Reviewed-by: Michael Kubacki <michael.a.kuba...@intel.com>

> -----Original Message-----
> From: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cu...@intel.com>
> Sent: Thursday, November 14, 2019 1:05 PM
> To: devel@edk2.groups.io.
> Cc: Gonzalez Del Cueto, Rodrigo <rodrigo.gonzalez.del.cu...@intel.com>;
> Kubacki, Michael A <michael.a.kuba...@intel.com>; Chiu, Chasel
> <chasel.c...@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desim...@intel.com>; Gao, Liming <liming....@intel.com>
> Subject: [edk2-platforms][Patch V5 1/2] MinPlatformPkg: Library for
> customizing TPM platform hierarchy
>
> BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2331
>
> In V5:
> + Fixed build of MinPlatformPkg
>
> This change is split into two commits:
> 1) This commit: Add new library class TpmPlatformHierarchyLib
> 2) Second commit: Add usage in Tcg2PlatformDxe
>
> In order to enable some TPM use cases BIOS should enable to customize the
> configuration of the TPM platform, provisioning of endorsement, platform
> and storage hierarchy.
>
> Cc: Michael Kubacki <michael.a.kuba...@intel.com>
> Cc: Chasel Chiu <chasel.c...@intel.com>
> Cc: Nate DeSimone <nathaniel.l.desim...@intel.com>
> Cc: Liming Gao <liming....@intel.com>
>
> Signed-off-by: Rodrigo Gonzalez del Cueto
> <rodrigo.gonzalez.del.cu...@intel.com>
> ---
> .../Include/Library/TpmPlatformHierarchyLib.h | 29 +++
> .../Intel/MinPlatformPkg/MinPlatformPkg.dec | 2 +
> .../Intel/MinPlatformPkg/MinPlatformPkg.dsc | 1 +
> .../TpmPlatformHierarchyLib.c | 214 ++++++++++++++++++
> .../TpmPlatformHierarchyLib.inf | 45 ++++
> 5 files changed, 291 insertions(+)
> create mode 100644
> Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib.h
> create mode 100644
> Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPl
> atformHierarchyLib.c
> create mode 100644
> Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPl
> atformHierarchyLib.inf
> > diff --git > a/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib. > h > b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchyLib. > h > new file mode 100644 > index 000000000000..ed9709b24a73 > --- /dev/null > +++ > b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformHierarchy > +++ Lib.h > @@ -0,0 +1,29 @@ > +/** @file+ TPM Platform Hierarchy configuration library.++ This library > provides functions for customizing the TPM's Platform Hierarchy+ > Authorization Value (platformAuth) and Platform Hierarchy Authorization+ > Policy (platformPolicy) can be defined through this function.++Copyright (c) > 2019, Intel Corporation. All rights reserved.<BR>+SPDX-License-Identifier: > BSD-2-Clause-Patent++**/++#ifndef > _TPM_PLATFORM_HIERARCHY_LIB_H_+#define > _TPM_PLATFORM_HIERARCHY_LIB_H_++#include <PiDxe.h>+#include > <Uefi.h>++/**+ This service will perform the TPM Platform Hierarchy > configuration at the SmmReadyToLock > event.++**/+VOID+EFIAPI+ConfigureTpmPlatformHierarchy (+ VOID+ > );++#endifdiff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > index a851021c0b79..92bda3784ffc 100644 > --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec > @@ -62,6 +62,8 @@ BoardInitLib|Include/Library/BoardInitLib.h > MultiBoardInitSupportLib|Include/Library/MultiBoardInitSupportLib.h > SecBoardInitLib|Include/Library/SecBoardInitLib.h > +TpmPlatformHierarchyLib|Include/Library/TpmPlatformHierarchyLib.h+ > TestPointLib|Include/Library/TestPointLib.h > TestPointCheckLib|Include/Library/TestPointCheckLib.h diff --git > a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > index 5f9363ff3228..a01f229a891d 100644 > --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc > +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc 
> @@ -102,6 +102,7 @@ > > FspWrapperPlatformLib|MinPlatformPkg/FspWrapper/Library/DxeFspWrap > perPlatformLib/DxeFspWrapperPlatformLib.inf > TestPointCheckLib|MinPlatformPkg/Test/Library/TestPointCheckLib/DxeTes > tPointCheckLib.inf > TestPointLib|MinPlatformPkg/Test/Library/TestPointLib/DxeTestPointLib.inf > + > TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/TpmPlatformHierarc > hyLib/TpmPlatformHierarchyLib.inf > [LibraryClasses.common.DXE_SMM_DRIVER] > SpiFlashCommonLib|MinPlatformPkg/Flash/Library/SpiFlashCommonLibNull/ > SpiFlashCommonLibNull.infdiff --git > a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp > mPlatformHierarchyLib.c > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp > mPlatformHierarchyLib.c > new file mode 100644 > index 000000000000..41ddb26f4046 > --- /dev/null > +++ > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/ > +++ TpmPlatformHierarchyLib.c 
> @@ -0,0 +1,214 @@ > +/** @file+ TPM Platform Hierarchy configuration library.++ This library > provides functions for customizing the TPM's Platform Hierarchy+ > Authorization Value (platformAuth) and Platform Hierarchy Authorization+ > Policy (platformPolicy) can be defined through this function.++ Copyright > (c) 2019, Intel Corporation. All rights reserved.<BR>+ SPDX-License- > Identifier: BSD-2-Clause-Patent++ @par Specification Reference:+ > https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning- > guidance/+**/++#include <PiDxe.h>++#include > <Library/DebugLib.h>+#include <Library/BaseMemoryLib.h>+#include > <Library/UefiBootServicesTableLib.h>+#include > <Library/MemoryAllocationLib.h>+#include > <Library/Tpm2CommandLib.h>+#include <Library/RngLib.h>+#include > <Library/UefiLib.h>+#include <Protocol/DxeSmmReadyToLock.h>++//+// > The authorization value may be no larger than the digest produced by the > hash+// algorithm used for context integrity.+//+#define > MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE++UINT16 > mAuthSize;++/**+ Generate high-quality entropy source through > RDRAND.++ @param[in] Length Size of the buffer, in bytes, to fill > with.+ > @param[out] Entropy Pointer to the buffer to store the entropy data.++ > @retval EFI_SUCCESS Entropy generation succeeded.+ @retval > EFI_NOT_READY Failed to request random > data.++**/+EFI_STATUS+EFIAPI+RdRandGenerateEntropy (+ IN UINTN > Length,+ OUT UINT8 *Entropy+ )+{+ EFI_STATUS Status;+ UINTN > BlockCount;+ UINT64 Seed[2];+ UINT8 *Ptr;++ Status = > EFI_NOT_READY;+ BlockCount = Length / 64;+ Ptr = (UINT8 *)Entropy;++ > //+ // Generate high-quality seed for DRBG Entropy+ //+ while (BlockCount > > 0) {+ Status = GetRandomNumber128 (Seed);+ if (EFI_ERROR (Status)) > {+ return Status;+ }+ CopyMem (Ptr, Seed, 64);++ BlockCount--;+ > Ptr > = Ptr + 64;+ }++ //+ // Populate the remained data as request.+ //+ > Status > = GetRandomNumber128 (Seed);+ if (EFI_ERROR (Status)) {+ return > Status;+ }+ 
CopyMem (Ptr, Seed, (Length % 64));++ return Status;+}++/**+ > This function returns the maximum size of TPM2B_AUTH; this structure is > used for an authorization value+ and limits an authValue to being no larger > than the largest digest produced by a TPM.++ @param[out] AuthSize > Tpm2 Auth size++ @retval EFI_SUCCESS Auth size returned.+ > @retval EFI_DEVICE_ERROR Can not return platform auth due to > device error.++**/+EFI_STATUS+EFIAPI+GetAuthSize (+ OUT UINT16 > *AuthSize+ )+{+ EFI_STATUS Status;+ TPML_PCR_SELECTION Pcrs;+ > UINTN Index;+ UINT16 DigestSize;++ Status = > EFI_SUCCESS;++ while (mAuthSize == 0) {++ mAuthSize = > SHA1_DIGEST_SIZE;+ ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION));+ > Status = Tpm2GetCapabilityPcrs (&Pcrs);++ if (EFI_ERROR (Status)) {+ > DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n"));+ break;+ }++ > DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count));++ > for (Index = 0; Index < Pcrs.count; Index++) {+ DEBUG ((DEBUG_ERROR, > "alg - %x\n", Pcrs.pcrSelections[Index].hash));++ switch > (Pcrs.pcrSelections[Index].hash) {+ case TPM_ALG_SHA1:+ DigestSize > = SHA1_DIGEST_SIZE;+ break;+ case TPM_ALG_SHA256:+ > DigestSize = SHA256_DIGEST_SIZE;+ break;+ case TPM_ALG_SHA384:+ > DigestSize = SHA384_DIGEST_SIZE;+ break;+ case TPM_ALG_SHA512:+ > DigestSize = SHA512_DIGEST_SIZE;+ break;+ case > TPM_ALG_SM3_256:+ DigestSize = SM3_256_DIGEST_SIZE;+ break;+ > default:+ DigestSize = SHA1_DIGEST_SIZE;+ break;+ }++ > if > (DigestSize > mAuthSize) {+ mAuthSize = DigestSize;+ }+ }+ > break;+ > }++ *AuthSize = mAuthSize;+ return Status;+}++/**+ Set PlatformAuth to > random value.+**/+VOID+RandomizePlatformAuth (+ VOID+ )+{+ > EFI_STATUS Status;+ UINT16 > AuthSize;+ UINT8 > *Rand;+ UINTN RandSize;+ TPM2B_AUTH > NewPlatformAuth;++ //+ // Send Tpm2HierarchyChange Auth with random > value to avoid PlatformAuth being null+ //++ GetAuthSize (&AuthSize);++ > ZeroMem (NewPlatformAuth.buffer, AuthSize);+ NewPlatformAuth.size = > AuthSize;++ //+ 
// Allocate one buffer to store random data.+ //+ RandSize > = MAX_NEW_AUTHORIZATION_SIZE;+ Rand = AllocatePool (RandSize);++ > RdRandGenerateEntropy (RandSize, Rand);+ CopyMem > (NewPlatformAuth.buffer, Rand, AuthSize);++ FreePool (Rand);++ //+ // > Send Tpm2HierarchyChangeAuth command with the new Auth value+ //+ > Status = Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, > &NewPlatformAuth);+ DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth > Result: - %r\n", Status));+ ZeroMem (NewPlatformAuth.buffer, AuthSize);+ > ZeroMem (Rand, RandSize);+}++/**+ This service defines the configuration > of the Platform Hierarchy Authorization Value (platformAuth)+ and Platform > Hierarchy Authorization Policy > (platformPolicy)++**/+VOID+EFIAPI+ConfigureTpmPlatformHierarchy (+ > )+{+ //+ // Send Tpm2HierarchyChange Auth with random value to avoid > PlatformAuth being null+ //+ RandomizePlatformAuth ();+}diff --git > a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp > mPlatformHierarchyLib.inf > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tp > mPlatformHierarchyLib.inf > new file mode 100644 > index 000000000000..0911bdffa01f > --- /dev/null > +++ > b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/ > +++ TpmPlatformHierarchyLib.inf 
> @@ -0,0 +1,45 @@ > +### @file+#+# TPM Platform Hierarchy configuration library.+#+# This > library provides functions for customizing the TPM's Platform Hierarchy+# > Authorization Value (platformAuth) and Platform Hierarchy Authorization+# > Policy (platformPolicy) can be defined through this function.+#+# Copyright > (c) 2019, Intel Corporation. All rights reserved.<BR>+#+# SPDX-License- > Identifier: BSD-2-Clause-Patent+#+###++[Defines]+ INF_VERSION > = 0x00010005+ BASE_NAME = TpmPlatformHierarchyLib+ > FILE_GUID = 7794F92C-4E8E-4E57-9E4A-49A0764C7D73+ > MODULE_TYPE = DXE_DRIVER+ VERSION_STRING > = 1.0+ > LIBRARY_CLASS = TpmPlatformHierarchyLib++[LibraryClasses]+ > MemoryAllocationLib+ BaseLib+ UefiBootServicesTableLib+ > UefiDriverEntryPoint+ BaseMemoryLib+ DebugLib+ Tpm2CommandLib+ > Tpm2DeviceLib+ RngLib+ UefiLib++[Packages]+ MdePkg/MdePkg.dec+ > MdeModulePkg/MdeModulePkg.dec+ SecurityPkg/SecurityPkg.dec+ > CryptoPkg/CryptoPkg.dec++[Sources]+ > TpmPlatformHierarchyLib.c++[Depex]+ gEfiTcg2ProtocolGuid-- > 2.22.0.windows.1
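
Review bot: The function comment for ConfigureTpmPlatformHierarchy in TpmPlatformHierarchyLib.h promises more than the code delivers: it says the service performs the configuration "at the SmmReadyToLock event", but the implementation in this patch only calls RandomizePlatformAuth () and registers no event or protocol notify, so the timing depends entirely on the caller. Suggest rewording the comment to state that the caller must invoke the function from its SmmReadyToLock handling, so a platform that calls it earlier or not at all does not assume platformAuth has been set. The @file description ("provides functions for customizing ... can be defined through this function") is also an incomplete sentence and is repeated in the .c and .inf headers; and PiDxe.h and Uefi.h are both included although the header declares only one VOID function.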
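
Review bot: RdRandGenerateEntropy in TpmPlatformHierarchyLib.c copies more bytes out of Seed than Seed holds: Seed is declared as UINT64 Seed[2] (16 bytes, filled by GetRandomNumber128), yet the loop does CopyMem (Ptr, Seed, 64) with BlockCount = Length / 64, and the tail copies Length % 64 bytes. Each 64-byte block therefore contains 16 bytes of random data followed by 48 bytes read from whatever sits next to Seed on the stack, and with RandSize = MAX_NEW_AUTHORIZATION_SIZE (SHA512_DIGEST_SIZE) the new platformAuth is mostly not random. Suggest working in sizeof (Seed) units: BlockCount = Length / sizeof (Seed), CopyMem (Ptr, Seed, sizeof (Seed)), Ptr += sizeof (Seed), and a tail of Length % sizeof (Seed). RngLib declares GetRandomNumber128 as returning BOOLEAN, so storing it in an EFI_STATUS and testing EFI_ERROR (Status) never detects a failure; test the BOOLEAN and return EFI_NOT_READY on FALSE. In RandomizePlatformAuth, ZeroMem (Rand, RandSize) runs after FreePool (Rand) and so writes to freed memory; clear the buffer before freeing it. The AllocatePool result is not checked for NULL, and the return values of GetAuthSize and RdRandGenerateEntropy are discarded, so on failure Tpm2HierarchyChangeAuth would be sent with a non-random value; check each one and return without changing the auth. The informational messages in GetAuthSize ("Tpm2GetCapabilityPcrs - %08x", "alg - %x") are logged at DEBUG_ERROR and would fit DEBUG_INFO better, and the definition of ConfigureTpmPlatformHierarchy has an empty parameter list where the header declares VOID.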
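
Review bot: The [LibraryClasses] section of TpmPlatformHierarchyLib.inf lists UefiDriverEntryPoint, but this INF describes a library instance (LIBRARY_CLASS is set) and TpmPlatformHierarchyLib.c defines no driver entry point, so the dependency should be dropped. BaseLib and Tpm2DeviceLib also have no matching #include in the .c file, and in [Packages] MdeModulePkg.dec and CryptoPkg.dec appear unused by the headers the source includes; suggest trimming the lists to what the code needs so the library does not pull extra packages into every platform that links it. The .c file also includes Protocol/DxeSmmReadyToLock.h without using anything from it in the visible code.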