Hi Bret
I saw a failure on the PR - https://github.com/tianocore/edk2/pull/2066

Thank you

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bret
> Barkelew
> Sent: Thursday, October 14, 2021 1:33 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen....@intel.com>; Wang, Jian J <jian.j.w...@intel.com>;
> Zhang, Qi1 <qi1.zh...@intel.com>; Kumar, Rahul1 <rahul1.ku...@intel.com>
> Subject: [edk2-devel] [PATCH v2 1/1] SecurityPkg/Library: Add
> Tpm2NvUndefineSpaceSpecial to Tpm2CommandLib
> 
> Used to provision and maintain certain HW-defined NV spaces.
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2994
> 
> Signed-off-by: Bret Barkelew <bret.barke...@microsoft.com>
> Reviewed-by: Jiewen Yao <jiewen....@intel.com>
> Cc: Jiewen Yao <jiewen....@intel.com>
> Cc: Jian J Wang <jian.j.w...@intel.com>
> Cc: Qi Zhang <qi1.zh...@intel.com>
> Cc: Rahul Kumar <rahul1.ku...@intel.com>
> ---
>  SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c | 122
> ++++++++++++++++++++
>  SecurityPkg/Include/Library/Tpm2CommandLib.h       |  22 ++++
>  2 files changed, 144 insertions(+)
> 
> diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> index 87572de20164..275cb1683f51 100644
> --- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> +++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2NVStorage.c
> @@ -24,6 +24,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #define RC_NV_UndefineSpace_authHandle      (TPM_RC_H + TPM_RC_1)
> 
>  #define RC_NV_UndefineSpace_nvIndex         (TPM_RC_H + TPM_RC_2)
> 
> 
> 
> +#define RC_NV_UndefineSpaceSpecial_nvIndex  (TPM_RC_H + TPM_RC_1)
> 
> +
> 
>  #define RC_NV_Read_authHandle               (TPM_RC_H + TPM_RC_1)
> 
>  #define RC_NV_Read_nvIndex                  (TPM_RC_H + TPM_RC_2)
> 
>  #define RC_NV_Read_size                     (TPM_RC_P + TPM_RC_1)
> 
> @@ -74,6 +76,20 @@ typedef struct {
>    TPMS_AUTH_RESPONSE         AuthSession;
> 
>  } TPM2_NV_UNDEFINESPACE_RESPONSE;
> 
> 
> 
> +typedef struct {
> 
> +  TPM2_COMMAND_HEADER       Header;
> 
> +  TPMI_RH_NV_INDEX          NvIndex;
> 
> +  TPMI_RH_PLATFORM          Platform;
> 
> +  UINT32                    AuthSessionSize;
> 
> +  TPMS_AUTH_COMMAND         AuthSession;
> 
> +} TPM2_NV_UNDEFINESPACESPECIAL_COMMAND;
> 
> +
> 
> +typedef struct {
> 
> +  TPM2_RESPONSE_HEADER       Header;
> 
> +  UINT32                     AuthSessionSize;
> 
> +  TPMS_AUTH_RESPONSE         AuthSession;
> 
> +} TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE;
> 
> +
> 
>  typedef struct {
> 
>    TPM2_COMMAND_HEADER       Header;
> 
>    TPMI_RH_NV_AUTH           AuthHandle;
> 
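Review bot: `TPM2_NV_UNDEFINESPACESPECIAL_COMMAND` reserves room for a single `TPMS_AUTH_COMMAND`, yet `Tpm2NvUndefineSpaceSpecial` in the next hunk marshals two sessions back to back starting at `&SendBuffer.AuthSession`. `CopyAuthSessionCommand` is not visible here, so the number of bytes each call writes is an assumption. If two sessions with large nonce/hmac fields can together exceed `sizeof (TPMS_AUTH_COMMAND)`, the second copy would write past the end of the stack buffer. Reserving space for both sessions, e.g. adding `TPMS_AUTH_COMMAND PlatAuthSession;` after `AuthSession`, would make the bound explicit. The context `typedef struct` that follows the added structs continues outside the hunk.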
> @@ -506,6 +522,112 @@ Done:
>    return Status;
> 
>  }
> 
> 
> 
> +/**
> 
> +  This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
> 
> +
> 
> +  @param[in]  NvIndex             The NV Index.
> 
> +  @param[in]  IndexAuthSession    Auth session context for the Index
> auth/policy
> 
> +  @param[in]  PlatAuthSession     Auth session context for the Platform
> auth/policy
> 
> +
> 
> +  @retval EFI_SUCCESS             Operation completed successfully.
> 
> +  @retval EFI_NOT_FOUND           The command was returned successfully, but
> NvIndex is not found.
> 
> +  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deletion
> through this call.
> 
> +  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current
> policy session.
> 
> +  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
> 
> +  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
> 
> +**/
> 
> +EFI_STATUS
> 
> +EFIAPI
> 
> +Tpm2NvUndefineSpaceSpecial (
> 
> +  IN      TPMI_RH_NV_INDEX          NvIndex,
> 
> +  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
> 
> +  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
> 
> +  )
> 
> +{
> 
> +  EFI_STATUS                              Status;
> 
> +  TPM2_NV_UNDEFINESPACESPECIAL_COMMAND    SendBuffer;
> 
> +  TPM2_NV_UNDEFINESPACESPECIAL_RESPONSE   RecvBuffer;
> 
> +  UINT32                                  SendBufferSize;
> 
> +  UINT32                                  RecvBufferSize;
> 
> +  UINT8                                   *Buffer;
> 
> +  UINT32                                  IndexAuthSize, PlatAuthSize;
> 
> +  TPM_RC                                  ResponseCode;
> 
> +
> 
> +  //
> 
> +  // Construct command
> 
> +  //
> 
> +  SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);
> 
> +  SendBuffer.Header.commandCode =
> SwapBytes32(TPM_CC_NV_UndefineSpaceSpecial);
> 
> +
> 
> +  SendBuffer.NvIndex = SwapBytes32 (NvIndex);
> 
> +  SendBuffer.Platform = SwapBytes32 (TPM_RH_PLATFORM);
> 
> +
> 
> +  //
> 
> +  // Marshall the Auth Sessions for the two handles.
> 
> +  Buffer = (UINT8 *)&SendBuffer.AuthSession;
> 
> +  // IndexAuthSession
> 
> +  IndexAuthSize = CopyAuthSessionCommand (IndexAuthSession, Buffer);
> 
> +  Buffer += IndexAuthSize;
> 
> +  // PlatAuthSession
> 
> +  PlatAuthSize = CopyAuthSessionCommand (PlatAuthSession, Buffer);
> 
> +  Buffer += PlatAuthSize;
> 
> +  // AuthSessionSize
> 
> +  SendBuffer.AuthSessionSize = SwapBytes32(IndexAuthSize + PlatAuthSize);
> 
> +
> 
> +  // Update total command size.
> 
> +  SendBufferSize = (UINT32)(Buffer - (UINT8 *)&SendBuffer);
> 
> +  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);
> 
> +
> 
> +  //
> 
> +  // send Tpm command
> 
> +  //
> 
> +  RecvBufferSize = sizeof (RecvBuffer);
> 
> +  Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer,
> &RecvBufferSize, (UINT8 *)&RecvBuffer);
> 
> +  if (EFI_ERROR (Status)) {
> 
> +    goto Done;
> 
> +  }
> 
> +
> 
> +  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {
> 
> +    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - RecvBufferSize
> Error - %x\n", RecvBufferSize));
> 
> +    Status = EFI_DEVICE_ERROR;
> 
> +    goto Done;
> 
> +  }
> 
> +
> 
> +  ResponseCode = SwapBytes32(RecvBuffer.Header.responseCode);
> 
> +  if (ResponseCode != TPM_RC_SUCCESS) {
> 
> +    DEBUG ((EFI_D_ERROR, "Tpm2NvUndefineSpaceSpecial - responseCode -
>  %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));
> 
> +  }
> 
> +  switch (ResponseCode) {
> 
> +  case TPM_RC_SUCCESS:
> 
> +    // return data
> 
> +    break;
> 
> +  case TPM_RC_ATTRIBUTES:
> 
> +  case TPM_RC_ATTRIBUTES + RC_NV_UndefineSpaceSpecial_nvIndex:
> 
> +    Status = EFI_UNSUPPORTED;
> 
> +    break;
> 
> +  case TPM_RC_NV_AUTHORIZATION:
> 
> +    Status = EFI_SECURITY_VIOLATION;
> 
> +    break;
> 
> +  case TPM_RC_HANDLE + RC_NV_UndefineSpaceSpecial_nvIndex: //
> TPM_RC_NV_DEFINED:
> 
> +    Status = EFI_NOT_FOUND;
> 
> +    break;
> 
> +  case TPM_RC_VALUE + RC_NV_UndefineSpace_nvIndex:
> 
> +    Status = EFI_INVALID_PARAMETER;
> 
> +    break;
> 
> +  default:
> 
> +    Status = EFI_DEVICE_ERROR;
> 
> +    break;
> 
> +  }
> 
> +
> 
> +Done:
> 
> +  //
> 
> +  // Clear AuthSession Content
> 
> +  //
> 
> +  ZeroMem (&SendBuffer, sizeof(SendBuffer));
> 
> +  ZeroMem (&RecvBuffer, sizeof(RecvBuffer));
> 
> +  return Status;
> 
> +}
> 
> +
> 
>  /**
> 
>    This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
> 
> 
> 
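Review bot: The `TPM_RC_VALUE` case in the response switch is keyed on `RC_NV_UndefineSpace_nvIndex` (`TPM_RC_H + TPM_RC_2`), while the other handle-qualified cases in this function use the new `RC_NV_UndefineSpaceSpecial_nvIndex` (`TPM_RC_H + TPM_RC_1`) that the first hunk adds for this command. This looks like a carry-over from `Tpm2NvUndefineSpace`. As written, a value error reported against the NV index handle would presumably fall through to `default` and return `EFI_DEVICE_ERROR` instead of the documented `EFI_INVALID_PARAMETER`. Suggested: `case TPM_RC_VALUE + RC_NV_UndefineSpaceSpecial_nvIndex:`. The trailing `// TPM_RC_NV_DEFINED:` comment on the `TPM_RC_HANDLE` case also does not match the `EFI_NOT_FOUND` mapping and could be dropped or reworded.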
> diff --git a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> index ee8eb622951c..92967662ce96 100644
> --- a/SecurityPkg/Include/Library/Tpm2CommandLib.h
> +++ b/SecurityPkg/Include/Library/Tpm2CommandLib.h
> @@ -364,6 +364,28 @@ Tpm2NvUndefineSpace (
>    IN      TPMS_AUTH_COMMAND         *AuthSession OPTIONAL
> 
>    );
> 
> 
> 
> +/**
> 
> +  This command allows removal of a platform-created NV Index that has
> TPMA_NV_POLICY_DELETE SET.
> 
> +
> 
> +  @param[in]  NvIndex             The NV Index.
> 
> +  @param[in]  IndexAuthSession    Auth session context for the Index
> auth/policy
> 
> +  @param[in]  PlatAuthSession     Auth session context for the Platform
> auth/policy
> 
> +
> 
> +  @retval EFI_SUCCESS             Operation completed successfully.
> 
> +  @retval EFI_NOT_FOUND           The command was returned successfully, but
> NvIndex is not found.
> 
> +  @retval EFI_UNSUPPORTED         Selected NvIndex does not support deletion
> through this call.
> 
> +  @retval EFI_SECURITY_VIOLATION  Deletion is not authorized by current
> policy session.
> 
> +  @retval EFI_INVALID_PARAMETER   The command was unsuccessful.
> 
> +  @retval EFI_DEVICE_ERROR        The command was unsuccessful.
> 
> +**/
> 
> +EFI_STATUS
> 
> +EFIAPI
> 
> +Tpm2NvUndefineSpaceSpecial (
> 
> +  IN      TPMI_RH_NV_INDEX          NvIndex,
> 
> +  IN      TPMS_AUTH_COMMAND         *IndexAuthSession OPTIONAL,
> 
> +  IN      TPMS_AUTH_COMMAND         *PlatAuthSession OPTIONAL
> 
> +  );
> 
> +
> 
>  /**
> 
>    This command reads a value from an area in NV memory previously defined by
> TPM2_NV_DefineSpace().
> 
> 
> 
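Review bot: The header comment does not say what a NULL `IndexAuthSession` or `PlatAuthSession` means, although both are marked `OPTIONAL`, and it gives `EFI_INVALID_PARAMETER` and `EFI_DEVICE_ERROR` the identical text "The command was unsuccessful." Since the summary ties this call to indices with TPMA_NV_POLICY_DELETE set, callers need to know which session is expected to carry the policy authorization and what is sent when a pointer is omitted. I would extend the two `@param` lines to state the NULL behaviour and distinguish the retvals, e.g. `@retval EFI_INVALID_PARAMETER  The TPM rejected the NvIndex value.` and `@retval EFI_DEVICE_ERROR  Malformed response or any other TPM error.` The same comment block is duplicated above the definition in Tpm2NVStorage.c and should be kept in sync.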
> --
> 2.31.1.windows.1
> 
> 
> 
> 


