From: Rodrigo Gonzalez del Cueto
To: devel@edk2.groups.io
Cc: Rodrigo Gonzalez del Cueto, Michael Kubacki, Chasel Chiu, Nate DeSimone, Liming Gao
Subject: [edk2-devel] [edk2-platforms][Patch V2] MinPlatformPkg: Library for customizing TPM platform auth
Date: Mon, 11 Nov 2019 01:42:30 -0800
Message-Id: <20191111094230.6414-1-rodrigo.gonzalez.del.cueto@intel.com>

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2331

In V2:
+ Kept callback function and registration in Tcg2PlatformDxe module.
+ New library defining API function: TpmPlatformAuthReadyToBootHandler for configuring the TPM's Platform Hierarchy. This is now called through Tcg2PlatformDxe's ReadyToLockEventCallBack.
+ Ported GetAuthSize fix to both Tcg2PlatformPei and MinPlatform's TpmPlatformAuthLib instance.

In order to enable some TPM use cases, BIOS should enable customization of the configuration of the TPM platform, provisioning of endorsement, platform and storage hierarchy.

Cc: Michael Kubacki
Cc: Chasel Chiu
Cc: Nate DeSimone
Cc: Liming Gao
Signed-off-by: Rodrigo Gonzalez del Cueto --- .../Include/Library/TpmPlatformAuthLib.h | 24 ++ .../Intel/MinPlatformPkg/MinPlatformPkg.dec | 2 + .../Intel/MinPlatformPkg/MinPlatformPkg.dsc | 5 +- .../TpmPlatformAuthLib/TpmPlatformAuthLib.c | 229 ++++++++++++++++++ .../TpmPlatformAuthLib/TpmPlatformAuthLib.inf | 49 ++++ .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c | 161 ++---------- .../Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf | 6 +- .../Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c | 100 +++++--- 8 files changed, 402 insertions(+), 174 deletions(-) create mode 100644 Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatfo= rmAuthLib.h create mode 100644 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAu= thLib/TpmPlatformAuthLib.c create mode 100644 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAu= thLib/TpmPlatformAuthLib.inf diff --git a/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformAuthL= ib.h b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformAuthLib.h new file mode 100644 index 00000000..f33b67b0 --- /dev/null +++ b/Platform/Intel/MinPlatformPkg/Include/Library/TpmPlatformAuthLib.h @@ -0,0 +1,24 @@ +/** @file + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _TPM_PLATFORM_AUTH_LIB_H_ +#define _TPM_PLATFORM_AUTH_LIB_H_ + +#include +#include + +/** + This service will perform the TPM Platform Auth configuration at the Re= adyToBoot event. + +**/ +VOID +EFIAPI +TpmPlatformAuthReadyToBootHandler ( + VOID + ); + +#endif diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec b/Platform/In= tel/MinPlatformPkg/MinPlatformPkg.dec index a851021c..fc5979db 100644 --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dec @@ -62,6 +62,8 @@ BoardInitLib|Include/Library/BoardInitLib.h MultiBoardInitSupportLib|Include/Library/MultiBoardInitSupportLib.h SecBoardInitLib|Include/Library/SecBoardInitLib.h =20 +TpmPlatformAuthLib|Include/Library/TpmPlatformAuthLib.h + TestPointLib|Include/Library/TestPointLib.h TestPointCheckLib|Include/Library/TestPointCheckLib.h =20 diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/In= tel/MinPlatformPkg/MinPlatformPkg.dsc index 5f9363ff..fbfd1e5d 100644 --- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc @@ -185,7 +185,10 @@ =20 !if gMinPlatformPkgTokenSpaceGuid.PcdTpm2Enable =3D=3D TRUE MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf - MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf + MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf { + + TpmPlatformAuthLib|MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/TpmPl= atformAuthLib.inf + } !endif =20 [BuildOptions] diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/T= pmPlatformAuthLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatform= AuthLib/TpmPlatformAuthLib.c new file mode 100644 index 00000000..8ac780e1 --- /dev/null +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/TpmPlatf= ormAuthLib.c 
@@ -0,0 +1,229 @@ +/** @file + TPM Platform Auth configuration library. + + Copyright (c) 2019, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + + @par Specification Reference: + https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-g= uidance/ +**/ + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +// +// The authorization value may be no larger than the digest produced by th= e hash +// algorithm used for context integrity. +// +#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE + +/** + Generate high-quality entropy source through RDRAND. + + @param[in] Length Size of the buffer, in bytes, to fill with. + @param[out] Entropy Pointer to the buffer to store the entropy da= ta. + + @retval EFI_SUCCESS Entropy generation succeeded. + @retval EFI_NOT_READY Failed to request random data. + +**/ +EFI_STATUS +EFIAPI +RdRandGenerateEntropy ( + IN UINTN Length, + OUT UINT8 *Entropy + ) +{ + EFI_STATUS Status; + UINTN BlockCount; + UINT64 Seed[2]; + UINT8 *Ptr; + + Status =3D EFI_NOT_READY; + BlockCount =3D Length / 64; + Ptr =3D (UINT8 *)Entropy; + + // + // Generate high-quality seed for DRBG Entropy + // + while (BlockCount > 0) { + Status =3D GetRandomNumber128 (Seed); + if (EFI_ERROR (Status)) { + return Status; + } + CopyMem (Ptr, Seed, 64); + + BlockCount--; + Ptr =3D Ptr + 64; + } + + // + // Populate the remained data as request. + // + Status =3D GetRandomNumber128 (Seed); + if (EFI_ERROR (Status)) { + return Status; + } + CopyMem (Ptr, Seed, (Length % 64)); + + return Status; +} + +/** + This function returns the maximum size of TPM2B_AUTH; this structure is = used for an authorization value + and limits an authValue to being no larger than the largest digest produ= ced by a TPM. + + @param[out] AuthSize Tpm2 Auth size + + @retval EFI_SUCCESS Auth size returned. + @retval EFI_DEVICE_ERROR Can not return platform auth due to= device error. 
+ +**/ +EFI_STATUS +EFIAPI +GetAuthSize ( + OUT UINT16 *AuthSize + ) +{ + EFI_STATUS Status; + TPML_PCR_SELECTION Pcrs; + UINTN Index; + UINT16 DigestSize; + + Status =3D EFI_SUCCESS; + + while (mAuthSize =3D=3D 0) { + + mAuthSize =3D SHA1_DIGEST_SIZE; + ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION)); + Status =3D Tpm2GetCapabilityPcrs (&Pcrs); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); + break; + } + + DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count)); + + for (Index =3D 0; Index < Pcrs.count; Index++) { + DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash)); + + switch (Pcrs.pcrSelections[Index].hash) { + case TPM_ALG_SHA1: + DigestSize =3D SHA1_DIGEST_SIZE; + break; + case TPM_ALG_SHA256: + DigestSize =3D SHA256_DIGEST_SIZE; + break; + case TPM_ALG_SHA384: + DigestSize =3D SHA384_DIGEST_SIZE; + break; + case TPM_ALG_SHA512: + DigestSize =3D SHA512_DIGEST_SIZE; + break; + case TPM_ALG_SM3_256: + DigestSize =3D SM3_256_DIGEST_SIZE; + break; + default: + DigestSize =3D SHA1_DIGEST_SIZE; + break; + } + + if (DigestSize > mAuthSize) { + mAuthSize =3D DigestSize; + } + } + break; + } + + *AuthSize =3D mAuthSize; + return Status; +} + +/** + Set PlatformAuth to random value. +**/ +VOID +RandomizePlatformAuth ( + VOID + ) +{ + EFI_STATUS Status; + UINT16 AuthSize; + UINT32 Index; + UINT8 *Rand; + UINTN RandSize; + TPM2B_AUTH NewPlatformAuth; + + // + // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth= being null + // + + GetAuthSize (&AuthSize); + + ZeroMem (NewPlatformAuth.buffer, AuthSize); + NewPlatformAuth.size =3D AuthSize; + + // + // Allocate one buffer to store random data. 
+ // + RandSize =3D MAX_NEW_AUTHORIZATION_SIZE; + Rand =3D AllocatePool (RandSize); + + RdRandGenerateEntropy (RandSize, Rand); + CopyMem (NewPlatformAuth.buffer, Rand, AuthSize); + + FreePool (Rand); + + // + // Send Tpm2HierarchyChangeAuth command with the new Auth value + // + Status =3D Tpm2HierarchyChangeAuth (TPM_RH_PLATFORM, NULL, &NewPlatformA= uth); + DEBUG ((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)); + ZeroMem (NewPlatformAuth.buffer, AuthSize); + ZeroMem (Rand, RandSize); +} + +/** + This service defines the configuration of the Platform Hierarchy Author= ization Value (platformAuth) + and Platform Hierarchy Authorization Policy (platformPolicy) + +**/ +VOID +EFIAPI +TpmPlatformAuthReadyToBootHandler ( + ) +{ + EFI_STATUS Status; + VOID *Interface; + + // + // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth= being null + // + RandomizePlatformAuth (); +} + +/** + The library constructor. + + @param ImageHandle The firmware allocated handle for the EFI image. + @param SystemTable A pointer to the EFI System Table. + + @retval EFI_SUCCESS The function always return EFI_SUCCESS. +**/ +EFI_STATUS +EFIAPI +TpmPlatformAuthLibContructor ( + ) +{ + return EFI_SUCCESS; +} diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/T= pmPlatformAuthLib.inf b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatfo= rmAuthLib/TpmPlatformAuthLib.inf new file mode 100644 index 00000000..8a36f35e --- /dev/null +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformAuthLib/TpmPlatf= ormAuthLib.inf @@ -0,0 +1,49 @@ +### @file +# +# TPM Platform Auth configuration library. +# +# Copyright (c) 2019, Intel Corporation. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +### + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D TpmPlatformAuthLib + FILE_GUID =3D 7794F92C-4E8E-4E57-9E4A-49A0764C7D73 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D TpmPlatformAuthLib + CONSTRUCTOR =3D TpmPlatformAuthLibContructor + +[LibraryClasses] + MemoryAllocationLib + BaseLib + UefiBootServicesTableLib + UefiDriverEntryPoint + UefiRuntimeServicesTableLib + BaseMemoryLib + DebugLib + Tpm2CommandLib + Tpm2DeviceLib + RngLib + UefiLib + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[Sources] + TpmPlatformAuthLib.c + +[Protocols] + gEfiDxeSmmReadyToLockProtocolGuid ## SOMETIMES_CONSUMES ## N= OTIFY + +[Guids] + gEfiEventExitBootServicesGuid ## SOMETIMES_CONSUMES ## E= vent + +[Depex] + gEfiTcg2ProtocolGuid diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2Platform= Dxe.c b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c index d0d88b2e..8fb5725c 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c +++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.c @@ -1,8 +1,8 @@ /** @file - Platform specific TPM2 component. + Platform specific TPM2 component for configuring the Platform Hierarchy. =20 -Copyright (c) 2017, Intel Corporation. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent + Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ =20 
@@ -13,138 +13,15 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include -#include -#include #include +#include #include =20 -#define MAX_NEW_AUTHORIZATION_SIZE SHA512_DIGEST_SIZE - /** - Generate high-quality entropy source through RDRAND. - - @param[in] Length Size of the buffer, in bytes, to fill with. - @param[out] Entropy Pointer to the buffer to store the entropy da= ta. - - @retval EFI_SUCCESS Entropy generation succeeded. - @retval EFI_NOT_READY Failed to request random data. - -**/ -EFI_STATUS -EFIAPI -RdRandGenerateEntropy ( - IN UINTN Length, - OUT UINT8 *Entropy - ) -{ - EFI_STATUS Status; - UINTN BlockCount; - UINT64 Seed[2]; - UINT8 *Ptr; + This callback function will run at the ReadyToLock event. =20 - Status =3D EFI_NOT_READY; - BlockCount =3D Length / 64; - Ptr =3D (UINT8 *)Entropy; - - // - // Generate high-quality seed for DRBG Entropy - // - while (BlockCount > 0) { - Status =3D GetRandomNumber128(Seed); - if (EFI_ERROR(Status)) { - return Status; - } - CopyMem(Ptr, Seed, 64); - - BlockCount--; - Ptr =3D Ptr + 64; - } - - // - // Populate the remained data as request. - // - Status =3D GetRandomNumber128(Seed); - if (EFI_ERROR(Status)) { - return Status; - } - CopyMem(Ptr, Seed, (Length % 64)); - - return Status; -} - -/** - Set PlatformAuth to random value. 
-**/ -VOID -RandomizePlatformAuth ( - VOID - ) -{ - EFI_STATUS Status; - UINT16 AuthSize; - TPML_PCR_SELECTION Pcrs; - UINT32 Index; - UINT8 *Rand; - UINTN RandSize; - TPM2B_AUTH NewPlatformAuth; - - // - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth= being null - // - ZeroMem(&Pcrs, sizeof(TPML_PCR_SELECTION)); - AuthSize =3D MAX_NEW_AUTHORIZATION_SIZE; - - Status =3D Tpm2GetCapabilityPcrs(&Pcrs); - if (EFI_ERROR(Status)) { - DEBUG((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); - } else { - for (Index =3D 0; Index < Pcrs.count; Index++) { - switch (Pcrs.pcrSelections[Index].hash) { - case TPM_ALG_SHA1: - AuthSize =3D SHA1_DIGEST_SIZE; - break; - case TPM_ALG_SHA256: - AuthSize =3D SHA256_DIGEST_SIZE; - break; - case TPM_ALG_SHA384: - AuthSize =3D SHA384_DIGEST_SIZE; - break; - case TPM_ALG_SHA512: - AuthSize =3D SHA512_DIGEST_SIZE; - break; - case TPM_ALG_SM3_256: - AuthSize =3D SM3_256_DIGEST_SIZE; - break; - } - } - } - - ZeroMem(NewPlatformAuth.buffer, AuthSize); - NewPlatformAuth.size =3D AuthSize; - - // - // Allocate one buffer to store random data. - // - RandSize =3D MAX_NEW_AUTHORIZATION_SIZE; - Rand =3D AllocatePool(RandSize); - - RdRandGenerateEntropy(RandSize, Rand); - CopyMem(NewPlatformAuth.buffer, Rand, AuthSize); - - FreePool(Rand); - - // - // Send Tpm2HierarchyChangeAuth command with the new Auth value - // - Status =3D Tpm2HierarchyChangeAuth(TPM_RH_PLATFORM, NULL, &NewPlatformAu= th); - DEBUG((DEBUG_INFO, "Tpm2HierarchyChangeAuth Result: - %r\n", Status)); - ZeroMem(NewPlatformAuth.buffer, AuthSize); - ZeroMem(Rand, RandSize); -} - -/** - This is the Event call back function to notify the Library the system is= entering - run time phase. + Configuration of the TPM's Platform Hierarchy Authorization Value (plat= formAuth) + and Platform Hierarchy Authorization Policy (platformPolicy) can be def= ined through this function. =20 @param Event Pointer to this event @param Context Event hanlder private data 
@@ -172,22 +49,20 @@ ReadyToLockEventCallBack ( return ; } =20 - // - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth= being null - // - RandomizePlatformAuth(); + TpmPlatformAuthReadyToBootHandler (); =20 gBS->CloseEvent (Event); } =20 /** - The driver's entry point. + The driver's entry point. Will register a function for callback during = ReadyToLock event to + configure the TPM's platform authorization. =20 - @param[in] ImageHandle The firmware allocated handle for the EFI image. - @param[in] SystemTable A pointer to the EFI System Table. + @param[in] ImageHandle The firmware allocated handle for the EFI image. + @param[in] SystemTable A pointer to the EFI System Table. =20 - @retval EFI_SUCCESS The entry point is executed successfully. - @retval other Some error occurs when executing this entry poin= t. + @retval EFI_SUCCESS The entry point is executed successfully. + @retval other Some error occurs when executing this entry poi= nt. **/ EFI_STATUS EFIAPI @@ -196,17 +71,19 @@ Tcg2PlatformDxeEntryPoint ( IN EFI_SYSTEM_TABLE *SystemTable ) { - VOID *Registration; - EFI_EVENT Event; + VOID *Registration; + EFI_EVENT Event; =20 - Event =3D EfiCreateProtocolNotifyEvent ( + Event =3D EfiCreateProtocolNotifyEvent ( &gEfiDxeSmmReadyToLockProtocolGuid, TPL_CALLBACK, ReadyToLockEventCallBack, NULL, &Registration ); + ASSERT (Event !=3D NULL); =20 return EFI_SUCCESS; } + diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2Platform= Dxe.inf b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe= .inf index e8ab5f35..921f7ac6 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf +++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf 
@@ -28,16 +28,14 @@ UefiRuntimeServicesTableLib BaseMemoryLib DebugLib - Tpm2CommandLib - Tpm2DeviceLib - RngLib UefiLib + TpmPlatformAuthLib =20 [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec + MinPlatformPkg/MinPlatformPkg.dec SecurityPkg/SecurityPkg.dec - CryptoPkg/CryptoPkg.dec =20 [Sources] Tcg2PlatformDxe.c diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2Platform= Pei.c b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c index 3a2d7d31..c52547e4 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c +++ b/Platform/Intel/MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.c @@ -1,7 +1,8 @@ /** @file + Platform specific TPM2 component for configuring the Platform Hierarch= y. =20 -Copyright (c) 2017, Intel Corporation. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent + Copyright (c) 2017 - 2019, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ =20 
@@ -72,52 +73,97 @@ RdRandGenerateEntropy ( } =20 /** - Set PlatformAuth to random value. + This function returns the maximum size of TPM2B_AUTH; this structure is = used for an authorization value + and limits an authValue to being no larger than the largest digest produ= ced by a TPM. + + @param[out] AuthSize Tpm2 Auth size + + @retval EFI_SUCCESS Auth size returned. + @retval EFI_DEVICE_ERROR Can not return platform auth due to= device error. + **/ -VOID -RandomizePlatformAuth ( - VOID +EFI_STATUS +EFIAPI +GetAuthSize ( + OUT UINT16 *AuthSize ) { - EFI_STATUS Status; - UINT16 AuthSize; - TPML_PCR_SELECTION Pcrs; - UINT32 Index; - UINT8 *Rand; - UINTN RandSize; - TPM2B_AUTH NewPlatformAuth; + EFI_STATUS Status; + TPML_PCR_SELECTION Pcrs; + UINTN Index; + UINT16 DigestSize; =20 - // - // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth= being null - // - ZeroMem(&Pcrs, sizeof(TPML_PCR_SELECTION)); - AuthSize =3D MAX_NEW_AUTHORIZATION_SIZE; + Status =3D EFI_SUCCESS; + + while (mAuthSize =3D=3D 0) { + + mAuthSize =3D SHA1_DIGEST_SIZE; + ZeroMem (&Pcrs, sizeof (TPML_PCR_SELECTION)); + Status =3D Tpm2GetCapabilityPcrs (&Pcrs); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); + break; + } + + DEBUG ((DEBUG_ERROR, "Tpm2GetCapabilityPcrs - %08x\n", Pcrs.count)); =20 - Status =3D Tpm2GetCapabilityPcrs(&Pcrs); - if (EFI_ERROR(Status)) { - DEBUG((EFI_D_ERROR, "Tpm2GetCapabilityPcrs fail!\n")); - } else { for (Index =3D 0; Index < Pcrs.count; Index++) { + DEBUG ((DEBUG_ERROR, "alg - %x\n", Pcrs.pcrSelections[Index].hash)); + switch (Pcrs.pcrSelections[Index].hash) { case TPM_ALG_SHA1: - AuthSize =3D SHA1_DIGEST_SIZE; + DigestSize =3D SHA1_DIGEST_SIZE; break; case TPM_ALG_SHA256: - AuthSize =3D SHA256_DIGEST_SIZE; + DigestSize =3D SHA256_DIGEST_SIZE; break; case TPM_ALG_SHA384: - AuthSize =3D SHA384_DIGEST_SIZE; + DigestSize =3D SHA384_DIGEST_SIZE; break; case TPM_ALG_SHA512: - AuthSize =3D SHA512_DIGEST_SIZE; + 
DigestSize =3D SHA512_DIGEST_SIZE; break; case TPM_ALG_SM3_256: - AuthSize =3D SM3_256_DIGEST_SIZE; + DigestSize =3D SM3_256_DIGEST_SIZE; + break; + default: + DigestSize =3D SHA1_DIGEST_SIZE; break; } + + if (DigestSize > mAuthSize) { + mAuthSize =3D DigestSize; + } } + break; } =20 + *AuthSize =3D mAuthSize; + return Status; +} + +/** + Set PlatformAuth to random value. +**/ +VOID +RandomizePlatformAuth ( + VOID + ) +{ + EFI_STATUS Status; + UINT16 AuthSize; + UINT32 Index; + UINT8 *Rand; + UINTN RandSize; + TPM2B_AUTH NewPlatformAuth; + + // + // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth= being null + // + + GetAuthSize (&AuthSize); + ZeroMem(NewPlatformAuth.buffer, AuthSize); NewPlatformAuth.size =3D AuthSize; =20 --=20 2.22.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#50368): https://edk2.groups.io/g/devel/message/50368 Mute This Topic: https://groups.io/mt/52588899/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
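
Review bot: In RdRandGenerateEntropy (TpmPlatformAuthLib.c) the block size does not match the buffer it copies from: Seed is declared as UINT64 Seed[2], which is 16 bytes, but BlockCount is Length / 64 and each iteration does CopyMem (Ptr, Seed, 64). With RandSize set to MAX_NEW_AUTHORIZATION_SIZE (SHA512_DIGEST_SIZE, 64 bytes) that is a single iteration reading 48 bytes past the end of Seed, so most of the new platformAuth comes from adjacent stack contents rather than from GetRandomNumber128. Suggest using sizeof (Seed) for the divisor and the copy length, Length % sizeof (Seed) for the tail, and skipping the final GetRandomNumber128 call when the remainder is zero. The copy removed from Tcg2PlatformDxe.c has the same arithmetic, so this is carried over rather than new, and the RdRandGenerateEntropy named in the Tcg2PlatformPei.c hunk header is worth checking for the same problem.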
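
Review bot: GetAuthSize in TpmPlatformAuthLib.c caches a fallback value on the error path: mAuthSize is set to SHA1_DIGEST_SIZE before Tpm2GetCapabilityPcrs is called, so when that call fails the function returns the error once and every later call skips the loop and returns EFI_SUCCESS with the SHA1 size. Suggest computing the size in a local and storing it in mAuthSize only after Tpm2GetCapabilityPcrs succeeds. Related points in the same function: no declaration of mAuthSize is visible in this new file, so please confirm a file-scope definition initialised to 0 exists; the "while (mAuthSize == 0) { ... break; }" construct runs at most once and reads more clearly as an if; the header comment documents EFI_DEVICE_ERROR but the code returns whatever Tpm2GetCapabilityPcrs returned; and the two prints of Pcrs.count and the hash algorithm are informational and should use DEBUG_INFO rather than DEBUG_ERROR.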
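
Review bot: RandomizePlatformAuth in TpmPlatformAuthLib.c ends with FreePool (Rand) followed later by ZeroMem (Rand, RandSize), which writes to pool memory that has already been freed and means the random bytes are not scrubbed at the point the buffer is released; move the ZeroMem (Rand, RandSize) to just before FreePool (Rand). The function also ignores the results of GetAuthSize, AllocatePool and RdRandGenerateEntropy: a NULL Rand is passed straight to RdRandGenerateEntropy and CopyMem, and if entropy generation fails Tpm2HierarchyChangeAuth is still sent with whatever the buffer held. Suggest returning early with a DEBUG_ERROR message on any of these failures so the platform hierarchy auth is never set from an unfilled buffer. Index is declared but no longer used here.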
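
Review bot: TpmPlatformAuthReadyToBootHandler in TpmPlatformAuthLib.c is defined with an empty parameter list "( )" while TpmPlatformAuthLib.h declares it with "VOID"; make the definition match the prototype. Its locals Status and Interface are declared and never used. The name and the header comment say the work happens at ReadyToBoot, but Tcg2PlatformDxe.c calls it from ReadyToLockEventCallBack, which is registered on gEfiDxeSmmReadyToLockProtocolGuid; either rename the function or correct the comment so it is clear that platformAuth is randomized at ReadyToLock. TpmPlatformAuthLibContructor also has an empty parameter list although its comment documents ImageHandle and SystemTable, and the name is misspelled (Contructor, repeated in the CONSTRUCTOR entry of the INF). Since it only returns EFI_SUCCESS, dropping the constructor altogether is the simplest fix.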
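
Review bot: TpmPlatformAuthLib.inf lists dependencies that the library source in this patch does not use: UefiDriverEntryPoint, UefiBootServicesTableLib, UefiRuntimeServicesTableLib and UefiLib under [LibraryClasses], gEfiDxeSmmReadyToLockProtocolGuid under [Protocols] and gEfiEventExitBootServicesGuid under [Guids]. The V2 notes say the callback and its registration stay in Tcg2PlatformDxe, so these look like leftovers from the driver's INF and should be removed. [Packages] also omits MinPlatformPkg/MinPlatformPkg.dec, which is where this patch declares the TpmPlatformAuthLib class and its header; add it so the library's own header resolves through its package declaration.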
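
Review bot: In Tcg2PlatformDxeEntryPoint the new ASSERT (Event != NULL) is the only check on the result of EfiCreateProtocolNotifyEvent. ASSERT is typically disabled in release builds, in which case a failed registration still returns EFI_SUCCESS with no callback installed and platformAuth is left unchanged without any indication. Suggest logging at DEBUG_ERROR and returning an error status when Event is NULL, in addition to the ASSERT. The hunk also adds a stray blank line at the end of the file.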
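
Review bot: The GetAuthSize added to Tcg2PlatformPei.c is a copy of the one in TpmPlatformAuthLib.c, including the mAuthSize cache, and a writable module global is a concern in a PEIM: if the module executes in place from flash before permanent memory is available, the store to mAuthSize does not persist and the "mAuthSize == 0" test never sees the cached value. Since RandomizePlatformAuth calls GetAuthSize once, a local variable is enough in the PEI version. The comments made on the library copy apply here as well (fallback cached on failure, DEBUG_ERROR used for informational prints), the return value of GetAuthSize is ignored at the call site, and Index in RandomizePlatformAuth is unused now that the loop has moved. Consider keeping a single shared implementation of the digest-size selection instead of two copies that can drift apart.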