* [edk2-platforms][PATCH v2 1/4] MinPlatformPkg: Add TpmPlatformHierarchyLib to Components in DSC
2021-06-07 16:05 [edk2-platforms][PATCH v2 0/4] MinPlatformPkg: Add TPM platform hier disable support Michael Kubacki
@ 2021-06-07 16:05 ` Michael Kubacki
2021-06-07 16:05 ` [edk2-platforms][PATCH v2 2/4] MinPlatformPkg/TpmPlatformHierarchyLib: Add PEI support Michael Kubacki
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Michael Kubacki @ 2021-06-07 16:05 UTC (permalink / raw)
To: devel; +Cc: Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong
From: Michael Kubacki <michael.kubacki@microsoft.com>
Adds TpmPlatformHierarchyLib to the [Components] section in
MinPlatformPkg.dsc so it is always built in the package build.
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Eric Dong <eric.dong@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
---
Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc | 1 +
1 file changed, 1 insertion(+)
diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
index 35cbd40abb05..7e952dfaf300 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
@@ -200,6 +200,7 @@ [Components]
MinPlatformPkg/Test/TestPointStubDxe/TestPointStubDxe.inf
MinPlatformPkg/Test/TestPointDumpApp/TestPointDumpApp.inf
+ MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
!if gMinPlatformPkgTokenSpaceGuid.PcdTpm2Enable == TRUE
MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
--
2.28.0.windows.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* [edk2-platforms][PATCH v2 2/4] MinPlatformPkg/TpmPlatformHierarchyLib: Add PEI support
2021-06-07 16:05 [edk2-platforms][PATCH v2 0/4] MinPlatformPkg: Add TPM platform hier disable support Michael Kubacki
2021-06-07 16:05 ` [edk2-platforms][PATCH v2 1/4] MinPlatformPkg: Add TpmPlatformHierarchyLib to Components in DSC Michael Kubacki
@ 2021-06-07 16:05 ` Michael Kubacki
2021-06-07 16:05 ` [edk2-platforms][PATCH v2 3/4] MinPlatformPkg/Tcg2PlatformPei: Use TpmPlatformHierarchyLib Michael Kubacki
2021-06-07 16:05 ` [edk2-platforms][PATCH v2 4/4] MinPlatformPkg/TpmPlatformHierarchyLib: Add disable support Michael Kubacki
3 siblings, 0 replies; 5+ messages in thread
From: Michael Kubacki @ 2021-06-07 16:05 UTC (permalink / raw)
To: devel; +Cc: Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong
From: Michael Kubacki <michael.kubacki@microsoft.com>
Expands the TpmPlatformHierarchyLib instance in MinPlatformPkg to
support PEIM in addition to DXE_DRIVER.
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Eric Dong <eric.dong@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
---
Platform/Intel/MinPlatformPkg/Tcg/Library/{TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c => PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c} | 9 +++------
Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h | 4 +---
Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc | 4 ++--
Platform/Intel/MinPlatformPkg/Tcg/Library/{TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf => PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf} | 20 +++++++-------------
4 files changed, 13 insertions(+), 24 deletions(-)
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
similarity index 93%
rename from Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
rename to Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
index 41ddb26f4046..fa590089f0a0 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
@@ -12,16 +12,13 @@
https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
**/
-#include <PiDxe.h>
+#include <Uefi.h>
-#include <Library/DebugLib.h>
#include <Library/BaseMemoryLib.h>
-#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DebugLib.h>
#include <Library/MemoryAllocationLib.h>
-#include <Library/Tpm2CommandLib.h>
#include <Library/RngLib.h>
-#include <Library/UefiLib.h>
-#include <Protocol/DxeSmmReadyToLock.h>
+#include <Library/Tpm2CommandLib.h>
//
// The authorization value may be no larger than the digest produced by the hash
diff --git a/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
index ed9709b24a73..a872fa09dc6a 100644
--- a/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
+++ b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
@@ -6,6 +6,7 @@
Policy (platformPolicy) can be defined through this function.
