* [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
@ 2021-10-13 17:33 Bret Barkelew
2021-10-14 10:48 ` [edk2-devel] " Yao, Jiewen
0 siblings, 1 reply; 6+ messages in thread
From: Bret Barkelew @ 2021-10-13 17:33 UTC (permalink / raw)
To: devel; +Cc: Jiewen Yao, Jian J Wang, Qi Zhang, Rahul Kumar
Used to provision and maintain certain HW-defined NV spaces.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994
Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Qi Zhang <qi1.zhang@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
---
SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122 ++++++++++++++++++++
SecurityPkg/Include/Library/Tpm2CommandLib.h | 22 ++++
2 files changed, 144 insertions(+)
diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
index 87572de20164..275cb1683f51 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
@@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#define RC_NV_UndefineSpace_authHandle (TPM_RC_H + TPM_RC_1)
#define RC_NV_UndefineSpace_nvIndex (TPM_RC_H + TPM_RC_2)
+#define RC_NV_UndefineSpaceSpecial_nvIndex (TPM_RC_H + TPM_RC_1)
+
#define RC_NV_Read_authHandle (TPM_RC_H + TPM_RC_1)
#define RC_NV_Read_nvIndex (TPM_RC_H + TPM_RC_2)
#define RC_NV_Read_size (TPM_RC_P + TPM_RC_1)
@@ -74,6 +76,20 @@ typedef struct {
TPMS_AUTH_RESPONSE AuthSession;
} TPM2_NV_UNDEFINESPACE_RESPONSE;
+typedef struct {
+ TPM2_COMMAND_HEADER Header;
+ TPMI_RH_NV_INDEX NvIndex;
+ TPMI_RH_PLATFORM Platform;
+ UINT32 AuthSessionSize;
+ TPMS_AUTH_COMMAND AuthSession;
+} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
+
+typedef struct {
+ TPM2_RESPONSE_HEADER Header;
+ UINT32 AuthSessionSize;
+ TPMS_AUTH_RESPONSE AuthSession;
+} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
+
typedef struct {
TPM2_COMMAND_HEADER Header;
TPMI_RH_NV_AUTH AuthHandle;
@@ -506,6 +522,112 @@ Done:
return Status;
}
+/**
+ This command allows removal of a platform-created NV Index that has TPMA_NV_POLICY_DELETE SET.
+
+ @param[in] NvIndex The NV Index.
+ @param[in] IndexAuthSession Auth session context for the Index auth/policy
+ @param[in] PlatAuthSession Auth session context for the Platform auth/policy
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_NOT_FOUND The command was returned successfully, but NvIndex is not found.
+ @retval EFI_UNSUPPORTED Selected NvIndex does not support deletion through this call.
+ @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current policy session.
+ @retval EFI_INVALID_PARAMETER The command was unsuccessful.
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.
+**/
+EFI_STATUS
+EFIAPI
+Tpm2NvUndefineSpaceSpecial (
+ IN TPMI_RH_NV_INDEX NvIndex,
+ IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,
+ IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL
+ )
+{
+ EFI_STATUS Status;
+ TPM2_NV_UNDEFINESPACESPECIAL_COMMAND SendBuffer;
+ TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE RecvBuffer;
+ UINT32 SendBufferSize;
+ UINT32 RecvBufferSize;
+ UINT8 *Buffer;
+ UINT32 IndexAuthSize, PlatAuthSize;
+ TPM_RC ResponseCode;
+
+ //
+ // Construct command
+ //
+ SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
+ SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
+
+ SendBuffer.NvIndex = SwapBytes32 (NvIndex);
+ SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
+
+ //
+ // Marshall the Auth Sessions for the two handles.
+ Buffer = (UINT8 *)&SendBuffer.AuthSession;
+ // IndexAuthSession
+ IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
+ Buffer += IndexAuthSize;
+ // PlatAuthSession
+ PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
+ Buffer += PlatAuthSize;
+ // AuthSessionSize
+ SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize + PlatAuthSize);
+
+ // Update total command size.
+ SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
+ SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
+
+ //
+ // send Tpm command
+ //
+ RecvBufferSize = sizeof (RecvBuffer);
+ Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);
+ if (EFI_ERROR (Status)) {
+ goto Done;
+ }
+
+ if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
+ DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize Error - %x\n", RecvBufferSize));
+ Status = EFI_DEVICE_ERROR;
+ goto Done;
+ }
+
+ ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
+ if (ResponseCode != TPM_RC_SUCCESS) {
+ DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
+ }
+ switch (ResponseCode) {
+ case TPM_RC_SUCCESS:
+ // return data
+ break;
+ case TPM_RC_ATTRIBUTES:
+ case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
+ Status = EFI_UNSUPPORTED;
+ break;
+ case TPM_RC_NV_AUTHORIZATION:
+ Status = EFI_SECURITY_VIOLATION;
+ break;
+ case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: // TPM_RC_NV_DEFINED:
+ Status = EFI_NOT_FOUND;
+ break;
+ case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
+ Status = EFI_INVALID_PARAMETER;
+ break;
+ default:
+ Status = EFI_DEVICE_ERROR;
+ break;
+ }
+
+Done:
+ //
+ // Clear AuthSession Content
+ //
+ ZeroMem (&SendBuffer, sizeof(SendBuffer));
+ ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
+ return Status;
+}
+
/**
This command reads a value from an area in NV memory previously defined by TPM2_NV_DefineSpace().
diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h b/SecurityPkg/Include/Library/Tpm2CommandLib.h
index ee8eb622951c..92967662ce96 100644
--- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
+++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
@@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL
);
+/**
+ This command allows removal of a platform-created NV Index that has TPMA_NV_POLICY_DELETE SET.
+
+ @param[in] NvIndex The NV Index.
+ @param[in] IndexAuthSession Auth session context for the Index auth/policy
+ @param[in] PlatAuthSession Auth session context for the Platform auth/policy
+
+ @retval EFI_SUCCESS Operation completed successfully.
+ @retval EFI_NOT_FOUND The command was returned successfully, but NvIndex is not found.
+ @retval EFI_UNSUPPORTED Selected NvIndex does not support deletion through this call.
+ @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current policy session.
+ @retval EFI_INVALID_PARAMETER The command was unsuccessful.
+ @retval EFI_DEVICE_ERROR The command was unsuccessful.
+**/
+EFI_STATUS
+EFIAPI
+Tpm2NvUndefineSpaceSpecial (
+ IN TPMI_RH_NV_INDEX NvIndex,
+ IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,
+ IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL
+ );
+
/**
This command reads a value from an area in NV memory previously defined by TPM2_NV_DefineSpace().
