From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com [209.85.216.46])
 by mx.groups.io with SMTP id smtpd.web11.1328.1627667734554151217
 for <devel@edk2.groups.io>;
 Fri, 30 Jul 2021 10:55:34 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@corthon-com.20150623.gappssmtp.com header.s=20150623 header.b=1FR7Czlz;
 spf=none, err=permanent DNS error (domain: corthon.com, ip: 209.85.216.46, mailfrom: bret@corthon.com)
Received: by mail-pj1-f46.google.com with SMTP id m10-20020a17090a34cab0290176b52c60ddso15403042pjf.4
        for <devel@edk2.groups.io>; Fri, 30 Jul 2021 10:55:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=corthon-com.20150623.gappssmtp.com; s=20150623;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=etp/r3vxthbNq0TOW00NuduVlUd8eLe6hk+bfQGaK6c=;
        b=1FR7Czlzp4wjrc1AIjlGQwwS2FncEXURP3kLdOiHsBpw4yFbcqy/ScAPIc4oHlGpcX
         AtbD0B7rI4/7B0mRnvOVKrL78ymIYYnqjHbvMWGz0ZxW42GR3/5igfJ7wTCYWPutC8ix
         KUAdBYRdIZj/CEarA69/RVc6c9TjgC568OyBvELgaax2uWazcss1ghE9U0lVLwyNtJiT
         VU42xwmJF4l6zxf9Gp0Yl5xS1BHJIYMSbJ8JNGpZUSNJoihCbXYCKVt5wdx/DoX8mS11
         tdrex1zYeEQPJhlCaLn4AyZFqX4KFEHyng9eBtlTxJhdlO5Kdx0mJ8P1yE38w0+uMlC1
         eTug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=etp/r3vxthbNq0TOW00NuduVlUd8eLe6hk+bfQGaK6c=;
        b=TQE4T2zPZLFfqawe6yU4jgH9FSzQZbzhfrXY/fzm1ct7fYhmXC3EmaYwCYxm1MNtZo
         2geEAjUepu4f7icwGbNKmlYPUcB56HCXWIZujH5RgrVgTdlyi6otKQHUZW88xNVVY4/p
         FBfFwx1ZLfzCYL/sV4YoMoPK3SoQ+qZYmbH7HLI6FFOAgAGtpOG8Wc9YGH7SJ9lytweQ
         Qr/IHUGcLp+wScKx5eESMhXpykptZ8F2bmnXpzBNj3+aZo4TBdxtdHmjTTSzF8TWYjMd
         PcMilFg7dntzxLUK5fsoI5nlBvMcWCjEbhZD+o5lZ5qm30wusXhLwb3k7bZGyJRNKuew
         ipZA==
X-Gm-Message-State: AOAM530ER17EvUsFOTmt0AZQy6A9mqSbgN+0jBG204WgLYTs4wd+sJqv
	fT98a8++dst+WN0BvD2vlttIwnRBR8zltt65Lhs=
X-Google-Smtp-Source: ABdhPJwi+lJupJTWNOOFSS9tOgAOBGW6ob6QQP2UQ2emH+zTQORjL50nVDOrk++Q5bhLmS6B89AoSA==
X-Received: by 2002:a17:90b:158:: with SMTP id em24mr4350947pjb.174.1627667733571;
        Fri, 30 Jul 2021 10:55:33 -0700 (PDT)
Return-Path: <bret@corthon.com>
Received: from localhost.localdomain (174-21-73-17.tukw.qwest.net. [174.21.73.17])
        by smtp.gmail.com with ESMTPSA id q4sm3183932pfn.23.2021.07.30.10.55.32
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 30 Jul 2021 10:55:32 -0700 (PDT)
From: "Bret Barkelew" <bret@corthon.com>
X-Google-Original-From: "brbarkel@microsoft.com" <brbarkel@microsoft.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Qi Zhang <qi1.zhang@intel.com>,
	Rahul Kumar <rahul1.kumar@intel.com>
Subject: [PATCH v1 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
Date: Fri, 30 Jul 2021 10:55:17 -0700
Message-Id: <20210730175517.2445-1-brbarkel@microsoft.com>
X-Mailer: git-send-email 2.31.1.windows.1
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Used to provision and maintain certain HW-defined NV spaces.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2994

Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Qi Zhang <qi1.zhang@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
---
 SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122 +++++++++++++++++=
+++
 SecurityPkg/Include/Library/Tpm2CommandLib.h       |  22 ++++
 2 files changed, 144 insertions(+)

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityP=
kg/Library/Tpm2CommandLib/Tpm2NVStorage.c
index 87572de20164..7931fade9190 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
@@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define RC_NV_UndefineSpace_authHandle      (TPM_RC_H + TPM_RC_1)=0D