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -13,9 +14,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
#define _TPM_PLATFORM_HIERARCHY_LIB_H_
-#include <PiDxe.h>
-#include <Uefi.h>
-
/**
This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
index 7e952dfaf300..0240a803f868 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
@@ -106,7 +106,7 @@ [LibraryClasses.common.DXE_DRIVER]
FspWrapperPlatformLib|MinPlatformPkg/FspWrapper/Library/DxeFspWrapperPlatformLib/DxeFspWrapperPlatformLib.inf
TestPointCheckLib|MinPlatformPkg/Test/Library/TestPointCheckLib/DxeTestPointCheckLib.inf
TestPointLib|MinPlatformPkg/Test/Library/TestPointLib/DxeTestPointLib.inf
- TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
+ TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
[LibraryClasses.common.DXE_SMM_DRIVER]
SpiFlashCommonLib|MinPlatformPkg/Flash/Library/SpiFlashCommonLibNull/SpiFlashCommonLibNull.inf
@@ -200,7 +200,7 @@ [Components]
MinPlatformPkg/Test/TestPointStubDxe/TestPointStubDxe.inf
MinPlatformPkg/Test/TestPointDumpApp/TestPointDumpApp.inf
- MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
+ MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
!if gMinPlatformPkgTokenSpaceGuid.PcdTpm2Enable == TRUE
MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
similarity index 70%
rename from Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
rename to Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
index 0911bdffa01f..7165cda31357 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
@@ -7,6 +7,7 @@
# Policy (platformPolicy) can be defined through this function.
#
# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.<BR>
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -14,23 +15,19 @@
[Defines]
INF_VERSION = 0x00010005
- BASE_NAME = TpmPlatformHierarchyLib
+ BASE_NAME = PeiDxeTpmPlatformHierarchyLib
FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
- MODULE_TYPE = DXE_DRIVER
+ MODULE_TYPE = PEIM
VERSION_STRING = 1.0
- LIBRARY_CLASS = TpmPlatformHierarchyLib
+ LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
[LibraryClasses]
- MemoryAllocationLib
BaseLib
- UefiBootServicesTableLib
- UefiDriverEntryPoint
BaseMemoryLib
DebugLib
- Tpm2CommandLib
- Tpm2DeviceLib
+ MemoryAllocationLib
RngLib
- UefiLib
+ Tpm2CommandLib
[Packages]
MdePkg/MdePkg.dec
@@ -39,7 +36,4 @@ [Packages]
CryptoPkg/CryptoPkg.dec
[Sources]
- TpmPlatformHierarchyLib.c
-
-[Depex]
- gEfiTcg2ProtocolGuid
+ PeiDxeTpmPlatformHierarchyLib.c
--
2.28.0.windows.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* [edk2-platforms][PATCH v2 3/4] MinPlatformPkg/Tcg2PlatformPei: Use TpmPlatformHierarchyLib
2021-06-07 16:05 [edk2-platforms][PATCH v2 0/4] MinPlatformPkg: Add TPM platform hier disable support Michael Kubacki
2021-06-07 16:05 ` [edk2-platforms][PATCH v2 1/4] MinPlatformPkg: Add TpmPlatformHierarchyLib to Components in DSC Michael Kubacki
2021-06-07 16:05 ` [edk2-platforms][PATCH v2 2/4] MinPlatformPkg/TpmPlatformHierarchyLib: Add PEI support Michael Kubacki
@ 2021-06-07 16:05 ` Michael Kubacki
2021-06-07 16:05 ` [edk2-platforms][PATCH v2 4/4] MinPlatformPkg/TpmPlatformHierarchyLib: Add disable support Michael Kubacki
3 siblings, 0 replies; 5+ messages in thread
From: Michael Kubacki @ 2021-06-07 16:05 UTC (permalink / raw)
To: devel; +Cc: Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong
From: Michael Kubacki <michael.kubacki@microsoft.com>
Eliminates code duplication in the module with
TpmPlatformHierarchyLib. Pre-existing behavior of randomzing the
TPM platform auth is retained by calling the implementation of
ConfigureTpmPlatformHierarchy() in TpmPlatformHierarchyLib.
