From: "Kubacki, Michael A" <michael.a.kubacki@intel.com>
To: "Chiu, Chasel" <chasel.chiu@intel.com>,
"Gonzalez Del Cueto, Rodrigo" <rodrigo.gonzalez.del.cueto@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Desimone, Nathaniel L" <nathaniel.l.desimone@intel.com>,
"Gao, Liming" <liming.gao@intel.com>
Subject: Re: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy
Date: Fri, 15 Nov 2019 01:11:45 +0000 [thread overview]
Message-ID: <BY5PR11MB4484313AD71BA2BE81FD0682B5700@BY5PR11MB4484.namprd11.prod.outlook.com> (raw)
In-Reply-To: <3C3EFB470A303B4AB093197B6777CCEC505A6334@PGSMSX111.gar.corp.intel.com>
Please include the version changes in a git note attached to the patch in the future.
Thanks,
Michael
> -----Original Message-----
> From: Chiu, Chasel <chasel.chiu@intel.com>
> Sent: Thursday, November 14, 2019 4:58 PM
> To: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cueto@intel.com>;
> devel@edk2.groups.io.
> Cc: Kubacki, Michael A <michael.a.kubacki@intel.com>; Desimone, Nathaniel
> L <nathaniel.l.desimone@intel.com>; Gao, Liming <liming.gao@intel.com>
> Subject: RE: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for
> customizing TPM platform hierarchy
>
>
> You can remove the V5 information when pushing the patch; only the final
> version will be pushed, so there is no need to describe different versions in the commit message.
>
> Reviewed-by: Chasel Chiu <chasel.chiu@intel.com>
>
>
> > -----Original Message-----
> > From: Gonzalez Del Cueto, Rodrigo
> > <rodrigo.gonzalez.del.cueto@intel.com>
> > Sent: Friday, November 15, 2019 5:05 AM
> > To: devel@edk2.groups.io.
> > Cc: Gonzalez Del Cueto, Rodrigo
> > <rodrigo.gonzalez.del.cueto@intel.com>;
> > Kubacki, Michael A <michael.a.kubacki@intel.com>; Chiu, Chasel
> > <chasel.chiu@intel.com>; Desimone, Nathaniel L
> > <nathaniel.l.desimone@intel.com>; Gao, Liming <liming.gao@intel.com>
> > Subject: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for
> > customizing TPM platform hierarchy
> >
> > BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2331
> >
> > In V5:
> > + Fixed build of MinPlatformPkg
> >
> > This change is split into two commits:
> > 1) This commit: Add new library class TpmPlatformHierarchyLib
> > 2) Second commit: Add usage in Tcg2PlatformDxe
> >
> > In order to enable some TPM use cases, the BIOS should allow customizing
> > the configuration of the TPM platform: provisioning of the endorsement,
> > platform and storage hierarchies.
> >
> > Cc: Michael Kubacki <michael.a.kubacki@intel.com>
> > Cc: Chasel Chiu <chasel.chiu@intel.com>
> > Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
> > Cc: Liming Gao <liming.gao@intel.com>
> >
> > Signed-off-by: Rodrigo Gonzalez del Cueto
> > <rodrigo.gonzalez.del.cueto@intel.com>
> > ---
> > .../Include/Library/TpmPlatformHierarchyLib.h | 29 +++
> > .../Intel/MinPlatformPkg/MinPlatformPkg.dec | 2 +
> > .../Intel/MinPlatformPkg/MinPlatformPkg.dsc | 1 +
> > .../TpmPlatformHierarchyLib.c | 214
> > ++++++++++++++++++
> > .../TpmPlatformHierarchyLib.inf | 45 ++++
> > 5 files changed, 291 insertions(+)
> > create mode 100644
> > Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.
> > h
> > create mode 100644
> >
> Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmP
> > la
> > tformHierarchyLib.c
> > create mode 100644
> >
> Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmP
> > la
> > tformHierarchyLib.inf
> >
> > diff --git
> > a/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLi
> > b.h
> >
> b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.
> > h
> > new file mode 100644
> > index 000000000000..ed9709b24a73
> > --- /dev/null
> > +++
> b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarc
> > +++ hy
> > +++ Lib.h
> > @@ -0,0 +1,29 @@
> > +/** @file+ TPM Platform Hierarchy configuration library.++ This
> > library provides functions for customizing the TPM's Platform
> > Hierarchy+ Authorization Value (platformAuth) and Platform Hierarchy
> > Authorization+ Policy (platformPolicy) can be defined through this
> > function.++Copyright (c) 2019, Intel Corporation. All rights
> reserved.<BR>+SPDX-License-Identifier:
> > BSD-2-Clause-Patent++**/++#ifndef
> > _TPM_PLATFORM_HIERARCHY_LIB_H_+#define
> > _TPM_PLATFORM_HIERARCHY_LIB_H_++#include <PiDxe.h>+#include
> > <Uefi.h>++/**+ This service will perform the TPM Platform Hierarchy
> > configuration at the SmmReadyToLock
> > event.++**/+VOID+EFIAPI+ConfigureTpmPlatformHierarchy (+
> > VOID+ );++#endifdiff --git
> > a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
> > b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
> > index a851021c0b79..92bda3784ffc 100644
> > --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
> > +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
> > @@ -62,6 +62,8 @@ BoardInitLib|Include/Library/BoardInitLib.h
> > MultiBoardInitSupportLib|Include/Library/MultiBoardInitSupportLib.h
> > SecBoardInitLib|Include/Library/SecBoardInitLib.h
> > +TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h+
> > TestPointLib|Include/Library/TestPointLib.h
> > TestPointCheckLib|Include/Library/TestPointCheckLib.h diff --git
> > a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> > b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> > index 5f9363ff3228..a01f229a891d 100644
> > --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> > +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
> > @@ -102,6 +102,7 @@
> >
> >
> FspWrapperPlatformLib|MinPlatformPkg/FspWrapper/Library/DxeFspWrap
> p
> > erPlatformLib/DxeFspWrapperPlatformLib.inf
> >
> TestPointCheckLib|MinPlatformPkg/Test/Library/TestPointCheckLib/DxeTes
> > TestPointCheckLib|tP
> > ointCheckLib.inf
> > TestPointLib|MinPlatformPkg/Test/Library/TestPointLib/DxeTestPointLib.
> > TestPointLib|inf+
> >
> TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/TpmPlatformHierarc
> h
> > yLib/TpmPlatformHierarchyLib.inf
> > [LibraryClasses.common.DXE_SMM_DRIVER]
> >
> SpiFlashCommonLib|MinPlatformPkg/Flash/Library/SpiFlashCommonLibNull
> > /SpiFlashCommonLibNull.infdiff --git
> >
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp
> > m
> > PlatformHierarchyLib.c
> >
> b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp
> > m
> > PlatformHierarchyLib.c
> > new file mode 100644
> > index 000000000000..41ddb26f4046
> > --- /dev/null
> > +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLi
> > +++ b/
> > +++ TpmPlatformHierarchyLib.c
> > @@ -0,0 +1,214 @@
> > +/** @file+ TPM Platform Hierarchy configuration library.++ This
> > library provides functions for customizing the TPM's Platform
> > Hierarchy+ Authorization Value (platformAuth) and Platform Hierarchy
> Authorization+
> > Policy (platformPolicy) can be defined through this function.++ Copyright
> > (c) 2019, Intel Corporation. All rights reserved.<BR>+
> > SPDX-License-Identifier: BSD-2-Clause-Patent++ @par Specification
> > Reference:+
> > https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-g
> > uid ance/+**/++#include <PiDxe.h>++#include
> > <Library/DebugLib.h>+#include <Library/BaseMemoryLib.h>+#include
> > <Library/UefiBootServicesTableLib.h>+#include
> > <Library/MemoryAllocationLib.h>+#include
> > <Library/Tpm2CommandLib.h>+#include <Library/RngLib.h>+#include
> > <Library/UefiLib.h>+#include <Protocol/DxeSmmReadyToLock.h>++//+//
> The
> > authorization value may be no larger than the digest produced by the
> > hash+// algorithm used for context integrity.+//+#define
> > MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE++UINT16
> mAuthSize;++/**+
> > Generate high-quality entropy source through
> > RDRAND.++ @param[in] Length Size of the buffer, in bytes, to
> > fill with.+ @param[out] Entropy Pointer to the buffer to store the
> > entropy data.++ @retval EFI_SUCCESS Entropy generation
> > succeeded.+ @retval EFI_NOT_READY Failed to request random
> > data.++**/+EFI_STATUS+EFIAPI+RdRandGenerateEntropy (+ IN UINTN
> > Length,+ OUT UINT8 *Entropy+ )+{+ EFI_STATUS Status;+
> > UINTN BlockCount;+ UINT64 Seed[2];+ UINT8
> > *Ptr;++ Status = EFI_NOT_READY;+ BlockCount = Length / 64;+ Ptr =
> > (UINT8 *)Entropy;++ //+ // Generate high-quality seed for DRBG Entropy+
> > //+ while (BlockCount > 0) {+ Status = GetRandomNumber128 (Seed);+
> > if (EFI_ERROR (Status)) {+ return Status;+ }+ CopyMem (Ptr,
> > Seed, 64);++ BlockCount--;+ Ptr = Ptr + 64;+ }++ //+ // Populate
> > the remained data as request.+ //+ Status = GetRandomNumber128
> > (Seed);+ if (EFI_ERROR (Status)) {+ return Status;+ }+ CopyMem (Ptr,
> > Seed, (Length % 64));++ return Status;+}++/**+ This function returns
> > the maximum size of TPM2B_AUTH; this structure is used for an
> > authorization
> > value+ and limits an authValue to being no larger than the largest
> > value+ digest
> > produced by a TPM.++ @param[out] AuthSize Tpm2
> > Auth size++ @retval EFI_SUCCESS Auth size
> > returned.+ @retval EFI_DEVICE_ERROR Can not return
> > platform auth due to device error.++**/+EFI_STATUS+EFIAPI+GetAuthSize
> (+
> > OUT UINT16 *AuthSize+ )+{+ EFI_STATUS
> > Status;+ TPML_PCR_SELECTION Pcrs;+ UINTN
> > Index;+ UINT16 DigestSize;++ Status = EFI_SUCCESS;++
> > while (mAuthSize == 0) {++ mAuthSize = SHA1_DIGEST_SIZE;+
> > ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));+ Status =
> > Tpm2GetCapabilityPcrs (&Pcrs);++ if (EFI_ERROR (Status)) {+
> > DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));+
> > break;+ }++ DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs -
> > %08x\n", Pcrs.count));++ for (Index = 0; Index < Pcrs.count; Index++) {+
> > DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash));++
> > switch (Pcrs.pcrSelections[Index].hash) {+ case TPM_ALG_SHA1:+
> > DigestSize = SHA1_DIGEST_SIZE;+ break;+ case
> > TPM_ALG_SHA256:+ DigestSize = SHA256_DIGEST_SIZE;+
> > break;+ case TPM_ALG_SHA384:+ DigestSize =
> > SHA384_DIGEST_SIZE;+ break;+ case TPM_ALG_SHA512:+
> > DigestSize = SHA512_DIGEST_SIZE;+ break;+ case
> > TPM_ALG_SM3_256:+ DigestSize = SM3_256_DIGEST_SIZE;+
> > break;+ default:+ DigestSize = SHA1_DIGEST_SIZE;+
> > break;+ }++ if (DigestSize > mAuthSize) {+ mAuthSize =
> > DigestSize;+ }+ }+ break;+ }++ *AuthSize = mAuthSize;+
> > return Status;+}++/**+ Set PlatformAuth to random
> > value.+**/+VOID+RandomizePlatformAuth (+ VOID+ )+{+ EFI_STATUS
> > Status;+ UINT16 AuthSize;+ UINT8
> > *Rand;+ UINTN RandSize;+
> > TPM2B_AUTH NewPlatformAuth;++ //+ //
> > Send Tpm2HierarchyChange Auth with random value to avoid
> PlatformAuth
> > being null+ //++ GetAuthSize (&AuthSize);++ ZeroMem
> > (NewPlatformAuth.buffer, AuthSize);+ NewPlatformAuth.size =
> > AuthSize;++ //+ // Allocate one buffer to store random data.+ //+
> > RandSize = MAX_NEW_AUTHORIZATION_SIZE;+ Rand = AllocatePool
> > (RandSize);++ RdRandGenerateEntropy (RandSize, Rand);+ CopyMem
> > (NewPlatformAuth.buffer, Rand, AuthSize);++ FreePool (Rand);++ //+
> > // Send Tpm2HierarchyChangeAuth command with the new Auth value+
> //+
> > Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL,
> > &NewPlatformAuth);+ DEBUG ((DEBUG_INFO,
> "Tpm2HierarchyChangeAuth
> > Result: - %r\n", Status));+ ZeroMem (NewPlatformAuth.buffer,
> AuthSize);+
> > ZeroMem (Rand, RandSize);+}++/**+ This service defines the
> > configuration of the Platform Hierarchy Authorization Value
> > (platformAuth)+ and Platform Hierarchy Authorization Policy
> > (platformPolicy)++**/+VOID+EFIAPI+ConfigureTpmPlatformHierarchy (+
> > )+{+ //+ // Send Tpm2HierarchyChange Auth with random value to avoid
> > PlatformAuth being null+ //+ RandomizePlatformAuth ();+}diff --git
> >
> a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp
> > m
> > PlatformHierarchyLib.inf
> >
> b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp
> > m
> > PlatformHierarchyLib.inf
> > new file mode 100644
> > index 000000000000..0911bdffa01f
> > --- /dev/null
> > +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLi
> > +++ b/
> > +++ TpmPlatformHierarchyLib.inf
> > @@ -0,0 +1,45 @@
> > +### @file+#+# TPM Platform Hierarchy configuration library.+#+# This
> > library provides functions for customizing the TPM's Platform
> > Hierarchy+# Authorization Value (platformAuth) and Platform Hierarchy
> > Authorization+# Policy (platformPolicy) can be defined through this
> > function.+#+# Copyright
> > (c) 2019, Intel Corporation. All rights reserved.<BR>+#+#
> > SPDX-License-Identifier: BSD-2-Clause-Patent+#+###++[Defines]+
> > INF_VERSION = 0x00010005+ BASE_NAME
> > = TpmPlatformHierarchyLib+ FILE_GUID =
> > 7794F92C-4E8E-4E57-9E4A-49A0764C7D73+ MODULE_TYPE
> > = DXE_DRIVER+ VERSION_STRING = 1.0+
> > LIBRARY_CLASS =
> > TpmPlatformHierarchyLib++[LibraryClasses]+ MemoryAllocationLib+
> > BaseLib+ UefiBootServicesTableLib+ UefiDriverEntryPoint+
> > BaseMemoryLib+ DebugLib+ Tpm2CommandLib+ Tpm2DeviceLib+
> > RngLib+ UefiLib++[Packages]+ MdePkg/MdePkg.dec+
> > MdeModulePkg/MdeModulePkg.dec+ SecurityPkg/SecurityPkg.dec+
> > CryptoPkg/CryptoPkg.dec++[Sources]+
> > TpmPlatformHierarchyLib.c++[Depex]+ gEfiTcg2ProtocolGuid--
> > 2.22.0.windows.1
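Review bot: in RdRandGenerateEntropy (TpmPlatformHierarchyLib.c), `GetRandomNumber128 (Seed)` fills only the 16 bytes of `UINT64 Seed[2]`, but the loop is sized with `BlockCount = Length / 64;` and copies with `CopyMem (Ptr, Seed, 64);`, so every iteration reads 48 bytes past the end of `Seed` on the stack and only 16 of each 64 output bytes are actually random. With `RandSize = MAX_NEW_AUTHORIZATION_SIZE` (64) the new platformAuth becomes 16 random bytes followed by whatever is on the stack. Size the loop by the generator's real output, e.g. `BlockCount = Length / sizeof (Seed);`, `CopyMem (Ptr, Seed, sizeof (Seed));` and `Length % sizeof (Seed)` for the tail, and the "through RDRAND" wording in the comment should be "through RngLib", since the library does not itself issue RDRAND. In RandomizePlatformAuth the return values of `AllocatePool`, `GetAuthSize` and `RdRandGenerateEntropy` are all ignored, so a NULL pool or an RNG failure still leads to a Tpm2HierarchyChangeAuth call with an uninitialized or all-zero authValue, which is exactly what the change is meant to avoid; check them and bail out. `ZeroMem (Rand, RandSize);` runs after `FreePool (Rand);`, a write to freed memory: zero the buffer first, then free it. ConfigureTpmPlatformHierarchy returns VOID and the Tpm2HierarchyChangeAuth status is only printed, so a failed command silently leaves platformAuth empty; returning EFI_STATUS lets the caller in Tcg2PlatformDxe react. The file headers (.h and .c) also state that platformPolicy "can be defined through this function", but only platformAuth is ever changed (no TPM2_SetPrimaryPolicy call), so either trim the comment or add the policy path. Minor: in GetAuthSize `while (mAuthSize == 0) { ... break; }` is an `if`, the TPM capability dumps use DEBUG_ERROR for informational output, and the header includes both PiDxe.h and Uefi.h where PiDxe.h alone suffices.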
>
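Review bot: UefiDriverEntryPoint should not appear in the [LibraryClasses] of TpmPlatformHierarchyLib.inf; it provides the module entry point and belongs only to the driver that consumes this library (Tcg2PlatformDxe in patch 2/2), and listing it in a library can produce duplicate entry point symbols at link time. BaseLib and Tpm2DeviceLib are listed but not used directly by TpmPlatformHierarchyLib.c, and CryptoPkg/CryptoPkg.dec is pulled in although no CryptoPkg header is included (the SHA*_DIGEST_SIZE and SM3_256_DIGEST_SIZE macros the source uses come from IndustryStandard/Tpm20.h via Tpm2CommandLib.h); drop the unused entries so the dependency list matches the code. Since the library uses UefiBootServicesTableLib and Protocol/DxeSmmReadyToLock.h it cannot be linked into PEI or SMM modules, so consider restricting the supported module types on the class line, e.g. `LIBRARY_CLASS = TpmPlatformHierarchyLib|DXE_DRIVER`, and document why the [Depex] on gEfiTcg2ProtocolGuid is placed in the library rather than in the consuming driver.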
Thread overview: 8+ messages
2019-11-14 21:05 [edk2-platforms][Patch V5 0/2] MinPlatformPkg: Introduce library for customizing TPM platform configuration Rodrigo Gonzalez del Cueto
2019-11-14 21:05 ` [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing TPM platform hierarchy Rodrigo Gonzalez del Cueto
2019-11-14 23:16 ` Nate DeSimone
2019-11-14 23:19 ` Kubacki, Michael A
[not found] ` <3C3EFB470A303B4AB093197B6777CCEC505A6334@PGSMSX111.gar.corp.intel.com>
2019-11-15 1:11 ` Kubacki, Michael A [this message]
2019-11-14 21:05 ` [edk2-platforms][Patch V5 2/2] MinPlatformPkg: Tcg2PlatformDxe to use TpmPlatformHierarchyLib Rodrigo Gonzalez del Cueto
2019-11-14 23:16 ` Nate DeSimone
2019-11-14 23:19 ` Kubacki, Michael A