public inbox for devel@edk2.groups.io
* [PATCH v3 0/6] Ovmf: Disable the TPM2 platform hierarchy
@ 2021-08-10 17:20 Stefan Berger
From: Stefan Berger @ 2021-08-10 17:20 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger

This series imports code from the edk2-platforms project related to
changing the password of the TPM2 platform hierarchy and uses it to
disable the TPM2 platform hierarchy in Ovmf and ArmVirtPkg. It
addresses the Ovmf aspects of the following bugs:

https://bugzilla.tianocore.org/show_bug.cgi?id=3510
https://bugzilla.tianocore.org/show_bug.cgi?id=3499

I have patched the .dsc files and successfully test-built with most of
them. Some I could not build because they failed for other reasons
unrelated to this series.

I tested the changes with QEMU on x86 following the build of
ArmVirtQemu.dsc and OvmfPkgX64.dsc.

The disablement of the platform hierarchy is done after possibly
handling PPI. Following the TPM 2 logs on Arm, only PCR extensions
follow afterwards until GRUB takes over.

Regards,
  Stefan

v3:
 - Referencing Null implementation on Bhyve and Xen platforms
 - Add support in ArmVirtPkg


Stefan Berger (6):
  OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
    edk2-platforms
  OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  OvmfPkg: Reference new TPM classes in the build system for compilation
  OvmfPkg: Disable the TPM2 platform hierarchy
  ArmVirtPkg: Reference new TPM classes in the build system for
    compilation
  ArmVirtPkg: Disable the TPM2 platform hierarchy

 ArmVirtPkg/ArmVirtCloudHv.dsc                 |   1 +
 ArmVirtPkg/ArmVirtQemu.dsc                    |   3 +
 ArmVirtPkg/ArmVirtQemuKernel.dsc              |   1 +
 ArmVirtPkg/ArmVirtXen.dsc                     |   1 +
 .../PlatformBootManagerLib/PlatformBm.c       |   6 +
 .../PlatformBootManagerLib.inf                |   1 +
 OvmfPkg/AmdSev/AmdSevX64.dsc                  |   3 +
 OvmfPkg/Bhyve/BhyveX64.dsc                    |   1 +
 .../Include/Library/TpmPlatformHierarchyLib.h |  27 +++
 .../PeiDxeTpmPlatformHierarchyLib.c           | 210 ++++++++++++++++++
 .../PeiDxeTpmPlatformHierarchyLib.inf         |  40 ++++
 .../PeiDxeTpmPlatformHierarchyLib.c           |  19 ++
 .../PeiDxeTpmPlatformHierarchyLib.inf         |  31 +++
 .../PlatformBootManagerLib/BdsPlatform.c      |   6 +
 .../PlatformBootManagerLib.inf                |   1 +
 .../PlatformBootManagerLibBhyve/BdsPlatform.c |   6 +
 .../PlatformBootManagerLibGrub/BdsPlatform.c  |   6 +
 OvmfPkg/OvmfPkgIa32.dsc                       |   3 +
 OvmfPkg/OvmfPkgIa32X64.dsc                    |   3 +
 OvmfPkg/OvmfPkgX64.dsc                        |   3 +
 OvmfPkg/OvmfXen.dsc                           |   1 +
 21 files changed, 373 insertions(+)
 create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf

-- 
2.31.1



* [PATCH v3 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
From: Stefan Berger @ 2021-08-10 17:20 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger, Stefan Berger

Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms. Modify it so
that ConfigureTpmPlatformHierarchy() is the only public function provided
by this file.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 .../Include/Library/TpmPlatformHierarchyLib.h |  27 +++
 .../PeiDxeTpmPlatformHierarchyLib.c           | 210 ++++++++++++++++++
 .../PeiDxeTpmPlatformHierarchyLib.inf         |  40 ++++
 3 files changed, 277 insertions(+)
 create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf

diff --git a/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
new file mode 100644
index 0000000000..a872fa09dc
--- /dev/null
+++ b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
@@ -0,0 +1,27 @@
+/** @file
+    TPM Platform Hierarchy configuration library.
+
+    This library provides functions for customizing the TPM's Platform Hierarchy
+    Authorization Value (platformAuth) and Platform Hierarchy Authorization
+    Policy (platformPolicy) can be defined through this function.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
+#define _TPM_PLATFORM_HIERARCHY_LIB_H_
+
+/**
+   This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
+
+**/
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+  VOID
+  );
+
+#endif
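Review bot: the description sentence in the file header does not parse ("This library provides functions for customizing the TPM's Platform Hierarchy Authorization Value (platformAuth) and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function."), and the same text is repeated in the .c and .inf files of this patch. Suggest: "This library provides a function through which the TPM's Platform Hierarchy Authorization Value (platformAuth) and Platform Hierarchy Authorization Policy (platformPolicy) can be configured." The doc comment on ConfigureTpmPlatformHierarchy still says the configuration happens "at the SmmReadyToLock event", which is the edk2-platforms call site; in this series (patch 4/6) the function is called from PlatformBootManagerAfterConsole, so the comment should describe that instead.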
diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
new file mode 100644
index 0000000000..ba2d99bb53
--- /dev/null
+++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
@@ -0,0 +1,210 @@
+/** @file
+    TPM Platform Hierarchy configuration library.
+
+    This library provides functions for customizing the TPM's Platform Hierarchy
+    Authorization Value (platformAuth) and Platform Hierarchy Authorization
+    Policy (platformPolicy) can be defined through this function.
+
+    Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+    Copyright (c) Microsoft Corporation.<BR>
+    SPDX-License-Identifier: BSD-2-Clause-Patent
+
+    @par Specification Reference:
+    https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
+**/
+
+#include <Uefi.h>
+
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/RngLib.h>
+#include <Library/Tpm2CommandLib.h>
+#include <Library/Tpm2DeviceLib.h>
+
+//
+// The authorization value may be no larger than the digest produced by the hash
+//   algorithm used for context integrity.
+//
+#define      MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
+
+UINT16       mAuthSize;
+
+/**
+  Generate high-quality entropy source through RDRAND.
+
+  @param[in]   Length        Size of the buffer, in bytes, to fill with.
+  @param[out]  Entropy       Pointer to the buffer to store the entropy data.
+
+  @retval EFI_SUCCESS        Entropy generation succeeded.
+  @retval EFI_NOT_READY      Failed to request random data.
+
+**/
+EFI_STATUS
+EFIAPI
+RdRandGenerateEntropy (
+  IN UINTN         Length,
+  OUT UINT8        *Entropy
+  )
+{
+  EFI_STATUS  Status;
+  UINTN       BlockCount;
+  UINT64      Seed[2];
+  UINT8       *Ptr;
+
+  Status = EFI_NOT_READY;
+  BlockCount = Length / 64;
+  Ptr = (UINT8 *)Entropy;
+
+  //
+  // Generate high-quality seed for DRBG Entropy
+  //
+  while (BlockCount > 0) {
+    Status = GetRandomNumber128 (Seed);
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+    CopyMem (Ptr, Seed, 64);
+
+    BlockCount--;
+    Ptr = Ptr + 64;
+  }
+
+  //
+  // Populate the remained data as request.
+  //
+  Status = GetRandomNumber128 (Seed);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+  CopyMem (Ptr, Seed, (Length % 64));
+
+  return Status;
+}
+
+/**
+  This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value
+  and limits an authValue to being no larger than the largest digest produced by a TPM.
+
+  @param[out] AuthSize                 Tpm2 Auth size
+
+  @retval EFI_SUCCESS                  Auth size returned.
+  @retval EFI_DEVICE_ERROR             Can not return platform auth due to device error.
+
+**/
+EFI_STATUS
+EFIAPI
+GetAuthSize (
+  OUT UINT16            *AuthSize
+  )
+{
+  EFI_STATUS            Status;
+  TPML_PCR_SELECTION    Pcrs;
+  UINTN                 Index;
+  UINT16                DigestSize;
+
+  Status = EFI_SUCCESS;
+
+  while (mAuthSize == 0) {
+
+    mAuthSize = SHA1_DIGEST_SIZE;
+    ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
+    Status = Tpm2GetCapabilityPcrs (&Pcrs);
+
+    if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
+      break;
+    }
+
+    DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
+
+    for (Index = 0; Index < Pcrs.count; Index++) {
+      DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
+
+      switch (Pcrs.pcrSelections[Index].hash) {
+      case TPM_ALG_SHA1:
+        DigestSize = SHA1_DIGEST_SIZE;
+        break;
+      case TPM_ALG_SHA256:
+        DigestSize = SHA256_DIGEST_SIZE;
+        break;
+      case TPM_ALG_SHA384:
+        DigestSize = SHA384_DIGEST_SIZE;
+        break;
+      case TPM_ALG_SHA512:
+        DigestSize = SHA512_DIGEST_SIZE;
+        break;
+      case TPM_ALG_SM3_256:
+        DigestSize = SM3_256_DIGEST_SIZE;
+        break;
+      default:
+        DigestSize = SHA1_DIGEST_SIZE;
+        break;
+      }
+
+      if (DigestSize > mAuthSize) {
+        mAuthSize = DigestSize;
+      }
+    }
+    break;
+  }
+
+  *AuthSize = mAuthSize;
+  return Status;
+}
+
+/**
+  Set PlatformAuth to random value.
+**/
+VOID
+RandomizePlatformAuth (
+  VOID
+  )
+{
+  EFI_STATUS                        Status;
+  UINT16                            AuthSize;
+  UINT8                             *Rand;
+  UINTN                             RandSize;
+  TPM2B_AUTH                        NewPlatformAuth;
+
+  //
+  // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
+  //
+
+  GetAuthSize (&AuthSize);
+
+  ZeroMem (NewPlatformAuth.buffer, AuthSize);
+  NewPlatformAuth.size = AuthSize;
+
+  //
+  // Allocate one buffer to store random data.
+  //
+  RandSize = MAX_NEW_AUTHORIZATION_SIZE;
+  Rand = AllocatePool (RandSize);
+
+  RdRandGenerateEntropy (RandSize, Rand);
+  CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
+
+  FreePool (Rand);
+
+  //
+  // Send Tpm2HierarchyChangeAuth command with the new Auth value
+  //
+  Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
+  DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
+  ZeroMem (NewPlatformAuth.buffer, AuthSize);
+  ZeroMem (Rand, RandSize);
+}
+
+/**
+   This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
+   and Platform Hierarchy Authorization Policy (platformPolicy)
+
+**/
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+  )
+{
+  RandomizePlatformAuth ();
+}
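Review bot: `ZeroMem (Rand, RandSize);` is the last statement of RandomizePlatformAuth, but `FreePool (Rand);` already ran a few lines earlier, so this scrubs freed pool memory (use after free); move the ZeroMem in front of the FreePool, and check the AllocatePool result for NULL before using Rand. In RdRandGenerateEntropy, `Seed` is `UINT64 Seed[2]` (16 bytes) but each loop iteration does `CopyMem (Ptr, Seed, 64)` and advances Ptr by 64; with RandSize = MAX_NEW_AUTHORIZATION_SIZE = SHA512_DIGEST_SIZE (64) that copies 48 bytes of stack beyond Seed into the new platformAuth, so only 16 of the 64 bytes are actually random. Use sizeof (Seed) as the block size and call GetRandomNumber128 once per 16-byte block. The return values of GetAuthSize, RdRandGenerateEntropy and Tpm2HierarchyChangeAuth are ignored or only logged at DEBUG_INFO; if the HierarchyChangeAuth fails, platformAuth stays empty, which is exactly what this series wants to prevent, so the failure should at least be reported at DEBUG_ERROR and ideally propagated to the caller. Smaller points: the definition `ConfigureTpmPlatformHierarchy ()` should be `(VOID)` to match the header, and including <Library/TpmPlatformHierarchyLib.h> would let the compiler check that; the "RDRAND" name and comment are misleading on ArmVirtPkg, where RngLib is not backed by RDRAND; the informational prints in GetAuthSize use DEBUG_ERROR and belong at DEBUG_INFO or DEBUG_VERBOSE.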
diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
new file mode 100644
index 0000000000..a413e02302
--- /dev/null
+++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
@@ -0,0 +1,40 @@
+### @file
+#
+#   TPM Platform Hierarchy configuration library.
+#
+#   This library provides functions for customizing the TPM's Platform Hierarchy
+#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
+#   Policy (platformPolicy) can be defined through this function.
+#
+# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.<BR>
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+###
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLib
+  FILE_GUID                      = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
+  MODULE_TYPE                    = PEIM
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  RngLib
+  Tpm2CommandLib
+  Tpm2DeviceLib
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+  CryptoPkg/CryptoPkg.dec
+
+[Sources]
+  PeiDxeTpmPlatformHierarchyLib.c
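Review bot: Tpm2DeviceLib is listed under [LibraryClasses] (and its header is included in the .c file), but the .c file only calls Tpm2GetCapabilityPcrs and Tpm2HierarchyChangeAuth, both from Tpm2CommandLib, so the Tpm2DeviceLib dependency appears unused; likewise no CryptoPkg header is included, so CryptoPkg/CryptoPkg.dec under [Packages] appears unneeded (the SHA*_DIGEST_SIZE macros come from IndustryStandard/Tpm20.h via Tpm2CommandLib.h). The file header repeats the ungrammatical "can be defined through this function" sentence from the .h file.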
-- 
2.31.1



* [PATCH v3 2/6] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
From: Stefan Berger @ 2021-08-10 17:20 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger, Stefan Berger

Add a NULL implementation of the library class TpmPlatformHierarchyLib

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 .../PeiDxeTpmPlatformHierarchyLib.c           | 19 ++++++++++++
 .../PeiDxeTpmPlatformHierarchyLib.inf         | 31 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf

diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
new file mode 100644
index 0000000000..a4d38a1465
--- /dev/null
+++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
@@ -0,0 +1,19 @@
+/** @file
+    Null TPM Platform Hierarchy configuration library.
+
+    This library provides stub functions for customizing the TPM's Platform Hierarchy.
+
+    Copyright (c) 2021, IBM Corporation.
+    SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+  )
+{
+  /* no nothing */
+}
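Review bot: the comment `/* no nothing */` should read "do nothing" (and edk2 code uses `//` comments); define the function as `ConfigureTpmPlatformHierarchy (VOID)` to match the declaration in TpmPlatformHierarchyLib.h, and include that header so the compiler checks the stub against the declaration.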
diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
new file mode 100644
index 0000000000..f0c474d57c
--- /dev/null
+++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
@@ -0,0 +1,31 @@
+### @file
+#
+#   TPM Platform Hierarchy configuration library.
+#
+#   This library provides functions for customizing the TPM's Platform Hierarchy
+#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
+#   Policy (platformPolicy) can be defined through this function.
+#
+# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.<BR>
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+###
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLibNull
+  FILE_GUID                      = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
+  MODULE_TYPE                    = PEIM
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
+
+[LibraryClasses]
+  BaseLib
+
+[Packages]
+  MdePkg/MdePkg.dec
+
+[Sources]
+  PeiDxeTpmPlatformHierarchyLib.c
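Review bot: FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73 is the same GUID as the non-NULL instance in patch 1/6; FILE_GUIDs must be unique per INF, so generate a fresh one. The header block was copied from the full library (Intel/Microsoft copyright, "provides functions for customizing ...") while the .c file in this patch carries "Copyright (c) 2021, IBM Corporation." and describes a stub; align the INF header with it. BaseLib under [LibraryClasses] is not needed by a file that only includes Uefi.h.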
-- 
2.31.1



* [PATCH v3 3/6] OvmfPkg: Reference new TPM classes in the build system for compilation
From: Stefan Berger @ 2021-08-10 17:20 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger, Stefan Berger

Compile the added TPM-related code now.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 OvmfPkg/AmdSev/AmdSevX64.dsc                                   | 3 +++
 OvmfPkg/Bhyve/BhyveX64.dsc                                     | 1 +
 .../Library/PlatformBootManagerLib/PlatformBootManagerLib.inf  | 1 +
 OvmfPkg/OvmfPkgIa32.dsc                                        | 3 +++
 OvmfPkg/OvmfPkgIa32X64.dsc                                     | 3 +++
 OvmfPkg/OvmfPkgX64.dsc                                         | 3 +++
 OvmfPkg/OvmfXen.dsc                                            | 1 +
 7 files changed, 15 insertions(+)

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index e6cd10b759..db1deffcc8 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -209,9 +209,11 @@
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 !else
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 !endif
 
 [LibraryClasses.common]
@@ -836,6 +838,7 @@
   SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
     <LibraryClasses>
       Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
       NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
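Review bot: the scoped `TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf` under Tcg2Dxe.inf selects the same instance that the global mapping added in the previous hunk already provides, and nothing in this series makes Tcg2Dxe consume the class (no SecurityPkg file is touched); unless the module needs it, the scoped line is redundant and should be dropped, or the commit message should explain why it is there. The same applies to the scoped additions under Tcg2Pei.inf in OvmfPkgIa32.dsc and OvmfPkgX64.dsc and under Tcg2Dxe.inf in OvmfPkgIa32X64.dsc later in this patch.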
diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index d8fe607d1c..76904ae614 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -224,6 +224,7 @@
 
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index e470b9a6a3..e7d1917022 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -56,6 +56,7 @@
   PlatformBmPrintScLib
   Tcg2PhysicalPresenceLib
   XenPlatformLib
+  TpmPlatformHierarchyLib
 
 [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent
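Review bot: TpmPlatformHierarchyLib is appended after XenPlatformLib, breaking the alphabetical order of the [LibraryClasses] list visible in the context (PlatformBmPrintScLib, Tcg2PhysicalPresenceLib, XenPlatformLib); place it between Tcg2PhysicalPresenceLib and XenPlatformLib. This is also the only PlatformBootManagerLib INF the series touches, yet patch 4/6 adds the ConfigureTpmPlatformHierarchy call to PlatformBootManagerLibBhyve/BdsPlatform.c and PlatformBootManagerLibGrub/BdsPlatform.c as well; those two modules' INFs need the same library class entry, otherwise ConfigureTpmPlatformHierarchy is unresolved at link time.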
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index d1d92c97ba..7c2948c5e9 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -235,9 +235,11 @@
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 !else
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 !endif
 
 [LibraryClasses.common]
@@ -711,6 +713,7 @@
   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
     <LibraryClasses>
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+      TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index a467ab7090..88a014510f 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -239,9 +239,11 @@
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 !else
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 !endif
 
 [LibraryClasses.common]
@@ -1034,6 +1036,7 @@
   SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
     <LibraryClasses>
       Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
       NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index e56b83d95e..ca434a5faa 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -239,9 +239,11 @@
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 !else
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 !endif
 
 [LibraryClasses.common]
@@ -723,6 +725,7 @@
   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
     <LibraryClasses>
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+      TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index 3c1ca6bfd4..b01873843b 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -216,6 +216,7 @@
 
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
   RealTimeClockLib|OvmfPkg/Library/XenRealTimeClockLib/XenRealTimeClockLib.inf
   TimeBaseLib|EmbeddedPkg/Library/TimeBaseLib/TimeBaseLib.inf
 !ifdef $(DEBUG_ON_HYPERVISOR_CONSOLE)
-- 
2.31.1



* [PATCH v3 4/6] OvmfPkg: Disable the TPM2 platform hierarchy
From: Stefan Berger @ 2021-08-10 17:20 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger, Stefan Berger

Use the newly added function to disable the TPM2 platform hierarchy.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c      | 6 ++++++
 OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c | 6 ++++++
 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c  | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index b0e9742937..5bf145ba25 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -11,6 +11,7 @@
 #include <Protocol/FirmwareVolume2.h>
 #include <Library/PlatformBmPrintScLib.h>
 #include <Library/Tcg2PhysicalPresenceLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
 #include <Library/XenPlatformLib.h>
 
 
@@ -1516,6 +1517,11 @@ PlatformBootManagerAfterConsole (
   //
   Tcg2PhysicalPresenceLibProcessRequest (NULL);
 
+  //
+  // Disable the TPM 2 platform hierarchy
+  //
+  ConfigureTpmPlatformHierarchy ();
+
   //
   // Process QEMU's -kernel command line option
   //
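Review bot: the placement directly after Tcg2PhysicalPresenceLibProcessRequest is the important part of this hunk and deserves a sentence in the comment or the commit message: physical-presence operations such as TPM clear are issued with platform authorization, so they must run before platformAuth is randomized, and someone moving this call earlier would break PPI silently. The comment could also say what "disable" means here (platformAuth set to a random value that is then discarded), since the callee is named ConfigureTpmPlatformHierarchy rather than Disable.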
diff --git a/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
index eaade4adea..09418dc4ff 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
@@ -12,6 +12,7 @@
 #include <Protocol/FirmwareVolume2.h>
 #include <Library/PlatformBmPrintScLib.h>
 #include <Library/Tcg2PhysicalPresenceLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
 
 #include <Protocol/BlockIo.h>
 
@@ -1450,6 +1451,11 @@ PlatformBootManagerAfterConsole (
   //
   Tcg2PhysicalPresenceLibProcessRequest (NULL);
 
+  //
+  // Disable the TPM 2 platform hierarchy
+  //
+  ConfigureTpmPlatformHierarchy ();
+
   //
   // Perform some platform specific connect sequence
   //
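Review bot: the INF of PlatformBootManagerLibBhyve is not updated anywhere in this series (the series diffstat lists only OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf), so this module does not declare the TpmPlatformHierarchyLib class and the new ConfigureTpmPlatformHierarchy call will be unresolved at link time; add the class to that INF (BhyveX64.dsc already maps it to the NULL instance in patch 3/6).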
diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
index 7cceeea487..508e2b6403 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
@@ -12,6 +12,7 @@
 #include <Protocol/FirmwareVolume2.h>
 #include <Library/PlatformBmPrintScLib.h>
 #include <Library/Tcg2PhysicalPresenceLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
 
 
 //
@@ -1315,6 +1316,11 @@ PlatformBootManagerAfterConsole (
   //
   Tcg2PhysicalPresenceLibProcessRequest (NULL);
 
+  //
+  // Disable the TPM 2 platform hierachy
+  //
+  ConfigureTpmPlatformHierarchy ();
+
   //
   // Process QEMU's -kernel command line option
   //
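Review bot: typo in the new comment, "hierachy" should be "hierarchy". As with the Bhyve variant, the INF of PlatformBootManagerLibGrub is not touched in this series (see the series diffstat), so TpmPlatformHierarchyLib is not declared for this module and the new call cannot link; add the library class to that INF as well.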
-- 
2.31.1



* [PATCH v3 5/6] ArmVirtPkg: Reference new TPM classes in the build system for compilation
From: Stefan Berger @ 2021-08-10 17:20 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger, Stefan Berger

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ArmVirtPkg/ArmVirtCloudHv.dsc    | 1 +
 ArmVirtPkg/ArmVirtQemu.dsc       | 3 +++
 ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
 ArmVirtPkg/ArmVirtXen.dsc        | 1 +
 4 files changed, 6 insertions(+)

diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc
index f292ba6079..cb135d08d9 100644
--- a/ArmVirtPkg/ArmVirtCloudHv.dsc
+++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
@@ -55,6 +55,7 @@
   PciHostBridgeUtilityLib|ArmVirtPkg/Library/ArmVirtPciHostBridgeUtilityLib/ArmVirtPciHostBridgeUtilityLib.inf
 
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
 !include MdePkg/MdeLibs.dsc.inc
 
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 97539edef7..10dfc382b5 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -86,8 +86,10 @@
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 !else
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 !endif
 
 [LibraryClasses.common.PEIM]
@@ -523,6 +525,7 @@
     <LibraryClasses>
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
       Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
       NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
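Review bot: the scoped `TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf` in this <LibraryClasses> block selects the same instance the global mapping in the previous hunk already provides, and nothing in this series makes that module consume the class; drop it unless it is needed, and if it is, say why. This patch also has no commit message body, unlike 3/6 ("Compile the added TPM related code now."); a one-line description would help bisecting.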
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 28064199c8..d89da457e0 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -80,6 +80,7 @@
   PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
   PciHostBridgeUtilityLib|OvmfPkg/Library/PciHostBridgeUtilityLib/PciHostBridgeUtilityLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
 [LibraryClasses.common.DXE_DRIVER]
   ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
diff --git a/ArmVirtPkg/ArmVirtXen.dsc b/ArmVirtPkg/ArmVirtXen.dsc
index 2b07a5ba19..e41259fa54 100644
--- a/ArmVirtPkg/ArmVirtXen.dsc
+++ b/ArmVirtPkg/ArmVirtXen.dsc
@@ -50,6 +50,7 @@
   PlatformBootManagerLib|ArmPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
 [LibraryClasses.common.UEFI_DRIVER]
   UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
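Review bot: two points on the Null mappings in this patch (this hunk and the ArmVirtCloudHv/ArmVirtQemuKernel hunks above). First, with the Null instance ConfigureTpmPlatformHierarchy () is a no-op, so platformAuth stays empty on these platforms; that is consistent with TpmMeasurementLibNull on the line above (no TPM support), but a one-line comment next to the mapping, or a sentence in the commit message, should state that the platform hierarchy is intentionally left enabled there so nobody later assumes the series covers them. Second, the Null instance's INF is named PeiDxeTpmPlatformHierarchyLib.inf inside a ...LibNull directory, which breaks the convention visible in `TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf` and makes the two instances indistinguishable by file name in build logs; rename the Null INF and source to PeiDxeTpmPlatformHierarchyLibNull.inf/.c and update these paths.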
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH v3 6/6] ArmVirtPkg: Disable the TPM2 platform hierarchy
  2021-08-10 17:20 [PATCH v3 0/6] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
                   ` (4 preceding siblings ...)
  2021-08-10 17:20 ` [PATCH v3 5/6] ArmVirtPkg: Reference new TPM classes in the build system for compilation Stefan Berger
@ 2021-08-10 17:20 ` Stefan Berger
  5 siblings, 0 replies; 10+ messages in thread
From: Stefan Berger @ 2021-08-10 17:20 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger, Stefan Berger

Use the newly added function to disable the TPM2 platform hierarchy.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c      | 6 ++++++
 .../PlatformBootManagerLib/PlatformBootManagerLib.inf       | 1 +
 2 files changed, 7 insertions(+)

diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
index 69448ff65b..a45824ab06 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
@@ -17,6 +17,7 @@
 #include <Library/PlatformBmPrintScLib.h>
 #include <Library/QemuBootOrderLib.h>
 #include <Library/UefiBootManagerLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
 #include <Protocol/DevicePath.h>
 #include <Protocol/FirmwareVolume2.h>
 #include <Protocol/GraphicsOutput.h>
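Review bot: style, the new `#include <Library/TpmPlatformHierarchyLib.h>` is appended after UefiBootManagerLib.h and breaks the alphabetical order of the existing Library/ includes (PlatformBmPrintScLib, QemuBootOrderLib, UefiBootManagerLib); move it between QemuBootOrderLib.h and UefiBootManagerLib.h.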
@@ -832,6 +833,11 @@ PlatformBootManagerAfterConsole (
     EfiBootManagerConnectAll ();
   }
 
+  //
+  // Disable the TPM 2 platform hierarchy
+  //
+  ConfigureTpmPlatformHierarchy ();
+
   //
   // Enumerate all possible boot options, then filter and reorder them based on
   // the QEMU configuration.
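Review bot: ordering question for the new ConfigureTpmPlatformHierarchy () call: it runs after the (conditional) EfiBootManagerConnectAll () above, so every driver connected there, including option ROM drivers loaded from PCI devices, executes while platformAuth is still empty and could itself issue platform-authorized commands (TPM2_HierarchyChangeAuth, TPM2_Clear, NV operations in the platform hierarchy). If this position is deliberate, for example because physical-presence requests must still be processed with the empty platform authorization first, say so in the comment, which currently only restates the function name; otherwise move the call ahead of EfiBootManagerConnectAll (). The function is also VOID, so a failure inside the library (TPM error, RNG error) leaves the hierarchy open without the boot manager noticing; consider having the library report status and ASSERT or log at DEBUG_ERROR here.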
diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index 11f52e019b..cead956bfc 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -51,6 +51,7 @@
   UefiBootServicesTableLib
   UefiLib
   UefiRuntimeServicesTableLib
+  TpmPlatformHierarchyLib
 
 [FixedPcd]
   gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate
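Review bot: style, TpmPlatformHierarchyLib is appended after UefiRuntimeServicesTableLib and breaks the alphabetical order of the [LibraryClasses] list; insert it before UefiBootServicesTableLib. Since this library is built for every ArmVirt platform, this line is what forces each .dsc to resolve the class (patch 5/6); a sentence in the commit message pointing at that requirement would help anyone adding a new ArmVirt platform.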
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* Re: [PATCH v3 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
  2021-08-10 17:20 ` [PATCH v3 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
@ 2021-08-12 13:48   ` Marc-André Lureau
  2021-08-12 15:30     ` [edk2-devel] " Stefan Berger
  0 siblings, 1 reply; 10+ messages in thread
From: Marc-André Lureau @ 2021-08-12 13:48 UTC (permalink / raw)
  To: Stefan Berger
  Cc: edk2-devel-groups-io, jiewen.yao, Laszlo Ersek, dick_wilkins,
	James.Bottomley, Stefan Berger



Hi

On Tue, Aug 10, 2021 at 9:22 PM Stefan Berger <stefanb@linux.vnet.ibm.com>
wrote:

> Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms. Modify it so
> that ConfigureTpmPlatformHierarchy() is the only public function provided
> by this file.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  .../Include/Library/TpmPlatformHierarchyLib.h |  27 +++
>  .../PeiDxeTpmPlatformHierarchyLib.c           | 210 ++++++++++++++++++
>  .../PeiDxeTpmPlatformHierarchyLib.inf         |  40 ++++
>  3 files changed, 277 insertions(+)
>  create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
>  create mode 100644
> OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
>  create mode 100644
> OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
>
> diff --git a/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
> b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
> new file mode 100644
> index 0000000000..a872fa09dc
> --- /dev/null
> +++ b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
> @@ -0,0 +1,27 @@
> +/** @file
> +    TPM Platform Hierarchy configuration library.
> +
> +    This library provides functions for customizing the TPM's Platform
> Hierarchy
> +    Authorization Value (platformAuth) and Platform Hierarchy
> Authorization
> +    Policy (platformPolicy) can be defined through this function.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) Microsoft Corporation.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
> +#define _TPM_PLATFORM_HIERARCHY_LIB_H_
> +
> +/**
> +   This service will perform the TPM Platform Hierarchy configuration at
> the SmmReadyToLock event.
> +
> +**/
> +VOID
> +EFIAPI
> +ConfigureTpmPlatformHierarchy (
> +  VOID
> +  );
> +
> +#endif
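Review bot: documentation mismatch in the new header: the comment on ConfigureTpmPlatformHierarchy () says the configuration is performed "at the SmmReadyToLock event", which is where edk2-platforms calls it, but this series calls it from PlatformBootManagerAfterConsole () (patch 6/6); reword it to describe what the function does (randomize platformAuth so the platform hierarchy cannot be used once firmware hands off) and leave the call site to the caller. The file comment "Authorization Value (platformAuth) and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function" is ungrammatical and overstates the code, which changes only platformAuth and never touches platformPolicy. Nit: identifiers starting with an underscore followed by an uppercase letter are reserved to the C implementation; newer edk2 code uses guards like TPM_PLATFORM_HIERARCHY_LIB_H_.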
> diff --git
> a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
> b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
> new file mode 100644
> index 0000000000..ba2d99bb53
> --- /dev/null
> +++
> b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
> @@ -0,0 +1,210 @@
> +/** @file
> +    TPM Platform Hierarchy configuration library.
> +
> +    This library provides functions for customizing the TPM's Platform
> Hierarchy
> +    Authorization Value (platformAuth) and Platform Hierarchy
> Authorization
> +    Policy (platformPolicy) can be defined through this function.
> +
> +    Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +    Copyright (c) Microsoft Corporation.<BR>
> +    SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +    @par Specification Reference:
> +
> https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
> +**/
> +
> +#include <Uefi.h>
> +
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/RngLib.h>
> +#include <Library/Tpm2CommandLib.h>
> +#include <Library/Tpm2DeviceLib.h>
> +
> +//
> +// The authorization value may be no larger than the digest produced by
> the hash
> +//   algorithm used for context integrity.
> +//
> +#define      MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
> +
> +UINT16       mAuthSize;
> +
> +/**
> +  Generate high-quality entropy source through RDRAND.
> +
> +  @param[in]   Length        Size of the buffer, in bytes, to fill with.
> +  @param[out]  Entropy       Pointer to the buffer to store the entropy
> data.
> +
> +  @retval EFI_SUCCESS        Entropy generation succeeded.
> +  @retval EFI_NOT_READY      Failed to request random data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +RdRandGenerateEntropy (
> +  IN UINTN         Length,
> +  OUT UINT8        *Entropy
> +  )
> +{
> +  EFI_STATUS  Status;
> +  UINTN       BlockCount;
> +  UINT64      Seed[2];
> +  UINT8       *Ptr;
> +
> +  Status = EFI_NOT_READY;
> +  BlockCount = Length / 64;
> +  Ptr = (UINT8 *)Entropy;
> +
> +  //
> +  // Generate high-quality seed for DRBG Entropy
> +  //
> +  while (BlockCount > 0) {
> +    Status = GetRandomNumber128 (Seed);
> +    if (EFI_ERROR (Status)) {
> +      return Status;
> +    }
> +    CopyMem (Ptr, Seed, 64);
>

This looks like it's copying past the Seed buffer, which is 2 * sizeof(u64)
= 16.

+
> +    BlockCount--;
> +    Ptr = Ptr + 64;
> +  }
> +
> +  //
> +  // Populate the remained data as request.
> +  //
> +  Status = GetRandomNumber128 (Seed);
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +  CopyMem (Ptr, Seed, (Length % 64));
>

And then again.

Isn't there a better way to fill a buffer with random data in edk2?

+
> +  return Status;
> +}
> +
> +/**
> +  This function returns the maximum size of TPM2B_AUTH; this structure is
> used for an authorization value
> +  and limits an authValue to being no larger than the largest digest
> produced by a TPM.
> +
> +  @param[out] AuthSize                 Tpm2 Auth size
> +
> +  @retval EFI_SUCCESS                  Auth size returned.
> +  @retval EFI_DEVICE_ERROR             Can not return platform auth due
> to device error.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +GetAuthSize (
> +  OUT UINT16            *AuthSize
> +  )
> +{
> +  EFI_STATUS            Status;
> +  TPML_PCR_SELECTION    Pcrs;
> +  UINTN                 Index;
> +  UINT16                DigestSize;
> +
> +  Status = EFI_SUCCESS;
> +
> +  while (mAuthSize == 0) {
>

This is a bit odd, but ok.

+
> +    mAuthSize = SHA1_DIGEST_SIZE;
> +    ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
> +    Status = Tpm2GetCapabilityPcrs (&Pcrs);
> +
> +    if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
> +      break;
> +    }
> +
> +    DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
> +
> +    for (Index = 0; Index < Pcrs.count; Index++) {
> +      DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
> +
> +      switch (Pcrs.pcrSelections[Index].hash) {
> +      case TPM_ALG_SHA1:
> +        DigestSize = SHA1_DIGEST_SIZE;
> +        break;
> +      case TPM_ALG_SHA256:
> +        DigestSize = SHA256_DIGEST_SIZE;
> +        break;
> +      case TPM_ALG_SHA384:
> +        DigestSize = SHA384_DIGEST_SIZE;
> +        break;
> +      case TPM_ALG_SHA512:
> +        DigestSize = SHA512_DIGEST_SIZE;
> +        break;
> +      case TPM_ALG_SM3_256:
> +        DigestSize = SM3_256_DIGEST_SIZE;
> +        break;
> +      default:
> +        DigestSize = SHA1_DIGEST_SIZE;
> +        break;
> +      }
> +
> +      if (DigestSize > mAuthSize) {
> +        mAuthSize = DigestSize;
> +      }
> +    }
> +    break;
> +  }
> +
> +  *AuthSize = mAuthSize;
> +  return Status;
> +}
> +
> +/**
> +  Set PlatformAuth to random value.
> +**/
> +VOID
> +RandomizePlatformAuth (
> +  VOID
> +  )
> +{
> +  EFI_STATUS                        Status;
> +  UINT16                            AuthSize;
> +  UINT8                             *Rand;
> +  UINTN                             RandSize;
> +  TPM2B_AUTH                        NewPlatformAuth;
> +
> +  //
> +  // Send Tpm2HierarchyChange Auth with random value to avoid
> PlatformAuth being null
> +  //
> +
> +  GetAuthSize (&AuthSize);
> +
> +  ZeroMem (NewPlatformAuth.buffer, AuthSize);
> +  NewPlatformAuth.size = AuthSize;
> +
> +  //
> +  // Allocate one buffer to store random data.
> +  //
> +  RandSize = MAX_NEW_AUTHORIZATION_SIZE;
> +  Rand = AllocatePool (RandSize);
> +
> +  RdRandGenerateEntropy (RandSize, Rand);
> +  CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
>

Why generate random data for MAX_NEW_AUTHORIZATION to only copy a subset
after?

+
> +  FreePool (Rand);
> +
> +  //
> +  // Send Tpm2HierarchyChangeAuth command with the new Auth value
> +  //
> +  Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL,
> &NewPlatformAuth);
> +  DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
> +  ZeroMem (NewPlatformAuth.buffer, AuthSize);
> +  ZeroMem (Rand, RandSize);
>

Isn't Rand free at this point?

+}
> +
> +/**
> +   This service defines the configuration of the Platform Hierarchy
> Authorization Value (platformAuth)
> +   and Platform Hierarchy Authorization Policy (platformPolicy)
> +
> +**/
> +VOID
> +EFIAPI
> +ConfigureTpmPlatformHierarchy (
> +  )
> +{
> +  RandomizePlatformAuth ();
> +}
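Review bot: besides the 64-byte CopyMem and the ZeroMem on the already freed Rand buffer raised above, the error handling in this hunk never works: RngLib's GetRandomNumber128 () returns BOOLEAN (TRUE on success), not EFI_STATUS, so `Status = GetRandomNumber128 (Seed); if (EFI_ERROR (Status))` cannot fire (TRUE is 1, whose high bit is clear), a failed RNG call is treated as success, and RdRandGenerateEntropy () returns 1 rather than EFI_SUCCESS on the good path. RandomizePlatformAuth () in turn ignores the return values of GetAuthSize (), AllocatePool () and RdRandGenerateEntropy () and only DEBUG-prints the Tpm2HierarchyChangeAuth () result, so an RNG failure silently sets platformAuth to whatever the uninitialized pool contained, an allocation failure dereferences NULL, and a TPM failure silently leaves the hierarchy open. Test the BOOLEAN directly, check the pointer, and make every failure loud (DEBUG_ERROR plus ASSERT_EFI_ERROR, or let ConfigureTpmPlatformHierarchy () return the status), because the whole purpose of this library is that this step must not fail quietly. Smaller points: the Rand buffer and the extra copy can go, the random bytes can be generated straight into NewPlatformAuth.buffer for AuthSize bytes; the function name and comments talk about RDRAND although on AArch64 RngLib's source is the RNDR instruction, so name it after RngLib; the per-bank prints in GetAuthSize () use DEBUG_ERROR for informational output; and the definition `ConfigureTpmPlatformHierarchy ()` must be `(VOID)` to match the header and edk2 style.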
> diff --git
> a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> new file mode 100644
> index 0000000000..a413e02302
> --- /dev/null
> +++
> b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> @@ -0,0 +1,40 @@
> +### @file
> +#
> +#   TPM Platform Hierarchy configuration library.
> +#
> +#   This library provides functions for customizing the TPM's Platform
> Hierarchy
> +#   Authorization Value (platformAuth) and Platform Hierarchy
> Authorization
> +#   Policy (platformPolicy) can be defined through this function.
> +#
> +# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) Microsoft Corporation.<BR>
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +###
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLib
> +  FILE_GUID                      = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
> +  MODULE_TYPE                    = PEIM
> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  RngLib
> +  Tpm2CommandLib
> +  Tpm2DeviceLib
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +  CryptoPkg/CryptoPkg.dec
> +
> +[Sources]
> +  PeiDxeTpmPlatformHierarchyLib.c
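Review bot: the [Packages] and [LibraryClasses] lists do not appear to match the source: nothing in the .c includes anything from MdeModulePkg or CryptoPkg (the *_DIGEST_SIZE macros come from MdePkg's IndustryStandard/Tpm20.h via Tpm2CommandLib.h), Tpm2DeviceLib is included but no Tpm2DeviceLib function is called (the code only uses Tpm2GetCapabilityPcrs () and Tpm2HierarchyChangeAuth () from Tpm2CommandLib), and BaseLib is listed but unused; trim them so the library does not drag CryptoPkg into every platform that resolves the class. LIBRARY_CLASS also advertises PEIM support while the code relies on AllocatePool () and on a writable module global (mAuthSize), neither of which is available to XIP PEI code before permanent memory; either drop PEIM or state the constraint in the file comment. The FILE_GUID 7794F92C-4E8E-4E57-9E4A-49A0764C7D73 is reused verbatim by the Null instance in patch 2/6; each INF needs its own.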
> --
> 2.31.1
>
>


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v3 2/6] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  2021-08-10 17:20 ` [PATCH v3 2/6] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
@ 2021-08-12 13:50   ` Marc-André Lureau
  0 siblings, 0 replies; 10+ messages in thread
From: Marc-André Lureau @ 2021-08-12 13:50 UTC (permalink / raw)
  To: Stefan Berger
  Cc: edk2-devel-groups-io, jiewen.yao, Laszlo Ersek, dick_wilkins,
	James.Bottomley, Stefan Berger


Hi

On Tue, Aug 10, 2021 at 9:20 PM Stefan Berger <stefanb@linux.vnet.ibm.com>
wrote:

> Add a NULL implementation of the library class TpmPlatformHierarchyLib
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>

This patch doesn't pass BaseTools/Scripts/PatchCheck.py

---
>  .../PeiDxeTpmPlatformHierarchyLib.c           | 19 ++++++++++++
>  .../PeiDxeTpmPlatformHierarchyLib.inf         | 31 +++++++++++++++++++
>  2 files changed, 50 insertions(+)
>  create mode 100644
> OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
>  create mode 100644
> OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
>
> diff --git
> a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
> b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
> new file mode 100644
> index 0000000000..a4d38a1465
> --- /dev/null
> +++
> b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
> @@ -0,0 +1,19 @@
> +/** @file
> +    Null TPM Platform Hierarchy configuration library.
> +
> +    This library provides stub functions for customizing the TPM's
> Platform Hierarchy.
> +
> +    Copyright (c) 2021, IBM Corporation.
> +    SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Uefi.h>
> +
> +VOID
> +EFIAPI
> +ConfigureTpmPlatformHierarchy (
> +  )
> +{
> +  /* no nothing */
> +}
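Review bot: the Null instance does not include <Library/TpmPlatformHierarchyLib.h>, so the compiler cannot check this definition against the prototype, and `ConfigureTpmPlatformHierarchy ()` should be `(VOID)` as in the header; add the include and the VOID. The comment `/* no nothing */` has a typo (do nothing) and edk2 style uses `//` comments. A short doc comment saying that this instance intentionally leaves the platform hierarchy enabled would help whoever maps it into a .dsc.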
> diff --git
> a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
> b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
> new file mode 100644
> index 0000000000..f0c474d57c
> --- /dev/null
> +++
> b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
> @@ -0,0 +1,31 @@
> +### @file
> +#
> +#   TPM Platform Hierarchy configuration library.
> +#
> +#   This library provides functions for customizing the TPM's Platform
> Hierarchy
> +#   Authorization Value (platformAuth) and Platform Hierarchy
> Authorization
> +#   Policy (platformPolicy) can be defined through this function.
> +#
> +# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) Microsoft Corporation.<BR>
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +###
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLibNull
> +  FILE_GUID                      = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
>

Looking at other files, I think it must be unique. (don't ask me why though)

+  MODULE_TYPE                    = PEIM
> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
> +
> +[LibraryClasses]
> +  BaseLib
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +
> +[Sources]
> +  PeiDxeTpmPlatformHierarchyLib.c
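Review bot: the INF header is copied from the real instance and claims the library "provides functions for customizing the TPM's Platform Hierarchy" under the Intel/Microsoft copyright, while the matching .c says it is a Null stub under IBM copyright; make the header describe the Null instance and carry the same copyright as the source. BaseLib is listed in [LibraryClasses] but the stub uses nothing from it. On the FILE_GUID, agreed that it must be unique; generate a fresh one (uuidgen) instead of copying the real instance's.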
> --
> 2.31.1
>
>


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [edk2-devel] [PATCH v3 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
  2021-08-12 13:48   ` Marc-André Lureau
@ 2021-08-12 15:30     ` Stefan Berger
  0 siblings, 0 replies; 10+ messages in thread
From: Stefan Berger @ 2021-08-12 15:30 UTC (permalink / raw)
  To: devel, mlureau, Stefan Berger
  Cc: jiewen.yao, Laszlo Ersek, dick_wilkins, James.Bottomley



On 8/12/21 9:48 AM, Marc-André Lureau wrote:
> Hi
>
> On Tue, Aug 10, 2021 at 9:22 PM Stefan Berger <stefanb@linux.vnet.ibm.com> wrote:
>
>     Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms. Modify
>     it so
>     that ConfigureTpmPlatformHierarchy() is the only public function
>     provided
>     by this file.
>
>     Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>     ---
>      .../Include/Library/TpmPlatformHierarchyLib.h |  27 +++
>      .../PeiDxeTpmPlatformHierarchyLib.c           | 210
>     ++++++++++++++++++
>      .../PeiDxeTpmPlatformHierarchyLib.inf         |  40 ++++
>      3 files changed, 277 insertions(+)
>      create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
>      create mode 100644
>     OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
>      create mode 100644
>     OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
>
>     diff --git a/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
>     b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
>     new file mode 100644
>     index 0000000000..a872fa09dc
>     --- /dev/null
>     +++ b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
>     @@ -0,0 +1,27 @@
>     +/** @file
>     +    TPM Platform Hierarchy configuration library.
>     +
>     +    This library provides functions for customizing the TPM's
>     Platform Hierarchy
>     +    Authorization Value (platformAuth) and Platform Hierarchy
>     Authorization
>     +    Policy (platformPolicy) can be defined through this function.
>     +
>     +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>     +Copyright (c) Microsoft Corporation.<BR>
>     +SPDX-License-Identifier: BSD-2-Clause-Patent
>     +
>     +**/
>     +
>     +#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
>     +#define _TPM_PLATFORM_HIERARCHY_LIB_H_
>     +
>     +/**
>     +   This service will perform the TPM Platform Hierarchy
>     configuration at the SmmReadyToLock event.
>     +
>     +**/
>     +VOID
>     +EFIAPI
>     +ConfigureTpmPlatformHierarchy (
>     +  VOID
>     +  );
>     +
>     +#endif
>     diff --git
>     a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
>     b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
>     new file mode 100644
>     index 0000000000..ba2d99bb53
>     --- /dev/null
>     +++
>     b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
>     @@ -0,0 +1,210 @@
>     +/** @file
>     +    TPM Platform Hierarchy configuration library.
>     +
>     +    This library provides functions for customizing the TPM's
>     Platform Hierarchy
>     +    Authorization Value (platformAuth) and Platform Hierarchy
>     Authorization
>     +    Policy (platformPolicy) can be defined through this function.
>     +
>     +    Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>     +    Copyright (c) Microsoft Corporation.<BR>
>     +    SPDX-License-Identifier: BSD-2-Clause-Patent
>     +
>     +    @par Specification Reference:
>     +
>     https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
>     +**/
>     +
>     +#include <Uefi.h>
>     +
>     +#include <Library/BaseMemoryLib.h>
>     +#include <Library/DebugLib.h>
>     +#include <Library/MemoryAllocationLib.h>
>     +#include <Library/RngLib.h>
>     +#include <Library/Tpm2CommandLib.h>
>     +#include <Library/Tpm2DeviceLib.h>
>     +
>     +//
>     +// The authorization value may be no larger than the digest
>     produced by the hash
>     +//   algorithm used for context integrity.
>     +//
>     +#define      MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
>     +
>     +UINT16       mAuthSize;
>     +
>     +/**
>     +  Generate high-quality entropy source through RDRAND.
>     +
>     +  @param[in]   Length        Size of the buffer, in bytes, to
>     fill with.
>     +  @param[out]  Entropy       Pointer to the buffer to store the
>     entropy data.
>     +
>     +  @retval EFI_SUCCESS        Entropy generation succeeded.
>     +  @retval EFI_NOT_READY      Failed to request random data.
>     +
>     +**/
>     +EFI_STATUS
>     +EFIAPI
>     +RdRandGenerateEntropy (
>     +  IN UINTN         Length,
>     +  OUT UINT8        *Entropy
>     +  )
>     +{
>     +  EFI_STATUS  Status;
>     +  UINTN       BlockCount;
>     +  UINT64      Seed[2];
>     +  UINT8       *Ptr;
>     +
>     +  Status = EFI_NOT_READY;
>     +  BlockCount = Length / 64;
>     +  Ptr = (UINT8 *)Entropy;
>     +
>     +  //
>     +  // Generate high-quality seed for DRBG Entropy
>     +  //
>     +  while (BlockCount > 0) {
>     +    Status = GetRandomNumber128 (Seed);
>     +    if (EFI_ERROR (Status)) {
>     +      return Status;
>     +    }
>     +    CopyMem (Ptr, Seed, 64);
>
>
> This looks like it's copying past the Seed buffer, which is 2 * 
> sizeof(u64) = 16.

Ha! Thanks for looking at this. Those seem to be the pitfalls of blindly 
importing code from edk2-platforms. Now the question is whether to leave 
it broken in edk2-platforms or fix it there first before trying to 
import it to edk2. In the interest of time I'd rather fix it here. 
Obviously the BlockCount is also wrong.


>
>     +
>     +    BlockCount--;
>     +    Ptr = Ptr + 64;
>     +  }
>     +
>     +  //
>     +  // Populate the remained data as request.
>     +  //
>     +  Status = GetRandomNumber128 (Seed);
>     +  if (EFI_ERROR (Status)) {
>     +    return Status;
>     +  }
>     +  CopyMem (Ptr, Seed, (Length % 64));
>
>
> And then again.
>
> Isn't there a better way to fill a buffer with random data in edk2?

I don't know. On ARM it *looks like* the path goes down to an assembly 
instruction getting 64bit random number from the hardware: 
MdePkg/Library/BaseRngLib/AArch64/ArmRng.asm

On x86 it will end up calling GenerateRandomNumberViaNist800Algorithm: 
MdePkg/Library/DxeRngLib/DxeRngLib.c


CryptoPkg/Driver/Crypto.c has this here:

BOOLEAN
EFIAPI
CryptoServiceRandomSeed (
   IN  CONST  UINT8  *Seed  OPTIONAL,
   IN  UINTN         SeedSize
   )
{
   return CALL_BASECRYPTLIB (Random.Services.Seed, RandomSeed, (Seed, SeedSize), FALSE);
}

and this one:

BOOLEAN
EFIAPI
CryptoServiceRandomBytes (
   OUT  UINT8  *Output,
   IN   UINTN  Size
   )
{
   return CALL_BASECRYPTLIB (Random.Services.Bytes, RandomBytes, (Output, Size), FALSE);
}


Those are pseudorandom numbers. I don't know about others.


>
>     +
>     +  return Status;
>     +}
>     +
>     +/**
>     +  This function returns the maximum size of TPM2B_AUTH; this
>     structure is used for an authorization value
>     +  and limits an authValue to being no larger than the largest
>     digest produced by a TPM.
>     +
>     +  @param[out] AuthSize                 Tpm2 Auth size
>     +
>     +  @retval EFI_SUCCESS                  Auth size returned.
>     +  @retval EFI_DEVICE_ERROR             Can not return platform
>     auth due to device error.
>     +
>     +**/
>     +EFI_STATUS
>     +EFIAPI
>     +GetAuthSize (
>     +  OUT UINT16            *AuthSize
>     +  )
>     +{
>     +  EFI_STATUS            Status;
>     +  TPML_PCR_SELECTION    Pcrs;
>     +  UINTN                 Index;
>     +  UINT16                DigestSize;
>     +
>     +  Status = EFI_SUCCESS;
>     +
>     +  while (mAuthSize == 0) {
>
>
> This is a bit odd, but ok.
>
>     +
>     +    mAuthSize = SHA1_DIGEST_SIZE;
>     +    ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
>     +    Status = Tpm2GetCapabilityPcrs (&Pcrs);
>     +
>     +    if (EFI_ERROR (Status)) {
>     +      DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
>     +      break;
>     +    }
>     +
>     +    DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n",
>     Pcrs.count));
>     +
>     +    for (Index = 0; Index < Pcrs.count; Index++) {
>     +      DEBUG ((DEBUG_ERROR, "alg - %x\n",
>     Pcrs.pcrSelections[Index].hash));
>     +
>     +      switch (Pcrs.pcrSelections[Index].hash) {
>     +      case TPM_ALG_SHA1:
>     +        DigestSize = SHA1_DIGEST_SIZE;
>     +        break;
>     +      case TPM_ALG_SHA256:
>     +        DigestSize = SHA256_DIGEST_SIZE;
>     +        break;
>     +      case TPM_ALG_SHA384:
>     +        DigestSize = SHA384_DIGEST_SIZE;
>     +        break;
>     +      case TPM_ALG_SHA512:
>     +        DigestSize = SHA512_DIGEST_SIZE;
>     +        break;
>     +      case TPM_ALG_SM3_256:
>     +        DigestSize = SM3_256_DIGEST_SIZE;
>     +        break;
>     +      default:
>     +        DigestSize = SHA1_DIGEST_SIZE;
>     +        break;
>     +      }
>     +
>     +      if (DigestSize > mAuthSize) {
>     +        mAuthSize = DigestSize;
>     +      }
>     +    }
>     +    break;
>     +  }
>     +
>     +  *AuthSize = mAuthSize;
>     +  return Status;
>     +}
>     +
>     +/**
>     +  Set PlatformAuth to random value.
>     +**/
>     +VOID
>     +RandomizePlatformAuth (
>     +  VOID
>     +  )
>     +{
>     +  EFI_STATUS                        Status;
>     +  UINT16                            AuthSize;
>     +  UINT8                             *Rand;
>     +  UINTN                             RandSize;
>     +  TPM2B_AUTH                        NewPlatformAuth;
>     +
>     +  //
>     +  // Send Tpm2HierarchyChange Auth with random value to avoid
>     PlatformAuth being null
>     +  //
>     +
>     +  GetAuthSize (&AuthSize);
>     +
>     +  ZeroMem (NewPlatformAuth.buffer, AuthSize);
>     +  NewPlatformAuth.size = AuthSize;
>     +
>     +  //
>     +  // Allocate one buffer to store random data.
>     +  //
>     +  RandSize = MAX_NEW_AUTHORIZATION_SIZE;
>     +  Rand = AllocatePool (RandSize);
>     +
>     +  RdRandGenerateEntropy (RandSize, Rand);
>     +  CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
>
>
> Why generate random data for MAX_NEW_AUTHORIZATION to only copy a 
> subset after?
>
>     +
>     +  FreePool (Rand);
>     +
>     +  //
>     +  // Send Tpm2HierarchyChangeAuth command with the new Auth value
>     +  //
>     +  Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL,
>     &NewPlatformAuth);
>     +  DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n",
>     Status));
>     +  ZeroMem (NewPlatformAuth.buffer, AuthSize);
>     +  ZeroMem (Rand, RandSize);
>
>
> Isn't Rand free at this point?


Indeed!


>
>     +}
>     +
>     +/**
>     +   This service defines the configuration of the Platform
>     Hierarchy Authorization Value (platformAuth)
>     +   and Platform Hierarchy Authorization Policy (platformPolicy)
>     +
>     +**/
>     +VOID
>     +EFIAPI
>     +ConfigureTpmPlatformHierarchy (
>     +  )
>     +{
>     +  RandomizePlatformAuth ();
>     +}
>     diff --git
>     a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
>     b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
>     new file mode 100644
>     index 0000000000..a413e02302
>     --- /dev/null
>     +++
>     b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
>     @@ -0,0 +1,40 @@
>     +### @file
>     +#
>     +#   TPM Platform Hierarchy configuration library.
>     +#
>     +#   This library provides functions for customizing the TPM's
>     Platform Hierarchy
>     +#   Authorization Value (platformAuth) and Platform Hierarchy
>     Authorization
>     +#   Policy (platformPolicy) can be defined through this function.
>     +#
>     +# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>     +# Copyright (c) Microsoft Corporation.<BR>
>     +#
>     +# SPDX-License-Identifier: BSD-2-Clause-Patent
>     +#
>     +###
>     +
>     +[Defines]
>     +  INF_VERSION                    = 0x00010005
>     +  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLib
>     +  FILE_GUID                      =
>     7794F92C-4E8E-4E57-9E4A-49A0764C7D73
>     +  MODULE_TYPE                    = PEIM
>     +  VERSION_STRING                 = 1.0
>     +  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM
>     DXE_DRIVER
>     +
>     +[LibraryClasses]
>     +  BaseLib
>     +  BaseMemoryLib
>     +  DebugLib
>     +  MemoryAllocationLib
>     +  RngLib
>     +  Tpm2CommandLib
>     +  Tpm2DeviceLib
>     +
>     +[Packages]
>     +  MdePkg/MdePkg.dec
>     +  MdeModulePkg/MdeModulePkg.dec
>     +  SecurityPkg/SecurityPkg.dec
>     +  CryptoPkg/CryptoPkg.dec
>     +
>     +[Sources]
>     +  PeiDxeTpmPlatformHierarchyLib.c
>     -- 
>     2.31.1
>
> 


^ permalink raw reply	[flat|nested] 10+ messages in thread
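Marc-André's question above ("Isn't there a better way to fill a buffer with random data in edk2?") and the RngLib discussion in the reply both come down to the same two defects in the imported RdRandGenerateEntropy(): copying 64 bytes out of a 16-byte Seed array, and storing RngLib's BOOLEAN result in an EFI_STATUS, where TRUE (1) never trips EFI_ERROR. The following is an added example, not code from the patch, from edk2 or from either poster, showing how a buffer of arbitrary length is filled from a 16-byte RNG primitive without overrun and with the BOOLEAN checked. MockGetRandomNumber128() is a constructed, deterministic stand-in for RngLib's GetRandomNumber128() (same signature, not a cryptographic source, only so the file runs offline), mMockRngFails is a test hook that does not exist in RngLib, and FillRandomBuffer(), FillStaysInBounds() and FailureIsReported() are names chosen here; in firmware the call would go to the real GetRandomNumber128() and ZeroMem()/CopyMem() would replace the libc calls.

```c
/*
 * Added example (not part of the posted patch or of edk2): fill an
 * arbitrary-length buffer from a fixed-width RNG primitive without
 * overrunning the source word, and report failure as a BOOLEAN the
 * way RngLib does.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef uint8_t   UINT8;
typedef uint64_t  UINT64;
typedef size_t    UINTN;
typedef int       BOOLEAN;
#define TRUE   1
#define FALSE  0

/* Assumption: test hook to simulate an RNG failure (not in RngLib). */
static BOOLEAN  mMockRngFails = FALSE;

/* Constructed stand-in for RngLib's GetRandomNumber128 (): same signature,
   deterministic SplitMix64 stream, NOT a cryptographic generator. */
static UINT64  mMockState = 0x9E3779B97F4A7C15ULL;

static UINT64
MockNext64 (void)
{
  UINT64  z = (mMockState += 0x9E3779B97F4A7C15ULL);
  z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
  z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
  return z ^ (z >> 31);
}

BOOLEAN
MockGetRandomNumber128 (UINT64 *Rand)
{
  if (mMockRngFails) {
    return FALSE;          /* RngLib reports failure with FALSE, not EFI_STATUS */
  }
  Rand[0] = MockNext64 ();
  Rand[1] = MockNext64 ();
  return TRUE;
}

/*
 * Fill Length bytes at Entropy from 16-byte RNG words. Unlike the posted
 * RdRandGenerateEntropy (): the copy size is bounded by sizeof (Seed),
 * the trailing partial block copies only the bytes still needed, and the
 * BOOLEAN result of the RNG call is tested directly.
 */
BOOLEAN
FillRandomBuffer (UINTN Length, UINT8 *Entropy)
{
  UINT64  Seed[2];
  UINTN   Remaining;
  UINT8   *Ptr;

  if (Entropy == NULL && Length != 0) {
    return FALSE;
  }
  Remaining = Length;
  Ptr       = Entropy;
  while (Remaining > 0) {
    UINTN  Chunk;

    if (!MockGetRandomNumber128 (Seed)) {
      memset (Entropy, 0, Length);  /* never hand back a partially filled buffer */
      return FALSE;
    }
    Chunk = Remaining < sizeof (Seed) ? Remaining : sizeof (Seed);
    memcpy (Ptr, Seed, Chunk);
    Ptr       += Chunk;
    Remaining -= Chunk;
  }
  memset (Seed, 0, sizeof (Seed));  /* scrub the last word (use ZeroMem in edk2) */
  return TRUE;
}

/*
 * Fills a 45-byte region inside a canary buffer and checks that the guard
 * bytes on both sides are untouched and that the region actually changed;
 * the patch's 64-byte CopyMem would overwrite the trailing guard.
 */
int
FillStaysInBounds (void)
{
  UINT8  Buf[8 + 45 + 8];
  UINTN  i;
  UINTN  Changed;

  memset (Buf, 0xA5, sizeof (Buf));
  mMockRngFails = FALSE;
  if (!FillRandomBuffer (45, Buf + 8)) {
    return 0;
  }
  for (i = 0; i < 8; i++) {
    if (Buf[i] != 0xA5 || Buf[8 + 45 + i] != 0xA5) {
      return 0;                   /* a guard byte was overwritten */
    }
  }
  Changed = 0;
  for (i = 8; i < 8 + 45; i++) {
    if (Buf[i] != 0xA5) {
      Changed++;
    }
  }
  return Changed > 0;
}

/* Returns 1 when an RNG failure is reported and the output left zeroed. */
int
FailureIsReported (void)
{
  UINT8  Buf[20];
  UINTN  i;

  memset (Buf, 0xFF, sizeof (Buf));
  mMockRngFails = TRUE;
  if (FillRandomBuffer (sizeof (Buf), Buf)) {
    mMockRngFails = FALSE;
    return 0;                     /* failure was swallowed, as in the patch */
  }
  mMockRngFails = FALSE;
  for (i = 0; i < sizeof (Buf); i++) {
    if (Buf[i] != 0) {
      return 0;
    }
  }
  return 1;
}
```

The point of returning a BOOLEAN and zeroing on failure is that the caller (RandomizePlatformAuth () in the patch) cannot accidentally feed an unfilled buffer to Tpm2HierarchyChangeAuth (); with the original EFI_STATUS misuse, the RNG could fail on every call and the function would still report success.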

end of thread, other threads:[~2021-08-12 15:30 UTC | newest]

Thread overview: 10+ messages
2021-08-10 17:20 [PATCH v3 0/6] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
2021-08-10 17:20 ` [PATCH v3 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
2021-08-12 13:48   ` Marc-André Lureau
2021-08-12 15:30     ` [edk2-devel] " Stefan Berger
2021-08-10 17:20 ` [PATCH v3 2/6] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
2021-08-12 13:50   ` Marc-André Lureau
2021-08-10 17:20 ` [PATCH v3 3/6] OvmfPkg: Reference new TPM classes in the build system for compilation Stefan Berger
2021-08-10 17:20 ` [PATCH v3 4/6] OvmfPkg: Disable the TPM2 platform hierarchy Stefan Berger
2021-08-10 17:20 ` [PATCH v3 5/6] ArmVirtPkg: Reference new TPM classes in the build system for compilation Stefan Berger
2021-08-10 17:20 ` [PATCH v3 6/6] ArmVirtPkg: Disable the TPM2 platform hierarchy Stefan Berger
