From: "Michael Kubacki" <mikuback@linux.microsoft.com>
To: devel@edk2.groups.io
Cc: Jeremiah Cox <jerecox@microsoft.com>,
Chasel Chiu <chasel.chiu@intel.com>,
Nate DeSimone <nathaniel.l.desimone@intel.com>,
Liming Gao <gaoliming@byosoft.com.cn>,
Eric Dong <eric.dong@intel.com>
Subject: [edk2-platforms][PATCH v2 4/4] MinPlatformPkg/TpmPlatformHierarchyLib: Add disable support
Date: Mon, 7 Jun 2021 12:05:06 -0400 [thread overview]
Message-ID: <20210607160506.2411-5-mikuback@linux.microsoft.com> (raw)
In-Reply-To: <20210607160506.2411-1-mikuback@linux.microsoft.com>
From: Michael Kubacki <michael.kubacki@microsoft.com>
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3411
Adds a new PCD (PcdRandomizePlatformHierarchy) to MinPlatformPkg.dec
that allows a platform integrator to choose whether to randomize
or disable the TPM platform hierarchy. The current behavior to
randomize the platform hierachy is preserved in the default PCD
value. In the randomization case, the platform auth is randomized
and then it is "forgotten" to prevent future platform access.
The ConfigureTpmPlatformHierarchy() implementation is updated to
configure the TPM platform hierarchy based on the value of the
new PCD.
Co-authored-by: Jeremiah Cox <jerecox@microsoft.com>
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Eric Dong <eric.dong@intel.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
---
Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c | 63 ++++++++++++++++++--
Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec | 1 +
Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf | 6 ++
3 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
index fa590089f0a0..9812ab99abf5 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
@@ -6,6 +6,7 @@
Policy (platformPolicy) can be defined through this function.
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) Microsoft Corporation.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
@par Specification Reference:
@@ -17,8 +18,10 @@
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
#include <Library/MemoryAllocationLib.h>
+#include <Library/PcdLib.h>
#include <Library/RngLib.h>
#include <Library/Tpm2CommandLib.h>
+#include <Library/Tpm2DeviceLib.h>
//
// The authorization value may be no larger than the digest produced by the hash
@@ -194,6 +197,51 @@ RandomizePlatformAuth (
ZeroMem (Rand, RandSize);
}
+/**
+ Disable the TPM platform hierarchy.
+
+ @retval EFI_SUCCESS The TPM was disabled successfully.
+ @retval Others An error occurred attempting to disable the TPM platform hierarchy.
+
+**/
+EFI_STATUS
+DisableTpmPlatformHierarchy (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+
+ // Make sure that we have use of the TPM.
+ Status = Tpm2RequestUseTpm ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
+ ASSERT_EFI_ERROR (Status);
+ return Status;
+ }
+
+ // Let's do what we can to shut down the hierarchies.
+
+ // Disable the PH NV.
+ // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM parts have
+ // been known to store the EK cert in the PH NV. If we disable it, the
+ // EK cert will be unreadable.
+
+ // Disable the PH.
+ Status = Tpm2HierarchyControl (
+ TPM_RH_PLATFORM, // AuthHandle
+ NULL, // AuthSession
+ TPM_RH_PLATFORM, // Hierarchy
+ NO // State
+ );
+ DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH = %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
+ ASSERT_EFI_ERROR (Status);
+ }
+
+ return Status;
+}
+
/**
This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
and Platform Hierarchy Authorization Policy (platformPolicy)
@@ -204,8 +252,15 @@ EFIAPI
ConfigureTpmPlatformHierarchy (
)
{
- //
- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
- //
- RandomizePlatformAuth ();
+ if (PcdGetBool (PcdRandomizePlatformHierarchy)) {
+ //
+ // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
+ //
+ RandomizePlatformAuth ();
+ } else {
+ //
+ // Disable the hierarchy entirely (do not randomize it)
+ //
+ DisableTpmPlatformHierarchy ();
+ }
}
diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
index 947431470a1f..bcb42f0ef9e6 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
@@ -244,6 +244,7 @@ [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
gMinPlatformPkgTokenSpaceGuid.PcdPciNoExtendedConfigSpace |FALSE|BOOLEAN|0x4001004C
gMinPlatformPkgTokenSpaceGuid.PcdPciResourceAssigned |FALSE|BOOLEAN|0x4001004D
gMinPlatformPkgTokenSpaceGuid.PcdPciSegmentCount |0x1 |UINT8|0x4001004E
+ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy |TRUE |BOOLEAN|0x4001004F
gMinPlatformPkgTokenSpaceGuid.PcdAcpiPm1AEventBlockAddress|0x1800|UINT16|0x00010035
gMinPlatformPkgTokenSpaceGuid.PcdAcpiPm1BEventBlockAddress|0x0000|UINT16|0x00010036
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
index 7165cda31357..b7a7fb0a088d 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
@@ -26,14 +26,20 @@ [LibraryClasses]
BaseMemoryLib
DebugLib
MemoryAllocationLib
+ PcdLib
RngLib
Tpm2CommandLib
+ Tpm2DeviceLib
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
SecurityPkg/SecurityPkg.dec
CryptoPkg/CryptoPkg.dec
+ MinPlatformPkg/MinPlatformPkg.dec
[Sources]
PeiDxeTpmPlatformHierarchyLib.c
+
+[Pcd]
+ gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
--
2.28.0.windows.1
prev parent reply other threads:[~2021-06-07 16:05 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-07 16:05 [edk2-platforms][PATCH v2 0/4] MinPlatformPkg: Add TPM platform hier disable support Michael Kubacki
2021-06-07 16:05 ` [edk2-platforms][PATCH v2 1/4] MinPlatformPkg: Add TpmPlatformHierarchyLib to Components in DSC Michael Kubacki
2021-06-07 16:05 ` [edk2-platforms][PATCH v2 2/4] MinPlatformPkg/TpmPlatformHierarchyLib: Add PEI support Michael Kubacki
2021-06-07 16:05 ` [edk2-platforms][PATCH v2 3/4] MinPlatformPkg/Tcg2PlatformPei: Use TpmPlatformHierarchyLib Michael Kubacki
2021-06-07 16:05 ` Michael Kubacki [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210607160506.2411-5-mikuback@linux.microsoft.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox