[edk2-platforms][PATCH v1 0/2] MinPlatformPkg: Disable TPM platform hierarchy

From: Michael Kubacki @ 2021-06-03 1:38 UTC
To: devel; +Cc: Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong, Jiewen Yao

From: Michael Kubacki <michael.kubacki@microsoft.com>

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3411

This patch series mostly focuses on disabling the TPM platform hierarchy
(patch 2/2) in ConfigureTpmPlatformHierarchy() with a preliminary change
to add the library being modified to the [Components] section in the
MinPlatformPkg DSC file.

Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>

Jeremiah Cox (1):
  MinPlatformPkg/TpmPlatformHierarchyLib: Disable TPM platform hierarchy

Michael Kubacki (1):
  MinPlatformPkg: Add TpmPlatformHierarchyLib to Components in DSC

 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c | 51 ++++++++++++++++++++
 Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc                                             |  1 +
 2 files changed, 52 insertions(+)

-- 
2.28.0.windows.1
* [edk2-platforms][PATCH v1 1/2] MinPlatformPkg: Add TpmPlatformHierarchyLib to Components in DSC 2021-06-03 1:38 [edk2-platforms][PATCH v1 0/2] MinPlatformPkg: Disable TPM platform hierarchy Michael Kubacki @ 2021-06-03 1:38 ` Michael Kubacki 2021-06-03 1:38 ` [edk2-platforms][PATCH v1 2/2] MinPlatformPkg/TpmPlatformHierarchyLib: Disable TPM platform hierarchy Michael Kubacki 1 sibling, 0 replies; 3+ messages in thread From: Michael Kubacki @ 2021-06-03 1:38 UTC (permalink / raw) To: devel; +Cc: Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong From: Michael Kubacki <michael.kubacki@microsoft.com> Adds TpmPlatformHierarchyLib to the [Components] section in MinPlatformPkg.dsc so it is always built in the package build. Cc: Chasel Chiu <chasel.chiu@intel.com> Cc: Nate DeSimone <nathaniel.l.desimone@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Cc: Eric Dong <eric.dong@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> --- Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc | 1 + 1 file changed, 1 insertion(+) diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc index 35cbd40abb05..7e952dfaf300 100644 --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc @@ -200,6 +200,7 @@ [Components] MinPlatformPkg/Test/TestPointStubDxe/TestPointStubDxe.inf MinPlatformPkg/Test/TestPointDumpApp/TestPointDumpApp.inf + MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf !if gMinPlatformPkgTokenSpaceGuid.PcdTpm2Enable == TRUE MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf -- 2.28.0.windows.1 ^ permalink raw reply related [flat|nested] 3+ messages in thread
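Review bot: the new TpmPlatformHierarchyLib.inf entry lands just above the `!if gMinPlatformPkgTokenSpaceGuid.PcdTpm2Enable == TRUE` guard, so unlike the Tcg2PlatformPei/Tcg2PlatformDxe entries right below it, the library is compiled even when PcdTpm2Enable is FALSE. The commit message says building it unconditionally is the intent, which is fine as long as the library classes it pulls in (Tpm2CommandLib, RngLib, and Tpm2DeviceLib once patch 2/2 is applied) resolve in the DSC's [LibraryClasses] outside that guard; otherwise a TPM-disabled package build breaks. A one-line comment above the entry saying it is deliberately outside the guard, or moving it inside the `!if`, would make the choice explicit for the next person editing this block.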
* [edk2-platforms][PATCH v1 2/2] MinPlatformPkg/TpmPlatformHierarchyLib: Disable TPM platform hierarchy 2021-06-03 1:38 [edk2-platforms][PATCH v1 0/2] MinPlatformPkg: Disable TPM platform hierarchy Michael Kubacki 2021-06-03 1:38 ` [edk2-platforms][PATCH v1 1/2] MinPlatformPkg: Add TpmPlatformHierarchyLib to Components in DSC Michael Kubacki @ 2021-06-03 1:38 ` Michael Kubacki 1 sibling, 0 replies; 3+ messages in thread From: Michael Kubacki @ 2021-06-03 1:38 UTC (permalink / raw) To: devel; +Cc: Michael Kubacki, Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong From: Jeremiah Cox <jerecox@microsoft.com> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3411 Updates the current ConfigureTpmPlatformHierarchy() implementation to instruct the TPM to disable the platform hierarchy to prevent later boot/OS code from accessing TPM platform features. This modifies the current behavior which instead randomizes the platform auth and then "forgets" it to prevent future platform feature access. Co-authored-by: Michael Kubacki <michael.kubacki@microsoft.com> Cc: Chasel Chiu <chasel.chiu@intel.com> Cc: Nate DeSimone <nathaniel.l.desimone@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Cc: Eric Dong <eric.dong@intel.com> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> --- Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c | 51 ++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c index 41ddb26f4046..bc1dce9b1c51 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c 
@@ -18,6 +18,7 @@ #include <Library/BaseMemoryLib.h> #include <Library/UefiBootServicesTableLib.h> #include <Library/MemoryAllocationLib.h> +#include <Library/Tpm2DeviceLib.h> #include <Library/Tpm2CommandLib.h> #include <Library/RngLib.h> #include <Library/UefiLib.h> @@ -197,6 +198,51 @@ RandomizePlatformAuth ( ZeroMem (Rand, RandSize); } +/** + Disable the TPM platform hierarchy. + + @retval EFI_SUCCESS The TPM was disabled successfully. + @retval Others An error occurred attempting to disable the TPM platform hierarchy. + +**/ +EFI_STATUS +DisableTpmPlatformHierarchy ( + VOID + ) +{ + EFI_STATUS Status; + + // Make sure that we have use of the TPM. + Status = Tpm2RequestUseTpm (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); + ASSERT_EFI_ERROR (Status); + return Status; + } + + // Let's do what we can to shut down the hierarchies. + + // Disable the PH NV. + // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM parts have + // been known to store the EK cert in the PH NV. If we disable it, the + // EK cert will be unreadable. + + // Disable the PH. + Status = Tpm2HierarchyControl ( + TPM_RH_PLATFORM, // AuthHandle + NULL, // AuthSession + TPM_RH_PLATFORM, // Hierarchy + NO // State + ); + DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH = %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status)); + ASSERT_EFI_ERROR (Status); + } + + return Status; +} + /** This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth) and Platform Hierarchy Authorization Policy (platformPolicy) 
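Review bot: the added `#include <Library/Tpm2DeviceLib.h>` (needed for Tpm2RequestUseTpm) introduces a library-class dependency the diffstat does not account for, since only TpmPlatformHierarchyLib.c changes in this patch. If TpmPlatformHierarchyLib.inf does not already list Tpm2DeviceLib under [LibraryClasses], add it in this series; with patch 1/2 the library is now built from the MinPlatformPkg DSC unconditionally, so a missing class shows up as a package build failure rather than only in platform builds.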
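Review bot: DisableTpmPlatformHierarchy() sends Tpm2HierarchyControl with a NULL AuthSession, which Tpm2CommandLib turns into a TPM_RS_PW session carrying an empty platformAuth, so the call only succeeds while platformAuth is still the empty default and the command must be issued before anything changes it; that ordering assumption belongs in a comment next to the call. The same hunk should also note that clearing phEnable is not reversible until the next TPM2_Startup, so any later firmware code that still needs platform authorization (PCR bank allocation, platform NV definition, HierarchyChangeAuth) will fail after this point and the call site must be the last platform-hierarchy user in the boot. Two smaller points: the doxygen line "@retval EFI_SUCCESS The TPM was disabled successfully." should say the platform hierarchy was disabled, not the TPM; and the "Disable the PH NV." comment block is followed by no code, so it reads like an unfinished TODO. Rewording it to state that phEnableNV is intentionally left set because some parts keep the EK certificate in platform NV makes the omission clearly deliberate.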
@@ -211,4 +257,9 @@ ConfigureTpmPlatformHierarchy ( // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null // RandomizePlatformAuth (); + + // + // Disable the hierarchy entirely (do not randomize it) + // + DisableTpmPlatformHierarchy (); } -- 2.28.0.windows.1 ^ permalink raw reply related [flat|nested] 3+ messages in thread
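Review bot: the unchanged context shows RandomizePlatformAuth() is still called immediately before the new DisableTpmPlatformHierarchy() call, yet the added comment says "do not randomize it" and the commit message describes the disable as replacing the randomization. This is a functional problem, not just a stale comment: RandomizePlatformAuth() changes platformAuth, and DisableTpmPlatformHierarchy() then issues TPM2_HierarchyControl on TPM_RH_PLATFORM with a NULL (empty-password) session, which the TPM rejects once platformAuth is no longer empty, so as far as the visible lines show the hierarchy would stay enabled (protected only by the randomized auth, i.e. the old behaviour) and the ASSERT_EFI_ERROR in the callee fires on DEBUG builds. Either drop the RandomizePlatformAuth() call together with its now-misleading "avoid PlatformAuth being null" comment, or disable the hierarchy first and randomize only as the fallback. Separately, the return value of DisableTpmPlatformHierarchy() is discarded here; since a failed disable leaves the platform hierarchy open with an empty platformAuth, at least log the failure at the call site and preferably fall back to RandomizePlatformAuth() so the boot never continues with both protections absent.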