From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) by mx.groups.io with SMTP id smtpd.web12.265.1634146403719105857 for ; Wed, 13 Oct 2021 10:33:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@corthon-com.20210112.gappssmtp.com header.s=20210112 header.b=zkWB3+l7; spf=none, err=permanent DNS error (domain: corthon.com, ip: 209.85.210.169, mailfrom: bret@corthon.com) Received: by mail-pf1-f169.google.com with SMTP id g14so3137468pfm.1 for ; Wed, 13 Oct 2021 10:33:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=corthon-com.20210112.gappssmtp.com; s=20210112; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=2PGGi1l9IutJ4o5IckpZkOPfBz6KUkoGDqTPwruKc64=; b=zkWB3+l7RxHTjB1YFTcqyqHMXD3Rm81pJ8GHV1SEV2FYHwVkS9ZdKOPjUuKWXJwzKK TB1dj3YQp8IZK144Qt4G+DQTECOghhLfWbOkIz76nd4+msHlukW33uaQal2XRnS0wcR1 zJTRai0BIQdL7N9AeXPyOURewm3IdLuxHPRiaEFYe0L78+N1oH9MF1xx5ePeRURbTGsa tdkmppE/daGQOJXyjUX+miqy7GiVNbjr4B3KxZ/K1ugFQtHcOSUNSkRjqOniqHoeMXuE HSFOMD7743VbExyAXIPWoq7OP2aPIF8R1i1MhVTCyrTt783X6dttXXRotgSFRy8IoSbs FNOQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=2PGGi1l9IutJ4o5IckpZkOPfBz6KUkoGDqTPwruKc64=; b=fl58Z+EhOdtU78+7PTIdiL//1iBnwfnVyGduUQ7dvr5024tv1EsUcMaoLhoH8OqV7B KUeTSyrP/eihDYOjVR9GWHHKUrL+XCKG46/CHf+pZJYoon11p+JOxw9iIeM1HzxQkG/L h+sDeeR+3fTAQlqgfP/iqXXlfkEkVhRtSyQo9It8/KLGvTjjMAozNzjWOy/OMGipxzmz zbRns8HXrg3UiiHlBt46hsuCrTxsEIkEyWcFQWxhFelfuku1XgzGULwp9QRF2k8PqqH1 BMh0ogM91E2+ud4XPOppMRSY55nwNq0UzzyjWEIacQkHhu0dEXyZIXh3+lgu9RVtUsJu kX0g== X-Gm-Message-State: AOAM530GiSuSfVFQlPmCmCgnRbSTkwUIgcuGyEKEYrGmacLoMelQGQPy llnygWZs2eGdC85ore3nRDbBDVAhv0T8TICP X-Google-Smtp-Source: ABdhPJzL5/JAZhDJtb2iL+rSU2VqPznEICidqaReSJj8mwjS1frBoBgYevasmczurEfOpU6l9ek2Hw== X-Received: by 2002:a63:7542:: with SMTP id f2mr414161pgn.64.1634146402539; Wed, 13 Oct 2021 10:33:22 -0700 (PDT) Return-Path: Received: from localhost.localdomain (174-21-94-94.tukw.qwest.net. [174.21.94.94]) by smtp.gmail.com with ESMTPSA id me18sm133366pjb.33.2021.10.13.10.33.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 13 Oct 2021 10:33:21 -0700 (PDT) From: "Bret Barkelew" X-Google-Original-From: "brbarkel@microsoft.com" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Qi Zhang , Rahul Kumar Subject: [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib Date: Wed, 13 Oct 2021 10:33:09 -0700 Message-Id: <20211013173309.1300-1-brbarkel@microsoft.com> X-Mailer: git-send-email 2.31.1.windows.1 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Used to provision and maintain certain HW-defined NV spaces. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2994 Signed-off-by: Bret Barkelew Reviewed-by: Jiewen Yao Cc: Jiewen Yao Cc: Jian J Wang Cc: Qi Zhang Cc: Rahul Kumar --- SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122 +++++++++++++++++= +++ SecurityPkg/Include/Library/Tpm2CommandLib.h | 22 ++++ 2 files changed, 144 insertions(+) diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityP= kg/Library/Tpm2CommandLib/Tpm2NVStorage.c index 87572de20164..275cb1683f51 100644 --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c @@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #define RC_NV_UndefineSpace_authHandle (TPM_RC_H + TPM_RC_1)=0D #define RC_NV_UndefineSpace_nvIndex (TPM_RC_H + TPM_RC_2)=0D =0D +#define RC_NV_UndefineSpaceSpecial_nvIndex (TPM_RC_H + TPM_RC_1)=0D +=0D #define RC_NV_Read_authHandle (TPM_RC_H + TPM_RC_1)=0D #define RC_NV_Read_nvIndex (TPM_RC_H + TPM_RC_2)=0D #define RC_NV_Read_size (TPM_RC_P + TPM_RC_1)=0D @@ -74,6 +76,20 @@ typedef struct { TPMS_AUTH_RESPONSE AuthSession;=0D } TPM2_NV_UNDEFINESPACE_RESPONSE;=0D =0D +typedef struct {=0D + TPM2_COMMAND_HEADER Header;=0D + TPMI_RH_NV_INDEX NvIndex;=0D + TPMI_RH_PLATFORM Platform;=0D + UINT32 AuthSessionSize;=0D + TPMS_AUTH_COMMAND AuthSession;=0D +} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;=0D +=0D +typedef struct {=0D + TPM2_RESPONSE_HEADER Header;=0D + UINT32 AuthSessionSize;=0D + TPMS_AUTH_RESPONSE AuthSession;=0D +} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;=0D +=0D typedef struct {=0D TPM2_COMMAND_HEADER Header;=0D TPMI_RH_NV_AUTH AuthHandle;=0D @@ -506,6 +522,112 @@ Done: return Status;=0D }=0D =0D +/**=0D + This command allows removal of a platform-created NV Index that has TPMA= _NV_POLICY_DELETE SET.=0D +=0D + @param[in] NvIndex The NV Index.=0D + @param[in] IndexAuthSession Auth session context for the Index auth/= policy=0D + @param[in] PlatAuthSession Auth session context for the Platform au= th/policy=0D +=0D + @retval EFI_SUCCESS Operation completed successfully.=0D + @retval EFI_NOT_FOUND The command was returned successfully, b= ut NvIndex is not found.=0D + @retval EFI_UNSUPPORTED Selected NvIndex does not support deleti= on through this call.=0D + @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current po= licy session.=0D + @retval EFI_INVALID_PARAMETER The command was unsuccessful.=0D + @retval EFI_DEVICE_ERROR The command was unsuccessful.=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +Tpm2NvUndefineSpaceSpecial (=0D + IN TPMI_RH_NV_INDEX NvIndex,=0D + IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,=0D + IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL=0D + )=0D +{=0D + EFI_STATUS Status;=0D + TPM2_NV_UNDEFINESPACESPECIAL_COMMAND SendBuffer;=0D + TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE RecvBuffer;=0D + UINT32 SendBufferSize;=0D + UINT32 RecvBufferSize;=0D + UINT8 *Buffer;=0D + UINT32 IndexAuthSize, PlatAuthSize;=0D + TPM_RC ResponseCode;=0D +=0D + //=0D + // Construct command=0D + //=0D + SendBuffer.Header.tag =3D SwapBytes16(TPM_ST_SESSIONS);=0D + SendBuffer.Header.commandCode =3D SwapBytes32(TPM_CC_NV_UndefineSpaceSpe= cial);=0D +=0D + SendBuffer.NvIndex =3D SwapBytes32 (NvIndex);=0D + SendBuffer.Platform =3D SwapBytes32 (TPM_RH_PLATFORM);=0D +=0D + //=0D + // Marshall the Auth Sessions for the two handles.=0D + Buffer =3D (UINT8 *)&SendBuffer.AuthSession;=0D + // IndexAuthSession=0D + IndexAuthSize =3D CopyAuthSessionCommand (IndexAuthSession, Buffer);=0D + Buffer +=3D IndexAuthSize;=0D + // PlatAuthSession=0D + PlatAuthSize =3D CopyAuthSessionCommand (PlatAuthSession, Buffer);=0D + Buffer +=3D PlatAuthSize;=0D + // AuthSessionSize=0D + SendBuffer.AuthSessionSize =3D SwapBytes32(IndexAuthSize + PlatAuthSize)= ;=0D +=0D + // Update total command size.=0D + SendBufferSize =3D (UINT32)(Buffer - (UINT8 *)&SendBuffer);=0D + SendBuffer.Header.paramSize =3D SwapBytes32 (SendBufferSize);=0D +=0D + //=0D + // send Tpm command=0D + //=0D + RecvBufferSize =3D sizeof (RecvBuffer);=0D + Status =3D Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &Rec= vBufferSize, (UINT8 *)&RecvBuffer);=0D + if (EFI_ERROR (Status)) {=0D + goto Done;=0D + }=0D +=0D + if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {=0D + DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize Erro= r - %x\n", RecvBufferSize));=0D + Status =3D EFI_DEVICE_ERROR;=0D + goto Done;=0D + }=0D +=0D + ResponseCode =3D SwapBytes32(RecvBuffer.Header.responseCode);=0D + if (ResponseCode !=3D TPM_RC_SUCCESS) {=0D + DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode - %x\n= ", SwapBytes32(RecvBuffer.Header.responseCode)));=0D + }=0D + switch (ResponseCode) {=0D + case TPM_RC_SUCCESS:=0D + // return data=0D + break;=0D + case TPM_RC_ATTRIBUTES:=0D + case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:=0D + Status =3D EFI_UNSUPPORTED;=0D + break;=0D + case TPM_RC_NV_AUTHORIZATION:=0D + Status =3D EFI_SECURITY_VIOLATION;=0D + break;=0D + case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: // TPM_RC_NV_DE= FINED:=0D + Status =3D EFI_NOT_FOUND;=0D + break;=0D + case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:=0D + Status =3D EFI_INVALID_PARAMETER;=0D + break;=0D + default:=0D + Status =3D EFI_DEVICE_ERROR;=0D + break;=0D + }=0D +=0D +Done:=0D + //=0D + // Clear AuthSession Content=0D + //=0D + ZeroMem (&SendBuffer, sizeof(SendBuffer));=0D + ZeroMem (&RecvBuffer, sizeof(RecvBuffer));=0D + return Status;=0D +}=0D +=0D /**=0D This command reads a value from an area in NV memory previously defined = by TPM2_NV_DefineSpace().=0D =0D diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h b/SecurityPkg/Inc= lude/Library/Tpm2CommandLib.h index ee8eb622951c..92967662ce96 100644 --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h @@ -364,6 +364,28 @@ Tpm2NvUndefineSpace ( IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL=0D );=0D =0D +/**=0D + This command allows removal of a platform-created NV Index that has TPMA= _NV_POLICY_DELETE SET.=0D +=0D + @param[in] NvIndex The NV Index.=0D + @param[in] IndexAuthSession Auth session context for the Index auth/= policy=0D + @param[in] PlatAuthSession Auth session context for the Platform au= th/policy=0D +=0D + @retval EFI_SUCCESS Operation completed successfully.=0D + @retval EFI_NOT_FOUND The command was returned successfully, b= ut NvIndex is not found.=0D + @retval EFI_UNSUPPORTED Selected NvIndex does not support deleti= on through this call.=0D + @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current po= licy session.=0D + @retval EFI_INVALID_PARAMETER The command was unsuccessful.=0D + @retval EFI_DEVICE_ERROR The command was unsuccessful.=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +Tpm2NvUndefineSpaceSpecial (=0D + IN TPMI_RH_NV_INDEX NvIndex,=0D + IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,=0D + IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL=0D + );=0D +=0D /**=0D This command reads a value from an area in NV memory previously defined = by TPM2_NV_DefineSpace().=0D =0D --=20 2.31.1.windows.1