public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
@ 2021-10-13 17:33 Bret Barkelew
  2021-10-14 10:48 ` [edk2-devel] " Yao, Jiewen
  0 siblings, 1 reply; 6+ messages in thread
From: Bret Barkelew @ 2021-10-13 17:33 UTC (permalink / raw)
  To: devel; +Cc: Jiewen Yao, Jian J Wang, Qi Zhang, Rahul Kumar

Used to provision and maintain certain HW-defined NV spaces.

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994

Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Qi Zhang <qi1.zhang@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
---
 SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122 ++++++++++++++++++++
 SecurityPkg/Include/Library/Tpm2CommandLib.h       |  22 ++++
 2 files changed, 144 insertions(+)

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
index 87572de20164..275cb1683f51 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
@@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #define RC_NV_UndefineSpace_authHandle      (TPM_RC_H + TPM_RC_1)
 #define RC_NV_UndefineSpace_nvIndex         (TPM_RC_H + TPM_RC_2)
 
+#define RC_NV_UndefineSpaceSpecial_nvIndex  (TPM_RC_H + TPM_RC_1)
+
 #define RC_NV_Read_authHandle               (TPM_RC_H + TPM_RC_1)
 #define RC_NV_Read_nvIndex                  (TPM_RC_H + TPM_RC_2)
 #define RC_NV_Read_size                     (TPM_RC_P + TPM_RC_1)
@@ -74,6 +76,20 @@ typedef struct {
   TPMS_AUTH_RESPONSE         AuthSession;
 } TPM2_NV_UNDEFINESPACE_RESPONSE;
 
+typedef struct {
+  TPM2_COMMAND_HEADER       Header;
+  TPMI_RH_NV_INDEX          NvIndex;
+  TPMI_RH_PLATFORM          Platform;
+  UINT32                    AuthSessionSize;
+  TPMS_AUTH_COMMAND         AuthSession;
+} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
+
+typedef struct {
+  TPM2_RESPONSE_HEADER       Header;
+  UINT32                     AuthSessionSize;
+  TPMS_AUTH_RESPONSE         AuthSession;
+} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
+
 typedef struct {
   TPM2_COMMAND_HEADER       Header;
   TPMI_RH_NV_AUTH           AuthHandle;
@@ -506,6 +522,112 @@ Done:
   return Status;
 }
 
+/**
+  This command allows removal of a platform-created NV Index that has TPMA_NV_POLICY_DELETE SET.
+
+  @param[in]  NvIndex             The NV Index.
+  @param[in]  IndexAuthSession    Auth session context for the Index auth/policy
+  @param[in]  PlatAuthSession     Auth session context for the Platform auth/policy
+
+  @retval EFI_SUCCESS             Operation completed successfully.
+  @retval EFI_NOT_FOUND           The command was returned successfully, but NvIndex is not found.
+  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deletion through this call.
+  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current policy session.
+  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
+  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
+**/
+EFI_STATUS
+EFIAPI
+Tpm2NvUndefineSpaceSpecial (
+  IN      TPMI_RH_NV_INDEX          NvIndex,
+  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
+  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
+  )
+{
+  EFI_STATUS                              Status;
+  TPM2_NV_UNDEFINESPACESPECIAL_COMMAND    SendBuffer;
+  TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE   RecvBuffer;
+  UINT32                                  SendBufferSize;
+  UINT32                                  RecvBufferSize;
+  UINT8                                   *Buffer;
+  UINT32                                  IndexAuthSize, PlatAuthSize;
+  TPM_RC                                  ResponseCode;
+
+  //
+  // Construct command
+  //
+  SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
+  SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
+
+  SendBuffer.NvIndex = SwapBytes32 (NvIndex);
+  SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
+
+  //
+  // Marshall the Auth Sessions for the two handles.
+  Buffer = (UINT8 *)&SendBuffer.AuthSession;
+  // IndexAuthSession
+  IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
+  Buffer += IndexAuthSize;
+  // PlatAuthSession
+  PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
+  Buffer += PlatAuthSize;
+  // AuthSessionSize
+  SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize + PlatAuthSize);
+
+  // Update total command size.
+  SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
+  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
+
+  //
+  // send Tpm command
+  //
+  RecvBufferSize = sizeof (RecvBuffer);
+  Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);
+  if (EFI_ERROR (Status)) {
+    goto Done;
+  }
+
+  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
+    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize Error - %x\n", RecvBufferSize));
+    Status = EFI_DEVICE_ERROR;
+    goto Done;
+  }
+
+  ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
+  if (ResponseCode != TPM_RC_SUCCESS) {
+    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
+  }
+  switch (ResponseCode) {
+  case TPM_RC_SUCCESS:
+    // return data
+    break;
+  case TPM_RC_ATTRIBUTES:
+  case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
+    Status = EFI_UNSUPPORTED;
+    break;
+  case TPM_RC_NV_AUTHORIZATION:
+    Status = EFI_SECURITY_VIOLATION;
+    break;
+  case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: // TPM_RC_NV_DEFINED:
+    Status = EFI_NOT_FOUND;
+    break;
+  case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
+    Status = EFI_INVALID_PARAMETER;
+    break;
+  default:
+    Status = EFI_DEVICE_ERROR;
+    break;
+  }
+
+Done:
+  //
+  // Clear AuthSession Content
+  //
+  ZeroMem (&SendBuffer, sizeof(SendBuffer));
+  ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
+  return Status;
+}
+
 /**
   This command reads a value from an area in NV memory previously defined by TPM2_NV_DefineSpace().
 
diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h b/SecurityPkg/Include/Library/Tpm2CommandLib.h
index ee8eb622951c..92967662ce96 100644
--- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
+++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
@@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
   IN      TPMS_AUTH_COMMAND         *AuthSession OPTIONAL
   );
 
+/**
+  This command allows removal of a platform-created NV Index that has TPMA_NV_POLICY_DELETE SET.
+
+  @param[in]  NvIndex             The NV Index.
+  @param[in]  IndexAuthSession    Auth session context for the Index auth/policy
+  @param[in]  PlatAuthSession     Auth session context for the Platform auth/policy
+
+  @retval EFI_SUCCESS             Operation completed successfully.
+  @retval EFI_NOT_FOUND           The command was returned successfully, but NvIndex is not found.
+  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deletion through this call.
+  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current policy session.
+  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
+  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
+**/
+EFI_STATUS
+EFIAPI
+Tpm2NvUndefineSpaceSpecial (
+  IN      TPMI_RH_NV_INDEX          NvIndex,
+  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
+  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
+  );
+
 /**
   This command reads a value from an area in NV memory previously defined by TPM2_NV_DefineSpace().
 
-- 
2.31.1.windows.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
  2021-10-13 17:33 [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib Bret Barkelew
@ 2021-10-14 10:48 ` Yao, Jiewen
  2021-10-14 17:06   ` Bret Barkelew
  0 siblings, 1 reply; 6+ messages in thread
From: Yao, Jiewen @ 2021-10-14 10:48 UTC (permalink / raw)
  To: devel@edk2.groups.io, bret@corthon.com
  Cc: Wang, Jian J, Zhang, Qi1, Kumar, Rahul1

Hi Bret
I saw PR failure - https://github.com/tianocore/edk2/pull/2066

Thank you

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bret
> Barkelew
> Sent: Thursday, October 14, 2021 1:33 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
> Subject: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add
> Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
> 
> Used to provision and maintain certain HW-defined NV spaces.
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994
> 
> Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com>
> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Qi Zhang <qi1.zhang@intel.com>
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
> ---
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122
> ++++++++++++++++++++
>  SecurityPkg/Include/Library/Tpm2CommandLib.h       |  22 ++++
>  2 files changed, 144 insertions(+)
> 
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> index 87572de20164..275cb1683f51 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> @@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #define RC_NV_UndefineSpace_authHandle      (TPM_RC_H + TPM_RC_1)
> 
>  #define RC_NV_UndefineSpace_nvIndex         (TPM_RC_H + TPM_RC_2)
> 
> 
> 
> +#define RC_NV_UndefineSpaceSpecial_nvIndex  (TPM_RC_H + TPM_RC_1)
> 
> +
> 
>  #define RC_NV_Read_authHandle               (TPM_RC_H + TPM_RC_1)
> 
>  #define RC_NV_Read_nvIndex                  (TPM_RC_H + TPM_RC_2)
> 
>  #define RC_NV_Read_size                     (TPM_RC_P + TPM_RC_1)
> 
> @@ -74,6 +76,20 @@ typedef struct {
>    TPMS_AUTH_RESPONSE         AuthSession;
> 
>  } TPM2_NV_UNDEFINESPACE_RESPONSE;
> 
> 
> 
> +typedef struct {
> 
> +  TPM2_COMMAND_HEADER       Header;
> 
> +  TPMI_RH_NV_INDEX          NvIndex;
> 
> +  TPMI_RH_PLATFORM          Platform;
> 
> +  UINT32                    AuthSessionSize;
> 
> +  TPMS_AUTH_COMMAND         AuthSession;
> 
> +} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
> 
> +
> 
> +typedef struct {
> 
> +  TPM2_RESPONSE_HEADER       Header;
> 
> +  UINT32                     AuthSessionSize;
> 
> +  TPMS_AUTH_RESPONSE         AuthSession;
> 
> +} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
> 
> +
> 
>  typedef struct {
> 
>    TPM2_COMMAND_HEADER       Header;
> 
>    TPMI_RH_NV_AUTH           AuthHandle;
> 
> @@ -506,6 +522,112 @@ Done:
>    return Status;
> 
>  }
> 
> 
> 
> +/**
> 
> +  This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
> 
> +
> 
> +  @param[in]  NvIndex             The NV Index.
> 
> +  @param[in]  IndexAuthSession    Auth session context for the Index
> auth/policy
> 
> +  @param[in]  PlatAuthSession     Auth session context for the Platform
> auth/policy
> 
> +
> 
> +  @retval EFI_SUCCESS             Operation completed successfully.
> 
> +  @retval EFI_NOT_FOUND           The command was returned successfully, but
> NvIndex is not found.
> 
> +  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deletion
> through this call.
> 
> +  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current
> policy session.
> 
> +  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
> 
> +  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
> 
> +**/
> 
> +EFI_STATUS
> 
> +EFIAPI
> 
> +Tpm2NvUndefineSpaceSpecial (
> 
> +  IN      TPMI_RH_NV_INDEX          NvIndex,
> 
> +  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
> 
> +  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
> 
> +  )
> 
> +{
> 
> +  EFI_STATUS                              Status;
> 
> +  TPM2_NV_UNDEFINESPACESPECIAL_COMMAND    SendBuffer;
> 
> +  TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE   RecvBuffer;
> 
> +  UINT32                                  SendBufferSize;
> 
> +  UINT32                                  RecvBufferSize;
> 
> +  UINT8                                   *Buffer;
> 
> +  UINT32                                  IndexAuthSize, PlatAuthSize;
> 
> +  TPM_RC                                  ResponseCode;
> 
> +
> 
> +  //
> 
> +  // Construct command
> 
> +  //
> 
> +  SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
> 
> +  SendBuffer.Header.commandCode =
> SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
> 
> +
> 
> +  SendBuffer.NvIndex = SwapBytes32 (NvIndex);
> 
> +  SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
> 
> +
> 
> +  //
> 
> +  // Marshall the Auth Sessions for the two handles.
> 
> +  Buffer = (UINT8 *)&SendBuffer.AuthSession;
> 
> +  // IndexAuthSession
> 
> +  IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
> 
> +  Buffer += IndexAuthSize;
> 
> +  // PlatAuthSession
> 
> +  PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
> 
> +  Buffer += PlatAuthSize;
> 
> +  // AuthSessionSize
> 
> +  SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize + PlatAuthSize);
> 
> +
> 
> +  // Update total command size.
> 
> +  SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
> 
> +  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
> 
> +
> 
> +  //
> 
> +  // send Tpm command
> 
> +  //
> 
> +  RecvBufferSize = sizeof (RecvBuffer);
> 
> +  Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer,
> &RecvBufferSize, (UINT8 *)&RecvBuffer);
> 
> +  if (EFI_ERROR (Status)) {
> 
> +    goto Done;
> 
> +  }
> 
> +
> 
> +  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
> 
> +    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize
> Error - %x\n", RecvBufferSize));
> 
> +    Status = EFI_DEVICE_ERROR;
> 
> +    goto Done;
> 
> +  }
> 
> +
> 
> +  ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
> 
> +  if (ResponseCode != TPM_RC_SUCCESS) {
> 
> +    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode -
>  %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
> 
> +  }
> 
> +  switch (ResponseCode) {
> 
> +  case TPM_RC_SUCCESS:
> 
> +    // return data
> 
> +    break;
> 
> +  case TPM_RC_ATTRIBUTES:
> 
> +  case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
> 
> +    Status = EFI_UNSUPPORTED;
> 
> +    break;
> 
> +  case TPM_RC_NV_AUTHORIZATION:
> 
> +    Status = EFI_SECURITY_VIOLATION;
> 
> +    break;
> 
> +  case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: //
> TPM_RC_NV_DEFINED:
> 
> +    Status = EFI_NOT_FOUND;
> 
> +    break;
> 
> +  case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
> 
> +    Status = EFI_INVALID_PARAMETER;
> 
> +    break;
> 
> +  default:
> 
> +    Status = EFI_DEVICE_ERROR;
> 
> +    break;
> 
> +  }
> 
> +
> 
> +Done:
> 
> +  //
> 
> +  // Clear AuthSession Content
> 
> +  //
> 
> +  ZeroMem (&SendBuffer, sizeof(SendBuffer));
> 
> +  ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
> 
> +  return Status;
> 
> +}
> 
> +
> 
>  /**
> 
>    This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
> 
> 
> 
> diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> index ee8eb622951c..92967662ce96 100644
> --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> @@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
>    IN      TPMS_AUTH_COMMAND         *AuthSession OPTIONAL
> 
>    );
> 
> 
> 
> +/**
> 
> +  This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
> 
> +
> 
> +  @param[in]  NvIndex             The NV Index.
> 
> +  @param[in]  IndexAuthSession    Auth session context for the Index
> auth/policy
> 
> +  @param[in]  PlatAuthSession     Auth session context for the Platform
> auth/policy
> 
> +
> 
> +  @retval EFI_SUCCESS             Operation completed successfully.
> 
> +  @retval EFI_NOT_FOUND           The command was returned successfully, but
> NvIndex is not found.
> 
> +  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deletion
> through this call.
> 
> +  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current
> policy session.
> 
> +  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
> 
> +  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
> 
> +**/
> 
> +EFI_STATUS
> 
> +EFIAPI
> 
> +Tpm2NvUndefineSpaceSpecial (
> 
> +  IN      TPMI_RH_NV_INDEX          NvIndex,
> 
> +  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
> 
> +  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
> 
> +  );
> 
> +
> 
>  /**
> 
>    This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
> 
> 
> 
> --
> 2.31.1.windows.1
> 
> 
> 
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#81922): https://edk2.groups.io/g/devel/message/81922
> Mute This Topic: https://groups.io/mt/86293842/1772286
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [jiewen.yao@intel.com]
> -=-=-=-=-=-=
> 


