From: "Michael Kubacki"
To: devel@edk2.groups.io, jiewen.yao@intel.com, "bret.barkelew@microsoft.com", "stefanb@linux.ibm.com", Jeremiah Cox, Michael Kubacki
Cc: Marc-André Lureau
Subject: Re: [EXTERNAL] [edk2-devel] Missing TPM 2 related call to Tpm2HierarchyChangeAuth
Date: Wed, 28 Jul 2021 10:38:35 -0400
Message-ID: <03ed5dfe-d2b8-a926-763c-2cf5ab4dd037@linux.microsoft.com>
References: <66964f4b-5044-5200-5ebc-3394ef4f3603@linux.ibm.com>

The main commit of the series Bret mentioned (in edk2-platforms) is here:
https://github.com/tianocore/edk2-platforms/commit/bfabeef4c9a63374784bd19f18a869aa2769e011

Regards,
Michael

On 7/27/2021 12:25 PM, Yao, Jiewen wrote:
> Oops. Sorry for the late response.
>
> The code is NOT in EDKII, but in EDKII-platform as an example.
> https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel/MinPlatformPkg/Tcg
>
> We allow a platform to have its own implementation. That is why it is NOT
> in EDKII.
>
> Thank you
>
> Yao Jiewen
>
> *From:* devel@edk2.groups.io *On Behalf Of* Bret Barkelew via groups.io
> *Sent:* Wednesday, July 28, 2021 12:11 AM
> *To:* devel@edk2.groups.io; stefanb@linux.ibm.com; Yao, Jiewen;
> Jeremiah Cox; Michael Kubacki
> *Cc:* Marc-André Lureau
> *Subject:* Re: [EXTERNAL] [edk2-devel] Missing TPM 2 related call to
> Tpm2HierarchyChangeAuth
>
> Adding @Jeremiah …
>
> Jeremiah, weren’t you or @Michael shopping this change to MinPlatform?
>
> - Bret
>
> *From:* Stefan Berger via groups.io
> *Sent:* Monday, July 26, 2021 7:48 AM
> *To:* Yao, Jiewen; devel@edk2.groups.io
> *Cc:* Marc-André Lureau
> *Subject:* [EXTERNAL] [edk2-devel] Missing TPM 2 related call to
> Tpm2HierarchyChangeAuth
>
> Hello!
>
>    The TPM 2 code in EDK2 is missing an important call to
> Tpm2HierarchyChangeAuth for the platform hierarchy. We have to set the
> password of that hierarchy and discard the password. See also specs
> section 11:
> https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v22_02dec2020.pdf
>
> "Platform Firmware MUST protect access to the Platform Hierarchy and
> prevent access to the platform hierarchy by
> non-manufacturer-controlled components."
>
> I was wondering where we could put that call so it's invoked after the
> user has possibly interacted with the menu and before passing control to
> the next stage such as boot loader.
>
> Regards,
>
>    Stefan
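The "set the password of that hierarchy and discard the password" step from the original report, as an added example that is not code from this thread or from edk2-platforms: it marshals TPM2_HierarchyChangeAuth for TPM_RH_PLATFORM with a random new auth value, then wipes every copy. The function names, the `rng_fn`/`submit_fn` hooks and `MAX_AUTH` are hypothetical, and the code assumes platformAuth is still the empty buffer, as it is after a TPM reset.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Values from the TPM 2.0 Library Specification, Part 2 (Structures). */
#define TPM_ST_SESSIONS             0x8002u
#define TPM_CC_HIERARCHYCHANGEAUTH  0x00000129u
#define TPM_RH_PLATFORM             0x4000000Cu
#define TPM_RS_PW                   0x40000009u
#define MAX_AUTH 64u  /* assumption: largest digest size the TPM supports */

typedef int (*rng_fn)(uint8_t *buf, size_t len);           /* hypothetical: 0 = ok */
typedef int (*submit_fn)(const uint8_t *cmd, size_t len);  /* hypothetical: 0 = ok */
static uint8_t *put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return p + 2; }
static uint8_t *put32(uint8_t *p, uint32_t v) { return put16(put16(p, (uint16_t)(v >> 16)), (uint16_t)v); }
static void wipe(volatile uint8_t *p, size_t n) { while (n--) *p++ = 0; }

/* Marshal TPM2_HierarchyChangeAuth for the platform hierarchy, authorised by a
 * password session with an empty password. Returns bytes written, 0 on error. */
size_t build_platform_change_auth(const uint8_t *new_auth, uint16_t len, uint8_t *out, size_t cap)
{
    size_t total = 29u + len;  /* 10 header + 4 handle + 4 authSize + 9 session + 2 size */
    if (!new_auth || !out || len == 0 || len > MAX_AUTH || cap < total) return 0;
    uint8_t *p = put16(out, TPM_ST_SESSIONS);
    p = put32(p, (uint32_t)total);             /* commandSize */
    p = put32(p, TPM_CC_HIERARCHYCHANGEAUTH);  /* commandCode */
    p = put32(p, TPM_RH_PLATFORM);             /* authHandle */
    p = put32(p, 9);                           /* authorizationSize */
    p = put32(p, TPM_RS_PW);                   /* sessionHandle: password session */
    p = put16(p, 0);                           /* nonce: empty */
    *p++ = 0;                                  /* sessionAttributes */
    p = put16(p, 0);                           /* current platformAuth: empty */
    p = put16(p, len);                         /* newAuth.size */
    memcpy(p, new_auth, len);                  /* newAuth.buffer */
    return total;
}

/* Set a random platformAuth, then discard every copy so nothing later in boot can use it. */
int randomize_platform_auth(rng_fn rng, submit_fn submit, uint16_t len)
{
    uint8_t auth[MAX_AUTH], cmd[29u + MAX_AUTH];
    size_t n = 0;
    int rc = -1;
    if (rng && submit && len <= MAX_AUTH && rng(auth, len) == 0)
        n = build_platform_change_auth(auth, len, cmd, sizeof cmd);
    if (n != 0) rc = submit(cmd, n);
    wipe(auth, sizeof auth);
    wipe(cmd, sizeof cmd);
    return rc;
}
```

Because the value is never stored, the platform hierarchy stays locked until the next TPM reset returns platformAuth to the empty buffer, so the call has to run on every boot before control leaves firmware.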