 #define RC_NV_UndefineSpace_nvIndex         (TPM_RC_H + TPM_RC_2)=0D
 =0D
+#define RC_NV_UndefineSpaceSpecial_nvIndex  (TPM_RC_H + TPM_RC_1)=0D
+=0D
 #define RC_NV_Read_authHandle               (TPM_RC_H + TPM_RC_1)=0D
 #define RC_NV_Read_nvIndex                  (TPM_RC_H + TPM_RC_2)=0D
 #define RC_NV_Read_size                     (TPM_RC_P + TPM_RC_1)=0D
@@ -74,6 +76,20 @@ typedef struct {
   TPMS_AUTH_RESPONSE         AuthSession;=0D
 } TPM2_NV_UNDEFINESPACE_RESPONSE;=0D
 =0D
+typedef struct {=0D
+  TPM2_COMMAND_HEADER       Header;=0D
+  TPMI_RH_NV_INDEX          NvIndex;=0D
+  TPMI_RH_PLATFORM          Platform;=0D
+  UINT32                    AuthSessionSize;=0D
+  TPMS_AUTH_COMMAND         AuthSession;=0D
+} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;=0D
+=0D
+typedef struct {=0D
+  TPM2_RESPONSE_HEADER       Header;=0D
+  UINT32                     AuthSessionSize;=0D
+  TPMS_AUTH_RESPONSE         AuthSession;=0D
+} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;=0D
+=0D
 typedef struct {=0D
   TPM2_COMMAND_HEADER       Header;=0D
   TPMI_RH_NV_AUTH           AuthHandle;=0D
@@ -506,6 +522,112 @@ Done:
   return Status;=0D
 }=0D
 =0D
+/**=0D
+  This command removes an index from the TPM.=0D
+=0D
+  @param[in]  NvIndex             The NV Index.=0D
+  @param[in]  IndexAuthSession    Auth session context for the Index auth/=
policy=0D
+  @param[in]  PlatAuthSession     Auth session context for the Platform au=
th/policy=0D
+=0D
+  @retval EFI_SUCCESS             Operation completed successfully.=0D
+  @retval EFI_NOT_FOUND           The command was returned successfully, b=
ut NvIndex is not found.=0D
+  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deleti=
on through this call.=0D
+  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current po=
licy session.=0D
+  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.=0D
+  @retval EFI_DEVICE_ERROR        The command was unsuccessful.=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+Tpm2NvUndefineSpaceSpecial (=0D
+  IN      TPMI_RH_NV_INDEX          NvIndex,=0D
+  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,=0D
+  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL=0D
+  )=0D
+{=0D
+  EFI_STATUS                              Status;=0D
+  TPM2_NV_UNDEFINESPACESPECIAL_COMMAND    SendBuffer;=0D
+  TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE   RecvBuffer;=0D
+  UINT32                                  SendBufferSize;=0D
+  UINT32                                  RecvBufferSize;=0D
+  UINT8                                   *Buffer;=0D
+  UINT32                                  IndexAuthSize, PlatAuthSize;=0D
+  TPM_RC                                  ResponseCode;=0D
+=0D
+  //=0D
+  // Construct command=0D
+  //=0D
+  SendBuffer.Header.tag =3D SwapBytes16(TPM_ST_SESSIONS);=0D
+  SendBuffer.Header.commandCode =3D SwapBytes32(TPM_CC_NV_UndefineSpaceSpe=
cial);=0D
+=0D
+  SendBuffer.NvIndex =3D SwapBytes32 (NvIndex);=0D
+  SendBuffer.Platform =3D SwapBytes32 (TPM_RH_PLATFORM);=0D
+=0D
+  //=0D
+  // Marshall the Auth Sessions for the two handles.=0D
+  Buffer =3D (UINT8 *)&SendBuffer.AuthSession;=0D
+  // IndexAuthSession=0D
+  IndexAuthSize =3D CopyAuthSessionCommand (IndexAuthSession, Buffer);=0D
+  Buffer +=3D IndexAuthSize;=0D
+  // PlatAuthSession=0D
+  PlatAuthSize =3D CopyAuthSessionCommand (PlatAuthSession, Buffer);=0D
+  Buffer +=3D PlatAuthSize;=0D
+  // AuthSessionSize=0D
+  SendBuffer.AuthSessionSize =3D SwapBytes32(IndexAuthSize + PlatAuthSize)=
