public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>
To: devel@edk2.groups.io.
Cc: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>,
	Michael Kubacki <michael.a.kubacki@intel.com>,
	Chasel Chiu <chasel.chiu@intel.com>,
	Nate DeSimone <nathaniel.l.desimone@intel.com>,
	Liming Gao <liming.gao@intel.com>
Subject: [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib
Date: Thu, 14 Nov 2019 13:05:10 -0800	[thread overview]
Message-ID: <20191114210510.1736-3-rodrigo.gonzalez.del.cueto@intel.com> (raw)
In-Reply-To: <20191114210510.1736-1-rodrigo.gonzalez.del.cueto@intel.com>

This change is split into two commits:
  1) First commit: Add new library class TpmPlatformHierarchyLib
  2) This commit: Add usage in Tcg2PlatformDxe

Tcg2PlatformDxe will now leverage from TpmPlatformHierarchyLib's
ConfigureTpmPlatformHierarchy function to configure the TPM's Platform
Hierarchy.

Cc: Michael Kubacki <michael.a.kubacki@intel.com>
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <liming.gao@intel.com>

Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>
---
 .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c     | 168 +++---------------
 .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf   |  12 +-
 2 files changed, 24 insertions(+), 156 deletions(-)

diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
index d0d88b2e91d5..704c6d8d6baa 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
@@ -1,157 +1,31 @@
 /** @file
-  Platform specific TPM2 component.
+  Platform specific TPM2 component for configuring the Platform Hierarchy.
 
-Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
+  Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
 
 #include <PiDxe.h>
 
 #include <Library/DebugLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/UefiRuntimeServicesTableLib.h>
 #include <Library/UefiBootServicesTableLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/Tpm2CommandLib.h>
-#include <Library/RngLib.h>
 #include <Library/UefiLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
 #include <Protocol/DxeSmmReadyToLock.h>
 
-#define MAX_NEW_AUTHORIZATION_SIZE        SHA512_DIGEST_SIZE
-
 /**
-  Generate high-quality entropy source through RDRAND.
-
-  @param[in]   Length        Size of the buffer, in bytes, to fill with.
-  @param[out]  Entropy       Pointer to the buffer to store the entropy data.
-
-  @retval EFI_SUCCESS        Entropy generation succeeded.
-  @retval EFI_NOT_READY      Failed to request random data.
-
-**/
-EFI_STATUS
-EFIAPI
-RdRandGenerateEntropy (
-  IN UINTN         Length,
-  OUT UINT8        *Entropy
-  )
-{
-  EFI_STATUS  Status;
-  UINTN       BlockCount;
-  UINT64      Seed[2];
-  UINT8       *Ptr;
-
-  Status = EFI_NOT_READY;
-  BlockCount = Length / 64;
-  Ptr = (UINT8 *)Entropy;
+   This callback function will run at the SmmReadyToLock event.
 
-  //
-  // Generate high-quality seed for DRBG Entropy
-  //
-  while (BlockCount > 0) {
-    Status = GetRandomNumber128(Seed);
-    if (EFI_ERROR(Status)) {
-      return Status;
-    }
-    CopyMem(Ptr, Seed, 64);
-
-    BlockCount--;
-    Ptr = Ptr + 64;
-  }
-
-  //
-  // Populate the remained data as request.
-  //
-  Status = GetRandomNumber128(Seed);
-  if (EFI_ERROR(Status)) {
-    return Status;
-  }
-  CopyMem(Ptr, Seed, (Length % 64));
-
-  return Status;
-}
-
-/**
-  Set PlatformAuth to random value.
-**/
-VOID
-RandomizePlatformAuth (
-  VOID
-  )
-{
-  EFI_STATUS                        Status;
-  UINT16                            AuthSize;
-  TPML_PCR_SELECTION                Pcrs;
-  UINT32                            Index;
-  UINT8                             *Rand;
-  UINTN                             RandSize;
-  TPM2B_AUTH                        NewPlatformAuth;
-
-  //
-  // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
-  //
-  ZeroMem(&Pcrs, sizeof(TPML_PCR_SELECTION));
-  AuthSize = MAX_NEW_AUTHORIZATION_SIZE;
-
-  Status = Tpm2GetCapabilityPcrs(&Pcrs);
-  if (EFI_ERROR(Status)) {
-    DEBUG((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
-  } else {
-    for (Index = 0; Index < Pcrs.count; Index++) {
-      switch (Pcrs.pcrSelections[Index].hash) {
-      case TPM_ALG_SHA1:
-        AuthSize = SHA1_DIGEST_SIZE;
-        break;
-      case TPM_ALG_SHA256:
-        AuthSize = SHA256_DIGEST_SIZE;
-        break;
-      case TPM_ALG_SHA384:
-        AuthSize = SHA384_DIGEST_SIZE;
-        break;
-      case TPM_ALG_SHA512:
-        AuthSize = SHA512_DIGEST_SIZE;
-        break;
-      case TPM_ALG_SM3_256:
-        AuthSize = SM3_256_DIGEST_SIZE;
-        break;
-      }
-    }
-  }
-
-  ZeroMem(NewPlatformAuth.buffer, AuthSize);
-  NewPlatformAuth.size = AuthSize;
-
-  //
-  // Allocate one buffer to store random data.
-  //
-  RandSize = MAX_NEW_AUTHORIZATION_SIZE;
-  Rand = AllocatePool(RandSize);
-
-  RdRandGenerateEntropy(RandSize, Rand);
-  CopyMem(NewPlatformAuth.buffer, Rand, AuthSize);
-
-  FreePool(Rand);
-
-  //
-  // Send Tpm2HierarchyChangeAuth command with the new Auth value
-  //
-  Status = Tpm2HierarchyChangeAuth(TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
-  DEBUG((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
-  ZeroMem(NewPlatformAuth.buffer, AuthSize);
-  ZeroMem(Rand, RandSize);
-}
-
-/**
-  This is the Event call back function to notify the Library the system is entering
-  run time phase.
+   Configuration of the TPM's Platform Hierarchy Authorization Value (platformAuth)
+   and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function.
 