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
  2021-10-14 10:48 ` [edk2-devel] " Yao, Jiewen
@ 2021-10-14 17:06   ` Bret Barkelew
  2021-10-15  0:54     ` Yao, Jiewen
  0 siblings, 1 reply; 6+ messages in thread
From: Bret Barkelew @ 2021-10-14 17:06 UTC (permalink / raw)
  To: Yao, Jiewen; +Cc: devel@edk2.groups.io, Wang, Jian J, Zhang, Qi1, Kumar, Rahul1

[-- Attachment #1: Type: text/plain, Size: 10220 bytes --]

It looks like all errors are still related to ECC and PatchCheck, even
though I'm just matching the rest of the file.

Please advise if we want to update the entire file.

On Thu, Oct 14, 2021 at 3:48 AM Yao, Jiewen <jiewen.yao@intel.com> wrote:

> Hi Bret
> I saw PR failure - https://github.com/tianocore/edk2/pull/2066
>
> Thank you
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bret
> > Barkelew
> > Sent: Thursday, October 14, 2021 1:33 AM
> > To: devel@edk2.groups.io
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <
> jian.j.wang@intel.com>;
> > Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
> > Subject: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add
> > Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
> >
> > Used to provision and maintain certain HW-defined NV spaces.
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994
> >
> > Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com>
> > Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Qi Zhang <qi1.zhang@intel.com>
> > Cc: Rahul Kumar <rahul1.kumar@intel.com>
> > ---
> >  SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122
> > ++++++++++++++++++++
> >  SecurityPkg/Include/Library/Tpm2CommandLib.h       |  22 ++++
> >  2 files changed, 144 insertions(+)
> >
> > diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> > b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> > index 87572de20164..275cb1683f51 100644
> > --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> > +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> > @@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> >  #define RC_NV_UndefineSpace_authHandle      (TPM_RC_H + TPM_RC_1)
> >
> >  #define RC_NV_UndefineSpace_nvIndex         (TPM_RC_H + TPM_RC_2)
> >
> >
> >
> > +#define RC_NV_UndefineSpaceSpecial_nvIndex  (TPM_RC_H + TPM_RC_1)
> >
> > +
> >
> >  #define RC_NV_Read_authHandle               (TPM_RC_H + TPM_RC_1)
> >
> >  #define RC_NV_Read_nvIndex                  (TPM_RC_H + TPM_RC_2)
> >
> >  #define RC_NV_Read_size                     (TPM_RC_P + TPM_RC_1)
> >
> > @@ -74,6 +76,20 @@ typedef struct {
> >    TPMS_AUTH_RESPONSE         AuthSession;
> >
> >  } TPM2_NV_UNDEFINESPACE_RESPONSE;
> >
> >
> >
> > +typedef struct {
> >
> > +  TPM2_COMMAND_HEADER       Header;
> >
> > +  TPMI_RH_NV_INDEX          NvIndex;
> >
> > +  TPMI_RH_PLATFORM          Platform;
> >
> > +  UINT32                    AuthSessionSize;
> >
> > +  TPMS_AUTH_COMMAND         AuthSession;
> >
> > +} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
> >
> > +
> >
> > +typedef struct {
> >
> > +  TPM2_RESPONSE_HEADER       Header;
> >
> > +  UINT32                     AuthSessionSize;
> >
> > +  TPMS_AUTH_RESPONSE         AuthSession;
> >
> > +} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
> >
> > +
> >
> >  typedef struct {
> >
> >    TPM2_COMMAND_HEADER       Header;
> >
> >    TPMI_RH_NV_AUTH           AuthHandle;
> >
> > @@ -506,6 +522,112 @@ Done:
> >    return Status;
> >
> >  }
> >
> >
> >
> > +/**
> >
> > +  This command allows removal of a platform-created NV Index that has
> > TPMA_NV_POLICY_DELETE SET.
> >
> > +
> >
> > +  @param[in]  NvIndex             The NV Index.
> >
> > +  @param[in]  IndexAuthSession    Auth session context for the Index
> > auth/policy
> >
> > +  @param[in]  PlatAuthSession     Auth session context for the Platform
> > auth/policy
> >
> > +
> >
> > +  @retval EFI_SUCCESS             Operation completed successfully.
> >
> > +  @retval EFI_NOT_FOUND           The command was returned
> successfully, but
> > NvIndex is not found.
> >
> > +  @retval EFI_UNSUPPORTED         Selected NvIndex does not support
> deletion
> > through this call.
> >
> > +  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current
> > policy session.
> >
> > +  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
> >
> > +  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
> >
> > +**/
> >
> > +EFI_STATUS
> >
> > +EFIAPI
> >
> > +Tpm2NvUndefineSpaceSpecial (
> >
> > +  IN      TPMI_RH_NV_INDEX          NvIndex,
> >
> > +  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
> >
> > +  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
> >
> > +  )
> >
> > +{
> >
> > +  EFI_STATUS                              Status;
> >
> > +  TPM2_NV_UNDEFINESPACESPECIAL_COMMAND    SendBuffer;
> >
> > +  TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE   RecvBuffer;
> >
> > +  UINT32                                  SendBufferSize;
> >
> > +  UINT32                                  RecvBufferSize;
> >
> > +  UINT8                                   *Buffer;
> >
> > +  UINT32                                  IndexAuthSize, PlatAuthSize;
> >
> > +  TPM_RC                                  ResponseCode;
> >
> > +
> >
> > +  //
> >
> > +  // Construct command
> >
> > +  //
> >
> > +  SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
> >
> > +  SendBuffer.Header.commandCode =
> > SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
> >
> > +
> >
> > +  SendBuffer.NvIndex = SwapBytes32 (NvIndex);
> >
> > +  SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
> >
> > +
> >
> > +  //
> >
> > +  // Marshall the Auth Sessions for the two handles.
> >
> > +  Buffer = (UINT8 *)&SendBuffer.AuthSession;
> >
> > +  // IndexAuthSession
> >
> > +  IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
> >
> > +  Buffer += IndexAuthSize;
> >
> > +  // PlatAuthSession
> >
> > +  PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
> >
> > +  Buffer += PlatAuthSize;
> >
> > +  // AuthSessionSize
> >
> > +  SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize +
> PlatAuthSize);
> >
> > +
> >
> > +  // Update total command size.
> >
> > +  SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
> >
> > +  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
> >
> > +
> >
> > +  //
> >
> > +  // send Tpm command
> >
> > +  //
> >
> > +  RecvBufferSize = sizeof (RecvBuffer);
> >
> > +  Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer,
> > &RecvBufferSize, (UINT8 *)&RecvBuffer);
> >
> > +  if (EFI_ERROR (Status)) {
> >
> > +    goto Done;
> >
> > +  }
> >
> > +
> >
> > +  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
> >
> > +    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize
> > Error - %x\n", RecvBufferSize));
> >
> > +    Status = EFI_DEVICE_ERROR;
> >
> > +    goto Done;
> >
> > +  }
> >
> > +
> >
> > +  ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
> >
> > +  if (ResponseCode != TPM_RC_SUCCESS) {
> >
> > +    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode -
> >  %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
> >
> > +  }
> >
> > +  switch (ResponseCode) {
> >
> > +  case TPM_RC_SUCCESS:
> >
> > +    // return data
> >
> > +    break;
> >
> > +  case TPM_RC_ATTRIBUTES:
> >
> > +  case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
> >
> > +    Status = EFI_UNSUPPORTED;
> >
> > +    break;
> >
> > +  case TPM_RC_NV_AUTHORIZATION:
> >
> > +    Status = EFI_SECURITY_VIOLATION;
> >
> > +    break;
> >
> > +  case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: //
> > TPM_RC_NV_DEFINED:
> >
> > +    Status = EFI_NOT_FOUND;
> >
> > +    break;
> >
> > +  case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
> >
> > +    Status = EFI_INVALID_PARAMETER;
> >
> > +    break;
> >
> > +  default:
> >
> > +    Status = EFI_DEVICE_ERROR;
> >
> > +    break;
> >
> > +  }
> >
> > +
> >
> > +Done:
> >
> > +  //
> >
> > +  // Clear AuthSession Content
> >
> > +  //
> >
> > +  ZeroMem (&SendBuffer, sizeof(SendBuffer));
> >
> > +  ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
> >
> > +  return Status;
> >
> > +}
> >
> > +
> >
> >  /**
> >
> >    This command reads a value from an area in NV memory previously
> defined by
> > TPM2_NV_DefineSpace().
> >
> >
> >
> > diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> > b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> > index ee8eb622951c..92967662ce96 100644
> > --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> > +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> > @@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
> >    IN      TPMS_AUTH_COMMAND         *AuthSession OPTIONAL
> >
> >    );
> >
> >
> >
> > +/**
> >
> > +  This command allows removal of a platform-created NV Index that has
> > TPMA_NV_POLICY_DELETE SET.
> >
> > +
> >
> > +  @param[in]  NvIndex             The NV Index.
> >
> > +  @param[in]  IndexAuthSession    Auth session context for the Index
> > auth/policy
> >
> > +  @param[in]  PlatAuthSession     Auth session context for the Platform
> > auth/policy
> >
> > +
> >
> > +  @retval EFI_SUCCESS             Operation completed successfully.
> >
> > +  @retval EFI_NOT_FOUND           The command was returned
> successfully, but
> > NvIndex is not found.
> >
> > +  @retval EFI_UNSUPPORTED         Selected NvIndex does not support
> deletion
> > through this call.
> >
> > +  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current
> > policy session.
> >
> > +  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
> >
> > +  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
> >
> > +**/
> >
> > +EFI_STATUS
> >
> > +EFIAPI
> >
> > +Tpm2NvUndefineSpaceSpecial (
> >
> > +  IN      TPMI_RH_NV_INDEX          NvIndex,
> >
> > +  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
> >
> > +  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
> >
> > +  );
> >
> > +
> >
> >  /**
> >
> >    This command reads a value from an area in NV memory previously
> defined by
> > TPM2_NV_DefineSpace().
> >
> >
> >
> > --
> > 2.31.1.windows.1
> >
> >
> >
> > -=-=-=-=-=-=
> > Groups.io Links: You receive all messages sent to this group.
> > View/Reply Online (#81922): https://edk2.groups.io/g/devel/message/81922
> > Mute This Topic: https://groups.io/mt/86293842/1772286
> > Group Owner: devel+owner@edk2.groups.io
> > Unsubscribe: https://edk2.groups.io/g/devel/unsub [jiewen.yao@intel.com]
> > -=-=-=-=-=-=
> >
>
>

[-- Attachment #2: Type: text/html, Size: 15120 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
  2021-10-14 17:06   ` Bret Barkelew
@ 2021-10-15  0:54     ` Yao, Jiewen
  2021-10-15  1:56       ` 回复: " gaoliming
  0 siblings, 1 reply; 6+ messages in thread
From: Yao, Jiewen @ 2021-10-15  0:54 UTC (permalink / raw)
  To: Bret Barkelew, Liming Gao, Kinney, Michael D
  Cc: devel@edk2.groups.io, Wang, Jian J, Zhang, Qi1, Kumar, Rahul1

[-- Attachment #1: Type: text/plain, Size: 10783 bytes --]

Hi Liming/Mike
Do you have any suggestion here?

How do we change CI to add the name to exception list ?

Thank you
Yao Jiewen

From: Bret Barkelew <bret@corthon.com>
Sent: Friday, October 15, 2021 1:07 AM
To: Yao, Jiewen <jiewen.yao@intel.com>
Cc: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>; Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib

It looks like all errors are still related to ECC and PatchCheck, even though I'm just matching the rest of the file.

Please advise if we want to update the entire file.

On Thu, Oct 14, 2021 at 3:48 AM Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>> wrote:
Hi Bret
I saw PR failure - https://github.com/tianocore/edk2/pull/2066

Thank you

> -----Original Message-----
> From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Bret
> Barkelew
> Sent: Thursday, October 14, 2021 1:33 AM
> To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
> Cc: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>; Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>;
> Zhang, Qi1 <qi1.zhang@intel.com<mailto:qi1.zhang@intel.com>>; Kumar, Rahul1 <rahul1.kumar@intel.com<mailto:rahul1.kumar@intel.com>>
> Subject: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add
> Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
>
> Used to provision and maintain certain HW-defined NV spaces.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994
>
> Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>
> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Cc: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Cc: Jian J Wang <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
> Cc: Qi Zhang <qi1.zhang@intel.com<mailto:qi1.zhang@intel.com>>
> Cc: Rahul Kumar <rahul1.kumar@intel.com<mailto:rahul1.kumar@intel.com>>
> ---
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122
> ++++++++++++++++++++
>  SecurityPkg/Include/Library/Tpm2CommandLib.h       |  22 ++++
>  2 files changed, 144 insertions(+)
>
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> index 87572de20164..275cb1683f51 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> @@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #define RC_NV_UndefineSpace_authHandle      (TPM_RC_H + TPM_RC_1)
>
>  #define RC_NV_UndefineSpace_nvIndex         (TPM_RC_H + TPM_RC_2)
>
>
>
> +#define RC_NV_UndefineSpaceSpecial_nvIndex  (TPM_RC_H + TPM_RC_1)
>
> +
>
>  #define RC_NV_Read_authHandle               (TPM_RC_H + TPM_RC_1)
>
>  #define RC_NV_Read_nvIndex                  (TPM_RC_H + TPM_RC_2)
>
>  #define RC_NV_Read_size                     (TPM_RC_P + TPM_RC_1)
>
> @@ -74,6 +76,20 @@ typedef struct {
>    TPMS_AUTH_RESPONSE         AuthSession;
>
>  } TPM2_NV_UNDEFINESPACE_RESPONSE;
>
>
>
> +typedef struct {
>
> +  TPM2_COMMAND_HEADER       Header;
>
> +  TPMI_RH_NV_INDEX          NvIndex;
>
> +  TPMI_RH_PLATFORM          Platform;
>
> +  UINT32                    AuthSessionSize;
>
> +  TPMS_AUTH_COMMAND         AuthSession;
>
> +} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
>
> +
>
> +typedef struct {
>
> +  TPM2_RESPONSE_HEADER       Header;
>
> +  UINT32                     AuthSessionSize;
>
> +  TPMS_AUTH_RESPONSE         AuthSession;
>
> +} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
>
> +
>
>  typedef struct {
>
>    TPM2_COMMAND_HEADER       Header;
>
>    TPMI_RH_NV_AUTH           AuthHandle;
>
> @@ -506,6 +522,112 @@ Done:
>    return Status;
>
>  }
>
>
>
> +/**
>
> +  This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
>
> +
>
> +  @param[in]  NvIndex             The NV Index.
>
> +  @param[in]  IndexAuthSession    Auth session context for the Index
> auth/policy
>
> +  @param[in]  PlatAuthSession     Auth session context for the Platform
> auth/policy
>
> +
>
> +  @retval EFI_SUCCESS             Operation completed successfully.
>
> +  @retval EFI_NOT_FOUND           The command was returned successfully, but
> NvIndex is not found.
>
> +  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deletion
> through this call.
>
> +  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current
> policy session.
>
> +  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
>
> +  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +Tpm2NvUndefineSpaceSpecial (
>
> +  IN      TPMI_RH_NV_INDEX          NvIndex,
>
> +  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
>
> +  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
>
> +  )
>
> +{
>
> +  EFI_STATUS                              Status;
>
> +  TPM2_NV_UNDEFINESPACESPECIAL_COMMAND    SendBuffer;
>
> +  TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE   RecvBuffer;
>
> +  UINT32                                  SendBufferSize;
>
> +  UINT32                                  RecvBufferSize;
>
> +  UINT8                                   *Buffer;
>
> +  UINT32                                  IndexAuthSize, PlatAuthSize;
>
> +  TPM_RC                                  ResponseCode;
>
> +
>
> +  //
>
> +  // Construct command
>
> +  //
>
> +  SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
>
> +  SendBuffer.Header.commandCode =
> SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
>
> +
>
> +  SendBuffer.NvIndex = SwapBytes32 (NvIndex);
>
> +  SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
>
> +
>
> +  //
>
> +  // Marshall the Auth Sessions for the two handles.
>
> +  Buffer = (UINT8 *)&SendBuffer.AuthSession;
>
> +  // IndexAuthSession
>
> +  IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
>
> +  Buffer += IndexAuthSize;
>
> +  // PlatAuthSession
>
> +  PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
>
> +  Buffer += PlatAuthSize;
>
> +  // AuthSessionSize
>
> +  SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize + PlatAuthSize);
>
> +
>
> +  // Update total command size.
>
> +  SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
>
> +  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
>
> +
>
> +  //
>
> +  // send Tpm command
>
> +  //
>
> +  RecvBufferSize = sizeof (RecvBuffer);
>
> +  Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer,
> &RecvBufferSize, (UINT8 *)&RecvBuffer);
>
> +  if (EFI_ERROR (Status)) {
>
> +    goto Done;
>
> +  }
>
> +
>
> +  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
>
> +    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize
> Error - %x\n", RecvBufferSize));
>
> +    Status = EFI_DEVICE_ERROR;
>
> +    goto Done;
>
> +  }
>
> +
>
> +  ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
>
> +  if (ResponseCode != TPM_RC_SUCCESS) {
>
> +    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode -
>  %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
>
> +  }
>
> +  switch (ResponseCode) {
>
> +  case TPM_RC_SUCCESS:
>
> +    // return data
>
> +    break;
>
> +  case TPM_RC_ATTRIBUTES:
>
> +  case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
>
> +    Status = EFI_UNSUPPORTED;
>
> +    break;
>
> +  case TPM_RC_NV_AUTHORIZATION:
>
> +    Status = EFI_SECURITY_VIOLATION;
>
> +    break;
>
> +  case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: //
> TPM_RC_NV_DEFINED:
>
> +    Status = EFI_NOT_FOUND;
>
> +    break;
>
> +  case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
>
> +    Status = EFI_INVALID_PARAMETER;
>
> +    break;
>
> +  default:
>
> +    Status = EFI_DEVICE_ERROR;
>
> +    break;
>
> +  }
>
> +
>
> +Done:
>
> +  //
>
> +  // Clear AuthSession Content
>
> +  //
>
> +  ZeroMem (&SendBuffer, sizeof(SendBuffer));
>
> +  ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
>
> +  return Status;
>
> +}
>
> +
>
>  /**
>
>    This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
>
>
>
> diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> index ee8eb622951c..92967662ce96 100644
> --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> @@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
>    IN      TPMS_AUTH_COMMAND         *AuthSession OPTIONAL
>
>    );
>
>
>
> +/**
>
> +  This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
>
> +
>
> +  @param[in]  NvIndex             The NV Index.
>
> +  @param[in]  IndexAuthSession    Auth session context for the Index
> auth/policy
>
> +  @param[in]  PlatAuthSession     Auth session context for the Platform
> auth/policy
>
> +
>
> +  @retval EFI_SUCCESS             Operation completed successfully.
>
> +  @retval EFI_NOT_FOUND           The command was returned successfully, but
> NvIndex is not found.
>
> +  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deletion
> through this call.
>
> +  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current
> policy session.
>
> +  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
>
> +  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +Tpm2NvUndefineSpaceSpecial (
>
> +  IN      TPMI_RH_NV_INDEX          NvIndex,
>
> +  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
>
> +  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
>
> +  );
>
> +
>
>  /**
>
>    This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
>
>
>
> --
> 2.31.1.windows.1
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#81922): https://edk2.groups.io/g/devel/message/81922
> Mute This Topic: https://groups.io/mt/86293842/1772286
> Group Owner: devel+owner@edk2.groups.io<mailto:devel%2Bowner@edk2.groups.io>
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>]
> -=-=-=-=-=-=
>

[-- Attachment #2: Type: text/html, Size: 20073 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* 回复: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
  2021-10-15  0:54     ` Yao, Jiewen
@ 2021-10-15  1:56       ` gaoliming
  2021-10-15  2:53         ` Yao, Jiewen
  0 siblings, 1 reply; 6+ messages in thread
From: gaoliming @ 2021-10-15  1:56 UTC (permalink / raw)
  To: 'Yao, Jiewen', 'Bret Barkelew',
	'Kinney, Michael D'
  Cc: devel, 'Wang, Jian J', 'Zhang, Qi1',
	'Kumar, Rahul1'

[-- Attachment #1: Type: text/plain, Size: 11834 bytes --]

Jiewen:

 You can refer to MdeModulePkg\MdeModulePkg.ci.yaml ExceptionList to skip the specific keyword. 

 

Thanks

Liming

发件人: Yao, Jiewen <jiewen.yao@intel.com> 
发送时间: 2021年10月15日 8:54
收件人: Bret Barkelew <bret@corthon.com>; Liming Gao <gaoliming@byosoft.com.cn>; Kinney, Michael D <michael.d.kinney@intel.com>
抄送: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>; Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
主题: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib

 

Hi Liming/Mike

Do you have any suggestion here?

 

How do we change CI to add the name to exception list ?

 

Thank you

Yao Jiewen

 

From: Bret Barkelew <bret@corthon.com <mailto:bret@corthon.com> > 
Sent: Friday, October 15, 2021 1:07 AM
To: Yao, Jiewen <jiewen.yao@intel.com <mailto:jiewen.yao@intel.com> >
Cc: devel@edk2.groups.io <mailto:devel@edk2.groups.io> ; Wang, Jian J <jian.j.wang@intel.com <mailto:jian.j.wang@intel.com> >; Zhang, Qi1 <qi1.zhang@intel.com <mailto:qi1.zhang@intel.com> >; Kumar, Rahul1 <rahul1.kumar@intel.com <mailto:rahul1.kumar@intel.com> >
Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib

 

It looks like all errors are still related to ECC and PatchCheck, even though I'm just matching the rest of the file.

 

Please advise if we want to update the entire file.

 

On Thu, Oct 14, 2021 at 3:48 AM Yao, Jiewen <jiewen.yao@intel.com <mailto:jiewen.yao@intel.com> > wrote:

Hi Bret
I saw PR failure - https://github.com/tianocore/edk2/pull/2066

Thank you

> -----Original Message-----
> From: devel@edk2.groups.io <mailto:devel@edk2.groups.io>  <devel@edk2.groups.io <mailto:devel@edk2.groups.io> > On Behalf Of Bret
> Barkelew
> Sent: Thursday, October 14, 2021 1:33 AM
> To: devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
> Cc: Yao, Jiewen <jiewen.yao@intel.com <mailto:jiewen.yao@intel.com> >; Wang, Jian J <jian.j.wang@intel.com <mailto:jian.j.wang@intel.com> >;
> Zhang, Qi1 <qi1.zhang@intel.com <mailto:qi1.zhang@intel.com> >; Kumar, Rahul1 <rahul1.kumar@intel.com <mailto:rahul1.kumar@intel.com> >
> Subject: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add
> Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
> 
> Used to provision and maintain certain HW-defined NV spaces.
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994
> 
> Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com <mailto:bret.barkelew@microsoft.com> >
> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com <mailto:jiewen.yao@intel.com> >
> Cc: Jiewen Yao <jiewen.yao@intel.com <mailto:jiewen.yao@intel.com> >
> Cc: Jian J Wang <jian.j.wang@intel.com <mailto:jian.j.wang@intel.com> >
> Cc: Qi Zhang <qi1.zhang@intel.com <mailto:qi1.zhang@intel.com> >
> Cc: Rahul Kumar <rahul1.kumar@intel.com <mailto:rahul1.kumar@intel.com> >
> ---
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122
> ++++++++++++++++++++
>  SecurityPkg/Include/Library/Tpm2CommandLib.h       |  22 ++++
>  2 files changed, 144 insertions(+)
> 
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> index 87572de20164..275cb1683f51 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> @@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #define RC_NV_UndefineSpace_authHandle      (TPM_RC_H + TPM_RC_1)
> 
>  #define RC_NV_UndefineSpace_nvIndex         (TPM_RC_H + TPM_RC_2)
> 
> 
> 
> +#define RC_NV_UndefineSpaceSpecial_nvIndex  (TPM_RC_H + TPM_RC_1)
> 
> +
> 
>  #define RC_NV_Read_authHandle               (TPM_RC_H + TPM_RC_1)
> 
>  #define RC_NV_Read_nvIndex                  (TPM_RC_H + TPM_RC_2)
> 
>  #define RC_NV_Read_size                     (TPM_RC_P + TPM_RC_1)
> 
> @@ -74,6 +76,20 @@ typedef struct {
>    TPMS_AUTH_RESPONSE         AuthSession;
> 
>  } TPM2_NV_UNDEFINESPACE_RESPONSE;
> 
> 
> 
> +typedef struct {
> 
> +  TPM2_COMMAND_HEADER       Header;
> 
> +  TPMI_RH_NV_INDEX          NvIndex;
> 
> +  TPMI_RH_PLATFORM          Platform;
> 
> +  UINT32                    AuthSessionSize;
> 
> +  TPMS_AUTH_COMMAND         AuthSession;
> 
> +} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
> 
> +
> 
> +typedef struct {
> 
> +  TPM2_RESPONSE_HEADER       Header;
> 
> +  UINT32                     AuthSessionSize;
> 
> +  TPMS_AUTH_RESPONSE         AuthSession;
> 
> +} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
> 
> +
> 
>  typedef struct {
> 
>    TPM2_COMMAND_HEADER       Header;
> 
>    TPMI_RH_NV_AUTH           AuthHandle;
> 
> @@ -506,6 +522,112 @@ Done:
>    return Status;
> 
>  }
> 
> 
> 
> +/**
> 
> +  This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
> 
> +
> 
> +  @param[in]  NvIndex             The NV Index.
> 
> +  @param[in]  IndexAuthSession    Auth session context for the Index
> auth/policy
> 
> +  @param[in]  PlatAuthSession     Auth session context for the Platform
> auth/policy
> 
> +
> 
> +  @retval EFI_SUCCESS             Operation completed successfully.
> 
> +  @retval EFI_NOT_FOUND           The command was returned successfully, but
> NvIndex is not found.
> 
> +  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deletion
> through this call.
> 
> +  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current
> policy session.
> 
> +  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
> 
> +  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
> 
> +**/
> 
> +EFI_STATUS
> 
> +EFIAPI
> 
> +Tpm2NvUndefineSpaceSpecial (
> 
> +  IN      TPMI_RH_NV_INDEX          NvIndex,
> 
> +  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
> 
> +  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
> 
> +  )
> 
> +{
> 
> +  EFI_STATUS                              Status;
> 
> +  TPM2_NV_UNDEFINESPACESPECIAL_COMMAND    SendBuffer;
> 
> +  TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE   RecvBuffer;
> 
> +  UINT32                                  SendBufferSize;
> 
> +  UINT32                                  RecvBufferSize;
> 
> +  UINT8                                   *Buffer;
> 
> +  UINT32                                  IndexAuthSize, PlatAuthSize;
> 
> +  TPM_RC                                  ResponseCode;
> 
> +
> 
> +  //
> 
> +  // Construct command
> 
> +  //
> 
> +  SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
> 
> +  SendBuffer.Header.commandCode =
> SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
> 
> +
> 
> +  SendBuffer.NvIndex = SwapBytes32 (NvIndex);
> 
> +  SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
> 
> +
> 
> +  //
> 
> +  // Marshall the Auth Sessions for the two handles.
> 
> +  Buffer = (UINT8 *)&SendBuffer.AuthSession;
> 
> +  // IndexAuthSession
> 
> +  IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
> 
> +  Buffer += IndexAuthSize;
> 
> +  // PlatAuthSession
> 
> +  PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
> 
> +  Buffer += PlatAuthSize;
> 
> +  // AuthSessionSize
> 
> +  SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize + PlatAuthSize);
> 
> +
> 
> +  // Update total command size.
> 
> +  SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
> 
> +  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
> 
> +
> 
> +  //
> 
> +  // send Tpm command
> 
> +  //
> 
> +  RecvBufferSize = sizeof (RecvBuffer);
> 
> +  Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer,
> &RecvBufferSize, (UINT8 *)&RecvBuffer);
> 
> +  if (EFI_ERROR (Status)) {
> 
> +    goto Done;
> 
> +  }
> 
> +
> 
> +  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
> 
> +    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize
> Error - %x\n", RecvBufferSize));
> 
> +    Status = EFI_DEVICE_ERROR;
> 
> +    goto Done;
> 
> +  }
> 
> +
> 
> +  ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
> 
> +  if (ResponseCode != TPM_RC_SUCCESS) {
> 
> +    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode -
>  %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
> 
> +  }
> 
> +  switch (ResponseCode) {
> 
> +  case TPM_RC_SUCCESS:
> 
> +    // return data
> 
> +    break;
> 
> +  case TPM_RC_ATTRIBUTES:
> 
> +  case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
> 
> +    Status = EFI_UNSUPPORTED;
> 
> +    break;
> 
> +  case TPM_RC_NV_AUTHORIZATION:
> 
> +    Status = EFI_SECURITY_VIOLATION;
> 
> +    break;
> 
> +  case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: //
> TPM_RC_NV_DEFINED:
> 
> +    Status = EFI_NOT_FOUND;
> 
> +    break;
> 
> +  case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
> 
> +    Status = EFI_INVALID_PARAMETER;
> 
> +    break;
> 
> +  default:
> 
> +    Status = EFI_DEVICE_ERROR;
> 
> +    break;
> 
> +  }
> 
> +
> 
> +Done:
> 
> +  //
> 
> +  // Clear AuthSession Content
> 
> +  //
> 
> +  ZeroMem (&SendBuffer, sizeof(SendBuffer));
> 
> +  ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
> 
> +  return Status;
> 
> +}
> 
> +
> 
>  /**
> 
>    This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
> 
> 
> 
> diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> index ee8eb622951c..92967662ce96 100644
> --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> @@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
>    IN      TPMS_AUTH_COMMAND         *AuthSession OPTIONAL
> 
>    );
> 
> 
> 
> +/**
> 
> +  This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
> 
> +
> 
> +  @param[in]  NvIndex             The NV Index.
> 
> +  @param[in]  IndexAuthSession    Auth session context for the Index
> auth/policy
> 
> +  @param[in]  PlatAuthSession     Auth session context for the Platform
> auth/policy
> 
> +
> 
> +  @retval EFI_SUCCESS             Operation completed successfully.
> 
> +  @retval EFI_NOT_FOUND           The command was returned successfully, but
> NvIndex is not found.
> 
> +  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deletion
> through this call.
> 
> +  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current
> policy session.
> 
> +  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
> 
> +  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
> 
> +**/
> 
> +EFI_STATUS
> 
> +EFIAPI
> 
> +Tpm2NvUndefineSpaceSpecial (
> 
> +  IN      TPMI_RH_NV_INDEX          NvIndex,
> 
> +  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
> 
> +  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
> 
> +  );
> 
> +
> 
>  /**
> 
>    This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
> 
> 
> 
> --
> 2.31.1.windows.1
> 
> 
> 
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#81922): https://edk2.groups.io/g/devel/message/81922
> Mute This Topic: https://groups.io/mt/86293842/1772286
> Group Owner: devel+owner@edk2.groups.io <mailto:devel%2Bowner@edk2.groups.io> 
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [jiewen.yao@intel.com <mailto:jiewen.yao@intel.com> ]
> -=-=-=-=-=-=
> 


[-- Attachment #2: Type: text/html, Size: 21990 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
  2021-10-15  1:56       ` 回复: " gaoliming
@ 2021-10-15  2:53         ` Yao, Jiewen
  0 siblings, 0 replies; 6+ messages in thread
From: Yao, Jiewen @ 2021-10-15  2:53 UTC (permalink / raw)
  To: devel@edk2.groups.io, gaoliming@byosoft.com.cn,
	'Bret Barkelew', Kinney, Michael D
  Cc: Wang, Jian J, Zhang, Qi1, Kumar, Rahul1

[-- Attachment #1: Type: text/plain, Size: 12475 bytes --]

Sounds good.

Then Bret, you may change https://github.com/tianocore/edk2/blob/master/SecurityPkg/SecurityPkg.ci.yaml, to exclude the RC_NV_* naming check.

Thank you
Yao Jiewen


From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of gaoliming
Sent: Friday, October 15, 2021 9:56 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; 'Bret Barkelew' <bret@corthon.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Cc: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>; Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
Subject: 回复: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib

Jiewen:
 You can refer to MdeModulePkg\MdeModulePkg.ci.yaml ExceptionList to skip the specific keyword.

Thanks
Liming
发件人: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
发送时间: 2021年10月15日 8:54
收件人: Bret Barkelew <bret@corthon.com<mailto:bret@corthon.com>>; Liming Gao <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
抄送: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>; Zhang, Qi1 <qi1.zhang@intel.com<mailto:qi1.zhang@intel.com>>; Kumar, Rahul1 <rahul1.kumar@intel.com<mailto:rahul1.kumar@intel.com>>
主题: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib

Hi Liming/Mike
Do you have any suggestion here?

How do we change CI to add the name to exception list ?

Thank you
Yao Jiewen

From: Bret Barkelew <bret@corthon.com<mailto:bret@corthon.com>>
Sent: Friday, October 15, 2021 1:07 AM
To: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
Cc: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>; Zhang, Qi1 <qi1.zhang@intel.com<mailto:qi1.zhang@intel.com>>; Kumar, Rahul1 <rahul1.kumar@intel.com<mailto:rahul1.kumar@intel.com>>
Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib

It looks like all errors are still related to ECC and PatchCheck, even though I'm just matching the rest of the file.

Please advise if we want to update the entire file.

On Thu, Oct 14, 2021 at 3:48 AM Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>> wrote:
Hi Bret
I saw PR failure - https://github.com/tianocore/edk2/pull/2066

Thank you

> -----Original Message-----
> From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Bret
> Barkelew
> Sent: Thursday, October 14, 2021 1:33 AM
> To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
> Cc: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>; Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>;
> Zhang, Qi1 <qi1.zhang@intel.com<mailto:qi1.zhang@intel.com>>; Kumar, Rahul1 <rahul1.kumar@intel.com<mailto:rahul1.kumar@intel.com>>
> Subject: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add
> Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
>
> Used to provision and maintain certain HW-defined NV spaces.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994
>
> Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>
> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Cc: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Cc: Jian J Wang <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
> Cc: Qi Zhang <qi1.zhang@intel.com<mailto:qi1.zhang@intel.com>>
> Cc: Rahul Kumar <rahul1.kumar@intel.com<mailto:rahul1.kumar@intel.com>>
> ---
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122
> ++++++++++++++++++++
>  SecurityPkg/Include/Library/Tpm2CommandLib.h       |  22 ++++
>  2 files changed, 144 insertions(+)
>
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> index 87572de20164..275cb1683f51 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> @@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #define RC_NV_UndefineSpace_authHandle      (TPM_RC_H + TPM_RC_1)
>
>  #define RC_NV_UndefineSpace_nvIndex         (TPM_RC_H + TPM_RC_2)
>
>
>
> +#define RC_NV_UndefineSpaceSpecial_nvIndex  (TPM_RC_H + TPM_RC_1)
>
> +
>
>  #define RC_NV_Read_authHandle               (TPM_RC_H + TPM_RC_1)
>
>  #define RC_NV_Read_nvIndex                  (TPM_RC_H + TPM_RC_2)
>
>  #define RC_NV_Read_size                     (TPM_RC_P + TPM_RC_1)
>
> @@ -74,6 +76,20 @@ typedef struct {
>    TPMS_AUTH_RESPONSE         AuthSession;
>
>  } TPM2_NV_UNDEFINESPACE_RESPONSE;
>
>
>
> +typedef struct {
>
> +  TPM2_COMMAND_HEADER       Header;
>
> +  TPMI_RH_NV_INDEX          NvIndex;
>
> +  TPMI_RH_PLATFORM          Platform;
>
> +  UINT32                    AuthSessionSize;
>
> +  TPMS_AUTH_COMMAND         AuthSession;
>
> +} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
>
> +
>
> +typedef struct {
>
> +  TPM2_RESPONSE_HEADER       Header;
>
> +  UINT32                     AuthSessionSize;
>
> +  TPMS_AUTH_RESPONSE         AuthSession;
>
> +} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
>
> +
>
>  typedef struct {
>
>    TPM2_COMMAND_HEADER       Header;
>
>    TPMI_RH_NV_AUTH           AuthHandle;
>
> @@ -506,6 +522,112 @@ Done:
>    return Status;
>
>  }
>
>
>
> +/**
>
> +  This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
>
> +
>
> +  @param[in]  NvIndex             The NV Index.
>
> +  @param[in]  IndexAuthSession    Auth session context for the Index
> auth/policy
>
> +  @param[in]  PlatAuthSession     Auth session context for the Platform
> auth/policy
>
> +
>
> +  @retval EFI_SUCCESS             Operation completed successfully.
>
> +  @retval EFI_NOT_FOUND           The command was returned successfully, but
> NvIndex is not found.
>
> +  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deletion
> through this call.
>
> +  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current
> policy session.
>
> +  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
>
> +  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +Tpm2NvUndefineSpaceSpecial (
>
> +  IN      TPMI_RH_NV_INDEX          NvIndex,
>
> +  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
>
> +  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
>
> +  )
>
> +{
>
> +  EFI_STATUS                              Status;
>
> +  TPM2_NV_UNDEFINESPACESPECIAL_COMMAND    SendBuffer;
>
> +  TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE   RecvBuffer;
>
> +  UINT32                                  SendBufferSize;
>
> +  UINT32                                  RecvBufferSize;
>
> +  UINT8                                   *Buffer;
>
> +  UINT32                                  IndexAuthSize, PlatAuthSize;
>
> +  TPM_RC                                  ResponseCode;
>
> +
>
> +  //
>
> +  // Construct command
>
> +  //
>
> +  SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
>
> +  SendBuffer.Header.commandCode =
> SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
>
> +
>
> +  SendBuffer.NvIndex = SwapBytes32 (NvIndex);
>
> +  SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
>
> +
>
> +  //
>
> +  // Marshall the Auth Sessions for the two handles.
>
> +  Buffer = (UINT8 *)&SendBuffer.AuthSession;
>
> +  // IndexAuthSession
>
> +  IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
>
> +  Buffer += IndexAuthSize;
>
> +  // PlatAuthSession
>
> +  PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
>
> +  Buffer += PlatAuthSize;
>
> +  // AuthSessionSize
>
> +  SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize + PlatAuthSize);
>
> +
>
> +  // Update total command size.
>
> +  SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
>
> +  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
>
> +
>
> +  //
>
> +  // send Tpm command
>
> +  //
>
> +  RecvBufferSize = sizeof (RecvBuffer);
>
> +  Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer,
> &RecvBufferSize, (UINT8 *)&RecvBuffer);
>
> +  if (EFI_ERROR (Status)) {
>
> +    goto Done;
>
> +  }
>
> +
>
> +  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
>
> +    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize
> Error - %x\n", RecvBufferSize));
>
> +    Status = EFI_DEVICE_ERROR;
>
> +    goto Done;
>
> +  }
>
> +
>
> +  ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
>
> +  if (ResponseCode != TPM_RC_SUCCESS) {
>
> +    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode -
>  %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
>
> +  }
>
> +  switch (ResponseCode) {
>
> +  case TPM_RC_SUCCESS:
>
> +    // return data
>
> +    break;
>
> +  case TPM_RC_ATTRIBUTES:
>
> +  case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
>
> +    Status = EFI_UNSUPPORTED;
>
> +    break;
>
> +  case TPM_RC_NV_AUTHORIZATION:
>
> +    Status = EFI_SECURITY_VIOLATION;
>
> +    break;
>
> +  case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: //
> TPM_RC_NV_DEFINED:
>
> +    Status = EFI_NOT_FOUND;
>
> +    break;
>
> +  case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
>
> +    Status = EFI_INVALID_PARAMETER;
>
> +    break;
>
> +  default:
>
> +    Status = EFI_DEVICE_ERROR;
>
> +    break;
>
> +  }
>
> +
>
> +Done:
>
> +  //
>
> +  // Clear AuthSession Content
>
> +  //
>
> +  ZeroMem (&SendBuffer, sizeof(SendBuffer));
>
> +  ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
>
> +  return Status;
>
> +}
>
> +
>
>  /**
>
>    This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
>
>
>
> diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> index ee8eb622951c..92967662ce96 100644
> --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> @@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
>    IN      TPMS_AUTH_COMMAND         *AuthSession OPTIONAL
>
>    );
>
>
>
> +/**
>
> +  This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
>
> +
>
> +  @param[in]  NvIndex             The NV Index.
>
> +  @param[in]  IndexAuthSession    Auth session context for the Index
> auth/policy
>
> +  @param[in]  PlatAuthSession     Auth session context for the Platform
> auth/policy
>
> +
>
> +  @retval EFI_SUCCESS             Operation completed successfully.
>
> +  @retval EFI_NOT_FOUND           The command was returned successfully, but
> NvIndex is not found.
>
> +  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deletion
> through this call.
>
> +  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current
> policy session.
>
> +  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
>
> +  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +Tpm2NvUndefineSpaceSpecial (
>
> +  IN      TPMI_RH_NV_INDEX          NvIndex,
>
> +  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
>
> +  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
>
> +  );
>
> +
>
>  /**
>
>    This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
>
>
>
> --
> 2.31.1.windows.1
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#81922): https://edk2.groups.io/g/devel/message/81922
> Mute This Topic: https://groups.io/mt/86293842/1772286
> Group Owner: devel+owner@edk2.groups.io<mailto:devel%2Bowner@edk2.groups.io>
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>]
> -=-=-=-=-=-=
>


[-- Attachment #2: Type: text/html, Size: 24422 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-10-15  2:53 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-10-13 17:33 [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib Bret Barkelew
2021-10-14 10:48 ` [edk2-devel] " Yao, Jiewen
2021-10-14 17:06   ` Bret Barkelew
2021-10-15  0:54     ` Yao, Jiewen
2021-10-15  1:56       ` 回复: " gaoliming
2021-10-15  2:53         ` Yao, Jiewen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox