* [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
@ 2023-12-04 8:50 chris.chiang
From: chris.chiang @ 2023-12-04 8:50 UTC (permalink / raw)
To: devel; +Cc: Chiang-Chris, Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong
From: Chiang-Chris <chris.chiang@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4612
Remove PeiDxeTpmPlatformHierarchyLib in Tcg/Library
Signed-off-by: Chiang-Chris <chris.chiang@intel.com>
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Eric Dong <eric.dong@intel.com>
---
Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc | 2 +-
Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc | 2 +-
Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc | 1 -
Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c | 266 --------------------
Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf | 45 ----
5 files changed, 2 insertions(+), 314 deletions(-)
diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
index 260f3b94c5..b469938823 100644
--- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
+++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
@@ -66,7 +66,7 @@
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
[LibraryClasses.common.DXE_DRIVER]
- TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
[LibraryClasses.common.DXE_SMM_DRIVER]
SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableLib.inf
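Review bot: the commit message ("Remove PeiDxeTpmPlatformHierarchyLib in Tcg/Library") does not say what takes the removed instance's place, while this hunk re-points TpmPlatformHierarchyLib for DXE_DRIVER modules at SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib. The message should state that the MinPlatformPkg copy is dropped in favour of the SecurityPkg instance and that the platform-visible behaviour (randomise platformAuth or disable the hierarchy) is expected to be unchanged, so platform owners who override this class in their own DSC know nothing changes for them.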
diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
index 595f0ee490..7afbb2900f 100644
--- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
+++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
@@ -52,7 +52,7 @@
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterPei.inf
HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.inf
- TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+ TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
FspMeasurementLib|IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/BaseFspMeasurementLib.inf
FspWrapperPlatformMultiPhaseLib|IntelFsp2WrapperPkg/Library/BaseFspWrapperPlatformMultiPhaseLibNull/BaseFspWrapperPlatformMultiPhaseLibNull.inf
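Review bot: the deleted .inf declared LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER, so this PEI-side remap only works if the SecurityPkg instance also supports PEIM at the edk2 submodule revision edk2-platforms pins. Worth confirming before merge, since a mismatch only shows up as a build failure for PEI consumers such as the CorePeiLib users, not for DXE.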
diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
index 087fa48dd0..ee5d211128 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
@@ -203,7 +203,6 @@
MinPlatformPkg/Test/TestPointStubDxe/TestPointStubDxe.inf
MinPlatformPkg/Test/TestPointDumpApp/TestPointDumpApp.inf
- MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
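Review bot: Tcg2PlatformPei.inf and Tcg2PlatformDxe.inf stay in [Components] directly below the removed line; if they link TpmPlatformHierarchyLib, MinPlatformPkg.dsc must still resolve that class now that the in-package instance is gone (through the Include/Dsc files this patch edits, or its own [LibraryClasses]), otherwise the package build breaks. A note in the commit message that MinPlatformPkg.dsc was built after this change would settle it.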
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
deleted file mode 100644
index 9812ab99ab..0000000000
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+++ /dev/null
@@ -1,266 +0,0 @@
-/** @file
- TPM Platform Hierarchy configuration library.
-
- This library provides functions for customizing the TPM's Platform Hierarchy
- Authorization Value (platformAuth) and Platform Hierarchy Authorization
- Policy (platformPolicy) can be defined through this function.
-
- Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
- Copyright (c) Microsoft Corporation.<BR>
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
- @par Specification Reference:
- https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
-**/
-
-#include <Uefi.h>
-
-#include <Library/BaseMemoryLib.h>
-#include <Library/DebugLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/PcdLib.h>
-#include <Library/RngLib.h>
-#include <Library/Tpm2CommandLib.h>
-#include <Library/Tpm2DeviceLib.h>
-
-//
-// The authorization value may be no larger than the digest produced by the hash
-// algorithm used for context integrity.
-//
-#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
-
-UINT16 mAuthSize;
-
-/**
- Generate high-quality entropy source through RDRAND.
-
- @param[in] Length Size of the buffer, in bytes, to fill with.
- @param[out] Entropy Pointer to the buffer to store the entropy data.
-
- @retval EFI_SUCCESS Entropy generation succeeded.
- @retval EFI_NOT_READY Failed to request random data.
-
-**/
-EFI_STATUS
-EFIAPI
-RdRandGenerateEntropy (
- IN UINTN Length,
- OUT UINT8 *Entropy
- )
-{
- EFI_STATUS Status;
- UINTN BlockCount;
- UINT64 Seed[2];
- UINT8 *Ptr;
-
- Status = EFI_NOT_READY;
- BlockCount = Length / 64;
- Ptr = (UINT8 *)Entropy;
-
- //
- // Generate high-quality seed for DRBG Entropy
- //
- while (BlockCount > 0) {
- Status = GetRandomNumber128 (Seed);
- if (EFI_ERROR (Status)) {
- return Status;
- }
- CopyMem (Ptr, Seed, 64);
-
- BlockCount--;
- Ptr = Ptr + 64;
- }
-
- //
- // Populate the remained data as request.
- //
- Status = GetRandomNumber128 (Seed);
- if (EFI_ERROR (Status)) {
- return Status;
- }
- CopyMem (Ptr, Seed, (Length % 64));
-
- return Status;
-}
-
-/**
- This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value
- and limits an authValue to being no larger than the largest digest produced by a TPM.
-
- @param[out] AuthSize Tpm2 Auth size
-
- @retval EFI_SUCCESS Auth size returned.
- @retval EFI_DEVICE_ERROR Can not return platform auth due to device error.
-
-**/
-EFI_STATUS
-EFIAPI
-GetAuthSize (
- OUT UINT16 *AuthSize
- )
-{
- EFI_STATUS Status;
- TPML_PCR_SELECTION Pcrs;
- UINTN Index;
- UINT16 DigestSize;
-
- Status = EFI_SUCCESS;
-
- while (mAuthSize == 0) {
-
- mAuthSize = SHA1_DIGEST_SIZE;
- ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
- Status = Tpm2GetCapabilityPcrs (&Pcrs);
-
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
- break;
- }
-
- DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
-
- for (Index = 0; Index < Pcrs.count; Index++) {
- DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
-
- switch (Pcrs.pcrSelections[Index].hash) {
- case TPM_ALG_SHA1:
- DigestSize = SHA1_DIGEST_SIZE;
- break;
- case TPM_ALG_SHA256:
- DigestSize = SHA256_DIGEST_SIZE;
- break;
- case TPM_ALG_SHA384:
- DigestSize = SHA384_DIGEST_SIZE;
- break;
- case TPM_ALG_SHA512:
- DigestSize = SHA512_DIGEST_SIZE;
- break;
- case TPM_ALG_SM3_256:
- DigestSize = SM3_256_DIGEST_SIZE;
- break;
- default:
- DigestSize = SHA1_DIGEST_SIZE;
- break;
- }
-
- if (DigestSize > mAuthSize) {
- mAuthSize = DigestSize;
- }
- }
- break;
- }
-
- *AuthSize = mAuthSize;
- return Status;
-}
-
-/**
- Set PlatformAuth to random value.
-**/
-VOID
-RandomizePlatformAuth (
- VOID
- )
-{
- EFI_STATUS Status;
- UINT16 AuthSize;
- UINT8 *Rand;
- UINTN RandSize;
- TPM2B_AUTH NewPlatformAuth;
-
- //
- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
- //
-
- GetAuthSize (&AuthSize);
-
- ZeroMem (NewPlatformAuth.buffer, AuthSize);
- NewPlatformAuth.size = AuthSize;
-
- //
- // Allocate one buffer to store random data.
- //
- RandSize = MAX_NEW_AUTHORIZATION_SIZE;
- Rand = AllocatePool (RandSize);
-
- RdRandGenerateEntropy (RandSize, Rand);
- CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
-
- FreePool (Rand);
-
- //
- // Send Tpm2HierarchyChangeAuth command with the new Auth value
- //
- Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
- DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
- ZeroMem (NewPlatformAuth.buffer, AuthSize);
- ZeroMem (Rand, RandSize);
-}
-
-/**
- Disable the TPM platform hierarchy.
-
- @retval EFI_SUCCESS The TPM was disabled successfully.
- @retval Others An error occurred attempting to disable the TPM platform hierarchy.
-
-**/
-EFI_STATUS
-DisableTpmPlatformHierarchy (
- VOID
- )
-{
- EFI_STATUS Status;
-
- // Make sure that we have use of the TPM.
- Status = Tpm2RequestUseTpm ();
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
- ASSERT_EFI_ERROR (Status);
- return Status;
- }
-
- // Let's do what we can to shut down the hierarchies.
-
- // Disable the PH NV.
- // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM parts have
- // been known to store the EK cert in the PH NV. If we disable it, the
- // EK cert will be unreadable.
-
- // Disable the PH.
- Status = Tpm2HierarchyControl (
- TPM_RH_PLATFORM, // AuthHandle
- NULL, // AuthSession
- TPM_RH_PLATFORM, // Hierarchy
- NO // State
- );
- DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH = %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
- ASSERT_EFI_ERROR (Status);
- }
-
- return Status;
-}
-
-/**
- This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
- and Platform Hierarchy Authorization Policy (platformPolicy)
-
-**/
-VOID
-EFIAPI
-ConfigureTpmPlatformHierarchy (
- )
-{
- if (PcdGetBool (PcdRandomizePlatformHierarchy)) {
- //
- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
- //
- RandomizePlatformAuth ();
- } else {
- //
- // Disable the hierarchy entirely (do not randomize it)
- //
- DisableTpmPlatformHierarchy ();
- }
-}
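Review bot: the deleted RandomizePlatformAuth () calls FreePool (Rand) and only afterwards ZeroMem (Rand, RandSize), i.e. it scrubs the random buffer through a pointer that has already been released, and RdRandGenerateEntropy () copies 64 bytes per block out of Seed, which is declared UINT64 Seed[2] (16 bytes), so most of each block is read past the end of the array; AllocatePool's result is also never NULL-checked. Retiring this copy is the right fix, but the commit message should say so, and it is worth checking that the SecurityPkg instance does not carry the same code, given that the comments here say the random value exists to avoid PlatformAuth being null.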
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
deleted file mode 100644
index b7a7fb0a08..0000000000
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+++ /dev/null
@@ -1,45 +0,0 @@
-### @file
-#
-# TPM Platform Hierarchy configuration library.
-#
-# This library provides functions for customizing the TPM's Platform Hierarchy
-# Authorization Value (platformAuth) and Platform Hierarchy Authorization
-# Policy (platformPolicy) can be defined through this function.
-#
-# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
-# Copyright (c) Microsoft Corporation.<BR>
-#
-# SPDX-License-Identifier: BSD-2-Clause-Patent
-#
-###
-
-[Defines]
- INF_VERSION = 0x00010005
- BASE_NAME = PeiDxeTpmPlatformHierarchyLib
- FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
- MODULE_TYPE = PEIM
- VERSION_STRING = 1.0
- LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
-
-[LibraryClasses]
- BaseLib
- BaseMemoryLib
- DebugLib
- MemoryAllocationLib
- PcdLib
- RngLib
- Tpm2CommandLib
- Tpm2DeviceLib
-
-[Packages]
- MdePkg/MdePkg.dec
- MdeModulePkg/MdeModulePkg.dec
- SecurityPkg/SecurityPkg.dec
- CryptoPkg/CryptoPkg.dec
- MinPlatformPkg/MinPlatformPkg.dec
-
-[Sources]
- PeiDxeTpmPlatformHierarchyLib.c
-
-[Pcd]
- gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
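Review bot: the deleted .inf consumed gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy, yet this patch touches neither MinPlatformPkg.dec nor any board DSC that sets the PCD. Either that MinPlatformPkg declaration is now dead and should go in a follow-up, or boards that set it to choose randomise-vs-disable need the setting moved to the token space the SecurityPkg instance reads; otherwise the choice silently falls back to that instance's default. Suggest calling this out in the commit message.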
--
2.43.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112056): https://edk2.groups.io/g/devel/message/112056
Mute This Topic: https://groups.io/mt/102974261/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
* Re: [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
From: Chiu, Chasel @ 2023-12-04 16:52 UTC (permalink / raw)
To: Chiang, Chris, devel@edk2.groups.io
Cc: Desimone, Nathaniel L, Gao, Liming, Dong, Eric
Reviewed-by: Chasel Chiu <chasel.chiu@intel.com>
Thanks,
Chasel
* Re: [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
From: Rodrigo Gonzalez del Cueto @ 2023-12-05 0:30 UTC (permalink / raw)
To: Chiu, Chasel, devel
Reviewed-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>
* Re: [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
From: Chiu, Chasel @ 2023-12-05 3:17 UTC (permalink / raw)
To: Chiang, Chris, devel@edk2.groups.io
Cc: Desimone, Nathaniel L, Gao, Liming, Dong, Eric
Patch pushed: https://github.com/tianocore/edk2-platforms/commit/f446fff05003f69a4396b2ec375301ecb5f63a2a
Thanks,
Chasel
> -----Original Message-----
> From: Chiang, Chris <chris.chiang@intel.com>
> Sent: Monday, December 4, 2023 12:51 AM
> To: devel@edk2.groups.io
> Cc: Chiang, Chris <chris.chiang@intel.com>; Chiu, Chasel
> <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>;
> Dong, Eric <eric.dong@intel.com>
> Subject: [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
>
> From: Chiang-Chris <chris.chiang@intel.com>
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4612
>
> Remove PeiDxeTpmPlatformHierarchyLib in Tcg/Library
> Signed-off-by: Chiang-Chris <chris.chiang@intel.com>
>
> Cc: Chasel Chiu <chasel.chiu@intel.com>
> Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Eric Dong <eric.dong@intel.com>
> ---
> Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> | 2 +-
> Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> | 2 +-
> Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> | 1 -
>
> Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/Pei
> DxeTpmPlatformHierarchyLib.c | 266 --------------------
>
> Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/Pei
> DxeTpmPlatformHierarchyLib.inf | 45 ----
> 5 files changed, 2 insertions(+), 314 deletions(-)
>
> diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> index 260f3b94c5..b469938823 100644
> --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> @@ -66,7 +66,7 @@
>
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
>
>
>
> [LibraryClasses.common.DXE_DRIVER]
>
> -
> TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierar
> chyLib/PeiDxeTpmPlatformHierarchyLib.inf
>
> +
> TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
>
>
>
> [LibraryClasses.common.DXE_SMM_DRIVER]
>
>
> SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableL
> ib.inf
>
> diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> index 595f0ee490..7afbb2900f 100644
> --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> @@ -52,7 +52,7 @@
>
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRoute
> rPei.inf
>
>
> HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRout
> erPei.inf
>
>
> Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg
> 2PhysicalPresenceLib.inf
>
> -
> TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierar
> chyLib/PeiDxeTpmPlatformHierarchyLib.inf
>
> +
> TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
>
>
>
>
> FspMeasurementLib|IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/Ba
> seFspMeasurementLib.inf
>
>
> FspWrapperPlatformMultiPhaseLib|IntelFsp2WrapperPkg/Library/BaseFspWrapp
> erPlatformMultiPhaseLibNull/BaseFspWrapperPlatformMultiPhaseLibNull.inf
>
> diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> index 087fa48dd0..ee5d211128 100644
> --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> @@ -203,7 +203,6 @@
> MinPlatformPkg/Test/TestPointStubDxe/TestPointStubDxe.inf
>
> MinPlatformPkg/Test/TestPointDumpApp/TestPointDumpApp.inf
>
>
>
> -
> MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatfor
> mHierarchyLib.inf
>
> MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
>
> MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
>
>
>
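Review bot: Dropping the library INF from [Components] is the right cleanup, but Tcg2PlatformPei and Tcg2PlatformDxe remain in the list, and if they are the consumers of TpmPlatformHierarchyLib they now link the SecurityPkg instance through the CorePeiLib/CoreDxeLib includes. The package-level MinPlatformPkg.dsc build is therefore the test that proves the swap is complete, and the commit message should state that it was run.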
> diff --git
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.c
> b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.c
> deleted file mode 100644
> index 9812ab99ab..0000000000
> ---
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.c
> +++ /dev/null
> @@ -1,266 +0,0 @@
> -/** @file
>
> - TPM Platform Hierarchy configuration library.
>
> -
>
> - This library provides functions for customizing the TPM's Platform Hierarchy
>
> - Authorization Value (platformAuth) and Platform Hierarchy Authorization
>
> - Policy (platformPolicy) can be defined through this function.
>
> -
>
> - Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>
> - Copyright (c) Microsoft Corporation.<BR>
>
> - SPDX-License-Identifier: BSD-2-Clause-Patent
>
> -
>
> - @par Specification Reference:
>
> - https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-
> guidance/
>
> -**/
>
> -
>
> -#include <Uefi.h>
>
> -
>
> -#include <Library/BaseMemoryLib.h>
>
> -#include <Library/DebugLib.h>
>
> -#include <Library/MemoryAllocationLib.h>
>
> -#include <Library/PcdLib.h>
>
> -#include <Library/RngLib.h>
>
> -#include <Library/Tpm2CommandLib.h>
>
> -#include <Library/Tpm2DeviceLib.h>
>
> -
>
> -//
>
> -// The authorization value may be no larger than the digest produced by the hash
>
> -// algorithm used for context integrity.
>
> -//
>
> -#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
>
> -
>
> -UINT16 mAuthSize;
>
> -
>
> -/**
>
> - Generate high-quality entropy source through RDRAND.
>
> -
>
> - @param[in] Length Size of the buffer, in bytes, to fill with.
>
> - @param[out] Entropy Pointer to the buffer to store the entropy data.
>
> -
>
> - @retval EFI_SUCCESS Entropy generation succeeded.
>
> - @retval EFI_NOT_READY Failed to request random data.
>
> -
>
> -**/
>
> -EFI_STATUS
>
> -EFIAPI
>
> -RdRandGenerateEntropy (
>
> - IN UINTN Length,
>
> - OUT UINT8 *Entropy
>
> - )
>
> -{
>
> - EFI_STATUS Status;
>
> - UINTN BlockCount;
>
> - UINT64 Seed[2];
>
> - UINT8 *Ptr;
>
> -
>
> - Status = EFI_NOT_READY;
>
> - BlockCount = Length / 64;
>
> - Ptr = (UINT8 *)Entropy;
>
> -
>
> - //
>
> - // Generate high-quality seed for DRBG Entropy
>
> - //
>
> - while (BlockCount > 0) {
>
> - Status = GetRandomNumber128 (Seed);
>
> - if (EFI_ERROR (Status)) {
>
> - return Status;
>
> - }
>
> - CopyMem (Ptr, Seed, 64);
>
> -
>
> - BlockCount--;
>
> - Ptr = Ptr + 64;
>
> - }
>
> -
>
> - //
>
> - // Populate the remained data as request.
>
> - //
>
> - Status = GetRandomNumber128 (Seed);
>
> - if (EFI_ERROR (Status)) {
>
> - return Status;
>
> - }
>
> - CopyMem (Ptr, Seed, (Length % 64));
>
> -
>
> - return Status;
>
> -}
>
> -
>
> -/**
>
> - This function returns the maximum size of TPM2B_AUTH; this structure is used
> for an authorization value
>
> - and limits an authValue to being no larger than the largest digest produced by a
> TPM.
>
> -
>
> - @param[out] AuthSize Tpm2 Auth size
>
> -
>
> - @retval EFI_SUCCESS Auth size returned.
>
> - @retval EFI_DEVICE_ERROR Can not return platform auth due to device
> error.
>
> -
>
> -**/
>
> -EFI_STATUS
>
> -EFIAPI
>
> -GetAuthSize (
>
> - OUT UINT16 *AuthSize
>
> - )
>
> -{
>
> - EFI_STATUS Status;
>
> - TPML_PCR_SELECTION Pcrs;
>
> - UINTN Index;
>
> - UINT16 DigestSize;
>
> -
>
> - Status = EFI_SUCCESS;
>
> -
>
> - while (mAuthSize == 0) {
>
> -
>
> - mAuthSize = SHA1_DIGEST_SIZE;
>
> - ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
>
> - Status = Tpm2GetCapabilityPcrs (&Pcrs);
>
> -
>
> - if (EFI_ERROR (Status)) {
>
> - DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
>
> - break;
>
> - }
>
> -
>
> - DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
>
> -
>
> - for (Index = 0; Index < Pcrs.count; Index++) {
>
> - DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
>
> -
>
> - switch (Pcrs.pcrSelections[Index].hash) {
>
> - case TPM_ALG_SHA1:
>
> - DigestSize = SHA1_DIGEST_SIZE;
>
> - break;
>
> - case TPM_ALG_SHA256:
>
> - DigestSize = SHA256_DIGEST_SIZE;
>
> - break;
>
> - case TPM_ALG_SHA384:
>
> - DigestSize = SHA384_DIGEST_SIZE;
>
> - break;
>
> - case TPM_ALG_SHA512:
>
> - DigestSize = SHA512_DIGEST_SIZE;
>
> - break;
>
> - case TPM_ALG_SM3_256:
>
> - DigestSize = SM3_256_DIGEST_SIZE;
>
> - break;
>
> - default:
>
> - DigestSize = SHA1_DIGEST_SIZE;
>
> - break;
>
> - }
>
> -
>
> - if (DigestSize > mAuthSize) {
>
> - mAuthSize = DigestSize;
>
> - }
>
> - }
>
> - break;
>
> - }
>
> -
>
> - *AuthSize = mAuthSize;
>
> - return Status;
>
> -}
>
> -
>
> -/**
>
> - Set PlatformAuth to random value.
>
> -**/
>
> -VOID
>
> -RandomizePlatformAuth (
>
> - VOID
>
> - )
>
> -{
>
> - EFI_STATUS Status;
>
> - UINT16 AuthSize;
>
> - UINT8 *Rand;
>
> - UINTN RandSize;
>
> - TPM2B_AUTH NewPlatformAuth;
>
> -
>
> - //
>
> - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth
> being null
>
> - //
>
> -
>
> - GetAuthSize (&AuthSize);
>
> -
>
> - ZeroMem (NewPlatformAuth.buffer, AuthSize);
>
> - NewPlatformAuth.size = AuthSize;
>
> -
>
> - //
>
> - // Allocate one buffer to store random data.
>
> - //
>
> - RandSize = MAX_NEW_AUTHORIZATION_SIZE;
>
> - Rand = AllocatePool (RandSize);
>
> -
>
> - RdRandGenerateEntropy (RandSize, Rand);
>
> - CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
>
> -
>
> - FreePool (Rand);
>
> -
>
> - //
>
> - // Send Tpm2HierarchyChangeAuth command with the new Auth value
>
> - //
>
> - Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL,
> &NewPlatformAuth);
>
> - DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
>
> - ZeroMem (NewPlatformAuth.buffer, AuthSize);
>
> - ZeroMem (Rand, RandSize);
>
> -}
>
> -
>
> -/**
>
> - Disable the TPM platform hierarchy.
>
> -
>
> - @retval EFI_SUCCESS The TPM was disabled successfully.
>
> - @retval Others An error occurred attempting to disable the TPM
> platform hierarchy.
>
> -
>
> -**/
>
> -EFI_STATUS
>
> -DisableTpmPlatformHierarchy (
>
> - VOID
>
> - )
>
> -{
>
> - EFI_STATUS Status;
>
> -
>
> - // Make sure that we have use of the TPM.
>
> - Status = Tpm2RequestUseTpm ();
>
> - if (EFI_ERROR (Status)) {
>
> - DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n",
> gEfiCallerBaseName, __FUNCTION__, Status));
>
> - ASSERT_EFI_ERROR (Status);
>
> - return Status;
>
> - }
>
> -
>
> - // Let's do what we can to shut down the hierarchies.
>
> -
>
> - // Disable the PH NV.
>
> - // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM
> parts have
>
> - // been known to store the EK cert in the PH NV. If we disable it, the
>
> - // EK cert will be unreadable.
>
> -
>
> - // Disable the PH.
>
> - Status = Tpm2HierarchyControl (
>
> - TPM_RH_PLATFORM, // AuthHandle
>
> - NULL, // AuthSession
>
> - TPM_RH_PLATFORM, // Hierarchy
>
> - NO // State
>
> - );
>
> - DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH = %r\n",
> gEfiCallerBaseName, __FUNCTION__, Status));
>
> - if (EFI_ERROR (Status)) {
>
> - DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n",
> gEfiCallerBaseName, __FUNCTION__, Status));
>
> - ASSERT_EFI_ERROR (Status);
>
> - }
>
> -
>
> - return Status;
>
> -}
>
> -
>
> -/**
>
> - This service defines the configuration of the Platform Hierarchy Authorization
> Value (platformAuth)
>
> - and Platform Hierarchy Authorization Policy (platformPolicy)
>
> -
>
> -**/
>
> -VOID
>
> -EFIAPI
>
> -ConfigureTpmPlatformHierarchy (
>
> - )
>
> -{
>
> - if (PcdGetBool (PcdRandomizePlatformHierarchy)) {
>
> - //
>
> - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth
> being null
>
> - //
>
> - RandomizePlatformAuth ();
>
> - } else {
>
> - //
>
> - // Disable the hierarchy entirely (do not randomize it)
>
> - //
>
> - DisableTpmPlatformHierarchy ();
>
> - }
>
> -}
>
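Review bot: Before the last in-tree copy of this code goes away, confirm that the SecurityPkg instance does not carry two defects visible in the deleted file. In RdRandGenerateEntropy, CopyMem (Ptr, Seed, 64) copies 64 bytes out of UINT64 Seed[2], a 16-byte buffer that GetRandomNumber128 fills once per iteration, so 48 bytes of every 64-byte block come from adjacent stack memory rather than from the RNG, and the caller in RandomizePlatformAuth ignores the function's return status. In RandomizePlatformAuth, ZeroMem (Rand, RandSize) runs after FreePool (Rand), writing into freed pool memory. Both matter for a routine whose whole purpose is to leave platformAuth unguessable; if the SecurityPkg copy has the same code, a follow-up there is warranted.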
> diff --git
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> deleted file mode 100644
> index b7a7fb0a08..0000000000
> ---
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -### @file
>
> -#
>
> -# TPM Platform Hierarchy configuration library.
>
> -#
>
> -# This library provides functions for customizing the TPM's Platform Hierarchy
>
> -# Authorization Value (platformAuth) and Platform Hierarchy Authorization
>
> -# Policy (platformPolicy) can be defined through this function.
>
> -#
>
> -# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
>
> -# Copyright (c) Microsoft Corporation.<BR>
>
> -#
>
> -# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> -#
>
> -###
>
> -
>
> -[Defines]
>
> - INF_VERSION = 0x00010005
>
> - BASE_NAME = PeiDxeTpmPlatformHierarchyLib
>
> - FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
>
> - MODULE_TYPE = PEIM
>
> - VERSION_STRING = 1.0
>
> - LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
>
> -
>
> -[LibraryClasses]
>
> - BaseLib
>
> - BaseMemoryLib
>
> - DebugLib
>
> - MemoryAllocationLib
>
> - PcdLib
>
> - RngLib
>
> - Tpm2CommandLib
>
> - Tpm2DeviceLib
>
> -
>
> -[Packages]
>
> - MdePkg/MdePkg.dec
>
> - MdeModulePkg/MdeModulePkg.dec
>
> - SecurityPkg/SecurityPkg.dec
>
> - CryptoPkg/CryptoPkg.dec
>
> - MinPlatformPkg/MinPlatformPkg.dec
>
> -
>
> -[Sources]
>
> - PeiDxeTpmPlatformHierarchyLib.c
>
> -
>
> -[Pcd]
>
> - gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
>
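Review bot: The [Pcd] section shows this library was the consumer of gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy, yet the patch leaves MinPlatformPkg.dec untouched and does not say whether the SecurityPkg instance reads this same token or one declared in its own token space. If it is a different PCD, board DSCs that currently set the MinPlatformPkg PCD will silently fall back to the replacement library's default choice between randomizing platformAuth and disabling the platform hierarchy, with no build error to flag the policy change. Suggest the commit message spell out the PCD mapping and, if the MinPlatformPkg PCD is now dead, note the follow-up to deprecate it.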
> --
> 2.43.0.windows.1
Thread overview: 4+ messages
2023-12-04 8:50 [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib chris.chiang
2023-12-04 16:52 ` Chiu, Chasel
2023-12-05 0:30 ` Rodrigo Gonzalez del Cueto
2023-12-05 3:17 ` Chiu, Chasel