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Eric Dong <eric.dong@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
---
Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 130 +-------------------
Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc | 1 +
Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf | 2 +
3 files changed, 8 insertions(+), 125 deletions(-)
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
index 3a2d7d31e983..66ec75ad0e0f 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c
@@ -1,6 +1,7 @@
/** @file
Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -13,134 +14,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/HobLib.h>
#include <Library/Tpm2CommandLib.h>
#include <Library/Tpm2DeviceLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
#include <Library/RngLib.h>
#include <Ppi/EndOfPeiPhase.h>
#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
-/**
- Generate high-quality entropy source through RDRAND.
-
- @param[in] Length Size of the buffer, in bytes, to fill with.
- @param[out] Entropy Pointer to the buffer to store the entropy data.
-
- @retval EFI_SUCCESS Entropy generation succeeded.
- @retval EFI_NOT_READY Failed to request random data.
-
-**/
-EFI_STATUS
-EFIAPI
-RdRandGenerateEntropy (
- IN UINTN Length,
- OUT UINT8 *Entropy
- )
-{
- EFI_STATUS Status;
- UINTN BlockCount;
- UINT64 Seed[2];
- UINT8 *Ptr;
-
- Status = EFI_NOT_READY;
- BlockCount = Length / 64;
- Ptr = (UINT8 *)Entropy;
-
- //
- // Generate high-quality seed for DRBG Entropy
- //
- while (BlockCount > 0) {
- Status = GetRandomNumber128(Seed);
- if (EFI_ERROR(Status)) {
- return Status;
- }
- CopyMem(Ptr, Seed, 64);
-
- BlockCount--;
- Ptr = Ptr + 64;
- }
-
- //
- // Populate the remained data as request.
- //
- Status = GetRandomNumber128(Seed);
- if (EFI_ERROR(Status)) {
- return Status;
- }
- CopyMem(Ptr, Seed, (Length % 64));
-
- return Status;
-}
-
-/**
- Set PlatformAuth to random value.
-**/
-VOID
-RandomizePlatformAuth (
- VOID
- )
-{
- EFI_STATUS Status;
- UINT16 AuthSize;
- TPML_PCR_SELECTION Pcrs;
- UINT32 Index;
- UINT8 *Rand;
- UINTN RandSize;
- TPM2B_AUTH NewPlatformAuth;
-
- //
- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
- //
- ZeroMem(&Pcrs, sizeof(TPML_PCR_SELECTION));
- AuthSize = MAX_NEW_AUTHORIZATION_SIZE;
-
- Status = Tpm2GetCapabilityPcrs(&Pcrs);
- if (EFI_ERROR(Status)) {
- DEBUG((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
- } else {
- for (Index = 0; Index < Pcrs.count; Index++) {
- switch (Pcrs.pcrSelections[Index].hash) {
- case TPM_ALG_SHA1:
- AuthSize = SHA1_DIGEST_SIZE;
- break;
- case TPM_ALG_SHA256:
- AuthSize = SHA256_DIGEST_SIZE;
- break;
- case TPM_ALG_SHA384:
- AuthSize = SHA384_DIGEST_SIZE;
- break;
- case TPM_ALG_SHA512:
- AuthSize = SHA512_DIGEST_SIZE;
- break;
- case TPM_ALG_SM3_256:
- AuthSize = SM3_256_DIGEST_SIZE;
- break;
- }
- }
- }
-
- ZeroMem(NewPlatformAuth.buffer, AuthSize);
- NewPlatformAuth.size = AuthSize;
-
- //
- // Allocate one buffer to store random data.
