From: chris.chiang@intel.com
To: devel@edk2.groups.io
Cc: Chiang-Chris, Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong
Subject: [edk2-devel] [PATCH v1] MinPlatformPkg: Remove PeiDxeTpmPlatformHierarchyLib
Date: Mon, 4 Dec 2023 16:50:35 +0800
Message-ID: <20231204085035.1438-1-chris.chiang@intel.com>

From: Chiang-Chris

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4612

Remove PeiDxeTpmPlatformHierarchyLib in Tcg/Library

Signed-off-by: Chiang-Chris
Cc: Chasel Chiu
Cc: Nate DeSimone
Cc: Liming Gao
Cc: Eric Dong
Reviewed-by: Chasel Chiu
--- Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc = | 2 +- Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc = | 2 +- Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc = | 1 - Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/Pe= iDxeTpmPlatformHierarchyLib.c | 266 -------------------- Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/Pe= iDxeTpmPlatformHierarchyLib.inf | 45 ---- 5 files changed, 2 insertions(+), 314 deletions(-) diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc b/Pla= tform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc index 260f3b94c5..b469938823 100644 --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreDxeLib.dsc 
@@ -66,7 +66,7 @@ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf =20 [LibraryClasses.common.DXE_DRIVER] - TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHier= archyLib/PeiDxeTpmPlatformHierarchyLib.inf + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLi= b/PeiDxeTpmPlatformHierarchyLib.inf =20 [LibraryClasses.common.DXE_SMM_DRIVER] SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableL= ib.inf diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc b/Pla= tform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc index 595f0ee490..7afbb2900f 100644 --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CorePeiLib.dsc @@ -52,7 +52,7 @@ Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibRouter/Tpm2DeviceLibRoute= rPei.inf HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRou= terPei.inf Tcg2PhysicalPresenceLib|SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/P= eiTcg2PhysicalPresenceLib.inf - TpmPlatformHierarchyLib|MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHier= archyLib/PeiDxeTpmPlatformHierarchyLib.inf + TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLi= b/PeiDxeTpmPlatformHierarchyLib.inf =20 FspMeasurementLib|IntelFsp2WrapperPkg/Library/BaseFspMeasurementLib/Base= FspMeasurementLib.inf FspWrapperPlatformMultiPhaseLib|IntelFsp2WrapperPkg/Library/BaseFspWrapp= erPlatformMultiPhaseLibNull/BaseFspWrapperPlatformMultiPhaseLibNull.inf diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/In= tel/MinPlatformPkg/MinPlatformPkg.dsc index 087fa48dd0..ee5d211128 100644 --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc 
@@ -203,7 +203,6 @@ MinPlatformPkg/Test/TestPointStubDxe/TestPointStubDxe.inf MinPlatformPkg/Test/TestPointDumpApp/TestPointDumpApp.inf =20 - MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatfo= rmHierarchyLib.inf MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf =20 diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHie= rarchyLib/PeiDxeTpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/T= cg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c deleted file mode 100644 index 9812ab99ab..0000000000 --- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyL= ib/PeiDxeTpmPlatformHierarchyLib.c +++ /dev/null @@ -1,266 +0,0 @@ -/** @file - TPM Platform Hierarchy configuration library. - - This library provides functions for customizing the TPM's Platform Hie= rarchy - Authorization Value (platformAuth) and Platform Hierarchy Authorization - Policy (platformPolicy) can be defined through this function. - - Copyright (c) 2019, Intel Corporation. All rights reserved.
- Copyright (c) Microsoft Corporation.
- SPDX-License-Identifier: BSD-2-Clause-Patent - - @par Specification Reference: - https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-g= uidance/ -**/ - -#include - -#include -#include -#include -#include -#include -#include -#include - -// -// The authorization value may be no larger than the digest produced by th= e hash -// algorithm used for context integrity. -// -#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE - -UINT16 mAuthSize; - -/** - Generate high-quality entropy source through RDRAND. - - @param[in] Length Size of the buffer, in bytes, to fill with. - @param[out] Entropy Pointer to the buffer to store the entropy da= ta. - - @retval EFI_SUCCESS Entropy generation succeeded. - @retval EFI_NOT_READY Failed to request random data. - -**/ -EFI_STATUS -EFIAPI -RdRandGenerateEntropy ( - IN UINTN Length, - OUT UINT8 *Entropy - ) -{ - EFI_STATUS Status; - UINTN BlockCount; - UINT64 Seed[2]; - UINT8 *Ptr; - - Status =3D EFI_NOT_READY; - BlockCount =3D Length / 64; - Ptr =3D (UINT8 *)Entropy; - - // - // Generate high-quality seed for DRBG Entropy - // - while (BlockCount > 0) { - Status =3D GetRandomNumber128 (Seed); - if (EFI_ERROR (Status)) { - return Status; - } - CopyMem (Ptr, Seed, 64); - - BlockCount--; - Ptr =3D Ptr + 64; - } - - // - // Populate the remained data as request. - // - Status =3D GetRandomNumber128 (Seed); - if (EFI_ERROR (Status)) { - return Status; - } - CopyMem (Ptr, Seed, (Length % 64)); - - return Status; -} - -/** - This function returns the maximum size of TPM2B_AUTH; this structure is = used for an authorization value - and limits an authValue to being no larger than the largest digest produ= ced by a TPM. - - @param[out] AuthSize Tpm2 Auth size - - @retval EFI_SUCCESS Auth size returned. - @retval EFI_DEVICE_ERROR Can not return platform auth due to= device error. 
- -**/ -EFI_STATUS -EFIAPI -GetAuthSize ( - OUT UINT16 *AuthSize - ) -{ - EFI_STATUS Status; - TPML_PCR_SELECTION Pcrs; - UINTN Index; - UINT16 DigestSize; - - Status =3D EFI_SUCCESS; - - while (mAuthSize =3D=3D 0) { - - mAuthSize =3D SHA1_DIGEST_SIZE; - ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION)); - Status =3D Tpm2GetCapabilityPcrs (&Pcrs); - - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); - break; - } - - DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count)); - - for (Index =3D 0; Index < Pcrs.count; Index++) { - DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash)); - - switch (Pcrs.pcrSelections[Index].hash) { - case TPM_ALG_SHA1: - DigestSize =3D SHA1_DIGEST_SIZE; - break; - case TPM_ALG_SHA256: - DigestSize =3D SHA256_DIGEST_SIZE; - break; - case TPM_ALG_SHA384: - DigestSize =3D SHA384_DIGEST_SIZE; - break; - case TPM_ALG_SHA512: - DigestSize =3D SHA512_DIGEST_SIZE; - break; - case TPM_ALG_SM3_256: - DigestSize =3D SM3_256_DIGEST_SIZE; - break; - default: - DigestSize =3D SHA1_DIGEST_SIZE; - break; - } - - if (DigestSize > mAuthSize) { - mAuthSize =3D DigestSize; - } - } - break; - } - - *AuthSize =3D mAuthSize; - return Status; -} - -/** - Set PlatformAuth to random value. -**/ -VOID -RandomizePlatformAuth ( - VOID - ) -{ - EFI_STATUS Status; - UINT16 AuthSize; - UINT8 *Rand; - UINTN RandSize; - TPM2B_AUTH NewPlatformAuth; - - // - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth= being null - // - - GetAuthSize (&AuthSize); - - ZeroMem (NewPlatformAuth.buffer, AuthSize); - NewPlatformAuth.size =3D AuthSize; - - // - // Allocate one buffer to store random data. 
- // - RandSize =3D MAX_NEW_AUTHORIZATION_SIZE; - Rand =3D AllocatePool (RandSize); - - RdRandGenerateEntropy (RandSize, Rand); - CopyMem (NewPlatformAuth.buffer, Rand, AuthSize); - - FreePool (Rand); - - // - // Send Tpm2HierarchyChangeAuth command with the new Auth value - // - Status =3D Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformA= uth); - DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)); - ZeroMem (NewPlatformAuth.buffer, AuthSize); - ZeroMem (Rand, RandSize); -} - -/** - Disable the TPM platform hierarchy. - - @retval EFI_SUCCESS The TPM was disabled successfully. - @retval Others An error occurred attempting to disable the = TPM platform hierarchy. - -**/ -EFI_STATUS -DisableTpmPlatformHierarchy ( - VOID - ) -{ - EFI_STATUS Status; - - // Make sure that we have use of the TPM. - Status =3D Tpm2RequestUseTpm (); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiC= allerBaseName, __FUNCTION__, Status)); - ASSERT_EFI_ERROR (Status); - return Status; - } - - // Let's do what we can to shut down the hierarchies. - - // Disable the PH NV. - // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TP= M parts have - // been known to store the EK cert in the PH NV. If we d= isable it, the - // EK cert will be unreadable. - - // Disable the PH. - Status =3D Tpm2HierarchyControl ( - TPM_RH_PLATFORM, // AuthHandle - NULL, // AuthSession - TPM_RH_PLATFORM, // Hierarchy - NO // State - ); - DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH =3D %r\n", gEfiCallerBaseN= ame, __FUNCTION__, Status)); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! 
%r\n", gEfiCallerB= aseName, __FUNCTION__, Status)); - ASSERT_EFI_ERROR (Status); - } - - return Status; -} - -/** - This service defines the configuration of the Platform Hierarchy Author= ization Value (platformAuth) - and Platform Hierarchy Authorization Policy (platformPolicy) - -**/ -VOID -EFIAPI -ConfigureTpmPlatformHierarchy ( - ) -{ - if (PcdGetBool (PcdRandomizePlatformHierarchy)) { - // - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAu= th being null - // - RandomizePlatformAuth (); - } else { - // - // Disable the hierarchy entirely (do not randomize it) - // - DisableTpmPlatformHierarchy (); - } -} diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHie= rarchyLib/PeiDxeTpmPlatformHierarchyLib.inf b/Platform/Intel/MinPlatformPkg= /Tcg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf deleted file mode 100644 index b7a7fb0a08..0000000000 --- a/Platform/Intel/MinPlatformPkg/Tcg/Library/PeiDxeTpmPlatformHierarchyL= ib/PeiDxeTpmPlatformHierarchyLib.inf +++ /dev/null @@ -1,45 +0,0 @@ -### @file -# -# TPM Platform Hierarchy configuration library. -# -# This library provides functions for customizing the TPM's Platform Hie= rarchy -# Authorization Value (platformAuth) and Platform Hierarchy Authorization -# Policy (platformPolicy) can be defined through this function. -# -# Copyright (c) 2019, Intel Corporation. All rights reserved.
-# Copyright (c) Microsoft Corporation.
-# -# SPDX-License-Identifier: BSD-2-Clause-Patent -# -### - -[Defines] - INF_VERSION =3D 0x00010005 - BASE_NAME =3D PeiDxeTpmPlatformHierarchyLib - FILE_GUID =3D 7794F92C-4E8E-4E57-9E4A-49A0764C7D73 - MODULE_TYPE =3D PEIM - VERSION_STRING =3D 1.0 - LIBRARY_CLASS =3D TpmPlatformHierarchyLib|PEIM DXE_DRIV= ER - -[LibraryClasses] - BaseLib - BaseMemoryLib - DebugLib - MemoryAllocationLib - PcdLib - RngLib - Tpm2CommandLib - Tpm2DeviceLib - -[Packages] - MdePkg/MdePkg.dec - MdeModulePkg/MdeModulePkg.dec - SecurityPkg/SecurityPkg.dec - CryptoPkg/CryptoPkg.dec - MinPlatformPkg/MinPlatformPkg.dec - -[Sources] - PeiDxeTpmPlatformHierarchyLib.c - -[Pcd] - gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy --=20 2.43.0.windows.1
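
Review bot: the subject and commit message describe only a removal, but the CoreDxeLib.dsc and CorePeiLib.dsc hunks also repoint the TpmPlatformHierarchyLib class from the MinPlatformPkg instance to SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib, so every platform including these files gets different code for setting platformAuth or disabling the platform hierarchy. Please state the switch in the commit message, and confirm there that the SecurityPkg instance covers both module types the deleted INF declared (LIBRARY_CLASS = TpmPlatformHierarchyLib|PEIM DXE_DRIVER), since it is now mapped under both the PEI include and [LibraryClasses.common.DXE_DRIVER].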
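
Review bot: the deleted PeiDxeTpmPlatformHierarchyLib.c carries memory-safety and error-handling defects that the commit message should record as part of the reason for the swap. In RandomizePlatformAuth() the AllocatePool() result is used without a NULL check and ZeroMem (Rand, RandSize) runs after FreePool (Rand); in RdRandGenerateEntropy() each block is copied with CopyMem (Ptr, Seed, 64) from UINT64 Seed[2], which holds 16 bytes; and the return values of GetAuthSize() and RdRandGenerateEntropy() are ignored before the buffer is sent with Tpm2HierarchyChangeAuth(). Noting whether the SecurityPkg replacement has these addressed makes the change in platformAuth generation a reviewed behaviour change rather than a side effect of the cleanup.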
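
Review bot: the deleted INF's [Pcd] section and ConfigureTpmPlatformHierarchy() show that gMinPlatformPkgTokenSpaceGuid.PcdRandomizePlatformHierarchy chose between randomizing platformAuth and disabling the platform hierarchy, yet the diffstat lists no .dec change, so the token stays declared after its consumer here is gone. Either remove the declaration in this patch or name the PCD that now controls the choice; if the SecurityPkg library reads a different token, a platform DSC that still sets the MinPlatformPkg one would build cleanly and no longer influence how the TPM platform hierarchy is handled.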