From: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>
To: devel@edk2.groups.io.
Cc: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>,
Michael Kubacki <michael.a.kubacki@intel.com>,
Chasel Chiu <chasel.chiu@intel.com>,
Nate DeSimone <nathaniel.l.desimone@intel.com>,
Liming Gao <liming.gao@intel.com>
Subject: [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib
Date: Thu, 14 Nov 2019 13:05:10 -0800 [thread overview]
Message-ID: <20191114210510.1736-3-rodrigo.gonzalez.del.cueto@intel.com> (raw)
In-Reply-To: <20191114210510.1736-1-rodrigo.gonzalez.del.cueto@intel.com>
This change is split into two commits:
1) First commit: Add new library class TpmPlatformHierarchyLib
2) This commit: Add usage in Tcg2PlatformDxe
Tcg2PlatformDxe will now use TpmPlatformHierarchyLib's
ConfigureTpmPlatformHierarchy function to configure the TPM's Platform
Hierarchy.
Cc: Michael Kubacki <michael.a.kubacki@intel.com>
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>
---
.../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 168 +++---------------
.../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 12 +-
2 files changed, 24 insertions(+), 156 deletions(-)
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
index d0d88b2e91d5..704c6d8d6baa 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
@@ -1,157 +1,31 @@
/** @file
- Platform specific TPM2 component.
+ Platform specific TPM2 component for configuring the Platform Hierarchy.
-Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
+ Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <PiDxe.h>
#include <Library/DebugLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiBootServicesTableLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/Tpm2CommandLib.h>
-#include <Library/RngLib.h>
#include <Library/UefiLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
#include <Protocol/DxeSmmReadyToLock.h>
-#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
-
/**
- Generate high-quality entropy source through RDRAND.
-
- @param[in] Length Size of the buffer, in bytes, to fill with.
- @param[out] Entropy Pointer to the buffer to store the entropy data.
-
- @retval EFI_SUCCESS Entropy generation succeeded.
- @retval EFI_NOT_READY Failed to request random data.
-
-**/
-EFI_STATUS
-EFIAPI
-RdRandGenerateEntropy (
- IN UINTN Length,
- OUT UINT8 *Entropy
- )
-{
- EFI_STATUS Status;
- UINTN BlockCount;
- UINT64 Seed[2];
- UINT8 *Ptr;
-
- Status = EFI_NOT_READY;
- BlockCount = Length / 64;
- Ptr = (UINT8 *)Entropy;
+ This callback function will run at the SmmReadyToLock event.
- //
- // Generate high-quality seed for DRBG Entropy
- //
- while (BlockCount > 0) {
- Status = GetRandomNumber128(Seed);
- if (EFI_ERROR(Status)) {
- return Status;
- }
- CopyMem(Ptr, Seed, 64);
-
- BlockCount--;
- Ptr = Ptr + 64;
- }
-
- //
- // Populate the remained data as request.
- //
- Status = GetRandomNumber128(Seed);
- if (EFI_ERROR(Status)) {
- return Status;
- }
- CopyMem(Ptr, Seed, (Length % 64));
-
- return Status;
-}
-
-/**
- Set PlatformAuth to random value.
-**/
-VOID
-RandomizePlatformAuth (
- VOID
- )
-{
- EFI_STATUS Status;
- UINT16 AuthSize;
- TPML_PCR_SELECTION Pcrs;
- UINT32 Index;
- UINT8 *Rand;
- UINTN RandSize;
- TPM2B_AUTH NewPlatformAuth;
-
- //
- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
- //
- ZeroMem(&Pcrs, sizeof(TPML_PCR_SELECTION));
- AuthSize = MAX_NEW_AUTHORIZATION_SIZE;
-
- Status = Tpm2GetCapabilityPcrs(&Pcrs);
- if (EFI_ERROR(Status)) {
- DEBUG((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
- } else {
- for (Index = 0; Index < Pcrs.count; Index++) {
- switch (Pcrs.pcrSelections[Index].hash) {
- case TPM_ALG_SHA1:
- AuthSize = SHA1_DIGEST_SIZE;
- break;
- case TPM_ALG_SHA256:
- AuthSize = SHA256_DIGEST_SIZE;
- break;
- case TPM_ALG_SHA384:
- AuthSize = SHA384_DIGEST_SIZE;
- break;
- case TPM_ALG_SHA512:
- AuthSize = SHA512_DIGEST_SIZE;
- break;
- case TPM_ALG_SM3_256:
- AuthSize = SM3_256_DIGEST_SIZE;
- break;
- }
- }
- }
-
- ZeroMem(NewPlatformAuth.buffer, AuthSize);
- NewPlatformAuth.size = AuthSize;
-
- //
- // Allocate one buffer to store random data.
- //
- RandSize = MAX_NEW_AUTHORIZATION_SIZE;
- Rand = AllocatePool(RandSize);
-
- RdRandGenerateEntropy(RandSize, Rand);
- CopyMem(NewPlatformAuth.buffer, Rand, AuthSize);
-
- FreePool(Rand);
-
- //
- // Send Tpm2HierarchyChangeAuth command with the new Auth value
- //
- Status = Tpm2HierarchyChangeAuth(TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
- DEBUG((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
- ZeroMem(NewPlatformAuth.buffer, AuthSize);
- ZeroMem(Rand, RandSize);
-}
-
-/**
- This is the Event call back function to notify the Library the system is entering
- run time phase.
+ Configuration of the TPM's Platform Hierarchy Authorization Value (platformAuth)
+ and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function.
@param Event Pointer to this event
@param Context Event hanlder private data
**/
VOID
EFIAPI
-ReadyToLockEventCallBack (
+SmmReadyToLockEventCallBack (
IN EFI_EVENT Event,
IN VOID *Context
)
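Review bot: The new header comment on SmmReadyToLockEventCallBack says platformAuth and platformPolicy "can be defined through this function", but the callback defines nothing itself; judging by the next hunk it only calls into TpmPlatformHierarchyLib. With the randomization code gone from this file, a reader can no longer tell from here what ends up in platformAuth, so the comment should name the call, for example `Calls ConfigureTpmPlatformHierarchy () from TpmPlatformHierarchyLib; the linked library instance decides how platformAuth and platformPolicy are set.` The unchanged `@param Context` line still reads "hanlder" and could be corrected to "handler" while the block is being rewritten. The function body continues outside this hunk.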
@@ -172,22 +46,20 @@ ReadyToLockEventCallBack (
return ;
}
- //
- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
- //
- RandomizePlatformAuth();
+ ConfigureTpmPlatformHierarchy ();
gBS->CloseEvent (Event);
}
/**
- The driver's entry point.
+ The driver's entry point. Will register a function for callback during SmmReadyToLock event to
+ configure the TPM's platform authorization.
- @param[in] ImageHandle The firmware allocated handle for the EFI image.
- @param[in] SystemTable A pointer to the EFI System Table.
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
+ @param[in] SystemTable A pointer to the EFI System Table.
- @retval EFI_SUCCESS The entry point is executed successfully.
- @retval other Some error occurs when executing this entry point.
+ @retval EFI_SUCCESS The entry point is executed successfully.
+ @retval other Some error occurs when executing this entry point.
**/
EFI_STATUS
EFIAPI
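Review bot: `ConfigureTpmPlatformHierarchy ();` is called as a bare statement and `gBS->CloseEvent (Event);` follows unconditionally, so this driver never learns whether the platform hierarchy was actually locked down, and the callback cannot run a second time. The library prototype is not on this page. If it returns nothing, failures need to be logged inside the library; if it can return EFI_STATUS, the call site should surface it, e.g. `Status = ConfigureTpmPlatformHierarchy ();` followed by `if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "ConfigureTpmPlatformHierarchy failed: %r\n", Status)); }`. A one-line comment at the call, such as `// platformAuth must not be left empty once SmmReadyToLock has been signalled`, would also restore the rationale that the deleted comment carried. The callback starts before this hunk.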
@@ -196,17 +68,19 @@ Tcg2PlatformDxeEntryPoint (
IN EFI_SYSTEM_TABLE *SystemTable
)
{
- VOID *Registration;
- EFI_EVENT Event;
+ VOID *Registration;
+ EFI_EVENT Event;
- Event = EfiCreateProtocolNotifyEvent (
+ Event = EfiCreateProtocolNotifyEvent (
&gEfiDxeSmmReadyToLockProtocolGuid,
TPL_CALLBACK,
- ReadyToLockEventCallBack,
+ SmmReadyToLockEventCallBack,
NULL,
&Registration
);
+
ASSERT (Event != NULL);
return EFI_SUCCESS;
}
+
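Review bot: `ASSERT (Event != NULL);` is the only check on the result of EfiCreateProtocolNotifyEvent, and ASSERT does nothing in builds where assertions are disabled. In such a build a failed registration still returns EFI_SUCCESS, and the SmmReadyToLock callback that configures the platform hierarchy never runs, with nothing reporting it. Keep the ASSERT for debug builds and add a real check after it, `if (Event == NULL) { return EFI_OUT_OF_RESOURCES; }`, so the failure is visible to the dispatcher. The function's signature begins outside this hunk.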
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
index e8ab5f35a0da..af29c1cd98c9 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
@@ -1,7 +1,7 @@
### @file
# Platform specific TPM2 component.
#
-# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -21,23 +21,18 @@
#
[LibraryClasses]
- MemoryAllocationLib
BaseLib
UefiBootServicesTableLib
UefiDriverEntryPoint
- UefiRuntimeServicesTableLib
- BaseMemoryLib
DebugLib
- Tpm2CommandLib
- Tpm2DeviceLib
- RngLib
UefiLib
+ TpmPlatformHierarchyLib
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
+ MinPlatformPkg/MinPlatformPkg.dec
SecurityPkg/SecurityPkg.dec
- CryptoPkg/CryptoPkg.dec
[Sources]
Tcg2PlatformDxe.c
@@ -47,4 +42,3 @@
[Depex]
gEfiTcg2ProtocolGuid
-
--
2.22.0.windows.1