From: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>
To: devel@edk2.groups.io.
Cc: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>,
Michael Kubacki <michael.a.kubacki@intel.com>,
Chasel Chiu <chasel.chiu@intel.com>,
Nate DeSimone <nathaniel.l.desimone@intel.com>,
Liming Gao <liming.gao@intel.com>
Subject: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy
Date: Thu, 14 Nov 2019 13:05:09 -0800 [thread overview]
Message-ID: <20191114210510.1736-2-rodrigo.gonzalez.del.cueto@intel.com> (raw)
In-Reply-To: <20191114210510.1736-1-rodrigo.gonzalez.del.cueto@intel.com>
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2331
In V5:
+ Fixed build of MinPlatformPkg
This change is split into two commits:
1) This commit: Add new library class TpmPlatformHierarchyLib
2) Second commit: Add usage in Tcg2PlatformDxe
In order to enable some TPM use cases BIOS should enable to customize
the configuration of the TPM platform, provisioning of endorsement,
platform and storage hierarchy.
Cc: Michael Kubacki <michael.a.kubacki@intel.com>
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>
---
.../Include/Library/TpmPlatformHierarchyLib.h | 29 +++
.../Intel/MinPlatformPkg/MinPlatformPkg.dec | 2 +
.../Intel/MinPlatformPkg/MinPlatformPkg.dsc | 1 +
.../TpmPlatformHierarchyLib.c | 214 ++++++++++++++++++
.../TpmPlatformHierarchyLib.inf | 45 ++++
5 files changed, 291 insertions(+)
create mode 100644 Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
create mode 100644 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
create mode 100644 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
diff --git a/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
new file mode 100644
index 000000000000..ed9709b24a73
--- /dev/null
+++ b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
@@ -0,0 +1,29 @@
+/** @file
+ TPM Platform Hierarchy configuration library.
+
+ This library provides functions for customizing the TPM's Platform Hierarchy
+ Authorization Value (platformAuth) and Platform Hierarchy Authorization
+ Policy (platformPolicy) can be defined through this function.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
+#define _TPM_PLATFORM_HIERARCHY_LIB_H_
+
+#include <PiDxe.h>
+#include <Uefi.h>
+
+/**
+ This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
+
+**/
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+ VOID
+ );
+
+#endif
diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
index a851021c0b79..92bda3784ffc 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
@@ -62,6 +62,8 @@ BoardInitLib|Include/Library/BoardInitLib.h
MultiBoardInitSupportLib|Include/Library/MultiBoardInitSupportLib.h
SecBoardInitLib|Include/Library/SecBoardInitLib.h
+TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h
+
TestPointLib|Include/Library/TestPointLib.h
TestPointCheckLib|Include/Library/TestPointCheckLib.h
diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
index 5f9363ff3228..a01f229a891d 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
@@ -102,6 +102,7 @@
FspWrapperPlatformLib|MinPlatformPkg/FspWrapper/Library/DxeFspWrapperPlatformLib/DxeFspWrapperPlatformLib.inf
TestPointCheckLib|MinPlatformPkg/Test/Library/TestPointCheckLib/DxeTestPointCheckLib.inf
TestPointLib|MinPlatformPkg/Test/Library/TestPointLib/DxeTestPointLib.inf
+ TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
[LibraryClasses.common.DXE_SMM_DRIVER]
SpiFlashCommonLib|MinPlatformPkg/Flash/Library/SpiFlashCommonLibNull/SpiFlashCommonLibNull.inf
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
new file mode 100644
index 000000000000..41ddb26f4046
--- /dev/null
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
@@ -0,0 +1,214 @@
+/** @file
+ TPM Platform Hierarchy configuration library.
+
+ This library provides functions for customizing the TPM's Platform Hierarchy
+ Authorization Value (platformAuth) and Platform Hierarchy Authorization
+ Policy (platformPolicy) can be defined through this function.
+
+ Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Specification Reference:
+ https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
+**/
+
+#include <PiDxe.h>
+
+#include <Library/DebugLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/Tpm2CommandLib.h>
+#include <Library/RngLib.h>
+#include <Library/UefiLib.h>
+#include <Protocol/DxeSmmReadyToLock.h>
+
+//
+// The authorization value may be no larger than the digest produced by the hash
+// algorithm used for context integrity.
+//
+#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
+
+UINT16 mAuthSize;
+
+/**
+ Generate high-quality entropy source through RDRAND.
+
+ @param[in] Length Size of the buffer, in bytes, to fill with.
+ @param[out] Entropy Pointer to the buffer to store the entropy data.
+
+ @retval EFI_SUCCESS Entropy generation succeeded.
+ @retval EFI_NOT_READY Failed to request random data.
+
+**/
+EFI_STATUS
+EFIAPI
+RdRandGenerateEntropy (
+ IN UINTN Length,
+ OUT UINT8 *Entropy
+ )
+{
+ EFI_STATUS Status;
+ UINTN BlockCount;
+ UINT64 Seed[2];
+ UINT8 *Ptr;
+
+ Status = EFI_NOT_READY;
+ BlockCount = Length / 64;
+ Ptr = (UINT8 *)Entropy;
+
+ //
+ // Generate high-quality seed for DRBG Entropy
+ //
+ while (BlockCount > 0) {
+ Status = GetRandomNumber128 (Seed);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ CopyMem (Ptr, Seed, 64);
+
+ BlockCount--;
+ Ptr = Ptr + 64;
+ }
+
+ //
+ // Populate the remained data as request.
+ //
+ Status = GetRandomNumber128 (Seed);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ CopyMem (Ptr, Seed, (Length % 64));
+
+ return Status;
+}
+
+/**
+ This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value
+ and limits an authValue to being no larger than the largest digest produced by a TPM.
+
+ @param[out] AuthSize Tpm2 Auth size
+
+ @retval EFI_SUCCESS Auth size returned.
+ @retval EFI_DEVICE_ERROR Can not return platform auth due to device error.
+
+**/
+EFI_STATUS
+EFIAPI
+GetAuthSize (
+ OUT UINT16 *AuthSize
+ )
+{
+ EFI_STATUS Status;
+ TPML_PCR_SELECTION Pcrs;
+ UINTN Index;
+ UINT16 DigestSize;
+
+ Status = EFI_SUCCESS;
+
+ while (mAuthSize == 0) {
+
+ mAuthSize = SHA1_DIGEST_SIZE;
+ ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
+ Status = Tpm2GetCapabilityPcrs (&Pcrs);
+
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
+ break;
+ }
+
+ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
+
+ for (Index = 0; Index < Pcrs.count; Index++) {
+ DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
+
+ switch (Pcrs.pcrSelections[Index].hash) {
+ case TPM_ALG_SHA1:
+ DigestSize = SHA1_DIGEST_SIZE;
+ break;
+ case TPM_ALG_SHA256:
+ DigestSize = SHA256_DIGEST_SIZE;
+ break;
+ case TPM_ALG_SHA384:
+ DigestSize = SHA384_DIGEST_SIZE;
+ break;
+ case TPM_ALG_SHA512:
+ DigestSize = SHA512_DIGEST_SIZE;
+ break;
+ case TPM_ALG_SM3_256:
+ DigestSize = SM3_256_DIGEST_SIZE;
+ break;
+ default:
+ DigestSize = SHA1_DIGEST_SIZE;
+ break;
+ }
+
+ if (DigestSize > mAuthSize) {
+ mAuthSize = DigestSize;
+ }
+ }
+ break;
+ }
+
+ *AuthSize = mAuthSize;
+ return Status;
+}
+
+/**
+ Set PlatformAuth to random value.
+**/
+VOID
+RandomizePlatformAuth (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ UINT16 AuthSize;
+ UINT8 *Rand;
+ UINTN RandSize;
+ TPM2B_AUTH NewPlatformAuth;
+
+ //
+ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
+ //
+
+ GetAuthSize (&AuthSize);
+
+ ZeroMem (NewPlatformAuth.buffer, AuthSize);
+ NewPlatformAuth.size = AuthSize;
+
+ //
+ // Allocate one buffer to store random data.
+ //
+ RandSize = MAX_NEW_AUTHORIZATION_SIZE;
+ Rand = AllocatePool (RandSize);
+
+ RdRandGenerateEntropy (RandSize, Rand);
+ CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
+
+ FreePool (Rand);
+
+ //
+ // Send Tpm2HierarchyChangeAuth command with the new Auth value
+ //
+ Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
+ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
+ ZeroMem (NewPlatformAuth.buffer, AuthSize);
+ ZeroMem (Rand, RandSize);
+}
+
+/**
+ This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
+ and Platform Hierarchy Authorization Policy (platformPolicy)
+
+**/
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+ )
+{
+ //
+ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
+ //
+ RandomizePlatformAuth ();
+}
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
new file mode 100644
index 000000000000..0911bdffa01f
--- /dev/null
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
@@ -0,0 +1,45 @@
+### @file
+#
+# TPM Platform Hierarchy configuration library.
+#
+# This library provides functions for customizing the TPM's Platform Hierarchy
+# Authorization Value (platformAuth) and Platform Hierarchy Authorization
+# Policy (platformPolicy) can be defined through this function.
+#
+# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+###
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = TpmPlatformHierarchyLib
+ FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = TpmPlatformHierarchyLib
+
+[LibraryClasses]
+ MemoryAllocationLib
+ BaseLib
+ UefiBootServicesTableLib
+ UefiDriverEntryPoint
+ BaseMemoryLib
+ DebugLib
+ Tpm2CommandLib
+ Tpm2DeviceLib
+ RngLib
+ UefiLib
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ CryptoPkg/CryptoPkg.dec
+
+[Sources]
+ TpmPlatformHierarchyLib.c
+
+[Depex]
+ gEfiTcg2ProtocolGuid
--
2.22.0.windows.1
next prev parent reply other threads:[~2019-11-14 21:05 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-14 21:05 [edk2-platforms][Patch V5 0/2] MinPlatformPkg: Introduce library for customizing TPM platform configuration Rodrigo Gonzalez del Cueto
2019-11-14 21:05 ` Rodrigo Gonzalez del Cueto [this message]
2019-11-14 23:16 ` [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy Nate DeSimone
2019-11-14 23:19 ` Kubacki, Michael A
[not found] ` <3C3EFB470A303B4AB093197B6777CCEC505A6334@PGSMSX111.gar.corp.intel.com>
2019-11-15 1:11 ` Kubacki, Michael A
2019-11-14 21:05 ` [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib Rodrigo Gonzalez del Cueto
2019-11-14 23:16 ` Nate DeSimone
2019-11-14 23:19 ` Kubacki, Michael A
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191114210510.1736-2-rodrigo.gonzalez.del.cueto@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox