public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
@ 2023-12-04  8:50 chris.chiang
  2023-12-04 16:52 ` Chiu, Chasel
  2023-12-05  3:17 ` Chiu, Chasel
  0 siblings, 2 replies; 4+ messages in thread
From: chris.chiang @ 2023-12-04  8:50 UTC (permalink / raw)
  To: devel; +Cc: Chiang-Chris, Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong

From: Chiang-Chris <chris.chiang@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4612

Remove PeiDxeTpmPlatformHierarchyLib in Tcg/Library
Signed-off-by: Chiang-Chris <chris.chiang@intel.com>

Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Eric Dong <eric.dong@intel.com>
---
 Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc                                                  |   2 +-
 Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc                                                  |   2 +-
 Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc                                                          |   1 -
 Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c   | 266 --------------------
 Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf |  45 ----
 5 files changed, 2 insertions(+), 314 deletions(-)

diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
index 260f3b94c5..b469938823 100644
--- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
+++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
@@ -66,7 +66,7 @@
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
 
 [LibraryClasses.common.DXE_DRIVER]
-  TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+  TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 
 [LibraryClasses.common.DXE_SMM_DRIVER]
   SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableLib.inf
diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
index 595f0ee490..7afbb2900f 100644
--- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
+++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
@@ -52,7 +52,7 @@
   Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRouterPei.inf
   HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterPei.inf
   Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.inf
-  TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+  TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 
   FspMeasurementLib|IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/BaseFspMeasurementLib.inf
   FspWrapperPlatformMultiPhaseLib|IntelFsp2WrapperPkg/Library/BaseFspWrapperPlatformMultiPhaseLibNull/BaseFspWrapperPlatformMultiPhaseLibNull.inf
diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
index 087fa48dd0..ee5d211128 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
@@ -203,7 +203,6 @@
   MinPlatformPkg/Test/TestPointStubDxe/TestPointStubDxe.inf
   MinPlatformPkg/Test/TestPointDumpApp/TestPointDumpApp.inf
 
-  MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
   MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
   MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
 