   @param  Event   Pointer to this event
   @param  Context Event hanlder private data
  **/
 VOID
 EFIAPI
-ReadyToLockEventCallBack (
+SmmReadyToLockEventCallBack (
   IN EFI_EVENT  Event,
   IN VOID       *Context
   )
@@ -172,22 +46,20 @@ ReadyToLockEventCallBack (
     return ;
   }
 
-  //
-  // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
-  //
-  RandomizePlatformAuth();
+  ConfigureTpmPlatformHierarchy ();
 
   gBS->CloseEvent (Event);
 }
 
 /**
-  The driver's entry point.
+   The driver's entry point. Will register a function for callback during SmmReadyToLock event to
+   configure the TPM's platform authorization.
 
-  @param[in] ImageHandle  The firmware allocated handle for the EFI image.
-  @param[in] SystemTable  A pointer to the EFI System Table.
+   @param[in] ImageHandle  The firmware allocated handle for the EFI image.
+   @param[in] SystemTable  A pointer to the EFI System Table.
 
-  @retval EFI_SUCCESS     The entry point is executed successfully.
-  @retval other           Some error occurs when executing this entry point.
+   @retval EFI_SUCCESS     The entry point is executed successfully.
+   @retval other           Some error occurs when executing this entry point.
 **/
 EFI_STATUS
 EFIAPI
@@ -196,17 +68,19 @@ Tcg2PlatformDxeEntryPoint (
   IN    EFI_SYSTEM_TABLE            *SystemTable
   )
 {
-  VOID                      *Registration;
-  EFI_EVENT                 Event;
+  VOID       *Registration;
+  EFI_EVENT  Event;
 
-  Event = EfiCreateProtocolNotifyEvent  (
+  Event = EfiCreateProtocolNotifyEvent (
             &gEfiDxeSmmReadyToLockProtocolGuid,
             TPL_CALLBACK,
-            ReadyToLockEventCallBack,
+            SmmReadyToLockEventCallBack,
             NULL,
             &Registration
             );
+
   ASSERT (Event != NULL);
 
   return EFI_SUCCESS;
 }
+
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
index e8ab5f35a0da..af29c1cd98c9 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
@@ -1,7 +1,7 @@
 ### @file
 # Platform specific TPM2 component.
 #
-# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>
 #
 # SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -21,23 +21,18 @@
 #
 
 [LibraryClasses]
-  MemoryAllocationLib
   BaseLib
   UefiBootServicesTableLib
   UefiDriverEntryPoint
-  UefiRuntimeServicesTableLib
-  BaseMemoryLib
   DebugLib
-  Tpm2CommandLib
-  Tpm2DeviceLib
-  RngLib
   UefiLib
+  TpmPlatformHierarchyLib
 
 [Packages]
   MdePkg/MdePkg.dec
   MdeModulePkg/MdeModulePkg.dec
+  MinPlatformPkg/MinPlatformPkg.dec
   SecurityPkg/SecurityPkg.dec
-  CryptoPkg/CryptoPkg.dec
 
 [Sources]
   Tcg2PlatformDxe.c
@@ -47,4 +42,3 @@
 
 [Depex]
   gEfiTcg2ProtocolGuid
-
-- 
2.22.0.windows.1


  parent reply	other threads:[~2019-11-14 21:05 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-14 21:05 [edk2-platforms][Patch V5 0/2] MinPlatformPkg: Introduce library for customizing TPM platform configuration Rodrigo Gonzalez del Cueto
2019-11-14 21:05 ` [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy Rodrigo Gonzalez del Cueto
2019-11-14 23:16   ` Nate DeSimone
2019-11-14 23:19   ` Kubacki, Michael A
     [not found]   ` <3C3EFB470A303B4AB093197B6777CCEC505A6334@PGSMSX111.gar.corp.intel.com>
2019-11-15  1:11     ` Kubacki, Michael A
2019-11-14 21:05 ` Rodrigo Gonzalez del Cueto [this message]
2019-11-14 23:16   ` [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib Nate DeSimone
2019-11-14 23:19   ` Kubacki, Michael A

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191114210510.1736-3-rodrigo.gonzalez.del.cueto@intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox