public inbox for devel@edk2.groups.io
* [RFC PATCH 0/3] ArmVirtPkg: Disable the TPM 2 platform hierarchy
@ 2021-09-16 21:17 Stefan Berger
  2021-09-16 21:17 ` [RFC PATCH 1/3] ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
                   ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: Stefan Berger @ 2021-09-16 21:17 UTC (permalink / raw)
  To: devel
  Cc: marcandre.lureau, kraxel, jiewen.yao, ardb+tianocore, leif,
	sami.mujawar, Stefan Berger

This series of patches disables the TPM 2 platform hierarchy.
We just added the same functionality to the OvmfPkg. However, on x86, we
could use the notification mechanism around gEfiDxeSmmReadyToLockProtocolGuid
to indirectly invoke ConfigureTpmPlatformHierarchy(). Since ARM does not
have an SMM mode, this series now uses direct invocation of this function
at the same place in PlatformBootManagerBeforeConsole() as it is done
on x86.

Regards,
   Stefan

Stefan Berger (3):
  ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  ArmVirtPkg: Reference new TPM classes in the build system for
    compilation
  ArmVirtPkg: Disable the TPM2 platform hierarchy

 ArmVirtPkg/ArmVirtCloudHv.dsc                 |  1 +
 ArmVirtPkg/ArmVirtPkg.dec                     |  1 +
 ArmVirtPkg/ArmVirtQemu.dsc                    |  2 ++
 ArmVirtPkg/ArmVirtQemuKernel.dsc              |  1 +
 ArmVirtPkg/ArmVirtXen.dsc                     |  1 +
 .../Include/Library/TpmPlatformHierarchyLib.h | 27 +++++++++++++++++
 .../PeiDxeTpmPlatformHierarchyLib.c           | 22 ++++++++++++++
 .../PeiDxeTpmPlatformHierarchyLib.inf         | 30 +++++++++++++++++++
 .../PlatformBootManagerLib/PlatformBm.c       |  6 ++++
 .../PlatformBootManagerLib.inf                |  2 ++
 10 files changed, 93 insertions(+)
 create mode 100644 ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
 create mode 100644 ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf

-- 
2.31.1


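What "disabling the TPM 2 platform hierarchy" means at the command level, as an added example that is not part of this series or of edk2: the TCG firmware profile quoted later in the thread allows firmware either to disable the platform hierarchy (TPM2_HierarchyControl with state NO) or to set a random platformAuth and discard it (TPM2_HierarchyChangeAuth). The C below marshals both commands exactly as a driver hands them to the TPM transport and decodes a response header. The tag, command codes and handles are the constants from TCG TPM 2.0 Library Part 2; the 0xA5-filled "random" auth and the response bytes in the test are constructed stand-ins, and nothing here talks to a real TPM.

```c
/*
 * Added example, not code from this series or from edk2.  It shows the two
 * TPM 2.0 commands a firmware can use to meet the TCG PC Client Platform
 * Firmware Profile requirement discussed in this thread: disable the platform
 * hierarchy (TPM2_HierarchyControl) or set a random platformAuth and discard it
 * (TPM2_HierarchyChangeAuth).  No TPM is needed: the functions only produce
 * the command byte streams a driver would hand to the TPM transport.
 *
 * Command codes, handles and tag values are the constants from TCG TPM 2.0
 * Library Part 2.  The "random" auth bytes in main() are a constructed
 * placeholder, not RNG output.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TPM_ST_SESSIONS             0x8002u
#define TPM_CC_HierarchyControl     0x00000121u
#define TPM_CC_HierarchyChangeAuth  0x00000129u
#define TPM_RH_PLATFORM             0x4000000Cu
#define TPM_RS_PW                   0x40000009u

/* TPM 2.0 marshals every integer big-endian. */
static size_t put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return 2; }
static size_t put32(uint8_t *p, uint32_t v) {
  p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
  return 4;
}

/*
 * One password-session authorization (TPMS_AUTH_COMMAND): TPM_RS_PW handle,
 * empty nonce, attributes 0, hmac = the current platformAuth.  platformAuth is
 * empty after TPM2_Startup, which is why firmware can use it without a secret.
 */
static size_t put_pw_auth(uint8_t *p, const uint8_t *auth, uint16_t auth_len) {
  size_t n = 0;
  n += put32(p + n, TPM_RS_PW);
  n += put16(p + n, 0);          /* nonce.size */
  p[n++] = 0x00;                 /* sessionAttributes */
  n += put16(p + n, auth_len);   /* hmac.size */
  if (auth_len) memcpy(p + n, auth, auth_len);
  return n + auth_len;
}

/* TPM2_HierarchyControl(TPM_RH_PLATFORM, enable = TPM_RH_PLATFORM, state = NO): clears phEnable until the next TPM2_Startup. */
size_t build_hierarchy_control_disable(uint8_t *out, size_t cap,
                                       const uint8_t *platform_auth, uint16_t auth_len) {
  size_t n = 0;
  if (cap < 32u + auth_len) return 0;
  n += put16(out + n, TPM_ST_SESSIONS);
  n += put32(out + n, 0);                    /* commandSize, patched at the end */
  n += put32(out + n, TPM_CC_HierarchyControl);
  n += put32(out + n, TPM_RH_PLATFORM);      /* authHandle */
  n += put32(out + n, 9u + auth_len);        /* authorizationSize */
  n += put_pw_auth(out + n, platform_auth, auth_len);
  n += put32(out + n, TPM_RH_PLATFORM);      /* enable: the platform hierarchy itself */
  out[n++] = 0x00;                           /* state = NO */
  put32(out + 2, (uint32_t)n);
  return n;
}

/* TPM2_HierarchyChangeAuth(TPM_RH_PLATFORM, newAuth): afterwards every platform-hierarchy command must present newAuth. */
size_t build_hierarchy_change_auth(uint8_t *out, size_t cap,
                                   const uint8_t *cur_auth, uint16_t cur_len,
                                   const uint8_t *new_auth, uint16_t new_len) {
  size_t n = 0;
  if (cap < 29u + cur_len + new_len) return 0;
  n += put16(out + n, TPM_ST_SESSIONS);
  n += put32(out + n, 0);
  n += put32(out + n, TPM_CC_HierarchyChangeAuth);
  n += put32(out + n, TPM_RH_PLATFORM);
  n += put32(out + n, 9u + cur_len);
  n += put_pw_auth(out + n, cur_auth, cur_len);
  n += put16(out + n, new_len);              /* newAuth is a TPM2B_AUTH */
  if (new_len) memcpy(out + n, new_auth, new_len);
  n += new_len;
  put32(out + 2, (uint32_t)n);
  return n;
}

/* Response header is tag(2) responseSize(4) responseCode(4); 0 is TPM_RC_SUCCESS. */
uint32_t tpm2_response_code(const uint8_t *resp, size_t len) {
  if (len < 10) return 0xFFFFFFFFu;          /* short reply: treat as failure */
  return ((uint32_t)resp[6] << 24) | ((uint32_t)resp[7] << 16) |
         ((uint32_t)resp[8] << 8) | resp[9];
}

int main(void) {
  uint8_t cmd[128];
  uint8_t new_auth[32];
  memset(new_auth, 0xA5, sizeof new_auth);   /* constructed stand-in for RNG output */

  /* Option A: randomize platformAuth (current auth is empty), then forget it. */
  size_t n = build_hierarchy_change_auth(cmd, sizeof cmd, NULL, 0, new_auth, sizeof new_auth);
  printf("HierarchyChangeAuth: %zu bytes\n", n);

  /* Option B: disable the hierarchy; if A ran first, the new auth must be presented. */
  n = build_hierarchy_control_disable(cmd, sizeof cmd, new_auth, sizeof new_auth);
  printf("HierarchyControl(disable): %zu bytes\n", n);

  memset(new_auth, 0, sizeof new_auth);      /* discard: nothing after firmware can use it */
  return 0;
}
```

Build with `cc -std=c99 example.c`; it prints the command sizes (61 and 64 bytes). The point to take from the two builders is the ordering constraint the firmware must respect: once platformAuth has been randomized, the disable command has to carry that value in the password session, so a firmware that does both must keep the secret alive between the two commands and zero it afterwards.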

* [RFC PATCH 1/3] ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  2021-09-16 21:17 [RFC PATCH 0/3] ArmVirtPkg: Disable the TPM 2 platform hierarchy Stefan Berger
@ 2021-09-16 21:17 ` Stefan Berger
  2021-09-18  7:55   ` [edk2-devel] " Ard Biesheuvel
  2021-09-18  8:48   ` Sami Mujawar
  2021-09-16 21:17 ` [RFC PATCH 2/3] ArmVirtPkg: Reference new TPM classes in the build system for compilation Stefan Berger
  2021-09-16 21:17 ` [RFC PATCH 3/3] ArmVirtPkg: Disable the TPM2 platform hierarchy Stefan Berger
  2 siblings, 2 replies; 13+ messages in thread
From: Stefan Berger @ 2021-09-16 21:17 UTC (permalink / raw)
  To: devel
  Cc: marcandre.lureau, kraxel, jiewen.yao, ardb+tianocore, leif,
	sami.mujawar, Stefan Berger, Stefan Berger

From: Stefan Berger <stefanb@linux.vnet.ibm.com>

Add a NULL implementation of the library class TpmPlatformHierarchyLib.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ArmVirtPkg/ArmVirtPkg.dec                     |  1 +
 .../Include/Library/TpmPlatformHierarchyLib.h | 27 +++++++++++++++++
 .../PeiDxeTpmPlatformHierarchyLib.c           | 22 ++++++++++++++
 .../PeiDxeTpmPlatformHierarchyLib.inf         | 30 +++++++++++++++++++
 4 files changed, 80 insertions(+)
 create mode 100644 ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
 create mode 100644 ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf

diff --git a/ArmVirtPkg/ArmVirtPkg.dec b/ArmVirtPkg/ArmVirtPkg.dec
index 4e4d758015..f3bdca118b 100644
--- a/ArmVirtPkg/ArmVirtPkg.dec
+++ b/ArmVirtPkg/ArmVirtPkg.dec
@@ -27,6 +27,7 @@
 
 [LibraryClasses]
   ArmVirtMemInfoLib|Include/Library/ArmVirtMemInfoLib.h
+  TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h
 
 [Guids.common]
   gArmVirtTokenSpaceGuid = { 0x0B6F5CA7, 0x4F53, 0x445A, { 0xB7, 0x6E, 0x2E, 0x36, 0x5B, 0x80, 0x63, 0x66 } }
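Review bot: this adds a second declaration of the TpmPlatformHierarchyLib library class. SecurityPkg.dec already declares it (the thread notes the new header is a copy of SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h), and patch 2/3 adds SecurityPkg.dec to the consuming module's [Packages], so both declarations end up in scope for the same module. Drop this line together with the ArmVirtPkg copy of the header and let the NULL instance resolve the class from SecurityPkg, so ArmVirtPkg does not fork the interface.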
diff --git a/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h b/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
new file mode 100644
index 0000000000..8d61a4867b
--- /dev/null
+++ b/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
@@ -0,0 +1,27 @@
+/** @file
+    TPM Platform Hierarchy configuration library.
+
+    This library provides functions for customizing the TPM's Platform Hierarchy
+    Authorization Value (platformAuth) and Platform Hierarchy Authorization
+    Policy (platformPolicy) can be defined through this function.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef TPM_PLATFORM_HIERARCHY_LIB_H_
+#define TPM_PLATFORM_HIERARCHY_LIB_H_
+
+/**
+   This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
+
+**/
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+  VOID
+  );
+
+#endif
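Review bot: the function comment is wrong for this package: "at the SmmReadyToLock event" describes the x86 notification path, while 3/3 calls ConfigureTpmPlatformHierarchy() directly from PlatformBootManagerBeforeConsole(). The file description is also a run-on ("This library provides functions for customizing ... can be defined through this function"). If the header is kept at all, have the comment describe the contract, i.e. that the call either disables the platform hierarchy or replaces platformAuth with a random value, and that it must run before any third-party code can reach the TPM.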
diff --git a/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
new file mode 100644
index 0000000000..bac1efda63
--- /dev/null
+++ b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
@@ -0,0 +1,22 @@
+/** @file
+    Null TPM Platform Hierarchy configuration library.
+
+    This library provides stub functions for customizing the TPM's Platform Hierarchy.
+
+    Copyright (c) 2021, IBM Corporation.
+    SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+
+/**
+  A NULL implementation of ConfigureTpmPlatformHierarchy.
+**/
+VOID
+EFIAPI
+ConfigureTpmPlatformHierarchy (
+  )
+{
+  /* no nothing */
+}
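Review bot: the definition takes an empty parameter list while the header declares `(VOID)`; in C `()` means unspecified arguments, so write `ConfigureTpmPlatformHierarchy (VOID)` to match the prototype and the edk2 style. The comment `/* no nothing */` should read "do nothing". Since the stub has no PEI or DXE dependency, `<Base.h>` is sufficient if the module type becomes BASE as suggested elsewhere in the thread.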
diff --git a/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
new file mode 100644
index 0000000000..4f02818bbc
--- /dev/null
+++ b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
@@ -0,0 +1,30 @@
+### @file
+#   NULL TPM Platform Hierarchy configuration library.
+#
+#   This library provides functions for customizing the TPM's Platform Hierarchy
+#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
+#   Policy (platformPolicy) can be defined through this function.
+#
+# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.<BR>
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+###
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLibNull
+  FILE_GUID                      = 8947A3F2-BfB4-45EF-968D-5C40C1CE6A58
+  MODULE_TYPE                    = PEIM
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
+
+[LibraryClasses]
+  BaseLib
+
+[Packages]
+  MdePkg/MdePkg.dec
+
+[Sources]
+  PeiDxeTpmPlatformHierarchyLib.c
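Review bot: the [Defines] block does not fit a NULL instance. INF_VERSION = 0x00010005 is the legacy encoding, new INFs use 1.27; MODULE_TYPE = PEIM with `LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER` ties a dependency-free stub to two phases, where BASE with no restriction is the usual choice; BaseLib is listed under [LibraryClasses] but nothing in the .c uses it; and the header comment still claims the library "provides functions for customizing the TPM's Platform Hierarchy Authorization Value", which this instance does not do. Also confirm FILE_GUID was freshly generated rather than carried over from the SecurityPkg instance, and write it in consistent upper-case hex (`BfB4`).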
-- 
2.31.1



* [RFC PATCH 2/3] ArmVirtPkg: Reference new TPM classes in the build system for compilation
  2021-09-16 21:17 [RFC PATCH 0/3] ArmVirtPkg: Disable the TPM 2 platform hierarchy Stefan Berger
  2021-09-16 21:17 ` [RFC PATCH 1/3] ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
@ 2021-09-16 21:17 ` Stefan Berger
  2021-09-18  8:49   ` Sami Mujawar
  2021-09-16 21:17 ` [RFC PATCH 3/3] ArmVirtPkg: Disable the TPM2 platform hierarchy Stefan Berger
  2 siblings, 1 reply; 13+ messages in thread
From: Stefan Berger @ 2021-09-16 21:17 UTC (permalink / raw)
  To: devel
  Cc: marcandre.lureau, kraxel, jiewen.yao, ardb+tianocore, leif,
	sami.mujawar, Stefan Berger, Stefan Berger

From: Stefan Berger <stefanb@linux.vnet.ibm.com>

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ArmVirtPkg/ArmVirtCloudHv.dsc                                   | 1 +
 ArmVirtPkg/ArmVirtQemu.dsc                                      | 2 ++
 ArmVirtPkg/ArmVirtQemuKernel.dsc                                | 1 +
 ArmVirtPkg/ArmVirtXen.dsc                                       | 1 +
 .../Library/PlatformBootManagerLib/PlatformBootManagerLib.inf   | 1 +
 5 files changed, 6 insertions(+)

diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc
index f292ba6079..45bf8562e7 100644
--- a/ArmVirtPkg/ArmVirtCloudHv.dsc
+++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
@@ -55,6 +55,7 @@
   PciHostBridgeUtilityLib|ArmVirtPkg/Library/ArmVirtPciHostBridgeUtilityLib/ArmVirtPciHostBridgeUtilityLib.inf
 
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
 !include MdePkg/MdeLibs.dsc.inc
 
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 97539edef7..bbe60b1bad 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -86,8 +86,10 @@
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
   Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
+  TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 !else
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 !endif
 
 [LibraryClasses.common.PEIM]
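Review bot: the `!if $(TPM2_ENABLE)` split is the right shape, but it only maps the class: the SecurityPkg instance will pull in the TPM 2 command stack that the preceding lines (Tpm2CommandLib and friends) map inside the same `!if`, so check that every library class it requires is resolved for the module types it is linked into. Note also that this sits in the common section (the next header is [LibraryClasses.common.PEIM]); with the NULL instance restricted to `PEIM DXE_DRIVER` in 1/3, any other module type that ever picks up the class will fail to build.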
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
index 28064199c8..d537d9f194 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -80,6 +80,7 @@
   PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
   PciHostBridgeUtilityLib|OvmfPkg/Library/PciHostBridgeUtilityLib/PciHostBridgeUtilityLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
 [LibraryClasses.common.DXE_DRIVER]
   ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
diff --git a/ArmVirtPkg/ArmVirtXen.dsc b/ArmVirtPkg/ArmVirtXen.dsc
index 2b07a5ba19..81289e6838 100644
--- a/ArmVirtPkg/ArmVirtXen.dsc
+++ b/ArmVirtPkg/ArmVirtXen.dsc
@@ -50,6 +50,7 @@
   PlatformBootManagerLib|ArmPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
   CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
+  TpmPlatformHierarchyLib|ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
 [LibraryClasses.common.UEFI_DRIVER]
   UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
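Review bot: this mapping has no consumer in the Xen build: the PlatformBootManagerLib resolved two lines above is ArmPkg/Library/PlatformBootManagerLib, not the ArmVirtPkg one that 3/3 teaches to call ConfigureTpmPlatformHierarchy(). It is harmless, but either drop it or say in the commit message that it is added for consistency, so nobody reads it as the Xen platform disabling the hierarchy.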
diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index 11f52e019b..9f54224d3e 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -33,6 +33,7 @@
   MdeModulePkg/MdeModulePkg.dec
   MdePkg/MdePkg.dec
   OvmfPkg/OvmfPkg.dec
+  SecurityPkg/SecurityPkg.dec
   ShellPkg/ShellPkg.dec
 
 [LibraryClasses]
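Review bot: adding SecurityPkg.dec here makes SecurityPkg's declaration of TpmPlatformHierarchyLib visible to this module on top of the one 1/3 adds to ArmVirtPkg.dec, so the module now depends on two packages that declare the same class and ship the same header. Keep one: if the NULL instance moves to SecurityPkg, this line is all that is needed and the ArmVirtPkg.dec and header additions in 1/3 can go.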
-- 
2.31.1



* [RFC PATCH 3/3] ArmVirtPkg: Disable the TPM2 platform hierarchy
  2021-09-16 21:17 [RFC PATCH 0/3] ArmVirtPkg: Disable the TPM 2 platform hierarchy Stefan Berger
  2021-09-16 21:17 ` [RFC PATCH 1/3] ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
  2021-09-16 21:17 ` [RFC PATCH 2/3] ArmVirtPkg: Reference new TPM classes in the build system for compilation Stefan Berger
@ 2021-09-16 21:17 ` Stefan Berger
  2021-09-18  8:51   ` Sami Mujawar
  2 siblings, 1 reply; 13+ messages in thread
From: Stefan Berger @ 2021-09-16 21:17 UTC (permalink / raw)
  To: devel
  Cc: marcandre.lureau, kraxel, jiewen.yao, ardb+tianocore, leif,
	sami.mujawar, Stefan Berger, Stefan Berger

From: Stefan Berger <stefanb@linux.vnet.ibm.com>

Disable the TPM2 platform hierarchy by directly calling
ConfigureTpmPlatformHierarchy().

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c      | 6 ++++++
 .../PlatformBootManagerLib/PlatformBootManagerLib.inf       | 1 +
 2 files changed, 7 insertions(+)

diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
index 69448ff65b..1848042f86 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
@@ -16,6 +16,7 @@
 #include <Library/PcdLib.h>
 #include <Library/PlatformBmPrintScLib.h>
 #include <Library/QemuBootOrderLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
 #include <Library/UefiBootManagerLib.h>
 #include <Protocol/DevicePath.h>
 #include <Protocol/FirmwareVolume2.h>
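Review bot: `<Library/TpmPlatformHierarchyLib.h>` exists under both ArmVirtPkg/Include (1/3) and SecurityPkg/Include, and both packages are in this module's [Packages] after 2/3, so which copy is compiled depends on include-path order. They are identical today, which is why nothing breaks, but it is the kind of duplication that drifts; resolving the class from a single package removes the ambiguity.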
@@ -696,6 +697,11 @@ PlatformBootManagerBeforeConsole (
   //
   EfiEventGroupSignal (&gEfiEndOfDxeEventGroupGuid);
 
+  //
+  // Disable the TPM 2 platform hierarchy
+  //
+  ConfigureTpmPlatformHierarchy ();
+
   //
   // Dispatch deferred images after EndOfDxe event.
   //
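Review bot: the placement is right from a security point of view: the call lands after EndOfDxe is signalled and before "Dispatch deferred images", so third-party images dispatched from here on cannot use platformAuth. Two points to confirm in the commit message or a comment: that BDS entry is the earliest point at which the TPM driver stack is guaranteed ready on this platform, since the real instance issues TPM commands; and what a TPM2_ENABLE build does on a VM that has no TPM device, i.e. that the call fails gracefully rather than asserting. The comment "Disable the TPM 2 platform hierarchy" also overstates the NULL instance; say that the call is a no-op in builds without TPM support.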
diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
index 9f54224d3e..997eb1a442 100644
--- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
+++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
@@ -48,6 +48,7 @@
   QemuBootOrderLib
   QemuLoadImageLib
   ReportStatusCodeLib
+  TpmPlatformHierarchyLib
   UefiBootManagerLib
   UefiBootServicesTableLib
   UefiLib
-- 
2.31.1



* Re: [edk2-devel] [RFC PATCH 1/3] ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  2021-09-16 21:17 ` [RFC PATCH 1/3] ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
@ 2021-09-18  7:55   ` Ard Biesheuvel
  2021-09-18 11:53     ` Stefan Berger
  2021-09-18  8:48   ` Sami Mujawar
  1 sibling, 1 reply; 13+ messages in thread
From: Ard Biesheuvel @ 2021-09-18  7:55 UTC (permalink / raw)
  To: edk2-devel-groups-io, Stefan Berger
  Cc: Marc-André Lureau, Gerd Hoffmann, Jiewen Yao, Ard Biesheuvel,
	Leif Lindholm, Sami Mujawar, Stefan Berger

On Thu, 16 Sept 2021 at 23:18, Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
>
> Add a NULL implementation of the library class TpmPlatformHierarchyLib.
>

This patch introduces both the library class and the NULL
implementation, right?

> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  ArmVirtPkg/ArmVirtPkg.dec                     |  1 +
>  .../Include/Library/TpmPlatformHierarchyLib.h | 27 +++++++++++++++++
>  .../PeiDxeTpmPlatformHierarchyLib.c           | 22 ++++++++++++++
>  .../PeiDxeTpmPlatformHierarchyLib.inf         | 30 +++++++++++++++++++
>  4 files changed, 80 insertions(+)
>  create mode 100644 ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
>  create mode 100644 ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
>  create mode 100644 ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
>
> diff --git a/ArmVirtPkg/ArmVirtPkg.dec b/ArmVirtPkg/ArmVirtPkg.dec
> index 4e4d758015..f3bdca118b 100644
> --- a/ArmVirtPkg/ArmVirtPkg.dec
> +++ b/ArmVirtPkg/ArmVirtPkg.dec
> @@ -27,6 +27,7 @@
>
>  [LibraryClasses]
>    ArmVirtMemInfoLib|Include/Library/ArmVirtMemInfoLib.h
> +  TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h
>
>  [Guids.common]
>    gArmVirtTokenSpaceGuid = { 0x0B6F5CA7, 0x4F53, 0x445A, { 0xB7, 0x6E, 0x2E, 0x36, 0x5B, 0x80, 0x63, 0x66 } }
> diff --git a/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h b/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
> new file mode 100644
> index 0000000000..8d61a4867b
> --- /dev/null
> +++ b/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
> @@ -0,0 +1,27 @@
> +/** @file
> +    TPM Platform Hierarchy configuration library.
> +
> +    This library provides functions for customizing the TPM's Platform Hierarchy
> +    Authorization Value (platformAuth) and Platform Hierarchy Authorization
> +    Policy (platformPolicy) can be defined through this function.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) Microsoft Corporation.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef TPM_PLATFORM_HIERARCHY_LIB_H_
> +#define TPM_PLATFORM_HIERARCHY_LIB_H_
> +
> +/**
> +   This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
> +
> +**/
> +VOID
> +EFIAPI
> +ConfigureTpmPlatformHierarchy (
> +  VOID
> +  );
> +
> +#endif
> diff --git a/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
> new file mode 100644
> index 0000000000..bac1efda63
> --- /dev/null
> +++ b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
> @@ -0,0 +1,22 @@
> +/** @file
> +    Null TPM Platform Hierarchy configuration library.
> +
> +    This library provides stub functions for customizing the TPM's Platform Hierarchy.
> +
> +    Copyright (c) 2021, IBM Corporation.
> +    SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Uefi.h>
> +
> +/**
> +  A NULL implementation of ConfigureTpmPlatformHierarchy.
> +**/
> +VOID
> +EFIAPI
> +ConfigureTpmPlatformHierarchy (

VOID

> +  )
> +{
> +  /* no nothing */

double negative :-)

> +}
> diff --git a/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
> new file mode 100644
> index 0000000000..4f02818bbc
> --- /dev/null
> +++ b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
> @@ -0,0 +1,30 @@
> +### @file
> +#   NULL TPM Platform Hierarchy configuration library.
> +#
> +#   This library provides functions for customizing the TPM's Platform Hierarchy
> +#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
> +#   Policy (platformPolicy) can be defined through this function.
> +#
> +# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +# Copyright (c) Microsoft Corporation.<BR>
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +###
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005

1.27

> +  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLibNull

Make this BasePlatform....

> +  FILE_GUID                      = 8947A3F2-BfB4-45EF-968D-5C40C1CE6A58
> +  MODULE_TYPE                    = PEIM

BASE

> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
> +
> +[LibraryClasses]
> +  BaseLib
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +
> +[Sources]
> +  PeiDxeTpmPlatformHierarchyLib.c
> --
> 2.31.1
>
>


* Re: [RFC PATCH 1/3] ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  2021-09-16 21:17 ` [RFC PATCH 1/3] ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib Stefan Berger
  2021-09-18  7:55   ` [edk2-devel] " Ard Biesheuvel
@ 2021-09-18  8:48   ` Sami Mujawar
  2021-09-18 11:57     ` [edk2-devel] " Stefan Berger
  1 sibling, 1 reply; 13+ messages in thread
From: Sami Mujawar @ 2021-09-18  8:48 UTC (permalink / raw)
  To: Stefan Berger, devel
  Cc: marcandre.lureau, kraxel, jiewen.yao, ardb+tianocore, leif,
	Stefan Berger

Hi Stefan,

Thank you for this patch.

I have a few minor comments marked inline as [SAMI].

Regards,

Sami Mujawar


On 16/09/2021 10:17 PM, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
>
> Add a NULL implementation of the library class TpmPlatformHierarchyLib.
[SAMI] Is it possible to add a link to the bugzilla
(https://bugzilla.tianocore.org/show_bug.cgi?id=3510), please?
Also, would it be possible to place 'PeiDxeTpmPlatformHierarchyLibNull'
in SecurityPkg (i.e. if this library can be useful for other
architectures).
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   ArmVirtPkg/ArmVirtPkg.dec                     |  1 +
>   .../Include/Library/TpmPlatformHierarchyLib.h | 27 +++++++++++++++++
>   .../PeiDxeTpmPlatformHierarchyLib.c           | 22 ++++++++++++++
>   .../PeiDxeTpmPlatformHierarchyLib.inf         | 30 +++++++++++++++++++
>   4 files changed, 80 insertions(+)
>   create mode 100644 ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
>   create mode 100644 ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
>   create mode 100644 ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
>
> diff --git a/ArmVirtPkg/ArmVirtPkg.dec b/ArmVirtPkg/ArmVirtPkg.dec
> index 4e4d758015..f3bdca118b 100644
> --- a/ArmVirtPkg/ArmVirtPkg.dec
> +++ b/ArmVirtPkg/ArmVirtPkg.dec
> @@ -27,6 +27,7 @@
>
>
>   [LibraryClasses]
>
>     ArmVirtMemInfoLib|Include/Library/ArmVirtMemInfoLib.h
>
> +  TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h
[SAMI] The file 'ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h'
appears to be a copy of the header file
SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h. Is this needed
here, or could we reference the one from SecurityPkg?
>
>
>
>   [Guids.common]
>
>     gArmVirtTokenSpaceGuid = { 0x0B6F5CA7, 0x4F53, 0x445A, { 0xB7, 0x6E, 0x2E, 0x36, 0x5B, 0x80, 0x63, 0x66 } }
>
> diff --git a/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h b/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
> new file mode 100644
> index 0000000000..8d61a4867b
> --- /dev/null
> +++ b/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
> @@ -0,0 +1,27 @@
> +/** @file
>
> +    TPM Platform Hierarchy configuration library.
>
> +
>
> +    This library provides functions for customizing the TPM's Platform Hierarchy
>
> +    Authorization Value (platformAuth) and Platform Hierarchy Authorization
>
> +    Policy (platformPolicy) can be defined through this function.
>
> +
>
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>
> +Copyright (c) Microsoft Corporation.<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#ifndef TPM_PLATFORM_HIERARCHY_LIB_H_
>
> +#define TPM_PLATFORM_HIERARCHY_LIB_H_
>
> +
>
> +/**
>
> +   This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
>
> +
>
> +**/
>
> +VOID
>
> +EFIAPI
>
> +ConfigureTpmPlatformHierarchy (
>
> +  VOID
>
> +  );
>
> +
>
> +#endif
>
> diff --git a/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
> new file mode 100644
> index 0000000000..bac1efda63
> --- /dev/null
> +++ b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
> @@ -0,0 +1,22 @@
> +/** @file
>
> +    Null TPM Platform Hierarchy configuration library.
>
> +
>
> +    This library provides stub functions for customizing the TPM's Platform Hierarchy.
>
> +
>
> +    Copyright (c) 2021, IBM Corporation.
>
> +    SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#include <Uefi.h>
>
> +
>
> +/**
>
> +  A NULL implementation of ConfigureTpmPlatformHierarchy.
>
> +**/
>
> +VOID
>
> +EFIAPI
>
> +ConfigureTpmPlatformHierarchy (
>
> +  )
>
> +{
>
> +  /* no nothing */
>
> +}
>
> diff --git a/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
> new file mode 100644
> index 0000000000..4f02818bbc
> --- /dev/null
> +++ b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
> @@ -0,0 +1,30 @@
> +### @file
>
> +#   NULL TPM Platform Hierarchy configuration library.
>
> +#
>
> +#   This library provides functions for customizing the TPM's Platform Hierarchy
>
> +#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
>
> +#   Policy (platformPolicy) can be defined through this function.
>
> +#
>
> +# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>
> +# Copyright (c) Microsoft Corporation.<BR>
>
> +#
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +###
>
> +
>
> +[Defines]
>
> +  INF_VERSION                    = 0x00010005
>
> +  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLibNull
>
> +  FILE_GUID                      = 8947A3F2-BfB4-45EF-968D-5C40C1CE6A58
>
> +  MODULE_TYPE                    = PEIM
>
> +  VERSION_STRING                 = 1.0
>
> +  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
>
> +
>
> +[LibraryClasses]
>
> +  BaseLib
>
> +
>
> +[Packages]
>
> +  MdePkg/MdePkg.dec
>
> +
>
> +[Sources]
>
> +  PeiDxeTpmPlatformHierarchyLib.c
>



* Re: [RFC PATCH 2/3] ArmVirtPkg: Reference new TPM classes in the build system for compilation
  2021-09-16 21:17 ` [RFC PATCH 2/3] ArmVirtPkg: Reference new TPM classes in the build system for compilation Stefan Berger
@ 2021-09-18  8:49   ` Sami Mujawar
  2021-09-18 11:59     ` [edk2-devel] " Stefan Berger
  0 siblings, 1 reply; 13+ messages in thread
From: Sami Mujawar @ 2021-09-18  8:49 UTC (permalink / raw)
  To: Stefan Berger, devel
  Cc: marcandre.lureau, kraxel, jiewen.yao, ardb+tianocore, leif,
	Stefan Berger

Hi Stefan,

Thank you for this patch.

Please find my response inline marked [SAMI].

With that updated,

Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>

Regards,

Sami Mujawar

On 16/09/2021 10:17 PM, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
[SAMI] Is it possible to add the bugzilla reference here, please? Also,
it would be very helpful to add the message from the cover letter here,
as the cover letter would not be part of the patch in git.
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   ArmVirtPkg/ArmVirtCloudHv.dsc                                   | 1 +
>   ArmVirtPkg/ArmVirtQemu.dsc                                      | 2 ++
>   ArmVirtPkg/ArmVirtQemuKernel.dsc                                | 1 +
>   ArmVirtPkg/ArmVirtXen.dsc                                       | 1 +
>   .../Library/PlatformBootManagerLib/PlatformBootManagerLib.inf   | 1 +
>   5 files changed, 6 insertions(+)
>
> diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc
> index f292ba6079..45bf8562e7 100644
> --- a/ArmVirtPkg/ArmVirtCloudHv.dsc
> +++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
> @@ -55,6 +55,7 @@
>     PciHostBridgeUtilityLib|ArmVirtPkg/Library/ArmVirtPciHostBridgeUtilityLib/ArmVirtPciHostBridgeUtilityLib.inf
>
>
>
>     TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
>
> +  TpmPlatformHierarchyLib|ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
>
>
>
>   !include MdePkg/MdeLibs.dsc.inc
>
>
>
> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index 97539edef7..bbe60b1bad 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -86,8 +86,10 @@
>     Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
>
>     Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
>
>     TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
>
> +  TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
>
>   !else
>
>     TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
>
> +  TpmPlatformHierarchyLib|ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
>
>   !endif
>
>
>
>   [LibraryClasses.common.PEIM]
>
> diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> index 28064199c8..d537d9f194 100644
> --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> @@ -80,6 +80,7 @@
>     PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridgeLib.inf
>
>     PciHostBridgeUtilityLib|OvmfPkg/Library/PciHostBridgeUtilityLib/PciHostBridgeUtilityLib.inf
>
>     TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
>
> +  TpmPlatformHierarchyLib|ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
>
>
>
>   [LibraryClasses.common.DXE_DRIVER]
>
>     ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
>
> diff --git a/ArmVirtPkg/ArmVirtXen.dsc b/ArmVirtPkg/ArmVirtXen.dsc
> index 2b07a5ba19..81289e6838 100644
> --- a/ArmVirtPkg/ArmVirtXen.dsc
> +++ b/ArmVirtPkg/ArmVirtXen.dsc
> @@ -50,6 +50,7 @@
>     PlatformBootManagerLib|ArmPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
>
>     CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
>
>     TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
>
> +  TpmPlatformHierarchyLib|ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
>
>
>
>   [LibraryClasses.common.UEFI_DRIVER]
>
>     UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
>
> diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
> index 11f52e019b..9f54224d3e 100644
> --- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
> +++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
> @@ -33,6 +33,7 @@
>     MdeModulePkg/MdeModulePkg.dec
>
>     MdePkg/MdePkg.dec
>
>     OvmfPkg/OvmfPkg.dec
>
> +  SecurityPkg/SecurityPkg.dec
>
>     ShellPkg/ShellPkg.dec
>
>
>
>   [LibraryClasses]
>
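Review bot: the [Packages] hunk adds SecurityPkg/SecurityPkg.dec, yet patch 1/3 declares the TpmPlatformHierarchyLib class and a copy of its header in ArmVirtPkg.dec, so the same library class is now reachable from two packages with two headers. Either depend on SecurityPkg.dec and drop the ArmVirtPkg declaration and header copy, or keep the ArmVirtPkg declaration and leave this line out; carrying both is what produces the "which header is used" question raised elsewhere in this thread. It would also help to fold this line into patch 3/3, where the `TpmPlatformHierarchyLib` [LibraryClasses] entry is added to the same .inf, so one commit shows why the package dependency exists.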



* Re: [RFC PATCH 3/3] ArmVirtPkg: Disable the TPM2 platform hierarchy
  2021-09-16 21:17 ` [RFC PATCH 3/3] ArmVirtPkg: Disable the TPM2 platform hierarchy Stefan Berger
@ 2021-09-18  8:51   ` Sami Mujawar
  0 siblings, 0 replies; 13+ messages in thread
From: Sami Mujawar @ 2021-09-18  8:51 UTC (permalink / raw)
  To: Stefan Berger, devel
  Cc: marcandre.lureau, kraxel, jiewen.yao, ardb+tianocore, leif,
	Stefan Berger, nd


Hi Stefan,

I have a minor suggestion marked inline as [SAMI].

With that updated,

Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>

Regards,

Sami Mujawar


On 16/09/2021 10:17 PM, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
>
> Disable the TPM2 platform hierarchy by directly calling
> ConfigureTpmPlatformHierarchy().
[SAMI] Please add the bugzilla reference. It will also be helpful to 
include the commit message from the cover letter here.

Also, your bugzilla description (pasted below) would be a really useful 
reference:

    Per the TCG firmware specification "TCG PC Client Platform Firmware
    Profile Specification" the TPM 2 platform hierarchy needs to be disabled
    or a random password set and discarded before the firmware passes
    control to the next stage bootloader or kernel.
    Current specs are here:
    https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf

    Section 11 states:
    "Platform Firmware MUST protect access to the Platform Hierarchy and prevent access to the platform hierarchy by non-manufacturer-controlled components."

Please note - I have updated the specification link above to point to 
the latest TCG published spec.

> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>   ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c      | 6 ++++++
>   .../PlatformBootManagerLib/PlatformBootManagerLib.inf       | 1 +
>   2 files changed, 7 insertions(+)
>
> diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
> index 69448ff65b..1848042f86 100644
> --- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
> +++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBm.c
> @@ -16,6 +16,7 @@
>   #include <Library/PcdLib.h>
>
>   #include <Library/PlatformBmPrintScLib.h>
>
>   #include <Library/QemuBootOrderLib.h>
>
> +#include <Library/TpmPlatformHierarchyLib.h>
>
>   #include <Library/UefiBootManagerLib.h>
>
>   #include <Protocol/DevicePath.h>
>
>   #include <Protocol/FirmwareVolume2.h>
>
> @@ -696,6 +697,11 @@ PlatformBootManagerBeforeConsole (
>     //
>
>     EfiEventGroupSignal (&gEfiEndOfDxeEventGroupGuid);
>
>   
>
> +  //
>
> +  // Disable the TPM 2 platform hierarchy
>
> +  //
>
> +  ConfigureTpmPlatformHierarchy ();
>
> +
>
>     //
>
>     // Dispatch deferred images after EndOfDxe event.
>
>     //
>
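Review bot: the placement is the security-relevant part of this hunk and the new comment should say so: the call sits after EfiEventGroupSignal (&gEfiEndOfDxeEventGroupGuid) and before the deferred images are dispatched, so no deferred (non-firmware) image runs while the platform hierarchy is still open. "Disable the TPM 2 platform hierarchy" alone does not tell a later reader why the call must not move below the dispatch. Also, ConfigureTpmPlatformHierarchy () returns VOID (see the header in patch 1/3), so neither a failure inside the library nor the NULL implementation doing nothing is observable here; a DEBUG print in the library stating which path ran would let a boot log confirm that the hierarchy was actually locked.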
> diff --git a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
> index 9f54224d3e..997eb1a442 100644
> --- a/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
> +++ b/ArmVirtPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf
> @@ -48,6 +48,7 @@
>     QemuBootOrderLib
>
>     QemuLoadImageLib
>
>     ReportStatusCodeLib
>
> +  TpmPlatformHierarchyLib
>
>     UefiBootManagerLib
>
>     UefiBootServicesTableLib
>
>     UefiLib
>




* Re: [edk2-devel] [RFC PATCH 1/3] ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  2021-09-18  7:55   ` [edk2-devel] " Ard Biesheuvel
@ 2021-09-18 11:53     ` Stefan Berger
  2021-09-22 11:39       ` Ard Biesheuvel
  0 siblings, 1 reply; 13+ messages in thread
From: Stefan Berger @ 2021-09-18 11:53 UTC (permalink / raw)
  To: Ard Biesheuvel, edk2-devel-groups-io
  Cc: Marc-André Lureau, Gerd Hoffmann, Jiewen Yao, Ard Biesheuvel,
	Leif Lindholm, Sami Mujawar, Stefan Berger


On 9/18/21 3:55 AM, Ard Biesheuvel wrote:
> On Thu, 16 Sept 2021 at 23:18, Stefan Berger <stefanb@linux.ibm.com> wrote:
>> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
>>
>> Add a NULL implementation of the library class TpmPlatformHierarchyLib.
>>
> This patch introduces both the library class and the NULL
> implementation, right?

No, we already added the library class when adding the 'foundation' for 
x86 support: 
https://github.com/tianocore/edk2/tree/master/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib


>
>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
>> Cc: Leif Lindholm <leif@nuviainc.com>
>> Cc: Sami Mujawar <sami.mujawar@arm.com>
>> Cc: Gerd Hoffmann <kraxel@redhat.com>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>>   ArmVirtPkg/ArmVirtPkg.dec                     |  1 +
>>   .../Include/Library/TpmPlatformHierarchyLib.h | 27 +++++++++++++++++
>>   .../PeiDxeTpmPlatformHierarchyLib.c           | 22 ++++++++++++++
>>   .../PeiDxeTpmPlatformHierarchyLib.inf         | 30 +++++++++++++++++++
>>   4 files changed, 80 insertions(+)
>>   create mode 100644 ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
>>   create mode 100644 ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
>>   create mode 100644 ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
>>
>> diff --git a/ArmVirtPkg/ArmVirtPkg.dec b/ArmVirtPkg/ArmVirtPkg.dec
>> index 4e4d758015..f3bdca118b 100644
>> --- a/ArmVirtPkg/ArmVirtPkg.dec
>> +++ b/ArmVirtPkg/ArmVirtPkg.dec
>> @@ -27,6 +27,7 @@
>>
>>   [LibraryClasses]
>>     ArmVirtMemInfoLib|Include/Library/ArmVirtMemInfoLib.h
>> +  TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h
>>
>>   [Guids.common]
>>     gArmVirtTokenSpaceGuid = { 0x0B6F5CA7, 0x4F53, 0x445A, { 0xB7, 0x6E, 0x2E, 0x36, 0x5B, 0x80, 0x63, 0x66 } }
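Review bot: this line declares a second TpmPlatformHierarchyLib class, pointing at an ArmVirtPkg copy of the header, while the reply above confirms the class already exists in SecurityPkg. Two packages declaring one class with two headers is a maintenance hazard: if the SecurityPkg prototype changes, the ArmVirtPkg copy silently diverges and the .dsc files decide which one a module sees. Prefer referencing the SecurityPkg declaration from the ArmVirtPkg .dsc/.inf files and dropping this line together with the header copy.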
>> diff --git a/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h b/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
>> new file mode 100644
>> index 0000000000..8d61a4867b
>> --- /dev/null
>> +++ b/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
>> @@ -0,0 +1,27 @@
>> +/** @file
>> +    TPM Platform Hierarchy configuration library.
>> +
>> +    This library provides functions for customizing the TPM's Platform Hierarchy
>> +    Authorization Value (platformAuth) and Platform Hierarchy Authorization
>> +    Policy (platformPolicy) can be defined through this function.
>> +
>> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +Copyright (c) Microsoft Corporation.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#ifndef TPM_PLATFORM_HIERARCHY_LIB_H_
>> +#define TPM_PLATFORM_HIERARCHY_LIB_H_
>> +
>> +/**
>> +   This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
>> +
>> +**/
>> +VOID
>> +EFIAPI
>> +ConfigureTpmPlatformHierarchy (
>> +  VOID
>> +  );
>> +
>> +#endif
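Review bot: the doc comment "will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event" was carried over from the x86 header and does not hold here: ArmVirtPkg has no SMM and the cover letter says the function is called directly from PlatformBootManagerBeforeConsole(). Reword it to state the caller's obligation (invoke before any non-firmware image runs) rather than tie the contract to an event this platform never signals. The file description above it ("This library provides functions for customizing the TPM's Platform Hierarchy Authorization Value (platformAuth) and Platform Hierarchy Authorization Policy (platformPolicy) can be defined through this function.") is also one sentence spliced into another and should be split into two.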
>> diff --git a/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
>> new file mode 100644
>> index 0000000000..bac1efda63
>> --- /dev/null
>> +++ b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
>> @@ -0,0 +1,22 @@
>> +/** @file
>> +    Null TPM Platform Hierarchy configuration library.
>> +
>> +    This library provides stub functions for customizing the TPM's Platform Hierarchy.
>> +
>> +    Copyright (c) 2021, IBM Corporation.
>> +    SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#include <Uefi.h>
>> +
>> +/**
>> +  A NULL implementation of ConfigureTpmPlatformHierarchy.
>> +**/
>> +VOID
>> +EFIAPI
>> +ConfigureTpmPlatformHierarchy (
> VOID
Ok, had copied the signature 1:1 from here: 
https://github.com/tianocore/edk2/blob/master/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c#L239
>
>> +  )
>> +{
>> +  /* no nothing */
> double negative :-)


Typo. Will fix.

>
>> +}
>> diff --git a/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
>> new file mode 100644
>> index 0000000000..4f02818bbc
>> --- /dev/null
>> +++ b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
>> @@ -0,0 +1,30 @@
>> +### @file
>> +#   NULL TPM Platform Hierarchy configuration library.
>> +#
>> +#   This library provides functions for customizing the TPM's Platform Hierarchy
>> +#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
>> +#   Policy (platformPolicy) can be defined through this function.
>> +#
>> +# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>> +# Copyright (c) Microsoft Corporation.<BR>
>> +#
>> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>> +#
>> +###
>> +
>> +[Defines]
>> +  INF_VERSION                    = 0x00010005
> 1.27
Originally all comes from this file here: 
https://github.com/tianocore/edk2/blob/master/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf#L16


>> +  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLibNull
> Make this BasePlatform....

Even though it will be different than here? 
https://github.com/tianocore/edk2/blob/master/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf#L17



>
>> +  FILE_GUID                      = 8947A3F2-BfB4-45EF-968D-5C40C1CE6A58
>> +  MODULE_TYPE                    = PEIM
> BASE
>
>> +  VERSION_STRING                 = 1.0
>> +  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
>> +
>> +[LibraryClasses]
>> +  BaseLib
>> +
>> +[Packages]
>> +  MdePkg/MdePkg.dec
>> +
>> +[Sources]
>> +  PeiDxeTpmPlatformHierarchyLib.c
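Review bot: the INF header says this library "provides functions for customizing the TPM's Platform Hierarchy Authorization Value (platformAuth) and ... Policy (platformPolicy)", copied from the real SecurityPkg instance, but this is the NULL instance whose single function does nothing; state that plainly (as the .c header does) so nobody reading a .dsc mistakes the NULL lib for protection. The copyright lines name Intel and Microsoft while the matching .c names IBM 2021; make the two files agree. `BaseLib` under [LibraryClasses] is not used by the empty stub and can be dropped. MODULE_TYPE PEIM combined with LIBRARY_CLASS ...|PEIM DXE_DRIVER is the mismatch Ard points out above; BASE fits a stub with no phase dependencies.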
>> --
>> 2.31.1
>>
>>
>>
>>
>>


* Re: [edk2-devel] [RFC PATCH 1/3] ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  2021-09-18  8:48   ` Sami Mujawar
@ 2021-09-18 11:57     ` Stefan Berger
  0 siblings, 0 replies; 13+ messages in thread
From: Stefan Berger @ 2021-09-18 11:57 UTC (permalink / raw)
  To: devel, sami.mujawar
  Cc: marcandre.lureau, kraxel, jiewen.yao, ardb+tianocore, leif,
	Stefan Berger


On 9/18/21 4:48 AM, Sami Mujawar wrote:
> Hi Stefan,
>
> Thank you for this patch.
>
> I have a few minor comments marked inline as [SAMI].
>
> Regards,
>
> Sami Mujawar
>
>
> On 16/09/2021 10:17 PM, Stefan Berger wrote:
>> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
>>
>> Add a NULL implementation of the library class TpmPlatformHierarchyLib.
> [SAMI] Is it possible to add a link to the bugzilla
> (https://bugzilla.tianocore.org/show_bug.cgi?id=3510), please?
> Also, would it be possible to place 'PeiDxeTpmPlatformHierarchyLibNull'
> in SecurityPkg (i.e. if this library can be useful for other
> architectures).


Yes. I didn't put it there because it was 'specialized' for ARM, but I 
don't mind moving it there on the next round.


>> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
>> Cc: Leif Lindholm <leif@nuviainc.com>
>> Cc: Sami Mujawar <sami.mujawar@arm.com>
>> Cc: Gerd Hoffmann <kraxel@redhat.com>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>>   ArmVirtPkg/ArmVirtPkg.dec                     |  1 +
>>   .../Include/Library/TpmPlatformHierarchyLib.h | 27 +++++++++++++++++
>>   .../PeiDxeTpmPlatformHierarchyLib.c           | 22 ++++++++++++++
>>   .../PeiDxeTpmPlatformHierarchyLib.inf         | 30 +++++++++++++++++++
>>   4 files changed, 80 insertions(+)
>>   create mode 100644 
>> ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
>>   create mode 100644 
>> ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
>>   create mode 100644 
>> ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
>>
>> diff --git a/ArmVirtPkg/ArmVirtPkg.dec b/ArmVirtPkg/ArmVirtPkg.dec
>> index 4e4d758015..f3bdca118b 100644
>> --- a/ArmVirtPkg/ArmVirtPkg.dec
>> +++ b/ArmVirtPkg/ArmVirtPkg.dec
>> @@ -27,6 +27,7 @@
>>
>>
>>   [LibraryClasses]
>>
>>     ArmVirtMemInfoLib|Include/Library/ArmVirtMemInfoLib.h
>>
>> + TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h
> [SAMI] The file 'ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h'
> appears to be a copy of the header file
> SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h. Is this needed
> here or we could reference the one from SecurityPkg?

I added it since one of the test builds complained about a missing header 
file. This silenced it. If we move the NULL implementation to 
SecurityPkg, then we won't need this anymore.




* Re: [edk2-devel] [RFC PATCH 2/3] ArmVirtPkg: Reference new TPM classes in the build system for compilation
  2021-09-18  8:49   ` Sami Mujawar
@ 2021-09-18 11:59     ` Stefan Berger
  0 siblings, 0 replies; 13+ messages in thread
From: Stefan Berger @ 2021-09-18 11:59 UTC (permalink / raw)
  To: devel, sami.mujawar
  Cc: marcandre.lureau, kraxel, jiewen.yao, ardb+tianocore, leif,
	Stefan Berger


On 9/18/21 4:49 AM, Sami Mujawar wrote:
> Hi Stefan,
>
> Thank you for this patch.
>
> Please find my response inline marked [SAMI].
>
> With that updated,
>
> Reviewed-by: Sami Mujawar <sami.mujawar@arm.com>
>
> Regards,
>
> Sami Mujawar
>
> On 16/09/2021 10:17 PM, Stefan Berger wrote:
>> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
> [SAMI] Is it possible to add the bugzilla reference here, please? Also
> it would be very helpful to add the message from the cover letter here
> as the coverletter would not be part of the patch in git.


Sure, I will add the link on next round.

    Stefan


* Re: [edk2-devel] [RFC PATCH 1/3] ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  2021-09-18 11:53     ` Stefan Berger
@ 2021-09-22 11:39       ` Ard Biesheuvel
  2021-09-22 16:29         ` Stefan Berger
  0 siblings, 1 reply; 13+ messages in thread
From: Ard Biesheuvel @ 2021-09-22 11:39 UTC (permalink / raw)
  To: edk2-devel-groups-io, Stefan Berger
  Cc: Marc-André Lureau, Gerd Hoffmann, Jiewen Yao, Ard Biesheuvel,
	Leif Lindholm, Sami Mujawar, Stefan Berger

On Sat, 18 Sept 2021 at 13:54, Stefan Berger <stefanb@linux.ibm.com> wrote:
>
>
> On 9/18/21 3:55 AM, Ard Biesheuvel wrote:
> > On Thu, 16 Sept 2021 at 23:18, Stefan Berger <stefanb@linux.ibm.com> wrote:
> >> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
> >>
> >> Add a NULL implementation of the library class TpmPlatformHierarchyLib.
> >>
> > This patch introduces both the library class and the NULL
> > implementation, right?
>
> No, we already added the library class when adding the 'foundation' for
> x86 support:
> https://github.com/tianocore/edk2/tree/master/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib
>
>
> >
> >> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> >> Cc: Leif Lindholm <leif@nuviainc.com>
> >> Cc: Sami Mujawar <sami.mujawar@arm.com>
> >> Cc: Gerd Hoffmann <kraxel@redhat.com>
> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >> ---
> >>   ArmVirtPkg/ArmVirtPkg.dec                     |  1 +
> >>   .../Include/Library/TpmPlatformHierarchyLib.h | 27 +++++++++++++++++
> >>   .../PeiDxeTpmPlatformHierarchyLib.c           | 22 ++++++++++++++
> >>   .../PeiDxeTpmPlatformHierarchyLib.inf         | 30 +++++++++++++++++++
> >>   4 files changed, 80 insertions(+)
> >>   create mode 100644 ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
> >>   create mode 100644 ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
> >>   create mode 100644 ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
> >>
> >> diff --git a/ArmVirtPkg/ArmVirtPkg.dec b/ArmVirtPkg/ArmVirtPkg.dec
> >> index 4e4d758015..f3bdca118b 100644
> >> --- a/ArmVirtPkg/ArmVirtPkg.dec
> >> +++ b/ArmVirtPkg/ArmVirtPkg.dec
> >> @@ -27,6 +27,7 @@
> >>
> >>   [LibraryClasses]
> >>     ArmVirtMemInfoLib|Include/Library/ArmVirtMemInfoLib.h
> >> +  TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h
> >>
> >>   [Guids.common]
> >>     gArmVirtTokenSpaceGuid = { 0x0B6F5CA7, 0x4F53, 0x445A, { 0xB7, 0x6E, 0x2E, 0x36, 0x5B, 0x80, 0x63, 0x66 } }
> >> diff --git a/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h b/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
> >> new file mode 100644
> >> index 0000000000..8d61a4867b
> >> --- /dev/null
> >> +++ b/ArmVirtPkg/Include/Library/TpmPlatformHierarchyLib.h
> >> @@ -0,0 +1,27 @@
> >> +/** @file
> >> +    TPM Platform Hierarchy configuration library.
> >> +
> >> +    This library provides functions for customizing the TPM's Platform Hierarchy
> >> +    Authorization Value (platformAuth) and Platform Hierarchy Authorization
> >> +    Policy (platformPolicy) can be defined through this function.
> >> +
> >> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> >> +Copyright (c) Microsoft Corporation.<BR>
> >> +SPDX-License-Identifier: BSD-2-Clause-Patent
> >> +
> >> +**/
> >> +
> >> +#ifndef TPM_PLATFORM_HIERARCHY_LIB_H_
> >> +#define TPM_PLATFORM_HIERARCHY_LIB_H_
> >> +
> >> +/**
> >> +   This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event.
> >> +
> >> +**/
> >> +VOID
> >> +EFIAPI
> >> +ConfigureTpmPlatformHierarchy (
> >> +  VOID
> >> +  );
> >> +
> >> +#endif
> >> diff --git a/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
> >> new file mode 100644
> >> index 0000000000..bac1efda63
> >> --- /dev/null
> >> +++ b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
> >> @@ -0,0 +1,22 @@
> >> +/** @file
> >> +    Null TPM Platform Hierarchy configuration library.
> >> +
> >> +    This library provides stub functions for customizing the TPM's Platform Hierarchy.
> >> +
> >> +    Copyright (c) 2021, IBM Corporation.
> >> +    SPDX-License-Identifier: BSD-2-Clause-Patent
> >> +
> >> +**/
> >> +
> >> +#include <Uefi.h>
> >> +
> >> +/**
> >> +  A NULL implementation of ConfigureTpmPlatformHierarchy.
> >> +**/
> >> +VOID
> >> +EFIAPI
> >> +ConfigureTpmPlatformHierarchy (
> > VOID
> Ok, had copied the signature 1:1 from here:
> https://github.com/tianocore/edk2/blob/master/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c#L239
> >
> >> +  )
> >> +{
> >> +  /* no nothing */
> > double negative :-)
>
>
> Typo. Will fix.
>
> >
> >> +}
> >> diff --git a/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
> >> new file mode 100644
> >> index 0000000000..4f02818bbc
> >> --- /dev/null
> >> +++ b/ArmVirtPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
> >> @@ -0,0 +1,30 @@
> >> +### @file
> >> +#   NULL TPM Platform Hierarchy configuration library.
> >> +#
> >> +#   This library provides functions for customizing the TPM's Platform Hierarchy
> >> +#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
> >> +#   Policy (platformPolicy) can be defined through this function.
> >> +#
> >> +# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> >> +# Copyright (c) Microsoft Corporation.<BR>
> >> +#
> >> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> >> +#
> >> +###
> >> +
> >> +[Defines]
> >> +  INF_VERSION                    = 0x00010005
> > 1.27
> Originally all comes from this file here:
> https://github.com/tianocore/edk2/blob/master/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf#L16
>

Doesn't matter. New INFs use the latest version

>
> >> +  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLibNull
> > Make this BasePlatform....
>
> Even though it will be different than here?
> https://github.com/tianocore/edk2/blob/master/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf#L17
>

Yes.

>
>
> >
> >> +  FILE_GUID                      = 8947A3F2-BfB4-45EF-968D-5C40C1CE6A58
> >> +  MODULE_TYPE                    = PEIM
> > BASE
> >
> >> +  VERSION_STRING                 = 1.0
> >> +  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
> >> +
> >> +[LibraryClasses]
> >> +  BaseLib
> >> +
> >> +[Packages]
> >> +  MdePkg/MdePkg.dec
> >> +
> >> +[Sources]
> >> +  PeiDxeTpmPlatformHierarchyLib.c
> >> --
> >> 2.31.1
> >>
> >>
> >>
> >>
> >>
>
>
> 
>
>


* Re: [edk2-devel] [RFC PATCH 1/3] ArmVirtPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  2021-09-22 11:39       ` Ard Biesheuvel
@ 2021-09-22 16:29         ` Stefan Berger
  0 siblings, 0 replies; 13+ messages in thread
From: Stefan Berger @ 2021-09-22 16:29 UTC (permalink / raw)
  To: Ard Biesheuvel, edk2-devel-groups-io
  Cc: Marc-André Lureau, Gerd Hoffmann, Jiewen Yao, Ard Biesheuvel,
	Leif Lindholm, Sami Mujawar, Stefan Berger

On 9/22/21 7:39 AM, Ard Biesheuvel wrote:

>
>>>> +[Defines]
>>>> +  INF_VERSION                    = 0x00010005
>>> 1.27
>> Originally all comes from this file here:
>> https://github.com/tianocore/edk2/blob/master/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf#L16
>>
> Doesn't matter. New INFs use the latest version
>
>>>> +  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLibNull
>>> Make this BasePlatform....
>> Even though it will be different than here?
>> https://github.com/tianocore/edk2/blob/master/SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf#L17
>>
> Yes.



Fixed in upcoming v3.


    Stefan