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
deleted file mode 100644
index 9812ab99ab..0000000000
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
+++ /dev/null
@@ -1,266 +0,0 @@
-/** @file
-    TPM Platform Hierarchy configuration library.
-
-    This library provides functions for customizing the TPM's Platform Hierarchy
-    Authorization Value (platformAuth) and Platform Hierarchy Authorization
-    Policy (platformPolicy) can be defined through this function.
-
-    Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
-    Copyright (c) Microsoft Corporation.<BR>
-    SPDX-License-Identifier: BSD-2-Clause-Patent
-
-    @par Specification Reference:
-    https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
-**/
-
-#include <Uefi.h>
-
-#include <Library/BaseMemoryLib.h>
-#include <Library/DebugLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/PcdLib.h>
-#include <Library/RngLib.h>
-#include <Library/Tpm2CommandLib.h>
-#include <Library/Tpm2DeviceLib.h>
-
-//
-// The authorization value may be no larger than the digest produced by the hash
-//   algorithm used for context integrity.
-//
-#define      MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
-
-UINT16       mAuthSize;
-
-/**
-  Generate high-quality entropy source through RDRAND.
-
-  @param[in]   Length        Size of the buffer, in bytes, to fill with.
-  @param[out]  Entropy       Pointer to the buffer to store the entropy data.
-
-  @retval EFI_SUCCESS        Entropy generation succeeded.
-  @retval EFI_NOT_READY      Failed to request random data.
-
-**/
-EFI_STATUS
-EFIAPI
-RdRandGenerateEntropy (
-  IN UINTN         Length,
-  OUT UINT8        *Entropy
-  )
-{
-  EFI_STATUS  Status;
-  UINTN       BlockCount;
-  UINT64      Seed[2];
-  UINT8       *Ptr;
-
-  Status = EFI_NOT_READY;
-  BlockCount = Length / 64;
-  Ptr = (UINT8 *)Entropy;
-
-  //
-  // Generate high-quality seed for DRBG Entropy
-  //
-  while (BlockCount > 0) {
-    Status = GetRandomNumber128 (Seed);
-    if (EFI_ERROR (Status)) {
-      return Status;
-    }
-    CopyMem (Ptr, Seed, 64);
-
-    BlockCount--;
-    Ptr = Ptr + 64;
-  }
-
-  //
-  // Populate the remained data as request.
-  //
-  Status = GetRandomNumber128 (Seed);
-  if (EFI_ERROR (Status)) {
-    return Status;
-  }
-  CopyMem (Ptr, Seed, (Length % 64));
-
-  return Status;
-}
-
-/**
-  This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value
-  and limits an authValue to being no larger than the largest digest produced by a TPM.
-
-  @param[out] AuthSize                 Tpm2 Auth size
-
-  @retval EFI_SUCCESS                  Auth size returned.
-  @retval EFI_DEVICE_ERROR             Can not return platform auth due to device error.
-
-**/
-EFI_STATUS
-EFIAPI
-GetAuthSize (
-  OUT UINT16            *AuthSize
-  )
-{
-  EFI_STATUS            Status;
-  TPML_PCR_SELECTION    Pcrs;
-  UINTN                 Index;
-  UINT16                DigestSize;
-
-  Status = EFI_SUCCESS;
-
-  while (mAuthSize == 0) {
-
-    mAuthSize = SHA1_DIGEST_SIZE;
-    ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
-    Status = Tpm2GetCapabilityPcrs (&Pcrs);
-
-    if (EFI_ERROR (Status)) {
-      DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
-      break;
-    }
-
-    DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
-
-    for (Index = 0; Index < Pcrs.count; Index++) {
-      DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
-
-      switch (Pcrs.pcrSelections[Index].hash) {
-      case TPM_ALG_SHA1:
-        DigestSize = SHA1_DIGEST_SIZE;
-        break;
-      case TPM_ALG_SHA256:
-        DigestSize = SHA256_DIGEST_SIZE;
-        break;
-      case TPM_ALG_SHA384:
-        DigestSize = SHA384_DIGEST_SIZE;
-        break;
-      case TPM_ALG_SHA512:
-        DigestSize = SHA512_DIGEST_SIZE;
-        break;
-      case TPM_ALG_SM3_256:
-        DigestSize = SM3_256_DIGEST_SIZE;
-        break;
-      default:
-        DigestSize = SHA1_DIGEST_SIZE;
-        break;
-      }
-
-      if (DigestSize > mAuthSize) {
-        mAuthSize = DigestSize;
-      }
-    }
-    break;
-  }
-
-  *AuthSize = mAuthSize;
-  return Status;
-}
-
-/**
-  Set PlatformAuth to random value.
-**/
-VOID
-RandomizePlatformAuth (
-  VOID
-  )
-{
-  EFI_STATUS                        Status;
-  UINT16                            AuthSize;
-  UINT8                             *Rand;
-  UINTN                             RandSize;
-  TPM2B_AUTH                        NewPlatformAuth;
-
-  //
-  // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
-  //
-
-  GetAuthSize (&AuthSize);
-
-  ZeroMem (NewPlatformAuth.buffer, AuthSize);
-  NewPlatformAuth.size = AuthSize;
-
-  //
-  // Allocate one buffer to store random data.
-  //
-  RandSize = MAX_NEW_AUTHORIZATION_SIZE;
-  Rand = AllocatePool (RandSize);
-
-  RdRandGenerateEntropy (RandSize, Rand);
-  CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
-
-  FreePool (Rand);
-
-  //
-  // Send Tpm2HierarchyChangeAuth command with the new Auth value
-  //
-  Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
-  DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
-  ZeroMem (NewPlatformAuth.buffer, AuthSize);
-  ZeroMem (Rand, RandSize);
-}
-
-/**
-  Disable the TPM platform hierarchy.
-
-  @retval   EFI_SUCCESS       The TPM was disabled successfully.
-  @retval   Others            An error occurred attempting to disable the TPM platform hierarchy.
-
-**/
-EFI_STATUS
-DisableTpmPlatformHierarchy (
-  VOID
-  )
-{
-  EFI_STATUS  Status;
-
-  // Make sure that we have use of the TPM.
-  Status = Tpm2RequestUseTpm ();
-  if (EFI_ERROR (Status)) {
-    DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
-    ASSERT_EFI_ERROR (Status);
-    return Status;
-  }
-
-  // Let's do what we can to shut down the hierarchies.
-
-  // Disable the PH NV.
-  // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM parts have
-  //                 been known to store the EK cert in the PH NV. If we disable it, the
-  //                 EK cert will be unreadable.
-
-  // Disable the PH.
-  Status =  Tpm2HierarchyControl (
-              TPM_RH_PLATFORM,     // AuthHandle
-              NULL,                // AuthSession
-              TPM_RH_PLATFORM,     // Hierarchy
-              NO                   // State
-              );
-  DEBUG ((DEBUG_VERBOSE, "%a:%a() -  Disable PH = %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
-  if (EFI_ERROR (Status)) {
-    DEBUG ((DEBUG_ERROR, "%a:%a() -  Disable PH Failed! %r\n", gEfiCallerBaseName, __FUNCTION__, Status));
-    ASSERT_EFI_ERROR (Status);
-  }
-
-  return Status;
-}
-
-/**
-   This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth)
-   and Platform Hierarchy Authorization Policy (platformPolicy)
-
-**/
-VOID
-EFIAPI
-ConfigureTpmPlatformHierarchy (
-  )
-{
-  if (PcdGetBool (PcdRandomizePlatformHierarchy)) {
-    //
-    // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null
-    //
-    RandomizePlatformAuth ();
-  } else {
-    //
-    // Disable the hierarchy entirely (do not randomize it)
-    //
-    DisableTpmPlatformHierarchy ();
-  }
-}
diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
deleted file mode 100644
index b7a7fb0a08..0000000000
--- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
+++ /dev/null
@@ -1,45 +0,0 @@
-### @file
-#
-#   TPM Platform Hierarchy configuration library.
-#
-#   This library provides functions for customizing the TPM's Platform Hierarchy
-#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
-#   Policy (platformPolicy) can be defined through this function.
-#
-# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
-# Copyright (c) Microsoft Corporation.<BR>
-#
-# SPDX-License-Identifier: BSD-2-Clause-Patent
-#
-###
-
-[Defines]
-  INF_VERSION                    = 0x00010005
-  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLib
-  FILE_GUID                      = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
-  MODULE_TYPE                    = PEIM
-  VERSION_STRING                 = 1.0
-  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
-
-[LibraryClasses]
-  BaseLib
-  BaseMemoryLib
-  DebugLib
-  MemoryAllocationLib
-  PcdLib
-  RngLib
-  Tpm2CommandLib
-  Tpm2DeviceLib
-
-[Packages]
-  MdePkg/MdePkg.dec
-  MdeModulePkg/MdeModulePkg.dec
-  SecurityPkg/SecurityPkg.dec
-  CryptoPkg/CryptoPkg.dec
-  MinPlatformPkg/MinPlatformPkg.dec
-
-[Sources]
-  PeiDxeTpmPlatformHierarchyLib.c
-
-[Pcd]
-  gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
-- 
2.43.0.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112056): https://edk2.groups.io/g/devel/message/112056
Mute This Topic: https://groups.io/mt/102974261/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
  2023-12-04  8:50 [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib chris.chiang
@ 2023-12-04 16:52 ` Chiu, Chasel
  2023-12-05  0:30   ` Rodrigo Gonzalez del Cueto
  2023-12-05  3:17 ` Chiu, Chasel
  1 sibling, 1 reply; 4+ messages in thread
From: Chiu, Chasel @ 2023-12-04 16:52 UTC (permalink / raw)
  To: Chiang, Chris, devel@edk2.groups.io
  Cc: Desimone, Nathaniel L, Gao, Liming, Dong, Eric


Reviewed-by: Chasel Chiu <chasel.chiu@intel.com>

Thanks,
Chasel



> -----Original Message-----
> From: Chiang, Chris <chris.chiang@intel.com>
> Sent: Monday, December 4, 2023 12:51 AM
> To: devel@edk2.groups.io
> Cc: Chiang, Chris <chris.chiang@intel.com>; Chiu, Chasel
> <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>;
> Dong, Eric <eric.dong@intel.com>
> Subject: [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
> 
> From: Chiang-Chris <chris.chiang@intel.com>
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4612
> 
> Remove PeiDxeTpmPlatformHierarchyLib in Tcg/Library
> Signed-off-by: Chiang-Chris <chris.chiang@intel.com>
> 
> Cc: Chasel Chiu <chasel.chiu@intel.com>
> Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Eric Dong <eric.dong@intel.com>
> ---
>  Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> |   2 +-
>  Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> |   2 +-
>  Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> |   1 -
> 
> Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/Pei
> DxeTpmPlatformHierarchyLib.c   | 266 --------------------
> 
> Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/Pei
> DxeTpmPlatformHierarchyLib.inf |  45 ----
>  5 files changed, 2 insertions(+), 314 deletions(-)
> 
> diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> index 260f3b94c5..b469938823 100644
> --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> @@ -66,7 +66,7 @@
> 
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
> 
> 
> 
>  [LibraryClasses.common.DXE_DRIVER]
> 
> -
> TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierar
> chyLib/PeiDxeTpmPlatformHierarchyLib.inf
> 
> +
> TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> 
> 
> 
>  [LibraryClasses.common.DXE_SMM_DRIVER]
> 
> 
> SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableL
> ib.inf
> 
> diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> index 595f0ee490..7afbb2900f 100644
> --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> @@ -52,7 +52,7 @@
> 
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRoute
> rPei.inf
> 
> 
> HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRout
> erPei.inf
> 
> 
> Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg
> 2PhysicalPresenceLib.inf
> 
> -
> TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierar
> chyLib/PeiDxeTpmPlatformHierarchyLib.inf
> 
> +
> TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> 
> 
> 
> 
> FspMeasurementLib|IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/Ba
> seFspMeasurementLib.inf
> 
> 
> FspWrapperPlatformMultiPhaseLib|IntelFsp2WrapperPkg/Library/BaseFspWrapp
> erPlatformMultiPhaseLibNull/BaseFspWrapperPlatformMultiPhaseLibNull.inf
> 
> diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> index 087fa48dd0..ee5d211128 100644
> --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> @@ -203,7 +203,6 @@
>    MinPlatformPkg/Test/TestPointStubDxe/TestPointStubDxe.inf
> 
>    MinPlatformPkg/Test/TestPointDumpApp/TestPointDumpApp.inf
> 
> 
> 
> -
> MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatfor
> mHierarchyLib.inf
> 
>    MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
> 
>    MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
> 
> 
> 
> diff --git
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.c
> b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.c
> deleted file mode 100644
> index 9812ab99ab..0000000000
> ---
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.c
> +++ /dev/null
> @@ -1,266 +0,0 @@
> -/** @file
> 
> -    TPM Platform Hierarchy configuration library.
> 
> -
> 
> -    This library provides functions for customizing the TPM's Platform Hierarchy
> 
> -    Authorization Value (platformAuth) and Platform Hierarchy Authorization
> 
> -    Policy (platformPolicy) can be defined through this function.
> 
> -
> 
> -    Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> 
> -    Copyright (c) Microsoft Corporation.<BR>
> 
> -    SPDX-License-Identifier: BSD-2-Clause-Patent
> 
> -
> 
> -    @par Specification Reference:
> 
> -    https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-
> guidance/
> 
> -**/
> 
> -
> 
> -#include <Uefi.h>
> 
> -
> 
> -#include <Library/BaseMemoryLib.h>
> 
> -#include <Library/DebugLib.h>
> 
> -#include <Library/MemoryAllocationLib.h>
> 
> -#include <Library/PcdLib.h>
> 
> -#include <Library/RngLib.h>
> 
> -#include <Library/Tpm2CommandLib.h>
> 
> -#include <Library/Tpm2DeviceLib.h>
> 
> -
> 
> -//
> 
> -// The authorization value may be no larger than the digest produced by the hash
> 
> -//   algorithm used for context integrity.
> 
> -//
> 
> -#define      MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
> 
> -
> 
> -UINT16       mAuthSize;
> 
> -
> 
> -/**
> 
> -  Generate high-quality entropy source through RDRAND.
> 
> -
> 
> -  @param[in]   Length        Size of the buffer, in bytes, to fill with.
> 
> -  @param[out]  Entropy       Pointer to the buffer to store the entropy data.
> 
> -
> 
> -  @retval EFI_SUCCESS        Entropy generation succeeded.
> 
> -  @retval EFI_NOT_READY      Failed to request random data.
> 
> -
> 
> -**/
> 
> -EFI_STATUS
> 
> -EFIAPI
> 
> -RdRandGenerateEntropy (
> 
> -  IN UINTN         Length,
> 
> -  OUT UINT8        *Entropy
> 
> -  )
> 
> -{
> 
> -  EFI_STATUS  Status;
> 
> -  UINTN       BlockCount;
> 
> -  UINT64      Seed[2];
> 
> -  UINT8       *Ptr;
> 
> -
> 
> -  Status = EFI_NOT_READY;
> 
> -  BlockCount = Length / 64;
> 
> -  Ptr = (UINT8 *)Entropy;
> 
> -
> 
> -  //
> 
> -  // Generate high-quality seed for DRBG Entropy
> 
> -  //
> 
> -  while (BlockCount > 0) {
> 
> -    Status = GetRandomNumber128 (Seed);
> 
> -    if (EFI_ERROR (Status)) {
> 
> -      return Status;
> 
> -    }
> 
> -    CopyMem (Ptr, Seed, 64);
> 
> -
> 
> -    BlockCount--;
> 
> -    Ptr = Ptr + 64;
> 
> -  }
> 
> -
> 
> -  //
> 
> -  // Populate the remained data as request.
> 
> -  //
> 
> -  Status = GetRandomNumber128 (Seed);
> 
> -  if (EFI_ERROR (Status)) {
> 
> -    return Status;
> 
> -  }
> 
> -  CopyMem (Ptr, Seed, (Length % 64));
> 
> -
> 
> -  return Status;
> 
> -}
> 
> -
> 
> -/**
> 
> -  This function returns the maximum size of TPM2B_AUTH; this structure is used
> for an authorization value
> 
> -  and limits an authValue to being no larger than the largest digest produced by a
> TPM.
> 
> -
> 
> -  @param[out] AuthSize                 Tpm2 Auth size
> 
> -
> 
> -  @retval EFI_SUCCESS                  Auth size returned.
> 
> -  @retval EFI_DEVICE_ERROR             Can not return platform auth due to device
> error.
> 
> -
> 
> -**/
> 
> -EFI_STATUS
> 
> -EFIAPI
> 
> -GetAuthSize (
> 
> -  OUT UINT16            *AuthSize
> 
> -  )
> 
> -{
> 
> -  EFI_STATUS            Status;
> 
> -  TPML_PCR_SELECTION    Pcrs;
> 
> -  UINTN                 Index;
> 
> -  UINT16                DigestSize;
> 
> -
> 
> -  Status = EFI_SUCCESS;
> 
> -
> 
> -  while (mAuthSize == 0) {
> 
> -
> 
> -    mAuthSize = SHA1_DIGEST_SIZE;
> 
> -    ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
> 
> -    Status = Tpm2GetCapabilityPcrs (&Pcrs);
> 
> -
> 
> -    if (EFI_ERROR (Status)) {
> 
> -      DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
> 
> -      break;
> 
> -    }
> 
> -
> 
> -    DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
> 
> -
> 
> -    for (Index = 0; Index < Pcrs.count; Index++) {
> 
> -      DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
> 
> -
> 
> -      switch (Pcrs.pcrSelections[Index].hash) {
> 
> -      case TPM_ALG_SHA1:
> 
> -        DigestSize = SHA1_DIGEST_SIZE;
> 
> -        break;
> 
> -      case TPM_ALG_SHA256:
> 
> -        DigestSize = SHA256_DIGEST_SIZE;
> 
> -        break;
> 
> -      case TPM_ALG_SHA384:
> 
> -        DigestSize = SHA384_DIGEST_SIZE;
> 
> -        break;
> 
> -      case TPM_ALG_SHA512:
> 
> -        DigestSize = SHA512_DIGEST_SIZE;
> 
> -        break;
> 
> -      case TPM_ALG_SM3_256:
> 
> -        DigestSize = SM3_256_DIGEST_SIZE;
> 
> -        break;
> 
> -      default:
> 
> -        DigestSize = SHA1_DIGEST_SIZE;
> 
> -        break;
> 
> -      }
> 
> -
> 
> -      if (DigestSize > mAuthSize) {
> 
> -        mAuthSize = DigestSize;
> 
> -      }
> 
> -    }
> 
> -    break;
> 
> -  }
> 
> -
> 
> -  *AuthSize = mAuthSize;
> 
> -  return Status;
> 
> -}
> 
> -
> 
> -/**
> 
> -  Set PlatformAuth to random value.
> 
> -**/
> 
> -VOID
> 
> -RandomizePlatformAuth (
> 
> -  VOID
> 
> -  )
> 
> -{
> 
> -  EFI_STATUS                        Status;
> 
> -  UINT16                            AuthSize;
> 
> -  UINT8                             *Rand;
> 
> -  UINTN                             RandSize;
> 
> -  TPM2B_AUTH                        NewPlatformAuth;
> 
> -
> 
> -  //
> 
> -  // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth
> being null
> 
> -  //
> 
> -
> 
> -  GetAuthSize (&AuthSize);
> 
> -
> 
> -  ZeroMem (NewPlatformAuth.buffer, AuthSize);
> 
> -  NewPlatformAuth.size = AuthSize;
> 
> -
> 
> -  //
> 
> -  // Allocate one buffer to store random data.
> 
> -  //
> 
> -  RandSize = MAX_NEW_AUTHORIZATION_SIZE;
> 
> -  Rand = AllocatePool (RandSize);
> 
> -
> 
> -  RdRandGenerateEntropy (RandSize, Rand);
> 
> -  CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
> 
> -
> 
> -  FreePool (Rand);
> 
> -
> 
> -  //
> 
> -  // Send Tpm2HierarchyChangeAuth command with the new Auth value
> 
> -  //
> 
> -  Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL,
> &NewPlatformAuth);
> 
> -  DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
> 
> -  ZeroMem (NewPlatformAuth.buffer, AuthSize);
> 
> -  ZeroMem (Rand, RandSize);
> 
> -}
> 
> -
> 
> -/**
> 
> -  Disable the TPM platform hierarchy.
> 
> -
> 
> -  @retval   EFI_SUCCESS       The TPM was disabled successfully.
> 
> -  @retval   Others            An error occurred attempting to disable the TPM
> platform hierarchy.
> 
> -
> 
> -**/
> 
> -EFI_STATUS
> 
> -DisableTpmPlatformHierarchy (
> 
> -  VOID
> 
> -  )
> 
> -{
> 
> -  EFI_STATUS  Status;
> 
> -
> 
> -  // Make sure that we have use of the TPM.
> 
> -  Status = Tpm2RequestUseTpm ();
> 
> -  if (EFI_ERROR (Status)) {
> 
> -    DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n",
> gEfiCallerBaseName, __FUNCTION__, Status));
> 
> -    ASSERT_EFI_ERROR (Status);
> 
> -    return Status;
> 
> -  }
> 
> -
> 
> -  // Let's do what we can to shut down the hierarchies.
> 
> -
> 
> -  // Disable the PH NV.
> 
> -  // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM
> parts have
> 
> -  //                 been known to store the EK cert in the PH NV. If we disable it, the
> 
> -  //                 EK cert will be unreadable.
> 
> -
> 
> -  // Disable the PH.
> 
> -  Status =  Tpm2HierarchyControl (
> 
> -              TPM_RH_PLATFORM,     // AuthHandle
> 
> -              NULL,                // AuthSession
> 
> -              TPM_RH_PLATFORM,     // Hierarchy
> 
> -              NO                   // State
> 
> -              );
> 
> -  DEBUG ((DEBUG_VERBOSE, "%a:%a() -  Disable PH = %r\n",
> gEfiCallerBaseName, __FUNCTION__, Status));
> 
> -  if (EFI_ERROR (Status)) {
> 
> -    DEBUG ((DEBUG_ERROR, "%a:%a() -  Disable PH Failed! %r\n",
> gEfiCallerBaseName, __FUNCTION__, Status));
> 
> -    ASSERT_EFI_ERROR (Status);
> 
> -  }
> 
> -
> 
> -  return Status;
> 
> -}
> 
> -
> 
> -/**
> 
> -   This service defines the configuration of the Platform Hierarchy Authorization
> Value (platformAuth)
> 
> -   and Platform Hierarchy Authorization Policy (platformPolicy)
> 
> -
> 
> -**/
> 
> -VOID
> 
> -EFIAPI
> 
> -ConfigureTpmPlatformHierarchy (
> 
> -  )
> 
> -{
> 
> -  if (PcdGetBool (PcdRandomizePlatformHierarchy)) {
> 
> -    //
> 
> -    // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth
> being null
> 
> -    //
> 
> -    RandomizePlatformAuth ();
> 
> -  } else {
> 
> -    //
> 
> -    // Disable the hierarchy entirely (do not randomize it)
> 
> -    //
> 
> -    DisableTpmPlatformHierarchy ();
> 
> -  }
> 
> -}
> 
> diff --git
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> deleted file mode 100644
> index b7a7fb0a08..0000000000
> ---
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -### @file
> 
> -#
> 
> -#   TPM Platform Hierarchy configuration library.
> 
> -#
> 
> -#   This library provides functions for customizing the TPM's Platform Hierarchy
> 
> -#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
> 
> -#   Policy (platformPolicy) can be defined through this function.
> 
> -#
> 
> -# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> 
> -# Copyright (c) Microsoft Corporation.<BR>
> 
> -#
> 
> -# SPDX-License-Identifier: BSD-2-Clause-Patent
> 
> -#
> 
> -###
> 
> -
> 
> -[Defines]
> 
> -  INF_VERSION                    = 0x00010005
> 
> -  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLib
> 
> -  FILE_GUID                      = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
> 
> -  MODULE_TYPE                    = PEIM
> 
> -  VERSION_STRING                 = 1.0
> 
> -  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
> 
> -
> 
> -[LibraryClasses]
> 
> -  BaseLib
> 
> -  BaseMemoryLib
> 
> -  DebugLib
> 
> -  MemoryAllocationLib
> 
> -  PcdLib
> 
> -  RngLib
> 
> -  Tpm2CommandLib
> 
> -  Tpm2DeviceLib
> 
> -
> 
> -[Packages]
> 
> -  MdePkg/MdePkg.dec
> 
> -  MdeModulePkg/MdeModulePkg.dec
> 
> -  SecurityPkg/SecurityPkg.dec
> 
> -  CryptoPkg/CryptoPkg.dec
> 
> -  MinPlatformPkg/MinPlatformPkg.dec
> 
> -
> 
> -[Sources]
> 
> -  PeiDxeTpmPlatformHierarchyLib.c
> 
> -
> 
> -[Pcd]
> 
> -  gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
> 
> --
> 2.43.0.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112048): https://edk2.groups.io/g/devel/message/112048
Mute This Topic: https://groups.io/mt/102974261/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
  2023-12-04 16:52 ` Chiu, Chasel
@ 2023-12-05  0:30   ` Rodrigo Gonzalez del Cueto
  0 siblings, 0 replies; 4+ messages in thread
From: Rodrigo Gonzalez del Cueto @ 2023-12-05  0:30 UTC (permalink / raw)
  To: Chiu, Chasel, devel

[-- Attachment #1: Type: text/plain, Size: 446 bytes --]

Reviewed-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112055): https://edk2.groups.io/g/devel/message/112055
Mute This Topic: https://groups.io/mt/102974261/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



[-- Attachment #2: Type: text/html, Size: 894 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
  2023-12-04  8:50 [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib chris.chiang
  2023-12-04 16:52 ` Chiu, Chasel
@ 2023-12-05  3:17 ` Chiu, Chasel
  1 sibling, 0 replies; 4+ messages in thread
From: Chiu, Chasel @ 2023-12-05  3:17 UTC (permalink / raw)
  To: Chiang, Chris, devel@edk2.groups.io
  Cc: Desimone, Nathaniel L, Gao, Liming, Dong, Eric


Patch pushed: https://github.com/tianocore/edk2-platforms/commit/f446fff05003f69a4396b2ec375301ecb5f63a2a

Thanks,
Chasel


> -----Original Message-----
> From: Chiang, Chris <chris.chiang@intel.com>
> Sent: Monday, December 4, 2023 12:51 AM
> To: devel@edk2.groups.io
> Cc: Chiang, Chris <chris.chiang@intel.com>; Chiu, Chasel
> <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>;
> Dong, Eric <eric.dong@intel.com>
> Subject: [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
> 
> From: Chiang-Chris <chris.chiang@intel.com>
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4612
> 
> Remove PeiDxeTpmPlatformHierarchyLib in Tcg/Library
> Signed-off-by: Chiang-Chris <chris.chiang@intel.com>
> 
> Cc: Chasel Chiu <chasel.chiu@intel.com>
> Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Eric Dong <eric.dong@intel.com>
> ---
>  Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> |   2 +-
>  Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> |   2 +-
>  Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> |   1 -
> 
> Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/Pei
> DxeTpmPlatformHierarchyLib.c   | 266 --------------------
> 
> Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/Pei
> DxeTpmPlatformHierarchyLib.inf |  45 ----
>  5 files changed, 2 insertions(+), 314 deletions(-)
> 
> diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> index 260f3b94c5..b469938823 100644
> --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc
> @@ -66,7 +66,7 @@
> 
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
> 
> 
> 
>  [LibraryClasses.common.DXE_DRIVER]
> 
> -
> TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierar
> chyLib/PeiDxeTpmPlatformHierarchyLib.inf
> 
> +
> TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> 
> 
> 
>  [LibraryClasses.common.DXE_SMM_DRIVER]
> 
> 
> SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableL
> ib.inf
> 
> diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> index 595f0ee490..7afbb2900f 100644
> --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc
> @@ -52,7 +52,7 @@
> 
> Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRoute
> rPei.inf
> 
> 
> HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRout
> erPei.inf
> 
> 
> Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg
> 2PhysicalPresenceLib.inf
> 
> -
> TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierar
> chyLib/PeiDxeTpmPlatformHierarchyLib.inf
> 
> +
> TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> 
> 
> 
> 
> FspMeasurementLib|IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/Ba
> seFspMeasurementLib.inf
> 
> 
> FspWrapperPlatformMultiPhaseLib|IntelFsp2WrapperPkg/Library/BaseFspWrapp
> erPlatformMultiPhaseLibNull/BaseFspWrapperPlatformMultiPhaseLibNull.inf
> 
> diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> index 087fa48dd0..ee5d211128 100644
> --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> @@ -203,7 +203,6 @@
>    MinPlatformPkg/Test/TestPointStubDxe/TestPointStubDxe.inf
> 
>    MinPlatformPkg/Test/TestPointDumpApp/TestPointDumpApp.inf
> 
> 
> 
> -
> MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatfor
> mHierarchyLib.inf
> 
>    MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf
> 
>    MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
> 
> 
> 
> diff --git
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.c
> b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.c
> deleted file mode 100644
> index 9812ab99ab..0000000000
> ---
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.c
> +++ /dev/null
> @@ -1,266 +0,0 @@
> -/** @file
> 
> -    TPM Platform Hierarchy configuration library.
> 
> -
> 
> -    This library provides functions for customizing the TPM's Platform Hierarchy
> 
> -    Authorization Value (platformAuth) and Platform Hierarchy Authorization
> 
> -    Policy (platformPolicy) can be defined through this function.
> 
> -
> 
> -    Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> 
> -    Copyright (c) Microsoft Corporation.<BR>
> 
> -    SPDX-License-Identifier: BSD-2-Clause-Patent
> 
> -
> 
> -    @par Specification Reference:
> 
> -    https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-
> guidance/
> 
> -**/
> 
> -
> 
> -#include <Uefi.h>
> 
> -
> 
> -#include <Library/BaseMemoryLib.h>
> 
> -#include <Library/DebugLib.h>
> 
> -#include <Library/MemoryAllocationLib.h>
> 
> -#include <Library/PcdLib.h>
> 
> -#include <Library/RngLib.h>
> 
> -#include <Library/Tpm2CommandLib.h>
> 
> -#include <Library/Tpm2DeviceLib.h>
> 
> -
> 
> -//
> 
> -// The authorization value may be no larger than the digest produced by the hash
> 
> -//   algorithm used for context integrity.
> 
> -//
> 
> -#define      MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
> 
> -
> 
> -UINT16       mAuthSize;
> 
> -
> 
> -/**
> 
> -  Generate high-quality entropy source through RDRAND.
> 
> -
> 
> -  @param[in]   Length        Size of the buffer, in bytes, to fill with.
> 
> -  @param[out]  Entropy       Pointer to the buffer to store the entropy data.
> 
> -
> 
> -  @retval EFI_SUCCESS        Entropy generation succeeded.
> 
> -  @retval EFI_NOT_READY      Failed to request random data.
> 
> -
> 
> -**/
> 
> -EFI_STATUS
> 
> -EFIAPI
> 
> -RdRandGenerateEntropy (
> 
> -  IN UINTN         Length,
> 
> -  OUT UINT8        *Entropy
> 
> -  )
> 
> -{
> 
> -  EFI_STATUS  Status;
> 
> -  UINTN       BlockCount;
> 
> -  UINT64      Seed[2];
> 
> -  UINT8       *Ptr;
> 
> -
> 
> -  Status = EFI_NOT_READY;
> 
> -  BlockCount = Length / 64;
> 
> -  Ptr = (UINT8 *)Entropy;
> 
> -
> 
> -  //
> 
> -  // Generate high-quality seed for DRBG Entropy
> 
> -  //
> 
> -  while (BlockCount > 0) {
> 
> -    Status = GetRandomNumber128 (Seed);
> 
> -    if (EFI_ERROR (Status)) {
> 
> -      return Status;
> 
> -    }
> 
> -    CopyMem (Ptr, Seed, 64);
> 
> -
> 
> -    BlockCount--;
> 
> -    Ptr = Ptr + 64;
> 
> -  }
> 
> -
> 
> -  //
> 
> -  // Populate the remained data as request.
> 
> -  //
> 
> -  Status = GetRandomNumber128 (Seed);
> 
> -  if (EFI_ERROR (Status)) {
> 
> -    return Status;
> 
> -  }
> 
> -  CopyMem (Ptr, Seed, (Length % 64));
> 
> -
> 
> -  return Status;
> 
> -}
> 
> -
> 
> -/**
> 
> -  This function returns the maximum size of TPM2B_AUTH; this structure is used
> for an authorization value
> 
> -  and limits an authValue to being no larger than the largest digest produced by a
> TPM.
> 
> -
> 
> -  @param[out] AuthSize                 Tpm2 Auth size
> 
> -
> 
> -  @retval EFI_SUCCESS                  Auth size returned.
> 
> -  @retval EFI_DEVICE_ERROR             Can not return platform auth due to device
> error.
> 
> -
> 
> -**/
> 
> -EFI_STATUS
> 
> -EFIAPI
> 
> -GetAuthSize (
> 
> -  OUT UINT16            *AuthSize
> 
> -  )
> 
> -{
> 
> -  EFI_STATUS            Status;
> 
> -  TPML_PCR_SELECTION    Pcrs;
> 
> -  UINTN                 Index;
> 
> -  UINT16                DigestSize;
> 
> -
> 
> -  Status = EFI_SUCCESS;
> 
> -
> 
> -  while (mAuthSize == 0) {
> 
> -
> 
> -    mAuthSize = SHA1_DIGEST_SIZE;
> 
> -    ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));
> 
> -    Status = Tpm2GetCapabilityPcrs (&Pcrs);
> 
> -
> 
> -    if (EFI_ERROR (Status)) {
> 
> -      DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
> 
> -      break;
> 
> -    }
> 
> -
> 
> -    DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));
> 
> -
> 
> -    for (Index = 0; Index < Pcrs.count; Index++) {
> 
> -      DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));
> 
> -
> 
> -      switch (Pcrs.pcrSelections[Index].hash) {
> 
> -      case TPM_ALG_SHA1:
> 
> -        DigestSize = SHA1_DIGEST_SIZE;
> 
> -        break;
> 
> -      case TPM_ALG_SHA256:
> 
> -        DigestSize = SHA256_DIGEST_SIZE;
> 
> -        break;
> 
> -      case TPM_ALG_SHA384:
> 
> -        DigestSize = SHA384_DIGEST_SIZE;
> 
> -        break;
> 
> -      case TPM_ALG_SHA512:
> 
> -        DigestSize = SHA512_DIGEST_SIZE;
> 
> -        break;
> 
> -      case TPM_ALG_SM3_256:
> 
> -        DigestSize = SM3_256_DIGEST_SIZE;
> 
> -        break;
> 
> -      default:
> 
> -        DigestSize = SHA1_DIGEST_SIZE;
> 
> -        break;
> 
> -      }
> 
> -
> 
> -      if (DigestSize > mAuthSize) {
> 
> -        mAuthSize = DigestSize;
> 
> -      }
> 
> -    }
> 
> -    break;
> 
> -  }
> 
> -
> 
> -  *AuthSize = mAuthSize;
> 
> -  return Status;
> 
> -}
> 
> -
> 
> -/**
> 
> -  Set PlatformAuth to random value.
> 
> -**/
> 
> -VOID
> 
> -RandomizePlatformAuth (
> 
> -  VOID
> 
> -  )
> 
> -{
> 
> -  EFI_STATUS                        Status;
> 
> -  UINT16                            AuthSize;
> 
> -  UINT8                             *Rand;
> 
> -  UINTN                             RandSize;
> 
> -  TPM2B_AUTH                        NewPlatformAuth;
> 
> -
> 
> -  //
> 
> -  // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth
> being null
> 
> -  //
> 
> -
> 
> -  GetAuthSize (&AuthSize);
> 
> -
> 
> -  ZeroMem (NewPlatformAuth.buffer, AuthSize);
> 
> -  NewPlatformAuth.size = AuthSize;
> 
> -
> 
> -  //
> 
> -  // Allocate one buffer to store random data.
> 
> -  //
> 
> -  RandSize = MAX_NEW_AUTHORIZATION_SIZE;
> 
> -  Rand = AllocatePool (RandSize);
> 
> -
> 
> -  RdRandGenerateEntropy (RandSize, Rand);
> 
> -  CopyMem (NewPlatformAuth.buffer, Rand, AuthSize);
> 
> -
> 
> -  FreePool (Rand);
> 
> -
> 
> -  //
> 
> -  // Send Tpm2HierarchyChangeAuth command with the new Auth value
> 
> -  //
> 
> -  Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL,
> &NewPlatformAuth);
> 
> -  DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
> 
> -  ZeroMem (NewPlatformAuth.buffer, AuthSize);
> 
> -  ZeroMem (Rand, RandSize);
> 
> -}
> 
> -
> 
> -/**
> 
> -  Disable the TPM platform hierarchy.
> 
> -
> 
> -  @retval   EFI_SUCCESS       The TPM was disabled successfully.
> 
> -  @retval   Others            An error occurred attempting to disable the TPM
> platform hierarchy.
> 
> -
> 
> -**/
> 
> -EFI_STATUS
> 
> -DisableTpmPlatformHierarchy (
> 
> -  VOID
> 
> -  )
> 
> -{
> 
> -  EFI_STATUS  Status;
> 
> -
> 
> -  // Make sure that we have use of the TPM.
> 
> -  Status = Tpm2RequestUseTpm ();
> 
> -  if (EFI_ERROR (Status)) {
> 
> -    DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n",
> gEfiCallerBaseName, __FUNCTION__, Status));
> 
> -    ASSERT_EFI_ERROR (Status);
> 
> -    return Status;
> 
> -  }
> 
> -
> 
> -  // Let's do what we can to shut down the hierarchies.
> 
> -
> 
> -  // Disable the PH NV.
> 
> -  // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TPM
> parts have
> 
> -  //                 been known to store the EK cert in the PH NV. If we disable it, the
> 
> -  //                 EK cert will be unreadable.
> 
> -
> 
> -  // Disable the PH.
> 
> -  Status =  Tpm2HierarchyControl (
> 
> -              TPM_RH_PLATFORM,     // AuthHandle
> 
> -              NULL,                // AuthSession
> 
> -              TPM_RH_PLATFORM,     // Hierarchy
> 
> -              NO                   // State
> 
> -              );
> 
> -  DEBUG ((DEBUG_VERBOSE, "%a:%a() -  Disable PH = %r\n",
> gEfiCallerBaseName, __FUNCTION__, Status));
> 
> -  if (EFI_ERROR (Status)) {
> 
> -    DEBUG ((DEBUG_ERROR, "%a:%a() -  Disable PH Failed! %r\n",
> gEfiCallerBaseName, __FUNCTION__, Status));
> 
> -    ASSERT_EFI_ERROR (Status);
> 
> -  }
> 
> -
> 
> -  return Status;
> 
> -}
> 
> -
> 
> -/**
> 
> -   This service defines the configuration of the Platform Hierarchy Authorization
> Value (platformAuth)
> 
> -   and Platform Hierarchy Authorization Policy (platformPolicy)
> 
> -
> 
> -**/
> 
> -VOID
> 
> -EFIAPI
> 
> -ConfigureTpmPlatformHierarchy (
> 
> -  )
> 
> -{
> 
> -  if (PcdGetBool (PcdRandomizePlatformHierarchy)) {
> 
> -    //
> 
> -    // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth
> being null
> 
> -    //
> 
> -    RandomizePlatformAuth ();
> 
> -  } else {
> 
> -    //
> 
> -    // Disable the hierarchy entirely (do not randomize it)
> 
> -    //
> 
> -    DisableTpmPlatformHierarchy ();
> 
> -  }
> 
> -}
> 
> diff --git
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> b/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> deleted file mode 100644
> index b7a7fb0a08..0000000000
> ---
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/P
> eiDxeTpmPlatformHierarchyLib.inf
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -### @file
> 
> -#
> 
> -#   TPM Platform Hierarchy configuration library.
> 
> -#
> 
> -#   This library provides functions for customizing the TPM's Platform Hierarchy
> 
> -#   Authorization Value (platformAuth) and Platform Hierarchy Authorization
> 
> -#   Policy (platformPolicy) can be defined through this function.
> 
> -#
> 
> -# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> 
> -# Copyright (c) Microsoft Corporation.<BR>
> 
> -#
> 
> -# SPDX-License-Identifier: BSD-2-Clause-Patent
> 
> -#
> 
> -###
> 
> -
> 
> -[Defines]
> 
> -  INF_VERSION                    = 0x00010005
> 
> -  BASE_NAME                      = PeiDxeTpmPlatformHierarchyLib
> 
> -  FILE_GUID                      = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73
> 
> -  MODULE_TYPE                    = PEIM
> 
> -  VERSION_STRING                 = 1.0
> 
> -  LIBRARY_CLASS                  = TpmPlatformHierarchyLib|PEIM DXE_DRIVER
> 
> -
> 
> -[LibraryClasses]
> 
> -  BaseLib
> 
> -  BaseMemoryLib
> 
> -  DebugLib
> 
> -  MemoryAllocationLib
> 
> -  PcdLib
> 
> -  RngLib
> 
> -  Tpm2CommandLib
> 
> -  Tpm2DeviceLib
> 
> -
> 
> -[Packages]
> 
> -  MdePkg/MdePkg.dec
> 
> -  MdeModulePkg/MdeModulePkg.dec
> 
> -  SecurityPkg/SecurityPkg.dec
> 
> -  CryptoPkg/CryptoPkg.dec
> 
> -  MinPlatformPkg/MinPlatformPkg.dec
> 
> -
> 
> -[Sources]
> 
> -  PeiDxeTpmPlatformHierarchyLib.c
> 
> -
> 
> -[Pcd]
> 
> -  gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy
> 
> --
> 2.43.0.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112061): https://edk2.groups.io/g/devel/message/112061
Mute This Topic: https://groups.io/mt/102974261/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2023-12-05  3:17 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-12-04  8:50 [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib chris.chiang
2023-12-04 16:52 ` Chiu, Chasel
2023-12-05  0:30   ` Rodrigo Gonzalez del Cueto
2023-12-05  3:17 ` Chiu, Chasel

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox