From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM10-BN7-obe.outbound.protection.outlook.com (NAM10-BN7-obe.outbound.protection.outlook.com [40.92.40.21]) by mx.groups.io with SMTP id smtpd.web08.28246.1628801950406926434 for ; Thu, 12 Aug 2021 13:59:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@outlook.com header.s=selector1 header.b=XS+8AFdg; spf=pass (domain: outlook.com, ip: 40.92.40.21, mailfrom: spbrogan@outlook.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=D/hdCRi3tSyZsg3RB0tvTsOskmQLdCqk3ldHCNm4GAbv8DafsfnwnzwSycK+3ADUs2zlG96/ku4I5kRIKkqjWs4pg21GFT2nNkYY62BdIKth6/Ai4/yX9K9kc01ftzWKJx08Z8iVElT8KiN41Tej27smhyj88enNpHqBfy8JDrAOvbcuuIO9xtouiaft3ZolmV/Rl0WWmhwDQh9Ywpe9jmzq7DNzIGLv46CC9rVt72CoAN/KgKDVrXe8GA5BItSOT/n7pTcLpBV0Gb2Ky/vUHhPRwrhzGaRUBNYACSd0iWzPbGW0IuhQUXt+Tf9VLo04JEtRdg1MTFGHO7AfjrAe8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8ae3jIlilJ9oG6IoUK3VKrx620h3TQXvcP2IJwAQHOE=; b=n3i4y3huvwWnVRCQ1G/ZwDokJB1g1S9GAly9tNtBziETXDwv5AMHBWlORTXKLMl1uYG3r5/jJDOf7DspoJCfcbQi19xI0KzFjrlK6pWCi38RaS4c6EolvWoGS7uoBNAy4jgnjWGgkdCCBajMCCwMoUzgKP+9JcuYrU2vn+8J9KP3U2BbDoTejO7fk4pATJ19UCaQnvW3INlLFkAZs3hyBiRV0a0t7YpN1i3cG7XXtjOxcH9cE+JGMBywBwJCcFyWVJMqZcUkRhc6JTwPvBxBojiIQvB+sYGJZ3ZXmVo0Ci1KyPopwH9AjWj94mmSZmSzWjORtmY0KcIDyjLnw0KSlg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8ae3jIlilJ9oG6IoUK3VKrx620h3TQXvcP2IJwAQHOE=; b=XS+8AFdg9qE+9NYqLh4kmHEX37ZqXsmBPVv6STGXbsPz+lTJ8yscTsn+Kkijuqqgwr/qHpa3OyPF0Lw4gnSLkKWF2lskQ4F2UUJIuGAT51F1p9xD8NYssUfXxh3qMggsuyPwLrTREyrD18ox04QjELT9X3ozQxBUNwdTL+66Vw/kKFS8w90fN9QC67P4Q5cu2uFAmcS8B9sY+8bh+6XRgSJSWmD91KeOuvb7+L+t9/T/rvgxHag2ZTYjMNfE/ig7+3nRBe4Cv38Saz9+jV09J47yCN+8FdjYwgEWXwdtqi0zY6/vjkDJw6mz2dSrM19/eJ/ZWWqDjAVod9720ClYwg== Received: from BN7NAM10FT014.eop-nam10.prod.protection.outlook.com (2a01:111:e400:7e8f::45) by BN7NAM10HT234.eop-nam10.prod.protection.outlook.com (2a01:111:e400:7e8f::283) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.14; Thu, 12 Aug 2021 20:59:08 +0000 Received: from BY3PR19MB4900.namprd19.prod.outlook.com (2a01:111:e400:7e8f::4e) by BN7NAM10FT014.mail.protection.outlook.com (2a01:111:e400:7e8f::324) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.16 via Frontend Transport; Thu, 12 Aug 2021 20:59:08 +0000 X-IncomingTopHeaderMarker: OriginalChecksum:FB241746EA52929C99091AC787E7B47D303EA584B086AB52CA5B8315968B893F;UpperCasedChecksum:FDA1C741973266E4CD3486873730A45CA1E96C9B40132E90DEF1AEDBEA5429FB;SizeAsReceived:8935;Count:48 Received: from BY3PR19MB4900.namprd19.prod.outlook.com ([fe80::4991:e984:f0a1:b0c]) by BY3PR19MB4900.namprd19.prod.outlook.com ([fe80::4991:e984:f0a1:b0c%7]) with mapi id 15.20.4415.018; Thu, 12 Aug 2021 20:59:08 +0000 Subject: Re: [edk2-devel] [PATCH v4 1/6] OvmfPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms To: devel@edk2.groups.io, stefanb@linux.vnet.ibm.com, jiewen.yao@intel.com Cc: marcandre.lureau@redhat.com, lersek@redhat.com, dick_wilkins@phoenix.com, James.Bottomley@HansenPartnership.com, Stefan Berger References: <20210812165931.3071083-1-stefanb@linux.vnet.ibm.com> <20210812165931.3071083-2-stefanb@linux.vnet.ibm.com> From: "Sean" Message-ID: Date: Thu, 12 Aug 2021 13:59:06 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0 In-Reply-To: <20210812165931.3071083-2-stefanb@linux.vnet.ibm.com> X-TMN: [bBHK/e7vaNhgAueSaLr6fkAxqvUfT0Fc] X-ClientProxiedBy: MW4PR04CA0012.namprd04.prod.outlook.com (2603:10b6:303:69::17) To BY3PR19MB4900.namprd19.prod.outlook.com (2603:10b6:a03:354::11) Return-Path: spbrogan@outlook.com X-Microsoft-Original-Message-ID: MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from [192.168.2.78] (50.47.113.221) by MW4PR04CA0012.namprd04.prod.outlook.com (2603:10b6:303:69::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.16 via Frontend Transport; Thu, 12 Aug 2021 20:59:07 +0000 X-MS-PublicTrafficType: Email X-IncomingHeaderCount: 48 X-EOPAttributedMessage: 0 X-MS-Office365-Filtering-Correlation-Id: a7b7fb00-320e-4c3f-4cd8-08d95dd406ba X-MS-TrafficTypeDiagnostic: BN7NAM10HT234: X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: hZTe6Ck2XqYoLVt4hvOhZv96VGvnZzaTLSL9aRu/Abw1dz2urE7DUQksPMqVYV5j2oDDSJ02FDboyZnoOJfl+cLEvdMrE9y9a8VjF1KPam00aKhqQ8go14pLua1sb/fIX599nP6y/+DDdfbKzylSFj78KxYdpkU9NWJTL/aWK3OsAres2hshLf5rlIApw88VWIDUdU/zTghNXGGKmKQ3Wd8qAIZBbj2RQTyHnGyb4LLHoDLc3GK8CwVOiywEMtNst2j9wo5bKeBLrjeSe7YxjvOzYz563SuhSZtsp3qEAW/JZVquF5fh/Bbt5HqoLs57KvnEf9wZXjISAv8/7EA06zgA1Lh2dLyssDtu0IRlkJtTUwdn8ePZcyoaHp0WuNOLCIN/m1+Pi2JszPzWNIHS0nQNh8NOPoPwX44wNVI5MfSyOX5tTDJwUrdDgZ2h74lgzxiwfvVRqcXJIUpqLsSGgfQuMQ8DwE/X3WswM3UZU/g= X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: zmgy+qP8Ai864w7TvBH3veGnTaHN+2OVuZT3tiXOSd/7Xp/ZNnCaWwsaDHEuCil9WsTG9LCXpkTEAK9Ci745Oylg9RPR15UJ5PXawrHqn0PEDmy8zOajLRga946E8/UfEwp9hAtClQnGFHK7mvDHlw== X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: a7b7fb00-320e-4c3f-4cd8-08d95dd406ba X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Aug 2021 20:59:08.0602 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-CrossTenant-AuthSource: BN7NAM10FT014.eop-nam10.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: Internet X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7NAM10HT234 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit This seems like a bad place for a general purpose lib that many other platforms may take a dependency on. In v1 this was SecurityPkg. OvmfPkg is a platform package and therefore not a good place to define broad interfaces. What caused this to move here? Thanks Sean On 8/12/2021 9:59 AM, Stefan Berger wrote: > Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms. Fix some bugs > from the original code and simplify parts of it. > > Signed-off-by: Stefan Berger > --- > .../Include/Library/TpmPlatformHierarchyLib.h | 27 +++ > .../PeiDxeTpmPlatformHierarchyLib.c | 200 ++++++++++++++++++ > .../PeiDxeTpmPlatformHierarchyLib.inf | 40 ++++ > 3 files changed, 267 insertions(+) > create mode 100644 OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h > create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c > create mode 100644 OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf > > diff --git a/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h > new file mode 100644 > index 0000000000..a872fa09dc > --- /dev/null > +++ b/OvmfPkg/Include/Library/TpmPlatformHierarchyLib.h > @@ -0,0 +1,27 @@ > +/** @file > + TPM Platform Hierarchy configuration library. > + > + This library provides functions for customizing the TPM's Platform Hierarchy > + Authorization Value (platformAuth) and Platform Hierarchy Authorization > + Policy (platformPolicy) can be defined through this function. > + > +Copyright (c) 2019, Intel Corporation. All rights reserved.