- //
- RandSize = MAX_NEW_AUTHORIZATION_SIZE;
- Rand = AllocatePool(RandSize);
-
- RdRandGenerateEntropy(RandSize, Rand);
- CopyMem(NewPlatformAuth.buffer, Rand, AuthSize);
-
- FreePool(Rand);
-
- //
- // Send Tpm2HierarchyChangeAuth command with the new Auth value
- //
- Status = Tpm2HierarchyChangeAuth(TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
- DEBUG((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
- ZeroMem(NewPlatformAuth.buffer, AuthSize);
- ZeroMem(Rand, RandSize);
-}
-
/**
This function handles PlatformInit task at the end of PEI
@@ -179,9 +59,9 @@ PlatformInitEndOfPei (
//
// If there is S3 error on TPM_SU_STATE and success on TPM_SU_CLEAR,
- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
+ // configure the TPM Platform Hierarchy.
//
- RandomizePlatformAuth();
+ ConfigureTpmPlatformHierarchy ();
return EFI_SUCCESS;
}
@@ -198,7 +78,7 @@ static EFI_PEI_NOTIFY_DESCRIPTOR mEndOfPeiNotifyList = {
@param[in] FileHandle Handle of the file being invoked.
@param[in] PeiServices Pointer to PEI Services table.
- @retval EFI_SUCCESS Install function successfully.
+ @retval EFI_SUCCESS Install function successfully.
**/
EFI_STATUS
diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
index 0240a803f868..0665a18cdcbe 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
@@ -98,6 +98,7 @@ [LibraryClasses.common.PEIM]
TestPointCheckLib|MinPlatformPkg/Test/Library/TestPointCheckLib/PeiTestPointCheckLib.inf
TestPointLib|MinPlatformPkg/Test/Library/TestPointLib/PeiTestPointLib.inf
SetCacheMtrrLib|MinPlatformPkg/Library/SetCacheMtrrLib/SetCacheMtrrLibNull.inf
+ TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
[LibraryClasses.common.DXE_DRIVER]
#
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
index 1aabfe7ba88d..579f09b940e7 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
@@ -29,11 +29,13 @@ [LibraryClasses]
DebugLib
Tpm2DeviceLib
Tpm2CommandLib
+ TpmPlatformHierarchyLib
RngLib
[Packages]
MdePkg/MdePkg.dec
SecurityPkg/SecurityPkg.dec
+ MinPlatformPkg/MinPlatformPkg.dec
[Sources]
Tcg2PlatformPei.c
--
2.28.0.windows.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* [edk2-platforms][PATCH v2 4/4] MinPlatformPkg/TpmPlatformHierarchyLib: Add disable support
2021-06-07 16:05 [edk2-platforms][PATCH v2 0/4] MinPlatformPkg: Add TPM platform hier disable support Michael Kubacki
` (2 preceding siblings ...)
2021-06-07 16:05 ` [edk2-platforms][PATCH v2 3/4] MinPlatformPkg/Tcg2PlatformPei: Use TpmPlatformHierarchyLib Michael Kubacki
@ 2021-06-07 16:05 ` Michael Kubacki
3 siblings, 0 replies; 5+ messages in thread
From: Michael Kubacki @ 2021-06-07 16:05 UTC (permalink / raw)
To: devel; +Cc: Jeremiah Cox, Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong
From: Michael Kubacki <michael.kubacki@microsoft.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3411
Adds a new PCD (PcdRandomizePlatformHierarchy) to MinPlatformPkg.dec
that allows a platform integrator to choose whether to randomize
or disable the TPM platform hierarchy. The current behavior to
randomize the platform hierachy is preserved in the default PCD
value. In the randomization case, the platform auth is randomized
and then it is "forgotten" to prevent future platform access.
The ConfigureTpmPlatformHierarchy() implementation is updated to
configure the TPM platform hierarchy based on the value of the
new PCD.
Co-authored-by: Jeremiah Cox <jerecox@microsoft.com>
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Eric Dong <eric.dong@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
---
Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c | 63 ++++++++++++++++++--
Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec | 1 +
Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf | 6 ++
3 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
index fa590089f0a0..9812ab99abf5 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
@@ -6,6 +6,7 @@
Policy (platformPolicy) can be defined through this function.
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@par Specification Reference:
@@ -17,8 +18,10 @@
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
#include <Library/MemoryAllocationLib.h>
+#include <Library/PcdLib.h>
#include <Library/RngLib.h>
#include <Library/Tpm2CommandLib.h>
+#include <Library/Tpm2DeviceLib.h>
//
// The authorization value may be no larger than the digest produced by the hash
@@ -194,6 +197,51 @@ RandomizePlatformAuth (
ZeroMem (Rand, RandSize);
}
+/**
+ Disable the TPM platform hierarchy.
+
+ @retval EFI_SUCCESS The TPM was disabled successfully.
+ @retval Others An error occurred attempting to disable the TPM platform hierarchy.
+
+**/
+EFI_STATUS
+DisableTpmPlatformHierarchy (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+
+ // Make sure that we have use of the TPM.
+ Status = Tpm2RequestUseTpm ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
+ ASSERT_EFI_ERROR (Status);
+ return Status;
+ }
+
+ // Let's do what we can to shut down the hierarchies.
+
+ // Disable the PH NV.
+ // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM parts have
+ // been known to store the EK cert in the PH NV. If we disable it, the
+ // EK cert will be unreadable.
+
+ // Disable the PH.
+ Status = Tpm2HierarchyControl (
+ TPM_RH_PLATFORM, // AuthHandle
+ NULL, // AuthSession
+ TPM_RH_PLATFORM, // Hierarchy
+ NO // State
+ );
+ DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH = %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
+ ASSERT_EFI_ERROR (Status);
+ }
+
+ return Status;
+}
+
/**
This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
and Platform Hierarchy Authorization Policy (platformPolicy)
@@ -204,8 +252,15 @@ EFIAPI
ConfigureTpmPlatformHierarchy (
)
{
- //
- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
- //
- RandomizePlatformAuth ();
+ if (PcdGetBool (PcdRandomizePlatformHierarchy)) {
+ //
+ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
+ //
+ RandomizePlatformAuth ();
+ } else {
+ //
+ // Disable the hierarchy entirely (do not randomize it)
+ //
+ DisableTpmPlatformHierarchy ();
+ }
}
diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
index 947431470a1f..bcb42f0ef9e6 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
@@ -244,6 +244,7 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
gMinPlatformPkgTokenSpaceGuid.PcdPciNoExtendedConfigSpace |FALSE|BOOLEAN|0x4001004C
gMinPlatformPkgTokenSpaceGuid.PcdPciResourceAssigned |FALSE|BOOLEAN|0x4001004D
gMinPlatformPkgTokenSpaceGuid.PcdPciSegmentCount |0x1 |UINT8|0x4001004E
+ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy |TRUE |BOOLEAN|0x4001004F
gMinPlatformPkgTokenSpaceGuid.PcdAcpiPm1AEventBlockAddress|0x1800|UINT16|0x00010035
gMinPlatformPkgTokenSpaceGuid.PcdAcpiPm1BEventBlockAddress|0x0000|UINT16|0x00010036
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
index 7165cda31357..b7a7fb0a088d 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
@@ -26,14 +26,20 @@ [LibraryClasses]
BaseMemoryLib
DebugLib
MemoryAllocationLib
+ PcdLib
RngLib
Tpm2CommandLib
+ Tpm2DeviceLib
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec
CryptoPkg/CryptoPkg.dec
+ MinPlatformPkg/MinPlatformPkg.dec
[Sources]
PeiDxeTpmPlatformHierarchyLib.c
+
+[Pcd]
+ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
--
2.28.0.windows.1
^ permalink raw reply related [flat|nested] 5+ messages in thread