public inbox for devel@edk2.groups.io
* [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy
@ 2021-08-12 16:59 Stefan Berger
  2021-08-12 16:59 ` [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
                   ` (6 more replies)
  0 siblings, 7 replies; 14+ messages in thread
From: Stefan Berger @ 2021-08-12 16:59 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger

This series imports code from the edk2-platforms project related to
changing the password of the TPM2 platform hierarchy and uses it to
disable the TPM2 platform hierarchy in Ovmf and ArmVirtPkg. It
addresses the Ovmf aspects of the following bugs:

https://bugzilla.tianocore.org/show_bug.cgi?id=3510
https://bugzilla.tianocore.org/show_bug.cgi?id=3499

I have patched the .dsc files and successfully test-built with most of
them. Some I could not build because they failed for other reasons
unrelated to this series.

I tested the changes with QEMU on x86 following the build of
ArmVirtQemu.dsc and OvmfPkgX64.dsc.

The platform hierarchy is disabled after PPI has possibly been handled.
Following the TPM 2 logs on Arm, only PCR extensions follow afterwards
until GRUB takes over.

Neither one of the following commands should work anymore on first
try:

With IBM tss2 tools:
tsshierarchychangeauth -hi p -pwdn newpass

With Intel tss2 tools:
tpm2_changeauth -c platform newpass

Regards,
  Stefan

v4:
 - Fixed and simplified code imported from edk2-platforms

v3:
 - Referencing Null implementation on Bhyve and Xen platforms
 - Add support in ArmVirtPkg

Stefan Berger (6):
  OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
    edk2-platforms
  OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  OvmfPkg: Reference new TPM classes in the build system for compilation
  OvmfPkg: Disable the TPM2 platform hierarchy
  ArmVirtPkg: Reference new TPM classes in the build system for
    compilation
  ArmVirtPkg: Disable the TPM2 platform hierarchy

 ArmVirtPkg/ArmVirtCloudHv.dsc                 |   1 +
 ArmVirtPkg/ArmVirtQemu.dsc                    |   3 +
 ArmVirtPkg/ArmVirtQemuKernel.dsc              |   1 +
 ArmVirtPkg/ArmVirtXen.dsc                     |   1 +
 .../PlatformBootManagerLib/PlatformBm.c       |   6 +
 .../PlatformBootManagerLib.inf                |   1 +
 OvmfPkg/AmdSev/AmdSevX64.dsc                  |   3 +
 OvmfPkg/Bhyve/BhyveX64.dsc                    |   1 +
 .../Include/Library/TpmPlatformHierarchyLib.h |  27 +++
 .../PeiDxeTpmPlatformHierarchyLib.c           | 200 ++++++++++++++++++
 .../PeiDxeTpmPlatformHierarchyLib.inf         |  40 ++++
 .../PeiDxeTpmPlatformHierarchyLib.c           |  19 ++
 .../PeiDxeTpmPlatformHierarchyLib.inf         |  31 +++
 .../PlatformBootManagerLib/BdsPlatform.c      |   6 +
 .../PlatformBootManagerLib.inf                |   1 +
 .../PlatformBootManagerLibBhyve/BdsPlatform.c |   7 +
 .../PlatformBootManagerLibGrub/BdsPlatform.c  |   7 +
 OvmfPkg/OvmfPkgIa32.dsc                       |   3 +
 OvmfPkg/OvmfPkgIa32X64.dsc                    |   3 +
 OvmfPkg/OvmfPkgX64.dsc                        |   3 +
 OvmfPkg/OvmfXen.dsc                           |   1 +
 21 files changed, 365 insertions(+)
 create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf

-- 
2.31.1



* [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
  2021-08-12 16:59 [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
@ 2021-08-12 16:59 ` Stefan Berger
  2021-08-12 20:59   ` [edk2-devel] " Sean
  2021-08-12 16:59 ` [PATCH v4 2/6] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
                   ` (5 subsequent siblings)
  6 siblings, 1 reply; 14+ messages in thread
From: Stefan Berger @ 2021-08-12 16:59 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger, Stefan Berger

Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms. Fix some bugs
from the original code and simplify parts of it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 .../Include/Library/TpmPlatformHierarchyLib.h |  27 +++
 .../PeiDxeTpmPlatformHierarchyLib.c           | 200 ++++++++++++++++++
 .../PeiDxeTpmPlatformHierarchyLib.inf         |  40 ++++
 3 files changed, 267 insertions(+)
 create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf

diff --git a/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
new file mode 100644
index 0000000000..a872fa09dc
--- /dev/null
+++ b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
@@ -0,0 +1,27 @@
+/** @file
+    TPM Platform Hierarchy configuration library.
+
+    This library provides functions for customizing the TPM's Platform Hierarchy
+    Authorization Value (platformAuth) and Platform Hierarchy Authorization
+    Policy (platformPolicy) can be defined through this function.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
+#define _TPM_PLATFORM_HIERARCHY_LIB_H_
+
+/**
+   This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
+
+**/
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+  VOID
+  );
+
+#endif
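Review bot: the doc comment on ConfigureTpmPlatformHierarchy says the configuration happens "at the SmmReadyToLock event", but patch 4/6 of this series calls it from PlatformBootManagerAfterConsole, right after Tcg2PhysicalPresenceLibProcessRequest; the comment should describe the OVMF call site, or be made neutral ("performs the TPM Platform Hierarchy configuration"). The file-level description is also a run-on ("provides functions for customizing ... Policy (platformPolicy) can be defined through this function"); suggest "This library provides functions for customizing the TPM's Platform Hierarchy Authorization Value (platformAuth) and Platform Hierarchy Authorization Policy (platformPolicy)." Style nit: the include guard `_TPM_PLATFORM_HIERARCHY_LIB_H_` uses a leading underscore, which newer edk2 code avoids in favour of `TPM_PLATFORM_HIERARCHY_LIB_H_`.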
diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
new file mode 100644
index 0000000000..a0dc848abd
--- /dev/null
+++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
@@ -0,0 +1,200 @@
+/** @file
+    TPM Platform Hierarchy configuration library.
+
+    This library provides functions for customizing the TPM's Platform Hierarchy
+    Authorization Value (platformAuth) and Platform Hierarchy Authorization
+    Policy (platformPolicy) can be defined through this function.
+
+    Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+    Copyright (c) Microsoft Corporation.<BR>
+    SPDX-License-Identifier: BSD-2-Clause-Patent
+
+    @par Specification Reference:
+    https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
+**/
+
+#include <Uefi.h>
+
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/RngLib.h>
+#include <Library/Tpm2CommandLib.h>
+#include <Library/Tpm2DeviceLib.h>
+
+//
+// The authorization value may be no larger than the digest produced by the hash
+//   algorithm used for context integrity.
+//
+
+UINT16       mAuthSize;
+
+/**
+  Generate high-quality entropy source through RDRAND.
+
+  @param[in]   Length        Size of the buffer, in bytes, to fill with.
+  @param[out]  Entropy       Pointer to the buffer to store the entropy data.
+
+  @retval EFI_SUCCESS        Entropy generation succeeded.
+  @retval EFI_NOT_READY      Failed to request random data.
+
+**/
+EFI_STATUS
+EFIAPI
+RdRandGenerateEntropy (
+  IN UINTN         Length,
+  OUT UINT8        *Entropy
+  )
+{
+  EFI_STATUS  Status;
+  UINTN       BlockCount;
+  UINT64      Seed[2];
+  UINT8       *Ptr;
+
+  Status = EFI_NOT_READY;
+  BlockCount = Length / sizeof(Seed);
+  Ptr = (UINT8 *)Entropy;
+
+  //
+  // Generate high-quality seed for DRBG Entropy
+  //
+  while (BlockCount > 0) {
+    Status = GetRandomNumber128 (Seed);
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+    CopyMem (Ptr, Seed, sizeof(Seed));
+
+    BlockCount--;
+    Ptr = Ptr + sizeof(Seed);
+  }
+
+  //
+  // Populate the remained data as request.
+  //
+  Status = GetRandomNumber128 (Seed);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+  CopyMem (Ptr, Seed, (Length % sizeof(Seed)));
+
+  return Status;
+}
+
+/**
+  This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value
+  and limits an authValue to being no larger than the largest digest produced by a TPM.
+
+  @param[out] AuthSize                 Tpm2 Auth size
+
+  @retval EFI_SUCCESS                  Auth size returned.
+  @retval EFI_DEVICE_ERROR             Can not return platform auth due to device error.
+
+**/
+EFI_STATUS
+EFIAPI
+GetAuthSize (
+  OUT UINT16            *AuthSize
+  )
+{
+  EFI_STATUS            Status;
+  TPML_PCR_SELECTION    Pcrs;
+  UINTN                 Index;
+  UINT16                DigestSize;
+
+  Status = EFI_SUCCESS;
+
+  while (mAuthSize == 0) {
+
+    mAuthSize = SHA1_DIGEST_SIZE;
+    ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
+    Status = Tpm2GetCapabilityPcrs (&Pcrs);
+
+    if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
+      break;
+    }
+
+    DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
+
+    for (Index = 0; Index < Pcrs.count; Index++) {
+      DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
+
+      switch (Pcrs.pcrSelections[Index].hash) {
+      case TPM_ALG_SHA1:
+        DigestSize = SHA1_DIGEST_SIZE;
+        break;
+      case TPM_ALG_SHA256:
+        DigestSize = SHA256_DIGEST_SIZE;
+        break;
+      case TPM_ALG_SHA384:
+        DigestSize = SHA384_DIGEST_SIZE;
+        break;
+      case TPM_ALG_SHA512:
+        DigestSize = SHA512_DIGEST_SIZE;
+        break;
+      case TPM_ALG_SM3_256:
+        DigestSize = SM3_256_DIGEST_SIZE;
+        break;
+      default:
+        DigestSize = SHA1_DIGEST_SIZE;
+        break;
+      }
+
+      if (DigestSize > mAuthSize) {
+        mAuthSize = DigestSize;
+      }
+    }
+    break;
+  }
+
+  *AuthSize = mAuthSize;
+  return Status;
+}
+
+/**
+  Set PlatformAuth to random value.
+**/
+VOID
+RandomizePlatformAuth (
+  VOID
+  )
+{
+  EFI_STATUS                        Status;
+  UINT16                            AuthSize;
+  TPM2B_AUTH                        NewPlatformAuth;
+
+  //
+  // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
+  //
+
+  GetAuthSize (&AuthSize);
+
+  NewPlatformAuth.size = AuthSize;
+
+  //
+  // Create the random bytes in the destination buffer
+  //
+
+  RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer);
+
+  //
+  // Send Tpm2HierarchyChangeAuth command with the new Auth value
+  //
+  Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
+  DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
+  ZeroMem (NewPlatformAuth.buffer, AuthSize);
+}
+
+/**
+   This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
+   and Platform Hierarchy Authorization Policy (platformPolicy)
+
+**/
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+  )
+{
+  RandomizePlatformAuth ();
+}
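Review bot: the error handling in RdRandGenerateEntropy does not work, and its result is ignored by the caller, so a failed RNG can end up as the new platformAuth. GetRandomNumber128 in MdePkg's RngLib returns BOOLEAN, not EFI_STATUS, so `Status = GetRandomNumber128 (Seed); if (EFI_ERROR (Status))` never fires: on failure Status is 0 (EFI_SUCCESS), on success it is 1, which is what the function finally returns. Suggest `if (!GetRandomNumber128 (Seed)) { return EFI_NOT_READY; }` and a plain `return EFI_SUCCESS;` at the end. In RandomizePlatformAuth the return value of `RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer);` is discarded, and NewPlatformAuth is an uninitialized local, so on failure Tpm2HierarchyChangeAuth is sent with stack contents (or a partially filled buffer) as the authorization value; the call should be skipped with a DEBUG_ERROR (or ASSERT) when entropy generation fails. Smaller points in the same hunk: the function name and comment say RDRAND, but the library goes through the generic RngLib and is also wired into ArmVirtPkg later in the series, so a neutral name such as GenerateEntropy fits better; `while (mAuthSize == 0) { ... break; }` runs at most once and reads more clearly as `if (mAuthSize == 0)`; the "Tpm2GetCapabilityPcrs - %08x" and "alg - %x" messages are informational and should use DEBUG_INFO rather than DEBUG_ERROR; the definition `ConfigureTpmPlatformHierarchy ( )` should spell out `(VOID)` to match the header; and `<Library/MemoryAllocationLib.h>` is included but nothing is allocated here.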
diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
new file mode 100644
index 0000000000..a413e02302
--- /dev/null
+++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
@@ -0,0 +1,40 @@
+### @file
+#
+#   TPM Platform Hierarchy configuration library.
+#
+#   This library provides functions for customizing the TPM's Platform Hierarchy
+#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
+#   Policy (platformPolicy) can be defined through this function.
+#
+# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.<BR>
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+###
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLib
+  FILE_GUID                      = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
+  MODULE_TYPE                    = PEIM
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  RngLib
+  Tpm2CommandLib
+  Tpm2DeviceLib
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+  CryptoPkg/CryptoPkg.dec
+
+[Sources]
+  PeiDxeTpmPlatformHierarchyLib.c
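Review bot: the [LibraryClasses] list does not match the source in the previous hunk: BaseLib is listed but nothing from it is included or used, and MemoryAllocationLib is listed although the .c performs no allocation. CryptoPkg/CryptoPkg.dec in [Packages] also looks unneeded, since the source includes nothing from CryptoPkg and the SHA*/SM3 digest-size macros it uses come from IndustryStandard/Tpm20.h via Tpm2CommandLib.h; worth confirming with a build before dropping it. Keeping the dependencies minimal matters for a library that is linked into both PEI and DXE modules.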
-- 
2.31.1



* [PATCH v4 2/6] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  2021-08-12 16:59 [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
  2021-08-12 16:59 ` [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
@ 2021-08-12 16:59 ` Stefan Berger
  2021-08-12 16:59 ` [PATCH v4 3/6] OvmfPkg: Reference new TPM classes in the build system for compilation Stefan Berger
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 14+ messages in thread
From: Stefan Berger @ 2021-08-12 16:59 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger, Stefan Berger

Add a NULL implementation of the library class TpmPlatformHierarchyLib.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 .../PeiDxeTpmPlatformHierarchyLib.c           | 19 ++++++++++++
 .../PeiDxeTpmPlatformHierarchyLib.inf         | 31 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf

diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
new file mode 100644
index 0000000000..b63729594f
--- /dev/null
+++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
@@ -0,0 +1,19 @@
+/** @file
+    Null TPM Platform Hierarchy configuration library.
+
+    This library provides stub functions for customizing the TPM's Platform Hierarchy.
+
+    Copyright (c) 2021, IBM Corporation.
+    SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+  )
+{
+  /* no nothing */
+}
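Review bot: the comment `/* no nothing */` is a typo for "do nothing", and edk2 style uses `//` comments; `ConfigureTpmPlatformHierarchy ( )` should be `(VOID)` as in the header. The file should also `#include <Library/TpmPlatformHierarchyLib.h>` so that the compiler checks the stub against the declared prototype; as written, a signature change in the header would go unnoticed here.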
diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
new file mode 100644
index 0000000000..2a3597004e
--- /dev/null
+++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
@@ -0,0 +1,31 @@
+### @file
+#
+#   TPM Platform Hierarchy configuration library.
+#
+#   This library provides functions for customizing the TPM's Platform Hierarchy
+#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
+#   Policy (platformPolicy) can be defined through this function.
+#
+# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.<BR>
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+###
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLibNull
+  FILE_GUID                      = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
+  MODULE_TYPE                    = PEIM
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
+
+[LibraryClasses]
+  BaseLib
+
+[Packages]
+  MdePkg/MdePkg.dec
+
+[Sources]
+  PeiDxeTpmPlatformHierarchyLib.c
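Review bot: FILE_GUID `7794F92C-4E8E-4E57-9E4A-49A0764C7D73` is the same value used by PeiDxeTpmPlatformHierarchyLib.inf in patch 1/6; every INF needs its own GUID, so please generate a fresh one for the Null instance. The header block was copied from the full library and still describes customizing platformAuth/platformPolicy; it should say this is the Null implementation that does nothing, and the copyright lines should match the .c in the previous hunk (IBM, 2021). BaseLib in [LibraryClasses] is not used by the stub and can go.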
-- 
2.31.1



* [PATCH v4 3/6] OvmfPkg: Reference new TPM classes in the build system for compilation
  2021-08-12 16:59 [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
  2021-08-12 16:59 ` [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
  2021-08-12 16:59 ` [PATCH v4 2/6] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
@ 2021-08-12 16:59 ` Stefan Berger
  2021-08-12 16:59 ` [PATCH v4 4/6] OvmfPkg: Disable the TPM2 platform hierarchy Stefan Berger
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 14+ messages in thread
From: Stefan Berger @ 2021-08-12 16:59 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger, Stefan Berger

Compile the added TPM-related code now.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 OvmfPkg/AmdSev/AmdSevX64.dsc                                   | 3 +++
 OvmfPkg/Bhyve/BhyveX64.dsc                                     | 1 +
 .../Library/PlatformBootManagerLib/PlatformBootManagerLib.inf  | 1 +
 OvmfPkg/OvmfPkgIa32.dsc                                        | 3 +++
 OvmfPkg/OvmfPkgIa32X64.dsc                                     | 3 +++
 OvmfPkg/OvmfPkgX64.dsc                                         | 3 +++
 OvmfPkg/OvmfXen.dsc                                            | 1 +
 7 files changed, 15 insertions(+)

diff --git a/OvmfPkg/AmdSev/AmdSevX64.dsc b/OvmfPkg/AmdSev/AmdSevX64.dsc
index e6cd10b759..db1deffcc8 100644
--- a/OvmfPkg/AmdSev/AmdSevX64.dsc
+++ b/OvmfPkg/AmdSev/AmdSevX64.dsc
@@ -209,9 +209,11 @@
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 !else
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 !endif
 
 [LibraryClasses.common]
@@ -836,6 +838,7 @@
   SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
     <LibraryClasses>
       Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
       NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
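Review bot: the per-module `TpmPlatformHierarchyLib|...` override inside the Tcg2Dxe.inf block looks redundant: the class is already resolved for the TPM_ENABLE case in the global section changed by the first hunk of this file, and nothing in this series makes Tcg2Dxe call ConfigureTpmPlatformHierarchy. If the override is intentional, the commit message should say why; otherwise drop it here and in the matching Tcg2Pei/Tcg2Dxe blocks of the other .dsc files in this patch and in ArmVirtQemu.dsc (patch 5/6).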
diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index d8fe607d1c..76904ae614 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -224,6 +224,7 @@
 
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
 [LibraryClasses.common]
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
diff --git a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index e470b9a6a3..e7d1917022 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -56,6 +56,7 @@
   PlatformBmPrintScLib
   Tcg2PhysicalPresenceLib
   XenPlatformLib
+  TpmPlatformHierarchyLib
 
 [Pcd]
   gUefiOvmfPkgTokenSpaceGuid.PcdEmuVariableEvent
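Review bot: only PlatformBootManagerLib.inf gains TpmPlatformHierarchyLib in [LibraryClasses], but patch 4/6 adds the ConfigureTpmPlatformHierarchy call to PlatformBootManagerLibBhyve/BdsPlatform.c and PlatformBootManagerLibGrub/BdsPlatform.c as well. Their INFs need the same one-line addition, otherwise those builds rely on the library being pulled in transitively, which is fragile.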
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index d1d92c97ba..7c2948c5e9 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -235,9 +235,11 @@
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 !else
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 !endif
 
 [LibraryClasses.common]
@@ -711,6 +713,7 @@
   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
     <LibraryClasses>
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+      TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
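Review bot: here the override is placed in the Tcg2Pei.inf block, while AmdSevX64.dsc and OvmfPkgIa32X64.dsc put it in Tcg2Dxe.inf; the .dsc files should be consistent, and as noted for AmdSevX64.dsc the override appears unnecessary in both places.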
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index a467ab7090..88a014510f 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -239,9 +239,11 @@
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 !else
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 !endif
 
 [LibraryClasses.common]
@@ -1034,6 +1036,7 @@
   SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.inf {
     <LibraryClasses>
       Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
       NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index e56b83d95e..ca434a5faa 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -239,9 +239,11 @@
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 !else
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 !endif
 
 [LibraryClasses.common]
@@ -723,6 +725,7 @@
   SecurityPkg/Tcg/Tcg2Pei/Tcg2Pei.inf {
     <LibraryClasses>
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
+      TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha384/HashInstanceLibSha384.inf
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index 3c1ca6bfd4..b01873843b 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -216,6 +216,7 @@
 
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
   RealTimeClockLib|OvmfPkg/Library/XenRealTimeClockLib/XenRealTimeClockLib.inf
   TimeBaseLib|EmbeddedPkg/Library/TimeBaseLib/TimeBaseLib.inf
 !ifdef $(DEBUG_ON_HYPERVISOR_CONSOLE)
-- 
2.31.1



* [PATCH v4 4/6] OvmfPkg: Disable the TPM2 platform hierarchy
  2021-08-12 16:59 [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
                   ` (2 preceding siblings ...)
  2021-08-12 16:59 ` [PATCH v4 3/6] OvmfPkg: Reference new TPM classes in the build system for compilation Stefan Berger
@ 2021-08-12 16:59 ` Stefan Berger
  2021-08-12 16:59 ` [PATCH v4 5/6] ArmVirtPkg: Reference new TPM classes in the build system for compilation Stefan Berger
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 14+ messages in thread
From: Stefan Berger @ 2021-08-12 16:59 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger, Stefan Berger

Use the newly added function to disable the TPM2 platform hierarchy.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c      | 6 ++++++
 OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c | 7 +++++++
 OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c  | 7 +++++++
 3 files changed, 20 insertions(+)

diff --git a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
index b0e9742937..43e6ada2a2 100644
--- a/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c
@@ -11,6 +11,7 @@
 #include <Protocol/FirmwareVolume2.h>
 #include <Library/PlatformBmPrintScLib.h>
 #include <Library/Tcg2PhysicalPresenceLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
 #include <Library/XenPlatformLib.h>
 
 
@@ -1516,6 +1517,11 @@ PlatformBootManagerAfterConsole (
   //
   Tcg2PhysicalPresenceLibProcessRequest (NULL);
 
+  //
+  // Disable the TPM 2 platform hierarchy
+  //
+  ConfigureTpmPlatformHierarchy ();
+
   //
   // Process QEMU's -kernel command line option
   //
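Review bot: the comment "Disable the TPM 2 platform hierarchy" hides the mechanism; since the function name says "Configure", the comment should state that the library sets platformAuth to a random value so that the platform hierarchy can no longer be used after this point. Placing the call after Tcg2PhysicalPresenceLibProcessRequest is the right order, since PPI operations need platformAuth; a sentence saying so would help future readers keep it there.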
diff --git a/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
index eaade4adea..5197964adb 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibBhyve/BdsPlatform.c
@@ -12,6 +12,8 @@
 #include <Protocol/FirmwareVolume2.h>
 #include <Library/PlatformBmPrintScLib.h>
 #include <Library/Tcg2PhysicalPresenceLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
+
 
 #include <Protocol/BlockIo.h>
 
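Review bot: the added `+` blank line after `#include <Library/TpmPlatformHierarchyLib.h>` leaves two consecutive blank lines before `#include <Protocol/BlockIo.h>`; drop the extra one.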
@@ -1450,6 +1452,11 @@ PlatformBootManagerAfterConsole (
   //
   Tcg2PhysicalPresenceLibProcessRequest (NULL);
 
+  //
+  // Disable the TPM 2 platform hierarchy
+  //
+  ConfigureTpmPlatformHierarchy ();
+
   //
   // Perform some platform specific connect sequence
   //
diff --git a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
index 7cceeea487..0d7fe69d3f 100644
--- a/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
+++ b/OvmfPkg/Library/PlatformBootManagerLibGrub/BdsPlatform.c
@@ -12,6 +12,8 @@
 #include <Protocol/FirmwareVolume2.h>
 #include <Library/PlatformBmPrintScLib.h>
 #include <Library/Tcg2PhysicalPresenceLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
+
 
 
 //
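Review bot: the added blank line after the new include produces three consecutive blank lines before the `//` comment block; only the include line should be added here.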
@@ -1315,6 +1317,11 @@ PlatformBootManagerAfterConsole (
   //
   Tcg2PhysicalPresenceLibProcessRequest (NULL);
 
+  //
+  // Disable the TPM 2 platform hierachy
+  //
+  ConfigureTpmPlatformHierarchy ();
+
   //
   // Process QEMU's -kernel command line option
   //
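Review bot: typo in the new comment, "hierachy" should read "hierarchy" (the other two BdsPlatform.c files in this patch spell it correctly).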
-- 
2.31.1



* [PATCH v4 5/6] ArmVirtPkg: Reference new TPM classes in the build system for compilation
  2021-08-12 16:59 [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
                   ` (3 preceding siblings ...)
  2021-08-12 16:59 ` [PATCH v4 4/6] OvmfPkg: Disable the TPM2 platform hierarchy Stefan Berger
@ 2021-08-12 16:59 ` Stefan Berger
  2021-08-12 16:59 ` [PATCH v4 6/6] ArmVirtPkg: Disable the TPM2 platform hierarchy Stefan Berger
  2021-08-13 12:32 ` [PATCH v4 0/6] Ovmf: " Stefan Berger
  6 siblings, 0 replies; 14+ messages in thread
From: Stefan Berger @ 2021-08-12 16:59 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger, Stefan Berger

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ArmVirtPkg/ArmVirtCloudHv.dsc    | 1 +
 ArmVirtPkg/ArmVirtQemu.dsc       | 3 +++
 ArmVirtPkg/ArmVirtQemuKernel.dsc | 1 +
 ArmVirtPkg/ArmVirtXen.dsc        | 1 +
 4 files changed, 6 insertions(+)

diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc
index f292ba6079..cb135d08d9 100644
--- a/ArmVirtPkg/ArmVirtCloudHv.dsc
+++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
@@ -55,6 +55,7 @@
   PciHostBridgeUtilityLib|ArmVirtPkg/Library/ArmVirtPciHostBridgeUtilityLib/ArmVirtPciHostBridgeUtilityLib.inf
 
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
 !include MdePkg/MdeLibs.dsc.inc
 
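Review bot: the commit message has no body; as for patch 3/6, a line saying that the new TpmPlatformHierarchyLib class is resolved to the real library where TPM2_ENABLE is set and to the Null instance elsewhere would make the intent reviewable from the log alone.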
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 97539edef7..10dfc382b5 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -86,8 +86,10 @@
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 !else
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 !endif
 
 [LibraryClasses.common.PEIM]
@@ -523,6 +525,7 @@
     <LibraryClasses>
       HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
       Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterDxe.inf
+      TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
       NULL|SecurityPkg/Library/Tpm2DeviceLibDTpm/Tpm2InstanceLibDTpm.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha1/HashInstanceLibSha1.inf
       NULL|SecurityPkg/Library/HashInstanceLibSha256/HashInstanceLibSha256.inf
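Review bot: as in the OvmfPkg .dsc files, the TpmPlatformHierarchyLib override in this Tcg2Dxe block duplicates the global resolution made in the first hunk of this file and is not needed by Tcg2Dxe.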
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 28064199c8..d89da457e0 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -80,6 +80,7 @@
   PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
   PciHostBridgeUtilityLib|OvmfPkg/Library/PciHostBridgeUtilityLib/PciHostBridgeUtilityLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
 [LibraryClasses.common.DXE_DRIVER]
   ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
diff --git a/ArmVirtPkg/ArmVirtXen.dsc b/ArmVirtPkg/ArmVirtXen.dsc
index 2b07a5ba19..e41259fa54 100644
--- a/ArmVirtPkg/ArmVirtXen.dsc
+++ b/ArmVirtPkg/ArmVirtXen.dsc
@@ -50,6 +50,7 @@
   PlatformBootManagerLib|ArmPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
 [LibraryClasses.common.UEFI_DRIVER]
   UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
-- 
2.31.1



* [PATCH v4 6/6] ArmVirtPkg: Disable the TPM2 platform hierarchy
  2021-08-12 16:59 [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
                   ` (4 preceding siblings ...)
  2021-08-12 16:59 ` [PATCH v4 5/6] ArmVirtPkg: Reference new TPM classes in the build system for compilation Stefan Berger
@ 2021-08-12 16:59 ` Stefan Berger
  2021-08-13 12:32 ` [PATCH v4 0/6] Ovmf: " Stefan Berger
  6 siblings, 0 replies; 14+ messages in thread
From: Stefan Berger @ 2021-08-12 16:59 UTC (permalink / raw)
  To: devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger, Stefan Berger

Use the newly added function to disable the TPM2 platform hierarchy.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c      | 6 ++++++
 .../PlatformBootManagerLib/PlatformBootManagerLib.inf       | 1 +
 2 files changed, 7 insertions(+)

diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
index 69448ff65b..b5b775eebd 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
@@ -17,6 +17,7 @@
 #include <Library/PlatformBmPrintScLib.h>
 #include <Library/QemuBootOrderLib.h>
 #include <Library/UefiBootManagerLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
 #include <Protocol/DevicePath.h>
 #include <Protocol/FirmwareVolume2.h>
 #include <Protocol/GraphicsOutput.h>
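Review bot: the existing Library includes in this block are sorted alphabetically (PlatformBmPrintScLib, QemuBootOrderLib, UefiBootManagerLib) and the new `#include <Library/TpmPlatformHierarchyLib.h>` lands after UefiBootManagerLib.h; placing it before UefiBootManagerLib.h keeps the list ordered.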
@@ -832,6 +833,11 @@ PlatformBootManagerAfterConsole (
     EfiBootManagerConnectAll ();
   }
 
+  //
+  // Disable the TPM 2 platform hierarchy
+  //
+  ConfigureTpmPlatformHierarchy ();
+
   //
   // Enumerate all possible boot options, then filter and reorder them based on
   // the QEMU configuration.
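Review bot: ConfigureTpmPlatformHierarchy () returns VOID, so this caller cannot learn whether Tpm2HierarchyChangeAuth actually succeeded (the library only emits a DEBUG line), and a TPM that rejects the command leaves the platform hierarchy open with nothing but a debug message to show for it; consider returning EFI_STATUS from the library and at least reporting it here (DEBUG or ASSERT_EFI_ERROR), or state in the comment that a failure is deliberately non-fatal. The comment could also record the ordering requirement from the cover letter (run after physical presence handling, before anything that relies on platformAuth), since nothing in this hunk makes that ordering visible.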
diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index 11f52e019b..cead956bfc 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -51,6 +51,7 @@
   UefiBootServicesTableLib
   UefiLib
   UefiRuntimeServicesTableLib
+  TpmPlatformHierarchyLib
 
 [FixedPcd]
   gEfiMdePkgTokenSpaceGuid.PcdUartDefaultBaudRate
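Review bot: TpmPlatformHierarchyLib is appended after UefiRuntimeServicesTableLib in an otherwise alphabetically sorted [LibraryClasses] list; placing it before UefiBootServicesTableLib keeps the order.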
-- 
2.31.1



* Re: [edk2-devel] [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
  2021-08-12 16:59 ` [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
@ 2021-08-12 20:59   ` Sean
  2021-08-12 22:19     ` Stefan Berger
  0 siblings, 1 reply; 14+ messages in thread
From: Sean @ 2021-08-12 20:59 UTC (permalink / raw)
  To: devel, stefanb, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley,
	Stefan Berger

This seems like a bad place for a general purpose lib that many other 
platforms may take a dependency on.

In v1 this was SecurityPkg.  OvmfPkg is a platform package and therefore 
not a good place to define broad interfaces.

What caused this to move here?

Thanks
Sean
On 8/12/2021 9:59 AM, Stefan Berger wrote:
> Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms. Fix some bugs
> from the original code and simplify parts of it.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   .../Include/Library/TpmPlatformHierarchyLib.h |  27 +++
>   .../PeiDxeTpmPlatformHierarchyLib.c           | 200 ++++++++++++++++++
>   .../PeiDxeTpmPlatformHierarchyLib.inf         |  40 ++++
>   3 files changed, 267 insertions(+)
>   create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
>   create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
>   create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> 
> diff --git a/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
> new file mode 100644
> index 0000000000..a872fa09dc
> --- /dev/null
> +++ b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
> @@ -0,0 +1,27 @@
> +/** @file
> +    TPM Platform Hierarchy configuration library.
> +
> +    This library provides functions for customizing the TPM's Platform Hierarchy
> +    Authorization Value (platformAuth) and Platform Hierarchy Authorization
> +    Policy (platformPolicy) can be defined through this function.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) Microsoft Corporation.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_
> +#define _TPM_PLATFORM_HIERARCHY_LIB_H_
> +
> +/**
> +   This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
> +
> +**/
> +VOID
> +EFIAPI
> +ConfigureTpmPlatformHierarchy (
> +  VOID
> +  );
> +
> +#endif
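Review bot: the doc comment on ConfigureTpmPlatformHierarchy says the configuration is performed "at the SmmReadyToLock event", which describes the edk2-platforms origin and not this series, where PlatformBootManagerAfterConsole calls it; update the comment to say when this series invokes it. The file header sentence "This library provides functions for customizing ... can be defined through this function" is also garbled (two sentences merged into one) and is repeated verbatim in the .c and .inf headers below.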
> diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
> new file mode 100644
> index 0000000000..a0dc848abd
> --- /dev/null
> +++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
> @@ -0,0 +1,200 @@
> +/** @file
> +    TPM Platform Hierarchy configuration library.
> +
> +    This library provides functions for customizing the TPM's Platform Hierarchy
> +    Authorization Value (platformAuth) and Platform Hierarchy Authorization
> +    Policy (platformPolicy) can be defined through this function.
> +
> +    Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +    Copyright (c) Microsoft Corporation.<BR>
> +    SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +    @par Specification Reference:
> +    https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
> +**/
> +
> +#include <Uefi.h>
> +
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/RngLib.h>
> +#include <Library/Tpm2CommandLib.h>
> +#include <Library/Tpm2DeviceLib.h>
> +
> +//
> +// The authorization value may be no larger than the digest produced by the hash
> +//   algorithm used for context integrity.
> +//
> +
> +UINT16       mAuthSize;
> +
> +/**
> +  Generate high-quality entropy source through RDRAND.
> +
> +  @param[in]   Length        Size of the buffer, in bytes, to fill with.
> +  @param[out]  Entropy       Pointer to the buffer to store the entropy data.
> +
> +  @retval EFI_SUCCESS        Entropy generation succeeded.
> +  @retval EFI_NOT_READY      Failed to request random data.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +RdRandGenerateEntropy (
> +  IN UINTN         Length,
> +  OUT UINT8        *Entropy
> +  )
> +{
> +  EFI_STATUS  Status;
> +  UINTN       BlockCount;
> +  UINT64      Seed[2];
> +  UINT8       *Ptr;
> +
> +  Status = EFI_NOT_READY;
> +  BlockCount = Length / sizeof(Seed);
> +  Ptr = (UINT8 *)Entropy;
> +
> +  //
> +  // Generate high-quality seed for DRBG Entropy
> +  //
> +  while (BlockCount > 0) {
> +    Status = GetRandomNumber128 (Seed);
> +    if (EFI_ERROR (Status)) {
> +      return Status;
> +    }
> +    CopyMem (Ptr, Seed, sizeof(Seed));
> +
> +    BlockCount--;
> +    Ptr = Ptr + sizeof(Seed);
> +  }
> +
> +  //
> +  // Populate the remained data as request.
> +  //
> +  Status = GetRandomNumber128 (Seed);
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +  CopyMem (Ptr, Seed, (Length % sizeof(Seed)));
> +
> +  return Status;
> +}
> +
> +/**
> +  This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value
> +  and limits an authValue to being no larger than the largest digest produced by a TPM.
> +
> +  @param[out] AuthSize                 Tpm2 Auth size
> +
> +  @retval EFI_SUCCESS                  Auth size returned.
> +  @retval EFI_DEVICE_ERROR             Can not return platform auth due to device error.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +GetAuthSize (
> +  OUT UINT16            *AuthSize
> +  )
> +{
> +  EFI_STATUS            Status;
> +  TPML_PCR_SELECTION    Pcrs;
> +  UINTN                 Index;
> +  UINT16                DigestSize;
> +
> +  Status = EFI_SUCCESS;
> +
> +  while (mAuthSize == 0) {
> +
> +    mAuthSize = SHA1_DIGEST_SIZE;
> +    ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
> +    Status = Tpm2GetCapabilityPcrs (&Pcrs);
> +
> +    if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
> +      break;
> +    }
> +
> +    DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
> +
> +    for (Index = 0; Index < Pcrs.count; Index++) {
> +      DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
> +
> +      switch (Pcrs.pcrSelections[Index].hash) {
> +      case TPM_ALG_SHA1:
> +        DigestSize = SHA1_DIGEST_SIZE;
> +        break;
> +      case TPM_ALG_SHA256:
> +        DigestSize = SHA256_DIGEST_SIZE;
> +        break;
> +      case TPM_ALG_SHA384:
> +        DigestSize = SHA384_DIGEST_SIZE;
> +        break;
> +      case TPM_ALG_SHA512:
> +        DigestSize = SHA512_DIGEST_SIZE;
> +        break;
> +      case TPM_ALG_SM3_256:
> +        DigestSize = SM3_256_DIGEST_SIZE;
> +        break;
> +      default:
> +        DigestSize = SHA1_DIGEST_SIZE;
> +        break;
> +      }
> +
> +      if (DigestSize > mAuthSize) {
> +        mAuthSize = DigestSize;
> +      }
> +    }
> +    break;
> +  }
> +
> +  *AuthSize = mAuthSize;
> +  return Status;
> +}
> +
> +/**
> +  Set PlatformAuth to random value.
> +**/
> +VOID
> +RandomizePlatformAuth (
> +  VOID
> +  )
> +{
> +  EFI_STATUS                        Status;
> +  UINT16                            AuthSize;
> +  TPM2B_AUTH                        NewPlatformAuth;
> +
> +  //
> +  // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
> +  //
> +
> +  GetAuthSize (&AuthSize);
> +
> +  NewPlatformAuth.size = AuthSize;
> +
> +  //
> +  // Create the random bytes in the destination buffer
> +  //
> +
> +  RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer);
> +
> +  //
> +  // Send Tpm2HierarchyChangeAuth command with the new Auth value
> +  //
> +  Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
> +  DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
> +  ZeroMem (NewPlatformAuth.buffer, AuthSize);
> +}
> +
> +/**
> +   This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
> +   and Platform Hierarchy Authorization Policy (platformPolicy)
> +
> +**/
> +VOID
> +EFIAPI
> +ConfigureTpmPlatformHierarchy (
> +  )
> +{
> +  RandomizePlatformAuth ();
> +}
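Review bot: RandomizePlatformAuth ignores the EFI_STATUS returned by both GetAuthSize and RdRandGenerateEntropy, so if the RNG fails the uninitialized stack bytes in NewPlatformAuth.buffer are still sent to Tpm2HierarchyChangeAuth as the new platformAuth; check the status and return (with a DEBUG line) before issuing the command. Smaller points: ConfigureTpmPlatformHierarchy is defined with an empty parameter list `( )` while the header declares `VOID`, and the .c file never includes TpmPlatformHierarchyLib.h, so the compiler cannot check the definition against the prototype; GetAuthSize sets mAuthSize = SHA1_DIGEST_SIZE before calling Tpm2GetCapabilityPcrs and never resets it on failure, so one transient failure pins the auth size to 20 bytes for every later call; `while (mAuthSize == 0) { ... break; }` is a goto in disguise and reads better as an `if`; the RdRand naming and the "through RDRAND" comment become misleading once this library is linked into ArmVirtPkg, where RngLib does not use RDRAND; the informational prints in GetAuthSize use DEBUG_ERROR rather than DEBUG_INFO; and MemoryAllocationLib.h is included although nothing in the file allocates.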
> diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> new file mode 100644
> index 0000000000..a413e02302
> --- /dev/null
> +++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
> @@ -0,0 +1,40 @@
> +### @file
> +#
> +#   TPM Platform Hierarchy configuration library.
> +#
> +#   This library provides functions for customizing the TPM's Platform Hierarchy
> +#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
> +#   Policy (platformPolicy) can be defined through this function.
> +#
> +# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) Microsoft Corporation.<BR>
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +###
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLib
> +  FILE_GUID                      = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
> +  MODULE_TYPE                    = PEIM
> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  RngLib
> +  Tpm2CommandLib
> +  Tpm2DeviceLib
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +  CryptoPkg/CryptoPkg.dec
> +
> +[Sources]
> +  PeiDxeTpmPlatformHierarchyLib.c
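Review bot: [Packages] lists CryptoPkg/CryptoPkg.dec and [LibraryClasses] lists BaseLib and MemoryAllocationLib, but the source above includes no CryptoPkg header and calls no BaseLib or allocation routine, so these dependencies look inherited from the original rather than needed; conversely OvmfPkg/OvmfPkg.dec, where the new TpmPlatformHierarchyLib header lives, is missing, which only goes unnoticed because the .c file does not include its own header. Trim the unused entries and add the OvmfPkg package declaration together with the header include.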
> 


* Re: [edk2-devel] [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
  2021-08-12 20:59   ` [edk2-devel] " Sean
@ 2021-08-12 22:19     ` Stefan Berger
  2021-08-13 18:47       ` Sean
  0 siblings, 1 reply; 14+ messages in thread
From: Stefan Berger @ 2021-08-12 22:19 UTC (permalink / raw)
  To: Sean Brogan, devel, stefanb, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley


On 8/12/21 4:59 PM, Sean Brogan wrote:
> This seems like a bad place for a general purpose lib that many other 
> platforms may take a dependency on.
>
> In v1 this was SecurityPkg.  OvmfPkg is a platform package and 
> therefore not a good place to define broad interfaces.
>
> What caused this to move here?


Option 2 from this message: 
https://listman.redhat.com/archives/edk2-devel-archive/2021-August/msg00398.html

   Stefan


>
> Thanks
> Sean
>
>


* Re: [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy
  2021-08-12 16:59 [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
                   ` (5 preceding siblings ...)
  2021-08-12 16:59 ` [PATCH v4 6/6] ArmVirtPkg: Disable the TPM2 platform hierarchy Stefan Berger
@ 2021-08-13 12:32 ` Stefan Berger
  2021-08-14 13:01   ` Yao, Jiewen
  6 siblings, 1 reply; 14+ messages in thread
From: Stefan Berger @ 2021-08-13 12:32 UTC (permalink / raw)
  To: Stefan Berger, devel, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley

Yao,

   do you have any comments on this series? Would SecurityPkg be a 
better place for it?


     Stefan


On 8/12/21 12:59 PM, Stefan Berger wrote:
> This series imports code from the edk2-platforms project related to
> changing the password of the TPM2 platform hierarchy and uses it to
> disable the TPM2 platform hierarchy in Ovmf and ArmVirtPkg. It
> addresses the Ovmf aspects of the following bugs:
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=3510
> https://bugzilla.tianocore.org/show_bug.cgi?id=3499
>
> I have patched the .dsc files and successfully test-built with most of
> them. Some I could not build because they failed for other reasons
> unrelated to this series.
>
> I tested the changes with QEMU on x86 following the build of
> ArmVirtQemu.dsc and OvmfPkgX64.dsc.
>
> The disablement of the platform hierarchy is done after possibly
> handling PPI. Following TPM 2 logs on Arm, only PCR extensions are
> following afterwards until GRUB takes over.
>
> Neither one of the following commands should work anymore on first
> try:
>
> With IBM tss2 tools:
> tsshierarchychangeauth -hi p -pwdn newpass
>
> With Intel tss2 tools:
> tpm2_changeauth -c platform newpass
>
> Regards,
>    Stefan
>
> v4:
>   - Fixed and simplified code imported from edk2-platforms
>
> v3:
>   - Referencing Null implementation on Bhyve and Xen platforms
>   - Add support in ArmVirtPkg
>
> Stefan Berger (6):
>    OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
>      edk2-platforms
>    OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
>    OvmfPkg: Reference new TPM classes in the build system for compilation
>    OvmfPkg: Disable the TPM2 platform hierarchy
>    ArmVirtPkg: Reference new TPM classes in the build system for
>      compilation
>    ArmVirtPkg: Disable the TPM2 platform hierarchy
>
>   ArmVirtPkg/ArmVirtCloudHv.dsc                 |   1 +
>   ArmVirtPkg/ArmVirtQemu.dsc                    |   3 +
>   ArmVirtPkg/ArmVirtQemuKernel.dsc              |   1 +
>   ArmVirtPkg/ArmVirtXen.dsc                     |   1 +
>   .../PlatformBootManagerLib/PlatformBm.c       |   6 +
>   .../PlatformBootManagerLib.inf                |   1 +
>   OvmfPkg/AmdSev/AmdSevX64.dsc                  |   3 +
>   OvmfPkg/Bhyve/BhyveX64.dsc                    |   1 +
>   .../Include/Library/TpmPlatformHierarchyLib.h |  27 +++
>   .../PeiDxeTpmPlatformHierarchyLib.c           | 200 ++++++++++++++++++
>   .../PeiDxeTpmPlatformHierarchyLib.inf         |  40 ++++
>   .../PeiDxeTpmPlatformHierarchyLib.c           |  19 ++
>   .../PeiDxeTpmPlatformHierarchyLib.inf         |  31 +++
>   .../PlatformBootManagerLib/BdsPlatform.c      |   6 +
>   .../PlatformBootManagerLib.inf                |   1 +
>   .../PlatformBootManagerLibBhyve/BdsPlatform.c |   7 +
>   .../PlatformBootManagerLibGrub/BdsPlatform.c  |   7 +
>   OvmfPkg/OvmfPkgIa32.dsc                       |   3 +
>   OvmfPkg/OvmfPkgIa32X64.dsc                    |   3 +
>   OvmfPkg/OvmfPkgX64.dsc                        |   3 +
>   OvmfPkg/OvmfXen.dsc                           |   1 +
>   21 files changed, 365 insertions(+)
>   create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
>   create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
>   create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
>   create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
>   create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
>


* Re: [edk2-devel] [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
  2021-08-12 22:19     ` Stefan Berger
@ 2021-08-13 18:47       ` Sean
  2021-08-13 19:02         ` Stefan Berger
  0 siblings, 1 reply; 14+ messages in thread
From: Sean @ 2021-08-13 18:47 UTC (permalink / raw)
  To: Stefan Berger, devel, stefanb, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley

Thanks for the link as I missed that message.

To me this just points out more problems with how OVMF is being managed 
in the edk2 project and the uselessness of edk2 platforms as anything 
more than just a dumping ground repo to hold sample code.  But that is a 
problem larger than this patchset.

I guess if you are going to do option 2, can we rename the library 
interface you are defining in OvmfPkg so it doesn't conflict with the 
existing one in edk2-platforms/minplatform. That would mean changing:

* name in OvmfPkg.dec file
* header file in OvmfPkg/Include/Library
* all references in DSC file for mapping an instance
* all references in your INFs for dependency

Thanks
Sean
On 8/12/2021 3:19 PM, Stefan Berger wrote:
> 
> On 8/12/21 4:59 PM, Sean Brogan wrote:
>> This seems like a bad place for a general purpose lib that many other 
>> platforms may take a dependency on.
>>
>> In v1 this was SecurityPkg.  OvmfPkg is a platform package and 
>> therefore not a good place to define broad interfaces.
>>
>> What caused this to move here?
> 
> 
> Option 2 from this message: 
> https://listman.redhat.com/archives/edk2-devel-archive/2021-August/msg00398.html 
> 
> 
>    Stefan
> 
> 
>>
>> Thanks
>> Sean
>>
>>


* Re: [edk2-devel] [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
  2021-08-13 18:47       ` Sean
@ 2021-08-13 19:02         ` Stefan Berger
  2021-08-14 13:28           ` Marvin Häuser
  0 siblings, 1 reply; 14+ messages in thread
From: Stefan Berger @ 2021-08-13 19:02 UTC (permalink / raw)
  To: Sean Brogan, devel, stefanb, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley


On 8/13/21 2:47 PM, Sean Brogan wrote:
> Thanks for the link as I missed that message.
>
> To me this just points out more problems with how OVMF is being 
> managed in the edk2 project and the uselessness of edk2 platforms as 
> anything more than just a dumping ground repo to hold sample code.  
> But that is a problem larger than this patchset.
>
> I guess if you are going to do option 2, can we rename the library 
> interface you are defining in OvmfPkg so it doesn't conflict with the 
> existing one in edk2-platforms/minplatform. That would mean changing:


I have now created v5 here with the latest code appearing in SecurityPkg 
again: 
https://github.com/stefanberger/edk2/commits/stefanberger/ovmf_disable_platform_hierarchy.v5

I can probably post that pretty quickly but I'll be out for a while. If 
it's urgent, someone else can pick it up from there. I tested it on 
QEMU for x86 and aarch64 and test-compiled on various platforms that I 
touched (some didn't compile for me before the changes).

What I wasn't sure about is whether edk2-platforms is a 'holding area' 
for code to be imported ideally 1:1 into edk2. So I ended up making 
those changes already in v1 to cut out a dependency. If what I have in 
v5 (or also v4) is sufficient for general consumption, then let's put it 
into SecurityPkg.


    Stefan


>
> * name in OvmfPkg.dec file
> * header file in OvmfPkg/Include/Library
> * all references in DSC file for mapping an instance
> * all references in your INFs for dependency
>
> Thanks
> Sean
>
>
>
>
>
>
> On 8/12/2021 3:19 PM, Stefan Berger wrote:
>>
>> On 8/12/21 4:59 PM, Sean Brogan wrote:
>>> This seems like a bad place for a general purpose lib that many 
>>> other platforms may take a dependency on.
>>>
>>> In v1 this was SecurityPkg.  OvmfPkg is a platform package and 
>>> therefore not a good place to define broad interfaces.
>>>
>>> What caused this to move here?
>>
>>
>> Option 2 from this message: 
>> https://listman.redhat.com/archives/edk2-devel-archive/2021-August/msg00398.html 
>>
>>
>>    Stefan
>>
>>
>>>
>>> Thanks
>>> Sean
>>>
>>>


* Re: [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy
  2021-08-13 12:32 ` [PATCH v4 0/6] Ovmf: " Stefan Berger
@ 2021-08-14 13:01   ` Yao, Jiewen
  0 siblings, 0 replies; 14+ messages in thread
From: Yao, Jiewen @ 2021-08-14 13:01 UTC (permalink / raw)
  To: Stefan Berger, Stefan Berger, devel@edk2.groups.io
  Cc: marcandre.lureau@redhat.com, lersek@redhat.com,
	dick_wilkins@phoenix.com, James.Bottomley@HansenPartnership.com,
	bret.barkelew@microsoft.com, Sean Brogan, Michael Kubacki

From what I have seen, OvmfPkg already duplicates a lot of common libs. It is NOT desired, but I can understand why.

Personally, I hope we can align the implementation with MinPlatformPkg. Then we just need to move the whole design from MinPlatformPkg to SecurityPkg. - That is my preference.
However, if there is a real need to NOT take the full MinPlatformPkg implementation, I am also OK with adding an OvmfPkg-specific implementation.

Since Marc-André Lureau and you are listed as OVMF TPM feature reviewers, I would like to get your preference.
Do you want to take the full MinPlatformPkg design to OvmfPkg?

Microsoft just posted a new TPM hierarchy design in MinPlatformPkg. I would like to ask Microsoft (Sean Brogan, Bret Barkelew, Michael Kubacki) as well:
Do you think there is value in moving the TPM hierarchy design from MinPlatformPkg to SecurityPkg?

Thank you
Yao Jiewen

> -----Original Message-----
> From: Stefan Berger <stefanb@linux.ibm.com>
> Sent: Friday, August 13, 2021 8:32 PM
> To: Stefan Berger <stefanb@linux.vnet.ibm.com>; devel@edk2.groups.io; Yao,
> Jiewen <jiewen.yao@intel.com>
> Cc: marcandre.lureau@redhat.com; lersek@redhat.com;
> dick_wilkins@phoenix.com; James.Bottomley@HansenPartnership.com
> Subject: Re: [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy
> 
> Yao,
> 
>    do you have any comments on this series? Would SecurityPkg be a
> better place for it?
> 
> 
>      Stefan
> 
> 
> On 8/12/21 12:59 PM, Stefan Berger wrote:
> > This series imports code from the edk2-platforms project related to
> > changing the password of the TPM2 platform hierarchy and uses it to
> > disable the TPM2 platform hierarchy in Ovmf and ArmVirtPkg. It
> > addresses the Ovmf aspects of the following bugs:
> >
> > https://bugzilla.tianocore.org/show_bug.cgi?id=3510
> > https://bugzilla.tianocore.org/show_bug.cgi?id=3499
> >
> > I have patched the .dsc files and successfully test-built with most of
> > them. Some I could not build because they failed for other reasons
> > unrelated to this series.
> >
> > I tested the changes with QEMU on x86 following the build of
> > ArmVirtQemu.dsc and OvmfPkgX64.dsc.
> >
> > The disablement of the platform hierarchy is done after possibly
> > handling PPI. Following TPM 2 logs on Arm, only PCR extensions are
> > following afterwards until GRUB takes over.
> >
> > Neither one of the following commands should work anymore on first
> > try:
> >
> > With IBM tss2 tools:
> > tsshierarchychangeauth -hi p -pwdn newpass
> >
> > With Intel tss2 tools:
> > tpm2_changeauth -c platform newpass
> >
> > Regards,
> >    Stefan
> >
> > v4:
> >   - Fixed and simplified code imported from edk2-platforms
> >
> > v3:
> >   - Referencing Null implementation on Bhyve and Xen platforms
> >   - Add support in ArmVirtPkg
> >
> > Stefan Berger (6):
> >    OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from
> >      edk2-platforms
> >    OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
> >    OvmfPkg: Reference new TPM classes in the build system for compilation
> >    OvmfPkg: Disable the TPM2 platform hierarchy
> >    ArmVirtPkg: Reference new TPM classes in the build system for
> >      compilation
> >    ArmVirtPkg: Disable the TPM2 platform hierarchy
> >
> >   ArmVirtPkg/ArmVirtCloudHv.dsc                 |   1 +
> >   ArmVirtPkg/ArmVirtQemu.dsc                    |   3 +
> >   ArmVirtPkg/ArmVirtQemuKernel.dsc              |   1 +
> >   ArmVirtPkg/ArmVirtXen.dsc                     |   1 +
> >   .../PlatformBootManagerLib/PlatformBm.c       |   6 +
> >   .../PlatformBootManagerLib.inf                |   1 +
> >   OvmfPkg/AmdSev/AmdSevX64.dsc                  |   3 +
> >   OvmfPkg/Bhyve/BhyveX64.dsc                    |   1 +
> >   .../Include/Library/TpmPlatformHierarchyLib.h |  27 +++
> >   .../PeiDxeTpmPlatformHierarchyLib.c           | 200 ++++++++++++++++++
> >   .../PeiDxeTpmPlatformHierarchyLib.inf         |  40 ++++
> >   .../PeiDxeTpmPlatformHierarchyLib.c           |  19 ++
> >   .../PeiDxeTpmPlatformHierarchyLib.inf         |  31 +++
> >   .../PlatformBootManagerLib/BdsPlatform.c      |   6 +
> >   .../PlatformBootManagerLib.inf                |   1 +
> >   .../PlatformBootManagerLibBhyve/BdsPlatform.c |   7 +
> >   .../PlatformBootManagerLibGrub/BdsPlatform.c  |   7 +
> >   OvmfPkg/OvmfPkgIa32.dsc                       |   3 +
> >   OvmfPkg/OvmfPkgIa32X64.dsc                    |   3 +
> >   OvmfPkg/OvmfPkgX64.dsc                        |   3 +
> >   OvmfPkg/OvmfXen.dsc                           |   1 +
> >   21 files changed, 365 insertions(+)
> >   create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h
> >   create mode 100644
> OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarch
> yLib.c
> >   create mode 100644
> OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarch
> yLib.inf
> >   create mode 100644
> OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHiera
> rchyLib.c
> >   create mode 100644
> OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHiera
> rchyLib.inf
> >


* Re: [edk2-devel] [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
  2021-08-13 19:02         ` Stefan Berger
@ 2021-08-14 13:28           ` Marvin Häuser
  0 siblings, 0 replies; 14+ messages in thread
From: Marvin Häuser @ 2021-08-14 13:28 UTC (permalink / raw)
  To: devel, stefanb, Sean Brogan, stefanb, jiewen.yao
  Cc: marcandre.lureau, lersek, dick_wilkins, James.Bottomley

Good day Stefan,

Do you think you could split the first patch into a 1:1 initial import 
and have a modifications commit separately?

One of my big issues with EDK II is duplicated code. I look at it, I 
don't understand why it is duplicated. I look at the differences, I 
don't understand why they are there. I dig deeper into the matter (e.g. 
git blame), and I realise there is no reason but someone was taking a 
copy+paste route, and future contributors did not know or care about the 
respective other piece of code. This series standalone is basically that 
out-of-the-box, with no future changes needed. I'll suggest once more to 
enforce a code duplication ban, both within edk2, and between edk2 and 
edk2-platforms.

It would of course be great if you submitted a follow-up series to drop 
the old library from edk2-platforms. If you plan not to, and all 
maintainers agree to merge this without such a series being submitted, 
please CC me so I know when this is merged and can propose such a patch 
set myself.

Best regards,
Marvin

On 13/08/2021 21:02, Stefan Berger wrote:
>
> On 8/13/21 2:47 PM, Sean Brogan wrote:
>> Thanks for the link as I missed that message.
>>
>> To me this just points out more problems with how OVMF is being 
>> managed in the edk2 project and the uselessness of edk2 platforms as 
>> anything more than just a dumping ground repo to hold sample code.  
>> But that is a problem larger than this patchset.
>>
>> I guess if you are going to do option 2, can we rename the library 
>> interface you are defining in OvmfPkg so it doesn't conflict with the 
>> existing one in edk2-platforms/minplatform. That would mean changing:
>
>
> I have now created v5 here with the latest code appearing in 
> SecurityPkg again: 
> https://github.com/stefanberger/edk2/commits/stefanberger/ovmf_disable_platform_hierarchy.v5
>
> I can probably post that pretty quickly but I'll be out for a while. 
> If it's urgent, someone else can pick it up from there. I tested it 
> on QEMU for x86 and aarch64 and test-compiled on various platforms 
> that I touched (some didn't compile for me before the changes).
>
> What I wasn't sure about is whether edk2-platforms is a 'holding area' 
> for code to be imported ideally 1:1 into edk2. So I ended up making 
> those changes already in v1 to cut out a dependency. If what I have in 
> v5 (or also v4) is sufficient for general consumption, then let's put 
> it into SecurityPkg.
>
>
>    Stefan
>
>
>>
>> * name in OvmfPkg.dec file
>> * header file in OvmfPkg/Include/Library
>> * all references in DSC file for mapping an instance
>> * all references in your INFs for dependency
>>
>> Thanks
>> Sean
>>
>> On 8/12/2021 3:19 PM, Stefan Berger wrote:
>>>
>>> On 8/12/21 4:59 PM, Sean Brogan wrote:
>>>> This seems like a bad place for a general purpose lib that many 
>>>> other platforms may take a dependency on.
>>>>
>>>> In v1 this was SecurityPkg.  OvmfPkg is a platform package and 
>>>> therefore not a good place to define broad interfaces.
>>>>
>>>> What caused this to move here?
>>>
>>>
>>> Option 2 from this message: 
>>> https://listman.redhat.com/archives/edk2-devel-archive/2021-August/msg00398.html 
>>>
>>>
>>>    Stefan
>>>
>>>
>>>>
>>>> Thanks
>>>> Sean
>>>>
>>>>
>


Thread overview: 14+ messages
2021-08-12 16:59 [PATCH v4 0/6] Ovmf: Disable the TPM2 platform hierarchy Stefan Berger
2021-08-12 16:59 ` [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms Stefan Berger
2021-08-12 20:59   ` [edk2-devel] " Sean
2021-08-12 22:19     ` Stefan Berger
2021-08-13 18:47       ` Sean
2021-08-13 19:02         ` Stefan Berger
2021-08-14 13:28           ` Marvin Häuser
2021-08-12 16:59 ` [PATCH v4 2/6] OvmfPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
2021-08-12 16:59 ` [PATCH v4 3/6] OvmfPkg: Reference new TPM classes in the build system for compilation Stefan Berger
2021-08-12 16:59 ` [PATCH v4 4/6] OvmfPkg: Disable the TPM2 platform hierarchy Stefan Berger
2021-08-12 16:59 ` [PATCH v4 5/6] ArmVirtPkg: Reference new TPM classes in the build system for compilation Stefan Berger
2021-08-12 16:59 ` [PATCH v4 6/6] ArmVirtPkg: Disable the TPM2 platform hierarchy Stefan Berger
2021-08-13 12:32 ` [PATCH v4 0/6] Ovmf: " Stefan Berger
2021-08-14 13:01   ` Yao, Jiewen