--
2.31.1.windows.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
2021-10-13 17:33 [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib Bret Barkelew
@ 2021-10-14 10:48 ` Yao, Jiewen
2021-10-14 17:06 ` Bret Barkelew
0 siblings, 1 reply; 6+ messages in thread
From: Yao, Jiewen @ 2021-10-14 10:48 UTC (permalink / raw)
To: devel@edk2.groups.io, bret@corthon.com
Cc: Wang, Jian J, Zhang, Qi1, Kumar, Rahul1
Hi Bret
I saw PR failure - https://github.com/tianocore/edk2/pull/2066
Thank you
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bret
> Barkelew
> Sent: Thursday, October 14, 2021 1:33 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>;
> Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
> Subject: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add
> Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
>
> Used to provision and maintain certain HW-defined NV spaces.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994
>
> Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com>
> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Qi Zhang <qi1.zhang@intel.com>
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
> ---
> SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122
> ++++++++++++++++++++
> SecurityPkg/Include/Library/Tpm2CommandLib.h | 22 ++++
> 2 files changed, 144 insertions(+)
>
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> index 87572de20164..275cb1683f51 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> @@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #define RC_NV_UndefineSpace_authHandle (TPM_RC_H + TPM_RC_1)
>
> #define RC_NV_UndefineSpace_nvIndex (TPM_RC_H + TPM_RC_2)
>
>
>
> +#define RC_NV_UndefineSpaceSpecial_nvIndex (TPM_RC_H + TPM_RC_1)
>
> +
>
> #define RC_NV_Read_authHandle (TPM_RC_H + TPM_RC_1)
>
> #define RC_NV_Read_nvIndex (TPM_RC_H + TPM_RC_2)
>
> #define RC_NV_Read_size (TPM_RC_P + TPM_RC_1)
>
> @@ -74,6 +76,20 @@ typedef struct {
> TPMS_AUTH_RESPONSE AuthSession;
>
> } TPM2_NV_UNDEFINESPACE_RESPONSE;
>
>
>
> +typedef struct {
>
> + TPM2_COMMAND_HEADER Header;
>
> + TPMI_RH_NV_INDEX NvIndex;
>
> + TPMI_RH_PLATFORM Platform;
>
> + UINT32 AuthSessionSize;
>
> + TPMS_AUTH_COMMAND AuthSession;
>
> +} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
>
> +
>
> +typedef struct {
>
> + TPM2_RESPONSE_HEADER Header;
>
> + UINT32 AuthSessionSize;
>
> + TPMS_AUTH_RESPONSE AuthSession;
>
> +} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
>
> +
>
> typedef struct {
>
> TPM2_COMMAND_HEADER Header;
>
> TPMI_RH_NV_AUTH AuthHandle;
>
> @@ -506,6 +522,112 @@ Done:
> return Status;
>
> }
>
>
>
> +/**
>
> + This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
>
> +
>
> + @param[in] NvIndex The NV Index.
>
> + @param[in] IndexAuthSession Auth session context for the Index
> auth/policy
>
> + @param[in] PlatAuthSession Auth session context for the Platform
> auth/policy
>
> +
>
> + @retval EFI_SUCCESS Operation completed successfully.
>
> + @retval EFI_NOT_FOUND The command was returned successfully, but
> NvIndex is not found.
>
> + @retval EFI_UNSUPPORTED Selected NvIndex does not support deletion
> through this call.
>
> + @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current
> policy session.
>
> + @retval EFI_INVALID_PARAMETER The command was unsuccessful.
>
> + @retval EFI_DEVICE_ERROR The command was unsuccessful.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +Tpm2NvUndefineSpaceSpecial (
>
> + IN TPMI_RH_NV_INDEX NvIndex,
>
> + IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,
>
> + IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL
>
> + )
>
> +{
>
> + EFI_STATUS Status;
>
> + TPM2_NV_UNDEFINESPACESPECIAL_COMMAND SendBuffer;
>
> + TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE RecvBuffer;
>
> + UINT32 SendBufferSize;
>
> + UINT32 RecvBufferSize;
>
> + UINT8 *Buffer;
>
> + UINT32 IndexAuthSize, PlatAuthSize;
>
> + TPM_RC ResponseCode;
>
> +
>
> + //
>
> + // Construct command
>
> + //
>
> + SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
>
> + SendBuffer.Header.commandCode =
> SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
>
> +
>
> + SendBuffer.NvIndex = SwapBytes32 (NvIndex);
>
> + SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
>
> +
>
> + //
>
> + // Marshall the Auth Sessions for the two handles.
>
> + Buffer = (UINT8 *)&SendBuffer.AuthSession;
>
> + // IndexAuthSession
>
> + IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
>
> + Buffer += IndexAuthSize;
>
> + // PlatAuthSession
>
> + PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
>
> + Buffer += PlatAuthSize;
>
> + // AuthSessionSize
>
> + SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize + PlatAuthSize);
>
> +
>
> + // Update total command size.
>
> + SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
>
> + SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
>
> +
>
> + //
>
> + // send Tpm command
>
> + //
>
> + RecvBufferSize = sizeof (RecvBuffer);
>
> + Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer,
> &RecvBufferSize, (UINT8 *)&RecvBuffer);
>
> + if (EFI_ERROR (Status)) {
>
> + goto Done;
>
> + }
>
> +
>
> + if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
>
> + DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize
> Error - %x\n", RecvBufferSize));
>
> + Status = EFI_DEVICE_ERROR;
>
> + goto Done;
>
> + }
>
> +
>
> + ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
>
> + if (ResponseCode != TPM_RC_SUCCESS) {
>
> + DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode -
> %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
>
> + }
>
> + switch (ResponseCode) {
>
> + case TPM_RC_SUCCESS:
>
> + // return data
>
> + break;
>
> + case TPM_RC_ATTRIBUTES:
>
> + case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
>
> + Status = EFI_UNSUPPORTED;
>
> + break;
>
> + case TPM_RC_NV_AUTHORIZATION:
>
> + Status = EFI_SECURITY_VIOLATION;
>
> + break;
>
> + case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: //
> TPM_RC_NV_DEFINED:
>
> + Status = EFI_NOT_FOUND;
>
> + break;
>
> + case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
>
> + Status = EFI_INVALID_PARAMETER;
>
> + break;
>
> + default:
>
> + Status = EFI_DEVICE_ERROR;
>
> + break;
>
> + }
>
> +
>
> +Done:
>
> + //
>
> + // Clear AuthSession Content
>
> + //
>
> + ZeroMem (&SendBuffer, sizeof(SendBuffer));
>
> + ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
>
> + return Status;
>
> +}
>
> +
>
> /**
>
> This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
>
>
>
> diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> index ee8eb622951c..92967662ce96 100644
> --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> @@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
> IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL
>
> );
>
>
>
> +/**
>
> + This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
>
> +
>
> + @param[in] NvIndex The NV Index.
>
> + @param[in] IndexAuthSession Auth session context for the Index
> auth/policy
>
> + @param[in] PlatAuthSession Auth session context for the Platform
> auth/policy
>
> +
>
> + @retval EFI_SUCCESS Operation completed successfully.
>
> + @retval EFI_NOT_FOUND The command was returned successfully, but
> NvIndex is not found.
>
> + @retval EFI_UNSUPPORTED Selected NvIndex does not support deletion
> through this call.
>
> + @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current
> policy session.
>
> + @retval EFI_INVALID_PARAMETER The command was unsuccessful.