;=0D
+=0D
+  // Update total command size.=0D
+  SendBufferSize =3D (UINT32)(Buffer - (UINT8 *)&SendBuffer);=0D
+  SendBuffer.Header.paramSize =3D SwapBytes32 (SendBufferSize);=0D
+=0D
+  //=0D
+  // send Tpm command=0D
+  //=0D
+  RecvBufferSize =3D sizeof (RecvBuffer);=0D
+  Status =3D Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &Rec=
vBufferSize, (UINT8 *)&RecvBuffer);=0D
+  if (EFI_ERROR (Status)) {=0D
+    goto Done;=0D
+  }=0D
+=0D
+  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {=0D
+    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize Erro=
r - %x\n", RecvBufferSize));=0D
+    Status =3D EFI_DEVICE_ERROR;=0D
+    goto Done;=0D
+  }=0D
+=0D
+  ResponseCode =3D SwapBytes32(RecvBuffer.Header.responseCode);=0D
+  if (ResponseCode !=3D TPM_RC_SUCCESS) {=0D
+    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode - %x\n=
", SwapBytes32(RecvBuffer.Header.responseCode)));=0D
+  }=0D
+  switch (ResponseCode) {=0D
+  case TPM_RC_SUCCESS:=0D
+    // return data=0D
+    break;=0D
+  case TPM_RC_ATTRIBUTES:=0D
+  case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:=0D
+    Status =3D EFI_UNSUPPORTED;=0D
+    break;=0D
+  case TPM_RC_NV_AUTHORIZATION:=0D
+    Status =3D EFI_SECURITY_VIOLATION;=0D
+    break;=0D
+  case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: // TPM_RC_NV_DE=
FINED:=0D
+    Status =3D EFI_NOT_FOUND;=0D
+    break;=0D
+  case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:=0D
+    Status =3D EFI_INVALID_PARAMETER;=0D
+    break;=0D
+  default:=0D
+    Status =3D EFI_DEVICE_ERROR;=0D
+    break;=0D
+  }=0D
+=0D
+Done:=0D
+  //=0D
+  // Clear AuthSession Content=0D
+  //=0D
+  ZeroMem (&SendBuffer, sizeof(SendBuffer));=0D
+  ZeroMem (&RecvBuffer, sizeof(RecvBuffer));=0D
+  return Status;=0D
+} // Tpm2NvUndefineSpaceSpecial()=0D
+=0D
 /**=0D
   This command reads a value from an area in NV memory previously defined =
by TPM2_NV_DefineSpace().=0D
 =0D
diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h b/SecurityPkg/Inc=
lude/Library/Tpm2CommandLib.h
index ee8eb622951c..8d7b4998d98d 100644
--- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
+++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
@@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
   IN      TPMS_AUTH_COMMAND         *AuthSession OPTIONAL=0D
   );=0D
 =0D
+/**=0D
+  This command removes an index from the TPM.=0D
+=0D
+  @param[in]  NvIndex             The NV Index.=0D
+  @param[in]  IndexAuthSession    Auth session context for the Index auth/=
policy=0D
+  @param[in]  PlatAuthSession     Auth session context for the Platform au=
th/policy=0D
+=0D
+  @retval EFI_SUCCESS             Operation completed successfully.=0D
+  @retval EFI_NOT_FOUND           The command was returned successfully, b=
ut NvIndex is not found.=0D
+  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deleti=
on through this call.=0D
+  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current po=
licy session.=0D
+  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.=0D
+  @retval EFI_DEVICE_ERROR        The command was unsuccessful.=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+Tpm2NvUndefineSpaceSpecial (=0D
+  IN      TPMI_RH_NV_INDEX          NvIndex,=0D
+  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,=0D
+  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL=0D
+  );=0D
+=0D
 /**=0D
   This command reads a value from an area in NV memory previously defined =
by TPM2_NV_DefineSpace().=0D
 =0D
--=20
2.31.1.windows.1