableLib- BaseMemoryLib DebugLib- > Tpm2CommandLib- Tpm2DeviceLib- RngLib UefiLib+ > TpmPlatformHierarchyLib [Packages] MdePkg/MdePkg.dec > MdeModulePkg/MdeModulePkg.dec+ > MinPlatformPkg/MinPlatformPkg.dec SecurityPkg/SecurityPkg.dec- > CryptoPkg/CryptoPkg.dec [Sources] Tcg2PlatformDxe.c@@ -47,4 +42,3 @@ > [Depex] gEfiTcg2ProtocolGuid--- > 2.22.0.windows.1 ^ permalink raw reply [flat|nested] 8+ messages in thread
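Review bot: the RdRandGenerateEntropy deleted in the first Tcg2PlatformDxe.c hunk (@@ -1,157 +1,31 @@) reads past its 16-byte Seed (UINT64 Seed[2]) on every iteration: "CopyMem(Ptr, Seed, 64);" and the tail "CopyMem(Ptr, Seed, (Length % 64));" copy up to 64 bytes out of a 16-byte array, so the value fed to Tpm2HierarchyChangeAuth was 16 bytes of RDRAND output followed by whatever sat on the stack, not a full-length random secret. RandomizePlatformAuth, deleted in the same hunk, ignores the status of RdRandGenerateEntropy and the result of AllocatePool, and calls "ZeroMem(Rand, RandSize);" after "FreePool(Rand);", a write into freed pool memory. Since the cover letter says this logic is split out into TpmPlatformHierarchyLib in patch 1/2, please confirm in TpmPlatformHierarchyLib.c that the move fixed these rather than carrying them over; nothing in this hunk shows it, and the point of the platformAuth change at ReadyToLock is lost if the new value is partly predictable.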
Thread overview: 8+ messages 2019-11-14 21:05 [edk2-platforms][Patch V5 0/2] MinPlatformPkg: Introduce library for customizing TPM platform configuration Rodrigo Gonzalez del Cueto 2019-11-14 21:05 ` [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy Rodrigo Gonzalez del Cueto 2019-11-14 23:16 ` Nate DeSimone 2019-11-14 23:19 ` Kubacki, Michael A [not found] ` <3C3EFB470A303B4AB093197B6777CCEC505A6334@PGSMSX111.gar.corp.intel.com> 2019-11-15 1:11 ` Kubacki, Michael A 2019-11-14 21:05 ` [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib Rodrigo Gonzalez del Cueto 2019-11-14 23:16 ` Nate DeSimone 2019-11-14 23:19 ` Kubacki, Michael A