Adding @Jeremiah<mailto:jere...@microsoft.com>…
Jeremiah, weren’t you or @Michael<mailto:michael.kuba...@microsoft.com> shopping this change to MinPlatform? - Bret From: Stefan Berger via groups.io<mailto:stefanb=linux.ibm....@groups.io> Sent: Monday, July 26, 2021 7:48 AM To: Yao, Jiewen<mailto:jiewen....@intel.com>; devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: Marc-André Lureau<mailto:marcandre.lur...@redhat.com> Subject: [EXTERNAL] [edk2-devel] Missing TPM 2 related call to Tpm2HierarchyChangeAuth Hello! The TPM 2 code in EDK2 is missing an important call to Tpm2HierarchyChangeAuth for the platform hierarchy. We have to set the password of that hierarchy and discard the password. See also specs section 11: https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrustedcomputinggroup.org%2Fwp-content%2Fuploads%2FTCG_PCClient_PFP_r1p05_v22_02dec2020.pdf&data=04%7C01%7Cbret.barkelew%40microsoft.com%7Cf2a2262eee2c44b3760c08d95044601a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637629077356686202%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=N7VQIw87rHqUAFQ54TvhNwcsPFEwJzdZQ9JZrmX1S4E%3D&reserved=0 "Platform Firmware MUST protect access to the Platform Hierarchy and prevent access to the platform hierarchy by non-manufacturer-controlled components. " I was wondering where we could put that call so it's invoked after the user has possibly interacted with the menu and before passing control to the next stage such as boot loader. Regards, Stefan -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78230): https://edk2.groups.io/g/devel/message/78230 Mute This Topic: https://groups.io/mt/84485285/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
