Reviewed-by: Nate DeSimone <nathaniel.l.desim...@intel.com>

-----Original Message-----
From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cu...@intel.com> 
Sent: Thursday, November 14, 2019 1:05 PM
To: devel@edk2.groups.io.
Cc: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cu...@intel.com>; 
Kubacki, Michael A <michael.a.kuba...@intel.com>; Chiu, Chasel 
<chasel.c...@intel.com>; Desimone, Nathaniel L 
<nathaniel.l.desim...@intel.com>; Gao, Liming <liming....@intel.com>
Subject: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for customizing 
TPM platform hierarchy

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2331

In V5:
  + Fixed build of MinPlatformPkg

This change is split into two commits:
  1) This commit: Add new library class TpmPlatformHierarchyLib
  2) Second commit: Add usage in Tcg2PlatformDxe

In order to enable some TPM use cases, BIOS should enable customization of the 
configuration of the TPM platform, provisioning of endorsement, platform and 
storage hierarchy.

Cc: Michael Kubacki <michael.a.kuba...@intel.com>
Cc: Chasel Chiu <chasel.c...@intel.com>
Cc: Nate DeSimone <nathaniel.l.desim...@intel.com>
Cc: Liming Gao <liming....@intel.com>

Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cu...@intel.com>
---
 .../Include/Library/TpmPlatformHierarchyLib.h |  29 +++
 .../Intel/MinPlatformPkg/MinPlatformPkg.dec   |   2 +
 .../Intel/MinPlatformPkg/MinPlatformPkg.dsc   |   1 +
 .../TpmPlatformHierarchyLib.c                 | 214 ++++++++++++++++++
 .../TpmPlatformHierarchyLib.inf               |  45 ++++
 5 files changed, 291 insertions(+)
 create mode 100644 
Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
 create mode 100644 
Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
 create mode 100644 
Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf

diff --git 
a/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h 
b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
new file mode 100644
index 000000000000..ed9709b24a73
--- /dev/null
+++ b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchy
+++ Lib.h
@@ -0,0 +1,29 @@
+/** @file+    TPM Platform Hierarchy configuration library.++    This library 
provides functions for customizing the TPM's Platform Hierarchy+    
Authorization Value (platformAuth) and Platform Hierarchy Authorization+    
Policy (platformPolicy) can be defined through this function.++Copyright (c) 
2019, Intel Corporation. All rights reserved.<BR>+SPDX-License-Identifier: 
BSD-2-Clause-Patent++**/++#ifndef _TPM_PLATFORM_HIERARCHY_LIB_H_+#define 
_TPM_PLATFORM_HIERARCHY_LIB_H_++#include <PiDxe.h>+#include <Uefi.h>++/**+   
This service will perform the TPM Platform Hierarchy configuration at the 
SmmReadyToLock event.++**/+VOID+EFIAPI+ConfigureTpmPlatformHierarchy (+  VOID+  
);++#endifdiff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec 
b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
index a851021c0b79..92bda3784ffc 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec
@@ -62,6 +62,8 @@ BoardInitLib|Include/Library/BoardInitLib.h
 MultiBoardInitSupportLib|Include/Library/MultiBoardInitSupportLib.h 
SecBoardInitLib|Include/Library/SecBoardInitLib.h 
+TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h+ 
TestPointLib|Include/Library/TestPointLib.h 
TestPointCheckLib|Include/Library/TestPointCheckLib.h diff --git 
a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc 
b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
index 5f9363ff3228..a01f229a891d 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
+++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc
@@ -102,6 +102,7 @@
   
FspWrapperPlatformLib|MinPlatformPkg/FspWrapper/Library/DxeFspWrapperPlatformLib/DxeFspWrapperPlatformLib.inf
   
TestPointCheckLib|MinPlatformPkg/Test/Library/TestPointCheckLib/DxeTestPointCheckLib.inf
   TestPointLib|MinPlatformPkg/Test/Library/TestPointLib/DxeTestPointLib.inf+  
TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
  [LibraryClasses.common.DXE_SMM_DRIVER]   
SpiFlashCommonLib|MinPlatformPkg/Flash/Library/SpiFlashCommonLibNull/SpiFlashCommonLibNull.infdiff
 --git 
a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
 
b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c
new file mode 100644
index 000000000000..41ddb26f4046
--- /dev/null
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/
+++ TpmPlatformHierarchyLib.c
@@ -0,0 +1,214 @@
+/** @file+    TPM Platform Hierarchy configuration library.++    This library 
provides functions for customizing the TPM's Platform Hierarchy+    
Authorization Value (platformAuth) and Platform Hierarchy Authorization+    
Policy (platformPolicy) can be defined through this function.++    Copyright 
(c) 2019, Intel Corporation. All rights reserved.<BR>+    
SPDX-License-Identifier: BSD-2-Clause-Patent++    @par Specification 
Reference:+    
https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/+**/++#include
 <PiDxe.h>++#include <Library/DebugLib.h>+#include 
<Library/BaseMemoryLib.h>+#include 
<Library/UefiBootServicesTableLib.h>+#include 
<Library/MemoryAllocationLib.h>+#include <Library/Tpm2CommandLib.h>+#include 
<Library/RngLib.h>+#include <Library/UefiLib.h>+#include 
<Protocol/DxeSmmReadyToLock.h>++//+// The authorization value may be no larger 
than the digest produced by the hash+//   algorithm used for context 
integrity.+//+#define      MAX_NEW_AUTHORIZATION_SIZE 
SHA512_DIGEST_SIZE++UINT16       mAuthSize;++/**+  Generate high-quality 
entropy source through RDRAND.++  @param[in]   Length        Size of the 
buffer, in bytes, to fill with.+  @param[out]  Entropy       Pointer to the 
buffer to store the entropy data.++  @retval EFI_SUCCESS        Entropy 
generation succeeded.+  @retval EFI_NOT_READY      Failed to request random 
data.++**/+EFI_STATUS+EFIAPI+RdRandGenerateEntropy (+  IN UINTN         
Length,+  OUT UINT8        *Entropy+  )+{+  EFI_STATUS  Status;+  UINTN       
BlockCount;+  UINT64      Seed[2];+  UINT8       *Ptr;++  Status = 
EFI_NOT_READY;+  BlockCount = Length / 64;+  Ptr = (UINT8 *)Entropy;++  //+  // 
Generate high-quality seed for DRBG Entropy+  //+  while (BlockCount > 0) {+    
Status = GetRandomNumber128 (Seed);+    if (EFI_ERROR (Status)) {+      return 
Status;+    }+    CopyMem (Ptr, Seed, 64);++    BlockCount--;+    Ptr = Ptr + 
64;+  }++  //+  // Populate the remained data as request.+  //+  Status = 
GetRandomNumber128 (Seed);+  if (EFI_ERROR (Status)) {+    return Status;+  }+  
CopyMem (Ptr, Seed, (Length % 64));++  return Status;+}++/**+  This function 
returns the maximum size of TPM2B_AUTH; this structure is used for an 
authorization value+  and limits an authValue to being no larger than the 
largest digest produced by a TPM.++  @param[out] AuthSize                 Tpm2 
Auth size++  @retval EFI_SUCCESS                  Auth size returned.+  @retval 
EFI_DEVICE_ERROR             Can not return platform auth due to device 
error.++**/+EFI_STATUS+EFIAPI+GetAuthSize (+  OUT UINT16            *AuthSize+  
)+{+  EFI_STATUS            Status;+  TPML_PCR_SELECTION    Pcrs;+  UINTN       
          Index;+  UINT16                DigestSize;++  Status = EFI_SUCCESS;++ 
 while (mAuthSize == 0) {++    mAuthSize = SHA1_DIGEST_SIZE;+    ZeroMem 
(&Pcrs, sizeof (TPML_PCR_SELECTION));+    Status = Tpm2GetCapabilityPcrs 
(&Pcrs);++    if (EFI_ERROR (Status)) {+      DEBUG ((DEBUG_ERROR, 
"Tpm2GetCapabilityPcrs fail!\n"));+      break;+    }++    DEBUG ((DEBUG_ERROR, 
"Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));++    for (Index = 0; Index < 
Pcrs.count; Index++) {+      DEBUG ((DEBUG_ERROR, "alg - %x\n", 
Pcrs.pcrSelections[Index].hash));++      switch 
(Pcrs.pcrSelections[Index].hash) {+      case TPM_ALG_SHA1:+        DigestSize 
= SHA1_DIGEST_SIZE;+        break;+      case TPM_ALG_SHA256:+        
DigestSize = SHA256_DIGEST_SIZE;+        break;+      case TPM_ALG_SHA384:+     
   DigestSize = SHA384_DIGEST_SIZE;+        break;+      case TPM_ALG_SHA512:+  
      DigestSize = SHA512_DIGEST_SIZE;+        break;+      case 
TPM_ALG_SM3_256:+        DigestSize = SM3_256_DIGEST_SIZE;+        break;+      
default:+        DigestSize = SHA1_DIGEST_SIZE;+        break;+      }++      
if (DigestSize > mAuthSize) {+        mAuthSize = DigestSize;+      }+    }+    
break;+  }++  *AuthSize = mAuthSize;+  return Status;+}++/**+  Set PlatformAuth 
to random value.+**/+VOID+RandomizePlatformAuth (+  VOID+  )+{+  EFI_STATUS     
                   Status;+  UINT16                            AuthSize;+  
UINT8                             *Rand;+  UINTN                             
RandSize;+  TPM2B_AUTH                        NewPlatformAuth;++  //+  // Send 
Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being null+  
//++  GetAuthSize (&AuthSize);++  ZeroMem (NewPlatformAuth.buffer, AuthSize);+  
NewPlatformAuth.size = AuthSize;++  //+  // Allocate one buffer to store random 
data.+  //+  RandSize = MAX_NEW_AUTHORIZATION_SIZE;+  Rand = AllocatePool 
(RandSize);++  RdRandGenerateEntropy (RandSize, Rand);+  CopyMem 
(NewPlatformAuth.buffer, Rand, AuthSize);++  FreePool (Rand);++  //+  // Send 
Tpm2HierarchyChangeAuth command with the new Auth value+  //+  Status = 
Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformAuth);+  DEBUG 
((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status));+  ZeroMem 
(NewPlatformAuth.buffer, AuthSize);+  ZeroMem (Rand, RandSize);+}++/**+   This 
service defines the configuration of the Platform Hierarchy Authorization Value 
(platformAuth)+   and Platform Hierarchy Authorization Policy 
(platformPolicy)++**/+VOID+EFIAPI+ConfigureTpmPlatformHierarchy (+  )+{+  //+  
// Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth being 
null+  //+  RandomizePlatformAuth ();+}diff --git 
a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
 
b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.inf
new file mode 100644
index 000000000000..0911bdffa01f
--- /dev/null
+++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/
+++ TpmPlatformHierarchyLib.inf
@@ -0,0 +1,45 @@
+### @file+#+#   TPM Platform Hierarchy configuration library.+#+#   This 
library provides functions for customizing the TPM's Platform Hierarchy+#   
Authorization Value (platformAuth) and Platform Hierarchy Authorization+#   
Policy (platformPolicy) can be defined through this function.+#+# Copyright (c) 
2019, Intel Corporation. All rights reserved.<BR>+#+# SPDX-License-Identifier: 
BSD-2-Clause-Patent+#+###++[Defines]+  INF_VERSION                    = 
0x00010005+  BASE_NAME                      = TpmPlatformHierarchyLib+  
FILE_GUID                      = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73+  
MODULE_TYPE                    = DXE_DRIVER+  VERSION_STRING                 = 
1.0+  LIBRARY_CLASS                  = 
TpmPlatformHierarchyLib++[LibraryClasses]+  MemoryAllocationLib+  BaseLib+  
UefiBootServicesTableLib+  UefiDriverEntryPoint+  BaseMemoryLib+  DebugLib+  
Tpm2CommandLib+  Tpm2DeviceLib+  RngLib+  UefiLib++[Packages]+  
MdePkg/MdePkg.dec+  MdeModulePkg/MdeModulePkg.dec+  
SecurityPkg/SecurityPkg.dec+  CryptoPkg/CryptoPkg.dec++[Sources]+  
TpmPlatformHierarchyLib.c++[Depex]+  gEfiTcg2ProtocolGuid-- 
2.22.0.windows.1
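
Review bot: in TpmPlatformHierarchyLib.h, the comment on ConfigureTpmPlatformHierarchy says the service performs the configuration "at the SmmReadyToLock event", but nothing in this patch registers for that event; the implementation in the .c file just calls RandomizePlatformAuth whenever it is invoked. Since the point of the call is to avoid platformAuth being left null, the timing is the caller's responsibility and the comment should say so, for example "The caller is expected to invoke this at SmmReadyToLock". The file header sentence "This library provides functions for customizing ... can be defined through this function" also does not parse and is repeated in the .c and .inf headers; it is worth rewording once and copying.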
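
Review bot: in TpmPlatformHierarchyLib.c, RdRandGenerateEntropy declares UINT64 Seed[2], which is 16 bytes, but works in 64-byte blocks: BlockCount = Length / 64 and CopyMem (Ptr, Seed, 64) read 48 bytes past the end of Seed on every iteration, and the tail CopyMem (Ptr, Seed, (Length % 64)) can read up to 63 bytes from the same 16-byte array. With RandSize = MAX_NEW_AUTHORIZATION_SIZE (SHA512_DIGEST_SIZE), only the first 16 bytes of Rand come from GetRandomNumber128 and the rest is whatever sits next to Seed on the stack, so the new platformAuth has far less entropy than its length suggests. Use sizeof (Seed) for the division, the copy length, the pointer advance and the remainder. In RandomizePlatformAuth, the final ZeroMem (Rand, RandSize) writes to a buffer that FreePool (Rand) has already released; clear it before freeing. The same function ignores the results of GetAuthSize, AllocatePool and RdRandGenerateEntropy, so a failed allocation or a failed RDRAND request still ends with Tpm2HierarchyChangeAuth being sent; check each one and return before the TPM command. Smaller points: ConfigureTpmPlatformHierarchy is defined with an empty parameter list while the header declares it with VOID, Protocol/DxeSmmReadyToLock.h is included but unused, and the informational messages in GetAuthSize are logged at DEBUG_ERROR.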
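
Review bot: in TpmPlatformHierarchyLib.inf, [LibraryClasses] lists UefiDriverEntryPoint, but this INF builds a library instance (LIBRARY_CLASS = TpmPlatformHierarchyLib) and the .c file in this patch defines no module entry point; please drop it. UefiBootServicesTableLib and UefiLib are listed as well, although the .c hunk only includes their headers and makes no visible call into either, so they can go unless the second patch needs them. LIBRARY_CLASS also carries no module-type list; if the library is only meant for DXE drivers, stating that after the class name keeps it from being linked into other module types by accident.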

