From: chris.chiang@intel.com
To: devel@edk2.groups.io
Cc: Chiang-Chris, Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong
Subject: [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
Date: Mon, 4 Dec 2023 16:50:35 +0800
Message-ID: <20231204085035.1438-1-chris.chiang@intel.com>

From: Chiang-Chris

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4612

Remove PeiDxeTpmPlatformHierarchyLib in Tcg/Library

Signed-off-by: Chiang-Chris
Cc: Chasel Chiu
Cc: Nate DeSimone
Cc: Liming Gao
Cc: Eric Dong
---
 Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc | 2 +-
 Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc | 2 +-
 Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc | 1 -
 Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c | 266 --------------------
 Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf | 45 ----
 5 files changed, 2 insertions(+), 314 deletions(-)

diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc b/Pla= tform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc index 260f3b94c5..b469938823 100644 
--- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc @@ -66,7 +66,7 @@ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.in= f=0D =0D [LibraryClasses.common.DXE_DRIVER]=0D - TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHier= archyLib/PeiDxeTpmPlatformHierarchyLib.inf=0D + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLi= b/PeiDxeTpmPlatformHierarchyLib.inf=0D =0D [LibraryClasses.common.DXE_SMM_DRIVER]=0D SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableL= ib.inf=0D diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc b/Pla= tform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc index 595f0ee490..7afbb2900f 100644 --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc @@ -52,7 +52,7 @@ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRoute= rPei.inf=0D HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRou= terPei.inf=0D Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/P= eiTcg2PhysicalPresenceLib.inf=0D - TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHier= archyLib/PeiDxeTpmPlatformHierarchyLib.inf=0D + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLi= b/PeiDxeTpmPlatformHierarchyLib.inf=0D =0D FspMeasurementLib|IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/Base= FspMeasurementLib.inf=0D FspWrapperPlatformMultiPhaseLib|IntelFsp2WrapperPkg/Library/BaseFspWrapp= erPlatformMultiPhaseLibNull/BaseFspWrapperPlatformMultiPhaseLibNull.inf=0D diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/In= tel/MinPlatformPkg/MinPlatformPkg.dsc index 087fa48dd0..ee5d211128 100644 --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc 
@@ -203,7 +203,6 @@ MinPlatformPkg/Test/TestPointStubDxe/TestPointStubDxe.inf=0D MinPlatformPkg/Test/TestPointDumpApp/TestPointDumpApp.inf=0D =0D - MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatfo= rmHierarchyLib.inf=0D MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf=0D MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf=0D =0D diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHie= rarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/T= cg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c deleted file mode 100644 index 9812ab99ab..0000000000 --- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyL= ib/PeiDxeTpmPlatformHierarchyLib.c +++ /dev/null @@ -1,266 +0,0 @@ -/** @file=0D - TPM Platform Hierarchy configuration library.=0D -=0D - This library provides functions for customizing the TPM's Platform Hie= rarchy=0D - Authorization Value (platformAuth) and Platform Hierarchy Authorizatio= n=0D - Policy (platformPolicy) can be defined through this function.=0D -=0D - Copyright (c) 2019, Intel Corporation. All rights reserved.
=0D - Copyright (c) Microsoft Corporation.
=0D - SPDX-License-Identifier: BSD-2-Clause-Patent=0D -=0D - @par Specification Reference:=0D - https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-g= uidance/=0D -**/=0D -=0D -#include =0D -=0D -#include =0D -#include =0D -#include =0D -#include =0D -#include =0D -#include =0D -#include =0D -=0D -//=0D -// The authorization value may be no larger than the digest produced by th= e hash=0D -// algorithm used for context integrity.=0D -//=0D -#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE=0D -=0D -UINT16 mAuthSize;=0D -=0D -/**=0D - Generate high-quality entropy source through RDRAND.=0D -=0D - @param[in] Length Size of the buffer, in bytes, to fill with.=0D - @param[out] Entropy Pointer to the buffer to store the entropy da= ta.=0D -=0D - @retval EFI_SUCCESS Entropy generation succeeded.=0D - @retval EFI_NOT_READY Failed to request random data.=0D -=0D -**/=0D -EFI_STATUS=0D -EFIAPI=0D -RdRandGenerateEntropy (=0D - IN UINTN Length,=0D - OUT UINT8 *Entropy=0D - )=0D -{=0D - EFI_STATUS Status;=0D - UINTN BlockCount;=0D - UINT64 Seed[2];=0D - UINT8 *Ptr;=0D -=0D - Status =3D EFI_NOT_READY;=0D - BlockCount =3D Length / 64;=0D - Ptr =3D (UINT8 *)Entropy;=0D -=0D - //=0D - // Generate high-quality seed for DRBG Entropy=0D - //=0D - while (BlockCount > 0) {=0D - Status =3D GetRandomNumber128 (Seed);=0D - if (EFI_ERROR (Status)) {=0D - return Status;=0D - }=0D - CopyMem (Ptr, Seed, 64);=0D -=0D - BlockCount--;=0D - Ptr =3D Ptr + 64;=0D - }=0D -=0D - //=0D - // Populate the remained data as request.=0D - //=0D - Status =3D GetRandomNumber128 (Seed);=0D - if (EFI_ERROR (Status)) {=0D - return Status;=0D - }=0D - CopyMem (Ptr, Seed, (Length % 64));=0D -=0D - return Status;=0D -}=0D -=0D -/**=0D - This function returns the maximum size of TPM2B_AUTH; this structure is = used for an authorization value=0D - and limits an authValue to being no larger than the largest digest produ= ced by a TPM.=0D -=0D - @param[out] AuthSize Tpm2 Auth size=0D -=0D - 
@retval EFI_SUCCESS Auth size returned.=0D - @retval EFI_DEVICE_ERROR Can not return platform auth due to= device error.=0D -=0D -**/=0D -EFI_STATUS=0D -EFIAPI=0D -GetAuthSize (=0D - OUT UINT16 *AuthSize=0D - )=0D -{=0D - EFI_STATUS Status;=0D - TPML_PCR_SELECTION Pcrs;=0D - UINTN Index;=0D - UINT16 DigestSize;=0D -=0D - Status =3D EFI_SUCCESS;=0D -=0D - while (mAuthSize =3D=3D 0) {=0D -=0D - mAuthSize =3D SHA1_DIGEST_SIZE;=0D - ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));=0D - Status =3D Tpm2GetCapabilityPcrs (&Pcrs);=0D -=0D - if (EFI_ERROR (Status)) {=0D - DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));=0D - break;=0D - }=0D -=0D - DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));=0D -=0D - for (Index =3D 0; Index < Pcrs.count; Index++) {=0D - DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));= =0D -=0D - switch (Pcrs.pcrSelections[Index].hash) {=0D - case TPM_ALG_SHA1:=0D - DigestSize =3D SHA1_DIGEST_SIZE;=0D - break;=0D - case TPM_ALG_SHA256:=0D - DigestSize =3D SHA256_DIGEST_SIZE;=0D - break;=0D - case TPM_ALG_SHA384:=0D - DigestSize =3D SHA384_DIGEST_SIZE;=0D - break;=0D - case TPM_ALG_SHA512:=0D - DigestSize =3D SHA512_DIGEST_SIZE;=0D - break;=0D - case TPM_ALG_SM3_256:=0D - DigestSize =3D SM3_256_DIGEST_SIZE;=0D - break;=0D - default:=0D - DigestSize =3D SHA1_DIGEST_SIZE;=0D - break;=0D - }=0D -=0D - if (DigestSize > mAuthSize) {=0D - mAuthSize =3D DigestSize;=0D - }=0D - }=0D - break;=0D - }=0D -=0D - *AuthSize =3D mAuthSize;=0D - return Status;=0D -}=0D -=0D -/**=0D - Set PlatformAuth to random value.=0D -**/=0D -VOID=0D -RandomizePlatformAuth (=0D - VOID=0D - )=0D -{=0D - EFI_STATUS Status;=0D - UINT16 AuthSize;=0D - UINT8 *Rand;=0D - UINTN RandSize;=0D - TPM2B_AUTH NewPlatformAuth;=0D -=0D - //=0D - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth= being null=0D - //=0D -=0D - GetAuthSize (&AuthSize);=0D -=0D - ZeroMem (NewPlatformAuth.buffer, AuthSize);=0D - NewPlatformAuth.size =3D 
AuthSize;=0D -=0D - //=0D - // Allocate one buffer to store random data.=0D - //=0D - RandSize =3D MAX_NEW_AUTHORIZATION_SIZE;=0D - Rand =3D AllocatePool (RandSize);=0D -=0D - RdRandGenerateEntropy (RandSize, Rand);=0D - CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);=0D -=0D - FreePool (Rand);=0D -=0D - //=0D - // Send Tpm2HierarchyChangeAuth command with the new Auth value=0D - //=0D - Status =3D Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformA= uth);=0D - DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));= =0D - ZeroMem (NewPlatformAuth.buffer, AuthSize);=0D - ZeroMem (Rand, RandSize);=0D -}=0D -=0D -/**=0D - Disable the TPM platform hierarchy.=0D -=0D - @retval EFI_SUCCESS The TPM was disabled successfully.=0D - @retval Others An error occurred attempting to disable the = TPM platform hierarchy.=0D -=0D -**/=0D -EFI_STATUS=0D -DisableTpmPlatformHierarchy (=0D - VOID=0D - )=0D -{=0D - EFI_STATUS Status;=0D -=0D - // Make sure that we have use of the TPM.=0D - Status =3D Tpm2RequestUseTpm ();=0D - if (EFI_ERROR (Status)) {=0D - DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiC= allerBaseName, __FUNCTION__, Status));=0D - ASSERT_EFI_ERROR (Status);=0D - return Status;=0D - }=0D -=0D - // Let's do what we can to shut down the hierarchies.=0D -=0D - // Disable the PH NV.=0D - // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TP= M parts have=0D - // been known to store the EK cert in the PH NV. If we d= isable it, the=0D - // EK cert will be unreadable.=0D -=0D - // Disable the PH.=0D - Status =3D Tpm2HierarchyControl (=0D - TPM_RH_PLATFORM, // AuthHandle=0D - NULL, // AuthSession=0D - TPM_RH_PLATFORM, // Hierarchy=0D - NO // State=0D - );=0D - DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH =3D %r\n", gEfiCallerBaseN= ame, __FUNCTION__, Status));=0D - if (EFI_ERROR (Status)) {=0D - DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! 
%r\n", gEfiCallerB= aseName, __FUNCTION__, Status));=0D - ASSERT_EFI_ERROR (Status);=0D - }=0D -=0D - return Status;=0D -}=0D -=0D -/**=0D - This service defines the configuration of the Platform Hierarchy Author= ization Value (platformAuth)=0D - and Platform Hierarchy Authorization Policy (platformPolicy)=0D -=0D -**/=0D -VOID=0D -EFIAPI=0D -ConfigureTpmPlatformHierarchy (=0D - )=0D -{=0D - if (PcdGetBool (PcdRandomizePlatformHierarchy)) {=0D - //=0D - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAu= th being null=0D - //=0D - RandomizePlatformAuth ();=0D - } else {=0D - //=0D - // Disable the hierarchy entirely (do not randomize it)=0D - //=0D - DisableTpmPlatformHierarchy ();=0D - }=0D -}=0D diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHie= rarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/Platform/Intel/MinPlatformPkg= /Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf deleted file mode 100644 index b7a7fb0a08..0000000000 --- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyL= ib/PeiDxeTpmPlatformHierarchyLib.inf +++ /dev/null @@ -1,45 +0,0 @@ -### @file=0D -#=0D -# TPM Platform Hierarchy configuration library.=0D -#=0D -# This library provides functions for customizing the TPM's Platform Hie= rarchy=0D -# Authorization Value (platformAuth) and Platform Hierarchy Authorizatio= n=0D -# Policy (platformPolicy) can be defined through this function.=0D -#=0D -# Copyright (c) 2019, Intel Corporation. All rights reserved.
=0D -# Copyright (c) Microsoft Corporation.
=0D -#=0D -# SPDX-License-Identifier: BSD-2-Clause-Patent=0D -#=0D -###=0D -=0D -[Defines]=0D - INF_VERSION =3D 0x00010005=0D - BASE_NAME =3D PeiDxeTpmPlatformHierarchyLib=0D - FILE_GUID =3D 7794F92C-4E8E-4E57-9E4A-49A0764C7D73= =0D - MODULE_TYPE =3D PEIM=0D - VERSION_STRING =3D 1.0=0D - LIBRARY_CLASS =3D TpmPlatformHierarchyLib|PEIM DXE_DRIV= ER=0D -=0D -[LibraryClasses]=0D - BaseLib=0D - BaseMemoryLib=0D - DebugLib=0D - MemoryAllocationLib=0D - PcdLib=0D - RngLib=0D - Tpm2CommandLib=0D - Tpm2DeviceLib=0D -=0D -[Packages]=0D - MdePkg/MdePkg.dec=0D - MdeModulePkg/MdeModulePkg.dec=0D - SecurityPkg/SecurityPkg.dec=0D - CryptoPkg/CryptoPkg.dec=0D - MinPlatformPkg/MinPlatformPkg.dec=0D -=0D -[Sources]=0D - PeiDxeTpmPlatformHierarchyLib.c=0D -=0D -[Pcd]=0D - gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy=0D --=20 2.43.0.windows.1

View/Reply Online (#112056): https://edk2.groups.io/g/devel/message/112056
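Review bot: the commit message ("Remove PeiDxeTpmPlatformHierarchyLib in Tcg/Library") does not say why the MinPlatformPkg copy is redundant or that SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf is its intended successor, yet that substitution is the only thing the CoreDxeLib.dsc hunk changes under [LibraryClasses.common.DXE_DRIVER]. Suggest the message name the SecurityPkg instance as the replacement and state which MinPlatform board(s) were built and booted with the new DXE mapping, so reviewers can tell this is a consolidation rather than a behaviour change in how platformAuth is configured.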
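Review bot: the CorePeiLib.dsc hunk maps TpmPlatformHierarchyLib for PEI to the SecurityPkg instance, but the patch never shows that INF, and the deleted INF below declares `LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER`. Please confirm, and say in the commit message, that the SecurityPkg INF supports PEIM as well as DXE_DRIVER and that a PEI build of a MinPlatform board links against it; otherwise this hunk breaks the PEI phase while the DXE hunk still builds.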
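Review bot: the deleted PeiDxeTpmPlatformHierarchyLib.c contains defects that should not be carried into whatever replaces it, so please confirm the SecurityPkg instance does not share them: `RdRandGenerateEntropy` declares `UINT64 Seed[2]` (16 bytes) yet does `CopyMem (Ptr, Seed, 64)` per block, reading 48 bytes past the array for the 64-byte `MAX_NEW_AUTHORIZATION_SIZE` request; `RandomizePlatformAuth` discards the status of `RdRandGenerateEntropy (RandSize, Rand)`, so an RNG failure sends a zero-filled buffer as the new platformAuth; and it calls `ZeroMem (Rand, RandSize)` after `FreePool (Rand)`. If the SecurityPkg copy was derived from this file, a line in the commit message that these were fixed there (or a Bugzilla follow-up) would help.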
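Review bot: the deleted INF's [Pcd] section is the only consumer of `gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy` visible in this patch, and the diffstat lists no MinPlatformPkg.dec change, so the PCD stays declared with nothing in the package reading it. Suggest stating whether the SecurityPkg replacement honours this same PCD or a different one; a platform .dsc that still sets the MinPlatformPkg PCD to choose between randomizing and disabling the platform hierarchy would get no build error yet might silently lose that choice, which is a security-relevant default to lose unnoticed.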