From: "Michael Kubacki"
To: devel@edk2.groups.io
Cc: Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong
Subject: [edk2-devel] [edk2-platforms][PATCH v1 1/2] MinPlatformPkg: Add TpmPlatformHierarchyLib to Components in DSC
Date: Wed, 2 Jun 2021 18:38:17 -0700
Message-Id: <20210603013818.1248-2-mikuback@linux.microsoft.com>
In-Reply-To: <20210603013818.1248-1-mikuback@linux.microsoft.com>
References: <20210603013818.1248-1-mikuback@linux.microsoft.com>

From: Michael Kubacki

Adds TpmPlatformHierarchyLib to the [Components] section in
MinPlatformPkg.dsc so it is always built in the package build.

Cc: Chasel Chiu
Cc: Nate DeSimone
Cc: Liming Gao
Cc: Eric Dong
Signed-off-by: Michael Kubacki
---
 Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc b/Platform/In= tel/MinPlatformPkg/MinPlatformPkg.dsc index 35cbd40abb05..7e952dfaf300 100644
--- a/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc +++ b/Platform/Intel/MinPlatformPkg/MinPlatformPkg.dsc 
@@ -200,6 +200,7 @@ [Components] MinPlatformPkg/Test/TestPointStubDxe/TestPointStubDxe.inf MinPlatformPkg/Test/TestPointDumpApp/TestPointDumpApp.inf =20 + MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyL= ib.inf !if gMinPlatformPkgTokenSpaceGuid.PcdTpm2Enable =3D=3D TRUE MinPlatformPkg/Tcg/Tcg2PlatformPei/Tcg2PlatformPei.inf MinPlatformPkg/Tcg/Tcg2PlatformDxe/Tcg2PlatformDxe.inf --=20 2.28.0.windows.1
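Review bot: In the [Components] hunk of MinPlatformPkg.dsc, the new TpmPlatformHierarchyLib.inf entry sits above the "!if gMinPlatformPkgTokenSpaceGuid.PcdTpm2Enable == TRUE" guard while the Tcg2PlatformPei and Tcg2PlatformDxe entries below it are inside that guard, and nothing in the DSC says why. The commit message states the library should always be built in the package build, so the placement looks intended; a one-line comment above the entry saying it is built regardless of PcdTpm2Enable would keep a later cleanup from moving it under the conditional.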

From: "Michael Kubacki"
To: devel@edk2.groups.io
Cc: Michael Kubacki, Chasel Chiu, Nate DeSimone, Liming Gao, Eric Dong
Subject: [edk2-devel] [edk2-platforms][PATCH v1 2/2] MinPlatformPkg/TpmPlatformHierarchyLib: Disable TPM platform hierarchy
Date: Wed, 2 Jun 2021 18:38:18 -0700
Message-Id: <20210603013818.1248-3-mikuback@linux.microsoft.com>
In-Reply-To: <20210603013818.1248-1-mikuback@linux.microsoft.com>
References: <20210603013818.1248-1-mikuback@linux.microsoft.com>

From: Jeremiah Cox

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=3411

Updates the current ConfigureTpmPlatformHierarchy() implementation to
instruct the TPM to disable the platform hierarchy to prevent later
boot/OS code from accessing TPM platform features.

This modifies the current behavior which instead randomizes the
platform auth and then "forgets" it to prevent future platform
feature access.

Co-authored-by: Michael Kubacki
Cc: Chasel Chiu
Cc: Nate DeSimone
Cc: Liming Gao
Cc: Eric Dong
Signed-off-by: Michael Kubacki
---
 Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/TpmPlatformHierarchyLib.c | 51 ++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchy= Lib/TpmPlatformHierarchyLib.c b/Platform/Intel/MinPlatformPkg/Tcg/Library/T= pmPlatformHierarchyLib/TpmPlatformHierarchyLib.c index 41ddb26f4046..bc1dce9b1c51 100644 --- a/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tpm= PlatformHierarchyLib.c +++ b/Platform/Intel/MinPlatformPkg/Tcg/Library/TpmPlatformHierarchyLib/Tpm= PlatformHierarchyLib.c @@ -18,6 +18,7 @@ #include #include #include +#include #include #include #include 
@@ -197,6 +198,51 @@ RandomizePlatformAuth ( ZeroMem (Rand, RandSize); } =20 +/** + Disable the TPM platform hierarchy. + + @retval EFI_SUCCESS The TPM was disabled successfully. + @retval Others An error occurred attempting to disable the = TPM platform hierarchy. + +**/ +EFI_STATUS +DisableTpmPlatformHierarchy ( + VOID + ) +{ + EFI_STATUS Status; + + // Make sure that we have use of the TPM. + Status =3D Tpm2RequestUseTpm (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a:%a() - Tpm2RequestUseTpm Failed! %r\n", gEfiC= allerBaseName, __FUNCTION__, Status)); + ASSERT_EFI_ERROR (Status); + return Status; + } + + // Let's do what we can to shut down the hierarchies. + + // Disable the PH NV. + // IMPORTANT NOTE: We *should* be able to disable the PH NV here, but TP= M parts have + // been known to store the EK cert in the PH NV. If we d= isable it, the + // EK cert will be unreadable. + + // Disable the PH. + Status =3D Tpm2HierarchyControl ( + TPM_RH_PLATFORM, // AuthHandle + NULL, // AuthSession + TPM_RH_PLATFORM, // Hierarchy + NO // State + ); + DEBUG ((DEBUG_VERBOSE, "%a:%a() - Disable PH =3D %r\n", gEfiCallerBaseN= ame, __FUNCTION__, Status)); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a:%a() - Disable PH Failed! %r\n", gEfiCallerB= aseName, __FUNCTION__, Status)); + ASSERT_EFI_ERROR (Status); + } + + return Status; +} + /** This service defines the configuration of the Platform Hierarchy Author= ization Value (platformAuth) and Platform Hierarchy Authorization Policy (platformPolicy) 
@@ -211,4 +257,9 @@ ConfigureTpmPlatformHierarchy ( // Send Tpm2HierarchyChange Auth with random value to avoid PlatformAuth= being null // RandomizePlatformAuth (); + + // + // Disable the hierarchy entirely (do not randomize it) + // + DisableTpmPlatformHierarchy (); } --=20 2.28.0.windows.1
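Review bot: In the hunk that adds DisableTpmPlatformHierarchy(), the header comment says "@retval EFI_SUCCESS The TPM was disabled successfully", but the body only calls Tpm2HierarchyControl() with TPM_RH_PLATFORM and State NO, which turns off the platform hierarchy and not the TPM. Reword it to "The TPM platform hierarchy was disabled successfully" so it matches the function summary and the "Others" line. Two smaller points in the same function: ASSERT_EFI_ERROR (Status) on both failure paths halts a debug build whenever Tpm2RequestUseTpm() or Tpm2HierarchyControl() returns an error, which is worth confirming as the intended policy for a library that is now always built; and the "Disable the PH NV" comment introduces a step that is deliberately not performed, so it would read more clearly as a statement that PH NV is left enabled because the EK cert may be stored there.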
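Review bot: In the ConfigureTpmPlatformHierarchy() hunk, the new DisableTpmPlatformHierarchy () call is placed after the existing RandomizePlatformAuth () call, which contradicts the added comment "(do not randomize it)" and the commit message, which describes the randomize-and-forget behavior as the one being changed. The ordering also looks likely to make the disable fail: DisableTpmPlatformHierarchy() passes NULL as AuthSession to Tpm2HierarchyControl(), and by that point platformAuth has already been replaced with a random value that RandomizePlatformAuth() wipes with ZeroMem (Rand, RandSize), so a request that depends on the platformAuth still being empty would no longer authorize. Either remove the RandomizePlatformAuth () call or select one of the two behaviors explicitly (for example behind a PCD), and check the EFI_STATUS returned by DisableTpmPlatformHierarchy () rather than discarding it.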