>
> + @retval EFI_DEVICE_ERROR The command was unsuccessful.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +Tpm2NvUndefineSpaceSpecial (
>
> + IN TPMI_RH_NV_INDEX NvIndex,
>
> + IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,
>
> + IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL
>
> + );
>
> +
>
> /**
>
> This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
>
>
>
> --
> 2.31.1.windows.1
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#81922): https://edk2.groups.io/g/devel/message/81922
> Mute This Topic: https://groups.io/mt/86293842/1772286
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [jiewen.yao@intel.com]
> -=-=-=-=-=-=
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
2021-10-14 10:48 ` [edk2-devel] " Yao, Jiewen
@ 2021-10-14 17:06 ` Bret Barkelew
2021-10-15 0:54 ` Yao, Jiewen
0 siblings, 1 reply; 6+ messages in thread
From: Bret Barkelew @ 2021-10-14 17:06 UTC (permalink / raw)
To: Yao, Jiewen; +Cc: devel@edk2.groups.io, Wang, Jian J, Zhang, Qi1, Kumar, Rahul1
[-- Attachment #1: Type: text/plain, Size: 10220 bytes --]
It looks like all errors are still related to ECC and PatchCheck, even
though I'm just matching the rest of the file.
Please advise if we want to update the entire file.
On Thu, Oct 14, 2021 at 3:48 AM Yao, Jiewen <jiewen.yao@intel.com> wrote:
> Hi Bret
> I saw PR failure - https://github.com/tianocore/edk2/pull/2066
>
> Thank you
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bret
> > Barkelew
> > Sent: Thursday, October 14, 2021 1:33 AM
> > To: devel@edk2.groups.io
> > Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <
> jian.j.wang@intel.com>;
> > Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
> > Subject: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add
> > Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
> >
> > Used to provision and maintain certain HW-defined NV spaces.
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994
> >
> > Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com>
> > Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Qi Zhang <qi1.zhang@intel.com>
> > Cc: Rahul Kumar <rahul1.kumar@intel.com>
> > ---
> > SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122
> > ++++++++++++++++++++
> > SecurityPkg/Include/Library/Tpm2CommandLib.h | 22 ++++
> > 2 files changed, 144 insertions(+)
> >
> > diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> > b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> > index 87572de20164..275cb1683f51 100644
> > --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> > +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> > @@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> > #define RC_NV_UndefineSpace_authHandle (TPM_RC_H + TPM_RC_1)
> >
> > #define RC_NV_UndefineSpace_nvIndex (TPM_RC_H + TPM_RC_2)
> >
> >
> >
> > +#define RC_NV_UndefineSpaceSpecial_nvIndex (TPM_RC_H + TPM_RC_1)
> >
> > +
> >
> > #define RC_NV_Read_authHandle (TPM_RC_H + TPM_RC_1)
> >
> > #define RC_NV_Read_nvIndex (TPM_RC_H + TPM_RC_2)
> >
> > #define RC_NV_Read_size (TPM_RC_P + TPM_RC_1)
> >
> > @@ -74,6 +76,20 @@ typedef struct {
> > TPMS_AUTH_RESPONSE AuthSession;
> >
> > } TPM2_NV_UNDEFINESPACE_RESPONSE;
> >
> >
> >
> > +typedef struct {
> >
> > + TPM2_COMMAND_HEADER Header;
> >
> > + TPMI_RH_NV_INDEX NvIndex;
> >
> > + TPMI_RH_PLATFORM Platform;
> >
> > + UINT32 AuthSessionSize;
> >
> > + TPMS_AUTH_COMMAND AuthSession;
> >
> > +} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
> >
> > +
> >
> > +typedef struct {
> >
> > + TPM2_RESPONSE_HEADER Header;
> >
> > + UINT32 AuthSessionSize;
> >
> > + TPMS_AUTH_RESPONSE AuthSession;
> >
> > +} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
> >
> > +
> >
> > typedef struct {
> >
> > TPM2_COMMAND_HEADER Header;
> >
> > TPMI_RH_NV_AUTH AuthHandle;
> >
> > @@ -506,6 +522,112 @@ Done:
> > return Status;
> >
> > }
> >
> >
> >
> > +/**
> >
> > + This command allows removal of a platform-created NV Index that has
> > TPMA_NV_POLICY_DELETE SET.
> >
> > +
> >
> > + @param[in] NvIndex The NV Index.
> >
> > + @param[in] IndexAuthSession Auth session context for the Index
> > auth/policy
> >
> > + @param[in] PlatAuthSession Auth session context for the Platform
> > auth/policy
> >
> > +
> >
> > + @retval EFI_SUCCESS Operation completed successfully.
> >
> > + @retval EFI_NOT_FOUND The command was returned
> successfully, but
> > NvIndex is not found.
> >
> > + @retval EFI_UNSUPPORTED Selected NvIndex does not support
> deletion
> > through this call.
> >
> > + @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current
> > policy session.
> >
> > + @retval EFI_INVALID_PARAMETER The command was unsuccessful.
> >
> > + @retval EFI_DEVICE_ERROR The command was unsuccessful.
> >
> > +**/
> >
> > +EFI_STATUS
> >
> > +EFIAPI
> >
> > +Tpm2NvUndefineSpaceSpecial (
> >
> > + IN TPMI_RH_NV_INDEX NvIndex,
> >
> > + IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,
> >
> > + IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL
> >
> > + )
> >
> > +{
> >
> > + EFI_STATUS Status;
> >
> > + TPM2_NV_UNDEFINESPACESPECIAL_COMMAND SendBuffer;
> >
> > + TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE RecvBuffer;
> >
> > + UINT32 SendBufferSize;
> >
> > + UINT32 RecvBufferSize;
> >
> > + UINT8 *Buffer;
> >
> > + UINT32 IndexAuthSize, PlatAuthSize;
> >
> > + TPM_RC ResponseCode;
> >
> > +
> >
> > + //
> >
> > + // Construct command
> >
> > + //
> >
> > + SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
> >
> > + SendBuffer.Header.commandCode =
> > SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
> >
> > +
> >
> > + SendBuffer.NvIndex = SwapBytes32 (NvIndex);
> >
> > + SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
> >
> > +
> >
> > + //
> >
> > + // Marshall the Auth Sessions for the two handles.
> >
> > + Buffer = (UINT8 *)&SendBuffer.AuthSession;
> >
> > + // IndexAuthSession
> >
> > + IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
> >
> > + Buffer += IndexAuthSize;
> >
> > + // PlatAuthSession
> >
> > + PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
> >
> > + Buffer += PlatAuthSize;
> >
> > + // AuthSessionSize
> >
> > + SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize +
> PlatAuthSize);
> >
> > +
> >
> > + // Update total command size.
> >
> > + SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
> >
> > + SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
> >
> > +
> >
> > + //
> >
> > + // send Tpm command
> >
> > + //
> >
> > + RecvBufferSize = sizeof (RecvBuffer);
> >
> > + Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer,
> > &RecvBufferSize, (UINT8 *)&RecvBuffer);
> >
> > + if (EFI_ERROR (Status)) {
> >
> > + goto Done;
> >
> > + }
> >
> > +
> >
> > + if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
> >
> > + DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize
> > Error - %x\n", RecvBufferSize));
> >
> > + Status = EFI_DEVICE_ERROR;
> >
> > + goto Done;
> >
> > + }
> >
> > +
> >
> > + ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
> >
> > + if (ResponseCode != TPM_RC_SUCCESS) {
> >
> > + DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode -
> > %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
> >
> > + }
> >
> > + switch (ResponseCode) {
> >
> > + case TPM_RC_SUCCESS:
> >
> > + // return data
> >
> > + break;
> >
> > + case TPM_RC_ATTRIBUTES:
> >
> > + case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
> >
> > + Status = EFI_UNSUPPORTED;
> >
> > + break;
> >
> > + case TPM_RC_NV_AUTHORIZATION:
> >
> > + Status = EFI_SECURITY_VIOLATION;
> >
> > + break;
> >
> > + case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: //
> > TPM_RC_NV_DEFINED:
> >
> > + Status = EFI_NOT_FOUND;
> >
> > + break;
> >
> > + case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
> >
> > + Status = EFI_INVALID_PARAMETER;
> >
> > + break;
> >
> > + default:
> >
> > + Status = EFI_DEVICE_ERROR;
> >
> > + break;
> >
> > + }
> >
> > +
> >
> > +Done:
> >
> > + //
> >
> > + // Clear AuthSession Content
> >
> > + //
> >
> > + ZeroMem (&SendBuffer, sizeof(SendBuffer));
> >
> > + ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
> >
> > + return Status;
> >
> > +}
> >
> > +
> >
> > /**
> >
> > This command reads a value from an area in NV memory previously
> defined by
> > TPM2_NV_DefineSpace().
> >
> >
> >
> > diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> > b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> > index ee8eb622951c..92967662ce96 100644
> > --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> > +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> > @@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
> > IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL
> >
> > );
> >
> >
> >
> > +/**
> >
> > + This command allows removal of a platform-created NV Index that has
> > TPMA_NV_POLICY_DELETE SET.
> >
> > +
> >
> > + @param[in] NvIndex The NV Index.
> >
> > + @param[in] IndexAuthSession Auth session context for the Index
> > auth/policy
> >
> > + @param[in] PlatAuthSession Auth session context for the Platform
> > auth/policy
> >
> > +
> >
> > + @retval EFI_SUCCESS Operation completed successfully.
> >
> > + @retval EFI_NOT_FOUND The command was returned
> successfully, but
> > NvIndex is not found.
> >
> > + @retval EFI_UNSUPPORTED Selected NvIndex does not support
> deletion
> > through this call.
> >
> > + @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current
> > policy session.
> >
> > + @retval EFI_INVALID_PARAMETER The command was unsuccessful.
> >
> > + @retval EFI_DEVICE_ERROR The command was unsuccessful.
> >
> > +**/
> >
> > +EFI_STATUS
> >
> > +EFIAPI
> >
> > +Tpm2NvUndefineSpaceSpecial (
> >
> > + IN TPMI_RH_NV_INDEX NvIndex,
> >
> > + IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,
> >
> > + IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL
> >
> > + );
> >
> > +
> >
> > /**
> >
> > This command reads a value from an area in NV memory previously
> defined by
> > TPM2_NV_DefineSpace().
> >
> >
> >
> > --
> > 2.31.1.windows.1
> >
> >
> >
> > -=-=-=-=-=-=
> > Groups.io Links: You receive all messages sent to this group.
> > View/Reply Online (#81922): https://edk2.groups.io/g/devel/message/81922
> > Mute This Topic: https://groups.io/mt/86293842/1772286
> > Group Owner: devel+owner@edk2.groups.io
> > Unsubscribe: https://edk2.groups.io/g/devel/unsub [jiewen.yao@intel.com]
> > -=-=-=-=-=-=
> >
>
>
[-- Attachment #2: Type: text/html, Size: 15120 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
2021-10-14 17:06 ` Bret Barkelew
@ 2021-10-15 0:54 ` Yao, Jiewen
2021-10-15 1:56 ` 回复: " gaoliming
0 siblings, 1 reply; 6+ messages in thread
From: Yao, Jiewen @ 2021-10-15 0:54 UTC (permalink / raw)
To: Bret Barkelew, Liming Gao, Kinney, Michael D
Cc: devel@edk2.groups.io, Wang, Jian J, Zhang, Qi1, Kumar, Rahul1
[-- Attachment #1: Type: text/plain, Size: 10783 bytes --]
Hi Liming/Mike
Do you have any suggestion here?
How do we change CI to add the name to exception list ?
Thank you
Yao Jiewen
From: Bret Barkelew <bret@corthon.com>
Sent: Friday, October 15, 2021 1:07 AM
To: Yao, Jiewen <jiewen.yao@intel.com>
Cc: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>; Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
It looks like all errors are still related to ECC and PatchCheck, even though I'm just matching the rest of the file.
Please advise if we want to update the entire file.
On Thu, Oct 14, 2021 at 3:48 AM Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>> wrote:
Hi Bret
I saw PR failure - https://github.com/tianocore/edk2/pull/2066
Thank you
> -----Original Message-----
> From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Bret
> Barkelew
> Sent: Thursday, October 14, 2021 1:33 AM
> To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
> Cc: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>; Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>;
> Zhang, Qi1 <qi1.zhang@intel.com<mailto:qi1.zhang@intel.com>>; Kumar, Rahul1 <rahul1.kumar@intel.com<mailto:rahul1.kumar@intel.com>>
> Subject: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add
> Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
>
> Used to provision and maintain certain HW-defined NV spaces.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994
>
> Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>
> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Cc: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Cc: Jian J Wang <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
> Cc: Qi Zhang <qi1.zhang@intel.com<mailto:qi1.zhang@intel.com>>
> Cc: Rahul Kumar <rahul1.kumar@intel.com<mailto:rahul1.kumar@intel.com>>
> ---
> SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122
> ++++++++++++++++++++
> SecurityPkg/Include/Library/Tpm2CommandLib.h | 22 ++++
> 2 files changed, 144 insertions(+)
>
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> index 87572de20164..275cb1683f51 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> @@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #define RC_NV_UndefineSpace_authHandle (TPM_RC_H + TPM_RC_1)
>
> #define RC_NV_UndefineSpace_nvIndex (TPM_RC_H + TPM_RC_2)
>
>
>
> +#define RC_NV_UndefineSpaceSpecial_nvIndex (TPM_RC_H + TPM_RC_1)
>
> +
>
> #define RC_NV_Read_authHandle (TPM_RC_H + TPM_RC_1)
>
> #define RC_NV_Read_nvIndex (TPM_RC_H + TPM_RC_2)
>
> #define RC_NV_Read_size (TPM_RC_P + TPM_RC_1)
>
> @@ -74,6 +76,20 @@ typedef struct {
> TPMS_AUTH_RESPONSE AuthSession;
>
> } TPM2_NV_UNDEFINESPACE_RESPONSE;
>
>
>
> +typedef struct {
>
> + TPM2_COMMAND_HEADER Header;
>
> + TPMI_RH_NV_INDEX NvIndex;
>
> + TPMI_RH_PLATFORM Platform;
>
> + UINT32 AuthSessionSize;
>
> + TPMS_AUTH_COMMAND AuthSession;
>
> +} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
>
> +
>
> +typedef struct {
>
> + TPM2_RESPONSE_HEADER Header;
>
> + UINT32 AuthSessionSize;
>
> + TPMS_AUTH_RESPONSE AuthSession;
>
> +} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
>
> +
>
> typedef struct {
>
> TPM2_COMMAND_HEADER Header;
>
> TPMI_RH_NV_AUTH AuthHandle;
>
> @@ -506,6 +522,112 @@ Done:
> return Status;
>
> }
>
>
>
> +/**
>
> + This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
>
> +
>
> + @param[in] NvIndex The NV Index.
>
> + @param[in] IndexAuthSession Auth session context for the Index
> auth/policy
>
> + @param[in] PlatAuthSession Auth session context for the Platform
> auth/policy
>
> +
>
> + @retval EFI_SUCCESS Operation completed successfully.
>
> + @retval EFI_NOT_FOUND The command was returned successfully, but
> NvIndex is not found.
>
> + @retval EFI_UNSUPPORTED Selected NvIndex does not support deletion
> through this call.
>
> + @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current
> policy session.
>
> + @retval EFI_INVALID_PARAMETER The command was unsuccessful.
>
> + @retval EFI_DEVICE_ERROR The command was unsuccessful.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +Tpm2NvUndefineSpaceSpecial (
>
> + IN TPMI_RH_NV_INDEX NvIndex,
>
> + IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,
>
> + IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL
>
> + )
>
> +{
>
> + EFI_STATUS Status;
>
> + TPM2_NV_UNDEFINESPACESPECIAL_COMMAND SendBuffer;
>
> + TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE RecvBuffer;
>
> + UINT32 SendBufferSize;
>
> + UINT32 RecvBufferSize;
>
> + UINT8 *Buffer;
>
> + UINT32 IndexAuthSize, PlatAuthSize;
>
> + TPM_RC ResponseCode;
>
> +
>
> + //
>
> + // Construct command
>
> + //
>
> + SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
>
> + SendBuffer.Header.commandCode =
> SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
>
> +
>
> + SendBuffer.NvIndex = SwapBytes32 (NvIndex);
>
> + SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
>
> +
>
> + //
>
> + // Marshall the Auth Sessions for the two handles.
>
> + Buffer = (UINT8 *)&SendBuffer.AuthSession;
>
> + // IndexAuthSession
>
> + IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
>
> + Buffer += IndexAuthSize;
>
> + // PlatAuthSession
>
> + PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
>
> + Buffer += PlatAuthSize;
>
> + // AuthSessionSize
>
> + SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize + PlatAuthSize);
>
> +
>
> + // Update total command size.
>
> + SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
>
> + SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
>
> +
>
> + //
>
> + // send Tpm command
>
> + //
>
> + RecvBufferSize = sizeof (RecvBuffer);
>
> + Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer,
> &RecvBufferSize, (UINT8 *)&RecvBuffer);
>
> + if (EFI_ERROR (Status)) {
>
> + goto Done;
>
> + }
>
> +
>
> + if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
>
> + DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize
> Error - %x\n", RecvBufferSize));
>
> + Status = EFI_DEVICE_ERROR;
>
> + goto Done;
>
> + }
>
> +
>
> + ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
>
> + if (ResponseCode != TPM_RC_SUCCESS) {
>
> + DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode -
> %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
>
> + }
>
> + switch (ResponseCode) {
>
> + case TPM_RC_SUCCESS:
>
> + // return data
>
> + break;
>
> + case TPM_RC_ATTRIBUTES:
>
> + case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
>
> + Status = EFI_UNSUPPORTED;
>
> + break;
>
> + case TPM_RC_NV_AUTHORIZATION:
>
> + Status = EFI_SECURITY_VIOLATION;
>
> + break;
>
> + case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: //
> TPM_RC_NV_DEFINED:
>
> + Status = EFI_NOT_FOUND;
>
> + break;
>
> + case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
>
> + Status = EFI_INVALID_PARAMETER;
>
> + break;
>
> + default:
>
> + Status = EFI_DEVICE_ERROR;
>
> + break;
>
> + }
>
> +
>
> +Done:
>
> + //
>
> + // Clear AuthSession Content
>
> + //
>
> + ZeroMem (&SendBuffer, sizeof(SendBuffer));
>
> + ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
>
> + return Status;
>
> +}
>
> +
>
> /**
>
> This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
>
>
>
> diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> index ee8eb622951c..92967662ce96 100644
> --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> @@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
> IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL
>
> );
>
>
>
> +/**
>
> + This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
>
> +
>
> + @param[in] NvIndex The NV Index.
>
> + @param[in] IndexAuthSession Auth session context for the Index
> auth/policy
>
> + @param[in] PlatAuthSession Auth session context for the Platform
> auth/policy
>
> +
>
> + @retval EFI_SUCCESS Operation completed successfully.
>
> + @retval EFI_NOT_FOUND The command was returned successfully, but
> NvIndex is not found.
>
> + @retval EFI_UNSUPPORTED Selected NvIndex does not support deletion
> through this call.
>
> + @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current
> policy session.
>
> + @retval EFI_INVALID_PARAMETER The command was unsuccessful.
>
> + @retval EFI_DEVICE_ERROR The command was unsuccessful.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +Tpm2NvUndefineSpaceSpecial (
>
> + IN TPMI_RH_NV_INDEX NvIndex,
>
> + IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,
>
> + IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL
>
> + );
>
> +
>
> /**
>
> This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
>
>
>
> --
> 2.31.1.windows.1
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#81922): https://edk2.groups.io/g/devel/message/81922
> Mute This Topic: https://groups.io/mt/86293842/1772286
> Group Owner: devel+owner@edk2.groups.io<mailto:devel%2Bowner@edk2.groups.io>
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>]
> -=-=-=-=-=-=
>
[-- Attachment #2: Type: text/html, Size: 20073 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* 回复: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
2021-10-15 0:54 ` Yao, Jiewen
@ 2021-10-15 1:56 ` gaoliming
2021-10-15 2:53 ` Yao, Jiewen
0 siblings, 1 reply; 6+ messages in thread
From: gaoliming @ 2021-10-15 1:56 UTC (permalink / raw)
To: 'Yao, Jiewen', 'Bret Barkelew',
'Kinney, Michael D'
Cc: devel, 'Wang, Jian J', 'Zhang, Qi1',
'Kumar, Rahul1'
[-- Attachment #1: Type: text/plain, Size: 11834 bytes --]
Jiewen:
You can refer to MdeModulePkg\MdeModulePkg.ci.yaml ExceptionList to skip the specific keyword.
Thanks
Liming
发件人: Yao, Jiewen <jiewen.yao@intel.com>
发送时间: 2021年10月15日 8:54
收件人: Bret Barkelew <bret@corthon.com>; Liming Gao <gaoliming@byosoft.com.cn>; Kinney, Michael D <michael.d.kinney@intel.com>
抄送: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>; Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
主题: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
Hi Liming/Mike
Do you have any suggestion here?
How do we change CI to add the name to exception list ?
Thank you
Yao Jiewen
From: Bret Barkelew <bret@corthon.com <mailto:bret@corthon.com> >
Sent: Friday, October 15, 2021 1:07 AM
To: Yao, Jiewen <jiewen.yao@intel.com <mailto:jiewen.yao@intel.com> >
Cc: devel@edk2.groups.io <mailto:devel@edk2.groups.io> ; Wang, Jian J <jian.j.wang@intel.com <mailto:jian.j.wang@intel.com> >; Zhang, Qi1 <qi1.zhang@intel.com <mailto:qi1.zhang@intel.com> >; Kumar, Rahul1 <rahul1.kumar@intel.com <mailto:rahul1.kumar@intel.com> >
Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
It looks like all errors are still related to ECC and PatchCheck, even though I'm just matching the rest of the file.
Please advise if we want to update the entire file.
On Thu, Oct 14, 2021 at 3:48 AM Yao, Jiewen <jiewen.yao@intel.com <mailto:jiewen.yao@intel.com> > wrote:
Hi Bret
I saw PR failure - https://github.com/tianocore/edk2/pull/2066
Thank you
> -----Original Message-----
> From: devel@edk2.groups.io <mailto:devel@edk2.groups.io> <devel@edk2.groups.io <mailto:devel@edk2.groups.io> > On Behalf Of Bret
> Barkelew
> Sent: Thursday, October 14, 2021 1:33 AM
> To: devel@edk2.groups.io <mailto:devel@edk2.groups.io>
> Cc: Yao, Jiewen <jiewen.yao@intel.com <mailto:jiewen.yao@intel.com> >; Wang, Jian J <jian.j.wang@intel.com <mailto:jian.j.wang@intel.com> >;
> Zhang, Qi1 <qi1.zhang@intel.com <mailto:qi1.zhang@intel.com> >; Kumar, Rahul1 <rahul1.kumar@intel.com <mailto:rahul1.kumar@intel.com> >
> Subject: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add
> Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
>
> Used to provision and maintain certain HW-defined NV spaces.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994
>
> Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com <mailto:bret.barkelew@microsoft.com> >
> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com <mailto:jiewen.yao@intel.com> >
> Cc: Jiewen Yao <jiewen.yao@intel.com <mailto:jiewen.yao@intel.com> >
> Cc: Jian J Wang <jian.j.wang@intel.com <mailto:jian.j.wang@intel.com> >
> Cc: Qi Zhang <qi1.zhang@intel.com <mailto:qi1.zhang@intel.com> >
> Cc: Rahul Kumar <rahul1.kumar@intel.com <mailto:rahul1.kumar@intel.com> >
> ---
> SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122
> ++++++++++++++++++++
> SecurityPkg/Include/Library/Tpm2CommandLib.h | 22 ++++
> 2 files changed, 144 insertions(+)
>
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> index 87572de20164..275cb1683f51 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> @@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #define RC_NV_UndefineSpace_authHandle (TPM_RC_H + TPM_RC_1)
>
> #define RC_NV_UndefineSpace_nvIndex (TPM_RC_H + TPM_RC_2)
>
>
>
> +#define RC_NV_UndefineSpaceSpecial_nvIndex (TPM_RC_H + TPM_RC_1)
>
> +
>
> #define RC_NV_Read_authHandle (TPM_RC_H + TPM_RC_1)
>
> #define RC_NV_Read_nvIndex (TPM_RC_H + TPM_RC_2)
>
> #define RC_NV_Read_size (TPM_RC_P + TPM_RC_1)
>
> @@ -74,6 +76,20 @@ typedef struct {
> TPMS_AUTH_RESPONSE AuthSession;
>
> } TPM2_NV_UNDEFINESPACE_RESPONSE;
>
>
>
> +typedef struct {
>
> + TPM2_COMMAND_HEADER Header;
>
> + TPMI_RH_NV_INDEX NvIndex;
>
> + TPMI_RH_PLATFORM Platform;
>
> + UINT32 AuthSessionSize;
>
> + TPMS_AUTH_COMMAND AuthSession;
>
> +} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
>
> +
>
> +typedef struct {
>
> + TPM2_RESPONSE_HEADER Header;
>
> + UINT32 AuthSessionSize;
>
> + TPMS_AUTH_RESPONSE AuthSession;
>
> +} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
>
> +
>
> typedef struct {
>
> TPM2_COMMAND_HEADER Header;
>
> TPMI_RH_NV_AUTH AuthHandle;
>
> @@ -506,6 +522,112 @@ Done:
> return Status;
>
> }
>
>
>
> +/**
>
> + This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
>
> +
>
> + @param[in] NvIndex The NV Index.
>
> + @param[in] IndexAuthSession Auth session context for the Index
> auth/policy
>
> + @param[in] PlatAuthSession Auth session context for the Platform
> auth/policy
>
> +
>
> + @retval EFI_SUCCESS Operation completed successfully.
>
> + @retval EFI_NOT_FOUND The command was returned successfully, but
> NvIndex is not found.
>
> + @retval EFI_UNSUPPORTED Selected NvIndex does not support deletion
> through this call.
>
> + @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current
> policy session.
>
> + @retval EFI_INVALID_PARAMETER The command was unsuccessful.
>
> + @retval EFI_DEVICE_ERROR The command was unsuccessful.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +Tpm2NvUndefineSpaceSpecial (
>
> + IN TPMI_RH_NV_INDEX NvIndex,
>
> + IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,
>
> + IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL
>
> + )
>
> +{
>
> + EFI_STATUS Status;
>
> + TPM2_NV_UNDEFINESPACESPECIAL_COMMAND SendBuffer;
>
> + TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE RecvBuffer;
>
> + UINT32 SendBufferSize;
>
> + UINT32 RecvBufferSize;
>
> + UINT8 *Buffer;
>
> + UINT32 IndexAuthSize, PlatAuthSize;
>
> + TPM_RC ResponseCode;
>
> +
>
> + //
>
> + // Construct command
>
> + //
>
> + SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
>
> + SendBuffer.Header.commandCode =
> SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
>
> +
>
> + SendBuffer.NvIndex = SwapBytes32 (NvIndex);
>
> + SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
>
> +
>
> + //
>
> + // Marshall the Auth Sessions for the two handles.
>
> + Buffer = (UINT8 *)&SendBuffer.AuthSession;
>
> + // IndexAuthSession
>
> + IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
>
> + Buffer += IndexAuthSize;
>
> + // PlatAuthSession
>
> + PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
>
> + Buffer += PlatAuthSize;
>
> + // AuthSessionSize
>
> + SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize + PlatAuthSize);
>
> +
>
> + // Update total command size.
>
> + SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
>
> + SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
>
> +
>
> + //
>
> + // send Tpm command
>
> + //
>
> + RecvBufferSize = sizeof (RecvBuffer);
>
> + Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer,
> &RecvBufferSize, (UINT8 *)&RecvBuffer);
>
> + if (EFI_ERROR (Status)) {
>
> + goto Done;
>
> + }
>
> +
>
> + if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
>
> + DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize
> Error - %x\n", RecvBufferSize));
>
> + Status = EFI_DEVICE_ERROR;
>
> + goto Done;
>
> + }
>
> +
>
> + ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
>
> + if (ResponseCode != TPM_RC_SUCCESS) {
>
> + DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode -
> %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
>
> + }
>
> + switch (ResponseCode) {
>
> + case TPM_RC_SUCCESS:
>
> + // return data
>
> + break;
>
> + case TPM_RC_ATTRIBUTES:
>
> + case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
>
> + Status = EFI_UNSUPPORTED;
>
> + break;
>
> + case TPM_RC_NV_AUTHORIZATION:
>
> + Status = EFI_SECURITY_VIOLATION;
>
> + break;
>
> + case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: //
> TPM_RC_NV_DEFINED:
>
> + Status = EFI_NOT_FOUND;
>
> + break;
>
> + case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
>
> + Status = EFI_INVALID_PARAMETER;
>
> + break;
>
> + default:
>
> + Status = EFI_DEVICE_ERROR;
>
> + break;
>
> + }
>
> +
>
> +Done:
>
> + //
>
> + // Clear AuthSession Content
>
> + //
>
> + ZeroMem (&SendBuffer, sizeof(SendBuffer));
>
> + ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
>
> + return Status;
>
> +}
>
> +
>
> /**
>
> This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
>
>
>
> diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> index ee8eb622951c..92967662ce96 100644
> --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> @@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
> IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL
>
> );
>
>
>
> +/**
>
> + This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
>
> +
>
> + @param[in] NvIndex The NV Index.
>
> + @param[in] IndexAuthSession Auth session context for the Index
> auth/policy
>
> + @param[in] PlatAuthSession Auth session context for the Platform
> auth/policy
>
> +
>
> + @retval EFI_SUCCESS Operation completed successfully.
>
> + @retval EFI_NOT_FOUND The command was returned successfully, but
> NvIndex is not found.
>
> + @retval EFI_UNSUPPORTED Selected NvIndex does not support deletion
> through this call.
>
> + @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current
> policy session.
>
> + @retval EFI_INVALID_PARAMETER The command was unsuccessful.
>
> + @retval EFI_DEVICE_ERROR The command was unsuccessful.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +Tpm2NvUndefineSpaceSpecial (
>
> + IN TPMI_RH_NV_INDEX NvIndex,
>
> + IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,
>
> + IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL
>
> + );
>
> +
>
> /**
>
> This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
>
>
>
> --
> 2.31.1.windows.1
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#81922): https://edk2.groups.io/g/devel/message/81922
> Mute This Topic: https://groups.io/mt/86293842/1772286
> Group Owner: devel+owner@edk2.groups.io <mailto:devel%2Bowner@edk2.groups.io>
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [jiewen.yao@intel.com <mailto:jiewen.yao@intel.com> ]
> -=-=-=-=-=-=
>
[-- Attachment #2: Type: text/html, Size: 21990 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
2021-10-15 1:56 ` 回复: " gaoliming
@ 2021-10-15 2:53 ` Yao, Jiewen
0 siblings, 0 replies; 6+ messages in thread
From: Yao, Jiewen @ 2021-10-15 2:53 UTC (permalink / raw)
To: devel@edk2.groups.io, gaoliming@byosoft.com.cn,
'Bret Barkelew', Kinney, Michael D
Cc: Wang, Jian J, Zhang, Qi1, Kumar, Rahul1
[-- Attachment #1: Type: text/plain, Size: 12475 bytes --]
Sounds good.
Then Bret, you may change https://github.com/tianocore/edk2/blob/master/SecurityPkg/SecurityPkg.ci.yaml, to exclude the RC_NV_* naming check.
Thank you
Yao Jiewen
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of gaoliming
Sent: Friday, October 15, 2021 9:56 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; 'Bret Barkelew' <bret@corthon.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Cc: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@intel.com>; Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
Subject: 回复: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
Jiewen:
You can refer to MdeModulePkg\MdeModulePkg.ci.yaml ExceptionList to skip the specific keyword.
Thanks
Liming
发件人: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
发送时间: 2021年10月15日 8:54
收件人: Bret Barkelew <bret@corthon.com<mailto:bret@corthon.com>>; Liming Gao <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
抄送: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>; Zhang, Qi1 <qi1.zhang@intel.com<mailto:qi1.zhang@intel.com>>; Kumar, Rahul1 <rahul1.kumar@intel.com<mailto:rahul1.kumar@intel.com>>
主题: RE: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
Hi Liming/Mike
Do you have any suggestion here?
How do we change CI to add the name to exception list ?
Thank you
Yao Jiewen
From: Bret Barkelew <bret@corthon.com<mailto:bret@corthon.com>>
Sent: Friday, October 15, 2021 1:07 AM
To: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
Cc: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>; Zhang, Qi1 <qi1.zhang@intel.com<mailto:qi1.zhang@intel.com>>; Kumar, Rahul1 <rahul1.kumar@intel.com<mailto:rahul1.kumar@intel.com>>
Subject: Re: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
It looks like all errors are still related to ECC and PatchCheck, even though I'm just matching the rest of the file.
Please advise if we want to update the entire file.
On Thu, Oct 14, 2021 at 3:48 AM Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>> wrote:
Hi Bret
I saw PR failure - https://github.com/tianocore/edk2/pull/2066
Thank you
> -----Original Message-----
> From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Bret
> Barkelew
> Sent: Thursday, October 14, 2021 1:33 AM
> To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
> Cc: Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>; Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>;
> Zhang, Qi1 <qi1.zhang@intel.com<mailto:qi1.zhang@intel.com>>; Kumar, Rahul1 <rahul1.kumar@intel.com<mailto:rahul1.kumar@intel.com>>
> Subject: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add
> Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
>
> Used to provision and maintain certain HW-defined NV spaces.
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994
>
> Signed-off-by: Bret Barkelew <bret.barkelew@microsoft.com<mailto:bret.barkelew@microsoft.com>>
> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Cc: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Cc: Jian J Wang <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
> Cc: Qi Zhang <qi1.zhang@intel.com<mailto:qi1.zhang@intel.com>>
> Cc: Rahul Kumar <rahul1.kumar@intel.com<mailto:rahul1.kumar@intel.com>>
> ---
> SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122
> ++++++++++++++++++++
> SecurityPkg/Include/Library/Tpm2CommandLib.h | 22 ++++
> 2 files changed, 144 insertions(+)
>
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> index 87572de20164..275cb1683f51 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> @@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #define RC_NV_UndefineSpace_authHandle (TPM_RC_H + TPM_RC_1)
>
> #define RC_NV_UndefineSpace_nvIndex (TPM_RC_H + TPM_RC_2)
>
>
>
> +#define RC_NV_UndefineSpaceSpecial_nvIndex (TPM_RC_H + TPM_RC_1)
>
> +
>
> #define RC_NV_Read_authHandle (TPM_RC_H + TPM_RC_1)
>
> #define RC_NV_Read_nvIndex (TPM_RC_H + TPM_RC_2)
>
> #define RC_NV_Read_size (TPM_RC_P + TPM_RC_1)
>
> @@ -74,6 +76,20 @@ typedef struct {
> TPMS_AUTH_RESPONSE AuthSession;
>
> } TPM2_NV_UNDEFINESPACE_RESPONSE;
>
>
>
> +typedef struct {
>
> + TPM2_COMMAND_HEADER Header;
>
> + TPMI_RH_NV_INDEX NvIndex;
>
> + TPMI_RH_PLATFORM Platform;
>
> + UINT32 AuthSessionSize;
>
> + TPMS_AUTH_COMMAND AuthSession;
>
> +} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
>
> +
>
> +typedef struct {
>
> + TPM2_RESPONSE_HEADER Header;
>
> + UINT32 AuthSessionSize;
>
> + TPMS_AUTH_RESPONSE AuthSession;
>
> +} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
>
> +
>
> typedef struct {
>
> TPM2_COMMAND_HEADER Header;
>
> TPMI_RH_NV_AUTH AuthHandle;
>
> @@ -506,6 +522,112 @@ Done:
> return Status;
>
> }
>
>
>
> +/**
>
> + This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
>
> +
>
> + @param[in] NvIndex The NV Index.
>
> + @param[in] IndexAuthSession Auth session context for the Index
> auth/policy
>
> + @param[in] PlatAuthSession Auth session context for the Platform
> auth/policy
>
> +
>
> + @retval EFI_SUCCESS Operation completed successfully.
>
> + @retval EFI_NOT_FOUND The command was returned successfully, but
> NvIndex is not found.
>
> + @retval EFI_UNSUPPORTED Selected NvIndex does not support deletion
> through this call.
>
> + @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current
> policy session.
>
> + @retval EFI_INVALID_PARAMETER The command was unsuccessful.
>
> + @retval EFI_DEVICE_ERROR The command was unsuccessful.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +Tpm2NvUndefineSpaceSpecial (
>
> + IN TPMI_RH_NV_INDEX NvIndex,
>
> + IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,
>
> + IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL
>
> + )
>
> +{
>
> + EFI_STATUS Status;
>
> + TPM2_NV_UNDEFINESPACESPECIAL_COMMAND SendBuffer;
>
> + TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE RecvBuffer;
>
> + UINT32 SendBufferSize;
>
> + UINT32 RecvBufferSize;
>
> + UINT8 *Buffer;
>
> + UINT32 IndexAuthSize, PlatAuthSize;
>
> + TPM_RC ResponseCode;
>
> +
>
> + //
>
> + // Construct command
>
> + //
>
> + SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
>
> + SendBuffer.Header.commandCode =
> SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
>
> +
>
> + SendBuffer.NvIndex = SwapBytes32 (NvIndex);
>
> + SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
>
> +
>
> + //
>
> + // Marshall the Auth Sessions for the two handles.
>
> + Buffer = (UINT8 *)&SendBuffer.AuthSession;
>
> + // IndexAuthSession
>
> + IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
>
> + Buffer += IndexAuthSize;
>
> + // PlatAuthSession
>
> + PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
>
> + Buffer += PlatAuthSize;
>
> + // AuthSessionSize
>
> + SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize + PlatAuthSize);
>
> +
>
> + // Update total command size.
>
> + SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
>
> + SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
>
> +
>
> + //
>
> + // send Tpm command
>
> + //
>
> + RecvBufferSize = sizeof (RecvBuffer);
>
> + Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer,
> &RecvBufferSize, (UINT8 *)&RecvBuffer);
>
> + if (EFI_ERROR (Status)) {
>
> + goto Done;
>
> + }
>
> +
>
> + if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
>
> + DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize
> Error - %x\n", RecvBufferSize));
>
> + Status = EFI_DEVICE_ERROR;
>
> + goto Done;
>
> + }
>
> +
>
> + ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
>
> + if (ResponseCode != TPM_RC_SUCCESS) {
>
> + DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode -
> %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
>
> + }
>
> + switch (ResponseCode) {
>
> + case TPM_RC_SUCCESS:
>
> + // return data
>
> + break;
>
> + case TPM_RC_ATTRIBUTES:
>
> + case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
>
> + Status = EFI_UNSUPPORTED;
>
> + break;
>
> + case TPM_RC_NV_AUTHORIZATION:
>
> + Status = EFI_SECURITY_VIOLATION;
>
> + break;
>
> + case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: //
> TPM_RC_NV_DEFINED:
>
> + Status = EFI_NOT_FOUND;
>
> + break;
>
> + case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
>
> + Status = EFI_INVALID_PARAMETER;
>
> + break;
>
> + default:
>
> + Status = EFI_DEVICE_ERROR;
>
> + break;
>
> + }
>
> +
>
> +Done:
>
> + //
>
> + // Clear AuthSession Content
>
> + //
>
> + ZeroMem (&SendBuffer, sizeof(SendBuffer));
>
> + ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
>
> + return Status;
>
> +}
>
> +
>
> /**
>
> This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
>
>
>
> diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> index ee8eb622951c..92967662ce96 100644
> --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> @@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
> IN TPMS_AUTH_COMMAND *AuthSession OPTIONAL
>
> );
>
>
>
> +/**
>
> + This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
>
> +
>
> + @param[in] NvIndex The NV Index.
>
> + @param[in] IndexAuthSession Auth session context for the Index
> auth/policy
>
> + @param[in] PlatAuthSession Auth session context for the Platform
> auth/policy
>
> +
>
> + @retval EFI_SUCCESS Operation completed successfully.
>
> + @retval EFI_NOT_FOUND The command was returned successfully, but
> NvIndex is not found.
>
> + @retval EFI_UNSUPPORTED Selected NvIndex does not support deletion
> through this call.
>
> + @retval EFI_SECURITY_VIOLATION Deletion is not authorized by current
> policy session.
>
> + @retval EFI_INVALID_PARAMETER The command was unsuccessful.
>
> + @retval EFI_DEVICE_ERROR The command was unsuccessful.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +Tpm2NvUndefineSpaceSpecial (
>
> + IN TPMI_RH_NV_INDEX NvIndex,
>
> + IN TPMS_AUTH_COMMAND *IndexAuthSession OPTIONAL,
>
> + IN TPMS_AUTH_COMMAND *PlatAuthSession OPTIONAL
>
> + );
>
> +
>
> /**
>
> This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
>
>
>
> --
> 2.31.1.windows.1
>
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#81922): https://edk2.groups.io/g/devel/message/81922
> Mute This Topic: https://groups.io/mt/86293842/1772286
> Group Owner: devel+owner@edk2.groups.io<mailto:devel%2Bowner@edk2.groups.io>
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>]
> -=-=-=-=-=-=
>
[-- Attachment #2: Type: text/html, Size: 24422 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2021-10-15 2:53 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-10-13 17:33 [PATCH v2 1/1] SecurityPkg/Library: Add Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib Bret Barkelew
2021-10-14 10:48 ` [edk2-devel] " Yao, Jiewen
2021-10-14 17:06 ` Bret Barkelew
2021-10-15 0:54 ` Yao, Jiewen
2021-10-15 1:56 ` 回复: " gaoliming
2021-10-15 2:53 ` Yao, Jiewen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox