This change is split into two commits:
1) First commit: Add new library class TpmPlatformHierarchyLib
2) This commit: Add usage in Tcg2PlatformDxe
Tcg2PlatformDxe will now leverage from TpmPlatformHierarchyLib's
ConfigureTpmPlatformHierarchy function to configure the TPM's Platform
Hierarchy.
Cc: Michael Kubacki <michael.a.kuba...@intel.com>
Cc: Chasel Chiu <chasel.c...@intel.com>
Cc: Nate DeSimone <nathaniel.l.desim...@intel.com>
Cc: Liming Gao <liming....@intel.com>
Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cu...@intel.com>
---
.../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 168 +++---------------
.../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 12 +-
2 files changed, 24 insertions(+), 156 deletions(-)
diff --git
a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
index d0d88b2e91d5..704c6d8d6baa 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c
@@ -1,157 +1,31 @@
/** @file
- Platform specific TPM2 component.
+ Platform specific TPM2 component for configuring the Platform Hierarchy.
-Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
+ Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <PiDxe.h>
#include <Library/DebugLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiBootServicesTableLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/Tpm2CommandLib.h>
-#include <Library/RngLib.h>
#include <Library/UefiLib.h>
+#include <Library/TpmPlatformHierarchyLib.h>
#include <Protocol/DxeSmmReadyToLock.h>
-#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE
-
/**
- Generate high-quality entropy source through RDRAND.
-
- @param[in] Length Size of the buffer, in bytes, to fill with.
- @param[out] Entropy Pointer to the buffer to store the entropy data.
-
- @retval EFI_SUCCESS Entropy generation succeeded.
- @retval EFI_NOT_READY Failed to request random data.
-
-**/
-EFI_STATUS
-EFIAPI
-RdRandGenerateEntropy (
- IN UINTN Length,
- OUT UINT8 *Entropy
- )
-{
- EFI_STATUS Status;
- UINTN BlockCount;
- UINT64 Seed[2];
- UINT8 *Ptr;
-
- Status = EFI_NOT_READY;
- BlockCount = Length / 64;
- Ptr = (UINT8 *)Entropy;
+ This callback function will run at the SmmReadyToLock event.
- //
- // Generate high-quality seed for DRBG Entropy
- //
- while (BlockCount > 0) {
- Status = GetRandomNumber128(Seed);
- if (EFI_ERROR(Status)) {
- return Status;
- }
- CopyMem(Ptr, Seed, 64);
-
- BlockCount--;
- Ptr = Ptr + 64;
- }
-
- //
- // Populate the remained data as request.
- //
- Status = GetRandomNumber128(Seed);
- if (EFI_ERROR(Status)) {
- return Status;
- }
- CopyMem(Ptr, Seed, (Length % 64));
-
- return Status;
-}
-
-/**
- Set PlatformAuth to random value.
-**/
-VOID
-RandomizePlatformAuth (
- VOID
- )
-{
- EFI_STATUS Status;
- UINT16 AuthSize;
- TPML_PCR_SELECTION Pcrs;
- UINT32 Index;
- UINT8 *Rand;
- UINTN RandSize;
- TPM2B_AUTH NewPlatformAuth;
-
- //
- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth
being null
- //
- ZeroMem(&Pcrs, sizeof(TPML_PCR_SELECTION));
- AuthSize = MAX_NEW_AUTHORIZATION_SIZE;
-
- Status = Tpm2GetCapabilityPcrs(&Pcrs);
- if (EFI_ERROR(Status)) {
- DEBUG((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));
- } else {
- for (Index = 0; Index < Pcrs.count; Index++) {
- switch (Pcrs.pcrSelections[Index].hash) {
- case TPM_ALG_SHA1:
- AuthSize = SHA1_DIGEST_SIZE;
- break;
- case TPM_ALG_SHA256:
- AuthSize = SHA256_DIGEST_SIZE;
- break;
- case TPM_ALG_SHA384:
- AuthSize = SHA384_DIGEST_SIZE;
- break;
- case TPM_ALG_SHA512:
- AuthSize = SHA512_DIGEST_SIZE;
- break;
- case TPM_ALG_SM3_256:
- AuthSize = SM3_256_DIGEST_SIZE;
- break;
- }
- }
- }
-
- ZeroMem(NewPlatformAuth.buffer, AuthSize);
- NewPlatformAuth.size = AuthSize;
-
- //
- // Allocate one buffer to store random data.
- //
- RandSize = MAX_NEW_AUTHORIZATION_SIZE;
- Rand = AllocatePool(RandSize);
-
- RdRandGenerateEntropy(RandSize, Rand);
- CopyMem(NewPlatformAuth.buffer, Rand, AuthSize);
-
- FreePool(Rand);
-
- //
- // Send Tpm2HierarchyChangeAuth command with the new Auth value
- //
- Status = Tpm2HierarchyChangeAuth(TPM_RH_PLATFORM, NULL, &NewPlatformAuth);
- DEBUG((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));
- ZeroMem(NewPlatformAuth.buffer, AuthSize);
- ZeroMem(Rand, RandSize);
-}
-
-/**
- This is the Event call back function to notify the Library the system is
entering
- run time phase.
+ Configuration of the TPM's Platform Hierarchy Authorization Value
(platformAuth)
+ and Platform Hierarchy Authorization Policy (platformPolicy) can be defined
through this function.
@param Event Pointer to this event
@param Context Event hanlder private data
**/
VOID
EFIAPI
-ReadyToLockEventCallBack (
+SmmReadyToLockEventCallBack (
IN EFI_EVENT Event,
IN VOID *Context
)
@@ -172,22 +46,20 @@ ReadyToLockEventCallBack (
return ;
}
- //
- // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth
being null
- //
- RandomizePlatformAuth();
+ ConfigureTpmPlatformHierarchy ();
gBS->CloseEvent (Event);
}
/**
- The driver's entry point.
+ The driver's entry point. Will register a function for callback during
SmmReadyToLock event to
+ configure the TPM's platform authorization.
- @param[in] ImageHandle The firmware allocated handle for the EFI image.
- @param[in] SystemTable A pointer to the EFI System Table.
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
+ @param[in] SystemTable A pointer to the EFI System Table.
- @retval EFI_SUCCESS The entry point is executed successfully.
- @retval other Some error occurs when executing this entry point.
+ @retval EFI_SUCCESS The entry point is executed successfully.
+ @retval other Some error occurs when executing this entry point.
**/
EFI_STATUS
EFIAPI
@@ -196,17 +68,19 @@ Tcg2PlatformDxeEntryPoint (
IN EFI_SYSTEM_TABLE *SystemTable
)
{
- VOID *Registration;
- EFI_EVENT Event;
+ VOID *Registration;
+ EFI_EVENT Event;
- Event = EfiCreateProtocolNotifyEvent (
+ Event = EfiCreateProtocolNotifyEvent (
&gEfiDxeSmmReadyToLockProtocolGuid,
TPL_CALLBACK,
- ReadyToLockEventCallBack,
+ SmmReadyToLockEventCallBack,
NULL,
&Registration
);
+
ASSERT (Event != NULL);
return EFI_SUCCESS;
}
+
diff --git
a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
index e8ab5f35a0da..af29c1cd98c9 100644
--- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf
@@ -1,7 +1,7 @@
### @file
# Platform specific TPM2 component.
#
-# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.<BR>
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -21,23 +21,18 @@
#
[LibraryClasses]
- MemoryAllocationLib
BaseLib
UefiBootServicesTableLib
UefiDriverEntryPoint
- UefiRuntimeServicesTableLib
- BaseMemoryLib
DebugLib
- Tpm2CommandLib
- Tpm2DeviceLib
- RngLib
UefiLib
+ TpmPlatformHierarchyLib
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
+ MinPlatformPkg/MinPlatformPkg.dec
SecurityPkg/SecurityPkg.dec
- CryptoPkg/CryptoPkg.dec
[Sources]
Tcg2PlatformDxe.c
@@ -47,4 +42,3 @@
[Depex]
gEfiTcg2ProtocolGuid
-
--
2.22.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#50708): https://edk2.groups.io/g/devel/message/50708
Mute This Topic: https://groups.io/mt/58213061/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
