The main commit of the series Bret mentioned (in edk2-platforms) is here:
https://github.com/tianocore/edk2-platforms/commit/bfabeef4c9a63374784bd19f18a869aa2769e011
Regards,
Michael
On 7/27/2021 12:25 PM, Yao, Jiewen wrote:
Oops. Sorry for late response.
The code is NOT in EDKII, but EDKII-platform as example.
https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel/MinPlatformPkg/Tcg
<https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel/MinPlatformPkg/Tcg>
We allow a platform having its own implementation. That is why it is NOT
in EDKII.
Thank you
Yao Jiewen
*From:* devel@edk2.groups.io <devel@edk2.groups.io> *On Behalf Of *Bret
Barkelew via groups.io
*Sent:* Wednesday, July 28, 2021 12:11 AM
*To:* devel@edk2.groups.io; stef...@linux.ibm.com; Yao, Jiewen
<jiewen....@intel.com>; Jeremiah Cox <jere...@microsoft.com>; Michael
Kubacki <michael.kuba...@microsoft.com>
*Cc:* Marc-André Lureau <marcandre.lur...@redhat.com>
*Subject:* Re: [EXTERNAL] [edk2-devel] Missing TPM 2 related call to
Tpm2HierarchyChangeAuth
Adding @Jeremiah <mailto:jere...@microsoft.com>…
Jeremiah, weren’t you or @Michael <mailto:michael.kuba...@microsoft.com>
shopping this change to MinPlatform?
- Bret
*From: *Stefan Berger via groups.io <mailto:stefanb=linux.ibm....@groups.io>
*Sent: *Monday, July 26, 2021 7:48 AM
*To: *Yao, Jiewen <mailto:jiewen....@intel.com>; devel@edk2.groups.io
<mailto:devel@edk2.groups.io>
*Cc: *Marc-André Lureau <mailto:marcandre.lur...@redhat.com>
*Subject: *[EXTERNAL] [edk2-devel] Missing TPM 2 related call to
Tpm2HierarchyChangeAuth
Hello!
The TPM 2 code in EDK2 is missing an important call to
Tpm2HierarchyChangeAuth for the platform hierarchy. We have to set the
password of that hierarchy and discard the password. See also specs
section 11:
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrustedcomputinggroup.org%2Fwp-content%2Fuploads%2FTCG_PCClient_PFP_r1p05_v22_02dec2020.pdf&data=04%7C01%7Cbret.barkelew%40microsoft.com%7Cf2a2262eee2c44b3760c08d95044601a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637629077356686202%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=N7VQIw87rHqUAFQ54TvhNwcsPFEwJzdZQ9JZrmX1S4E%3D&reserved=0
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrustedcomputinggroup.org%2Fwp-content%2Fuploads%2FTCG_PCClient_PFP_r1p05_v22_02dec2020.pdf&data=04%7C01%7Cbret.barkelew%40microsoft.com%7Cf2a2262eee2c44b3760c08d95044601a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637629077356686202%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=N7VQIw87rHqUAFQ54TvhNwcsPFEwJzdZQ9JZrmX1S4E%3D&reserved=0>
"Platform Firmware MUST protect access to the Platform Hierarchy and
prevent access to the platform hierarchy by
non-manufacturer-controlled components. "
I was wondering where we could put that call so it's invoked after the
user has possibly interacted with the menu and before passing control to
the next stage such as boot loader.
Regards,
Stefan
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78288): https://edk2.groups.io/g/devel/message/78288
Mute This Topic: https://groups.io/mt/84485285/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