> +Copyright (c) Microsoft Corporation.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_ > +#define _TPM_PLATFORM_HIERARCHY_LIB_H_ > + > +/** > + This service will perform the TPM Platform Hierarchy configuration at the SmmReadyToLock event. > + > +**/ > +VOID > +EFIAPI > +ConfigureTpmPlatformHierarchy ( > + VOID > + ); > + > +#endif > diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c > new file mode 100644 > index 0000000000..a0dc848abd > --- /dev/null > +++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c > @@ -0,0 +1,200 @@ > +/** @file > + TPM Platform Hierarchy configuration library. > + > + This library provides functions for customizing the TPM's Platform Hierarchy > + Authorization Value (platformAuth) and Platform Hierarchy Authorization > + Policy (platformPolicy) can be defined through this function. > + > + Copyright (c) 2019, Intel Corporation. All rights reserved.
> + Copyright (c) Microsoft Corporation.
> + SPDX-License-Identifier: BSD-2-Clause-Patent > + > + @par Specification Reference: > + https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/ > +**/ > + > +#include > + > +#include > +#include > +#include > +#include > +#include > +#include > + > +// > +// The authorization value may be no larger than the digest produced by the hash > +// algorithm used for context integrity. > +// > + > +UINT16 mAuthSize; > + > +/** > + Generate high-quality entropy source through RDRAND. > + > + @param[in] Length Size of the buffer, in bytes, to fill with. > + @param[out] Entropy Pointer to the buffer to store the entropy data. > + > + @retval EFI_SUCCESS Entropy generation succeeded. > + @retval EFI_NOT_READY Failed to request random data. > + > +**/ > +EFI_STATUS > +EFIAPI > +RdRandGenerateEntropy ( > + IN UINTN Length, > + OUT UINT8 *Entropy > + ) > +{ > + EFI_STATUS Status; > + UINTN BlockCount; > + UINT64 Seed[2]; > + UINT8 *Ptr; > + > + Status = EFI_NOT_READY; > + BlockCount = Length / sizeof(Seed); > + Ptr = (UINT8 *)Entropy; > + > + // > + // Generate high-quality seed for DRBG Entropy > + // > + while (BlockCount > 0) { > + Status = GetRandomNumber128 (Seed); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + CopyMem (Ptr, Seed, sizeof(Seed)); > + > + BlockCount--; > + Ptr = Ptr + sizeof(Seed); > + } > + > + // > + // Populate the remained data as request. > + // > + Status = GetRandomNumber128 (Seed); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + CopyMem (Ptr, Seed, (Length % sizeof(Seed))); > + > + return Status; > +} > + > +/** > + This function returns the maximum size of TPM2B_AUTH; this structure is used for an authorization value > + and limits an authValue to being no larger than the largest digest produced by a TPM. > + > + @param[out] AuthSize Tpm2 Auth size > + > + @retval EFI_SUCCESS Auth size returned. > + @retval EFI_DEVICE_ERROR Can not return platform auth due to device error. > + > +**/ > +EFI_STATUS > +EFIAPI > +GetAuthSize ( > + OUT UINT16 *AuthSize > + ) > +{ > + EFI_STATUS Status; > + TPML_PCR_SELECTION Pcrs; > + UINTN Index; > + UINT16 DigestSize; > + > + Status = EFI_SUCCESS; > + > + while (mAuthSize == 0) { > + > + mAuthSize = SHA1_DIGEST_SIZE; > + ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION)); > + Status = Tpm2GetCapabilityPcrs (&Pcrs); > + > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); > + break; > + } > + > + DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count)); > + > + for (Index = 0; Index < Pcrs.count; Index++) { > + DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash)); > + > + switch (Pcrs.pcrSelections[Index].hash) { > + case TPM_ALG_SHA1: > + DigestSize = SHA1_DIGEST_SIZE; > + break; > + case TPM_ALG_SHA256: > + DigestSize = SHA256_DIGEST_SIZE; > + break; > + case TPM_ALG_SHA384: > + DigestSize = SHA384_DIGEST_SIZE; > + break; > + case TPM_ALG_SHA512: > + DigestSize = SHA512_DIGEST_SIZE; > + break; > + case TPM_ALG_SM3_256: > + DigestSize = SM3_256_DIGEST_SIZE; > + break; > + default: > + DigestSize = SHA1_DIGEST_SIZE; > + break; > + } > + > + if (DigestSize > mAuthSize) { > + mAuthSize = DigestSize; > + } > + } > + break; > + } > + > + *AuthSize = mAuthSize; > + return Status; > +} > + > +/** > + Set PlatformAuth to random value. > +**/ > +VOID > +RandomizePlatformAuth ( > + VOID > + ) > +{ > + EFI_STATUS Status; > + UINT16 AuthSize; > + TPM2B_AUTH NewPlatformAuth; > + > + // > + // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null > + // > + > + GetAuthSize (&AuthSize); > + > + NewPlatformAuth.size = AuthSize; > + > + // > + // Create the random bytes in the destination buffer > + // > + > + RdRandGenerateEntropy (NewPlatformAuth.size, NewPlatformAuth.buffer); > + > + // > + // Send Tpm2HierarchyChangeAuth command with the new Auth value > + // > + Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth); > + DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)); > + ZeroMem (NewPlatformAuth.buffer, AuthSize); > +} > + > +/** > + This service defines the configuration of the Platform Hierarchy Authorization Value (platformAuth) > + and Platform Hierarchy Authorization Policy (platformPolicy) > + > +**/ > +VOID > +EFIAPI > +ConfigureTpmPlatformHierarchy ( > + ) > +{ > + RandomizePlatformAuth (); > +} > diff --git a/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf > new file mode 100644 > index 0000000000..a413e02302 > --- /dev/null > +++ b/OvmfPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf > @@ -0,0 +1,40 @@ > +### @file > +# > +# TPM Platform Hierarchy configuration library. > +# > +# This library provides functions for customizing the TPM's Platform Hierarchy > +# Authorization Value (platformAuth) and Platform Hierarchy Authorization > +# Policy (platformPolicy) can be defined through this function. > +# > +# Copyright (c) 2019, Intel Corporation. All rights reserved.
> +# Copyright (c) Microsoft Corporation.
> +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +### > + > +[Defines] > + INF_VERSION = 0x00010005 > + BASE_NAME = PeiDxeTpmPlatformHierarchyLib > + FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73 > + MODULE_TYPE = PEIM > + VERSION_STRING = 1.0 > + LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + MemoryAllocationLib > + RngLib > + Tpm2CommandLib > + Tpm2DeviceLib > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + SecurityPkg/SecurityPkg.dec > + CryptoPkg/CryptoPkg.dec > + > +[Sources] > + PeiDxeTpmPlatformHierarchyLib.c >